AWS Certified Cloud Practitioner (CLF-C02) #7 Domain 3-2 Core Services — Networking and Databases

10 min read

#6 covered compute and storage. This post handles the second half of Domain 3 — networking, databases, and ops services.

Networking services at a glance #

ServiceRole
VPCVirtual private cloud
SubnetIP range inside a VPC
Internet Gateway (IGW)Connects a VPC to the internet
NAT GatewayOutbound internet for private subnets
Route 53DNS + domain registration + health checks
CloudFrontCDN, edge caching
ELBLoad balancing (four types)
VPNEncrypted tunnel between site and AWS
Direct ConnectDedicated line between site and AWS
Global AcceleratorGlobal acceleration over the AWS backbone
Transit GatewayHub that connects many VPCs and on-premises

VPC (Virtual Private Cloud) #

A virtual private cloud. The isolated space that holds your resources (EC2, RDS, and so on).

Core components of a VPC #

ComponentRole
VPCAn IP range bound to one region (e.g., 10.0.0.0/16)
SubnetA smaller IP range inside the VPC, scoped to a single AZ
Route TableDecides where traffic goes
Internet GatewayConnects the VPC to the internet
NAT GatewayOutbound internet for private subnets
Security GroupEC2-level firewall (stateful)
NACLSubnet-level firewall (stateless)

Public vs. Private Subnet #

TypeBehavior
Public SubnetRoute table includes an IGW, so two-way communication with the internet
Private SubnetNo IGW. Outbound only, through a NAT Gateway

The typical pattern: web servers in a public subnet (or just the ALB in public), app servers and DBs in private subnets.

Security Group vs. NACL (the comparison people mix up most) #

AspectSecurity GroupNACL
ScopeEC2 instanceSubnet
Stateful?Stateful (return traffic auto-allowed)Stateless (return traffic must be explicit)
RulesAllow onlyAllow + Deny
EvaluationAll rules evaluated togetherIn numbered order
DefaultDeny all inbound, allow all outboundAllow all traffic (default NACL)

On the exam: “Allow inbound port 22 on an EC2 instance only from a specific IP” → Security Group.

“Block a specific IP at the subnet level” → NACL.

Route 53 #

AWS’s DNS and domain registration service. The 53 in the name is the DNS port.

The three Route 53 features #

FeatureDescription
Domain registrationBuy domains like .com and .io
DNSManage A, CNAME, MX, and other records
Health checksMonitor endpoint status

Routing Policies #

PolicyUse case
SimpleA single resource
WeightedWeight-based distribution (A/B testing)
Latency-basedThe closest region
FailoverSwitch from primary to secondary on failure
GeolocationBranch by user location
GeoproximityBased on the geographic location of the resource
Multi-ValueReturn multiple IPs

On the exam: “Route to another region automatically when there’s a failure” → Failover.

“Route to the region with the fastest response” → Latency-based.

CloudFront — CDN #

Caches content at 600+ edge locations worldwide so it answers users from somewhere nearby.

AspectValue
OriginS3, EC2, ALB, or another site
HTTPSSupported by default
WAF integrationYes
Geo RestrictionBlock or allow per country
Lambda@Edge / CloudFront FunctionsRun code at the edge

Exam question patterns #

  • “Deliver static content (images, CSS, JS) quickly to a global audience” → CloudFront
  • “Minimize latency for video streaming” → CloudFront
  • “Block access from a specific country” → CloudFront Geo Restriction

ELB (Elastic Load Balancing) #

The load balancing service. Four types, each operating at a different layer for different use cases.

TypeLayerUse
ALB (Application Load Balancer)L7 (HTTP/HTTPS)Web apps, path-based routing, WebSocket
NLB (Network Load Balancer)L4 (TCP/UDP)Ultra-low latency, high performance, static IP
GLB (Gateway Load Balancer)L3 (IP)In front of firewalls, IDS, and other security appliances
CLB (Classic Load Balancer)L4 + L7Legacy (not recommended for new workloads)

Exam question patterns #

  • “Load balance HTTPS web traffic with different backends per path” → ALB
  • “Ultra-low-latency load balancing for a TCP game server with a static IP” → NLB
  • “In front of firewall appliances” → GLB

VPN vs. Direct Connect #

Two ways to connect on-premises to AWS.

AspectSite-to-Site VPNDirect Connect
Setup timeMinutes to hoursWeeks to months
CircuitInternet (encrypted tunnel)Dedicated line
BandwidthA function of the internet circuitFixed at 1, 10, or 100 Gbps
LatencyVaries with the internetVery stable
CostCheapExpensive (dedicated line lease)
SecurityEncryptedIsolated dedicated line

Exam question patterns #

  • “Connect on-prem to AWS quickly and cheaply” → VPN
  • “Consistent bandwidth, low latency, predictable cost” → Direct Connect
  • “Top security plus consistent performance, no internet hop” → Direct Connect

Global Accelerator vs. CloudFront #

Both work on global performance, but they serve different purposes.

AspectCloudFrontGlobal Accelerator
KindCDN (content caching)Global routing
TrafficMostly HTTP/HTTPSAny TCP/UDP
CachingYesNo
Static IPNone (CloudFront domain)Two anycast static IPs
Use caseAccelerate static and dynamic contentGames, VoIP, real-time apps

Exam scenario: “Reduce response time for a global game server and need a static IP” → Global Accelerator.

“Cache video and images and serve them quickly to a global audience” → CloudFront.

Transit Gateway #

A gateway that connects many VPCs and on-premises sites from a single hub-and-spoke point.

Exam scenario: “Dozens of VPCs and on-prem sites need to talk to each other” → Transit Gateway (scales better than VPC Peering).

Networking mapping summary #

ScenarioAnswer
Virtual private cloudVPC
EC2 exposed to the internetPublic Subnet + IGW
Outbound internet for a private EC2NAT Gateway
Domain registration + DNSRoute 53
Global caching of static contentCloudFront
HTTP load balancing with path-based routingALB
Ultra-low-latency TCP load balancingNLB
In front of firewall appliancesGLB
Fast on-prem ↔ AWS setupVPN
Stable performance without traversing the internetDirect Connect
Global TCP acceleration with a static IPGlobal Accelerator
Hub for many VPCs and on-premTransit Gateway
EC2-level firewallSecurity Group
Subnet-level firewallNACL

Database services at a glance #

ServiceTypeWorkload
RDSRelational (managed)MySQL, PostgreSQL, MariaDB, Oracle, SQL Server, Aurora
AuroraRelational (AWS-built)MySQL/PostgreSQL compatible, 5x performance
DynamoDBNoSQL (key-value / document)Serverless, infinite scale, single-digit ms
ElastiCacheIn-memory cacheRedis, Memcached
RedshiftData warehouseOLAP, large-scale analytics
DocumentDBNoSQL (document)MongoDB compatible
NeptuneGraph DBSocial graphs, recommendation systems
KeyspacesNoSQL (wide-column)Cassandra compatible
TimestreamTime-series DBIoT, metrics
QLDBLedger DBImmutable ledger (finance, etc.)

RDS (Relational Database Service) #

The managed service for relational databases. Supports multiple engines.

Supported engineNotes
MySQL / PostgreSQL / MariaDBOpen source
Oracle / SQL ServerCommercial
AuroraAWS-built (MySQL/PostgreSQL compatible)

What RDS manages for you #

  • Automated backups — retained for 1 to 35 days
  • Manual snapshots — retained indefinitely
  • Multi-AZ — synchronous standby replica (automatic failover)
  • Read Replica — distribute read load (asynchronous replication)
  • Automatic patching — within a maintenance window you set
  • Monitoring — CloudWatch integration

Exam question patterns #

  • “Managed MySQL/PostgreSQL” → RDS
  • “High availability with automatic failover when one AZ goes down” → Multi-AZ
  • “Distribute read load” → Read Replica

Aurora #

AWS’s own relational engine. MySQL/PostgreSQL compatible, advertised at 5x performance.

AspectValue
StorageAuto-scales (10 GB → 128 TB)
Replication6 copies across 3 AZs
Read ReplicaUp to 15
Aurora ServerlessAuto start/stop — for variable traffic
Global DatabaseSub-second replication across regions

On the exam: “Highest performance and availability for a managed relational DB” → Aurora.

“Relational DB with very irregular usage” → Aurora Serverless.

DynamoDB #

Serverless NoSQL DB. Key-value plus document.

AspectValue
Response timeSingle-digit milliseconds
ScaleEffectively unlimited (horizontal)
ModesOn-Demand (pay per use) / Provisioned (reserved capacity)
Global TablesMulti-master replication across regions
StreamsA stream of change events

Exam question patterns #

  • “Serverless NoSQL with single-digit ms response” → DynamoDB
  • “Need relational SQL queries” → DynamoDB is not the answer. RDS/Aurora
  • “Multi-master replication worldwide” → Global Tables

ElastiCache #

Managed in-memory cache — Redis and Memcached.

EngineCharacteristics
RedisPersistence, replication, Pub/Sub, complex data structures
MemcachedSimple cache, multi-threaded, no persistence

Exam question patterns #

  • “Cache frequently queried data to reduce DB load” → ElastiCache
  • “Real-time leaderboard, Pub/Sub” → Redis

Redshift — Data warehouse #

Petabyte-scale OLAP analytics DB. Columnar storage.

AspectValue
KindOLAP (analytics) — not OLTP (transactions)
Data modelColumnar
IntegrationsS3 (fast loads via COPY), BI tools
Redshift ServerlessPay only for what you use
SpectrumQuery S3 data directly

Exam scenario: “Analyze years of sales data on a BI dashboard” → Redshift.

“Real-time transaction processing” → Redshift is not the answer. RDS.

Other DBs #

ServiceUse case
DocumentDBMongoDB compatible (migration)
NeptuneSocial graph, recommendation system (graph)
KeyspacesCassandra compatible
TimestreamIoT metrics, time-series
QLDBImmutable ledger

DB mapping summary #

ScenarioAnswer
Managed relational DBRDS
Highest-performance relational DBAurora
Variable-traffic relational DBAurora Serverless
Serverless NoSQL, fast responseDynamoDB
Cache to offload DBElastiCache
Real-time leaderboardElastiCache Redis
Large-scale analytics, data warehouseRedshift
MongoDB migrationDocumentDB
Social graph, recommendationsNeptune
Cassandra migrationKeyspaces
Time-series data (IoT metrics)Timestream
Financial ledger, audit trailQLDB

Ops and management services #

CloudWatch — Monitoring #

FeatureDescription
MetricsResource metrics (CPU, memory, request count, etc.)
LogsLog collection, search, alarms
AlarmsNotifications and automated actions on threshold breach
Events / EventBridgeEvent-driven automation
DashboardsVisualization

CloudTrail vs. CloudWatch (revisited) #

  • CloudTrailwho called which API
  • CloudWatch — the state and metrics of resources

AWS Trusted Advisor #

A service that auto-checks an entire account across five categories.

CategoryChecks
Cost OptimizationUnused resources, RI utilization
PerformanceInstance sizing fitness
SecurityPublic exposure, root without MFA
Fault ToleranceMissing backups, no Multi-AZ
Service LimitsApproaching limits

Basic and Developer Support → only the six core checks. Business and Enterprise Support → all checks.

Exam scenario: “Find cost-saving opportunities automatically” → Trusted Advisor.

AWS Systems Manager #

FeatureDescription
Session ManagerEC2 access without SSH keys
Patch ManagerEC2 patch management
Run CommandRun a command across many EC2 instances at once
Parameter StoreStore configuration and secrets

CloudFormation — IaC #

A service that lets you define infrastructure as YAML/JSON code and deploy it from the console or CLI. Free (you only pay for the resources it creates).

Exam scenarios:

  • “Manage infrastructure as code” → CloudFormation
  • “Replicate the same infrastructure across dev, staging, and prod” → CloudFormation templates

AWS Cloud Development Kit (CDK) #

A tool that lets you author CloudFormation in a programming language like TypeScript or Python.

AWS Service Catalog #

A service that exposes only pre-approved resources from inside the organization to users. Reinforces governance.

AWS Health Dashboard #

KindDescription
Service Health DashboardStatus of all AWS services (public)
Personal Health DashboardEvents that affect your account

Common traps #

1) Confusing Security Group and NACL #

  • Security Group = instance, stateful, allow only
  • NACL = subnet, stateless, allow + deny

2) Confusing ALB and NLB #

  • ALB = L7 (HTTP/HTTPS, path routing)
  • NLB = L4 (TCP/UDP, static IP, ultra-low latency)

3) Confusing CloudFront and Global Accelerator #

  • CloudFront = content caching (CDN)
  • Global Accelerator = global routing (static IP, games/VoIP)

4) SQL queries on DynamoDB #

DynamoDB is NoSQL. No SQL. (PartiQL provides a SQL-like interface, but it’s not the recommended exam answer.)

5) Transaction processing on Redshift #

Redshift is OLAP-only. Transactions go to RDS/Aurora/DynamoDB.

6) Confusing CloudWatch and CloudTrail #

  • CloudWatch = resource state
  • CloudTrail = API call audit

7) Assuming Trusted Advisor runs every check on every account #

Basic and Developer Support cover only the six core checks. Business and Enterprise unlock the full set.

Wrap-up #

What this post locked in:

  • Networking — VPC, subnets, Route 53, CloudFront, four ELB types, VPN, Direct Connect, Global Accelerator, Transit Gateway
  • Security Group (instance, stateful) vs. NACL (subnet, stateless)
  • ALB (L7) vs. NLB (L4) vs. GLB (L3)
  • VPN (fast setup, cheap) vs. Direct Connect (dedicated line, stable)
  • CloudFront (CDN) vs. Global Accelerator (global routing, static IP)
  • Databases — RDS / Aurora / DynamoDB / ElastiCache / Redshift / DocumentDB, Neptune, Keyspaces, Timestream, QLDB
  • Workload-to-DB mapping — relational to RDS/Aurora, NoSQL to DynamoDB, cache to ElastiCache, analytics to Redshift
  • Ops services — CloudWatch (monitoring) / CloudTrail (audit) / Trusted Advisor (auto-checks) / Systems Manager (ops) / CloudFormation (IaC) / Service Catalog / Health Dashboard

Next — Domain 4 Billing and Support #

Domain 3 is done. The last domain is Billing, Pricing, and Support (12%).

#8 Domain 4 Billing and Support — Pricing Models, Support Plans, TCO covers the four EC2 pricing models (On-Demand / Reserved / Savings Plans / Spot), the free tier, AWS Pricing Calculator, Cost Explorer, AWS Budgets, Consolidated Billing, and the four Support Plan tiers (Basic / Developer / Business / Enterprise).

X