AWS Certified Cloud Practitioner (CLF-C02) #7 Domain 3-2 Core Services — Networking and Databases
#6 covered compute and storage. This post handles the second half of Domain 3 — networking, databases, and ops services.
Networking services at a glance #
| Service | Role |
|---|---|
| VPC | Virtual private cloud |
| Subnet | IP range inside a VPC |
| Internet Gateway (IGW) | Connects a VPC to the internet |
| NAT Gateway | Outbound internet for private subnets |
| Route 53 | DNS + domain registration + health checks |
| CloudFront | CDN, edge caching |
| ELB | Load balancing (four types) |
| VPN | Encrypted tunnel between site and AWS |
| Direct Connect | Dedicated line between site and AWS |
| Global Accelerator | Global acceleration over the AWS backbone |
| Transit Gateway | Hub that connects many VPCs and on-premises |
VPC (Virtual Private Cloud) #
A virtual private cloud. The isolated space that holds your resources (EC2, RDS, and so on).
Core components of a VPC #
| Component | Role |
|---|---|
| VPC | An IP range bound to one region (e.g., 10.0.0.0/16) |
| Subnet | A smaller IP range inside the VPC, scoped to a single AZ |
| Route Table | Decides where traffic goes |
| Internet Gateway | Connects the VPC to the internet |
| NAT Gateway | Outbound internet for private subnets |
| Security Group | EC2-level firewall (stateful) |
| NACL | Subnet-level firewall (stateless) |
Public vs. Private Subnet #
| Type | Behavior |
|---|---|
| Public Subnet | Route table includes an IGW, so two-way communication with the internet |
| Private Subnet | No IGW. Outbound only, through a NAT Gateway |
The typical pattern: web servers in a public subnet (or just the ALB in public), app servers and DBs in private subnets.
Security Group vs. NACL (the comparison people mix up most) #
| Aspect | Security Group | NACL |
|---|---|---|
| Scope | EC2 instance | Subnet |
| Stateful? | Stateful (return traffic auto-allowed) | Stateless (return traffic must be explicit) |
| Rules | Allow only | Allow + Deny |
| Evaluation | All rules evaluated together | In numbered order |
| Default | Deny all inbound, allow all outbound | Allow all traffic (default NACL) |
On the exam: “Allow inbound port 22 on an EC2 instance only from a specific IP” → Security Group.
“Block a specific IP at the subnet level” → NACL.
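To make the stateful/stateless and allow-only/allow+deny differences concrete, here is a toy model of how each firewall decides on an inbound packet, run against the two exam scenarios above. This is an added example, not code from the original post; the packets, addresses, rule numbers and the flow table are constructed.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "src_ip src_port dst_port proto", defaults=["tcp"])
# action is "allow"/"deny" (SGs only ever use "allow"); lo..hi is the destination
# port range; cidr is the remote side; number is NACL evaluation order (SGs ignore it)
Rule = namedtuple("Rule", "action proto lo hi cidr number", defaults=[0])

def matches(rule, pkt):
    return (rule.proto == pkt.proto and rule.lo <= pkt.dst_port <= rule.hi
            and ip_address(pkt.src_ip) in ip_network(rule.cidr))

def sg_inbound(rules, open_flows, pkt):
    """Security Group: allow-only, every rule considered, stateful."""
    # Stateful: the reply to a connection the instance opened is allowed
    # even with no inbound rule at all (the default SG state).
    if (pkt.src_ip, pkt.src_port, pkt.dst_port) in open_flows:
        return "allow"
    return "allow" if any(matches(r, pkt) for r in rules) else "deny"

def nacl_inbound(rules, pkt):
    """NACL: stateless; lowest-numbered matching rule wins, else the '*' rule denies."""
    for r in sorted(rules, key=lambda r: r.number):
        if matches(r, pkt):
            return r.action
    return "deny"

# Constructed scenario: the instance opened tcp 10.0.1.5:50000 -> 203.0.113.10:443
OPEN_FLOWS = {("203.0.113.10", 443, 50000)}
REPLY = Packet("203.0.113.10", 443, 50000)
SSH_ADMIN = Packet("203.0.113.5", 40000, 22)
SSH_OTHER = Packet("198.51.100.7", 40000, 22)
SG_RULES = [Rule("allow", "tcp", 22, 22, "203.0.113.5/32")]         # exam: SSH from one IP only
NACL_RULES = [Rule("deny", "tcp", 22, 22, "198.51.100.7/32", 100),  # exam: block one IP
              Rule("allow", "tcp", 22, 22, "0.0.0.0/0", 200)]
# NACL_RULES has no inbound allow for ephemeral ports 1024-65535, so return traffic is dropped.

def demo():
    return {"sg_reply": sg_inbound(SG_RULES, OPEN_FLOWS, REPLY),      # allow: stateful
            "nacl_reply": nacl_inbound(NACL_RULES, REPLY),            # deny: stateless
            "sg_admin": sg_inbound(SG_RULES, OPEN_FLOWS, SSH_ADMIN),  # allow
            "sg_other": sg_inbound(SG_RULES, OPEN_FLOWS, SSH_OTHER),  # deny: no matching allow
            "nacl_other": nacl_inbound(NACL_RULES, SSH_OTHER),        # deny: rule 100 wins
            "nacl_admin": nacl_inbound(NACL_RULES, SSH_ADMIN)}        # allow: rule 200
```

The NACL reply being dropped is the classic real-world symptom of forgetting the ephemeral-port rule on a custom NACL; the default NACL avoids it only because it allows everything.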
Route 53 #
AWS’s DNS and domain registration service. The 53 in the name is the DNS port.
The three Route 53 features #
| Feature | Description |
|---|---|
| Domain registration | Buy domains like .com and .io |
| DNS | Manage A, CNAME, MX, and other records |
| Health checks | Monitor endpoint status |
Routing Policies #
| Policy | Use case |
|---|---|
| Simple | A single resource |
| Weighted | Weight-based distribution (A/B testing) |
| Latency-based | The closest region |
| Failover | Switch from primary to secondary on failure |
| Geolocation | Branch by user location |
| Geoproximity | Based on the geographic location of the resource |
| Multi-Value | Return multiple IPs |
On the exam: “Route to another region automatically when there’s a failure” → Failover.
“Route to the region with the fastest response” → Latency-based.
CloudFront — CDN #
Caches content at 600+ edge locations worldwide, so each user is served from a nearby location instead of the origin.
| Aspect | Value |
|---|---|
| Origin | S3, EC2, ALB, or another site |
| HTTPS | Supported by default |
| WAF integration | Yes |
| Geo Restriction | Block or allow per country |
| Lambda@Edge / CloudFront Functions | Run code at the edge |
Exam question patterns #
- “Deliver static content (images, CSS, JS) quickly to a global audience” → CloudFront
- “Minimize latency for video streaming” → CloudFront
- “Block access from a specific country” → CloudFront Geo Restriction
ELB (Elastic Load Balancing) #
The load balancing service. Four types, each operating at a different layer for different use cases.
| Type | Layer | Use |
|---|---|---|
| ALB (Application Load Balancer) | L7 (HTTP/HTTPS) | Web apps, path-based routing, WebSocket |
| NLB (Network Load Balancer) | L4 (TCP/UDP) | Ultra-low latency, high performance, static IP |
| GLB (Gateway Load Balancer) | L3 (IP) | In front of firewalls, IDS, and other security appliances |
| CLB (Classic Load Balancer) | L4 + L7 | Legacy (not recommended for new workloads) |
Exam question patterns #
- “Load balance HTTPS web traffic with different backends per path” → ALB
- “Ultra-low-latency load balancing for a TCP game server with a static IP” → NLB
- “In front of firewall appliances” → GLB
VPN vs. Direct Connect #
Two ways to connect on-premises to AWS.
| Aspect | Site-to-Site VPN | Direct Connect |
|---|---|---|
| Setup time | Minutes to hours | Weeks to months |
| Circuit | Internet (encrypted tunnel) | Dedicated line |
| Bandwidth | A function of the internet circuit | Fixed at 1, 10, or 100 Gbps |
| Latency | Varies with the internet | Very stable |
| Cost | Cheap | Expensive (dedicated line lease) |
| Security | Encrypted | Isolated dedicated line |
Exam question patterns #
- “Connect on-prem to AWS quickly and cheaply” → VPN
- “Consistent bandwidth, low latency, predictable cost” → Direct Connect
- “Top security plus consistent performance, no internet hop” → Direct Connect
Global Accelerator vs. CloudFront #
Both work on global performance, but they serve different purposes.
| Aspect | CloudFront | Global Accelerator |
|---|---|---|
| Kind | CDN (content caching) | Global routing |
| Traffic | Mostly HTTP/HTTPS | Any TCP/UDP |
| Caching | Yes | No |
| Static IP | None (CloudFront domain) | Two anycast static IPs |
| Use case | Accelerate static and dynamic content | Games, VoIP, real-time apps |
Exam scenario: “Reduce response time for a global game server and need a static IP” → Global Accelerator.
“Cache video and images and serve them quickly to a global audience” → CloudFront.
Transit Gateway #
A hub-and-spoke gateway that connects many VPCs and on-premises sites through a single attachment point, instead of a mesh of VPC Peering connections.
Exam scenario: “Dozens of VPCs and on-prem sites need to talk to each other” → Transit Gateway (scales better than VPC Peering).
Networking mapping summary #
| Scenario | Answer |
|---|---|
| Virtual private cloud | VPC |
| EC2 exposed to the internet | Public Subnet + IGW |
| Outbound internet for a private EC2 | NAT Gateway |
| Domain registration + DNS | Route 53 |
| Global caching of static content | CloudFront |
| HTTP load balancing with path-based routing | ALB |
| Ultra-low-latency TCP load balancing | NLB |
| In front of firewall appliances | GLB |
| Fast on-prem ↔ AWS setup | VPN |
| Stable performance without traversing the internet | Direct Connect |
| Global TCP acceleration with a static IP | Global Accelerator |
| Hub for many VPCs and on-prem | Transit Gateway |
| EC2-level firewall | Security Group |
| Subnet-level firewall | NACL |
Database services at a glance #
| Service | Type | Workload |
|---|---|---|
| RDS | Relational (managed) | MySQL, PostgreSQL, MariaDB, Oracle, SQL Server, Aurora |
| Aurora | Relational (AWS-built) | MySQL/PostgreSQL compatible, 5x performance |
| DynamoDB | NoSQL (key-value / document) | Serverless, virtually unlimited scale, single-digit ms |
| ElastiCache | In-memory cache | Redis, Memcached |
| Redshift | Data warehouse | OLAP, large-scale analytics |
| DocumentDB | NoSQL (document) | MongoDB compatible |
| Neptune | Graph DB | Social graphs, recommendation systems |
| Keyspaces | NoSQL (wide-column) | Cassandra compatible |
| Timestream | Time-series DB | IoT, metrics |
| QLDB | Ledger DB | Immutable ledger (finance, etc.) |
RDS (Relational Database Service) #
The managed service for relational databases. Supports multiple engines.
| Supported engine | Notes |
|---|---|
| MySQL / PostgreSQL / MariaDB | Open source |
| Oracle / SQL Server | Commercial |
| Aurora | AWS-built (MySQL/PostgreSQL compatible) |
What RDS manages for you #
- Automated backups — retained for 1 to 35 days
- Manual snapshots — retained indefinitely
- Multi-AZ — synchronous standby replica (automatic failover)
- Read Replica — distribute read load (asynchronous replication)
- Automatic patching — within a maintenance window you set
- Monitoring — CloudWatch integration
Exam question patterns #
- “Managed MySQL/PostgreSQL” → RDS
- “High availability with automatic failover when one AZ goes down” → Multi-AZ
- “Distribute read load” → Read Replica
Aurora #
AWS’s own relational engine. MySQL/PostgreSQL compatible, advertised at 5x performance.
| Aspect | Value |
|---|---|
| Storage | Auto-scales (10 GB → 128 TB) |
| Replication | 6 copies across 3 AZs |
| Read Replica | Up to 15 |
| Aurora Serverless | Auto start/stop — for variable traffic |
| Global Database | Sub-second replication across regions |
On the exam: “Highest performance and availability for a managed relational DB” → Aurora.
“Relational DB with very irregular usage” → Aurora Serverless.
DynamoDB #
Serverless NoSQL DB. Key-value plus document.
| Aspect | Value |
|---|---|
| Response time | Single-digit milliseconds |
| Scale | Effectively unlimited (horizontal) |
| Modes | On-Demand (pay per use) / Provisioned (reserved capacity) |
| Global Tables | Multi-master replication across regions |
| Streams | A stream of change events |
Exam question patterns #
- “Serverless NoSQL with single-digit ms response” → DynamoDB
- “Need relational SQL queries” → not DynamoDB. RDS/Aurora
- “Multi-master replication worldwide” → Global Tables
ElastiCache #
Managed in-memory cache — Redis and Memcached.
| Engine | Characteristics |
|---|---|
| Redis | Persistence, replication, Pub/Sub, complex data structures |
| Memcached | Simple cache, multi-threaded, no persistence |
Exam question patterns #
- “Cache frequently queried data to reduce DB load” → ElastiCache
- “Real-time leaderboard, Pub/Sub” → Redis
Redshift — Data warehouse #
Petabyte-scale OLAP analytics DB. Columnar storage.
| Aspect | Value |
|---|---|
| Kind | OLAP (analytics) — not OLTP (transactions) |
| Data model | Columnar |
| Integrations | S3 (fast loads via COPY), BI tools |
| Redshift Serverless | Pay only for what you use |
| Spectrum | Query S3 data directly |
Exam scenario: “Analyze years of sales data on a BI dashboard” → Redshift.
“Real-time transaction processing” → not Redshift. RDS.
Other DBs #
| Service | Use case |
|---|---|
| DocumentDB | MongoDB compatible (migration) |
| Neptune | Social graph, recommendation system (graph) |
| Keyspaces | Cassandra compatible |
| Timestream | IoT metrics, time-series |
| QLDB | Immutable ledger |
DB mapping summary #
| Scenario | Answer |
|---|---|
| Managed relational DB | RDS |
| Highest-performance relational DB | Aurora |
| Variable-traffic relational DB | Aurora Serverless |
| Serverless NoSQL, fast response | DynamoDB |
| Cache to offload DB | ElastiCache |
| Real-time leaderboard | ElastiCache Redis |
| Large-scale analytics, data warehouse | Redshift |
| MongoDB migration | DocumentDB |
| Social graph, recommendations | Neptune |
| Cassandra migration | Keyspaces |
| Time-series data (IoT metrics) | Timestream |
| Financial ledger, audit trail | QLDB |
Ops and management services #
CloudWatch — Monitoring #
| Feature | Description |
|---|---|
| Metrics | Resource metrics (CPU, memory, request count, etc.) |
| Logs | Log collection, search, alarms |
| Alarms | Notifications and automated actions on threshold breach |
| Events / EventBridge | Event-driven automation |
| Dashboards | Visualization |
CloudTrail vs. CloudWatch (revisited) #
- CloudTrail — who called which API
- CloudWatch — the state and metrics of resources
AWS Trusted Advisor #
A service that auto-checks an entire account across five categories.
| Category | Checks |
|---|---|
| Cost Optimization | Unused resources, RI utilization |
| Performance | Instance sizing fitness |
| Security | Public exposure, root without MFA |
| Fault Tolerance | Missing backups, no Multi-AZ |
| Service Limits | Approaching limits |
Basic and Developer Support → only the six core checks. Business and Enterprise Support → all checks.
Exam scenario: “Find cost-saving opportunities automatically” → Trusted Advisor.
AWS Systems Manager #
| Feature | Description |
|---|---|
| Session Manager | EC2 access without SSH keys |
| Patch Manager | EC2 patch management |
| Run Command | Run a command across many EC2 instances at once |
| Parameter Store | Store configuration and secrets |
CloudFormation — IaC #
A service that lets you define infrastructure as YAML/JSON code and deploy it from the console or CLI. Free (you only pay for the resources it creates).
Exam scenarios:
- “Manage infrastructure as code” → CloudFormation
- “Replicate the same infrastructure across dev, staging, and prod” → CloudFormation templates
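Because a template is just data, the networking rules from earlier in this post (a public subnet is one whose route table has a route to an IGW; a Security Group can only allow, so exposure is fixed by narrowing the CIDR) can be checked before anything is deployed. This is an added example, not the post's code or any AWS tool; the template, its logical ids and the RESTRICTED_PORTS list are constructed, and the template is held in its JSON form as a Python dict.

```python
# Added example, not from the original post: a constructed CloudFormation template
# (JSON form, held as a dict) plus two static checks a reviewer runs before deploying.
RESTRICTED_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}
TEMPLATE = {"Resources": {
    "VPC": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
    "IGW": {"Type": "AWS::EC2::InternetGateway"},
    "NAT": {"Type": "AWS::EC2::NatGateway", "Properties": {"SubnetId": {"Ref": "PublicSubnet"}}},
    "PublicSubnet": {"Type": "AWS::EC2::Subnet", "Properties": {"VpcId": {"Ref": "VPC"}, "CidrBlock": "10.0.1.0/24"}},
    "PrivateSubnet": {"Type": "AWS::EC2::Subnet", "Properties": {"VpcId": {"Ref": "VPC"}, "CidrBlock": "10.0.2.0/24"}},
    "PublicRT": {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": {"Ref": "VPC"}}},
    "PrivateRT": {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": {"Ref": "VPC"}}},
    "PublicRoute": {"Type": "AWS::EC2::Route", "Properties": {"RouteTableId": {"Ref": "PublicRT"},
                    "DestinationCidrBlock": "0.0.0.0/0", "GatewayId": {"Ref": "IGW"}}},
    "PrivateRoute": {"Type": "AWS::EC2::Route", "Properties": {"RouteTableId": {"Ref": "PrivateRT"},
                     "DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": {"Ref": "NAT"}}},
    "PublicAssoc": {"Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": {
                    "SubnetId": {"Ref": "PublicSubnet"}, "RouteTableId": {"Ref": "PublicRT"}}},
    "PrivateAssoc": {"Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": {
                     "SubnetId": {"Ref": "PrivateSubnet"}, "RouteTableId": {"Ref": "PrivateRT"}}},
    "WebSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"GroupDescription": "web", "VpcId": {"Ref": "VPC"},
              "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                                       {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
}}

def ref(value):  # resolve {"Ref": "LogicalId"} to the logical id; pass plain values through
    return value.get("Ref") if isinstance(value, dict) else value

def classify_subnets(template):
    """Public = its route table has a route whose GatewayId is an Internet Gateway;
    anything else (NAT-only or no default route) is private."""
    res = template["Resources"]
    igws = {n for n, r in res.items() if r["Type"] == "AWS::EC2::InternetGateway"}
    public_rts = {ref(r["Properties"]["RouteTableId"]) for r in res.values()
                  if r["Type"] == "AWS::EC2::Route" and ref(r["Properties"].get("GatewayId")) in igws}
    kinds = {n: "private" for n, r in res.items() if r["Type"] == "AWS::EC2::Subnet"}
    for r in res.values():
        if r["Type"] == "AWS::EC2::SubnetRouteTableAssociation":
            if ref(r["Properties"]["RouteTableId"]) in public_rts:
                kinds[ref(r["Properties"]["SubnetId"])] = "public"
    return kinds

def world_open_restricted_ports(template):
    """Ingress rules opening an admin/DB port to 0.0.0.0/0; SGs only allow, so the
    fix is to narrow CidrIp to the admin's address, not to add a deny."""
    sgs = {n: r for n, r in template["Resources"].items() if r["Type"] == "AWS::EC2::SecurityGroup"}
    return [(name, RESTRICTED_PORTS[p], rule["CidrIp"])
            for name, sg in sgs.items() for rule in sg["Properties"].get("SecurityGroupIngress", [])
            for p in RESTRICTED_PORTS if rule["FromPort"] <= p <= rule["ToPort"]
            and rule.get("CidrIp") == "0.0.0.0/0"]
```

On the constructed template the subnet check confirms the public/private split and the port check flags only the SSH rule on WebSG (443 open to the world on a web tier is expected).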
AWS Cloud Development Kit (CDK) #
A tool that lets you author CloudFormation in a programming language like TypeScript or Python.
AWS Service Catalog #
A service that lets an organization publish a catalog of pre-approved resources, so users can deploy only what has been vetted. Reinforces governance.
AWS Health Dashboard #
| Kind | Description |
|---|---|
| Service Health Dashboard | Status of all AWS services (public) |
| Personal Health Dashboard | Events that affect your account |
Common traps #
1) Confusing Security Group and NACL #
- Security Group = instance, stateful, allow only
- NACL = subnet, stateless, allow + deny
2) Confusing ALB and NLB #
- ALB = L7 (HTTP/HTTPS, path routing)
- NLB = L4 (TCP/UDP, static IP, ultra-low latency)
3) Confusing CloudFront and Global Accelerator #
- CloudFront = content caching (CDN)
- Global Accelerator = global routing (static IP, games/VoIP)
4) SQL queries on DynamoDB #
DynamoDB is NoSQL. No SQL. (PartiQL provides a SQL-like interface, but it’s not the recommended exam answer.)
5) Transaction processing on Redshift #
Redshift is OLAP-only. Transactions go to RDS/Aurora/DynamoDB.
6) Confusing CloudWatch and CloudTrail #
- CloudWatch = resource state
- CloudTrail = API call audit
7) Assuming Trusted Advisor runs every check on every account #
Basic and Developer Support cover only the six core checks. Business and Enterprise unlock the full set.
Wrap-up #
What this post locked in:
- Networking — VPC, subnets, Route 53, CloudFront, four ELB types, VPN, Direct Connect, Global Accelerator, Transit Gateway
- Security Group (instance, stateful) vs. NACL (subnet, stateless)
- ALB (L7) vs. NLB (L4) vs. GLB (L3)
- VPN (fast setup, cheap) vs. Direct Connect (dedicated line, stable)
- CloudFront (CDN) vs. Global Accelerator (global routing, static IP)
- Databases — RDS / Aurora / DynamoDB / ElastiCache / Redshift / DocumentDB, Neptune, Keyspaces, Timestream, QLDB
- Workload-to-DB mapping — relational to RDS/Aurora, NoSQL to DynamoDB, cache to ElastiCache, analytics to Redshift
- Ops services — CloudWatch (monitoring) / CloudTrail (audit) / Trusted Advisor (auto-checks) / Systems Manager (ops) / CloudFormation (IaC) / Service Catalog / Health Dashboard
Next — Domain 4 Billing and Support #
Domain 3 is done. The last domain is Billing, Pricing, and Support (12%).
#8 Domain 4 Billing and Support — Pricing Models, Support Plans, TCO covers the four EC2 pricing models (On-Demand / Reserved / Savings Plans / Spot), the free tier, AWS Pricing Calculator, Cost Explorer, AWS Budgets, Consolidated Billing, and the four Support Plan tiers (Basic / Developer / Business / Enterprise).