Fundamentals of AWS Networking

Imagine you are the owner of a coffee shop. You have a cashier who takes orders from customers and a barista who prepares the coffee. Now, what if there are a few customers who want to give orders directly to the barista? It disturbs the barista who focuses on brewing beverages. It also disrupts the entire chain.

So what do we do? We make sure that the customers do not meet the barista directly but give their orders to the cashier. The customers interact with the cashier, not with the barista.

Now we can apply the same analogy to networking. We do not want clients to send requests to, or access, our database or any other important resource directly. So we keep those resources in a private subnet so that access to them is restricted. The resources or servers that are open to clients are kept in a public subnet. In the coffee shop, you can think of the counter area as a VPC. The counter area is divided into two separate areas, the cashier's workstation and the barista's workstation. In a VPC, subnets are the separate areas used to group resources together.

A subnet is a section of a VPC in which you can group resources based on security or operational needs. Subnets can be public or private. Public subnets contain resources that need to be accessible by the public, such as an online store's website. Private subnets contain resources that should be accessible only through your private network, such as a database that contains customers' personal information and order histories.

This is done through AWS Virtual Private Cloud (AWS VPC). You can create a public-facing subnet for your web servers that have access to the internet. It also lets you place your backend systems, such as databases or application servers, in a private-facing subnet with no internet access.

Internet Gateway: For traffic from the public internet to flow into and out of our VPC, an Internet gateway is used.

Virtual Private Gateway: A Virtual Private gateway allows traffic in only if it is coming from an approved network. If you have a private subnet, you can access it over a virtual private network (VPN) connection between your network and the cloud via the virtual private gateway.

AWS Direct Connect: If, for your coffee shop, you want a dedicated route that only you can use, you build a road between your apartment building and the coffee shop that only you know about. AWS Direct Connect is similar to this.

It is a service that gives you a dedicated connection between your on-premises resources and the cloud. Direct Connect is not a VPN. It is more secure than a VPN. The encrypted connection in Direct Connect is created between the user's router and the AWS Direct Connect router. In a VPN, the connection runs from the user's network to the VPN network over the public internet.

AWS Network Access Control List (NACL): A network access control list (ACL) is a virtual firewall that controls inbound and outbound traffic at the subnet level. It is stateless, i.e. it does not keep track of connections, so return traffic is evaluated against the rules like any other packet.

Every packet that enters or leaves the subnet has to pass through the NACL, and a packet continues on its way only when the NACL allows it.

AWS Security Group: A security group is a virtual firewall that controls inbound and outbound traffic for an Amazon EC2 instance. It is stateful. It checks every packet that arrives at or leaves an instance and approves or rejects it. Because it is stateful, it checks a flow only once: for a request coming into the EC2 instance, it validates the request and allows it in, and it remembers that the request was allowed, so the response going back out from the EC2 instance is not validated again.
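To make the stateless-versus-stateful difference concrete, here is an added simulation (not code from the course or from AWS) of a network ACL and a security group deciding on a request packet and its reply. The rule format is a simplified assumption, and the 1024-65535 range is the ephemeral port range that AWS documentation suggests for network ACL return-traffic rules.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field

Packet = namedtuple("Packet", "src dst sport dport")   # simplified TCP 5-tuple, protocol omitted

def _matches(cidr, low, high, peer_ip, port):
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(cidr) and low <= port <= high

@dataclass
class NetworkAcl:
    """Stateless subnet filter: numbered rules, lowest first, first match wins, implicit deny.
    Inbound and outbound are judged independently and nothing is remembered."""
    inbound: list   # (rule_no, cidr, port_from, port_to, "allow" | "deny")
    outbound: list
    def allows(self, pkt, direction):
        rules = self.inbound if direction == "in" else self.outbound
        peer = pkt.src if direction == "in" else pkt.dst   # address the rule's CIDR refers to
        for _, cidr, low, high, action in sorted(rules):
            if _matches(cidr, low, high, peer, pkt.dport):
                return action == "allow"
        return False

@dataclass
class SecurityGroup:
    """Stateful instance filter: allow rules only; the reply to a permitted flow
    is allowed without consulting the opposite direction's rules."""
    inbound: list   # (cidr, port_from, port_to)
    outbound: list
    flows: set = field(default_factory=set)
    def allows(self, pkt, direction):
        if (pkt.dst, pkt.src, pkt.dport, pkt.sport) in self.flows:
            return True   # reverse of a tracked flow: this is return traffic
        rules = self.inbound if direction == "in" else self.outbound
        peer = pkt.src if direction == "in" else pkt.dst
        if any(_matches(cidr, low, high, peer, pkt.dport) for cidr, low, high in rules):
            self.flows.add((pkt.src, pkt.dst, pkt.sport, pkt.dport))
            return True
        return False

def demo(nacl_has_ephemeral_return_rule):
    """Constructed HTTPS request from client 203.0.113.7:49152 to server 10.0.1.5:443,
    then the server's reply; returns (nacl_in, nacl_out, sg_in, sg_out)."""
    req = Packet("203.0.113.7", "10.0.1.5", 49152, 443)
    rsp = Packet("10.0.1.5", "203.0.113.7", 443, 49152)
    out_rules = [(100, "0.0.0.0/0", 1024, 65535, "allow")] if nacl_has_ephemeral_return_rule else []
    nacl = NetworkAcl(inbound=[(100, "0.0.0.0/0", 443, 443, "allow")], outbound=out_rules)
    sg = SecurityGroup(inbound=[("0.0.0.0/0", 443, 443)], outbound=[])
    return (nacl.allows(req, "in"), nacl.allows(rsp, "out"),
            sg.allows(req, "in"), sg.allows(rsp, "out"))
```

With no outbound ephemeral-port rule, `demo(False)` shows the NACL dropping the reply it has no state to recognise, while the security group lets the same reply through because it tracked the flow; `demo(True)` shows the NACL needing an explicit return rule to get the same result.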

Amazon Route 53: It is a DNS (Domain Name System) web service. It gives developers and businesses a reliable way to route end users to internet applications hosted in AWS.

CloudFront: Amazon CloudFront is the AWS content delivery network (CDN). A CDN is a highly distributed platform of servers that helps minimize delays in loading web page content by reducing the physical distance between the server and the user. This helps users around the world view the same high-quality content without slow loading times.

How Amazon Route 53 and Amazon CloudFront deliver content:
1. A customer requests data from the application by going to the website.
2. Amazon Route 53 uses DNS resolution to identify the corresponding IP address, which is sent back to the customer.
3. The customer's request is sent to the nearest edge location through Amazon CloudFront.
4. Amazon CloudFront connects to the Application Load Balancer, which sends the incoming packet to an Amazon EC2 instance.

References: aws.training/Details/eLearning?id=60697, docs.aws.amazon.com