4.59 out of 5
2062 reviews on Udemy

AWS VPC and Networking in depth: Learn practically in 8 hrs

AWS Networking from basics to advanced with 20+ simple to complex real life hands on exercises
Chetan Agrawal
11,717 students enrolled
Networking in AWS - Basic to Advanced Networking concepts by doing hands on exercises
Whiteboard sessions to see how various networking components work together
Understand how to secure your infrastructure by using appropriate Virtual Private Cloud (VPC) components and firewalls
AWS Public and Private Network connectivity options and their implementation
In depth understanding of VPC, CIDR, Subnets, Route Tables, Security Groups, NACL, NAT Gateway, NAT Instance, VPC Peering, VPC Endpoint, VPC PrivateLink, VPN connection, Direct Connect, Route53 Failover, Transit VPC and Transit Gateway

This course aims to build the complete understanding of Amazon Web Services (AWS) Networking from ground up where students will understand the networking core concepts by doing exercises on their own.

This course contains 2 sections. First section is about Understanding AWS Networking where I have explained starting from very basics the AWS VPC, VPC components and Private connectivity options in AWS . If you are already aware of AWS networking components, then you may want to skip this section and jump directly to hands on exercises section.

1. Understanding AWS Networking in depth

  • Physical on premises networking vs AWS VPC

  • Getting familiar with AWS VPC terminologies – VPC, Subnets, Route tables, Internet Gateway, Security Group, Network ACL

  • Understanding VPC CIDR

  • Understanding Subnets and Route Tables

  • Public Subnet vs Private Subnet

  • Understanding NAT (Network Address Translation) Concept

  • NAT Gateway and NAT instance

  • AWS Private Connectivity options

  • Understanding VPC Peering

  • VPC Endpoint and Privatelink for private connectivity to AWS Services

  • VPN connection / Direct Connect

  • Transit VPC

  • Transit Gateway

  • AWS Client VPN

2. AWS Networking Hands on exercises (Basics to Advance)

  1. Create VPC with single public subnet, launch EC2 instance and connect over internet

  2. Create VPC with Pubic and Private subnet, connect to EC2 instance in Private subnet via EC2 instance in Public subnet

  3. Create NAT Gateway and allow EC2 instances in Private subnet to access internet through NAT Gateway

  4. Create and use NAT EC2 instance instead of NAT Gateway

  5. Create VPC Peering between VPCs across AWS regions and connect to EC2 instance over private IP by using VPC peering connection

  6. Create VPC endpoint gateway for S3 and access S3 contents from EC2 instance in Private subnet without requiring internet connection

  7. Create and use VPC Private Link to expose your Web service privately to application hosted in another VPC

  8. Implement AWS region level failover using AWS Route53

  9. Hosting website on S3 using custom domain name from GoDaddy

  10. Hosting HTTPS enabled website using S3 and CloudFront

  11. Advanced Networking: Setup Site-To-Site VPN between AWS VPC and simulated on-premise network

  12. Advanced Networking: Setup AWS and Google Site to Site VPN using Dynamic BGP Routing

  13. Transit Gateway – Setup communication between multiple VPCs and On-premise network

  14. AWS Client VPN and various scenarios like accessing Internet, Split Tunnel, accessing Peered VPCs via Client VPN connection

Additional exercises:

  1. Application Load Balancer – distribute traffic to backend EC2 instances

  2. Enable Sticky session on ALB

  3. Enable HTTPS on Application Load Balancer

  4. ALB Path based Routing

Note: This course does not cover all minute details/limits/what if kind of contents which are required to be remembered for AWS networking certification exam however this course instead focuses on understanding the core concepts well by doing hands on exercise.

Understanding AWS Networking

Basics of AWS Networking (Part 1)

In this lecture, you will learn about Basics of AWS VPC, moving physical to virtual networking, VPC terminologies and how to calculate VPC, Subnets address in CIDR notation

Understanding VPC Subnets and Route Tables (Part 2)

In this lecture, understand how the routing works within VPC to allow communication between subnets or between subnets and internet. What are public subnets, what are private subnets and how to restrict network reaching to your EC2 instances using Security groups and Network ACLs.

Network ACL (Hands On)

As many of you asked for NACL exercise, just adding it here. Hope this helps you clearly understand the differences between Security group and Network ACL and how can you use NACL to allow or deny traffic.

Understanding NAT Gateway and NAT Instance (Part 3)

In this lecture, you will understand the very important network component "NAT". Why to use NAT, NAT benefits, the working of NAT (Network address translation) and how to use AWS NAT Gateway to allow instances in private subnets to access internet.

Then we will see how to configure EC2 instance as a NAT and what all it takes to launch and configure EC2 instance to function as NAT.

Understanding VPC Peering, VPC Endpoint, VPN and Direct Connect (Part 4)

In this lecture, understand advanced networking features of AWS. To start with, we will see how to connect two VPCs over a private network using VPC peering followed by VPC Endpoint. We will also see an overview of AWS and On-premise connectivity options in the form of VPN connection and DirectConnect. In the exercises section, you will find an exercise for setting up VPN connection using AWS Virtual Private Gateway.

That's all you need to know as an intermediary level AWS solution architect or devops engineer or developer when it comes to Networking in AWS.

Please move on to Section 2 and complete all Hands on exercises. This should definitely give you confidence to design and create network architecture for any given requirements.

AWS VPC - Hands On Exercises

VPC with Public Subnet (Hands On)

This is our first exercise and its very simple. Make sure you follow each step carefully and remember what we did so that while doing next exercises, it will be easy for you to set the things up quickly.

In this exercise, learn how to setup VPC with Public Subnet and connect to EC2 instance launched in this Subnet.

Here, we are not using default VPC. In the real world scenario, when you would require a Web application to be accessible over internet, typically you will create this kind of the setup. Optionally, you may choose to assign Elastic IP to EC2 instance instead of Public IP as Elastic IPs remains associated with the instance even after instance restart or you can detach and re-attach to another EC2 instance.

VPC with Public and Private Subnets (Hands On)

In this exercise, learn how to setup VPC with Public and Private subnets. We then create EC2 instances in each subnet and connect to Private EC2 instance via EC2 instance in Public Subnet.

In real life, you would have Web server or public facing instances in Public subnets and Application servers/Database servers in private subnet. You can build your network as explained in this video and achieve the desired network security and isolation.

NAT Gateway (Hands On)

In this exercise, learn how to NAT Gateway to allow EC2 instances in Private subnet to access internet.

In real life, you will have Application servers/Database servers in private subnet but still need to have internet connectivity to download packages from the internet. For this NAT can be used where it allows instances in private subnet to access internet but we can not reach to these instances from over the internet

NAT EC2 Instance (Hands On)

In this exercise, learn how to use EC2 instance as NAT instead of NAT Gateway.

Understand that NAT Gateway is managed AWS service which automatically scales and is highly available in the AZ. When we use EC2 instance as NAT, its called NAT Instance. In that case, the availability and bandwidth scaling is limited and hence NAT Instance might not be a good choice for deploying in production environment. Typically people deploy NAT instance in Dev/QA environments and use NAT Gateway in Production environment.

VPC Peering across AWS Regions (Hands On)

In this exercise, learn how to setup VPC peering between 2 VPCs across AWS Regions. VPC Peering is very important feature of AWS networking by which you can create private connectivity between 2 VPC. The EC2 instances in these VPCs can communicate with each other over Private IP addresses.

With VPC Peering, you don't require to have VPN connection and no need to expose your applications over internet if only other customers in AWS need to access it securely.

VPC Peering Use cases and Limitations

This lecture captures the VPC peering features, limitations and use cases. Though VPC Peering is an important offering from AWS, it has been designed in a way that it does not allow transitive access. Due to this, VPC peering is a safe networking construct which you can use to allow private communication between workloads hosted in same or different AWS accounts in same  or different AWS regions.

VPC Endpoint to connect to S3 over Private network (Hands On)

In this exercise, we will see how to use VPC Endpoint gateway which enables a private connection between VPC and another AWS service (currently only S3 and DynamoDB). If enabled, you do not require IGW or NAT when EC2 needs to access S3 or DynamoDB in same AWS region. The traffic between VPC & AWS service does not leave the Amazon network.

VPC endpoint gateway scales automatically and provides consistent bandwidth for S3 or DynamoDB access. Using VPC endpoint gateway instead of internet to access S3. It saves you considerable data transfer cost (and NAT charges). Also VPC endpoint gateway scales automatically as more bandwidth is required.

VPC PrivateLink to expose Application services privately (Hands On)

In this exercise, you will learn how your applications hosted privately in AWS  can be exposed securely to other AWS services.

By definition, AWS PrivateLink simplifies the security of data shared with cloud-based applications by eliminating the exposure of data to the public Internet. AWS PrivateLink provides private connectivity between VPCs, AWS services, and on-premises applications, securely on the Amazon network. AWS PrivateLink makes it easy to connect services across different accounts and VPCs to significantly simplify the network architecture.

In this exercise, we will host a Webserver service in one of the VPC in private subnet and will expose this service to service consumer in other VPC.

Advanced: AWS VPN Connectivity - Hands on exercises

AWS Site-To-Site VPN Connection (Hands On)

In this exercise, we will see how to setup Site-To-Site IPSec VPN connection between AWS VPC and simulated data center.  As we don't have our own datacenter (physical) router on the other end, we will use EC2 instance as VPN endpoint which has OpenSWAN VPN software installed.

After completing this exercise, you will know how VPN works in real world. As a next step, you may also want to  setup VPN connectivity between AWS and Google Cloud or AWS and Azure cloud.

Advanced Networking: AWS and Google Cloup Site to Site VPN using BGP Routing

In this lecture, we are going to see how to setup site to site VPN using BGP routing. BGP stands for Border Gateway Protocol and used widely for dynamic routing between different AS (Autonomous Systems). BGP stabilizes the network by identifying optimal network paths using Path vector protocol, policy based and rules based routing. If the routing is done within AS then its called internal BGP or iBGP however when its between different AS then its called external BGP or eBGP.

In this lecture, we will setup eBGP between AWS and Google network. This kind of hybrid networks are always seen in big enterprises where there are multiple ISP networks.

Advanced Networking: AWS Client VPN (Hands On)

Introduction to Client VPN (Client to Site) VPN

We earlier learnt about AWS Site-to-Site to VPN. In this lecture we will understand the basics of Client to Site VPN and then AWS Client VPN service, its components and architecture.

How to setup AWS Client VPN (Hands On)

Let's setup the AWS Client VPN from our local workstation to AWS VPC. AWS Client VPN setup is slightly more complicated the site to site VPN and have few more components like Authorization Rules, Authentication etc. But we will see all these components one by one and then will create those as we progress through the lab.

In this lab, you should be able to setup Client to Site VPN successfully.

AWS Client VPN Scenario 1: Access Internet via VPC IGW (Hands On)

When we setup Client to Site VPN, by default all the traffic from local workstation is routed to VPN including your outbound internet traffic. Now if the VPC to which we are connecting does not have explicit outbound internet connectivity via the IGW then we also can not access internet from our local workstation while we are connected to VPN.

In this lecture we will see how to enable internet connectivity by two available options.

1. Via VPC VGW

2. Using local workstation internet (Split Tunnel)

AWS Client VPN Scenario 2: Access Internet using Split Tunnel (Hands On)

In earlier lecture, we saw how to access internet via VPC IGW however this is probably not the correct approach in all scenarios. In many cases you might have to access other networks from your local workstations e.g may be home network or you want to use internet connection directly from your workstation. In such situations you can configure split tunnel on your openvpn client. In that case you route only the desired traffic through VPN tunnel and rest of the traffic is routed through your local network.

In this lecture, we will see how to configure Split Tunnel while using AWS Client VPN.

AWS Client VPN Scenario 3: Access Peered VPC (Hands On)

In earlier lectures we saw few scenarios where we can access internet via IGW or use local internet using Split Tunnel method. However as you now know the Client VPN traffic lands into your VPC's target subnet and from there you can literally access any other network connected to your VPC. You can access IGW, Peered VPC, other IPSec VPN connected to your VPC, transit gateway , VPC endpoints etc.

In this lecture, we will see how to access peered vpc while you are connencted to base VPC via AWS Client VPN.

Advanced: Transit VPC and Transit Gateway (Hands on)

Transit VPC

Transit VPC is a solution by which we can greatly simplifies the network topology when it comes to connection multiple VPCs or VPCs and On-premises networks. Transit VPC is not a gateway or any service from AWS but its a solution deployed on EC2 instances in centralized VPC using CISCO CSR 1000V routers. Many companies used Transit VPC solution to solve their networking challenges and it has been a great solution so far. However you should rather look at moving to newly launched service Transit Gateway which essentially solves the same problem natively in AWS.

Transit Gateway - Part 1 (Hands on)

AWS Transit Gateway is a service that enables customers to connect their Amazon Virtual Private Clouds (VPCs) and their on-premises networks to a single gateway. As you grow the number of workloads running on AWS, you need to be able to scale your networks across multiple accounts and Amazon VPCs to keep up with the growth. Today, you can connect pairs of Amazon VPCs using peering. However, managing point-to-point connectivity across many Amazon VPCs, without the ability to centrally manage the connectivity policies, can be operationally costly and cumbersome. For on-premises connectivity, you need to attach your AWS VPN to each individual Amazon VPC. This solution can be time consuming to build and hard to manage when the number of VPCs grows into the hundreds.

Transit Gateway - Part 2 (Hands on)
Transit Gateway - Part 3 (Hands on)

AWS Route53 DNS Management and Website hosting - Hands on exercises

Hosting website on S3 with custom domain name from Godaddy (Hands On)

In this lecture, we will see how to host static website on S3. However AWS provides custom aws dns names for website hence we need to map our own domain name to AWS provided dns name. This is done using AWS Route53 service. Here for this exercise, I have got my domain from Godaddy and I updated godaddy DNS to resolve to AWS Route53 DNS. Then added record set in AWS Route53 to point the my custom domain to S3.

Note that AWS S3 does not provide a single IP address for websites hosted on S3, hence we have to use Route53 Alias record set to point our domain name to S3 DNS.

Secure website with HTTPS using S3 and CloudFront (Hands on)

In this lecture, we will see how to enable HTTPS for websites hosted on S3. In the last lecture we hosted static website on S3 however we can't make it HTTPS as S3 does not support uploading SSL certificates. For this we need to have CloudFront (CDN) which acts as a front end for our website. We can deploy SSL certificate on CloudFront and it also caches the static contents like Pictures/Media giving user better experience by serving the contents from the nearest edge location.

For this exercise, we need to have your own domain name. You can buy that either from AWS or from any other domain registrar like Godaddy or namecheap etc. To know how to redirect your DNS queries from domain registrar to AWS Route53, please refer earlier lecture "Hosting website on S3 using custom domain name.."

Route53 DNS Region Level Failover (Hands On)

In this exercise, we will see how to use Route53 to achieve AWS Region level failover. As you already know we can use ELB with backend EC2 instances to achieve high availability within same AWS region. However many a times its required to distribute your workloads across AWS regions e.g for failover, country specific regulations, providing lower latency to endusers etc. In this case, we need to manage the traffic at DNS level and its done using different AWS Route53 routing policies.

In this exercise, we will be using Failover routing policy where we configure the Primary and Secondary sites in different AWS regions and then simulate the primary site failure which results in DNS switching to secondary site.

Application Load Balancer (ALB) - Routing, Stickiness, Custom Domain and HTTPS

ALB with 2 backend EC2 instances (Round Robin Routing)

In this lecture, we will start with basic ALB with two backend EC2 instances. Important thing here is the VPC network setup. Note that ALB is internet facing and hence should be launched in Public Subnets across AZs however the backend EC2 instances need not be public facing and ideally they should be launched inside Private subnets across AZs.

In this lecture, we will setup the VPC and launch ALB and backend EC2 instances. Also, we will see that by default  ALB does the round robin routing to backend ec2 instances.

ALB Session Stickiness

In this lecture we will see how to enable session stickiness so that the request from any particular client will be served by same backend EC2 instance. This is often required when you are doing any transaction or session data has to be persisted for some time till user takes some action. Here AWS Application load balancer using AWSALB cookie.

ALB with Custom Domain Name using Route53

In this lecture we will see how to use our own domain name to serve application hosted using Load Balancer. For this we need to have our own domain name purchased and use AWS Route53 DNS service. In Route53, we will create A record (Alias) and point our custom domain or subdomain to ALB DNS.


In this lecture, we will extend the earlier setup and server our application over HTTPS instead of HTTP. As you already know, in order to enable HTTPS (SSL) communication, we need to deploy SSL certificate for the domain. Hence, we will acquire the SSL certificate for our custom domain from ACM (Amazon Certificate Manager) and deploy it on ALB.

ALB URL or Path based Routing

In this lecture, we will see how can we use Application Load Balancer to route traffic to different backend EC2 instances based on URL/Path of the HTTP request. As you know ALB works at Layer7 and hence HTTP requests can be intercepted by ALB. Further based on certain string in the path e.g /image /vidoes etc, we can configure the Rules in ALB listener to route traffic to different Target groups which eventually distributes traffic to different group of backend EC2 instances.

You can view and review the lecture materials indefinitely, like an on-demand channel.
Definitely! If you have an internet connection, courses on Udemy are available on any device at any time. If you don't have an internet connection, some instructors also let their students download course lectures. That's up to the instructor though, so make sure you get on their good side!
4.6 out of 5
2062 Ratings

Detailed Rating

Stars 5
Stars 4
Stars 3
Stars 2
Stars 1
30-Day Money-Back Guarantee


9 hours on-demand video
Full lifetime access
Access on mobile and TV
Certificate of Completion
AWS VPC and Networking in depth: Learn practically in 8 hrs
$108.98 $89


For Professionals

For Businesses

We support Sales, Marketing, Account Management and CX professionals. Learn new skills. Share your expertise. Connect with experts. Get inspired.


Partnership Opportunities

Layer 1
Register New Account
Compare items
  • Total (0)