Module 3..pptx

Amazon Route 53 is a DNS and domain registration service that manages domain registration, traffic routing, and resource health monitoring. It provides features such as public and private hosted zones, and allows users to create and manage DNS records. Additionally, the document covers AWS Virtual Private Cloud (VPC) and its components, including subnets, routing, security groups, and IAM for access management.

Uploaded by

Wasil Khan

AWS Cloud Practitioner

AWS Route 53
Amazon Route 53 is used to register new domains, transfer existing domains,
route traffic for your domain to your AWS and external resources, and monitor
the health of your resources.

AWS Route 53 functions:

• DNS management
• Traffic management
• Availability monitoring (health checks)
• Domain registration

AWS Route 53
Route 53 performs three main functions:

(i) Register a domain
(ii) As a DNS service, it routes internet traffic to the resources for your domain
(iii) Check the health of your resources:
   a. Route 53 sends automated requests over the internet to a resource (for example a web server) to verify that the server is reachable, functional and available.
   b. You can also choose to receive a notification when a resource becomes unavailable, and choose to route internet traffic away from unhealthy resources.

AWS Route 53
• When you register a domain with Route 53, the service automatically makes itself the DNS service for the domain by doing the following:
   • It creates a hosted zone that has the same name as your domain.
   • It assigns a set of four name servers to the hosted zone, unique to the account.
   • When someone uses a browser to access your website, the name servers inform the browser where to find your resources, such as a web server or an Amazon S3 bucket.
   • It gets the name servers from the hosted zone and adds them to the domain.

AWS Route 53
• AWS supports:
   • Generic top-level domains (.com, .org, ...)
   • Geographic top-level domains (.in, .uk, ...)

• Registering a domain with Route 53
   • You can register a domain with Route 53 if the TLD is included on the supported TLD list.
   • If the TLD is not included, you can't register the domain with Route 53.

AWS Route 53
• Using Route 53 as your DNS service
   • You can use Route 53 as the DNS service for any domain, even if the TLD for the domain is not included on the supported TLD list.

• Note: each Amazon Route 53 account is limited to a maximum of 500 hosted zones and 10,000 resource record sets per hosted zone. You can increase this limit by requesting it from AWS.

• A record set (now called a DNS record) in Amazon Route 53 is a configuration that maps a domain name (like example.com) to an IP address, AWS service, or another domain.

AWS Route 53
• Hosted zone: a hosted zone in Amazon Route 53 is a container for DNS records that define how internet traffic is routed for a specific domain or subdomain.

• Types of Hosted Zones in Route 53

1. Public Hosted Zone
• Used for domains that are accessible on the internet.
• Example: if you own example.com, you create a public hosted zone to manage records for example.com, www.example.com, etc.

2. Private Hosted Zone
• Used within an Amazon VPC (Virtual Private Cloud) for internal DNS resolution.
• Example: if you have internal applications running inside AWS, you can create a private hosted zone for internal.example.com to resolve names within your VPC.

AWS Route 53
How a Hosted Zone Works

1. You register a domain (e.g., example.com) or use an existing one.
2. You create a hosted zone for that domain in Route 53.
3. Route 53 provides a set of name servers, which you update at your domain registrar.
4. You add DNS records (A, CNAME, etc.) to route traffic to websites, applications, or AWS services.

Virtual Private Cloud (VPC)
A VPC (Virtual Private Cloud) is a logically isolated private network in a cloud environment, allowing you to launch and manage cloud resources securely. It functions like a virtual data center within a cloud provider such as AWS, Azure, or Google Cloud.

Key Features of a VPC

1. Isolation & Security
• Resources inside a VPC are isolated from other VPCs and the public internet (unless explicitly configured).
• Security is enforced using Security Groups and Network ACLs.

2. Custom IP Addressing
• You define a CIDR block (e.g., 10.0.0.0/16) to allocate private IPs to your resources.
• The CIDR block determines how many subnets can be created inside the VPC.

Virtual Private Cloud (VPC)
3. Subnets
• A VPC is divided into subnets, which can be either public (accessible from the internet) or private (isolated from the internet).
• Subnets help in organizing and distributing resources across Availability Zones (AZs).

4. Routing & Connectivity
• Route tables control network traffic inside and outside the VPC.
• An Internet Gateway (IGW) enables public internet access.
• A NAT Gateway or NAT Instance allows private subnets to reach the internet without being reachable from it.
• VPC Peering and Transit Gateway allow inter-VPC communication.

Virtual Private Cloud (VPC)
5. Scalability & Flexibility
• Multiple subnets can be created inside a VPC.
• You can connect on-premises networks using VPN or Direct Connect.
• Supports integration with Load Balancers, Firewalls, and Private Endpoints.

Virtual Private Cloud (VPC)

A VPC is logically isolated from other virtual networks in the AWS cloud.

A maximum of 5 VPCs can be created, and 200 subnets in one VPC.

Once a VPC is created, a DHCP option set, a NACL and a security group are automatically created for it.

A VPC is confined to an AWS region and does not extend between regions.

Virtual Private Cloud (VPC)

A NAT gateway is always created in a public subnet and is used by private subnets.

The router is created inside the VPC, within a region.

Once the VPC is created, you cannot change its CIDR block range.

The different subnets within a VPC cannot overlap.

You can expand your VPC's address space by adding new/extra IP address ranges.

Components of VPC

• Implied router and routing table
• Internet gateway
• Security groups
• Network ACL
• Virtual Private Gateway
• Peering connection
• Elastic IP

Types of VPC

1. Default VPC
   1. Created in each AWS region when an AWS account is created.
   2. Has default CIDR, security group, NACL and routing table settings.
   3. Has an Internet gateway by default.

2. Custom VPC
   1. It is a VPC that the AWS account owner creates.
   2. The AWS user creating the custom VPC decides the CIDR.
   3. Has its own default security group, network ACL, and routing tables.
   4. Does not have an Internet gateway by default; one needs to be created if needed.

Steps to create VPC

1. Create a VPC
2. Create a subnet
3. Create an internet gateway
4. Create a routing table

Subnet
1. Public subnet (IGW is connected)
   1. If a subnet's traffic is routed to an IGW, the subnet is known as a public subnet.
   2. If you want your instance in a public subnet to communicate with the internet over IPv4, it must have a public IPv4 address (dynamic) or an Elastic IP address (doesn't change).

2. Private subnet (not connected with an IGW)
   1. If a subnet does not have a route to the internet gateway, the subnet is known as a private subnet.
   2. When you create a VPC, you must specify an IPv4 CIDR block for the VPC. The allowed block size is between a /16 and a /28 netmask.
   3. The first four and the last IP address of a subnet are reserved by AWS and cannot be assigned.

Subnet

Suppose CIDR = 10.0.0.0/16

10.0.0.0 - network address
10.0.0.1 - reserved by AWS for the VPC router
10.0.0.2 - reserved by AWS; the IP address of the DNS server
10.0.0.3 - reserved for future use
10.0.0.255 - broadcast address

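The reservation rule above, together with the /16 to /28 limit and the no-overlap rule from the earlier slides, checked in code. This is an added example, not part of the slide deck; the plan it validates (the slide's 10.0.0.0/16 VPC split into constructed /24 subnets) is made up for illustration.

```python
from ipaddress import IPv4Network

# Roles of the five addresses AWS reserves in every subnet, in address order.
RESERVED_ROLES = ("network address", "VPC router", "DNS server",
                  "reserved for future use", "broadcast address")


def reserved_addresses(subnet: str) -> dict:
    """Map each AWS-reserved address of a subnet to its role."""
    net = IPv4Network(subnet, strict=True)
    first = net.network_address
    addrs = [str(first + i) for i in range(4)] + [str(net.broadcast_address)]
    return dict(zip(addrs, RESERVED_ROLES))


def usable_hosts(subnet: str) -> int:
    """Addresses that can actually be given to instances (total minus five)."""
    return IPv4Network(subnet, strict=True).num_addresses - 5


def validate_plan(vpc_cidr: str, subnets: list) -> list:
    """Return the rule violations found; an empty list means the plan is valid."""
    problems = []
    vpc = IPv4Network(vpc_cidr, strict=True)
    if not 16 <= vpc.prefixlen <= 28:
        problems.append(f"VPC {vpc} must be between /16 and /28")
    nets = [IPv4Network(s, strict=True) for s in subnets]
    for n in nets:
        if not n.subnet_of(vpc):
            problems.append(f"subnet {n} is outside VPC {vpc}")
        if not 16 <= n.prefixlen <= 28:
            problems.append(f"subnet {n} must be between /16 and /28")
    for i, a in enumerate(nets):          # subnets inside one VPC must not overlap
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"subnets {a} and {b} overlap")
    return problems


if __name__ == "__main__":
    # Constructed plan: the slide's 10.0.0.0/16 VPC split into two /24 subnets.
    print(reserved_addresses("10.0.0.0/24"))
    print(usable_hosts("10.0.0.0/24"))
    print(validate_plan("10.0.0.0/16", ["10.0.0.0/24", "10.0.1.0/24"]))
```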
Implied Router and Router Table
The implied router is the central routing function inside the VPC.

It connects the different AZs together and connects the VPC to the IGW.

You can have up to 200 route tables per VPC.

You can have up to 50 route entries per route table.

Each subnet must be associated with only one route table at any given time.

If you do not specify a subnet-to-route-table association, the subnet will be associated with the default VPC route table.

Internet Gateway
An IGW is a virtual router that connects a VPC to the Internet.

The default VPC already has an IGW attached.

If you create a new VPC, you must attach an IGW in order to access the Internet.

Ensure that your subnet's route table points to the IGW.

It performs NAT between your private and public IPv4 addresses.

It supports both IPv4 and IPv6.

NAT Gateway
You can use a Network Address Translation (NAT) gateway to enable instances in a private subnet to connect to the internet or other AWS services, while preventing the internet from initiating a connection with those instances.

You are charged for creating and using a NAT gateway in your account.

A NAT gateway uses an Elastic IP, not a public IP.

Generally, web servers are placed in a public subnet so users can access the web site. Database servers are placed in a private subnet, so no one on the internet can reach the database.

To create a NAT gateway, you must specify the public subnet in which the NAT gateway should reside.
NAT Gateway

You must also specify an Elastic IP address to associate with the NAT gateway when you create it.

There is no need to assign a public IP address to your private instances.

After you create a NAT gateway, you must update the route table associated with one or more of your private subnets to point Internet-bound traffic to the NAT gateway. This enables instances in your private subnet to communicate with the Internet.

Deleting a NAT gateway disassociates its Elastic IP address, but does not release the address from your account.

Few questions

Q1. I created a NAT gateway and attached it to a private subnet, but I am getting an error: the instances are not accessible over the Internet.

Q2. I have created a NAT gateway, assigned a public IP, and it is in a public subnet, but I still have the same problem.

Security Groups
In AWS (Amazon Web Services), a Security Group (SG) in a VPC (Virtual Private Cloud) acts as a virtual firewall that controls inbound and outbound traffic for AWS resources like EC2 instances, RDS databases, and Lambda functions (when using VPC networking).

Key Features of AWS Security Groups:

1. Stateful:
   1. If an inbound rule allows traffic, the outbound response is automatically allowed.
   2. If an outbound rule allows traffic, the inbound response is automatically allowed.
2. Inbound and Outbound Rules:
   1. You can define allow rules for both directions.
   2. Deny rules are not supported (use Network ACLs for explicit denies).
Security Groups
• Attached to Resources:
   • Each resource (e.g., an EC2 instance) can have multiple Security Groups.
   • One Security Group can be assigned to multiple resources.

• Default Behavior:
   • By default, all inbound traffic is denied.
   • All outbound traffic is allowed unless restricted.

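A small model of the security-group behaviour described on the last two slides: allow rules only, inbound denied unless a rule matches, and stateful tracking so the reply to an allowed connection passes in the other direction. This is an added example, not AWS code; the rules and addresses are constructed, and the group deliberately restricts outbound traffic so the stateful effect is visible.

```python
from ipaddress import ip_address, ip_network


class SecurityGroup:
    def __init__(self, inbound, outbound):
        # Each rule is (protocol, from_port, to_port, cidr). Every rule is an
        # allow rule: security groups have no deny rules (NACLs do).
        self.inbound = inbound
        self.outbound = outbound
        self.tracked = set()          # connections already allowed (stateful)

    @staticmethod
    def _match(rules, proto, port, peer):
        return any(p == proto and lo <= port <= hi
                   and ip_address(peer) in ip_network(cidr)
                   for p, lo, hi, cidr in rules)

    def allow(self, direction, proto, port, peer):
        """direction is 'in' or 'out'; peer is the remote IP; port is the
        local service port. Returns True when the packet is accepted."""
        key = (proto, port, peer)
        if key in self.tracked:       # reply traffic of an allowed connection
            return True
        rules = self.inbound if direction == "in" else self.outbound
        if self._match(rules, proto, port, peer):
            self.tracked.add(key)     # remember it so the response is accepted
            return True
        return False                  # default: deny (no rule matched)


def demo():
    # Constructed web-server group: HTTPS from anywhere in, no outbound rules.
    sg = SecurityGroup(inbound=[("tcp", 443, 443, "0.0.0.0/0")], outbound=[])
    request = sg.allow("in", "tcp", 443, "203.0.113.7")    # True: inbound rule
    reply = sg.allow("out", "tcp", 443, "203.0.113.7")     # True: stateful reply
    ssh = sg.allow("in", "tcp", 22, "203.0.113.7")         # False: no rule, denied
    fresh = sg.allow("out", "tcp", 443, "198.51.100.9")    # False: new outbound
    return request, reply, ssh, fresh
```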
AWS Identity and Access Management (IAM)
• AWS Identity and Access Management (IAM) is a service that helps you securely control access to AWS resources. It allows you to create and manage users, groups, roles, and permissions to enforce least-privilege access.

Key Components of IAM

1. IAM Users
• A user represents an individual person or application that needs access to AWS.
• Each user has credentials (username/password, access keys).
• Users can be assigned permissions via policies.

2. IAM Groups
• A group is a collection of IAM users.
• Policies assigned to a group apply to all members.
• Example groups: Developers, Admins, ReadOnlyUsers.
AWS Identity and Access Management (IAM)
3. IAM Roles
• Roles grant temporary access to AWS resources.
• Used for:
   • Cross-account access (e.g., an AWS service accessing another AWS service).
   • EC2 instances accessing S3, DynamoDB, etc.
   • AWS Lambda interacting with other services.

4. IAM Policies
• JSON-based documents that define permissions.
• Can be attached to users, groups, or roles.
• Two types:
   1. AWS Managed Policies: predefined by AWS (e.g., AdministratorAccess).
   2. Customer Managed Policies: created by users.

AWS Identity and Access Management (IAM)
Example IAM Policy (Allow S3 Access):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}

5. IAM Identity Center (AWS SSO)
• Helps manage single sign-on (SSO) for multiple AWS accounts.
• Integrates with Active Directory, Okta, Google Workspace, etc.

AWS Certificate Manager (ACM)
AWS Certificate Manager (ACM) is a service that helps you provision, manage, and deploy SSL/TLS certificates for securing AWS-based applications and websites.

Key Features of ACM

1. Free Public Certificates
   1. ACM provides free SSL/TLS certificates for AWS services like Elastic Load Balancer (ELB), CloudFront, and API Gateway.
   2. These certificates auto-renew, eliminating manual renewal tasks.

2. Private Certificate Authority (CA)
   1. ACM can issue private certificates for internal applications and services.
   2. Used for securing private networks, IoT devices, and internal APIs.
AWS Certificate Manager (ACM)
3. Automatic Renewal and Deployment
   1. ACM automatically renews certificates before expiration.
   2. Certificates integrate directly with AWS services (ELB, CloudFront, API Gateway, etc.).

4. Managed Certificate Lifecycle
   1. ACM handles certificate issuance, renewal, and revocation.
   2. You don't need to manually upload or rotate certificates.

5. Custom Certificate Upload
   1. You can import third-party SSL/TLS certificates from providers like GoDaddy, DigiCert, and Let's Encrypt.
   2. Imported certificates must be manually renewed.

AWS Key Management Service (KMS)

AWS Key Management Service (KMS) is a managed encryption service that allows you to create, manage, and control the cryptographic keys used to encrypt and decrypt data across AWS services and applications.

Key Features of AWS KMS

Centralized Key Management
• Manage all your encryption keys securely in one place.

Integration with AWS Services
• Seamlessly integrates with services like S3, EBS, RDS, Lambda, DynamoDB, CloudTrail, and more.

AWS Key Management Service (KMS)

Automatic Key Rotation
• AWS automatically rotates keys to improve security (optional for customer-managed keys).

Logging and Auditing
• AWS CloudTrail logs all key usage, helping with compliance and auditing.

FIPS 140-2 Compliance
• KMS is FIPS 140-2 validated, which helps meet government and enterprise security standards.