AWS NETWORKING WORKBOOK
(Hands-on, Step-by-Step)
Author: ChatGPT • Version: 2025-10-30 • Region suggestion: eu-central-1 (Frankfurt)
Audience: Network engineers learning AWS networking by doing.
Guardrails first (do these once):
- Create an AWS Budget alert at 5 €, 20 €, 50 €.
- Enable Cost Explorer. Tag all lab resources with: Project=AwsNetworkingWorkbook, Owner=<your_email>.
- Always run “CLEANUP” after each lab.
Prerequisites you’ll reuse
- One key pair, one default VPC (or create a dedicated “lab-landing-zone” VPC).
- AWS CLI v2 installed and configured; an IAM user/role with admin rights for the lab.
- A small Amazon Linux 2023 [Link] (ARM) or [Link] (x86) instance in a public subnet for tests.
- Security test tools: curl, dig/bind-utils, tcpdump (optional).
LAB 0 — Warmup & Reachability Analyzer
Objective: Validate your account setup and learn to answer “why is the path blocked?” the AWS-native way.
Steps:
1) Launch a [Link] in a public subnet with SG allowing SSH from your IP only.
2) Create a private subnet and a second [Link] without public IP.
3) Open VPC → Reachability Analyzer, create a path (Public EC2 → Private EC2 on TCP/22) and run an analysis.
4) Review the explanation (missing route/NAT/SG/NACL). Fix, re-run.
Verify: Reachability Analyzer shows “reachable”; SSH from public → private via SSM Session Manager or bastion (bonus).
Cleanup: Terminate instances you don’t need.
LAB 1 — VPC Baseline: Public & Private Subnets + IGW + (Optional) NAT Gateway
Objective: Build a production-like two-tier network.
Architecture: 1 VPC, 2 AZs, public subnets with IGW, private subnets with default-deny.
Steps:
1) Create VPC ([Link]/16). Create 2× public (/24) and 2× private (/24) subnets across AZs.
2) Route tables: Public RT → route [Link]/0 to the IGW; Private RT has no [Link]/0 route (or routes it to the NAT GW if you add one).
3) Launch “web” in public; “app” in private. Test ping/curl to the Internet from app (fails without NAT, succeeds with NAT).
4) SG: web allows 80/443 from your IP; app allows 8080 from web’s SG (SG-to-SG reference).
Verify: Web reachable from your IP; app reachable only from web SG; Internet egress works as designed.
Cleanup: Remove NAT GW if created (it charges); delete instances if done.
LAB 2 — Security Groups vs. NACLs (stateful vs. stateless)
Objective: See the difference and when to use which.
Steps:
1) Keep LAB 1 infra. Add an inbound NACL rule to block TCP/80 on the public subnet.
2) Try curl to web → blocked despite SG allowing it.
3) Remove NACL block; instead, remove SG port 80 → blocked again.
4) Use Reachability Analyzer to compare findings.
Verify: You can explain stateful SGs vs stateless NACLs and show evidence.
Cleanup: Revert NACL to default, keep only SG rules you need.
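Added example (not workbook code): a small Python model of what LAB 2 shows on the wire. A security group is stateful, so only the first packet of a connection is checked; a NACL is stateless and numbered, so the reply to the client's ephemeral port is evaluated again on the way out. The client IP, ports and rule sets below are constructed assumptions; `lab2_step1` and `lab2_step3` mirror the two blocking experiments, and `nacl_without_ephemeral` shows the classic stateless failure the lab does not spell out.

```python
"""Toy model of AWS security groups (stateful) vs network ACLs (stateless).
Constructed example for LAB 2; the IPs, ports and rules are assumptions, not workbook values."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str              # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str               # source CIDR for inbound rules, destination CIDR for outbound rules
    action: str = "allow"   # NACL rules may be "deny"; SG rules are always "allow"
    number: int = 0         # NACL evaluation order (lowest first); unused for SG rules

    def matches(self, proto: str, port: int, ip: str) -> bool:
        if self.proto not in ("all", proto):
            return False
        if not self.port_from <= port <= self.port_to:
            return False
        return ipaddress.ip_address(ip) in ipaddress.ip_network(self.cidr)


def allow_all(number: int) -> Rule:
    """The default NACL rule 100 ('allow everything'); the implicit '*' rule denies the rest."""
    return Rule("all", 0, 65535, "0.0.0.0/0", "allow", number)


class SecurityGroup:
    """Stateful: only the first packet of a connection is checked; replies are allowed automatically."""

    def __init__(self, inbound: list[Rule]):
        self.inbound = inbound

    def allows_new_inbound(self, proto: str, dport: int, src_ip: str) -> bool:
        return any(r.matches(proto, dport, src_ip) for r in self.inbound)


class NetworkAcl:
    """Stateless: every packet in each direction is matched against numbered rules, first match wins."""

    def __init__(self, inbound: list[Rule], outbound: list[Rule]):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def evaluate(self, direction: str, proto: str, port: int, remote_ip: str) -> tuple[str, str]:
        rules = self.inbound if direction == "inbound" else self.outbound
        for r in rules:
            if r.matches(proto, port, remote_ip):
                return r.action, str(r.number)
        return "deny", "*"  # implicit final rule


def tcp_connection(sg: SecurityGroup, nacl: NetworkAcl,
                   client_ip: str, client_port: int, server_port: int) -> tuple[bool, str]:
    """Walk a client SYN and the server's reply through the subnet NACL and the instance SG."""
    # 1. SYN enters the subnet: NACL inbound, matched on destination port and source IP.
    action, num = nacl.evaluate("inbound", "tcp", server_port, client_ip)
    if action == "deny":
        return False, f"blocked by NACL inbound rule {num}"
    # 2. SYN reaches the ENI: SG inbound.
    if not sg.allows_new_inbound("tcp", server_port, client_ip):
        return False, "blocked by security group (no inbound rule for port)"
    # 3. Reply leaves the ENI: the SG is stateful, so there is nothing to check.
    # 4. Reply leaves the subnet: NACL outbound is evaluated again, now on the client's ephemeral port.
    action, num = nacl.evaluate("outbound", "tcp", client_port, client_ip)
    if action == "deny":
        return False, f"reply blocked by NACL outbound rule {num} (stateless: ephemeral ports needed)"
    return True, "allowed"


MY_IP = "203.0.113.10"   # constructed "your IP" from the LAB 1 security-group design
WEB_SG = SecurityGroup([Rule("tcp", 80, 80, f"{MY_IP}/32"), Rule("tcp", 443, 443, f"{MY_IP}/32")])
DEFAULT_NACL = NetworkAcl([allow_all(100)], [allow_all(100)])


def baseline() -> tuple[bool, str]:
    """LAB 1 end state: default NACL, SG allows 80 from your IP."""
    return tcp_connection(WEB_SG, DEFAULT_NACL, MY_IP, 51515, 80)


def lab2_step1() -> tuple[bool, str]:
    """Inbound NACL rule 50 denies TCP/80 ahead of rule 100; the SG still allows 80."""
    nacl = NetworkAcl([Rule("tcp", 80, 80, "0.0.0.0/0", "deny", 50), allow_all(100)], [allow_all(100)])
    return tcp_connection(WEB_SG, nacl, MY_IP, 51515, 80)


def lab2_step3() -> tuple[bool, str]:
    """NACL back to default; the SG rule for port 80 is removed."""
    sg = SecurityGroup([Rule("tcp", 443, 443, f"{MY_IP}/32")])
    return tcp_connection(sg, DEFAULT_NACL, MY_IP, 51515, 80)


def nacl_without_ephemeral() -> tuple[bool, str]:
    """Custom NACL allowing only TCP/80 in both directions: the SYN passes, the reply is dropped."""
    only_80 = [Rule("tcp", 80, 80, "0.0.0.0/0", "allow", 100)]
    return tcp_connection(WEB_SG, NetworkAcl(only_80, only_80), MY_IP, 51515, 80)
```

The last scenario is the one to remember when you write custom NACLs: the inbound allow on port 80 is not enough, the outbound side must also allow the 1024-65535 ephemeral range, otherwise the handshake never completes even though the SG is perfectly happy.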
LAB 3 — VPC Endpoints: Gateway (S3) + Interface (SSM) for Private Subnets
Objective: Give private subnets Internet-less access to AWS services.
Steps:
1) Create a Gateway Endpoint (S3) and attach to private route tables (adds prefix-list routes).
2) Create Interface Endpoints for SSM + EC2 Messages; enable private DNS.
3) On private instance: `aws s3 ls s3://aws-publicdatasets` and `sudo yum update` via SSM (no NAT needed).
Verify: Endpoint connections succeed without NAT/IGW. DNS resolves to vpce-*.[Link].
Cleanup: Remove endpoints if you’re cost-sensitive (interface endpoints bill per hour + data).
LAB 4 — VPC Peering (Cross-VPC East-West)
Objective: Connect two VPCs without a TGW and see that peering routes are added manually and that peering is non-transitive.
Steps:
1) Create VPC-A ([Link]/16) and VPC-B ([Link]/16). Peer A↔B (request/accept).
2) Add static routes in each VPC route table to the other VPC via the peering.
3) SGs must allow the traffic (e.g., ICMP/SSH). Test A↔B.
Verify: Instances in A and B communicate; there is no transit through B to a third peered VPC C (peering is non-transitive).
Cleanup: Delete the peering if you’ll move to TGW next.
LAB 5 — Transit Gateway (TGW) Hub-and-Spoke with Segmentation
Objective: Connect three VPCs via TGW and enforce segmentation using TGW route tables.
Architecture: TGW with 2 route tables (ProdSeg/SharedSeg); VPC-Prod, VPC-Shared, VPC-Tools.
Steps:
1) Create TGW. Attach three VPCs (one attachment per VPC).
2) Create TGW-RT-ProdSeg and TGW-RT-SharedSeg. Associate Prod to ProdSeg; Shared/Tools to SharedSeg.
3) Add TGW-RT associations/propagations so Prod ↔ Shared works, Tools ↔ Shared works, but Prod ✕ Tools is blocked.
4) Test ICMP/SSH across spokes; confirm blocked paths.
Verify: Intended paths succeed; blocked paths fail. Explain attachment hourly + per-GB costs.
Cleanup: Detach VPCs; delete TGW to stop charges.
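Added example (not workbook code): a Python model of the LAB 5 segmentation so you can reason about associations and propagations before clicking through the console. An association decides which TGW route table traffic arriving from an attachment is looked up in; a propagation inserts the attachment's CIDR into a table. The VPC CIDRs are constructed assumptions. `build_lab5` reproduces the two-table design from the lab; `build_three_tables` goes beyond it with a dedicated ToolsSeg table.

```python
"""Toy model of Transit Gateway route tables: associations decide which table an attachment's
traffic is looked up in, propagations populate tables with attachment CIDRs.
Constructed example for LAB 5; VPC CIDRs and names are assumptions, not workbook values."""
from __future__ import annotations

import ipaddress

VPCS = {"Prod": "10.10.0.0/16", "Shared": "10.20.0.0/16", "Tools": "10.30.0.0/16"}


class TransitGateway:
    def __init__(self) -> None:
        # route table name -> {cidr: target attachment, or None for a blackhole route}
        self.route_tables: dict[str, dict[str, str | None]] = {}
        # attachment -> route table used when traffic *arrives from* that attachment
        self.association: dict[str, str] = {}

    def create_route_table(self, name: str) -> None:
        self.route_tables[name] = {}

    def associate(self, attachment: str, rt: str) -> None:
        self.association[attachment] = rt

    def propagate(self, attachment: str, rt: str) -> None:
        """Propagation: the attachment's VPC CIDR is inserted into the given table."""
        self.route_tables[rt][VPCS[attachment]] = attachment

    def add_static(self, rt: str, cidr: str, attachment: str | None = None) -> None:
        self.route_tables[rt][cidr] = attachment   # None models a blackhole route

    def lookup(self, src_attachment: str, dst_ip: str) -> str | None:
        """Longest-prefix match in the table associated with the source attachment."""
        table = self.route_tables[self.association[src_attachment]]
        ip = ipaddress.ip_address(dst_ip)
        best_net, best_target = None, None
        for cidr, target in table.items():
            net = ipaddress.ip_network(cidr)
            if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
                best_net, best_target = net, target
        return best_target   # None: no route or blackhole -> packet dropped


def sample_host(vpc: str) -> str:
    """Tenth address of the VPC CIDR, used as a representative instance IP."""
    return str(ipaddress.ip_network(VPCS[vpc])[10])


def path_status(tgw: TransitGateway, src: str, dst: str) -> tuple[bool, bool]:
    """(forward_ok, return_ok): a TCP session needs a route in both directions."""
    forward = tgw.lookup(src, sample_host(dst)) == dst
    back = tgw.lookup(dst, sample_host(src)) == src
    return forward, back


def reachable(tgw: TransitGateway, a: str, b: str) -> bool:
    return all(path_status(tgw, a, b))


def build_lab5() -> TransitGateway:
    """The workbook's two-table design: ProdSeg and SharedSeg."""
    tgw = TransitGateway()
    for rt in ("ProdSeg", "SharedSeg"):
        tgw.create_route_table(rt)
    tgw.associate("Prod", "ProdSeg")
    tgw.associate("Shared", "SharedSeg")
    tgw.associate("Tools", "SharedSeg")
    # ProdSeg learns only Prod and Shared; SharedSeg learns everything (Shared must reach Prod).
    tgw.propagate("Prod", "ProdSeg")
    tgw.propagate("Shared", "ProdSeg")
    for attachment in VPCS:
        tgw.propagate(attachment, "SharedSeg")
    return tgw


def build_three_tables() -> TransitGateway:
    """Beyond the lab: a separate ToolsSeg table so Tools has no forward route to Prod at all."""
    tgw = build_lab5()
    tgw.create_route_table("ToolsSeg")
    tgw.associate("Tools", "ToolsSeg")
    tgw.propagate("Tools", "ToolsSeg")
    tgw.propagate("Shared", "ToolsSeg")
    return tgw
```

Worth noticing in the two-table design: because Tools shares SharedSeg with Shared, and Shared needs a route to Prod, Tools also has a forward route to Prod. The block only works because ProdSeg has no route back to Tools, so the replies are dropped. If you want Tools to have no forward path at all (cleaner for flow-log analysis and for anything UDP-ish that never expects a reply), give Tools its own table as in `build_three_tables`, or use a blackhole static route where the CIDRs allow it.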
LAB 6 — AWS Network Firewall (Centralized Egress)
Objective: Force all Internet egress from private subnets through ANFW for L3/L4 filtering.
Architecture: Inspection VPC with firewall endpoints in subnets per AZ; spoke VPC routes default to the firewall endpoint → NAT GW → IGW.
Steps:
1) Deploy inspection VPC and firewall subnets (min 2 AZs). Create Network Firewall + rule groups (block *.[Link] or TCP/23 as demo).
2) In spoke VPCs, route [Link]/0 to the firewall endpoint in the same AZ (GWLB endpoints are an alternative design).
3) Verify egress from spoke private instance → filtered by rules.
Verify: Blocked domains/ports fail; allowed traffic passes.
Cleanup: Delete firewall, endpoints, extra NAT GWs (to avoid cost).
LAB 7 — Amazon VPC Lattice (Service-to-Service Across VPCs)
Objective: Publish a service in VPC-A and consume it from VPC-B without VPC peering or TGW-level routing.
Steps:
1) Create two VPCs and two services (e.g., frontend in A, backend in B on port 8080).
2) Create a VPC Lattice service network; attach both VPCs.
3) Register targets (ALB/instances) and add auth/routing policy (allow only from frontend’s VPC).
4) Test HTTP calls frontend → backend via Lattice DNS.
Verify: Cross-VPC call works; SG/NACL remain local; policies are at Lattice layer.
Cleanup: Delete lattice resources after tests.
LAB 8 — NLB + PrivateLink (Interface Endpoint Service)
Objective: Expose a service privately to other accounts/VPCs using NLB + PrivateLink.
Steps:
1) In Provider VPC, deploy NLB in front of a simple HTTP app.
2) Create an Endpoint Service; allow principal = your account ID (or Organization).
3) In Consumer VPC, create Interface Endpoint to that service; test curl to vpce DNS name.
Verify: No IGW, no peering/TGW required; traffic stays on AWS backbone.
Cleanup: Delete endpoint service/endpoints and NLB.
LAB 9 — Route 53 Resolver Inbound/Outbound + Conditional Forwarding
Objective: Hybrid-style name resolution across VPCs (or to on-prem simulator).
Steps:
1) Create a private hosted zone ([Link]). Attach to VPC-App.
2) In VPC-Shared, create Resolver inbound endpoint; allow SG from VPC-App.
3) Create conditional forwarder in VPC-App pointing to VPC-Shared inbound endpoint for [Link].
4) Optionally run a BIND server on EC2 in VPC-Shared to answer [Link].
Verify: `dig [Link]` works in App; `dig [Link]` forwards to Shared/inbound/BIND.
Cleanup: Remove endpoints/EC2 if not needed.
LAB 10 — Observability: VPC Flow Logs + Athena Queries
Objective: Capture and query network traffic metadata.
Steps:
1) Enable VPC Flow Logs to S3 (AWS default format v5).
2) In Athena, create external table using AWS blog DDL (or Glue crawler).
3) Run queries: top talkers, rejects by SG/NACL, bytes by dstaddr.
Verify: You can correlate blocked connections to SG/NACL/TGW decisions.
Cleanup: Stop flow logs and remove the S3 bucket if created just for lab.
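Added example (not workbook code): an offline Python version of the three LAB 10 queries, run over a handful of constructed flow-log lines, plus one extra query that a network engineer usually ends up writing by hand. The field order is assumed to be the default flow-log format (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status); adjust `FIELDS` to match the custom format you enabled. The account ID, ENI IDs and addresses in the sample are made up.

```python
"""Offline parsing and Athena-style aggregation of VPC Flow Log records.
Constructed example for LAB 10; the sample records and the default field order are assumptions."""
from __future__ import annotations

from collections import Counter

# Assumed field order (AWS default format). Change this if you enabled a custom format.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport", "dstport",
          "protocol", "packets", "bytes", "start", "end", "action", "log_status"]

# Constructed sample: web ENI (eni-0aaa) and app ENI (eni-0bbb) from the LAB 1 layout.
SAMPLE = """\
2 123456789012 eni-0aaa 203.0.113.10 10.0.1.20 51515 80 6 10 8400 1730000000 1730000060 ACCEPT OK
2 123456789012 eni-0aaa 203.0.113.10 10.0.1.20 51516 22 6 1 60 1730000000 1730000060 REJECT OK
2 123456789012 eni-0aaa 198.51.100.7 10.0.1.20 40000 80 6 3 180 1730000000 1730000060 REJECT OK
2 123456789012 eni-0aaa 198.51.100.7 10.0.1.20 40001 80 6 3 180 1730000060 1730000120 REJECT OK
2 123456789012 eni-0aaa 10.0.1.20 10.0.2.30 43210 8080 6 20 15000 1730000000 1730000060 ACCEPT OK
2 123456789012 eni-0bbb 10.0.1.20 10.0.2.30 43210 8080 6 20 15000 1730000000 1730000060 ACCEPT OK
2 123456789012 eni-0bbb 10.0.2.30 10.0.1.20 8080 43210 6 18 120000 1730000000 1730000060 REJECT OK
2 123456789012 eni-0bbb - - - - - - - 1730000000 1730000060 - NODATA
"""

INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")


def parse_flow_logs(text: str) -> list[dict]:
    """Split space-separated records into dicts; drop NODATA/SKIPDATA and malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                      # malformed or partial line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue                      # NODATA / SKIPDATA carry no traffic fields
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def top_talkers(records: list[dict], n: int = 3) -> list[tuple[str, int]]:
    """Accepted bytes per source address. Note: a flow crossing two ENIs in the VPC is
    logged once per ENI, so intra-VPC traffic counts twice unless you filter by interface."""
    counter: Counter = Counter()
    for r in records:
        if r["action"] == "ACCEPT":
            counter[r["srcaddr"]] += r["bytes"]
    return counter.most_common(n)


def rejects_by_target(records: list[dict]) -> list[tuple[tuple[str, int, str], int]]:
    """REJECT count per (dstaddr, dstport, srcaddr): who is knocking on which closed door."""
    counter = Counter((r["dstaddr"], r["dstport"], r["srcaddr"])
                      for r in records if r["action"] == "REJECT")
    return counter.most_common()


def bytes_by_dstaddr(records: list[dict]) -> list[tuple[str, int]]:
    counter: Counter = Counter()
    for r in records:
        counter[r["dstaddr"]] += r["bytes"]
    return sorted(counter.items(), key=lambda kv: -kv[1])


def suspected_stateless_drops(records: list[dict]) -> list[tuple[str, str, int, str, int]]:
    """Heuristic: a REJECT whose reverse 5-tuple was ACCEPTed on the same ENI is return traffic
    that a stateful SG would have allowed, so the likely culprit is a stateless NACL."""
    accepted = {(r["interface_id"], r["srcaddr"], r["dstaddr"], r["srcport"], r["dstport"], r["protocol"])
                for r in records if r["action"] == "ACCEPT"}
    hits = []
    for r in records:
        if r["action"] != "REJECT":
            continue
        reverse = (r["interface_id"], r["dstaddr"], r["srcaddr"], r["dstport"], r["srcport"], r["protocol"])
        if reverse in accepted:
            hits.append((r["interface_id"], r["srcaddr"], r["srcport"], r["dstaddr"], r["dstport"]))
    return hits


if __name__ == "__main__":
    recs = parse_flow_logs(SAMPLE)
    print("top talkers:", top_talkers(recs))
    print("rejects:", rejects_by_target(recs))
    print("bytes by dst:", bytes_by_dstaddr(recs))
    print("stateless drops:", suspected_stateless_drops(recs))
```

The same four aggregations map one-to-one onto `GROUP BY srcaddr`, `GROUP BY dstaddr, dstport, srcaddr WHERE action = 'REJECT'`, `GROUP BY dstaddr` and a self-join on the reversed 5-tuple once the records are in Athena; prototyping them on a few lines first makes the SQL much easier to trust.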
Appendix — Optional extras to try
- Site-to-Site VPN to a software CGW (strongSwan on EC2) and route to TGW.
- Gateway Load Balancer (GWLB) with IDS/IPS appliance for distributed inspection.
- Cloud WAN lab via official workshop code (costs apply).
Suggested official references (read alongside the labs)
- AWS Workshops (Networking): [Link]
- Hands-on Network Firewall Workshop: [Link]
025fa0d1de2f/en-US
- VPC Lattice resources: [Link]
- Transit Gateway lab (community): [Link]
- Well-Architected Labs: [Link]
COST NOTES
- NAT Gateway, Transit Gateway, Interface Endpoints, Network Firewall, and Resolver endpoints charge hourly and/or per-GB. Always delete after use.
- Use [Link]/[Link] where possible; stop instances when idle.