Why This Phase Exists
Networking is the first thing you design and the last thing you can easily change. Every architectural decision you make from this point forward sits on top of your network topology. Get CIDR allocation wrong and you cannot peer VPCs without rebuilding them. Put a database in a public subnet and no amount of application-layer security will save you. Choose the wrong connectivity model between accounts and you will spend six months in a migration project that should have been a two-hour planning session.
I have reviewed hundreds of Well-Architected Reviews where the root cause of cost overrun, security exposure, or performance degradation traced back to a networking decision made in week one that nobody revisited. An SA who does not understand networking is not an SA. They are a console operator following a tutorial. This phase exists to make sure you are the former.
Networking is the skeleton of every architecture. Compute instances, containers, databases, serverless functions, and managed services all depend on the network paths you define here. You will not simply learn what these services do. You will learn why specific configurations exist, what tradeoffs they encode, and how to reason about traffic flow from packet to policy.
What You Will Master
By the end of Phase 2, you will be able to:
- Design multi-tier VPC architectures with proper CIDR planning for growth and peering
- Implement internet connectivity patterns that balance accessibility with security posture
- Build route table configurations that control traffic flow between subnets, VPCs, and external networks
- Layer security controls at both the subnet boundary (NACLs) and instance boundary (Security Groups)
- Configure DNS resolution with failover, latency-based routing, and health checks
- Deploy content delivery architectures that reduce latency and offload origin servers
- Connect multiple VPCs, on-premises data centers, and remote offices using enterprise-grade networking
You will think in terms of data paths. When someone describes an architecture, you will immediately trace the network path each request takes, identify where latency lives, where single points of failure exist, and where security boundaries are enforced or absent.
Modules in This Phase
| Module | Title | Key Services & Concepts |
|---|---|---|
| 06 | VPC Fundamentals | VPC creation, CIDR blocks, subnets, Availability Zones, IPv4/IPv6 dual-stack |
| 07 | Internet Connectivity | Internet Gateway, NAT Gateway, Elastic IP, Egress-Only Internet Gateway |
| 08 | Route Tables & Traffic Flow | Route tables, route propagation, VPC peering, VPC endpoints, prefix lists |
| 09 | Network Security | Security Groups, NACLs, VPC Flow Logs, AWS Network Firewall |
| 10 | DNS with Route 53 | Hosted zones, record types, routing policies, health checks, DNS failover |
| 11 | Content Delivery with CloudFront | Distributions, origins, cache behaviors, OAC, Lambda@Edge |
| 12 | Advanced Networking | Transit Gateway, PrivateLink, Direct Connect, Site-to-Site VPN, Global Accelerator |
The Progressive Path
These modules are sequenced deliberately. Each one builds on the layer beneath it.
Module 06 establishes the foundation. You cannot configure internet access, routing, or security until you have a VPC with properly planned CIDR blocks and subnets distributed across Availability Zones. This is where architectural mistakes are most expensive because CIDR ranges cannot be changed after creation without rebuilding.
Module 07 introduces connectivity to the outside world. You will understand why public subnets use Internet Gateways while private subnets use NAT Gateways, and you will internalize the cost and availability implications of each pattern. This is where you learn the difference between "accessible from the internet" and "can reach the internet."
Module 08 adds routing intelligence. Route tables determine where traffic goes after it leaves an ENI. You will learn how VPC peering connects networks without traversing the public internet, how VPC endpoints keep AWS API traffic on the AWS backbone, and how prefix lists simplify route management at scale.
Module 09 layers security on top of your routing decisions. Security Groups provide stateful instance-level filtering. NACLs provide stateless subnet-level filtering. VPC Flow Logs give you visibility into what traffic is actually flowing. Network Firewall gives you deep packet inspection when Security Groups and NACLs are insufficient.
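Flow Log triage is the practical end of the visibility that Module 09 describes, so here is an added example (not part of the course material, and not an AWS tool) that parses default-format VPC Flow Log records, ranks what is being rejected, and flags a REJECT whose reverse flow was ACCEPTed on the same ENI. That last pattern is the classic fingerprint of a stateless NACL missing an outbound ephemeral-port rule, because a Security Group would have admitted the reply. The log lines, account id and interface id are constructed placeholders.

```python
"""Triage VPC Flow Log records: what was blocked, where, and whether a
rejected flow is the reply to a flow that was accepted on the same ENI.

Added example for this phase overview; not the course's own code. The log
lines are constructed in the default flow-log format (version 2); the
account and interface ids are placeholders.
"""
import collections

# Default VPC Flow Log format, space separated, in this field order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.10 10.0.1.10 51000 443 6 12 9600 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.10 203.0.113.10 443 51000 6 6 4200 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.10 44021 22 6 1 60 1700000010 1700000070 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.9 10.0.1.10 44022 22 6 1 60 1700000011 1700000071 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text):
    """Parse default-format records; drop NODATA/SKIPDATA lines, which carry no 5-tuple."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for field in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[field] = int(rec[field])
        records.append(rec)
    return records


def _five_tuple(rec):
    return (rec["interface_id"], rec["protocol"], rec["srcaddr"], rec["srcport"],
            rec["dstaddr"], rec["dstport"])


def rejected_replies(records):
    """REJECT records whose reverse 5-tuple was ACCEPTed on the same ENI.
    A stateful Security Group admits return traffic automatically, so a
    rejected reply points at a stateless layer (NACL) or a missing route."""
    accepted = {_five_tuple(r) for r in records if r["action"] == "ACCEPT"}
    flagged = []
    for r in records:
        if r["action"] != "REJECT":
            continue
        reverse = (r["interface_id"], r["protocol"], r["dstaddr"], r["dstport"],
                   r["srcaddr"], r["srcport"])
        if reverse in accepted:
            flagged.append(r)
    return flagged


def rejects_by_target(records):
    """(dstaddr, dstport) pairs ranked by REJECT count: the quickest view of
    what is being blocked, and of which ports are being probed."""
    counter = collections.Counter((r["dstaddr"], r["dstport"])
                                  for r in records if r["action"] == "REJECT")
    return counter.most_common()


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    for r in rejected_replies(recs):
        print("rejected reply:", r["srcaddr"], r["srcport"], "->", r["dstaddr"], r["dstport"])
    print("rejects by target:", rejects_by_target(recs))
```

In the sample, the 443 to 51000 record is the reply to an accepted HTTPS request and gets flagged; the two port-22 rejects are unrelated inbound probes that the existing rules are correctly dropping. On a real account the records arrive from CloudWatch Logs or S3 in the same default format, so only the input source changes.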
Module 10 moves into DNS. Every application needs name resolution. Route 53 is not just a DNS service; it is a global traffic management layer. Routing policies let you direct users to the nearest healthy endpoint. Health checks let you automate failover without human intervention.
Module 11 extends your architecture to the edge. CloudFront caches content at 400+ edge locations worldwide, reducing latency for end users and reducing load on your origin infrastructure. You will learn how cache behaviors, origin failover, and Lambda@Edge let you build sophisticated delivery architectures.
Module 12 brings it all together with enterprise-scale connectivity. Transit Gateway replaces the mesh of VPC peering connections that becomes unmanageable beyond three or four VPCs. PrivateLink exposes services across account boundaries without VPC peering. Direct Connect and Site-to-Site VPN extend your cloud network to physical data centers. Global Accelerator optimizes the network path for latency-sensitive applications.
Services You Will Command
Amazon VPC
Virtual Private Cloud is the logical network isolation layer that contains all your AWS resources. You define the IP address range, create subnets, and control every aspect of routing and access. A VPC is region-scoped. Subnets are AZ-scoped. Understanding this hierarchy is fundamental to building highly available architectures. You will learn CIDR planning strategies that accommodate growth without requiring a rebuild, how to use secondary CIDR blocks when you run out of space, and how IPv6 changes your addressing model entirely.
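CIDR planning is the one decision on this page that cannot be undone without a rebuild, so here is an added example (not course material) of the arithmetic behind it, using only the Python standard library: carve a VPC block into public/private/data tiers across three AZs, report the space left for growth, count usable addresses after the five AWS reserves in every subnet (which is also why a /24 holds 251 tasks, not 256, as the container note under Architecture Context warns), and refuse peer ranges that overlap. All ranges are constructed sample values.

```python
"""CIDR planning for a VPC: carve tiers across AZs, keep room to grow,
and refuse ranges that could never be peered.

Added example for this phase overview; it is not the course's own code.
All ranges below are constructed sample values.
"""
import ipaddress

# AWS reserves the first four addresses and the last address of every subnet
# (network, VPC router, DNS resolver, reserved for future use, broadcast).
AWS_RESERVED_PER_SUBNET = 5


def usable_hosts(subnet):
    """Addresses left for ENIs (instances, tasks, Lambda, RDS) after AWS reservations."""
    return ipaddress.ip_network(subnet).num_addresses - AWS_RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr, azs, tiers, subnet_prefix):
    """Allocate one /<subnet_prefix> per (tier, AZ) pair, tier by tier, from the
    start of the VPC block. Returns (plan, spare): plan is
    {tier: {az: "x.x.x.x/p"}}; spare lists the unallocated space collapsed
    into the largest possible blocks, which is what you keep for growth.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    candidates = vpc.subnets(new_prefix=subnet_prefix)
    plan = {}
    for tier in tiers:
        plan[tier] = {}
        for az in azs:
            try:
                plan[tier][az] = str(next(candidates))
            except StopIteration:
                raise ValueError(
                    f"{vpc_cidr} cannot hold {len(tiers) * len(azs)} /{subnet_prefix} subnets"
                ) from None
    spare = [str(n) for n in ipaddress.collapse_addresses(list(candidates))]
    return plan, spare


def overlapping_peers(vpc_cidr, peer_cidrs):
    """Peer VPC ranges that overlap ours. Peering and Transit Gateway routing
    cannot work between overlapping blocks, so these must be resolved before
    anything is built on top of them."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return [p for p in peer_cidrs if vpc.overlaps(ipaddress.ip_network(p))]


if __name__ == "__main__":
    plan, spare = plan_subnets("10.0.0.0/16", ["a", "b", "c"],
                               ["public", "private", "data"], 20)
    for tier, per_az in plan.items():
        print(tier, per_az)
    print("spare for growth:", spare)
    print("usable hosts in a /24:", usable_hosts("10.0.1.0/24"))
    print("peers that can never be connected:",
          overlapping_peers("10.0.0.0/16", ["10.0.128.0/17", "10.1.0.0/16"]))
```

Allocating tier by tier from the bottom of the block leaves the top of the VPC range contiguous, so a fourth tier or a fourth AZ later fits without renumbering; the `ValueError` path is the case where the chosen VPC size simply cannot hold the design, which is the conversation to have in week one.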
Internet Gateway & NAT Gateway
Internet Gateway enables bidirectional communication between instances in your VPC and the internet. It is horizontally scaled, redundant, and highly available by default. NAT Gateway enables instances in private subnets to initiate outbound connections to the internet while preventing unsolicited inbound traffic. You will learn why NAT Gateway costs are one of the most common surprises on AWS bills, how to architect around them using VPC endpoints, and when a NAT instance still makes economic sense for development environments.
Route Tables & VPC Peering
Route tables are the traffic directors of your VPC. Every subnet has exactly one route table association, and every packet leaving a network interface is evaluated against that route table. VPC peering creates a private network connection between two VPCs using AWS backbone infrastructure. You will learn route priority and specificity rules, how to avoid asymmetric routing, and why transitive peering is not supported (and what to use instead).
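The specificity rule and the asymmetric-routing trap are easiest to see in code, so here is an added example (not course material, and a model rather than the VPC router itself) that resolves a destination against a route table by longest prefix match and checks that a peering connection has a route on both sides. The route tables and target ids are constructed.

```python
"""Longest-prefix-match evaluation of VPC route tables, plus a check that a
peering connection is routed from both ends (a missing return route is the
usual cause of one-way traffic across a peering).

Added example for this phase overview; not the course's own code. The
route tables and target ids below are constructed.
"""
import ipaddress

# Route tables are lists of (destination CIDR, target). Order does not
# matter: the VPC router always picks the most specific matching route.
PUBLIC_RT = [
    ("10.0.0.0/16", "local"),
    ("10.1.0.0/16", "pcx-to-peer"),
    ("0.0.0.0/0", "igw-main"),
]
PRIVATE_RT = [
    ("10.0.0.0/16", "local"),
    ("10.1.0.0/16", "pcx-to-peer"),
    ("10.0.0.0/8", "tgw-corporate"),   # the rest of 10/8 lives behind a Transit Gateway
    ("0.0.0.0/0", "nat-az-a"),
]
# Peer VPC 10.1.0.0/16 whose route table never got the route back to 10.0.0.0/16.
PEER_RT_MISSING_RETURN = [
    ("10.1.0.0/16", "local"),
    ("0.0.0.0/0", "igw-peer"),
]
PEER_RT_OK = PEER_RT_MISSING_RETURN + [("10.0.0.0/16", "pcx-to-peer")]


def next_hop(route_table, dst_ip):
    """Target of the most specific route covering dst_ip, or None when no
    route matches (the router drops the packet)."""
    dst = ipaddress.ip_address(dst_ip)
    best_target, best_len = None, -1
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and net.prefixlen > best_len:
            best_target, best_len = target, net.prefixlen
    return best_target


def peering_is_bidirectional(rt_a, ip_in_a, rt_b, ip_in_b, pcx):
    """True only if A reaches B's address via the peering AND B reaches A's
    address via the same peering. Anything else is asymmetric: requests
    arrive, replies take another path or none."""
    return next_hop(rt_a, ip_in_b) == pcx and next_hop(rt_b, ip_in_a) == pcx


if __name__ == "__main__":
    for ip in ("10.0.5.4", "10.1.2.3", "10.200.1.1", "8.8.8.8"):
        print(ip, "->", next_hop(PRIVATE_RT, ip))
    print("peering routed both ways:",
          peering_is_bidirectional(PRIVATE_RT, "10.0.1.10", PEER_RT_MISSING_RETURN, "10.1.1.10", "pcx-to-peer"))
```

Note how 10.0.5.4 lands on `local` even though the /8 route to the Transit Gateway also covers it, and how the peer VPC's missing return route sends replies to its Internet Gateway, which cannot deliver private addresses; the request arrives and the connection still hangs.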
Security Groups & NACLs
Security Groups are stateful firewalls attached to elastic network interfaces. They evaluate rules only on inbound or outbound initiation; return traffic is automatically allowed. NACLs are stateless firewalls at the subnet boundary that evaluate every packet in both directions independently. You will learn defense-in-depth patterns that combine both, how to use Security Group referencing to build self-documenting rules, and how VPC Flow Logs provide the forensic evidence you need when something is blocked and you cannot determine why.
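The stateful/stateless distinction is where most "the rule is there but traffic is blocked" tickets come from, so here is an added example (not course material, and a simplified model rather than the EC2 data plane) that runs one HTTPS request and its reply through a Security Group with connection tracking and through three Network ACLs: one that mirrors the SG and silently drops the reply, one with the outbound ephemeral-port rule, and one showing that rule numbers decide which of a deny and an allow wins. Rule sets, addresses and ports are constructed.

```python
"""Why a Security Group lets the reply to an HTTPS request out but a
Network ACL might not: stateful vs stateless evaluation of one exchange.

Added example for this phase overview; not the course's own code. Rule
sets, addresses and ports are constructed.
"""
import ipaddress

EPHEMERAL = (1024, 65535)   # client-side source ports that replies go back to


def _match(proto, ip, port, rule_proto, cidr, ports):
    lo, hi = ports
    return (rule_proto == proto
            and ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)
            and lo <= port <= hi)


class SecurityGroup:
    """Stateful firewall on an ENI. Rules are allow-only; the packet that
    opens a connection is matched against them, and every later packet of
    that connection, in either direction, is admitted from the tracking table."""

    def __init__(self, inbound, outbound):
        self.inbound = inbound      # (proto, source CIDR, (lo, hi) destination ports)
        self.outbound = outbound    # (proto, destination CIDR, (lo, hi) destination ports)
        self.tracked = set()        # (proto, remote_ip, remote_port, local_ip, local_port)

    def allows(self, direction, proto, src, sport, dst, dport):
        if direction == "inbound":
            key, remote = (proto, src, sport, dst, dport), src
        else:
            key, remote = (proto, dst, dport, src, sport), dst
        if key in self.tracked:
            return True                       # return traffic: no rule lookup at all
        rules = self.inbound if direction == "inbound" else self.outbound
        if any(_match(proto, remote, dport, *rule) for rule in rules):
            self.tracked.add(key)
            return True
        return False


class NetworkAcl:
    """Stateless firewall on a subnet. Rules are numbered and evaluated lowest
    number first, the first match decides, and every packet, replies included,
    is evaluated on its own. No match hits the implicit deny (*)."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound)    # (rule_no, proto, CIDR, (lo, hi) ports, action)
        self.outbound = sorted(outbound)

    def allows(self, direction, proto, src, sport, dst, dport):
        rules = self.inbound if direction == "inbound" else self.outbound
        remote = src if direction == "inbound" else dst
        for _, rule_proto, cidr, ports, action in rules:
            if _match(proto, remote, dport, rule_proto, cidr, ports):
                return action == "allow"
        return False


def web_sg():
    # Inbound 443 from anywhere; outbound only 443 (e.g. to call an upstream API).
    return SecurityGroup(inbound=[("tcp", "0.0.0.0/0", (443, 443))],
                         outbound=[("tcp", "0.0.0.0/0", (443, 443))])


# Mirrors the SG exactly, which looks right and is wrong for a stateless filter.
NACL_TOO_TIGHT = NetworkAcl(inbound=[(100, "tcp", "0.0.0.0/0", (443, 443), "allow")],
                            outbound=[(100, "tcp", "0.0.0.0/0", (443, 443), "allow")])
# Adds the outbound ephemeral-port rule that replies need.
NACL_CORRECT = NetworkAcl(inbound=[(100, "tcp", "0.0.0.0/0", (443, 443), "allow")],
                          outbound=[(100, "tcp", "0.0.0.0/0", (443, 443), "allow"),
                                    (110, "tcp", "0.0.0.0/0", EPHEMERAL, "allow")])
# Rule order matters: a deny numbered below the allow wins for that source.
NACL_BLOCKLIST = NetworkAcl(inbound=[(90, "tcp", "203.0.113.0/24", (443, 443), "deny"),
                                     (100, "tcp", "0.0.0.0/0", (443, 443), "allow")],
                            outbound=[(100, "tcp", "0.0.0.0/0", EPHEMERAL, "allow")])


def https_exchange(sg, nacl, client="203.0.113.10", server="10.0.1.10"):
    """Run a client request and the server's reply through both layers.
    Returns (request_admitted, reply_admitted)."""
    request = ("inbound", "tcp", client, 51000, server, 443)
    reply = ("outbound", "tcp", server, 443, client, 51000)
    request_ok = nacl.allows(*request) and sg.allows(*request)
    reply_ok = request_ok and sg.allows(*reply) and nacl.allows(*reply)
    return request_ok, reply_ok


if __name__ == "__main__":
    for name, nacl in (("too tight", NACL_TOO_TIGHT), ("correct", NACL_CORRECT),
                       ("blocklist", NACL_BLOCKLIST)):
        print(name, https_exchange(web_sg(), nacl))
```

The SG's outbound rule set never mentions port 51000, yet the reply passes because the tracking table, not the rule list, answers for it; the NACL has no such table, so the same reply needs an explicit outbound rule for the ephemeral range. The blocklist case is why NACLs, not Security Groups, are the place for an explicit deny.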
Amazon Route 53
Route 53 is a globally distributed DNS service with a 100% availability SLA. It supports public hosted zones (internet-facing) and private hosted zones (VPC-internal). Beyond basic name resolution, Route 53 provides traffic management through routing policies: simple, weighted, latency-based, failover, geolocation, geoproximity, and multivalue answer. You will learn how health checks monitor endpoint availability and trigger automated failover, how alias records eliminate unnecessary lookups, and how to design DNS architectures that support blue-green deployments.
Amazon CloudFront
CloudFront is a content delivery network with edge locations on every populated continent. It caches content close to users, reducing latency from hundreds of milliseconds to single digits. You will learn how distributions map to origins, how cache behaviors route requests based on path patterns, how Origin Access Control restricts S3 access to CloudFront only, and how Lambda@Edge and CloudFront Functions let you execute code at the edge for header manipulation, URL rewrites, A/B testing, and authentication.
AWS Transit Gateway
Transit Gateway is a regional network hub that connects VPCs, VPN connections, and Direct Connect gateways through a central point. It replaces full-mesh VPC peering topologies with a hub-and-spoke model that scales to thousands of connections. You will learn route table segmentation for network isolation, how inter-region peering extends transit connectivity globally, and how Transit Gateway simplifies network architecture for organizations with dozens or hundreds of VPCs.
AWS PrivateLink
PrivateLink provides private connectivity between VPCs, AWS services, and on-premises networks without exposing traffic to the public internet. Interface VPC endpoints create elastic network interfaces in your subnets with private IP addresses. Gateway endpoints (for S3 and DynamoDB) add routes to your route table. You will learn how PrivateLink enables service provider/consumer models across accounts without VPC peering, and why it is the preferred pattern for SaaS integrations in regulated environments.
AWS Direct Connect
Direct Connect establishes a dedicated network connection from your premises to AWS. It bypasses the public internet entirely, providing consistent network performance, reduced bandwidth costs for high-volume workloads, and a private path to AWS services. You will learn the difference between dedicated connections and hosted connections, how virtual interfaces (private, public, transit) map to different use cases, and how to design redundant Direct Connect architectures that maintain connectivity during facility failures.
AWS Global Accelerator
Global Accelerator uses the AWS global network to route traffic to the optimal endpoint based on health, proximity, and routing policies. It provides two static anycast IP addresses that serve as a fixed entry point to your application. You will learn how Global Accelerator differs from CloudFront (network layer vs. application layer), when to use it for TCP/UDP workloads that cannot benefit from caching, and how endpoint groups and traffic dials enable gradual deployments across regions.
Architecture Context
Everything you build after this phase depends on the networking decisions you make here. Consider what comes next in your learning path:
Compute (EC2, ECS, EKS, Lambda) requires subnets to place instances and tasks. An Auto Scaling group spans subnets across AZs. ECS tasks need network mode configuration. Lambda functions in a VPC consume ENIs from your subnets and are constrained by your available IP space.
Databases (RDS, Aurora, DynamoDB) require subnet groups that span multiple AZs. RDS instances sit in private subnets, accessible only through Security Group rules. DynamoDB is accessed via VPC endpoints to avoid NAT Gateway costs and improve latency.
Load Balancing (ALB, NLB) requires subnets in each AZ you want to serve traffic from. ALBs need public subnets with internet gateway routing for internet-facing configurations, and route traffic to targets in private subnets.
Serverless (Lambda, API Gateway, Step Functions) can operate outside a VPC for public API patterns, but the moment your function needs to reach a database or internal service, it needs VPC networking. Understanding this boundary is critical to Lambda cold start performance.
Containers (ECS, EKS) require careful subnet planning. Fargate tasks each consume an IP address from your subnet CIDR. A cluster running hundreds of tasks can exhaust a /24 subnet quickly. EKS adds its own networking layer (VPC CNI plugin) that consumes even more addresses.
The networking patterns you learn in Phase 2 are not isolated knowledge. They are the connective tissue between every service you will use for the remainder of this program and throughout your career as a Solutions Architect.
Phase Exam
After completing all seven modules in this phase, you will take the Phase 2 certification exam:
- 35 multiple-choice questions covering all networking services and concepts
- 55 minutes to complete
- 70% pass threshold (25/35 correct)
- Questions test both conceptual understanding and practical application
- Expect scenario-based questions: "A customer needs private connectivity between two VPCs in different accounts without overlapping CIDR ranges. Which solution meets this requirement?"
- You must demonstrate understanding of tradeoffs, not just feature recall
The exam validates that you can design networking architectures, not just describe them. Passing means you are ready to build on top of this foundation with confidence that your network layer will not become the bottleneck, the security gap, or the cost surprise that derails everything above it.