#1 AWS Transit Gateway vs VPC Peering vs AWS PrivateLink
All three enable private connectivity between VPCs, so candidates pick based on which one they associate with scale.
Deciding signal
VPC Peering creates a direct route between exactly two VPCs. Traffic does not traverse an intermediate hop, but peering is non-transitive: A-B plus B-C does not give A-C. The service imposes no bandwidth bottleneck, but it needs a peering connection and route table entries for every pair, and the two VPCs cannot have overlapping CIDRs. Transit Gateway is a regional hub: VPC, VPN, and Direct Connect attachments connect to it, and its route tables give transitive routing between attachments (or segment them, if you keep attachments in separate route tables). It supports inter-Region peering and cross-account attachments. PrivateLink exposes one service (an endpoint service fronted by a Network Load Balancer or Gateway Load Balancer) to consumers in other VPCs or accounts as an ENI inside the consumer VPC; the consumer initiates connections to that single service, receives no route into the provider's network, and overlapping CIDRs do not matter. When the scenario involves many VPCs needing transitive connectivity, Transit Gateway. When two specific VPCs need direct routing, Peering. When a service needs to be consumed privately without handing out network routes, PrivateLink.
Quick check
Is this direct routing between two VPCs (Peering), transitive hub-and-spoke across many VPCs (Transit Gateway), or exposing a specific service endpoint privately (PrivateLink)?
Why it looks right
Transit Gateway is the prominent ANS-C01-level answer for multi-VPC networking and candidates apply it to PrivateLink scenarios where only a service endpoint needs to be shared.
#2 AWS Direct Connect vs AWS Site-to-Site VPN vs AWS Client VPN
All three provide private access to AWS, so candidates default to Direct Connect as the "enterprise" answer.
Deciding signal
Site-to-Site VPN builds encrypted IPsec tunnels (two per VPN connection, for redundancy) between a customer gateway device on-premises and a Virtual Private Gateway or Transit Gateway; it connects whole networks over the public internet. Direct Connect provides a dedicated private circuit from your data center or colocation site to AWS, bypassing the public internet for consistent bandwidth and latency. Direct Connect traffic is private but not encrypted by default; if confidentiality on the circuit matters, run a Site-to-Site VPN over it or use MACsec where the connection supports it. Client VPN is OpenVPN-based and connects individual user devices (laptops, endpoints) to a VPC; it authenticates users (mutual TLS certificates, Active Directory, or SAML federation), not networks. When the scenario describes an on-premises data center connecting to AWS with predictable latency and dedicated bandwidth, Direct Connect. When it describes an encrypted network-to-network link over the internet, Site-to-Site VPN. When it describes employees or remote workers connecting to AWS resources from their devices, Client VPN.
Quick check
Is this a network-to-network connection with dedicated bandwidth (Direct Connect), an encrypted network-to-network tunnel over the internet (Site-to-Site VPN), or individual user devices connecting to a VPC (Client VPN)?
Why it looks right
Client VPN is frequently missed because candidates apply Site-to-Site VPN to all VPN questions. The signal is individual users or devices — not network-to-network.
#3 Direct Connect Gateway vs Transit Gateway with Direct Connect attachment
Both extend Direct Connect connectivity, and the distinction requires understanding the attachment model.
Deciding signal
A Direct Connect Gateway lets a single Direct Connect connection (at one Direct Connect location) reach VPCs in multiple AWS Regions and accounts. With a private virtual interface, each VPC is associated through its own Virtual Private Gateway, and the Direct Connect Gateway does not route between those VPCs: there is no transitive VPC-to-VPC routing through it. A Transit Gateway reached over Direct Connect uses a transit virtual interface to a Direct Connect Gateway that is associated with the Transit Gateway; the Transit Gateway then routes between the on-premises network and every attached VPC, and its route tables also allow VPC-to-VPC routing. When the scenario requires on-premises access to multiple Regions with no VPC-to-VPC routing through the Direct Connect path, Direct Connect Gateway with Virtual Private Gateways. When the on-premises network must join a transitive mesh that also routes VPC to VPC, Transit Gateway with a Direct Connect (transit VIF) attachment.
Quick check
Is the requirement to access VPCs in multiple Regions from a single Direct Connect without VPC-to-VPC routing (Direct Connect Gateway), or does the on-premises network need to be part of a transitive routing mesh (Transit Gateway with Direct Connect)?
Why it looks right
Direct Connect Gateway sounds like it handles all Direct Connect extension scenarios. Transit Gateway with Direct Connect is required when transitive routing between VPCs over the Direct Connect path is needed.
#4 Security Groups vs Network ACLs vs AWS Network Firewall
All three filter network traffic in VPCs, so candidates apply Security Groups as the default without checking scope.
Deciding signal
Security Groups are stateful and attach to ENIs: return traffic for an allowed request is permitted automatically, without a rule in the other direction. They contain allow rules only and all rules are evaluated together; anything not allowed is denied implicitly. Network ACLs are stateless and apply at the subnet boundary: you must explicitly allow both inbound and outbound traffic, including return traffic on ephemeral ports (for a server, typically 1024-65535 outbound, since the client chooses its source port). NACL rules are numbered, evaluated from lowest to highest, first match wins, and can be allow or deny. AWS Network Firewall is a managed stateful firewall deployed as endpoints in dedicated firewall subnets, with route tables used to steer traffic through them. It supports stateless and stateful rule groups, Suricata-compatible IDS/IPS rules, domain list filtering, and protocol detection, none of which Security Groups and NACLs can provide. When the scenario requires deep packet inspection, domain filtering, or IDS/IPS signatures across VPC traffic, Network Firewall.
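The stateful-versus-stateless distinction above is the one that bites in practice: a NACL whose outbound rule mirrors the service port instead of the ephemeral range silently drops every reply. The following is an added illustration, not AWS code or anything from this page's trainer; it models a Security Group as an allow-only rule set with connection tracking and a NACL as an ordered allow/deny list with an implicit final deny, and runs one HTTPS flow through both. The rule tables and port numbers are constructed for the example.

```python
"""Model of Security Group (stateful) vs Network ACL (stateless, ordered) evaluation.
Added example; the rule tables below are constructed, not exported from AWS."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = toward the protected resource, "out" = from it
    proto: str
    src_port: int
    dst_port: int


def sg_allows(rules, pkt, conntrack):
    """Security Group: allow rules only, all evaluated as a set. A packet that is the
    reverse of a tracked connection is allowed with no rule at all (stateful)."""
    if (pkt.proto, pkt.dst_port, pkt.src_port) in conntrack:
        return True
    for r in rules:
        if (r["direction"] == pkt.direction and r["proto"] == pkt.proto
                and r["from"] <= pkt.dst_port <= r["to"]):
            conntrack.add((pkt.proto, pkt.src_port, pkt.dst_port))
            return True
    return False            # no match: implicit deny


def nacl_decision(rules, pkt):
    """Network ACL: rules sorted by number, first match decides, and the implicit
    trailing '*' rule denies anything unmatched. No connection state is kept."""
    for r in sorted(rules, key=lambda r: r["num"]):
        if (r["direction"] == pkt.direction and r["proto"] in (pkt.proto, "all")
                and r["from"] <= pkt.dst_port <= r["to"]):
            return r["action"]
    return "deny"


# One HTTPS flow: client ephemeral port 51234 -> server 443, and the reply.
REQUEST = Packet("in", "tcp", 51234, 443)
REPLY = Packet("out", "tcp", 443, 51234)

SG_RULES = [{"direction": "in", "proto": "tcp", "from": 443, "to": 443}]

# Mistake: the outbound NACL rule copies the service port instead of the ephemeral range.
NACL_BROKEN = [
    {"num": 100, "direction": "in",  "action": "allow", "proto": "tcp", "from": 443,  "to": 443},
    {"num": 100, "direction": "out", "action": "allow", "proto": "tcp", "from": 443,  "to": 443},
]
NACL_FIXED = [
    {"num": 100, "direction": "in",  "action": "allow", "proto": "tcp", "from": 443,  "to": 443},
    {"num": 100, "direction": "out", "action": "allow", "proto": "tcp", "from": 1024, "to": 65535},
]
# Ordering: an explicit deny with a lower number wins over a broad allow.
NACL_ORDERED = [
    {"num": 100, "direction": "in", "action": "allow", "proto": "all", "from": 0,  "to": 65535},
    {"num": 50,  "direction": "in", "action": "deny",  "proto": "tcp", "from": 22, "to": 22},
]


def evaluate_flow(sg_rules, nacl_rules):
    """Return (security group verdict, NACL verdict) for the request and the reply."""
    conntrack = set()
    return {
        "request": (sg_allows(sg_rules, REQUEST, conntrack), nacl_decision(nacl_rules, REQUEST)),
        "reply":   (sg_allows(sg_rules, REPLY, conntrack),   nacl_decision(nacl_rules, REPLY)),
    }


if __name__ == "__main__":
    for name, nacl in (("broken NACL", NACL_BROKEN), ("fixed NACL", NACL_FIXED)):
        print(name, evaluate_flow(SG_RULES, nacl))
    print("ssh with ordered NACL:", nacl_decision(NACL_ORDERED, Packet("in", "tcp", 40000, 22)))
```

With the broken NACL the Security Group passes the reply on connection state alone, while the NACL denies it; the fixed table needs an ephemeral-range allow because nothing tracks the connection. The ordered table shows why rule numbers matter: the deny at 50 is hit before the allow at 100, even though the allow is listed first.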
Quick check
Is this per-instance stateful filtering (Security Groups), per-subnet stateless ACL rules (NACLs), or VPC-level deep packet inspection with IDS/IPS rules (Network Firewall)?
Why it looks right
Security Groups handle most traffic filtering scenarios and candidates apply them everywhere. Network Firewall is the right answer when IDS/IPS, domain filtering, or protocol-level inspection is explicitly required.
#5 Route 53 Latency vs Geolocation vs Geoproximity vs Weighted Routing
All four Route 53 routing policies route traffic based on location or capacity, so candidates blur them in multi-region designs.
Deciding signal
Latency routing sends users to the Region or endpoint with the lowest network latency, based on latency measurements Route 53 maintains between viewer networks and AWS Regions, not on geographic distance. Geolocation routing routes on where the DNS query originates (continent, country, or U.S. state, plus a default record for everything else), regardless of latency; the most specific matching record wins, and without a default record a query from an unmatched location gets no answer. Location is derived from the resolver's IP address (or the EDNS Client Subnet it sends), so users behind a distant public resolver can be placed in the wrong region. Geolocation is the choice for legal or regulatory requirements (e.g., EU users must be served by EU endpoints) and for localized content. Geoproximity routing requires Traffic Flow and routes on geographic distance between the user and the resource, with a bias (-99 to +99) that expands or shrinks the area an endpoint serves. Weighted routing distributes traffic in the proportions you define (e.g., 80/20 across two endpoints), regardless of geography or latency; a weight of 0 stops traffic to that record unless every record is 0, which makes it the tool for canary deployments and A/B testing.
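The two policies with non-obvious edge cases are geolocation (specificity order and the missing-default case) and weighted (the weight-0 semantics). The block below is an added model of both selection rules, written for this page and not taken from Route 53 or its SDK; the record sets and hostnames are constructed. It also covers the all-weights-zero case the paragraph only mentions.

```python
"""Model of Route 53 geolocation and weighted record selection. Added example;
record sets are constructed and hostnames use the reserved .test TLD."""
import random

GEO_RECORDS = [
    {"endpoint": "eu-west-1.example.test", "continent": "EU"},
    {"endpoint": "eu-central-1.example.test", "country": "DE"},
    {"endpoint": "us-east-1.example.test"},            # default record (no location)
]
WEIGHTED_RECORDS = [
    {"endpoint": "v1.example.test", "weight": 0},      # drained: weight 0
    {"endpoint": "v2.example.test", "weight": 100},
]


def geolocation_pick(records, loc):
    """Most specific matching record wins: subdivision > country > continent > default.
    Returns None when nothing matches and there is no default record, which is the
    'no answer' case a missing default produces."""
    best, best_rank = None, -1
    for r in records:
        if "subdivision" in r:
            rank = 3
            hit = (r.get("country"), r["subdivision"]) == (loc.get("country"), loc.get("subdivision"))
        elif "country" in r:
            rank, hit = 2, r["country"] == loc.get("country")
        elif "continent" in r:
            rank, hit = 1, r["continent"] == loc.get("continent")
        else:
            rank, hit = 0, True
        if hit and rank > best_rank:
            best, best_rank = r, rank
    return best["endpoint"] if best else None


def weighted_pick(records, rng=random.random):
    """Each record is chosen with probability weight / sum(weights). A weight of 0
    is never chosen unless every weight is 0, in which case all are equally likely."""
    total = sum(r["weight"] for r in records)
    if total == 0:
        return records[int(rng() * len(records))]["endpoint"]
    x = rng() * total               # rng() is in [0, 1), so x < total
    for r in records:
        x -= r["weight"]
        if x < 0:
            return r["endpoint"]
    return records[-1]["endpoint"]  # unreachable given x < total; kept for safety


def weighted_share(records, trials=10_000, seed=1):
    """Empirical share per endpoint with a seeded RNG, to confirm a weight split."""
    rng = random.Random(seed).random
    counts = {}
    for _ in range(trials):
        e = weighted_pick(records, rng)
        counts[e] = counts.get(e, 0) + 1
    return {e: n / trials for e, n in counts.items()}


if __name__ == "__main__":
    for loc in ({"continent": "EU", "country": "DE"}, {"continent": "EU", "country": "FR"},
                {"continent": "SA", "country": "BR"}):
        print(loc, "->", geolocation_pick(GEO_RECORDS, loc))
    print("no default, unmatched:", geolocation_pick(GEO_RECORDS[:2], {"continent": "SA"}))
    print("weighted share:", weighted_share(WEIGHTED_RECORDS))
```

A German query hits the country record even though the continent record also matches; a Brazilian query falls to the default, and removing the default turns that into no answer rather than a fallback to the nearest region. In the weighted set, v1 at weight 0 receives nothing, which is the draining behaviour a canary rollback relies on.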
Quick check
Is this about serving users from the fastest endpoint (Latency), routing by user origin country for compliance (Geolocation), shifting traffic boundaries between regions (Geoproximity), or splitting traffic by percentage (Weighted)?
Why it looks right
Latency routing and Geolocation routing both involve geography and candidates conflate them. Geolocation is deterministic by user location; Latency is dynamic based on measured network performance.
#6 NAT Gateway vs Internet Gateway vs Egress-Only Internet Gateway
All three enable communication between VPCs and the internet, so candidates apply Internet Gateway universally.
Deciding signal
An Internet Gateway enables bidirectional internet access for resources with public IPv4 (or IPv6) addresses in subnets whose route table sends 0.0.0.0/0 or ::/0 to it. A NAT Gateway lets resources in private subnets initiate outbound IPv4 connections to the internet without being reachable from it; a public NAT gateway lives in a public subnet with an Elastic IP, and the private subnets route 0.0.0.0/0 to it (a private NAT gateway, without an Elastic IP, also exists for NAT toward other VPCs or on-premises networks). IPv6 addresses in a VPC are globally unique and publicly routable, so an Internet Gateway alone would expose them; the Egress-Only Internet Gateway is the IPv6 counterpart that allows outbound-only IPv6 connections and blocks connections initiated from the internet. Neither gateway filters anything: a NAT gateway has no security group, so egress restrictions still come from Security Groups, NACLs, or Network Firewall. When private resources need to download updates or reach internet services, NAT Gateway (IPv4) or Egress-Only IGW (IPv6). When public subnet resources need two-way internet access, Internet Gateway.
Quick check
Are private resources initiating outbound IPv4 connections (NAT Gateway), outbound IPv6 connections (Egress-Only IGW), or do public-subnet resources need bidirectional internet access (Internet Gateway)?
Why it looks right
Internet Gateway is the familiar service and candidates apply it to private subnet scenarios. NAT Gateway is required when resources must stay private but still reach the internet outbound.
#7 Application Load Balancer vs Network Load Balancer vs Gateway Load Balancer
All three are Elastic Load Balancing types and appear interchangeably in networking questions.
Deciding signal
ALB operates at Layer 7 and routes on HTTP attributes: path patterns, host headers, query strings, HTTP methods, and headers. It terminates TLS and supports WebSocket; targets see the ALB's address as the source and get the client address only in the X-Forwarded-For header. NLB operates at Layer 4 and handles TCP, UDP, and TLS at very high throughput with a static IP (or Elastic IP) per Availability Zone and low latency; it preserves the client source IP by default. GWLB is not a general-purpose load balancer: it inserts third-party virtual appliances inline. Route table entries steer traffic to a Gateway Load Balancer endpoint, the GWLB encapsulates each packet in GENEVE (UDP 6081) and sends it to an appliance (firewall, IDS), and the appliance returns it to the GWLB, which forwards it to the destination; the appliance sees the original packet unchanged, source and destination included. When a scenario involves inline security appliances, GWLB is the specific answer.
Quick check
Is this Layer 7 content-based routing (ALB), high-throughput Layer 4 with static IPs (NLB), or transparent inline routing through security appliances (GWLB)?
Why it looks right
NLB and ALB are the commonly tested load balancers. GWLB is overlooked because its use case — inline appliance insertion — is a pattern candidates do not immediately associate with a load balancer.
#8 Amazon Route 53 Resolver vs Route 53 Hosted Zones
Both involve Route 53 and DNS, so candidates treat them as different names for the same functionality.
Deciding signal
Route 53 Hosted Zones are authoritative DNS zones, public (internet DNS) or private (associated with one or more VPCs). They hold resource records (A, CNAME, MX, and so on) and answer queries for your domains. Route 53 Resolver is the recursive resolver built into every VPC, reachable at the VPC CIDR base plus two (10.0.0.2 for 10.0.0.0/16) and at 169.254.169.253. Resolver endpoints integrate that resolver with on-premises DNS: an inbound endpoint places ENIs in the VPC that on-premises servers can query, so they can resolve private hosted zone records; an outbound endpoint, together with Resolver rules, forwards queries for chosen domains from the VPC to on-premises DNS servers. When the scenario involves hybrid DNS resolution between on-premises and AWS VPCs, Resolver endpoints and rules. When it involves creating and serving DNS records, Hosted Zones.
Quick check
Is this about storing and serving DNS records (Hosted Zones), or about forwarding DNS queries between on-premises and VPC environments (Resolver Endpoints)?
Why it looks right
Route 53 is associated with DNS record management, so candidates reach for Hosted Zones on all DNS questions. Resolver Endpoints are specifically for hybrid DNS forwarding and are frequently the correct ANS-C01 answer.
#9 VPC Gateway Endpoint vs VPC Interface Endpoint vs AWS PrivateLink Service
All three provide private access to services, and "PrivateLink" is sometimes used loosely to describe all endpoint types.
Deciding signal
Gateway Endpoints are free, need only a route table entry (a route for the service's managed prefix list pointing at the endpoint), and exist only for S3 and DynamoDB; they work only from the VPC they are attached to, not from peered VPCs or on-premises networks. Interface Endpoints use PrivateLink to place ENIs with private IP addresses in your subnets and exist for most AWS services (SSM, Secrets Manager, SQS, the EC2 API, and many more; S3 also has an interface endpoint for the on-premises and cross-VPC cases a gateway endpoint cannot serve). They carry an hourly and per-GB charge, support private DNS, and accept security groups. Both endpoint types accept endpoint policies, which is where you restrict, for example, which S3 buckets a VPC may reach. PrivateLink services (endpoint services) let you expose your own service, behind an NLB or Gateway Load Balancer, to consumers in other VPCs or accounts: this is the provider side of PrivateLink. When the scenario asks about consuming an AWS service privately, the answer is a Gateway Endpoint (S3/DynamoDB) or an Interface Endpoint (other AWS services). When it describes sharing your own internal service across VPCs without VPC peering, PrivateLink service.
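A gateway endpoint works purely through routing: the endpoint's prefix list becomes a set of routes that are more specific than the 0.0.0.0/0 route to the NAT gateway, so S3 traffic leaves through the endpoint while everything else still goes to NAT. The block below is an added example of that longest-prefix-match lookup, not AWS code; the prefix list CIDRs, route targets and VPC range are constructed placeholders (the real S3 prefix list contents differ per Region).

```python
"""Longest-prefix-match route lookup with a managed prefix list, as a VPC route
table performs it. Added example; prefix list contents and targets are constructed."""
import ipaddress

# Placeholder for the S3 managed prefix list. Real pl-xxxxxxxx entries differ.
PREFIX_LISTS = {
    "pl-s3": ["52.216.0.0/15", "3.5.0.0/19"],
}

# Private-subnet route table: local VPC range, default route to a NAT gateway, and
# the route a gateway endpoint adds for its prefix list.
PRIVATE_RT = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "nat-gw"),
    ("pl-s3", "vpce-s3-gateway"),
]
# Same subnet before the endpoint existed: S3 traffic takes the NAT path.
PRIVATE_RT_NO_ENDPOINT = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "nat-gw"),
]


def expand_routes(routes, prefix_lists):
    """Replace each prefix-list destination with one (network, target) per CIDR."""
    expanded = []
    for dest, target in routes:
        for cidr in prefix_lists.get(dest, [dest]):
            expanded.append((ipaddress.ip_network(cidr), target))
    return expanded


def next_hop(dst, routes, prefix_lists=PREFIX_LISTS):
    """Return the target of the most specific route containing dst, or None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for net, target in expand_routes(routes, prefix_lists):
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def s3_egress_path(dst, routes):
    """Name the path S3-bound traffic takes; 'nat-gw' means it leaves via the
    public internet and any endpoint policy does not apply."""
    hop = next_hop(dst, routes)
    return "private via endpoint" if hop == "vpce-s3-gateway" else f"public via {hop}"


if __name__ == "__main__":
    for ip in ("52.216.10.5", "93.184.216.34", "10.0.1.9"):
        print(ip, "->", next_hop(ip, PRIVATE_RT))
    print(s3_egress_path("52.216.10.5", PRIVATE_RT_NO_ENDPOINT))
```

The practical check this encodes: if a subnet's route table lacks the prefix-list route, S3 requests still succeed, but over NAT and outside any endpoint policy you set, which is how a bucket-restricting policy gets silently bypassed.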
Quick check
Is the target S3 or DynamoDB (Gateway Endpoint), another AWS service via ENI (Interface Endpoint), or exposing your own service to other VPC consumers (PrivateLink Service)?
Why it looks right
Interface Endpoints and PrivateLink Services are frequently confused because Interface Endpoints use PrivateLink technology. The distinction is direction: Interface Endpoints consume services; PrivateLink Services expose them.
#10 AWS Network Firewall vs AWS WAF vs AWS Shield Advanced
All three protect AWS workloads from network threats and appear together in "defense in depth" questions.
Deciding signal
Network Firewall is deployed inside VPCs and inspects all traffic routed through it, not just HTTP. It supports stateless and stateful rules, Suricata-compatible IDS/IPS rule groups, and domain-based filtering, covering threats at the network and transport layers for any protocol. WAF attaches to CloudFront, ALB, API Gateway, or AppSync (among other services) and inspects HTTP/HTTPS requests, blocking web-layer attacks such as SQL injection and XSS and rate-limiting abusive clients; it never sees non-HTTP traffic. Shield Standard is free and always on; Shield Advanced adds tailored DDoS detection and mitigation for Elastic IPs, ELBs, CloudFront, Global Accelerator, and Route 53, cost protection for scaling during an attack, and access to the Shield Response Team. Each has a distinct threat model: VPC-level inspection (Network Firewall), HTTP application attacks (WAF), volumetric DDoS (Shield Advanced).
Quick check
Is this protecting against non-HTTP network threats within VPC traffic (Network Firewall), blocking malicious web requests at the application layer (WAF), or absorbing high-volume DDoS attacks (Shield Advanced)?
Why it looks right
WAF and Shield are the most visible security services for internet-facing workloads. Network Firewall is the answer when the scenario involves VPC-internal traffic, non-HTTP protocols, or IDS/IPS rule matching.