Study SOA-C03 VPC Connectivity and Network Protection: key concepts, common traps, and exam decision cues.
This lesson is about building and protecting the network path that workloads depend on. SOA-C03 expects CloudOps engineers to know how subnets, route tables, gateways, private connectivity, and network-protection services fit together, and how those choices affect both security and cost.
Private connectivity: Network path that avoids ordinary public internet exposure, such as through VPN or dedicated private links.
Egress-only path: Outbound-only network design that limits unwanted inbound internet access for specific workloads.
VPC endpoint: Private path from a VPC to supported AWS services without routing ordinary traffic through the public internet.
AWS wants you to distinguish:
| Need | Strongest first fit | Why |
|---|---|---|
| public web ingress to a workload | internet gateway plus a public frontend such as an ALB | The entry lane is internet-facing on purpose |
| outbound internet access from private instances | NAT gateway | Private workloads can reach the internet without becoming directly reachable |
| private access to supported AWS services | VPC endpoint | Keeps the service path off the ordinary internet lane |
| encrypted site-to-site extension from on-premises | Site-to-Site VPN | Strongest first for private hybrid reachability without dedicated circuits |
| predictable dedicated private network path from on-premises | Direct Connect | Higher commitment hybrid lane with more predictable connectivity |
| cross-account or service-style private consumption | AWS PrivateLink | Designed for private service exposure rather than full network routing |
```mermaid
flowchart TD
    Internet["Internet Users"] --> Public["Public Ingress via IGW / ALB"]
    Private["Private Subnets"] --> NAT["NAT Gateway for Outbound Internet"]
    Private --> Endpoint["VPC Endpoint to AWS Service"]
    OnPrem["On-Premises"] --> Hybrid["VPN or Direct Connect"]
    Hybrid --> Private
    Public --> Private
```
| If the stem is really about… | Strongest first service or control |
|---|---|
| instance or ENI traffic allow/deny | security groups |
| subnet-edge stateless filtering | network ACLs |
| Layer 7 web attack filtering | AWS WAF |
| DDoS protection for exposed resources | AWS Shield |
| centralized packet inspection and rule-based network filtering | AWS Network Firewall |
Protection questions become much easier when you first decide whether the problem lives at the workload, subnet edge, web layer, or central inspection lane.
| Cost pressure | Strongest first move |
|---|---|
| too much NAT traffic to AWS-managed services | move supported traffic to VPC endpoints |
| unnecessary internet exposure for internal dependencies | keep the path private instead of routing through public endpoints |
| overcomplicated hybrid design for a small requirement | pick the smallest private-connectivity lane that meets the requirement |
| recurring data-transfer surprises | check whether the traffic is crossing zones, regions, NAT paths, or public egress unnecessarily |
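The connectivity table and the cost table above describe the same decision from two sides, and the following added example (not part of this lesson or any AWS tooling) turns it into a check you can run on route-table data shaped like `aws ec2 describe-route-tables` output: an `igw-` default route marks a public ingress lane, a `nat-` default route marks a controlled egress lane, and a NAT table with no gateway-endpoint route is flagged as a candidate for moving S3/DynamoDB traffic onto a VPC endpoint. All route-table, subnet and gateway IDs in the sample are constructed.

```python
# Added example (not from the lesson): classify subnets from route-table data and
# flag NAT-only tables where AWS-service traffic may be paying for the NAT lane.
# Input shape follows `aws ec2 describe-route-tables`; all IDs below are constructed.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-web", "Associations": [{"SubnetId": "subnet-web-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE"}]},
    {"RouteTableId": "rtb-app", "Associations": [{"SubnetId": "subnet-app-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-EXAMPLE"}]},
    {"RouteTableId": "rtb-data", "Associations": [{"SubnetId": "subnet-db-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationPrefixListId": "pl-EXAMPLE-s3", "GatewayId": "vpce-EXAMPLE"},
                {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "vgw-EXAMPLE"}]},
]


def classify_subnets(route_tables):
    """Map each associated subnet to its internet lane, hybrid reach, endpoints and findings."""
    result = {}
    for rt in route_tables:
        default_target, endpoints, hybrid = "", [], False
        for route in rt["Routes"]:
            # A route carries exactly one target field; normalise to a single string.
            target = (route.get("GatewayId") or route.get("NatGatewayId")
                      or route.get("TransitGatewayId") or "")
            if route.get("DestinationCidrBlock") == "0.0.0.0/0":
                default_target = target
            if target.startswith("vpce-"):  # only gateway endpoints (S3/DynamoDB) appear as routes
                endpoints.append(route.get("DestinationPrefixListId", "unknown-prefix-list"))
            if target.startswith(("vgw-", "tgw-")):  # VPN / Direct Connect / transit gateway lane
                hybrid = True
        if default_target.startswith("igw-"):
            lane = "public"            # internet-facing ingress lane
        elif default_target.startswith("nat-"):
            lane = "private-egress"    # outbound only, not directly reachable
        elif default_target:
            lane = "private-other"     # default route via vgw-/tgw- or similar
        else:
            lane = "isolated"          # no route to the internet at all
        findings = []
        if lane == "private-egress" and not endpoints:
            findings.append("NAT default route but no gateway-endpoint route: "
                            "check whether S3/DynamoDB traffic should move to a VPC endpoint")
        for assoc in rt["Associations"]:
            if "SubnetId" in assoc:  # the main-table association has no SubnetId
                result[assoc["SubnetId"]] = {"lane": lane, "hybrid": hybrid,
                                             "endpoints": endpoints, "findings": findings}
    return result
```

Interface endpoints never show up as routes, so an empty `endpoints` list is a prompt to check, not proof that all AWS-service traffic is crossing the NAT gateway.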
When SOA-C03 mixes connectivity, protection, and cost in one stem, work in this order:
If you optimize too early, you often choose a cheaper path that violates the connectivity or protection requirement the stem actually cares about.
| If the requirement says… | Read it as… |
|---|---|
| “reachable from the internet” | internet-facing ingress lane |
| “private access to AWS services” | endpoint or PrivateLink lane |
| “private extension from on-premises” | VPN or Direct Connect lane |
| “private workloads still need outbound updates” | controlled egress lane, often via NAT |