Networking & Content Delivery

Category: Advanced (300)

Private AI agent with WebSocket streaming over CloudFront VPC Origins and the next generation of OpenSearch Serverless for knowledge retrieval

Reviewing partner contracts by hand is slow and repetitive, so teams want an AI agent to do the first pass. In the example used throughout this post, a company called Example Corp reviews incoming partner agreements against its own standard operating procedures. A partner uploads an agreement, the agent checks it against those procedures, and […]

Automating CIDR expansion: Reducing IP exhaustion downtime

Automating CIDR expansion: Reducing IP exhaustion downtime

Learn how to build a serverless automation that monitors VPC IP utilization and expands CIDR capacity within minutes. This solution uses AWS Lambda, Step Functions, and IPAM to detect IP exhaustion risk and add secondary CIDRs with new subnets automatically. Three operating modes support environments with full IPAM management, IPAM for subnets only, or no IPAM at all. Deploy with a single SAM command and configure through VPC tags.

Intelligent VPN observability: Decoding AWS Site-to-Site VPN logs

When an AWS Site-to-Site VPN connection degrades, you sift through hundreds of log entries, correlate Border Gateway Protocol (BGP) state transitions with Internet Key Exchange (IKE) phase changes and decide whether the cause is a prefix quota violation, an autonomous system (AS) path loop, or a hold timer expiry. That repetitive manual work prolongs recovery. […]

Extending NLB health checks for RADIUS using an Amazon ECS witness

Extending NLB health checks for RADIUS using an Amazon ECS witness

Network Load Balancer health checks confirm that a RADIUS server is reachable, not that it can authenticate a user, so a server with a failed identity store keeps receiving traffic. This post walks through an open-source reference solution that closes the gap with a single Amazon ECS witness that runs application-layer RADIUS probes and reconciles NLB target group membership directly.

Deploying internal DNS zones for internet-facing load balancers

Since the launch of Elastic Load Balancing (ELB) in 2009, Amazon Web Service (AWS) customers of all sizes, regardless of the size or the complexity of their technical requirements, have utilized ELB as a fundamental service. The service continues to evolve with more deployment options like Network Load Balancers, Application Load Balancers, and Gateway Load […]

Migrate from Static Routing to Dynamic BGP Routing on AWS Site-to-Site VPN

Migrate from Static Routing to Dynamic BGP Routing on AWS Site-to-Site VPN

Introduction AWS Site-to-Site (S2S) VPN is a fully managed service that enables you to establish secure connections between your on-premises networks and AWS using IP Security (IPSec) tunnels. When configuring these connections AWS Site-to-Site (S2S) VPN offers two routing options: static and dynamic routing with Border Gateway Protocol (BGP). While static routing offers simplicity for […]

Centralized ingress inspection architecture in AWS Cloud WAN

Centralized ingress inspection architecture in AWS Cloud WAN

In this post, we explore architectural patterns for implementing centralized internet ingress with inspection using AWS Cloud WAN. We examine different design considerations and integration strategies with centralized internet egress while walking through practical examples and deployment scenarios. We demonstrate how to use the AWS Cloud WAN core networking capabilities alongside other AWS networking services […]

FeaturedImage-Automated network incident response with AWS DevOps Agent

Automated network incident response with AWS DevOps Agent

Your on-call engineer gets paged at 2 AM. A payment service in Workload Account cannot reach a shared database in Shared Services Account. The Amazon CloudWatch alarm fired eight minutes ago. The engineer starts by checking route tables across two accounts, Amazon Virtual Private Cloud (Amazon VPC) attachment states, security group rules on both sides, […]

Nginx Ingress Migration

Navigating the NGINX Ingress retirement: A practical guide to migration on AWS

The Kubernetes SIG Network and Security Response Committee has announced that Ingress NGINX will be retired in March 2026. If your organization runs workloads on Kubernetes — whether on Amazon Elastic Kubernetes Service (Amazon EKS), self-managed clusters on EC2, or hybrid environments — this upcoming change requires immediate planning and attention. This change impacts approximately […]

Migrate Amazon CloudFront public origins to private VPC origins

Introduction This post demonstrates how to migrate your Amazon CloudFront public origins to Amazon Virtual Private Cloud (Amazon VPC) origins using different strategies. You can also use VPC origins with cross-accounts to support security-first architectures. When designing network architecture for CloudFront workloads, organizations must choose between centralized or distributed models. In a centralized architecture, a […]