Category: Best Practices

When you need to connect applications across Amazon Virtual Private Clouds (Amazon VPCs) to services that don’t fit the traditional AWS PrivateLink provider-consumer model, you face complex networking challenges that VPC peering and AWS Transit Gateway alone can’t easily solve. This is especially true for overlapping IP spaces. You can now connect to services that […]

For organizations operating multi-tenant environments, regulated environments, or multiple business units, maintaining strict network segmentation between SD-WAN and AWS is essential for meeting security, compliance, and operational requirements. This is Part 2 of the two-part series on extending SD-WAN segmentation into AWS Cloud WAN. In Part 1, the Generic Routing Encapsulation (GRE) based Connect attachment […]

For organizations operating multi-tenant environments, regulated environments, or multiple business units, maintaining strict network segmentation between SD-WAN and AWS is essential for meeting security, compliance, and operational requirements. Deploying SD-WAN virtual appliances and extending your segmentation through AWS Cloud WAN helps unify these segmented environments under a single, scalable global network. That said, segmentation is […]

Organizations often struggle with how to secure IPv6 network and application infrastructure on AWS based on what type of IPv6 addresses they are using. In this post, I cover the best practices and considerations for securing private IPv6 resources while maintaining the flexibility to adjust connectivity models as your infrastructure evolves. I also cover how […]

Private connectivity from AgentCore Gateway to your targets reduces compliance scope and simplifies auditing making it a common requirement in regulated environments. Whether your targets run inside an Amazon Virtual Private Cloud (Amazon VPC), across AWS accounts, in other AWS Regions, on-premises, or in multicloud environments, you need connectivity patterns that keep traffic off the public internet […]

With sixth-generation Nitro (Nitro V6) instances, launched in June 2025, the default TCP connection tracking idle timeout changed from 432,000 seconds (5 days) to 350 seconds. Applications that hold idle connections open for long periods, such as database connection pools, Internet of Things (IoT) telemetry, and persistent microservice connections, may experience unexpected connection drops after […]

Today, Amazon CloudFront is launching Invalidation by Cache Tag, a new capability that transforms how developers manage cached content. With this feature, you can invalidate groups of related cached objects using a single invalidation request, regardless of URL structure—making cache management more precise, efficient, and developer-friendly. In this post, we discuss the benefits of this […]

Introduction This post is intended for networking engineers and architects evaluating AWS VPN options (200-level content). It assumes familiarity with basic AWS networking concepts such as virtual private clouds (VPCs), virtual private gateways (VGWs), and transit gateways (TGWs). If you are new to AWS VPN, the AWS VPN User Guide provides foundational context. Organizations implementing […]

Following our previous post, Exploring Data Transfer Costs for AWS Network Load Balancers, this post explores architectural patterns to help optimize these expenses. Understanding inter-zone data transfer costs When network traffic flows across Amazon Web Services (AWS) Availability Zones (AZs), whether from clients to Network Load Balancers (NLBs) or from NLBs to targets, AWS applies […]

The Kubernetes SIG Network and Security Response Committee has announced that Ingress NGINX will be retired in March 2026. If your organization runs workloads on Kubernetes — whether on Amazon Elastic Kubernetes Service (Amazon EKS), self-managed clusters on EC2, or hybrid environments — this upcoming change requires immediate planning and attention. This change impacts approximately […]