Task Statement 4.4: Design cost-optimized network architectures.
📘 AWS Certified Solutions Architect – Associate (SAA-C03)
This topic is mainly about how networks (VPCs) connect and communicate inside AWS in a scalable and cost-efficient way.
1. Core Idea (What this topic means in AWS)
In AWS, you often create multiple isolated networks called VPCs (Virtual Private Clouds).
These VPCs need to communicate with:
- Other VPCs (same or different accounts/regions)
- On-premises networks (data centers)
- Shared services (security, logging, APIs)
To connect them, AWS uses:
- Routing (how traffic flows)
- Topology (how networks are structured)
- Peering (how VPCs connect)
2. Network Routing in AWS
What is routing?
Routing is the set of rules that decides where network traffic goes.
In AWS:
- Each subnet is associated with exactly one route table
- Route tables define where traffic for each destination goes, with targets such as:
  - Local VPC traffic
  - Internet Gateway (IGW)
  - NAT Gateway
  - Peering connections
  - Transit Gateway
Key exam point:
If a destination has no matching route in the subnet's route table → traffic to it will not flow
Example (IT environment)
- App servers in private subnet need database access
- Route table sends traffic internally within VPC
- If database is in another VPC → need peering or Transit Gateway route
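The example below is added here to make the route-table point concrete; it is not part of the original notes. It models a private-subnet route table as a dictionary of CIDR → target and resolves a destination the way a VPC route table does (longest-prefix match). The CIDRs and the target names `nat-example`, `pcx-example` and `tgw-example` are constructed placeholders, not real AWS identifiers. It shows the exam scenario above: without a route for the other VPC's CIDR, traffic to the database falls through to the default route and never arrives; adding the peering route fixes it.

```python
import ipaddress

# Constructed example: VPC A is 10.0.0.0/16, VPC B (holding the database) is 10.1.0.0/16.
# Target names are placeholders, not real AWS resource ids.
PRIVATE_SUBNET_RT = {
    "10.0.0.0/16": "local",       # implicit local route for the VPC's own CIDR
    "0.0.0.0/0": "nat-example",   # default route: internet-bound traffic via NAT gateway
}


def lookup(route_table, dst_ip):
    """Pick the target for dst_ip the way a VPC route table does: longest-prefix match.

    Returns None when no route covers the destination (the packet is dropped).
    """
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table.items():
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def reaches_vpc_b(route_table, dst_ip):
    """True only if the chosen target is the peering or transit gateway attachment.

    A destination inside VPC B that falls through to the default route (NAT),
    or matches no route at all, never arrives: that is the 'missing route' exam point.
    """
    return lookup(route_table, dst_ip) in ("pcx-example", "tgw-example")


def with_peering_route(route_table):
    """Return a copy of the table with the route to VPC B via the peering connection."""
    fixed = dict(route_table)
    fixed["10.1.0.0/16"] = "pcx-example"
    return fixed


if __name__ == "__main__":
    db_in_vpc_b = "10.1.5.20"
    print(lookup(PRIVATE_SUBNET_RT, "10.0.3.7"))                             # local: same VPC
    print(lookup(PRIVATE_SUBNET_RT, db_in_vpc_b))                            # nat-example: wrong target
    print(reaches_vpc_b(PRIVATE_SUBNET_RT, db_in_vpc_b))                     # False
    print(reaches_vpc_b(with_peering_route(PRIVATE_SUBNET_RT), db_in_vpc_b))  # True
```

Note the longest-prefix rule: a broad summary route such as `10.0.0.0/8 → tgw` never overrides the VPC's own `/16` local route, which is why a TGW summary route and the local route can coexist safely in one table.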
3. Network Topology in AWS
Topology means how networks are connected together.
A. Full Mesh Topology
Each VPC connects directly to every other VPC.
Problem:
- Too many connections
- Hard to manage
- Expensive at scale
Formula (important exam concept):
For N VPCs:
- Connections = N(N−1)/2
B. Hub-and-Spoke Topology (Recommended)
This is the most important exam concept.
- One central hub connects all VPCs
- VPCs (spokes) do not connect directly to each other
AWS service used:
AWS Transit Gateway
Benefits:
- Scales easily
- Central control of routing
- Lower operational complexity
- Easier security inspection
4. VPC Peering (Direct VPC Connection)
VPC Peering is a direct network connection between two VPCs.
Key properties:
- Private connection (no internet)
- Works across same or different accounts
- Works across regions (inter-region peering)
Important exam limitations (VERY IMPORTANT)
VPC Peering:
❌ Does NOT support transitive routing
❌ No central hub routing
❌ Requires route table updates on both sides
❌ Becomes complex at scale
Transitive routing means:
If A is peered with B, and B is peered with C
👉 A cannot talk to C automatically
When to use VPC Peering:
- Simple architectures
- Few VPCs (2–3)
- Low-cost requirement
- Direct communication needed
5. AWS Transit Gateway (Hub Model)
AWS Transit Gateway is the main solution for scalable networking.
How it works:
- All VPCs connect to a central gateway
- Transit Gateway handles routing between them
- Supports thousands of VPCs
Key advantages:
1. Transitive routing (IMPORTANT)
- VPC A → TGW → VPC C: A reaches C through the hub even though A and C have no direct connection
2. Central management
- One routing hub instead of many connections
3. Supports hybrid networks
- Connects:
  - Multiple VPCs
  - On-premises networks via VPN/Direct Connect
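The following is an added example, not code from the original notes, that ties together the full-mesh formula from section 3, the non-transitive peering rule from section 4 and the transitive Transit Gateway behaviour described here. It counts the connections each topology needs for N VPCs and then models reachability in both: peering is a set of point-to-point links (A can reach B only if A–B is itself peered), while a Transit Gateway with its default route table lets every attached VPC reach every other. The VPC names are constructed.

```python
import itertools


def full_mesh_connections(n):
    """Peering connections needed for n VPCs to all talk directly: N(N-1)/2."""
    return n * (n - 1) // 2


def hub_and_spoke_connections(n):
    """Transit Gateway attachments needed for the same n VPCs: one per VPC."""
    return n


class PeeringMesh:
    """VPC peering as a set of point-to-point links. Peering is NOT transitive,
    so reachability is exactly 'is there a direct link between the two'."""

    def __init__(self):
        self.links = set()

    def peer(self, a, b):
        self.links.add(frozenset((a, b)))

    def can_reach(self, src, dst):
        return frozenset((src, dst)) in self.links


class TransitGatewayHub:
    """Transit Gateway with its default route table: every attached VPC can reach
    every other attached VPC through the hub (transitive by design)."""

    def __init__(self):
        self.attachments = set()

    def attach(self, vpc):
        self.attachments.add(vpc)

    def can_reach(self, src, dst):
        return src != dst and {src, dst} <= self.attachments


def unreachable_pairs(network, vpcs):
    """Pairs of VPCs that cannot talk under the given topology."""
    return sorted((a, b) for a, b in itertools.combinations(vpcs, 2)
                  if not network.can_reach(a, b))


def compare_topologies(vpcs):
    """Chain-peer the VPCs (A-B, B-C, ...) versus attaching all of them to one TGW."""
    mesh = PeeringMesh()
    for a, b in zip(vpcs, vpcs[1:]):
        mesh.peer(a, b)
    hub = TransitGatewayHub()
    for v in vpcs:
        hub.attach(v)
    return {
        "peering_chain_unreachable": unreachable_pairs(mesh, vpcs),
        "tgw_unreachable": unreachable_pairs(hub, vpcs),
    }


if __name__ == "__main__":
    for n in (3, 10, 20):
        print(n, "VPCs: mesh needs", full_mesh_connections(n),
              "peerings, hub needs", hub_and_spoke_connections(n), "attachments")
    # Constructed VPC names: A-B and B-C are peered, but A cannot reach C.
    print(compare_topologies(["A", "B", "C"]))
```

For 20 VPCs the mesh needs 190 peering connections (each of which must be accepted and routed on both sides), against 20 TGW attachments; this is the "peering mesh explosion" the exam scenarios refer to.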
Cost consideration (EXAM FOCUS)
Transit Gateway:
- Has hourly cost per attachment
- Has data processing cost
BUT:
- Still cheaper overall than creating, accepting and maintaining routes for many peering connections at scale
6. VPC Peering vs Transit Gateway (Very Important Exam Table)
| Feature | VPC Peering | Transit Gateway |
|---|---|---|
| Architecture | Point-to-point | Hub-and-spoke |
| Scalability | Low | High |
| Transitive routing | ❌ No | ✅ Yes |
| Management | Complex at scale | Centralized |
| Cost (small scale) | Cheaper | More expensive |
| Cost (large scale) | Expensive (many connections) | More cost-efficient |
7. Routing Behavior (Exam Key Points)
In VPC Peering:
- You must manually add routes in route tables
- Both VPCs must allow traffic
In Transit Gateway:
- Route tables inside TGW control traffic flow
- Easier segmentation (production, dev, shared services)
8. Network Design Patterns (Exam Scenarios)
Scenario 1: Few VPCs (2–3)
✔ Use VPC Peering
✔ Simple and cheap
Scenario 2: Many VPCs (10+)
✔ Use Transit Gateway
✔ Avoid peering mesh explosion
Scenario 3: Shared services (security, logging, DNS)
✔ Use Transit Gateway hub
✔ Centralized access control
Scenario 4: Multi-account AWS organization
✔ Transit Gateway is best practice
✔ Works with AWS Organizations
9. Cost-Optimized Design Strategy (VERY IMPORTANT)
To design cost-optimized networks:
Step 1: Avoid unnecessary connections
- Do not create full mesh peering
Step 2: Use correct architecture
- Small scale → VPC Peering
- Large scale → Transit Gateway
Step 3: Reduce data transfer costs
- Keep traffic inside AWS backbone
- Avoid routing through internet when possible
Step 4: Segment traffic
- Use separate route tables for:
  - Production
  - Development
  - Shared services
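The example below is added here (it is not part of the original notes) to show what the Transit Gateway route tables from section 7 and the segmentation in Step 4 look like in practice. It is a minimal model of the two TGW concepts that control traffic flow: an attachment is associated with one TGW route table (the table consulted for traffic entering the TGW from that attachment) and can propagate its CIDR into any table (which makes it reachable from that table's attachments). With one table per environment, production and development both reach shared services, but neither can reach the other, which limits the blast radius of a compromised dev workload. CIDRs and attachment names are constructed.

```python
import ipaddress


class TransitGateway:
    """Minimal model of Transit Gateway route tables with associations and propagations."""

    def __init__(self):
        self.attachments = {}   # attachment id -> VPC CIDR
        self.tables = {}        # table name -> {ip_network: attachment id}
        self.association = {}   # attachment id -> table name it is associated with

    def attach(self, att_id, cidr):
        self.attachments[att_id] = ipaddress.ip_network(cidr)

    def create_table(self, name):
        self.tables[name] = {}

    def associate(self, att_id, table):
        """Traffic arriving from att_id is evaluated against this table."""
        self.association[att_id] = table

    def propagate(self, att_id, table):
        """Advertise att_id's CIDR into the table so its attachments can reach it."""
        self.tables[table][self.attachments[att_id]] = att_id

    def next_hop(self, src_att, dst_ip):
        """Attachment that traffic from src_att to dst_ip is forwarded to, or None (blackhole)."""
        dst = ipaddress.ip_address(dst_ip)
        table = self.tables[self.association[src_att]]
        matches = [(net, att) for net, att in table.items() if dst in net]
        return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


def build_segmented_tgw():
    """Prod and dev both reach shared services; prod and dev never reach each other."""
    tgw = TransitGateway()
    tgw.attach("prod-vpc", "10.10.0.0/16")     # constructed CIDRs
    tgw.attach("dev-vpc", "10.20.0.0/16")
    tgw.attach("shared-vpc", "10.0.0.0/16")
    for name in ("prod-rt", "dev-rt", "shared-rt"):
        tgw.create_table(name)

    # Production traffic is evaluated against prod-rt, which only learns shared.
    tgw.associate("prod-vpc", "prod-rt")
    tgw.propagate("shared-vpc", "prod-rt")
    # Development traffic is evaluated against dev-rt, which also only learns shared.
    tgw.associate("dev-vpc", "dev-rt")
    tgw.propagate("shared-vpc", "dev-rt")
    # Shared services must answer both environments, so shared-rt learns both.
    tgw.associate("shared-vpc", "shared-rt")
    tgw.propagate("prod-vpc", "shared-rt")
    tgw.propagate("dev-vpc", "shared-rt")
    return tgw


if __name__ == "__main__":
    tgw = build_segmented_tgw()
    print(tgw.next_hop("prod-vpc", "10.0.0.10"))    # shared-vpc
    print(tgw.next_hop("shared-vpc", "10.10.1.5"))  # prod-vpc (return path)
    print(tgw.next_hop("prod-vpc", "10.20.1.5"))    # None: dev is isolated from prod
```

If every attachment were associated with and propagated into a single table (the default-table behaviour), the result would be the any-to-any hub of section 5; the separate tables are what turn the same Transit Gateway into a segmented network without any extra connections.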
10. Common Exam Traps
Trap 1:
“Choose VPC Peering for 20 VPCs”
❌ Wrong → becomes unmanageable
Trap 2:
“Need transitive routing”
✔ Always choose Transit Gateway
Trap 3:
“Lowest cost for 2 VPCs”
✔ VPC Peering is correct
11. Summary (Must Remember for Exam)
- Routing = defines traffic paths using route tables
- Topology = structure of network (mesh vs hub)
- Peering = direct VPC-to-VPC connection
- VPC Peering = simple, cheap, but not scalable
- Transit Gateway = scalable hub, supports transitive routing
Final Exam Shortcut
👉 If question says:
- “simple, few VPCs” → VPC Peering
- “many VPCs / scalable / centralized” → Transit Gateway
- “transitive routing needed” → Transit Gateway
