Task Statement 1.2: Design secure workloads and applications.
📘 AWS Certified Solutions Architect – Associate (SAA-C03)
For the SAA-C03 exam, you must clearly understand how to design a secure VPC architecture using different networking and security components inside AWS.
The most important service in this topic is:
👉 Amazon Virtual Private Cloud (Amazon VPC)
Everything in this section is built inside a VPC.
1. What is Amazon VPC?
A VPC is your private network inside AWS.
It allows you to:
- Launch servers (EC2 instances)
- Create subnets
- Control IP addressing
- Control traffic using security components
- Connect securely to the internet or other networks
You design the network layout and decide:
- Which resources are public
- Which resources are private
- How traffic flows
- What traffic is allowed or denied
For the exam, remember:
A secure workload starts with a properly designed VPC.
2. Core VPC Security Components (Very Important for Exam)
You must fully understand these four:
- Security Groups
- Network ACLs
- Route Tables
- NAT Gateways
These work together to control traffic.
3. Security Groups (Instance-Level Firewall)
Security Groups are virtual firewalls attached to resources, such as:
👉 Amazon EC2 instances
Key Characteristics
- Operate at the instance level
- Are stateful
- Only contain allow rules
- Default: all inbound traffic is denied unless a rule explicitly allows it
What Does “Stateful” Mean?
If inbound traffic is allowed:
- The response traffic is automatically allowed.
You do NOT need to create a separate outbound rule for the response.
This is extremely important for the exam.
Example in IT Environment
If you deploy:
- A web server
- A database server
You would design security groups like:
Web Server SG:
- Allow inbound HTTP (port 80)
- Allow inbound HTTPS (port 443)
Database SG:
- Allow inbound database port (e.g., 3306)
- Only from the Web Server security group
This is called security group referencing, and it is strongly tested in the exam.
Exam Tips for Security Groups
- Stateful ✔
- Attached to instances ✔
- Only allow rules ✔
- Can reference other security groups ✔
- More granular control ✔
4. Network ACLs (Subnet-Level Firewall)
Network ACLs (NACLs) operate at the subnet level.
They are another layer of security.
Key Characteristics
- Operate at subnet level
- Are stateless
- Contain both allow and deny rules
- Rules are evaluated in ascending number order; the first matching rule is applied
- Default NACL allows all traffic
- Custom NACL denies all traffic by default
What Does “Stateless” Mean?
If inbound traffic is allowed:
- You must explicitly allow outbound traffic.
- Return traffic is NOT automatically allowed.
This is one of the most tested differences between Security Groups and NACLs.
Security Groups vs NACLs (Exam Comparison Table)
| Feature | Security Group | Network ACL |
|---|---|---|
| Level | Instance | Subnet |
| Stateful? | Yes | No |
| Allow rules | Yes | Yes |
| Deny rules | No | Yes |
| Rule order matters? | No | Yes |
| Default behavior | Deny all inbound | Allow all (default NACL) |
Memorize this table for the exam.
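The stateful versus stateless difference from sections 3 and 4 can be made concrete by modelling both filters and pushing one HTTP request and its reply through them. This is an added example, not code from the page or from AWS: the rule tuples, the web-tier rules and the client port 51234 are constructed, and the model ignores source addresses to keep the focus on state and rule order.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str                  # "in" = toward the instance, "out" = away
    proto: str                      # "tcp" or "udp"
    port: int                       # destination port of this packet
    reply_to: Packet | None = None  # the packet this one answers, if any

class SecurityGroup:
    """Allow-only rules; stateful: a reply to an allowed packet needs no rule."""
    def __init__(self, inbound, outbound):
        self.rules = {"in": set(inbound), "out": set(outbound)}  # (proto, port)

    def allows(self, pkt: Packet) -> bool:
        if pkt.reply_to is not None and self.allows(pkt.reply_to):
            return True                  # connection tracking admits the reply
        return (pkt.proto, pkt.port) in self.rules[pkt.direction]

class NetworkAcl:
    """Numbered allow/deny rules, stateless, lowest number first, implicit deny."""
    def __init__(self, inbound, outbound):
        # rule = (number, proto, port_lo, port_hi, "allow" | "deny")
        self.rules = {"in": sorted(inbound), "out": sorted(outbound)}

    def allows(self, pkt: Packet) -> bool:
        for _num, proto, lo, hi, action in self.rules[pkt.direction]:
            if proto == pkt.proto and lo <= pkt.port <= hi:
                return action == "allow"  # first matching rule wins
        return False                      # the trailing "*" deny rule

# Constructed web-tier rules: both admit HTTP/HTTPS inbound, but the NACL's
# outbound side forgot the ephemeral port range that replies travel on.
WEB_SG = SecurityGroup(inbound=[("tcp", 80), ("tcp", 443)], outbound=[])
WEB_NACL = NetworkAcl(
    inbound=[(100, "tcp", 80, 80, "allow"), (110, "tcp", 443, 443, "allow")],
    outbound=[(100, "tcp", 443, 443, "allow")])
# Corrected NACL: explicit outbound allow for ephemeral ports carries replies.
FIXED_NACL = NetworkAcl(inbound=WEB_NACL.rules["in"],
    outbound=WEB_NACL.rules["out"] + [(110, "tcp", 1024, 65535, "allow")])
# Rule numbers matter: a lower-numbered deny beats a higher-numbered allow.
STRICT_NACL = NetworkAcl(
    inbound=[(50, "tcp", 80, 80, "deny"), (100, "tcp", 80, 80, "allow")], outbound=[])
REQUEST = Packet("in", "tcp", 80)                      # client -> web server:80
REPLY = Packet("out", "tcp", 51234, reply_to=REQUEST)  # server -> client's port
def evaluate(sg: SecurityGroup, nacl: NetworkAcl) -> dict:
    return {"sg_request": sg.allows(REQUEST), "sg_reply": sg.allows(REPLY),
            "nacl_request": nacl.allows(REQUEST), "nacl_reply": nacl.allows(REPLY)}
```

With WEB_NACL the request gets in but the reply is dropped at the subnet boundary even though the security group passes it; FIXED_NACL shows the outbound ephemeral-port rule a real deployment needs.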
5. Route Tables (Traffic Direction Control)
Route Tables control where traffic goes.
Each subnet must be associated with a route table.
What Is Inside a Route Table?
It contains:
- Destination
- Target
Example entries:
| Destination | Target |
|---|---|
| 10.0.0.0/16 | Local |
| 0.0.0.0/0 | Internet Gateway |
Important Targets for Exam
Internet Gateway
👉 Internet Gateway
Allows communication between the VPC and the internet.
If a subnet route table contains:
0.0.0.0/0 → Internet Gateway
That subnet is considered public.
NAT Gateway
👉 NAT Gateway
Used to allow private instances to access the internet without being exposed publicly.
Private subnets use:
0.0.0.0/0 → NAT Gateway
Very important exam concept.
6. Public vs Private Subnets (Critical Exam Topic)
Public Subnet
A subnet is public if:
- It has a route to Internet Gateway
- Instances have public IP addresses
Used for:
- Web servers
- Load balancers
Private Subnet
A subnet is private if:
- It does NOT have a direct route to Internet Gateway
- It uses NAT Gateway for outbound internet
Used for:
- Databases
- Internal application servers
7. NAT Gateway (Secure Outbound Internet Access)
A NAT Gateway is deployed in a public subnet.
Private instances send traffic to NAT Gateway.
NAT Gateway sends traffic to Internet Gateway.
Return traffic flows back automatically.
Why NAT Gateway Is Important
- Allows software updates
- Allows API calls to external services
- Prevents inbound internet traffic
- Improves security posture
Exam Points
- NAT Gateway must be in a public subnet.
- It requires an Elastic IP.
- It is managed and highly available within an AZ.
8. Designing a Secure VPC Architecture (Exam Scenario Design)
For SAA-C03, you must design layered security.
Typical secure design:
Step 1 – Create VPC
Define CIDR block (e.g., 10.0.0.0/16)
Step 2 – Create Subnets
- Public Subnet (for load balancers or web servers)
- Private Subnet (for application servers)
- Private Subnet (for databases)
Spread across multiple Availability Zones for high availability.
Step 3 – Attach Internet Gateway
Required for public access.
Step 4 – Configure Route Tables
Public subnet:
0.0.0.0/0 → Internet Gateway
Private subnet:
0.0.0.0/0 → NAT Gateway
Step 5 – Configure Security Groups
Web tier:
- Allow HTTP/HTTPS from internet
App tier:
- Allow traffic only from web tier SG
Database tier:
- Allow traffic only from app tier SG
Step 6 – Configure NACLs (Optional Extra Layer)
- Allow necessary ports
- Block unwanted IP ranges
- Add explicit deny rules
9. Layered Security Model (Defense in Depth)
The exam expects you to understand layered security:
- Route Tables (traffic direction)
- NACLs (subnet filtering)
- Security Groups (instance filtering)
- IAM (identity control – separate topic)
Each layer increases protection.
10. Common Exam Traps
Be careful with:
❌ Thinking NACLs are stateful
They are stateless.
❌ Thinking Security Groups allow deny rules
They do not.
❌ Placing NAT Gateway in a private subnet
It must be in a public subnet.
❌ Assuming a subnet becomes public automatically
It must:
- Have a route to an Internet Gateway
- Have a public IP assigned
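The route-table rules in section 5, the design steps in section 8 and the traps above can be checked mechanically. This is an added example, not code from the page or from AWS: it runs a longest-prefix route lookup (what a VPC route table does) over a constructed description of the three-tier layout, classifies each subnet as public or private from that, and reports a NAT Gateway placed in a private subnet and a database security group that accepts a CIDR instead of the app-tier security group. All ids (igw-main, nat-a, sg-db and so on) and the 203.0.113.10 probe address are placeholders.

```python
import ipaddress
# Constructed description of the 3-tier layout (ids are placeholders, not a real account).
# The NAT gateway placement and one sg-db rule are deliberately wrong so the checks fire.
VPC = {
    "route_tables": {
        "rtb-public":  [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-main")],
        "rtb-private": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-a")],
        "rtb-data":    [("10.0.0.0/16", "local")],
    },
    "subnets": {  # subnet id -> (route table, auto-assign public IPv4)
        "subnet-web": ("rtb-public", True),
        "subnet-app": ("rtb-private", False),
        "subnet-db":  ("rtb-data", False),
    },
    "nat_gateways": {"nat-a": "subnet-app"},
    "security_groups": {  # sg id -> inbound (proto, port, source) rules
        "sg-web": [("tcp", 80, "0.0.0.0/0"), ("tcp", 443, "0.0.0.0/0")],
        "sg-app": [("tcp", 8080, "sg-web")],
        "sg-db":  [("tcp", 3306, "sg-app"), ("tcp", 3306, "10.0.0.0/8")],
    },
}
TIER_UPSTREAM = {"sg-app": "sg-web", "sg-db": "sg-app"}  # the only permitted sources

def route_lookup(routes, dst_ip):
    """Longest-prefix match, as a VPC route table does; None means no route (dropped)."""
    ip, best = ipaddress.ip_address(dst_ip), None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def internet_target(vpc, subnet_id):
    rtb, _ = vpc["subnets"][subnet_id]
    return route_lookup(vpc["route_tables"][rtb], "203.0.113.10")  # any internet address

def is_public(vpc, subnet_id):
    """Public subnet = IGW default route AND instances receive public IPs."""
    target = internet_target(vpc, subnet_id)
    return target is not None and target.startswith("igw-") and vpc["subnets"][subnet_id][1]

def find_misconfigurations(vpc):
    findings = []
    for nat, subnet in vpc["nat_gateways"].items():
        if not (internet_target(vpc, subnet) or "").startswith("igw-"):
            findings.append(f"{nat}: NAT Gateway must be in a public subnet, {subnet} has no IGW route")
    for sg, upstream in TIER_UPSTREAM.items():
        for proto, port, source in vpc["security_groups"][sg]:
            if source != upstream:
                findings.append(f"{sg}: {proto}/{port} open to {source}; only {upstream} should be allowed")
    return findings
```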
11. High Availability Considerations (Exam Critical)
- Deploy NAT Gateway per Availability Zone.
- Use multiple subnets in different AZs.
- Associate correct route tables per subnet.
If one AZ fails, the application continues working.
12. When to Use What (Exam Logic Questions)
Use Security Groups:
- To restrict traffic between application tiers.
Use NACLs:
- To block specific IP ranges.
- To add an extra protection layer.
Use Route Tables:
- To control internet access.
- To route to NAT, IGW, VPC Peering, etc.
Use NAT Gateway:
- For private instances needing outbound internet.
13. Key Architecture Pattern for Exam
Secure 3-tier architecture inside a VPC:
- Public Subnet → Load Balancer
- Private Subnet → Application servers
- Private Subnet → Database
- NAT Gateway for outbound access
- Security group referencing between tiers
You must be comfortable identifying misconfigurations.
Final Exam Checklist
Make sure you can answer:
✔ Difference between Security Groups and NACLs
✔ What makes a subnet public
✔ How NAT Gateway works
✔ Where NAT Gateway must be deployed
✔ How route tables affect traffic
✔ How to isolate database tier
✔ How to design multi-AZ secure architecture
If you master this section, you will confidently answer most VPC security questions in SAA-C03 Task Statement 1.2.
