Task Statement 3.4: Determine high-performing and/or scalable network architectures.
📘AWS Certified Solutions Architect – (SAA-C03)
When we talk about network topology in AWS, we mean how resources like servers, databases, and applications are connected over the network. The design affects performance, security, and scalability. In AWS, you can create several types of network topologies depending on your needs: global, hybrid, and multi-tier.
1. Global Network Topology
Definition:
A global network topology connects AWS resources across multiple regions worldwide. This is used when applications need low latency and high availability for users in different locations.
Key AWS Services to Know:
- Amazon VPC – Each region has its own VPC.
- AWS Global Accelerator – Routes users to the nearest healthy endpoint globally.
- Amazon CloudFront – Caches content at edge locations for fast global access.
- AWS Transit Gateway – Connects multiple VPCs across regions (if you have complex architecture).
How it Works in AWS:
- You have VPCs in multiple AWS regions (e.g., US-East-1, EU-West-1).
- A global service like Global Accelerator ensures users are routed to the closest and healthiest AWS region.
- Data between regions can flow through VPC peering or Transit Gateway inter-region peering.
Exam Tips:
- Know that Global Accelerator improves performance and availability globally.
- CloudFront is primarily for static and dynamic content caching, not for private inter-region connectivity.
- Transit Gateway allows simpler inter-region network management compared to multiple VPC peering connections.
2. Hybrid Network Topology
Definition:
A hybrid network connects AWS cloud resources with on-premises data centers. This is common in enterprises that want some resources on-premises and others in AWS.
Key AWS Services to Know:
- AWS Direct Connect – Provides a dedicated, private network connection from on-premises to AWS.
- AWS VPN – Connects on-premises network to AWS over the internet (encrypted).
- AWS Transit Gateway – Can integrate multiple VPCs and on-premises networks in one place.
How it Works in AWS:
- On-premises servers connect to AWS VPCs using either VPN (secure over the internet) or Direct Connect (faster, more stable).
- VPCs are organized using subnets (public and private) to separate resources.
- Transit Gateway can simplify hybrid network management by acting as a hub.
Exam Tips:
- VPN is suitable for smaller, temporary, or backup connections.
- Direct Connect is suitable for high-throughput, low-latency, production connections.
- Hybrid architecture often involves redundancy—using multiple Direct Connect connections or VPN tunnels.
3. Multi-Tier Network Topology
Definition:
A multi-tier topology separates resources into logical layers, usually: presentation layer, application layer, and database layer. This improves security, performance, and scalability.
Key AWS Concepts:
- Public and private subnets – Public for web servers; private for application servers and databases.
- Security groups and NACLs – Control access between tiers.
- Load Balancers – Distribute traffic to the web/application tier.
- Amazon RDS or DynamoDB – Hosts the database tier.
Example in AWS Terms:
- Presentation Layer (Web Tier)
- EC2 instances or containers in a public subnet.
- Fronted by an Application Load Balancer.
- Application Layer (Business Logic Tier)
- EC2 instances in a private subnet.
- Accessed only by the web tier.
- Can autoscale using Auto Scaling Groups.
- Database Layer (Data Tier)
- RDS in a private subnet with Multi-AZ for high availability.
- Not directly accessible from the internet.
Exam Tips:
- Multi-tier architectures always use private subnets for sensitive resources.
- Security groups are applied to instances; NACLs are applied at subnet level.
- ALB is often in the public subnet, routing traffic to private subnets.
4. Combining Topologies
In real AWS exam scenarios, you might need to combine these topologies:
- A global multi-tier architecture: Multi-tier apps deployed across regions with CloudFront for caching.
- A hybrid multi-tier architecture: On-premises database connects to AWS app and web servers in multiple tiers.
Key AWS Services to Consider When Designing:
| Topology | AWS Services | Use Cases in Exam |
|---|---|---|
| Global | CloudFront, Global Accelerator, Transit Gateway | Low-latency global access |
| Hybrid | Direct Connect, VPN, Transit Gateway | On-premises + cloud connectivity |
| Multi-tier | VPC (subnets), ALB/NLB, Security Groups, RDS/DynamoDB | Secure, scalable, layered architecture |
5. Important Exam Considerations
- Subnet Placement
- Public subnet → internet-facing resources.
- Private subnet → backend resources, no direct internet access.
- High Availability & Scalability
- Multi-AZ deployments for DBs.
- Auto Scaling Groups for app servers.
- Load balancers distribute traffic across AZs.
- Security Best Practices
- Use private subnets for sensitive data.
- Limit cross-tier access using security groups.
- VPN or Direct Connect for hybrid security.
- Cost Efficiency
- Global Accelerator improves performance but costs more than CloudFront.
- Transit Gateway simplifies management but is priced per hour and per GB.
✅ In Simple Terms for Non-IT Students:
- Global → Think “many AWS regions worldwide connected.”
- Hybrid → Think “AWS + on-premises network connected securely.”
- Multi-tier → Think “web servers talk to app servers, which talk to database servers.”
These topologies determine how fast, secure, and scalable your AWS application will be, which is exactly what the SAA-C03 exam tests.
