How to design network architecture (for example, subnet tiers, routing, IP addressing)

Task Statement 3.4: Determine high-performing and/or scalable network

📘AWS Certified Solutions Architect – (SAA-C03)


1. Introduction to Network Architecture in AWS

Network architecture is how you plan and organize your cloud resources so they can communicate efficiently, securely, and reliably. A well-designed network ensures:

  • High performance: Fast and reliable communication between services.
  • Scalability: Ability to handle more traffic without redesigning the network.
  • Security: Proper isolation of resources and controlled access.
  • Availability: Minimal downtime or disruptions.

AWS provides Amazon VPC (Virtual Private Cloud) as the foundation to design your network.


2. Core Components of Network Architecture

a) Subnet Tiers (Public, Private, and Isolated)

  • Public Subnet: Accessible from the Internet. Usually hosts services like load balancers or web servers that users need to reach.
  • Private Subnet: Not directly accessible from the Internet. Typically used for application servers or databases. Access to the Internet can be via NAT Gateway for updates or external communication.
  • Isolated Subnet: No Internet access. Ideal for sensitive systems like databases storing confidential data.

Key Exam Tip: Know when to use public vs private subnets and how NAT Gateways allow private subnets to reach the Internet securely.


b) Routing

Routing defines how network traffic flows between subnets, VPCs, and external networks.

  • Route Tables: Each subnet must be associated with a route table. It defines paths for traffic.
    • Example: A private subnet route table might send 0.0.0.0/0 (all Internet traffic) through a NAT Gateway.
    • Public subnet route table sends Internet traffic through an Internet Gateway.
  • Internet Gateway (IGW): Enables communication between a VPC and the Internet. Required for public subnets.
  • NAT Gateway: Allows private subnets to initiate Internet requests (like software updates) but prevents inbound Internet access.
  • VPC Peering / Transit Gateway: Connects multiple VPCs so services in different VPCs can communicate securely.

Exam Tip: Understand how routing works with public/private subnets and NAT/Internet Gateways.
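
The routing rules above, as an added worked example (not part of the study notes): a small model of how a VPC route table resolves a destination. AWS uses the most specific matching route, every route table carries an implicit "local" route for the VPC CIDR, and the gateway IDs and CIDRs below are constructed placeholders.

```python
# Added example (not from the study notes): longest-prefix-match lookup over
# public, private and isolated route tables. Targets are placeholder IDs.
from ipaddress import ip_address, ip_network

VPC_CIDR = "10.0.0.0/16"

# Each route table is a list of (destination CIDR, target). The "local" route
# exists in every route table and cannot be removed.
PUBLIC_RT = [
    (VPC_CIDR, "local"),
    ("0.0.0.0/0", "igw-PLACEHOLDER"),      # Internet-bound -> Internet Gateway
]
PRIVATE_RT = [
    (VPC_CIDR, "local"),
    ("0.0.0.0/0", "nat-PLACEHOLDER"),      # Internet-bound -> NAT Gateway
    ("172.16.0.0/16", "pcx-PLACEHOLDER"),  # peered VPC -> peering connection
]
ISOLATED_RT = [
    (VPC_CIDR, "local"),                   # no default route: no Internet path
]

def resolve(route_table, destination):
    """Return the target for `destination`, or None when no route matches
    (the packet is dropped). Most specific (longest prefix) route wins."""
    dst = ip_address(destination)
    best = None
    for cidr, target in route_table:
        net = ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

if __name__ == "__main__":
    for name, rt in [("public", PUBLIC_RT), ("private", PRIVATE_RT), ("isolated", ISOLATED_RT)]:
        for dest in ("10.0.5.9", "172.16.3.4", "93.184.216.34"):
            print(f"{name:8} {dest:15} -> {resolve(rt, dest)}")
```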


c) IP Addressing

IP addressing ensures each resource has a unique address to communicate.

  • CIDR Blocks: Define the IP range of a VPC.
    • Example: 10.0.0.0/16 gives 65,536 IPs.
  • Subnetting: Divides the VPC into smaller subnets.
    • Example: 10.0.1.0/24 gives 256 IPs for a subnet.
  • Elastic IP: Static public IP address, usually for servers that must be accessible from the Internet.

Exam Tip: Be familiar with CIDR notation and subnetting logic.
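
CIDR planning for the subnet tiers above, as an added example (not from the study notes): it carves a VPC block into one subnet per tier and AZ, reports how many addresses are actually assignable (AWS reserves five per subnet), and flags overlapping ranges, which break VPC peering. All CIDRs and AZ labels are constructed.

```python
# Added example (not from the study notes): subnet planning with Python's
# ipaddress module. CIDRs, tier names and AZ labels are constructed values.
from itertools import combinations
from ipaddress import ip_network

# AWS reserves the first four addresses and the last address of every subnet
# (network, VPC router, DNS, future use, broadcast), so a /24 yields 251 hosts.
AWS_RESERVED_PER_SUBNET = 5

def plan_subnets(vpc_cidr, tiers, azs, new_prefix):
    """Allocate one /new_prefix subnet per (tier, AZ) pair, in order, from the
    VPC block. Returns {(tier, az): IPv4Network}; raises if the VPC is too small."""
    vpc = ip_network(vpc_cidr)
    candidates = vpc.subnets(new_prefix=new_prefix)
    plan = {}
    for tier in tiers:
        for az in azs:
            try:
                plan[(tier, az)] = next(candidates)
            except StopIteration:
                raise ValueError(
                    f"{vpc_cidr} cannot hold {len(tiers) * len(azs)} /{new_prefix} subnets"
                ) from None
    return plan

def usable_hosts(cidr):
    """Addresses actually assignable to instances in an AWS subnet of this size."""
    return ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET

def overlapping_pairs(cidrs):
    """Every pair of CIDRs that overlap; this must be empty across all VPCs you
    intend to peer or route between."""
    nets = [ip_network(c) for c in cidrs]
    return [(str(a), str(b)) for a, b in combinations(nets, 2) if a.overlaps(b)]

if __name__ == "__main__":
    plan = plan_subnets("10.0.0.0/16", ["public", "private", "isolated"],
                        ["a", "b", "c"], 20)
    for (tier, az), net in plan.items():
        print(f"{tier:9} {az}  {net}  usable={usable_hosts(str(net))}")
    print("overlaps:", overlapping_pairs(["10.0.0.0/16", "10.0.128.0/17"]))
```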


3. Designing for High Performance

High-performing networks are designed to minimize latency and maximize throughput:

  • Use multiple Availability Zones (AZs): Place resources in different AZs for redundancy.
    • Example: Deploy EC2 instances in multiple AZs behind an Application Load Balancer.
  • Load Balancing: Distributes traffic evenly to prevent overloading a single server.
    • Elastic Load Balancer (ELB): Automatically distributes incoming application traffic.
  • Direct Connect / VPN: Reduces latency between on-premises data centers and AWS.

Exam Tip: Know why multi-AZ deployments improve performance and availability.


4. Designing for Scalability

Scalable networks grow without disruption:

  • Auto Scaling Groups (ASG): Automatically add/remove instances based on demand.
  • Elastic IPs & DNS: Use Route 53 for scalable DNS routing across multiple regions.
  • Decoupled Architecture: Use SQS (Simple Queue Service) or SNS (Simple Notification Service) to handle traffic spikes asynchronously.

Exam Tip: Scalability often involves a combination of load balancing, auto-scaling, and decoupled services.


5. Security in Network Design

Security is part of a high-performing, scalable architecture:

  • Security Groups: Stateful firewall for EC2 instances; controls inbound/outbound traffic.
  • Network ACLs (NACLs): Stateless firewall at the subnet level. Useful for controlling traffic at a broader level.
  • Private Subnets for sensitive resources: Keep databases or internal APIs isolated.

Exam Tip: Understand the difference between Security Groups (instance level) and NACLs (subnet level).
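
The stateful/stateless distinction above, as an added toy model (not from the study notes): a Security Group that admits a client's HTTPS request automatically lets the reply out, while a NACL evaluates the reply on the client's ephemeral port as a separate packet and drops it unless an outbound rule allows that port range. Addresses, ports and rule sets are constructed; this is not the AWS rule-evaluation code.

```python
# Added example (not from the study notes): why a NACL needs an outbound
# ephemeral-port rule and a Security Group does not. Values are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

def _match(rule, ip, port):
    """rule = (cidr, port_lo, port_hi); unmatched traffic is implicitly denied."""
    cidr, lo, hi = rule
    return ip_address(ip) in ip_network(cidr) and lo <= port <= hi

class SecurityGroup:
    """Stateful: replies to an accepted inbound connection are allowed without
    an outbound rule. Only connection tracking is modelled here."""
    def __init__(self, inbound):
        self.inbound = inbound
        self.tracked = set()          # 4-tuples of connections already accepted
    def allows_inbound(self, f):
        ok = any(_match(r, f.src, f.dport) for r in self.inbound)
        if ok:
            self.tracked.add((f.src, f.sport, f.dst, f.dport))
        return ok
    def allows_outbound(self, f):
        return (f.dst, f.dport, f.src, f.sport) in self.tracked

class NetworkACL:
    """Stateless: each direction is evaluated on its own, so the reply on the
    client's ephemeral port needs an explicit outbound rule."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
    def allows_inbound(self, f):
        return any(_match(r, f.src, f.dport) for r in self.inbound)
    def allows_outbound(self, f):
        return any(_match(r, f.dst, f.dport) for r in self.outbound)

if __name__ == "__main__":
    req = Flow("203.0.113.10", 51000, "10.0.1.10", 443)
    rep = Flow("10.0.1.10", 443, "203.0.113.10", 51000)
    sg = SecurityGroup(inbound=[("0.0.0.0/0", 443, 443)])
    acl = NetworkACL(inbound=[("0.0.0.0/0", 443, 443)], outbound=[("0.0.0.0/0", 443, 443)])
    print("SG  request/reply:", sg.allows_inbound(req), sg.allows_outbound(rep))
    print("ACL request/reply:", acl.allows_inbound(req), acl.allows_outbound(rep))
```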


6. Exam Focus: Best Practices

  1. Multi-Tier Architecture: Separate public-facing and private resources into different subnets.
  2. High Availability: Use multiple AZs and load balancers.
  3. Elasticity: Use Auto Scaling and ELB to handle variable traffic.
  4. Proper IP Planning: Avoid overlaps, plan subnet sizes for growth.
  5. Secure by Design: Use private subnets, Security Groups, NACLs, and VPC endpoints.

7. Quick Summary Table for Exam

Concept          | Key Points
-----------------|-------------------------------------------------------------
Subnet Tier      | Public (Internet), Private (NAT), Isolated (no Internet)
Routing          | Route tables, IGW, NAT Gateway, VPC Peering
IP Addressing    | CIDR blocks, subnetting, Elastic IP
High Performance | Multi-AZ, ELB, Direct Connect
Scalability      | Auto Scaling, Route 53, decoupled services
Security         | Security Groups (instance), NACLs (subnet), private subnets

Tip for the Exam: AWS often asks scenario questions like:

  • “Which subnet should you place your database in?” → Private or Isolated.
  • “How does a private subnet access the Internet?” → Through a NAT Gateway.
  • “How to improve application availability?” → Multi-AZ + ELB.