
Determine High-Performing And / Or Scalable Network Architectures

Exam Guide: Solutions Architect - Associate
⚡ Domain 3: Design High-Performing Architectures
📘 Task Statement 3.4

🎯 Determining High-Performing And / Or Scalable Network Architectures is about designing networks that:

1 Perform well: low latency, high throughput, predictable routing
2 Scale cleanly: more users, more subnets, more Regions
3 Support common patterns: multi-tier, hybrid, global
4 Use the right “front door”: CloudFront/ALB/API Gateway and the right connectivity (VPN/DX/PrivateLink)

Start with where users are (global vs regional), then pick the ingress pattern, then design the VPC topology, then pick connectivity and load balancing.


Knowledge

1 | Edge Networking Services

CloudFront & Global Accelerator

1.1 Amazon CloudFront (CDN)

Use CloudFront when you need:
1 Lower latency for global users: cache close to them
2 Reduced load on origins: cache + compression
3 Better security integrations: WAF, Shield, TLS
4 Static content acceleration: and some dynamic acceleration patterns

“Global users downloading static content” → CloudFront.

1.2 AWS Global Accelerator

Use Global Accelerator when you need:
1 Faster, more reliable global routing for TCP/UDP or non-cacheable traffic
2 Improved latency by using the AWS global network (Anycast IPs)
3 Health-based routing to regional endpoints

“Improve global performance for a latency-sensitive app that can’t be cached” → Global Accelerator.

2 | How To Design Network Architecture

Subnet Tiers, Routing, IP Addressing

2.1 Subnet Tiers

1 Public subnet: has a route to an Internet Gateway (IGW). Often hosts the ALB and NAT Gateway.
2 Private subnet: no IGW route; outbound traffic goes through a NAT Gateway. The app tier typically lives here.
3 Isolated subnet: no IGW route and often no NAT route either. The DB tier typically lives here.

2.2 Routing

Routing decides where traffic can go:
1 IGW for public inbound/outbound
2 NAT GW for private outbound
3 VPC endpoints for private access to AWS services

2.3 IP Addressing

You should plan CIDR ranges so you can grow:
1 Enough IPs per subnet for scaling targets: ECS tasks, EKS pods, EC2
2 Room for future subnets: new tiers, new AZs, new services
3 Avoid overlapping CIDRs if you’ll connect VPCs/on-prem later
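The three points in section 2 (subnet tiers, routing, IP addressing) are one planning exercise, so here is a small worked example covering all of them. It is added here and is not from the original post or from AWS: it carves a VPC CIDR into one subnet per AZ and tier, rejects a VPC range that overlaps ranges you may peer with later, reports headroom for new subnets, and audits a route table against the default-route rule for its tier. The VPC, AZ, on-prem ranges and route targets below are constructed sample values.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# AWS reserves the first four and the last address of every subnet.
AWS_RESERVED_PER_SUBNET = 5
# Expected default-route target per tier: public -> IGW, private -> NAT GW,
# isolated -> no default route at all.
TIER_DEFAULT_ROUTE: Dict[str, Optional[str]] = {
    "public": "igw", "private": "nat", "isolated": None}

def plan_subnets(vpc_cidr: str, azs: List[str], subnet_prefix: int,
                 existing_cidrs: List[str]) -> List[dict]:
    """One subnet per (AZ, tier); refuse a VPC range that overlaps
    existing_cidrs (on-prem or peered VPCs you may connect to later)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    clash = [c for c in existing_cidrs if vpc.overlaps(ipaddress.ip_network(c))]
    if clash:
        raise ValueError(f"{vpc_cidr} overlaps existing range(s) {clash}")
    candidates = vpc.subnets(new_prefix=subnet_prefix)
    plan = []
    for az in azs:
        for tier, route in TIER_DEFAULT_ROUTE.items():
            net = next(candidates, None)
            if net is None:
                raise ValueError("VPC CIDR too small for this layout")
            plan.append({"az": az, "tier": tier, "cidr": str(net),
                         "usable_ips": net.num_addresses - AWS_RESERVED_PER_SUBNET,
                         "default_route": route})
    return plan

def spare_subnet_slots(vpc_cidr: str, subnet_prefix: int, plan: List[dict]) -> int:
    """Headroom left for new tiers or AZs at the same subnet size."""
    return 2 ** (subnet_prefix - ipaddress.ip_network(vpc_cidr).prefixlen) - len(plan)

def audit_route_table(tier: str, routes: List[Tuple[str, str]]) -> List[str]:
    """Flag default routes that contradict the tier's intent. routes holds
    (destination, target) pairs with targets such as 'igw-...' or 'nat-...'."""
    expected = TIER_DEFAULT_ROUTE[tier]
    defaults = [t for d, t in routes if d == "0.0.0.0/0"]
    findings = []
    for target in defaults:
        kind = target.split("-", 1)[0]          # 'igw', 'nat', 'vpce', ...
        if expected is None:
            findings.append(f"{tier}: unexpected internet route via {target}")
        elif kind != expected:
            findings.append(f"{tier}: default route via {target}, expected {expected}")
    if expected is not None and not defaults:
        findings.append(f"{tier}: missing default route via {expected}")
    return findings
```

With a /16 VPC and /20 subnets, two AZs times three tiers use 6 of the 16 slots, leaving 10 for new AZs or tiers; an isolated subnet whose route table gained a NAT default route is reported as a finding.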

3 | Load Balancing Concepts

3.1 Application Load Balancer (ALB)

1 HTTP/HTTPS workloads
2 Path/host-based routing: microservices routing
3 Integrations: WAF, authentication, target groups

“HTTP routing based on path /api vs /images” → ALB.

3.2 Network Load Balancer (NLB)

1 Very high performance / low latency L4 traffic like TCP/UDP/TLS.
2 Static IP support, which is often helpful for allowlists
3 Non-HTTP protocols

“TCP, extreme performance, static IP, or non-HTTP” → NLB.

4 | Network Connection Options

VPN, Direct Connect, PrivateLink

4.1 AWS Site-to-Site VPN

  • Encrypted tunnel over the internet
  • Fast to deploy, good baseline hybrid connectivity

4.2 AWS Direct Connect

  • Dedicated private connection, more consistent latency/throughput
  • Often used for large data transfer or steady hybrid traffic

“Consistent throughput / private circuit” → Direct Connect.

4.3 AWS PrivateLink

  • Private connectivity to services across VPCs/accounts without exposing to the public internet
  • Often used for “consumer VPC connects to provider service privately”

“Expose an internal service to other VPCs privately” → PrivateLink.


Skills

A | Create A Network Topology For Various Architectures

Global, Hybrid, Multi-tier

Multi-Tier Regional Topology

  • CloudFront → ALB in public subnets → app in private subnets → DB in isolated subnets

Hybrid Topology

  • On-prem ↔ (VPN or Direct Connect) ↔ VPC private subnets
  • Use routing and security to restrict what on-prem can reach

Global Topology

  • CloudFront (cacheable) or Global Accelerator (non-cacheable/latency-sensitive)
  • Multi-region endpoints with health-based routing

B | Determine Network Configurations That Scale For Future Needs

1 Plan CIDR blocks with growth in mind
2 Use multiple subnets across AZs
3 Avoid hard dependencies on single IPs (use load balancers/DNS)
4 Consider VPC endpoint usage to reduce NAT bottlenecks and cost

C | Determine Appropriate Placement Of Resources

Common Placement Rules:

1 Public-facing entry points (ALB, CloudFront origin) are public
2 App tiers and databases are private/isolated
3 Use separate subnets per AZ for HA and scaling
4 Put NAT Gateways in public subnets (often one per AZ for resilience)

D | Select The Appropriate Load Balancing Strategy

Choose Based On Protocol And Routing Needs:

1 ALB for HTTP/HTTPS and advanced routing
2 NLB for TCP/UDP/TLS and extreme performance
3 Gateway Load Balancer for virtual appliances


Cheat Sheet

Requirement → Choice

Global users, cacheable content → CloudFront
Global users, non-cacheable TCP/UDP or low-latency routing → Global Accelerator
HTTP/HTTPS, path-based routing → ALB
TCP/UDP, static IPs, extreme performance → NLB
On-prem to AWS quickly (encrypted) → Site-to-Site VPN
On-prem to AWS with consistent bandwidth/latency → Direct Connect
Private service exposure across VPCs/accounts → PrivateLink
Private access to AWS services (S3, etc.) → VPC endpoints

Recap Checklist ✅

1. [ ] I can choose CloudFront vs Global Accelerator based on caching vs routing needs

2. [ ] VPCs are designed with public/private/isolated subnet tiers where appropriate

3. [ ] Route tables, NAT, and endpoints are used intentionally (not accidentally)

4. [ ] IP addressing (CIDR) is planned for scaling and future connectivity (no overlaps)

5. [ ] Resource placement matches requirements (public entry, private app/data)

6. [ ] Load balancer choice matches protocol and routing needs (ALB vs NLB)

7. [ ] Hybrid connectivity uses the right option (VPN vs Direct Connect vs PrivateLink)


AWS Whitepapers And Official Documentation

Edge Networking

1. CloudFront
2. Global Accelerator

VPC Design Fundamentals

1. Amazon VPC
2. Route tables
3. VPC CIDR blocks
4. NAT gateway
5. VPC endpoints
6. AWS PrivateLink

Load Balancing

1. Application Load Balancer
2. Network Load Balancer

Hybrid Connectivity

1. Site-to-Site VPN
2. Direct Connect

🚀