AWS Network Architecture Design: Subnets, Routing, and IP Addressing
How to design network architecture (for example, subnet tiers, routing, IP addressing)
Designing a resilient network is the foundation of any cloud architecture. This guide covers the critical aspects of Virtual Private Cloud (VPC) design, including IP addressing strategy, subnet tiering, and routing logic as required for the AWS Solutions Architect Associate (SAA-C03) exam.
Learning Objectives
After studying this guide, you should be able to:
- Calculate CIDR block sizes and determine the number of available IP addresses.
- Design multi-tier subnet architectures to isolate public and private resources.
- Configure route tables to enable internet access via Internet Gateways (IGW) and NAT Gateways.
- Evaluate connectivity options including VPC Peering, VPNs, and Direct Connect.
- Implement high availability by distributing subnets across multiple Availability Zones (AZs).
Key Terms & Glossary
- VPC (Virtual Private Cloud): A private, isolated section of the AWS Cloud where you can launch resources in a virtual network you define.
- CIDR (Classless Inter-Domain Routing): A method for allocating IP addresses and IP routing. Example: 10.0.0.0/16.
- Subnet: A range of IP addresses in your VPC. A subnet must reside within a single Availability Zone.
- Internet Gateway (IGW): A horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet.
- NAT Gateway: A Network Address Translation service that allows resources in a private subnet to connect to the internet but prevents the internet from initiating a connection with those resources.
- Route Table: A set of rules, called routes, that are used to determine where network traffic from your subnet or gateway is directed.
The "Big Idea"
In AWS, Network is Infrastructure. Your network design dictates your security posture and your ability to scale. A "Big Idea" in VPC design is the Principle of Separation of Concerns: by tiering subnets (Public, Private, Data), you can apply granular security controls (NACLs and Security Groups) and routing rules to ensure that only the necessary traffic reaches your sensitive workloads.
Formula / Concept Box
| Concept | Rule / Constraint | Impact |
|---|---|---|
| VPC CIDR Range | /16 (max) to /28 (min) | A /16 provides 65,536 IPs; a /28 provides 16 IPs. |
| AWS Reserved IPs | 5 IPs per subnet | AWS reserves the first 4 and the last 1 IP in every subnet. |
| Subnet Scope | 1 Subnet = 1 AZ | You cannot span a subnet across multiple Availability Zones. |
| VPC Peering | No Transitive Routing | If VPC A is peered with B, and B with C, A cannot talk to C through B. |
[!IMPORTANT] The "Minus 5" Rule: If you create a /24 subnet (256 IPs), you only have 251 usable addresses because AWS reserves .0 (Network), .1 (VPC Router), .2 (DNS), .3 (Future use), and .255 (Broadcast).
Hierarchical Outline
- VPC Sizing & IP Addressing
- Primary CIDR Selection: Avoid overlapping with on-premises networks.
- IPv4 vs IPv6: IPv4 is standard; IPv6 is used for global reachability.
- Subnet Tiering Strategy
- Public Subnets: Contain an IGW route; host ELBs and NAT Gateways.
- Private Subnets: No direct internet route; host application servers.
- Database Subnets: Highly restricted private subnets for data persistence.
- Routing and Connectivity
- Main Route Table: The default for new subnets; usually kept private for safety.
- Custom Route Tables: Assigned to specific subnets (e.g., Public RT pointing to IGW).
- NAT Strategy: Deploy one NAT Gateway per AZ for fault tolerance.
- External Connections
- Direct Connect (DX): Dedicated physical link; consistent performance.
- Site-to-Site VPN: Encrypted tunnel over the public internet.
Visual Anchors
Network Traffic Flow
This diagram illustrates how traffic moves from the public internet through different tiers of an AWS network.
Subnet & AZ Distribution
This TikZ diagram visualizes the logical nesting of subnets within Availability Zones for high availability.
\begin{tikzpicture}[node distance=2cm, box/.style={draw, rectangle, minimum width=2.5cm, minimum height=1.5cm, align=center}]
\draw[thick, dashed] (0,0) rectangle (10,5) node[pos=0.9, above] {VPC (10.0.0.0/16)};
% AZ 1
\draw[fill=blue!10] (0.5,0.5) rectangle (4.5,4) node[pos=0.5, above=1.2cm] {Availability Zone A};
\node[box, fill=green!20] at (2.5,1.5) {Private Subnet\\(10.0.1.0/24)};
\node[box, fill=orange!20] at (2.5,3.2) {Public Subnet\\(10.0.0.0/24)};
% AZ 2
\draw[fill=blue!10] (5.5,0.5) rectangle (9.5,4) node[pos=0.5, above=1.2cm] {Availability Zone B};
\node[box, fill=green!20] at (7.5,1.5) {Private Subnet\\(10.0.3.0/24)};
\node[box, fill=orange!20] at (7.5,3.2) {Public Subnet\\(10.0.2.0/24)};
\end{tikzpicture}
Definition-Example Pairs
- Edge Networking: Using services to move traffic closer to the user to reduce latency.
- Example: Using Amazon CloudFront to cache static images of a website in London for users in the UK, even if the origin server is in Ohio.
- Stateful Filtering: A security mechanism that remembers the state of a connection.
- Example: In an AWS Security Group, if you allow an inbound request on port 80, the return traffic is automatically allowed out, regardless of outbound rules.
- Stateless Filtering: A security mechanism that does not remember connection state.
- Example: In a Network ACL, you must explicitly create both an Inbound Rule and an Outbound Rule for the same traffic flow to work.
Worked Examples
Example 1: Calculating Subnet Capacity
Problem: You need to design a VPC that will eventually hold 1,000 EC2 instances. You want to use a single CIDR block. Which prefix should you choose?
Solution:
- Check binary powers: the smallest power of two at or above 1,000 is 1,024, which needs 10 host bits and therefore a /22 prefix.
- A /22 prefix provides 1,024 addresses.
- Factor in AWS reserved IPs: $1024 - 5 = 1019$ usable IPs.
- Result: Use a /22 CIDR block.
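The sizing rules from the Formula / Concept Box and the calculation in Example 1 can be checked mechanically. The following Python is an added example written for this guide (it is not AWS tooling and not part of the original page): it applies the "Minus 5" rule, enforces the /16 to /28 limit, picks the smallest block that fits a given host count, and flags overlapping ranges, the check you want before peering or connecting a VPC to an on-premises network. All CIDR values are constructed sample inputs.

```python
import ipaddress

# AWS reserves five addresses in every subnet: network, VPC router, DNS,
# "future use", and the last address (broadcast).
AWS_RESERVED_PER_SUBNET = 5
# AWS VPC and subnet CIDR blocks must be between /16 (largest) and /28 (smallest).
LARGEST_PREFIX, SMALLEST_PREFIX = 16, 28


def usable_hosts(cidr: str) -> int:
    """Usable addresses in a subnet after AWS's five reserved IPs."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not LARGEST_PREFIX <= net.prefixlen <= SMALLEST_PREFIX:
        raise ValueError(f"{cidr}: AWS only allows /16 through /28")
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


def reserved_addresses(cidr: str) -> dict:
    """Map each AWS-reserved role to the concrete address it takes in this subnet."""
    net = ipaddress.ip_network(cidr, strict=True)
    return {
        "network": str(net[0]),
        "vpc_router": str(net[1]),
        "dns": str(net[2]),
        "future_use": str(net[3]),
        "broadcast": str(net[-1]),
    }


def smallest_prefix_for(hosts: int) -> int:
    """Longest prefix (smallest block) whose usable count still covers `hosts`."""
    # Walk from /28 up to /16 so the first hit is the tightest fit.
    for prefix in range(SMALLEST_PREFIX, LARGEST_PREFIX - 1, -1):
        if 2 ** (32 - prefix) - AWS_RESERVED_PER_SUBNET >= hosts:
            return prefix
    raise ValueError(f"no single /16../28 block holds {hosts} hosts")


def overlaps(cidr_a: str, cidr_b: str) -> bool:
    """True when two ranges share any address (e.g. a VPC CIDR and an on-premises range)."""
    return ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


if __name__ == "__main__":
    # Constructed sample inputs.
    print(usable_hosts("10.0.0.0/24"))              # 251
    print(reserved_addresses("10.0.0.0/24"))
    print(smallest_prefix_for(1000))                # 22
    print(overlaps("10.0.0.0/16", "10.0.5.0/24"))   # True: conflict
    print(overlaps("10.0.0.0/16", "192.168.0.0/16"))  # False: safe to peer
```

Note that `smallest_prefix_for(1020)` returns 21, not 22: a /22 has 1,024 addresses but only 1,019 usable ones, which is exactly the kind of off-by-five error the exam tests for.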
Example 2: Configuring a Private Subnet for Updates
Scenario: An application server in a private subnet needs to download security patches from the internet.
Steps:
- Create a NAT Gateway in a Public Subnet (associated with an Elastic IP).
- Go to the Private Subnet's Route Table.
- Add a route: Destination 0.0.0.0/0 -> Target nat-xxxxxxxxxx.
- Ensure the Security Group allows outbound HTTPS (Port 443) traffic.
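To see why the route added in Example 2 sends patch downloads through the NAT Gateway while the public tier uses the IGW, here is an added Python model of VPC route-table evaluation (written for this guide; it is not AWS code, and the `igw-`, `nat-` and `pcx-` IDs are placeholders). It covers the tiering and routing points from the outline: one subnet is associated with exactly one route table, the main route table carries only the `local` route so an unassociated subnet gets no internet path, lookups use longest-prefix match, and a peering route in VPC A only reaches the peered VPC B, never a VPC C that B happens to peer with.

```python
import ipaddress
from typing import Optional


class RouteTable:
    """A VPC route table: (destination CIDR, target) rules, evaluated longest-prefix-first."""

    def __init__(self, name: str, routes):
        self.name = name
        self.routes = [(ipaddress.ip_network(dst), target) for dst, target in routes]

    def lookup(self, dst_ip: str) -> Optional[str]:
        ip = ipaddress.ip_address(dst_ip)
        matches = [(net, target) for net, target in self.routes if ip in net]
        if not matches:
            return None  # no matching route: the packet is dropped
        # Most specific (longest prefix) route wins, e.g. /16 "local" beats /0 default.
        _, target = max(matches, key=lambda m: m[0].prefixlen)
        return target


# Constructed example: VPC A is 10.0.0.0/16, peered with VPC B (10.1.0.0/16).
# VPC B is separately peered with VPC C (10.2.0.0/16); A has no route to C.
VPC_A = "10.0.0.0/16"
LOCAL = "local"                   # AWS adds this route to every route table automatically
IGW = "igw-PLACEHOLDER"           # placeholder Internet Gateway ID
NAT = "nat-PLACEHOLDER"           # placeholder NAT Gateway ID (lives in a public subnet)
PEERING_A_B = "pcx-PLACEHOLDER"   # placeholder peering connection A <-> B

public_rt = RouteTable("public", [(VPC_A, LOCAL), ("0.0.0.0/0", IGW)])
private_rt = RouteTable("private", [(VPC_A, LOCAL), ("0.0.0.0/0", NAT),
                                    ("10.1.0.0/16", PEERING_A_B)])
database_rt = RouteTable("database", [(VPC_A, LOCAL), ("10.1.0.0/16", PEERING_A_B)])
main_rt = RouteTable("main", [(VPC_A, LOCAL)])  # default for new subnets; kept private

# One subnet -> exactly one route table; a route table may serve many subnets.
SUBNET_ASSOCIATIONS = {
    "10.0.0.0/24": public_rt,    # AZ A public
    "10.0.2.0/24": public_rt,    # AZ B public
    "10.0.1.0/24": private_rt,   # AZ A private (app servers)
    "10.0.3.0/24": private_rt,   # AZ B private (app servers)
    "10.0.4.0/24": database_rt,  # data tier: no default route at all
}


def next_hop(subnet_cidr: str, dst_ip: str) -> Optional[str]:
    """Target AWS would use for traffic leaving `subnet_cidr` toward `dst_ip`."""
    rt = SUBNET_ASSOCIATIONS.get(subnet_cidr, main_rt)  # unassociated -> main table
    return rt.lookup(dst_ip)


if __name__ == "__main__":
    # 203.0.113.10 is a documentation address standing in for a patch mirror.
    print(next_hop("10.0.1.0/24", "203.0.113.10"))  # nat-PLACEHOLDER
    print(next_hop("10.0.0.0/24", "203.0.113.10"))  # igw-PLACEHOLDER
    print(next_hop("10.0.9.0/24", "203.0.113.10"))  # None (main table, no default)
    print(next_hop("10.0.4.0/24", "10.2.0.1"))      # None (VPC C not transitively reachable)
```

The database tier deliberately has no `0.0.0.0/0` route, so a compromised database host cannot reach the internet even if its Security Group allowed it; the route table, not just the firewall rules, enforces the tier boundary.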
Checkpoint Questions
- Question: Why should you avoid overlapping CIDR blocks when connecting a VPC to an on-premises data center?
- Answer: Overlapping IP ranges cause routing conflicts, as the router won't know whether to send traffic to the local network or the remote VPC.
- Question: How many NAT Gateways are required for a highly available architecture across 3 Availability Zones?
- Answer: 3. One per AZ ensures that if one AZ fails, resources in the other zones still have internet access through their local NAT Gateway.
- Question: True or False: A Subnet can be associated with multiple Route Tables.
- Answer: False. A subnet can only be associated with one route table at a time, though one route table can be associated with multiple subnets.