Hands-On Lab: Building High-Performing & Scalable AWS Network Architectures
Determine high-performing and/or scalable network architectures
Prerequisites
Before starting this lab, ensure you have the following ready to successfully deploy a high-performing AWS network architecture:
- AWS Account: An active AWS account with Administrator or PowerUser access.
- AWS CLI: Installed and configured locally (`aws configure`).
- IAM Permissions: Privileges to create and manage VPCs, Subnets, Internet Gateways, Application Load Balancers (ALB), and CloudFront distributions.
- Knowledge Base: Basic understanding of IPv4 CIDR blocks, subnetting, and AWS Regions.
Learning Objectives
By completing this 30-minute guided lab, you will be able to:
- Create a Multi-Tier Network Topology: Provision a Virtual Private Cloud (VPC) with public subnets spanning multiple Availability Zones for high availability.
- Deploy Edge Networking: Configure Amazon CloudFront to cache content closer to end-users, dramatically reducing latency.
- Implement Load Balancing: Provision an Application Load Balancer (ALB) to dynamically distribute incoming web traffic across multiple network paths.
- Mitigate Bottlenecks: Understand how combining an edge content delivery network (CDN) with scalable local routing satisfies the SAA-C03 "Design High-Performing Architectures" domain.
Architecture Overview
This lab builds a highly scalable web-tier architecture. End-user traffic hits the edge network first. If the content isn't cached, it traverses the AWS backbone to an Application Load Balancer, which distributes traffic across two different Availability Zones.
[Figure: how traffic behaves under high load]
Step-by-Step Instructions
Step 1: Create a Custom VPC
First, we lay the foundation of our high-performing network by creating an isolated Virtual Private Cloud (VPC).
```bash
aws ec2 create-vpc \
  --cidr-block 10.0.0.0/16 \
  --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=brainybee-lab-vpc}]'
```
📸 Screenshot: Note the `VpcId` in the JSON output (e.g., `vpc-0123456789abcdef0`). You will need it in the next steps.
Console alternative:
- Navigate to the VPC Console.
- Click Create VPC.
- Select VPC only.
- Name tag: `brainybee-lab-vpc`.
- IPv4 CIDR block: `10.0.0.0/16`.
- Click Create VPC.
Step 2: Provision Public Subnets in Multiple AZs
An Application Load Balancer requires at least two public subnets in different Availability Zones (AZs) for high availability and performance.
```bash
# Create Subnet 1 in AZ a
aws ec2 create-subnet \
  --vpc-id <YOUR_VPC_ID> \
  --cidr-block 10.0.1.0/24 \
  --availability-zone <YOUR_REGION>a \
  --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=brainybee-public-subnet-a}]'

# Create Subnet 2 in AZ b
aws ec2 create-subnet \
  --vpc-id <YOUR_VPC_ID> \
  --cidr-block 10.0.2.0/24 \
  --availability-zone <YOUR_REGION>b \
  --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=brainybee-public-subnet-b}]'
```
[!TIP] Replace `<YOUR_REGION>a` and `<YOUR_REGION>b` with your actual region (e.g., `us-east-1a` and `us-east-1b`).
Console alternative:
- In the VPC Console, go to Subnets > Create subnet.
- Select your `brainybee-lab-vpc`.
- Add Subnet 1: Name `brainybee-public-subnet-a`, AZ `us-east-1a`, CIDR `10.0.1.0/24`.
- Add Subnet 2: Name `brainybee-public-subnet-b`, AZ `us-east-1b`, CIDR `10.0.2.0/24`.
- Click Create subnets.
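As an added pre-flight check (not part of the lab's own commands), the following Python script validates a subnet plan before any `create-subnet` call is made. It enforces the constraints this step and Step 4 depend on, and which the Troubleshooting table lists as a failure mode: each subnet CIDR must be a valid network address inside the VPC CIDR, subnets must not overlap, and there must be at least two subnets in distinct Availability Zones of one Region, which is what the Application Load Balancer requires. The plan values mirror the lab's; the rule that a Region name is the AZ name minus its trailing letter is an assumption that holds for standard AZ names but not for Local Zone names.

```python
"""Pre-flight validation of a VPC subnet plan (added example, not the lab's own code).

Checks, before any `aws ec2 create-subnet` call, that:
  * every subnet CIDR is a valid network address inside the VPC CIDR,
  * no two subnets overlap,
  * at least two subnets sit in distinct Availability Zones of one Region,
    which is what an Application Load Balancer requires.
"""
import ipaddress
from typing import List, Sequence, Tuple

# (name, cidr, availability_zone): constructed to mirror the lab's values
LAB_VPC_CIDR = "10.0.0.0/16"
LAB_SUBNETS = [
    ("brainybee-public-subnet-a", "10.0.1.0/24", "us-east-1a"),
    ("brainybee-public-subnet-b", "10.0.2.0/24", "us-east-1b"),
]


def region_of(az: str) -> str:
    """Assumption: a standard AZ name is the Region name plus one trailing letter
    (us-east-1a -> us-east-1). Local Zone names do not follow this pattern."""
    return az[:-1]


def validate_plan(vpc_cidr: str, subnets: Sequence[Tuple[str, str, str]]) -> List[str]:
    """Return a list of human-readable problems; an empty list means the plan is sound."""
    problems: List[str] = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    accepted: List[Tuple[str, ipaddress.IPv4Network]] = []

    for name, cidr, _az in subnets:
        try:
            # strict=True rejects CIDRs with host bits set (e.g. 10.0.1.5/24),
            # which the EC2 API would also reject.
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{name}: invalid CIDR {cidr!r} ({exc})")
            continue
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {cidr} is outside the VPC CIDR {vpc_cidr}")
        for other_name, other in accepted:
            if net.overlaps(other):
                problems.append(f"{name}: {cidr} overlaps {other_name} ({other})")
        accepted.append((name, net))

    azs = {az for _name, _cidr, az in subnets}
    regions = {region_of(az) for az in azs}
    if len(regions) > 1:
        problems.append(f"subnets span more than one Region: {sorted(regions)}")
    if len(azs) < 2:
        problems.append(
            "fewer than two distinct Availability Zones; an ALB needs at least two"
        )
    return problems


if __name__ == "__main__":
    for problem in validate_plan(LAB_VPC_CIDR, LAB_SUBNETS) or ["plan OK"]:
        print(problem)
```

Run it against your own plan before provisioning; a non-empty result points at the exact subnet that would make `create-subnet` or `create-load-balancer` fail.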
Step 3: Attach an Internet Gateway
To make our subnets truly public (allowing the ALB to accept internet traffic), we need an Internet Gateway (IGW). Attaching the IGW is only half of the picture: a subnet counts as public only when its route table sends 0.0.0.0/0 to the IGW, which this lab does not configure.
```bash
# Create the IGW
aws ec2 create-internet-gateway \
  --tag-specifications 'ResourceType=internet-gateway,Tags=[{Key=Name,Value=brainybee-lab-igw}]'

# Attach IGW to the VPC (Replace <YOUR_IGW_ID> and <YOUR_VPC_ID>)
aws ec2 attach-internet-gateway \
  --internet-gateway-id <YOUR_IGW_ID> \
  --vpc-id <YOUR_VPC_ID>
```
Console alternative:
- Go to Internet Gateways > Create internet gateway.
- Name it `brainybee-lab-igw` and create.
- Select the IGW, click Actions > Attach to VPC.
- Select your `brainybee-lab-vpc` and attach.
Step 4: Provision an Application Load Balancer
Now we create an ALB to automatically distribute incoming traffic. ALBs scale elastically to handle high performance demands. For simplicity this lab attaches the VPC's default security group; in production, give the ALB its own security group that allows only its listener ports, since the default group's inbound rule admits traffic only from members of the same group.
```bash
aws elbv2 create-load-balancer \
  --name brainybee-lab-alb \
  --subnets <SUBNET_1_ID> <SUBNET_2_ID> \
  --security-groups <DEFAULT_SECURITY_GROUP_ID> \
  --scheme internet-facing
```
📸 Screenshot: The output will contain a `DNSName`. Copy it: it is the endpoint you will map to CloudFront.
Console alternative:
- Navigate to the EC2 Console, scroll down to Load Balancers.
- Click Create Load Balancer, select Application Load Balancer.
- Name it `brainybee-lab-alb`. Ensure the scheme is Internet-facing.
- In Network mapping, select your VPC and check both AZs and subnets created in Step 2.
- Select the default security group, and skip listener configuration for this lab.
- Click Create load balancer.
Step 5: Accelerate with CloudFront Edge Networking
To meet the exam objective of determining scalable network architectures, we use an edge networking service. CloudFront will cache content closer to users globally.
```bash
# Replace <ALB_DNS_NAME> with the DNS Name of the ALB created in Step 4
aws cloudfront create-distribution \
  --origin-domain-name <ALB_DNS_NAME>
```
[!NOTE] CloudFront distributions can take 5-10 minutes to deploy fully. The status will show as `InProgress`.
Console alternative:
- Navigate to the CloudFront Console.
- Click Create Distribution.
- In the Origin domain field, paste your ALB's DNS Name.
- Under Default cache behavior, set Viewer protocol policy to HTTP and HTTPS.
- Scroll down and click Create Distribution.
Checkpoints
Verify your high-performing architecture is configured correctly using these checkpoints:
- VPC Verification: Run `aws ec2 describe-vpcs --filters "Name=tag:Name,Values=brainybee-lab-vpc"` and ensure the state is `available`.
- ALB State Check: Run `aws elbv2 describe-load-balancers --names brainybee-lab-alb`. The `State.Code` should be `active`.
- CloudFront DNS Resolution: Once the CloudFront status is `Deployed`, run `nslookup <YOUR_CLOUDFRONT_DOMAIN.cloudfront.net>`. You should see IP addresses corresponding to global edge locations, proving your network is now distributed.
Troubleshooting
| Issue / Error | Potential Cause | Fix |
|---|---|---|
| ALB creation fails with "Requires two distinct Availability Zones" | You passed two subnets that reside in the same AZ. | Create the second subnet in a different AZ (us-east-1b instead of us-east-1a). |
| CloudFront distribution shows "Access Denied" when accessed | ALB does not have a backend target group configured to serve content. | This is expected for this purely network-focused lab. In production, attach an Auto Scaling Group of EC2s with a web server to the ALB. |
| Cannot attach IGW to VPC | The VPC already has an Internet Gateway attached. | Run `aws ec2 describe-internet-gateways` to find and detach the old one. |
Clean-Up / Teardown
[!WARNING] Remember to run the teardown commands to avoid ongoing charges. CloudFront and Application Load Balancers incur hourly costs even if no traffic is routed through them.
Execute the following commands in order to destroy the provisioned lab environment. Note: You must wait for the CloudFront distribution to be disabled before you can delete it.
```bash
# 1. Disable and Delete CloudFront (This takes several minutes)
# First, obtain the ETag of the distribution config to update it
aws cloudfront get-distribution-config --id <DISTRIBUTION_ID>
# (Console is recommended for CloudFront deletion due to ETag tracking requirements)

# 2. Delete the Application Load Balancer
aws elbv2 delete-load-balancer \
  --load-balancer-arn <YOUR_ALB_ARN>

# 3. Detach and Delete Internet Gateway
aws ec2 detach-internet-gateway \
  --internet-gateway-id <YOUR_IGW_ID> \
  --vpc-id <YOUR_VPC_ID>
aws ec2 delete-internet-gateway \
  --internet-gateway-id <YOUR_IGW_ID>

# 4. Delete Subnets
aws ec2 delete-subnet --subnet-id <SUBNET_1_ID>
aws ec2 delete-subnet --subnet-id <SUBNET_2_ID>

# 5. Delete VPC
aws ec2 delete-vpc --vpc-id <YOUR_VPC_ID>
```
[!TIP] To easily clean up CloudFront via the console: go to the CloudFront console, select your distribution, click Disable, wait ~5 minutes for the status to update, then click Delete.
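Why the order of the teardown commands matters, as an added example that is not part of the lab: AWS rejects deleting a resource that another one still depends on (a VPC that still has subnets, a subnet still used by the load balancer, an attached Internet Gateway), so the teardown has to run in reverse dependency order. The script below encodes the lab's sequence as a dependency map (constructed here; the action names are labels for the commands above, not CLI syntax) and computes a valid order with a topological sort, refusing to proceed if the map contains a cycle. Edges such as "delete the ALB before detaching the IGW" follow the lab's own ordering rather than any additional claim about the API.

```python
"""Compute a safe teardown order for the lab's resources (added example, not lab code).

AWS refuses to delete a resource that another one still depends on (a VPC with
subnets, a subnet still in use by a load balancer, an attached Internet
Gateway), so teardown must run in reverse dependency order. The map below is
constructed from the sequence in the lab; keys are labels for the teardown
commands, values list the actions that must complete first.
"""
from typing import Dict, List, Sequence

LAB_TEARDOWN_DEPENDENCIES: Dict[str, Sequence[str]] = {
    "disable-cloudfront-distribution": [],
    # CloudFront only allows deletion once the distribution is disabled.
    "delete-cloudfront-distribution": ["disable-cloudfront-distribution"],
    # The lab deletes the origin ALB after CloudFront; keep that order.
    "delete-load-balancer": ["delete-cloudfront-distribution"],
    # The ALB occupies network interfaces in both subnets, so it must go first.
    "delete-subnet-a": ["delete-load-balancer"],
    "delete-subnet-b": ["delete-load-balancer"],
    "detach-internet-gateway": ["delete-load-balancer"],
    "delete-internet-gateway": ["detach-internet-gateway"],
    "delete-vpc": ["delete-internet-gateway", "delete-subnet-a", "delete-subnet-b"],
}


def teardown_order(deps: Dict[str, Sequence[str]]) -> List[str]:
    """Topological sort (Kahn's algorithm). Ties are resolved alphabetically so
    the result is deterministic; a cycle or unknown prerequisite raises ValueError."""
    indegree = {action: 0 for action in deps}
    dependents: Dict[str, List[str]] = {action: [] for action in deps}
    for action, prereqs in deps.items():
        for prereq in prereqs:
            if prereq not in deps:
                raise ValueError(f"{action!r} depends on unknown action {prereq!r}")
            indegree[action] += 1
            dependents[prereq].append(action)

    ready = sorted(a for a, n in indegree.items() if n == 0)
    order: List[str] = []
    while ready:
        action = ready.pop(0)
        order.append(action)
        for follower in dependents[action]:
            indegree[follower] -= 1
            if indegree[follower] == 0:
                ready.append(follower)
        ready.sort()
    if len(order) != len(deps):
        raise ValueError("dependency cycle: no valid teardown order exists")
    return order


if __name__ == "__main__":
    for step, action in enumerate(teardown_order(LAB_TEARDOWN_DEPENDENCIES), 1):
        print(f"{step}. {action}")
```

The same map can be extended when you add resources to the lab (a listener, a target group, an Auto Scaling Group): add the new action with the actions it must wait for, and the sort produces an order that still respects every constraint.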