Mastering AWS Network Topologies: Global, Hybrid, and Multi-Tier Architectures
Creating a network topology for various architectures (for example, global, hybrid, multi-tier)
Designing a robust network is the prerequisite for any scalable cloud application. This guide covers the essential patterns for structuring Virtual Private Clouds (VPCs), connecting on-premises environments, and deploying global-scale applications.
Learning Objectives
After studying this guide, you should be able to:
- Design a multi-tier VPC architecture with appropriate public and private subnets.
- Evaluate the trade-offs between AWS Site-to-Site VPN and AWS Direct Connect for hybrid connectivity.
- Architect global network topologies using Amazon CloudFront and AWS Global Accelerator.
- Calculate CIDR block requirements to ensure sufficient IP address headroom for scaling.
Key Terms & Glossary
- VPC (Virtual Private Cloud): A logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define.
- CIDR (Classless Inter-Domain Routing): A method for allocating IP addresses and IP routing (e.g., 10.0.0.0/16).
- Subnet: A range of IP addresses in your VPC; can be public (has a route to an Internet Gateway) or private (does not).
- NAT Gateway: An AWS-managed NAT service, redundant within a single Availability Zone, that allows resources in a private subnet to initiate connections to the internet while preventing the internet from initiating connections to those resources.
- Direct Connect (DX): A dedicated private network connection from your premises to AWS through a Direct Connect location. Traffic does not traverse the public internet, but it is not encrypted by default.
The "Big Idea"
[!IMPORTANT] Network topology is the skeleton of your architecture. Just as a physical building requires a foundation before the walls go up, your AWS environment requires a well-structured VPC before compute or database resources are deployed. A "good" topology isolates sensitive data (security), removes single points of failure (availability), and minimizes latency for the end-user (performance).
Formula / Concept Box
| Concept | Rule / Property | Use Case |
|---|---|---|
| IPv4 CIDR Range | /16 (max 65,536 IPs) to /28 (min 16 IPs) | Defining VPC size |
| AWS Reserved IPs | 5 IPs per subnet (first 4 and last 1) | Planning address space |
| Internet Gateway Limit | 1 Internet Gateway (IGW) per VPC | Enabling public internet access |
| Multi-Tier Rule | 1 Subnet per Availability Zone (AZ) per Tier | High availability and isolation |
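The rules in the table can be turned into a small address planner. The following Python is a worked example added to this guide (it is not code from the original page): it carves one subnet per AZ per tier out of a VPC block with the standard-library ipaddress module, enforces the /16 to /28 limit, subtracts the five addresses AWS reserves in every subnet, and rejects a VPC CIDR that overlaps an on-premises or peered range. The VPC block, tier and AZ names, and the peered 10.1.0.0/16 range are constructed inputs chosen for illustration.

```python
import ipaddress
from itertools import islice

# Constructed inputs for this example (not taken from the guide): a /16 VPC,
# three tiers across two AZs, and address ranges the VPC must not overlap.
VPC_CIDR = "10.0.0.0/16"
OTHER_NETWORKS = {            # on-premises and peered ranges already in use
    "on-prem": "192.168.0.0/16",
    "peered-vpc": "10.1.0.0/16",
}
TIERS = ["public", "app", "data"]
AZS = ["us-east-1a", "us-east-1b"]

AWS_RESERVED_PER_SUBNET = 5   # network, VPC router, DNS, future use, broadcast


def usable_hosts(subnet: ipaddress.IPv4Network) -> int:
    """Addresses left for ENIs after AWS reserves five in every subnet."""
    return subnet.num_addresses - AWS_RESERVED_PER_SUBNET


def validate_cidr(cidr: str) -> ipaddress.IPv4Network:
    """Enforce the /16 to /28 rule and reject overlap with known networks."""
    net = ipaddress.ip_network(cidr)          # strict by default: host bits must be 0
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: AWS requires a prefix between /16 and /28")
    for label, other in OTHER_NETWORKS.items():
        if net.overlaps(ipaddress.ip_network(other)):
            raise ValueError(f"{cidr} overlaps {label} range {other}")
    return net


def plan_subnets(vpc_cidr, tiers=TIERS, azs=AZS, subnet_prefix=20):
    """Carve one subnet per AZ per tier, in order, from the VPC block.

    Returns {(tier, az): IPv4Network}. Raises if the VPC cannot hold them.
    """
    vpc = validate_cidr(vpc_cidr)
    if not vpc.prefixlen <= subnet_prefix <= 28:
        raise ValueError("subnet prefix must lie between the VPC prefix and /28")
    slots = [(t, a) for t in tiers for a in azs]
    blocks = list(islice(vpc.subnets(new_prefix=subnet_prefix), len(slots)))
    if len(blocks) < len(slots):
        raise ValueError(
            f"{vpc_cidr} has room for only {len(blocks)} /{subnet_prefix} "
            f"subnets, need {len(slots)}"
        )
    return dict(zip(slots, blocks))


def spare_blocks(vpc_cidr, plan, subnet_prefix=20):
    """How many more subnets of the same size the VPC can still hold:
    the headroom that Checkpoint Question 1 asks about."""
    vpc = ipaddress.ip_network(vpc_cidr)
    total = 2 ** (subnet_prefix - vpc.prefixlen)
    return total - len(plan)


if __name__ == "__main__":
    plan = plan_subnets(VPC_CIDR)
    for (tier, az), net in plan.items():
        print(f"{tier:6} {az}  {net}  usable={usable_hosts(net)}")
    print("spare /20 blocks:", spare_blocks(VPC_CIDR, plan))
```

With the defaults, six /20 subnets consume 10.0.0.0 through 10.0.95.255, each offering 4,091 usable addresses, and ten /20 blocks remain free for a third AZ or additional tiers. Run the same planner against the real on-premises and peered ranges before creating the VPC; overlaps are painful to fix once routes and peering exist.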
Hierarchical Outline
- VPC Fundamentals
- CIDR Selection: Choosing blocks that don't overlap with on-premises or peered VPCs.
- AZ Selection: Spreading subnets across multiple AZs for fault tolerance.
- Multi-Tier Architecture
- Web/Public Tier: Hosts ELBs and Bastion hosts.
- Application/Private Tier: Hosts EC2 instances (no direct internet access).
- Data/Private Tier: Hosts RDS and ElastiCache; strictly restricted access.
- Hybrid Connectivity
- AWS Site-to-Site VPN: Fast to deploy, IPsec-encrypted, but carried over the public internet, so throughput and latency vary.
- Direct Connect: Dedicated physical line, consistent performance, high cost; traffic is not encrypted by default, so add MACsec or run a VPN over the DX link if encryption is required.
- Transit Gateway: Hub-and-spoke model for connecting thousands of VPCs and on-premises networks.
- Global Edge Networking
- Route 53: Global DNS with latency/failover routing.
- CloudFront: CDN for caching static/dynamic content.
- Global Accelerator: Optimizes the path from users to applications using the AWS global network.
Visual Anchors
3-Tier Multi-AZ Architecture
Hybrid Connectivity Model
\begin{tikzpicture}[node distance=2cm, every node/.style={draw, rectangle, align=center, minimum height=1cm}]
  \node (OnPrem) [fill=gray!20] {\textbf{On-Premises Data Center} \\ (192.168.0.0/16)};
  \node (DX) [right=of OnPrem, rounded corners, fill=blue!10] {\textbf{AWS Direct Connect} \\ (Dedicated Fiber)};
  \node (VPC) [right=of DX, fill=orange!20] {\textbf{AWS VPC} \\ (10.0.0.0/16)};
  \draw[<->, thick] (OnPrem) -- (DX);
  \draw[<->, thick] (DX) -- (VPC);
  \node (VPN) [below=1cm of DX, dashed] {\textbf{Site-to-Site VPN} \\ (Public Internet)};
  \draw[<->, dashed] (OnPrem) |- (VPN);
  \draw[<->, dashed] (VPN) -| (VPC);
\end{tikzpicture}
Definition-Example Pairs
- Horizontal Scaling: Adding more instances of a resource (e.g., adding 5 more EC2 instances to an Auto Scaling group during a Black Friday sale).
- Loose Coupling: Designing components to work independently (e.g., using Amazon SQS between a web server and a processing worker so the web server doesn't crash if the worker is busy).
- Immutable Infrastructure: Replacing resources instead of updating them (e.g., instead of patching a live server, you terminate it and launch a new one from an updated Amazon Machine Image (AMI)).
Worked Examples
Example 1: Designing a Secure 3-Tier Web App
Scenario: You need to host a WordPress site that handles sensitive customer data.
- Public Tier: Create two subnets (AZ-A, AZ-B). Place an Application Load Balancer (ALB) here. The Route Table points 0.0.0.0/0 to the Internet Gateway (IGW).
- Application Tier: Create two private subnets. Place EC2 instances here. Their Security Group allows inbound traffic only from the ALB's Security Group (reference the Security Group, not a CIDR, so the rule stays correct if the ALB's addresses change).
- Database Tier: Create two private subnets. Place an Amazon RDS (Multi-AZ) instance here. Its Security Group allows traffic only from the Application Tier's Security Group on the database port.
- Internet Access: For the Application Tier to download updates, place a NAT Gateway in each public subnet (one per AZ, so an AZ outage does not cut egress for the surviving AZ) and point each Application Tier route table's 0.0.0.0/0 to the NAT Gateway in its own AZ.
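The design above is a set of invariants that can be checked mechanically: public subnets route to the IGW, private subnets do not, NAT Gateways sit in public subnets, Security Groups chain by reference from ALB to application to database, and every tier spans two AZs. The following Python is a worked example added to this guide (not code from the original page) that models the topology and reports violations; it also applies one check stricter than Example 1 states, namely that the data tier has no default route at all. The resource names (igw-1, nat-a, sg-alb and so on) are placeholders, not real AWS identifiers, and both topologies are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the 3-tier design in Example 1. Identifiers such as
# igw-1, nat-a and sg-alb are placeholders, not real AWS resource IDs; in
# practice the same checks would run over describe-route-tables and
# describe-security-groups output.


@dataclass(frozen=True)
class Subnet:
    name: str
    az: str
    default_route: Optional[str]   # target of 0.0.0.0/0: "igw-...", "nat-...", or None


@dataclass(frozen=True)
class Rule:
    port: int
    source: str                    # a CIDR, or the name of another security group


@dataclass
class Topology:
    subnets: dict                  # subnet name -> Subnet
    tiers: dict                    # "public" | "app" | "data" -> [subnet names]
    sgs: dict                      # sg name -> [Rule] (ingress)
    nat_gateways: dict             # nat id -> subnet it is placed in
    alb_sg: str
    app_sg: str
    db_sg: str


def is_public(s: Subnet) -> bool:
    """A subnet is public only if its default route points at an IGW."""
    return s.default_route is not None and s.default_route.startswith("igw-")


def check_topology(t: Topology) -> list:
    """Return a list of rule violations; an empty list means the design holds."""
    findings = []
    for name in t.tiers.get("public", []):
        if not is_public(t.subnets[name]):
            findings.append(f"PUBLIC_TIER_NOT_PUBLIC:{name}")
    for tier in ("app", "data"):
        for name in t.tiers.get(tier, []):
            if is_public(t.subnets[name]):
                findings.append(f"PRIVATE_TIER_HAS_IGW_ROUTE:{name}")
    # The app tier reaches the internet only through a NAT Gateway.
    for name in t.tiers.get("app", []):
        route = t.subnets[name].default_route
        if route is None or not route.startswith("nat-"):
            findings.append(f"APP_TIER_NO_NAT_ROUTE:{name}")
    # The data tier gets no default route at all (stricter than Example 1 states).
    for name in t.tiers.get("data", []):
        if t.subnets[name].default_route is not None:
            findings.append(f"DATA_TIER_HAS_DEFAULT_ROUTE:{name}")
    # A NAT Gateway only works from a public subnet (Checkpoint Question 4).
    for nat, subnet in t.nat_gateways.items():
        if not is_public(t.subnets[subnet]):
            findings.append(f"NAT_IN_PRIVATE_SUBNET:{nat}")
    # Security groups chain by reference: ALB -> app -> db, never by CIDR.
    for rule in t.sgs[t.app_sg]:
        if rule.source != t.alb_sg:
            findings.append(f"APP_SG_SOURCE_NOT_ALB:{rule.source}:{rule.port}")
    for rule in t.sgs[t.db_sg]:
        if rule.source != t.app_sg:
            findings.append(f"DB_SG_SOURCE_NOT_APP:{rule.source}:{rule.port}")
    # Every tier spans at least two AZs.
    for tier, names in t.tiers.items():
        if len({t.subnets[n].az for n in names}) < 2:
            findings.append(f"TIER_SINGLE_AZ:{tier}")
    return findings


def build_good() -> Topology:
    """The Example 1 design, built correctly."""
    subnets = {
        "public-a": Subnet("public-a", "us-east-1a", "igw-1"),
        "public-b": Subnet("public-b", "us-east-1b", "igw-1"),
        "app-a": Subnet("app-a", "us-east-1a", "nat-a"),
        "app-b": Subnet("app-b", "us-east-1b", "nat-b"),
        "data-a": Subnet("data-a", "us-east-1a", None),
        "data-b": Subnet("data-b", "us-east-1b", None),
    }
    return Topology(
        subnets=subnets,
        tiers={"public": ["public-a", "public-b"],
               "app": ["app-a", "app-b"],
               "data": ["data-a", "data-b"]},
        sgs={"sg-alb": [Rule(443, "0.0.0.0/0")],
             "sg-app": [Rule(8080, "sg-alb")],
             "sg-db": [Rule(3306, "sg-app")]},
        nat_gateways={"nat-a": "public-a", "nat-b": "public-b"},
        alb_sg="sg-alb", app_sg="sg-app", db_sg="sg-db",
    )


def build_bad() -> Topology:
    """Three common mistakes: NAT Gateway in a private subnet, database
    open to the world, data tier deployed in a single AZ."""
    t = build_good()
    t.nat_gateways["nat-a"] = "app-a"
    t.sgs["sg-db"] = [Rule(3306, "0.0.0.0/0")]
    t.tiers["data"] = ["data-a"]
    return t


if __name__ == "__main__":
    print("good:", check_topology(build_good()) or "no findings")
    print("bad: ", check_topology(build_bad()))
```

The misconfigured topology produces exactly three findings (NAT_IN_PRIVATE_SUBNET, DB_SG_SOURCE_NOT_APP and TIER_SINGLE_AZ); the first two are the ones most often found in real accounts, and the NAT finding explains why Checkpoint Question 4 is false.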
Checkpoint Questions
- Why is it a best practice to leave unused CIDR space when first creating a VPC?
- Which service would you use to reduce latency for global users by providing them with static entry-point IP addresses?
- In a hybrid setup, which connection type provides dedicated 1 Gbps, 10 Gbps, or 100 Gbps bandwidth?
- True/False: A NAT Gateway must be placed in a private subnet to function correctly.
▶Click for Answers
- To allow for future expansion, such as adding subnets for new Availability Zones or specialized services.
- AWS Global Accelerator.
- AWS Direct Connect.
- False. A NAT Gateway must be placed in a public subnet (so it can reach the IGW) to provide internet access to private resources.