
Mastering AWS Network Topologies: Global, Hybrid, and Multi-Tier Architectures

Creating a network topology for various architectures (for example, global, hybrid, multi-tier)


Designing a robust network is the prerequisite for any scalable cloud application. This guide covers the essential patterns for structuring Virtual Private Clouds (VPCs), connecting on-premises environments, and deploying global-scale applications.

Learning Objectives

After studying this guide, you should be able to:

  • Design a multi-tier VPC architecture with appropriate public and private subnets.
  • Evaluate the trade-offs between AWS Site-to-Site VPN and AWS Direct Connect for hybrid connectivity.
  • Architect global network topologies using Amazon CloudFront and AWS Global Accelerator.
  • Calculate CIDR block requirements to ensure sufficient IP address headroom for scaling.

Key Terms & Glossary

  • VPC (Virtual Private Cloud): A logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define.
  • CIDR (Classless Inter-Domain Routing): A method for allocating IP addresses and IP routing (e.g., 10.0.0.0/16).
  • Subnet: A range of IP addresses in your VPC; can be public (has a route to an Internet Gateway) or private (does not).
  • NAT Gateway: An AWS-managed service, highly available within its Availability Zone, that lets resources in a private subnet initiate connections to the internet while blocking connections initiated from the internet. It is a zonal resource, so deploy one per AZ to avoid cross-AZ dependencies.
  • Direct Connect (DX): A cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS.

The "Big Idea"

[!IMPORTANT] Network topology is the skeleton of your architecture. Just as a physical building requires a foundation before the walls go up, your AWS environment requires a well-structured VPC before compute or database resources are deployed. A "good" topology isolates sensitive data (security), removes single points of failure (availability), and minimizes latency for the end-user (performance).

Formula / Concept Box

| Concept | Rule / Property | Use Case |
|---|---|---|
| IPv4 CIDR range | /16 (max 65,536 IPs) to /28 (min 16 IPs) | Defining VPC size |
| AWS reserved IPs | 5 IPs per subnet (first 4 and last 1), so a /24 yields 251 usable addresses | Planning address space |
| Internet Gateway limit | 1 IGW attached per VPC | Enabling public internet access |
| Multi-tier rule | 1 subnet per Availability Zone (AZ) per tier | High availability and isolation |

Hierarchical Outline

  1. VPC Fundamentals
    • CIDR Selection: Choosing blocks that don't overlap with on-premises or peered VPCs.
    • AZ Selection: Spreading subnets across multiple AZs for fault tolerance.
  2. Multi-Tier Architecture
    • Web/Public Tier: Hosts ELBs and Bastion hosts.
    • Application/Private Tier: Hosts EC2 instances (no direct internet access).
    • Data/Private Tier: Hosts RDS and ElastiCache; strictly restricted access.
  3. Hybrid Connectivity
    • AWS VPN: Fast to deploy, encrypted over the public internet.
    • Direct Connect: Dedicated physical line (1, 10 or 100 Gbps), consistent performance, high cost. Traffic is not encrypted by default, so add MACsec where the location supports it or run a Site-to-Site VPN over the DX connection when confidentiality is required.
    • Transit Gateway: Hub-and-spoke model for connecting thousands of VPCs and on-premises networks.
  4. Global Edge Networking
    • Route 53: Global DNS with latency/failover routing.
    • CloudFront: CDN for caching static/dynamic content.
    • Global Accelerator: Optimizes the path from users to applications using the AWS global network.
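The CIDR rules in the formula box and the non-overlap requirement from item 1 of the outline, as an added Python example (not code from the original guide). It uses only the standard library; the VPC block, AZ names and on-premises ranges passed in are constructed sample values.

```python
"""Plan a multi-AZ, multi-tier VPC address layout and check it for overlaps.
Added illustration using only the standard library; the VPC block, AZ names
and on-premises ranges used below are constructed sample values."""
import ipaddress
from itertools import product

# AWS reserves the first four and the last address of every subnet:
# network, VPC router, DNS resolver, future use, broadcast.
AWS_RESERVED_PER_SUBNET = 5


def validate_vpc_cidr(cidr: str) -> ipaddress.IPv4Network:
    """A VPC IPv4 block must be between /16 and /28."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: VPC CIDR must be between /16 and /28")
    return net


def usable_hosts(subnet_cidr: str) -> int:
    """Addresses that can actually be assigned to ENIs in one subnet."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr, azs, tiers, subnet_prefix):
    """Carve one subnet per (tier, AZ) from the front of the VPC block and
    leave the remainder untouched for future tiers or AZs.
    Returns {(tier, az): subnet_cidr}."""
    vpc = validate_vpc_cidr(vpc_cidr)
    if not vpc.prefixlen <= subnet_prefix <= 28:
        raise ValueError("subnet prefix must lie between the VPC prefix and /28")
    carved = vpc.subnets(new_prefix=subnet_prefix)
    layout = {}
    for tier, az in product(tiers, azs):
        try:
            layout[(tier, az)] = str(next(carved))
        except StopIteration:
            raise ValueError(
                f"{vpc_cidr} is too small for {len(tiers)}x{len(azs)} /{subnet_prefix} subnets"
            )
    return layout


def headroom(vpc_cidr, layout):
    """Fraction of the VPC address space still unallocated."""
    vpc = validate_vpc_cidr(vpc_cidr)
    used = sum(ipaddress.ip_network(c).num_addresses for c in layout.values())
    return 1 - used / vpc.num_addresses


def find_overlaps(vpc_cidr, other_cidrs):
    """Every on-premises or peered range the VPC collides with. Overlapping
    prefixes cannot be routed between the two sides over VPN, Direct Connect
    or VPC peering, so any hit here means picking a different VPC block."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return [c for c in other_cidrs if vpc.overlaps(ipaddress.ip_network(c))]


if __name__ == "__main__":
    layout = plan_subnets("10.0.0.0/16", ["az-a", "az-b"], ["public", "app", "data"], 24)
    for key, cidr in layout.items():
        print(key, cidr, "usable:", usable_hosts(cidr))
    print("headroom:", headroom("10.0.0.0/16", layout))
    print("overlaps:", find_overlaps("10.0.0.0/16", ["10.0.5.0/24", "192.168.0.0/16"]))
```

Six /24 subnets consume under 3% of a /16, which is the "leave headroom" point from the first checkpoint question; the overlap check is the one to run before ordering a VPN or Direct Connect, because a colliding block cannot be fixed later without re-addressing.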

Visual Anchors

[Diagram: 3-Tier Multi-AZ Architecture]

[Diagram: Hybrid Connectivity Model]

Definition-Example Pairs

  • Horizontal Scaling: Adding more instances of a resource (e.g., adding 5 more EC2 instances to an Auto Scaling group during a Black Friday sale).
  • Loose Coupling: Designing components to work independently (e.g., putting an Amazon SQS queue between a web server and a processing worker so the web server keeps accepting requests even when the worker is slow or down).
  • Immutable Infrastructure: Replacing resources instead of updating them (e.g., instead of patching a live server, you terminate it and launch a new one from an updated Amazon Machine Image (AMI)).

Worked Examples

Example 1: Designing a Secure 3-Tier Web App

Scenario: You need to host a WordPress site that handles sensitive customer data.

  1. Public Tier: Create two public subnets (AZ-A, AZ-B) and place an internet-facing Application Load Balancer (ALB) across them. The route table sends 0.0.0.0/0 to the Internet Gateway (IGW). The ALB's security group admits only port 443 from 0.0.0.0/0.
  2. Application Tier: Create two private subnets and place the EC2 instances there. Their security group allows inbound traffic only from the ALB's security group (reference the security group ID as the source, not a subnet CIDR, so the rule survives IP changes).
  3. Database Tier: Create two private subnets in a DB subnet group and place an Amazon RDS (Multi-AZ) instance there. Its security group allows only the database port from the Application Tier's security group, and this tier's route table has no 0.0.0.0/0 entry at all.
  4. Internet Access: For the Application Tier to download updates, put a NAT Gateway in the public subnet of each AZ and point each AZ's application route table at the NAT Gateway in the same AZ (0.0.0.0/0 to the NAT Gateway). A single shared NAT Gateway works, but it makes the other AZ's outbound access depend on a resource outside that AZ.
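The four steps above as an added Python example (not code from the original guide): an audit over a constructed in-memory model of the design that checks the route-table and security-group properties each step relies on. Identifiers such as igw-main, nat-a and sg-alb are placeholders, and nothing here calls the AWS API; the same checks could be pointed at `describe-route-tables` and `describe-security-groups` output.

```python
"""Audit a 3-tier VPC design before it is deployed. Added illustration over a
constructed in-memory model (no AWS API calls); igw-main, nat-a, sg-alb and
friends are placeholder identifiers. Checks that:
  * public subnets default-route to the IGW,
  * app subnets default-route to a NAT Gateway hosted in a public subnet in the SAME AZ,
  * data subnets have no default route at all,
  * each security group only admits the tier directly in front of it.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Subnet:
    name: str
    tier: str                    # "public" | "app" | "data"
    az: str
    default_route: Optional[str]  # target of 0.0.0.0/0: "igw-*", "nat-*" or None


@dataclass
class NatGateway:
    id: str
    subnet: str                  # name of the subnet hosting it


@dataclass
class SecurityGroup:
    id: str
    tier: str                    # "alb" | "app" | "data"
    ingress: List[Tuple[str, int]]  # (source, port); source is a CIDR or an sg id


def check_routes(subnets, nats):
    findings = []
    by_name = {s.name: s for s in subnets}
    nat_by_id = {n.id: n for n in nats}
    for s in subnets:
        r = s.default_route
        if s.tier == "public":
            if not (r and r.startswith("igw-")):
                findings.append(f"{s.name}: public subnet must default-route to an IGW")
        elif s.tier == "app":
            nat = nat_by_id.get(r)
            if nat is None:
                findings.append(f"{s.name}: app subnet must default-route to a known NAT Gateway")
                continue
            host = by_name.get(nat.subnet)
            if host is None or host.tier != "public":
                findings.append(f"{nat.id}: NAT Gateway must live in a public subnet")
            elif host.az != s.az:
                findings.append(f"{s.name}: NAT {nat.id} is in {host.az}, a cross-AZ dependency")
        elif s.tier == "data" and r is not None:
            findings.append(f"{s.name}: data subnet must have no default route (found {r})")
    return findings


def check_security_groups(groups):
    """Each tier may only be reached from the tier directly in front of it."""
    sg_of = {g.tier: g.id for g in groups}
    allowed = {
        "alb": {"0.0.0.0/0"},         # internet-facing listener
        "app": {sg_of.get("alb")},    # only the load balancer's group
        "data": {sg_of.get("app")},   # only the application instances' group
    }
    findings = []
    for g in groups:
        for source, port in g.ingress:
            if source not in allowed[g.tier]:
                findings.append(f"{g.id} ({g.tier}): ingress {source}:{port} is not from the tier in front")
    return findings


def audit(subnets, nats, groups):
    return check_routes(subnets, nats) + check_security_groups(groups)


def sample_design(broken=False):
    """Constructed 2-AZ, 3-tier layout; broken=True injects two common mistakes."""
    subnets = [
        Subnet("public-a", "public", "az-a", "igw-main"),
        Subnet("public-b", "public", "az-b", "igw-main"),
        Subnet("app-a", "app", "az-a", "nat-a"),
        Subnet("app-b", "app", "az-b", "nat-a" if broken else "nat-b"),  # shared NAT across AZs
        Subnet("data-a", "data", "az-a", None),
        Subnet("data-b", "data", "az-b", None),
    ]
    nats = [NatGateway("nat-a", "public-a"), NatGateway("nat-b", "public-b")]
    db_ingress = [("sg-app", 3306)] + ([("0.0.0.0/0", 3306)] if broken else [])  # DB open to the world
    groups = [
        SecurityGroup("sg-alb", "alb", [("0.0.0.0/0", 443)]),
        SecurityGroup("sg-app", "app", [("sg-alb", 80)]),
        SecurityGroup("sg-data", "data", db_ingress),
    ]
    return subnets, nats, groups


if __name__ == "__main__":
    for problem in audit(*sample_design(broken=True)):
        print(problem)
```

The clean design returns no findings; the broken variant flags the cross-AZ NAT dependency from step 4 and the database group that accepts 3306 from 0.0.0.0/0, which is the single most common way a "private" RDS instance ends up reachable once any path into the VPC exists.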

Checkpoint Questions

  1. Why is it a best practice to leave unused CIDR space when first creating a VPC?
  2. Which service would you use to reduce latency for global users by providing them with static entry-point IP addresses?
  3. In a hybrid setup, which connection type provides dedicated 1 Gbps, 10 Gbps or 100 Gbps bandwidth over a private physical link?
  4. True/False: A NAT Gateway must be placed in a private subnet to function correctly.

Answers

  1. To allow for future expansion, such as adding subnets for new Availability Zones or specialized services.
  2. AWS Global Accelerator.
  3. AWS Direct Connect.
  4. False. A NAT Gateway must be placed in a public subnet (so it can reach the IGW) to provide internet access to private resources. It is also a zonal resource, so deploy one per AZ and route each AZ's private subnets to their own.
© 2026 BrainyBee. Free AI-powered exam prep.