SAP-C02 Study Guide: Unit 2 - Design for New Solutions

This study guide covers the architectural requirements for designing new workloads on AWS, as defined in the SAP-C02 Content Domain 2. It focuses on the intersection of performance, cost-efficiency, reliability, and multi-account governance.


Learning Objectives

After studying this guide, you should be able to:

  • Evaluate the optimal account structure and governance model for new organizational requirements.
  • Design deployment strategies that balance business agility with security controls.
  • Determine cost-optimization strategies using appropriate purchasing options (Spot, RI, Savings Plans).
  • Architect hybrid network connectivity (VPN vs. Direct Connect) and multi-account event routing.
  • Apply the Well-Architected Framework principles to achieve specific RPO/RTO targets.

Key Terms & Glossary

  • Service Control Policy (SCP): A type of organization policy used to manage permissions in your organization, acting as a guardrail rather than granting permissions.
  • RTO (Recovery Time Objective): The maximum acceptable delay between the interruption of service and restoration.
  • RPO (Recovery Point Objective): The maximum acceptable amount of data loss measured in time.
  • VPC Endpoint: A private connection between your VPC and supported AWS services that does not traverse an internet gateway. Interface endpoints are built on AWS PrivateLink (an ENI in your subnet); gateway endpoints (S3, DynamoDB) are route-table entries.
  • AWS Transit Gateway: A network transit hub used to interconnect Virtual Private Clouds (VPCs) and on-premises networks.

The "Big Idea"

Designing for new solutions in a Professional context is not just about making things work; it is about simultaneous optimization. A successful architect must balance the "Performance Efficiency" pillar against the "Cost Optimization" pillar. Increasing performance is trivial with an infinite budget; the challenge is achieving high-performance targets while maintaining frugality through right-sizing, appropriate purchasing models, and automated governance.


Formula / Concept Box

| Concept | Key Metric / Rule | Business Impact |
|---|---|---|
| Availability | $Availability = \frac{MTBF}{MTBF + MTTR}$ | Determines SLA and tiering |
| Cost (Compute) | $Savings = (OnDemand\,Rate - Commitment\,Rate) \times Usage$ | Affects bottom line |
| Network Throughput | $Throughput \propto Bandwidth \times (1 - Latency)$ | Affects user experience |

[!TIP] Pro-Tip: Always choose Savings Plans over Reserved Instances (RIs) for compute workloads that are expected to change instance families, as Savings Plans offer significantly more flexibility for the same discount level.


Hierarchical Outline

  • I. Multi-Account Governance
    • Organizational Units (OUs): Logical grouping of accounts for policy application.
    • Centralized Logging: S3 buckets and CloudWatch Logs destinations for cross-account auditing.
    • Resource Sharing: Utilizing AWS Resource Access Manager (RAM) for VPC subnets and Transit Gateways.
  • II. Network Design for Hybrid Clouds
    • AWS Direct Connect (DX): Consistent performance, bypasses the public internet.
    • Site-to-Site VPN: Fast setup, encrypted over the internet, variable performance.
    • Transit Gateway: Simplifies "hub-and-spoke" topologies for multi-VPC environments.
  • III. Cost Optimization & Visibility
    • Visibility Tools: S3 Storage Lens, AWS Compute Optimizer, Cost Explorer.
    • Tagging Strategy: Mapping costs to business units and cost centers for chargeback/showback.
  • IV. Business Continuity
    • Disaster Recovery (DR) Patterns: Backup & Restore, Pilot Light, Warm Standby, Multi-Site Active/Active.

Visual Anchors

Hybrid Connectivity Decision Flow

[Diagram not rendered: Hybrid Connectivity Decision Flow]

Availability vs. Cost Trade-off

[Diagram not rendered: Availability vs. Cost Trade-off]

Definition-Example Pairs

  • Right-sizing: The process of matching instance types and sizes to your workload performance and capacity requirements at the lowest possible cost.
    • Example: Converting an m5.4xlarge instance running at 10% CPU utilization to an m5.large based on AWS Compute Optimizer recommendations.
  • Multi-Account Event Notification: Using Amazon EventBridge to route events from child accounts to a central security or operations account.
    • Example: Sending a "GuardDuty Finding" event from a Production account to a Central Security account for automated remediation.
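The multi-account event routing described above, as an added example that is not part of the study guide and not AWS sample code: a minimal EventBridge event-pattern matcher shows how a rule in a workload account selects only high-severity GuardDuty findings for forwarding to a central security account's event bus, and how that bus's resource policy decides which sender accounts may put events. The account IDs, bus ARN, and the finding events are constructed placeholders; the matcher supports exact, `prefix`, `numeric` and `anything-but` matching only.

```python
"""
Added example (not AWS code): simplified EventBridge event-pattern matching
for cross-account GuardDuty finding routing.
Assumptions: account IDs and the bus ARN are placeholders; only exact, prefix,
numeric and anything-but matchers are implemented.
"""
import operator

_NUMERIC_OPS = {"<": operator.lt, "<=": operator.le, "=": operator.eq,
                ">": operator.gt, ">=": operator.ge}

# Placeholder ARN of the custom event bus in the Central Security account.
CENTRAL_SECURITY_BUS = "arn:aws:events:us-east-1:111111111111:event-bus/central-security"
PRODUCTION_ACCOUNT = "222222222222"  # placeholder sender account

# Constructed rule pattern deployed in the Production account: forward only
# GuardDuty findings with severity 7.0 or higher (high/critical).
FORWARD_HIGH_SEVERITY_FINDINGS = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

# Constructed resource policy on the central bus: only the Production account
# may call PutEvents against it.
CENTRAL_BUS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowProductionPutEvents",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{PRODUCTION_ACCOUNT}:root"},
        "Action": "events:PutEvents",
        "Resource": CENTRAL_SECURITY_BUS,
    }],
}


def _value_matches(rule_value, value) -> bool:
    """Match one pattern entry against one scalar event value."""
    if isinstance(rule_value, dict):
        if "prefix" in rule_value:
            return isinstance(value, str) and value.startswith(rule_value["prefix"])
        if "anything-but" in rule_value:
            excluded = rule_value["anything-but"]
            return value not in (excluded if isinstance(excluded, list) else [excluded])
        if "numeric" in rule_value:
            if isinstance(value, bool) or not isinstance(value, (int, float)):
                return False
            spec = rule_value["numeric"]  # e.g. [">=", 7] or [">", 0, "<=", 5]
            return all(_NUMERIC_OPS[op](value, bound)
                       for op, bound in zip(spec[::2], spec[1::2]))
        raise ValueError(f"unsupported matcher: {rule_value}")
    return rule_value == value


def _field_matches(rule_values, value) -> bool:
    """An event field may be an array: any element matching any rule value suffices."""
    candidates = value if isinstance(value, list) else [value]
    return any(_value_matches(rv, c) for rv in rule_values for c in candidates)


def matches(pattern: dict, event: dict) -> bool:
    """True if every field named in the pattern exists in the event and matches (AND semantics)."""
    for key, rule in pattern.items():
        if key not in event:
            return False
        if isinstance(rule, dict):  # nested object such as "detail"
            if not isinstance(event[key], dict) or not matches(rule, event[key]):
                return False
        elif not _field_matches(rule, event[key]):
            return False
    return True


def route(event: dict):
    """Return the target bus ARN when the rule selects the event, else None."""
    return CENTRAL_SECURITY_BUS if matches(FORWARD_HIGH_SEVERITY_FINDINGS, event) else None


def sender_permitted(account_id: str) -> bool:
    """Check whether the central bus policy allows PutEvents from this account."""
    principal = f"arn:aws:iam::{account_id}:root"
    return any(s["Effect"] == "Allow" and s["Action"] == "events:PutEvents"
               and s["Principal"].get("AWS") == principal
               for s in CENTRAL_BUS_POLICY["Statement"])


def sample_finding(severity: float, finding_type: str) -> dict:
    """Constructed GuardDuty finding envelope with only the fields this example needs."""
    return {"version": "0", "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
            "account": PRODUCTION_ACCOUNT, "region": "us-east-1",
            "detail": {"severity": severity, "type": finding_type}}


if __name__ == "__main__":
    for sev in (8.0, 2.0):
        print(sev, route(sample_finding(sev, "constructed:Finding/Type")))
```

The severity threshold lives in the rule, not in the consumer: the Production account pays for and controls the filter, while the central account's bus policy is the only place that decides which accounts may deliver at all, which is why both halves are shown.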

Worked Examples

Problem: Selecting Connectivity for a Global Financial Solution

A company requires a 10 Gbps connection between their data center and AWS. They require consistent latency for high-frequency trading data and must ensure all traffic is encrypted in transit.

Step-by-Step Solution:

  1. Identify Bandwidth Requirement: 10 Gbps exceeds standard VPN capabilities (typically 1.25 Gbps per tunnel).
  2. Identify Latency Requirement: "Consistent latency" eliminates the public internet, pointing towards AWS Direct Connect.
  3. Address Encryption: Standard Direct Connect is not encrypted. To meet the requirement, the architect must deploy MACsec (if the hardware supports it) or run a VPN over a Public VIF on Direct Connect.
  4. Final Recommendation: A 10 Gbps Dedicated Direct Connect connection with MACsec encryption for high performance and security.

Checkpoint Questions

  1. What is the main difference between an Interface VPC Endpoint and a Gateway VPC Endpoint?
  2. Which AWS tool provides specific recommendations to move EBS volumes from gp2 to gp3 for cost savings?
  3. In a multi-account environment, which service allows you to share a single Transit Gateway across different AWS Organizations? (Trick question: Can you share it?)
  4. How does the "Pilot Light" DR strategy differ from "Warm Standby" in terms of cost and RTO?

Muddy Points & Cross-Refs

  • SCPs vs. IAM Policies: Remember that SCPs define the maximum available permissions for the accounts they apply to; they never grant anything themselves. Even if an IAM policy allows `*`, an applicable SCP that denies S3 means the principal cannot access S3. See: IAM Policy Evaluation Logic.
  • Transit Gateway vs. VPC Peering: Peering is cheaper (no hourly attachment or data-processing fee) but does not scale, because every pair of VPCs needs its own connection and peering is non-transitive. Transit Gateway is the choice for complex, many-VPC topologies. See: Networking Domain for Pricing Comparison Tables.
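The SCP-versus-IAM evaluation rule above, as an added example that is not part of the study guide and not AWS code: a small Python model of how the SCPs on the path from the organization root to an account combine with an IAM identity policy for one API action. It matches only the `Action` element (Resource and Condition are ignored, an assumption of this example), and the SCPs, IAM policies and OU paths are constructed samples.

```python
"""
Added example (not the study guide's or AWS's code): a simplified model of how
SCPs and an IAM identity policy combine for a single API action.
Rule implemented: an explicit Deny anywhere wins; every level of the OU path
must contain an SCP that allows the action (the ceiling); only then does the
identity policy decide. Assumption: only the Action element is matched.
"""
from fnmatch import fnmatchcase


def _action_patterns(policy: dict, effect: str):
    """Yield every Action pattern from statements whose Effect equals `effect`."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement object is legal IAM JSON
        statements = [statements]
    for statement in statements:
        if statement.get("Effect") != effect:
            continue
        actions = statement.get("Action", [])
        yield from ([actions] if isinstance(actions, str) else actions)


def _matches(policy: dict, effect: str, action: str) -> bool:
    """True if some statement with this Effect names the action.
    IAM action matching is case-insensitive and supports '*' and '?' wildcards."""
    return any(fnmatchcase(action.lower(), pattern.lower())
               for pattern in _action_patterns(policy, effect))


def evaluate(action: str, scp_levels: list, identity_policy: dict) -> str:
    """Return "Allow" or "Deny" for `action`.
    scp_levels: one list of SCPs per level on the path root -> OU(s) -> account."""
    # 1. An explicit Deny in any SCP on the path wins, whatever IAM says.
    if any(_matches(scp, "Deny", action) for level in scp_levels for scp in level):
        return "Deny"
    # 2. Each level must have at least one SCP that allows the action (the ceiling).
    if not all(any(_matches(scp, "Allow", action) for scp in level) for level in scp_levels):
        return "Deny"
    # 3. Inside the ceiling the identity policy decides; no match is an implicit deny.
    if _matches(identity_policy, "Deny", action):
        return "Deny"
    return "Allow" if _matches(identity_policy, "Allow", action) else "Deny"


# --- constructed sample policies (not real account policies) ----------------
FULL_AWS_ACCESS = {  # the default SCP attached to every root, OU and account
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"},
}
DENY_S3 = {  # guardrail SCP attached to the Prod OU
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:*", "Resource": "*"}],
}
SANDBOX_ALLOW_LIST = {  # allow-list SCP: only EC2 and CloudWatch APIs are inside the ceiling
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:*", "cloudwatch:*"], "Resource": "*"}],
}
ADMIN_IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
S3_READ_ONLY_IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}],
}

# root -> Prod OU -> account
PROD_PATH = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, DENY_S3], [FULL_AWS_ACCESS]]
# root -> Sandbox OU (FullAWSAccess detached, allow-list attached) -> account
SANDBOX_PATH = [[FULL_AWS_ACCESS], [SANDBOX_ALLOW_LIST], [FULL_AWS_ACCESS]]


def scenarios() -> dict:
    """The cases behind the muddy point above, as scenario -> decision."""
    return {
        "admin in Prod, s3:GetObject": evaluate("s3:GetObject", PROD_PATH, ADMIN_IAM_POLICY),
        "admin in Prod, ec2:RunInstances": evaluate("ec2:RunInstances", PROD_PATH, ADMIN_IAM_POLICY),
        "admin in Sandbox, iam:CreateUser": evaluate("iam:CreateUser", SANDBOX_PATH, ADMIN_IAM_POLICY),
        "admin in Sandbox, ec2:RunInstances": evaluate("ec2:RunInstances", SANDBOX_PATH, ADMIN_IAM_POLICY),
        "s3 reader, default SCPs, s3:PutObject": evaluate("s3:PutObject", [[FULL_AWS_ACCESS]], S3_READ_ONLY_IAM_POLICY),
        "s3 reader, default SCPs, s3:GetObject": evaluate("s3:GetObject", [[FULL_AWS_ACCESS]], S3_READ_ONLY_IAM_POLICY),
    }


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{decision:5}  {name}")
```

The sandbox path is the case people miss: the account admin policy allows `iam:CreateUser`, and no SCP denies it, yet the call fails because the allow-list SCP at the OU level never brought IAM inside the ceiling.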

Comparison Tables

AWS Purchasing Options

| Option | Commitment | Discount | Ideal Workload |
|---|---|---|---|
| On-Demand | None | 0% | Spiky, unpredictable, short-term |
| Savings Plans | 1 or 3 years | Up to 72% | Steady state, flexible instance types |
| Spot Instances | None (can be reclaimed) | Up to 90% | Stateless, fault-tolerant, batch jobs |
| Reserved Instances | 1 or 3 years | Up to 72% | Legacy apps, specific zonal capacity |

VPC Endpoint Comparison

| Feature | Interface Endpoint | Gateway Endpoint |
|---|---|---|
| Technology | AWS PrivateLink (ENI) | Route table prefix list |
| Cost | Hourly + data processing | Free |
| Services | Most AWS services (EC2, SSM, etc.) | S3 and DynamoDB only |
| Connectivity | Accessible via VPN/DX | Local VPC only |
