AWS Architecture & Services Deep Dive
AWS Networking: VPC, Route 53 & CloudFront
Networking questions appear in nearly every cloud architect interview. Mastering VPC design, DNS, and CDN patterns is essential.
VPC Architecture Deep Dive
Core Components
| Component | Purpose | Key Considerations |
|---|---|---|
| VPC | Isolated network | CIDR sizing (primary CIDR can't be changed later) |
| Subnet | AZ-specific segment | Public vs. Private |
| Route Table | Traffic routing | Each subnet is associated with exactly one route table |
| Internet Gateway | Public internet access | One per VPC |
| NAT Gateway | Private subnet outbound | Per-AZ for HA |
| Security Group | Instance-level firewall | Stateful |
| NACL | Subnet-level firewall | Stateless |
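The "stateful vs. stateless" row is the one that bites in practice: a NACL checks the request and the reply as two unrelated packets, and its numbered rules are evaluated lowest-first with the first match winning. The following is an added example (not from the original article) that models that evaluation on constructed rules. Only port and CIDR are matched; protocol and ICMP types are left out, and the rule numbers, addresses and ports are made up for the demonstration.

```python
"""Network ACL evaluation: stateless, numbered rules, first match wins.

Added example, not from the original article. Rule numbers, CIDRs and ports
are constructed; only port and source/destination CIDR are matched here
(protocol and ICMP types are left out for brevity).
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    number: int      # NACL rules are evaluated in ascending number order
    action: str      # "allow" or "deny"
    cidr: str        # source CIDR (inbound) or destination CIDR (outbound)
    port_from: int
    port_to: int

    def matches(self, addr: str, port: int) -> bool:
        in_cidr = ipaddress.ip_address(addr) in ipaddress.ip_network(self.cidr)
        return in_cidr and self.port_from <= port <= self.port_to


def evaluate(rules: List[Rule], addr: str, port: int) -> str:
    """Return the action of the lowest-numbered matching rule; no match is the
    implicit deny that the console shows as rule '*'."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(addr, port):
            return rule.action
    return "deny"


def connection_allowed(inbound, outbound, client_ip, client_port, server_port) -> bool:
    """Stateless check: the request (inbound, to server_port) and the reply
    (outbound, to the client's ephemeral port) must each be allowed explicitly.
    A security group would allow the reply automatically once the request
    was allowed; a NACL does not."""
    request_ok = evaluate(inbound, client_ip, server_port) == "allow"
    reply_ok = evaluate(outbound, client_ip, client_port) == "allow"
    return request_ok and reply_ok


def shadowed(rules: List[Rule]) -> List[int]:
    """Numbers of rules that can never fire because a lower-numbered rule already
    covers their whole CIDR and port range. A deny placed after a broad allow is
    the classic mistake this catches."""
    ordered = sorted(rules, key=lambda r: r.number)
    dead = []
    for i, later in enumerate(ordered):
        later_net = ipaddress.ip_network(later.cidr)
        for earlier in ordered[:i]:
            covers_cidr = later_net.subnet_of(ipaddress.ip_network(earlier.cidr))
            covers_ports = earlier.port_from <= later.port_from and later.port_to <= earlier.port_to
            if covers_cidr and covers_ports:
                dead.append(later.number)
                break
    return dead


# Constructed sample: HTTPS allowed in, but the outbound side forgot ephemeral ports.
INBOUND = [Rule(100, "allow", "0.0.0.0/0", 443, 443)]
OUTBOUND_NO_EPHEMERAL = [Rule(100, "allow", "0.0.0.0/0", 443, 443)]
OUTBOUND_FIXED = OUTBOUND_NO_EPHEMERAL + [Rule(110, "allow", "0.0.0.0/0", 1024, 65535)]
# Constructed sample: a deny for SSH that a broad allow-all above it makes dead.
BROAD_THEN_DENY = [Rule(100, "allow", "0.0.0.0/0", 0, 65535),
                   Rule(110, "deny", "0.0.0.0/0", 22, 22)]


if __name__ == "__main__":
    print("reply without ephemeral rule:",
          connection_allowed(INBOUND, OUTBOUND_NO_EPHEMERAL, "203.0.113.5", 51000, 443))
    print("reply with ephemeral rule:   ",
          connection_allowed(INBOUND, OUTBOUND_FIXED, "203.0.113.5", 51000, 443))
    print("dead rules:", shadowed(BROAD_THEN_DENY))
```

Two things fall out of running it: the "allow 443 in" NACL silently breaks every HTTPS session until an outbound allow for the ephemeral range exists, and `shadowed()` is the review you want over any NACL that mixes a broad allow with later denies, since the deny is dead weight that reads as protection.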
Interview Question: VPC CIDR Design
Q: "Design a VPC CIDR strategy for a company with 3 AWS regions and potential for 100+ VPCs."
A: Use a hierarchical CIDR allocation:
Company: 10.0.0.0/8 (16M addresses total)
Region Allocation (/16 each = 65K addresses):
- us-east-1: 10.0.0.0/16
- us-west-2: 10.1.0.0/16
- eu-west-1: 10.2.0.0/16
VPC Allocation (/20 each = 4K addresses):
- us-east-1-prod: 10.0.0.0/20
- us-east-1-dev: 10.0.16.0/20
- us-east-1-staging: 10.0.32.0/20
Subnet Allocation (/24 each = 256 addresses):
- public-1a: 10.0.0.0/24
- public-1b: 10.0.1.0/24
- private-1a: 10.0.2.0/24
- private-1b: 10.0.3.0/24
Key Principles:
- Reserve /16 per region for growth
- Use /20 for VPCs (supports ~4,000 hosts)
- Leave gaps for future expansion
- Document allocations in IPAM
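The hierarchy above is easy to state and easy to get wrong by hand, so here is an added example (not from the original article) that carves the same /8 into the region, VPC and subnet blocks the answer lists and checks the result for overlaps before anything is created. Region and VPC names are the ones in the text; the allocation order within each level is an assumption. It also reports usable hosts per subnet, which is five fewer than the address count because AWS reserves the first four and the last address of every subnet.

```python
"""Hierarchical CIDR allocation for the /8 -> /16 -> /20 -> /24 plan above.

Added example, not from the original article. Region and VPC names are the
ones used in the text; the allocation order within each level is an assumption.
"""
import ipaddress
from itertools import islice
from typing import Dict, List, Tuple

AWS_RESERVED_PER_SUBNET = 5   # first four addresses and the last one in every subnet


def carve(parent: str, new_prefix: int, names: List[str]) -> Dict[str, str]:
    """Split `parent` into /new_prefix blocks and hand them out to `names` in order.

    Fails loudly when there are more names than blocks, so a plan that has run
    out of space cannot silently wrap around into an overlapping range.
    """
    net = ipaddress.ip_network(parent, strict=True)
    capacity = 2 ** (new_prefix - net.prefixlen)
    if len(names) > capacity:
        raise ValueError(f"{parent} only has {capacity} /{new_prefix} blocks, {len(names)} requested")
    blocks = islice(net.subnets(new_prefix=new_prefix), len(names))
    return {name: str(block) for name, block in zip(names, blocks)}


def build_plan() -> Dict[str, Dict[str, str]]:
    """The allocation the interview answer describes, level by level."""
    regions = carve("10.0.0.0/8", 16, ["us-east-1", "us-west-2", "eu-west-1"])
    vpcs = carve(regions["us-east-1"], 20,
                 ["us-east-1-prod", "us-east-1-dev", "us-east-1-staging"])
    subnets = carve(vpcs["us-east-1-prod"], 24,
                    ["public-1a", "public-1b", "private-1a", "private-1b"])
    return {"regions": regions, "vpcs": vpcs, "subnets": subnets}


def overlaps(cidrs: List[str]) -> List[Tuple[str, str]]:
    """Every pair of CIDRs that overlap; an empty list means the plan is clean.

    VPC peering and Transit Gateway both refuse overlapping CIDRs, so this is
    the check to run against the IPAM record before a new VPC is created.
    """
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [(str(a), str(b))
            for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


def usable_hosts(cidr: str) -> int:
    """Addresses actually assignable to ENIs in an AWS subnet of this size."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


if __name__ == "__main__":
    plan = build_plan()
    for level, allocation in plan.items():
        print(level)
        for name, cidr in allocation.items():
            print(f"  {name:<20} {cidr}")
    print("overlaps across VPCs:", overlaps(list(plan["vpcs"].values())))
    print("usable hosts in a /24:", usable_hosts("10.0.0.0/24"))
```

Feeding the plan's VPC list through `overlaps()` is the gate that keeps "leave gaps for future expansion" honest: the gaps only help if nothing is ever allocated inside them, and the check catches the day someone hand-edits a /22 into the middle of a reserved range.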
VPC Connectivity Options
| Option | Use Case | Latency | Cost |
|---|---|---|---|
| VPC Peering | VPC-to-VPC, same/cross-region | Low | $0.01/GB |
| Transit Gateway | Hub-and-spoke, 5K+ VPCs | Low | $0.05/hour + $0.02/GB |
| PrivateLink | Service exposure, no VPC peering | Lowest | $0.01/hour + $0.01/GB |
| VPN | Encrypted, on-prem connectivity | Variable | $0.05/hour |
| Direct Connect | Dedicated, on-prem connectivity | Lowest | Port fee + $0.02/GB |
Interview Question: Transit Gateway vs VPC Peering
Q: "You have 15 VPCs that need to communicate. Would you use VPC Peering or Transit Gateway?"
A: With 15 VPCs:
- VPC Peering: 15 × 14 / 2 = 105 peering connections (n×(n-1)/2)
- Transit Gateway: 15 attachments to single hub
Recommendation: Transit Gateway because:
- Simpler management (15 vs 105 connections)
- Centralized routing control
- Easier to add new VPCs
- Supports transitive routing
VPC Peering still wins when:
- Only 2-3 VPCs need connectivity
- Cross-region with lowest latency needed
- Cost is critical (no hourly charge)
Route 53: DNS & Routing
Routing Policies
| Policy | Use Case | Example |
|---|---|---|
| Simple | Single resource | One ALB endpoint |
| Weighted | Traffic splitting | 90% v1, 10% v2 |
| Latency | Global performance | Route to nearest region |
| Failover | Active-passive HA | Primary → DR |
| Geolocation | Compliance/localization | EU users → EU region |
| Geoproximity | Fine-grained geo | Bias toward specific regions |
| Multivalue Answer | Simple load balancing | Up to 8 healthy records |
Interview Question: Blue-Green with Route 53
Q: "Describe how you'd implement blue-green deployments using Route 53."
A: Weighted routing approach:
- Deploy green environment (v2) alongside blue (v1)
- Configure weighted policy:
  - Blue: 100%, Green: 0% (initial)
- Gradually shift traffic:
  - Blue: 90%, Green: 10% (canary)
  - Blue: 50%, Green: 50% (validation)
  - Blue: 0%, Green: 100% (complete)
- Keep blue for instant rollback
- Delete blue after confidence period
TTL Consideration: Lower the TTL (60s) ahead of the deployment, not at deployment time, so that resolvers have already expired the old longer-lived answers by the time the weights change; otherwise a shift or rollback takes effect only as fast as the old TTL allows.
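The weighted shift above translates into a series of `ChangeBatch` payloads. Here is an added example (not from the original article) that builds them, the rollback batch, and the share of answers each record should receive at every step. The record name and the two target addresses are constructed; the `ChangeBatch` shape is the one boto3's `route53.change_resource_record_sets()` takes as its `ChangeBatch` argument. Plain A records are used so the TTL is explicit (alias records pointing at an ALB carry no TTL of their own).

```python
"""Route 53 ChangeBatch payloads for the weighted blue/green shift described above.

Added example, not from the article. The record name, the two target IPs
(TEST-NET-1 addresses) and the step order are constructed. The ChangeBatch
shape is the one boto3's route53.change_resource_record_sets() takes as its
ChangeBatch argument; plain A records are used here so the TTL is explicit.
"""
from typing import Dict, List

RECORD_NAME = "app.example.com."   # constructed
TTL_SECONDS = 60                   # the low TTL recommended in the text
BLUE_TARGET = "192.0.2.10"         # constructed
GREEN_TARGET = "192.0.2.20"        # constructed
SHIFT_PLAN = [(100, 0), (90, 10), (50, 50), (0, 100)]   # (blue, green) weight per step


def weighted_record(set_id: str, target: str, weight: int) -> Dict:
    if not 0 <= weight <= 255:
        raise ValueError("Route 53 weights must be between 0 and 255")
    return {
        "Name": RECORD_NAME,
        "Type": "A",
        "SetIdentifier": set_id,     # distinguishes records that share Name and Type
        "Weight": weight,
        "TTL": TTL_SECONDS,
        "ResourceRecords": [{"Value": target}],
    }


def change_batch(blue_weight: int, green_weight: int) -> Dict:
    """One atomic UPSERT of both weighted records.

    Both weights at zero is refused: Route 53 then answers from all zero-weight
    records with equal probability, which is not the "no traffic" a reader of
    0% would expect.
    """
    if blue_weight == 0 and green_weight == 0:
        raise ValueError("at least one record needs a non-zero weight")
    return {
        "Comment": f"blue={blue_weight} green={green_weight}",
        "Changes": [
            {"Action": "UPSERT",
             "ResourceRecordSet": weighted_record("blue", BLUE_TARGET, blue_weight)},
            {"Action": "UPSERT",
             "ResourceRecordSet": weighted_record("green", GREEN_TARGET, green_weight)},
        ],
    }


def shift_steps() -> List[Dict]:
    """The four batches, in the order they would be applied."""
    return [change_batch(blue, green) for blue, green in SHIFT_PLAN]


def rollback() -> Dict:
    """Instant rollback while blue is still running: all weight back on blue."""
    return change_batch(100, 0)


def expected_share(batch: Dict, set_id: str) -> float:
    """Fraction of DNS answers a record receives: its weight over the sum of weights."""
    records = [c["ResourceRecordSet"] for c in batch["Changes"]]
    total = sum(r["Weight"] for r in records)
    return next(r["Weight"] for r in records if r["SetIdentifier"] == set_id) / total


if __name__ == "__main__":
    for step in shift_steps():
        print(step["Comment"], "-> green share", expected_share(step, "green"))
```

Each batch would be submitted as `client.change_resource_record_sets(HostedZoneId=zone_id, ChangeBatch=batch)` and is applied atomically, so there is no moment where only one of the two records exists. Attaching a `HealthCheckId` to the green record is the usual extra: a green environment that fails its health check is then skipped rather than receiving its 10%.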
CloudFront: CDN & Edge
Distribution Configuration
| Setting | Options | Impact |
|---|---|---|
| Price Class | All / 200 / 100 | Cost vs. global coverage |
| Origin | S3 / ALB / Custom | Content source |
| Cache Policy | Managed / Custom | Cache behavior |
| Edge Functions | CloudFront Functions / Lambda@Edge | Request manipulation |
Interview Question: CloudFront Caching Strategy
Q: "Your application serves dynamic content with some cacheable elements. How do you configure CloudFront?"
A: Multi-tier caching strategy:
Path Patterns:
/static/* → Cache for 1 year (immutable assets)
/api/* → No cache, forward all headers
/images/* → Cache 24 hours, vary by Accept header
Default → Cache 1 hour, respecting origin cache headers
Cache Keys:
- Include query strings for dynamic content
- Whitelist necessary headers only
- Use cache policies for consistency
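The path-pattern table and the cache-key rules above decide two things at once: whether a response is stored at all, and which requests will share it. The following is an added example (not from the original article or from AWS) that resolves a request path to its behaviour in precedence order and builds the cache key from the allowlisted query strings and headers. The behaviour table mirrors the text; how the key is assembled and the credential check at the end are the editor's assumptions, not CloudFront internals.

```python
"""Path-pattern resolution and cache-key construction for the caching plan above.

Added example, not from the article or from AWS. The behaviour table mirrors
the text; how query strings and headers enter the key, and the credential
check at the end, are the editor's assumptions rather than CloudFront internals.
"""
import fnmatch
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Behavior:
    path_pattern: Optional[str]            # None marks the default behaviour
    ttl_seconds: int                       # 0 means never cache, always go to origin
    header_allowlist: Tuple[str, ...] = () # lower-cased header names in the cache key
    include_query_strings: bool = False


# Order matters: the first matching path pattern wins, default behaviour last.
BEHAVIORS = (
    Behavior("/static/*", 365 * 24 * 3600),                          # immutable assets
    Behavior("/api/*", 0, include_query_strings=True),               # never cached
    Behavior("/images/*", 24 * 3600, header_allowlist=("accept",)),  # vary by Accept
    Behavior(None, 3600, include_query_strings=True),                # default
)

CREDENTIAL_HEADERS = ("authorization", "cookie")


def resolve(path: str) -> Behavior:
    for behavior in BEHAVIORS:
        if behavior.path_pattern is None or fnmatch.fnmatchcase(path, behavior.path_pattern):
            return behavior
    raise RuntimeError("BEHAVIORS must end with the default behaviour")


def cache_key(path: str, query: Dict[str, str], headers: Dict[str, str]) -> Optional[str]:
    """Cache key for this request, or None when the behaviour does not cache.

    Two requests that produce the same key are served the same stored object,
    so anything the response legitimately varies on must be in the key."""
    behavior = resolve(path)
    if behavior.ttl_seconds == 0:
        return None
    parts = [path]
    if behavior.include_query_strings:
        # sorted so parameter order alone does not fragment the cache
        parts += [f"{k}={v}" for k, v in sorted(query.items())]
    lowered = {k.lower(): v for k, v in headers.items()}
    parts += [f"{name}:{lowered.get(name, '')}" for name in behavior.header_allowlist]
    return hashlib.sha256("\n".join(parts).encode()).hexdigest()


def shared_cache_risk(path: str, headers: Dict[str, str]) -> bool:
    """True when a cacheable behaviour receives a credentialed request whose
    credential is not part of the cache key: whatever the origin personalises
    for this user would be stored under a key that other users' requests hit too.
    Editor's heuristic for reviewing a configuration, not CloudFront behaviour."""
    behavior = resolve(path)
    if behavior.ttl_seconds == 0:
        return False
    present = {k.lower() for k in headers}
    return any(h in present and h not in behavior.header_allowlist for h in CREDENTIAL_HEADERS)


if __name__ == "__main__":
    print(resolve("/static/app.js"))
    print(cache_key("/images/a.png", {}, {"Accept": "image/webp"}))
    print(shared_cache_risk("/images/avatar.png", {"Cookie": "session=abc"}))
```

The `shared_cache_risk()` check is the review question behind "whitelist necessary headers only": a narrow allowlist keeps the hit rate up, but any path that returns per-user content while cached without the credential in its key is a cross-user disclosure waiting for the second request.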
CloudFront Security Features
- OAC (Origin Access Control): Secure S3 access (replaces OAI)
- Field-Level Encryption: Encrypt sensitive form fields at edge
- AWS WAF Integration: Layer 7 protection at edge
- Signed URLs/Cookies: Private content access control
Interview Question: Global Architecture
Q: "Design a globally distributed application with low latency for users in US, EU, and APAC."
A: Multi-region active-active architecture:
DNS: Route 53 Latency-Based Routing
├── US: us-east-1
├── EU: eu-west-1
└── APAC: ap-southeast-1
Each Region:
CloudFront → ALB → ECS/EKS
↓
Regional DynamoDB Global Table
↓
ElastiCache (per-region)
Cross-Region:
- DynamoDB Global Tables for data sync
- S3 Cross-Region Replication for assets
- Aurora Global Database for relational data
Key Pattern: Keep data close to users. Use asynchronous replication between regions and design for eventual consistency.
Next, we'll explore AWS database services and selection criteria.