Networking Architecture
Individual networking services (VPC, Transit Gateway, Direct Connect, PrivateLink) are the building blocks; this is about the shapes they compose into at scale — multi-VPC topologies, multi-account networking, hybrid connectivity, and Zero Trust. Most AWS accounts start as one VPC and grow into something more complicated.
The trick is recognizing when a topology is hitting its limits and choosing the next shape deliberately, rather than letting it sprawl.
Single-VPC and Hub-and-Spoke
Inside one VPC, the three-tier pattern is the default: public subnets for load balancers and NAT, private subnets for application servers, isolated subnets for databases — defense in depth where compromising one layer does not expose the next. Most teams over-allocate CIDR; a /16 VPC with /24 subnets is plenty except for EKS's per-pod ENI model.
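The CIDR sizing point above is easier to reason about with numbers in hand. The following script is an added example, not part of the original page: it carves a constructed /16 VPC into the three-tier grid across three AZs, counts what AWS actually lets you assign per subnet (five addresses are reserved in every subnet), estimates the IP headroom a /24 leaves for an EKS node group where each pod consumes a subnet IP, and flags subnets that would collide with a network you might later peer or route to. The VPC block, AZ names, node counts and the on-prem range are all constructed for illustration.

```python
import ipaddress

# Three-tier layout from the text: public (load balancers/NAT), private (apps), isolated (databases).
TIERS = ("public", "private", "isolated")
AWS_RESERVED_PER_SUBNET = 5  # network, VPC router, DNS, future use, broadcast


def plan_subnets(vpc_cidr, azs, subnet_prefix=24):
    """Carve one subnet per (tier, AZ) out of the VPC block, tier by tier.

    Returns {(tier, az): "x.x.x.x/NN"}; raises ValueError if the VPC cannot hold the grid.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    blocks = vpc.subnets(new_prefix=subnet_prefix)
    plan = {}
    for tier in TIERS:
        for az in azs:
            try:
                plan[(tier, az)] = str(next(blocks))
            except StopIteration:
                raise ValueError(
                    f"{vpc_cidr} cannot hold {len(TIERS) * len(azs)} /{subnet_prefix} subnets"
                ) from None
    return plan


def usable_hosts(cidr):
    """Addresses actually assignable in one AWS subnet."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def remaining_blocks(vpc_cidr, plan, subnet_prefix=24):
    """How many /subnet_prefix blocks of the VPC are still unallocated after the plan."""
    total = 2 ** (subnet_prefix - ipaddress.ip_network(vpc_cidr).prefixlen)
    return total - len(plan)


def eks_ip_headroom(cidr, node_count, pods_per_node):
    """Spare IPs once an EKS node group (VPC CNI: one subnet IP per pod) is full.

    Each node takes one IP and each pod takes one. Negative means the subnet is under-sized.
    """
    needed = node_count * (1 + pods_per_node)
    return usable_hosts(cidr) - needed


def find_overlaps(plan, external_cidrs):
    """Planned subnets that collide with networks you may later peer, attach or route to."""
    external = [ipaddress.ip_network(c) for c in external_cidrs]
    return [(key, str(ext)) for key, cidr in plan.items()
            for ext in external if ipaddress.ip_network(cidr).overlaps(ext)]


if __name__ == "__main__":
    azs = ["us-east-1a", "us-east-1b", "us-east-1c"]  # constructed
    plan = plan_subnets("10.0.0.0/16", azs)
    for (tier, az), cidr in plan.items():
        print(f"{tier:8s} {az}  {cidr}  ({usable_hosts(cidr)} usable)")
    print("unused /24 blocks left in the VPC:", remaining_blocks("10.0.0.0/16", plan))
    print("EKS headroom in one private /24 (20 nodes x 30 pods):",
          eks_ip_headroom(plan[("private", "us-east-1a")], 20, 30))
    # Constructed on-prem range that would collide if this VPC were later connected to it.
    print("collisions:", find_overlaps(plan, ["10.0.6.0/23", "192.168.0.0/16"]))
```

Nine /24 subnets use 9 of the 256 blocks in a /16, which is why a /16 is "plenty" for a three-tier VPC; the same /24 goes negative quickly once EKS pods draw from it, which is the one case where larger subnets are justified.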
Past a handful of VPCs, mesh peering (N(N-1)/2 connections) gives way to a Transit Gateway hub-and-spoke: every VPC attaches once to a central gateway, usually in a dedicated network account that also owns centralized DNS, egress, and inspection.
Multi-Account Landing Zones
For organizations with many accounts, networking is part of a Landing Zone — the accounts, OUs, identity, logging, and guardrails any new workload lands into, often built with AWS Control Tower. The shape typically includes a network account (Transit Gateway, DNS, egress), a shared-services account, a security-tooling account, and a log-archive account, with workload accounts attached to the central gateway.
Set up the Landing Zone before the organization has many accounts, not after — the investment is a few weeks but the savings compound, and a new account becomes an account-factory operation.
Hybrid, Centralized Egress, and Zero Trust
Hybrid connectivity uses Site-to-Site VPN for small or backup links and Direct Connect for production, with a Direct Connect Gateway extending one link to many Regions. Centralized egress routes workload VPCs through a single NAT in an egress VPC to cut NAT-Gateway count; centralized inspection uses a Gateway Load Balancer fronting firewall appliances where compliance requires it.
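The hub-and-spoke and centralized-egress shapes described above come down to which route tables point where. The script below is an added example, not code from the original page: it models a constructed topology of two spoke VPCs, an egress VPC holding the NAT, a Direct Connect attachment for on-prem, and two Transit Gateway route tables (one associated with the spokes, one with the egress attachment), then traces a packet's path with longest-prefix matching. The spoke table deliberately blackholes other spokes so two workloads only talk when a route is added for them; that isolation is a design choice of this example, not something the text prescribes. All CIDRs, VPC names and attachment names are constructed.

```python
import ipaddress

# Constructed route tables. VPC tables are keyed "vpc:<name>", TGW tables "tgw:<name>".
TABLES = {
    # Spoke VPCs: only the local block is local; everything else goes to the Transit Gateway.
    "vpc:app-a": {"10.1.0.0/16": "local", "0.0.0.0/0": "tgw"},
    "vpc:app-b": {"10.2.0.0/16": "local", "0.0.0.0/0": "tgw"},
    # Egress VPC: the TGW attachment subnet sends internet traffic to the NAT Gateway;
    # the NAT's public subnet sends it to the Internet Gateway and returns 10/8 via the TGW.
    "vpc:egress-tgw": {"10.0.0.0/24": "local", "0.0.0.0/0": "nat"},
    "vpc:egress-public": {"10.0.0.0/24": "local", "0.0.0.0/0": "igw", "10.0.0.0/8": "tgw"},
    # Anti-pattern spoke that still runs its own NAT (used only by the audit below).
    "vpc:legacy": {"10.3.0.0/16": "local", "0.0.0.0/0": "nat"},
    # Transit Gateway tables: spokes reach the internet via the egress VPC and on-prem via DX;
    # the 10/8 blackhole keeps spokes isolated from each other unless a route is added.
    "tgw:spokes": {"0.0.0.0/0": "attach:egress", "192.168.0.0/16": "attach:dx",
                   "10.0.0.0/8": "blackhole"},
    # Egress table holds the spoke CIDRs so NAT return traffic finds its way back.
    "tgw:egress": {"10.1.0.0/16": "attach:app-a", "10.2.0.0/16": "attach:app-b"},
}

# Which table a non-terminal target hands the packet to. Targets absent here
# (local, igw, blackhole, attach:dx) end the trace.
NEXT_TABLE = {
    ("vpc:app-a", "tgw"): "tgw:spokes",
    ("vpc:app-b", "tgw"): "tgw:spokes",
    ("vpc:egress-public", "tgw"): "tgw:egress",
    ("tgw:spokes", "attach:egress"): "vpc:egress-tgw",
    ("tgw:egress", "attach:app-a"): "vpc:app-a",
    ("tgw:egress", "attach:app-b"): "vpc:app-b",
    ("vpc:egress-tgw", "nat"): "vpc:egress-public",
}


def lpm(table, dst):
    """Longest-prefix match of dst against {cidr: target}; None if nothing matches."""
    ip = ipaddress.ip_address(dst)
    best = None
    for cidr, target in table.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def trace(start_table, dst, max_hops=8):
    """Follow dst from a VPC route table through the TGW; returns the hop list."""
    hops, table = [start_table], start_table
    for _ in range(max_hops):
        target = lpm(TABLES[table], dst)
        hops.append(target if target is not None else "no-route")
        if (table, target) not in NEXT_TABLE:
            return hops
        table = NEXT_TABLE[(table, target)]
    hops.append("loop?")
    return hops


def spokes_with_local_egress(tables):
    """Spoke VPCs whose default route is a NAT of their own rather than the Transit Gateway.

    This is the 'NAT Gateway in every workload VPC' anti-pattern; the egress VPC is exempt.
    """
    return sorted(name for name, rt in tables.items()
                  if name.startswith("vpc:") and not name.startswith("vpc:egress")
                  and rt.get("0.0.0.0/0") == "nat")


if __name__ == "__main__":
    for dst in ("203.0.113.10", "10.2.0.5", "192.168.10.4", "10.1.5.5"):
        print(f"app-a -> {dst:15s}", " > ".join(trace("vpc:app-a", dst)))
    print("NAT reply -> 10.1.5.5     ", " > ".join(trace("vpc:egress-public", "10.1.5.5")))
    print("spokes still running their own NAT:", spokes_with_local_egress(TABLES))
```

Tracing both directions matters: the forward path proves centralized egress works, and the reply path from the NAT's subnet proves the egress TGW table carries the spoke prefixes, which is the part most often forgotten when a new spoke is attached.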
Zero Trust replaces "trusted internal network" with "verify every request": AWS Verified Access, PrivateLink, IAM-based service auth (IRSA), and Identity Center move you toward it. It is more discipline than technology — the hard work is removing network-location trust from existing systems, incrementally.
- VPC Peering — two or three VPCs needing full connectivity — simplest and cheapest at small scale.
- Transit Gateway — many VPCs and hybrid links through a central hub — the standard past five or six VPCs.
- PrivateLink — exposing one specific service across boundaries, not connecting whole networks.
- Over-allocating CIDR ranges out of caution, or under-sizing subnets for EKS's per-pod ENI model.
- Meshing VPC peering past five or six VPCs instead of moving to a Transit Gateway hub-and-spoke.
- Building a multi-account organization without a Landing Zone, then retrofitting governance painfully later.
- Running a NAT Gateway in every workload VPC instead of centralized egress when you have many VPCs.
- Assuming Direct Connect is encrypted, or running a single link with no VPN backup for production hybrid.
- Adding centralized inspection (Gateway Load Balancer + appliances) when no compliance requirement justifies its latency and operational weight.
- Use the three-tier subnet pattern (public/private/isolated) as the single-VPC default.
- Move to a Transit Gateway hub-and-spoke in a dedicated network account past a handful of VPCs.
- Stand up a Landing Zone (often via Control Tower) before the organization grows many accounts.
- Use Direct Connect for production hybrid with a VPN backup; Direct Connect Gateway for multi-Region reach.
- Use centralized egress and shared VPC endpoints to cut NAT-Gateway cost at multi-VPC scale.
- Move toward Zero Trust incrementally with Verified Access, PrivateLink, and IAM-based service auth.
Knowledge Check
What is the three-tier subnet pattern inside a VPC?
- Public subnets for load balancers/NAT, private for application servers, isolated for databases
- Three entirely separate VPCs, one each for the development, staging, and production environments
- Three Availability Zones with one subnet each
- Public, private, and Direct Connect subnets
When should you move from VPC peering to a Transit Gateway?
- Past about five or six VPCs, where mesh peering's N(N-1)/2 connections become unmanageable
- As soon as you have two VPCs
- Only when you start connecting VPCs that live in different Regions across the globe, never before then
- Never — peering scales indefinitely
What is a Landing Zone?
- The accounts, networking, identity, logging, and guardrails any new workload lands into, often built with Control Tower
- The first subnet created inside a single VPC, where the initial application instances and load balancers are launched on day one
- A Direct Connect colocation facility where a physical cross-connect terminates your on-premises fiber into the AWS network
- The default VPC that AWS auto-creates in each Region of a brand-new account, with its pre-made subnets and internet gateway
What does Zero Trust replace?
- 'Trusted internal network' with 'verify every request' through identity, regardless of network location
- Encryption at rest with encryption in transit
- VPCs as the unit of isolation, with Transit Gateways stitching all of them together into one flat network
- IAM with security groups