Module Project: Multi-Tier VPC Architecture

Project Overview

Design a multi-tier VPC architecture for a production web application. This is a conceptual design exercise — you will produce a written architecture decision record (ADR) with an accompanying network diagram description.

Scenario: You work for a fintech startup that is launching a personal finance dashboard. The application consists of:

  • A React frontend served from an S3 bucket through CloudFront
  • A Node.js API running on EC2 (or ECS Fargate)
  • A PostgreSQL database on RDS
  • Redis for session caching on ElastiCache
  • All traffic must be encrypted in transit

Requirements

  1. High availability — Survive an availability zone failure
  2. Security — No direct internet access to application servers or databases
  3. Cost efficiency — Minimize NAT Gateway costs in development
  4. Scalability — Application tier must auto-scale based on CPU
  5. Compliance — Financial data must stay within us-east-1

Architecture Design

VPC and CIDR

Allocate 10.0.0.0/16 — this provides room for growth. Reserve the top half (10.0.128.0/17) for future use (e.g., a second VPC or expansion).

Subnet Layout

Deploy across two availability zones (us-east-1a and us-east-1b):

| Tier | Subnet CIDR | AZ | Route to IGW? | Route to NAT? |
|---|---|---|---|---|
| Public A | 10.0.1.0/24 | us-east-1a | Yes | N/A |
| Public B | 10.0.2.0/24 | us-east-1b | Yes | N/A |
| Private App A | 10.0.10.0/24 | us-east-1a | No | Yes |
| Private App B | 10.0.11.0/24 | us-east-1b | No | Yes |
| Private DB A | 10.0.20.0/24 | us-east-1a | No | No |
| Private DB B | 10.0.21.0/24 | us-east-1b | No | No |

Info

Database subnets have no route to the internet at all — not even through a NAT Gateway. This ensures the database cannot make outbound connections and cannot be reached from outside the VPC.
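The subnet plan above can be checked mechanically before anything is provisioned. The following Python script is an added example, not part of the course material: it encodes the table with the standard-library ipaddress module and verifies the invariants the design relies on (every subnet inside 10.0.0.0/16, none encroaching on the reserved 10.0.128.0/17, no pairwise overlaps, every tier present in two AZs). It also covers the CIDR-overlap point from the reflection questions at the end of the page: peering_conflicts lists remote ranges that collide with the VPC. The corporate ranges passed in the usage example are constructed, not taken from the page.

```python
import ipaddress
from dataclasses import dataclass

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
RESERVED = ipaddress.ip_network("10.0.128.0/17")   # top half kept free for future use


@dataclass(frozen=True)
class Subnet:
    name: str
    tier: str   # "public", "app" or "db"
    cidr: str
    az: str


# The subnet layout from the table above.
SUBNETS = [
    Subnet("Public A", "public", "10.0.1.0/24", "us-east-1a"),
    Subnet("Public B", "public", "10.0.2.0/24", "us-east-1b"),
    Subnet("Private App A", "app", "10.0.10.0/24", "us-east-1a"),
    Subnet("Private App B", "app", "10.0.11.0/24", "us-east-1b"),
    Subnet("Private DB A", "db", "10.0.20.0/24", "us-east-1a"),
    Subnet("Private DB B", "db", "10.0.21.0/24", "us-east-1b"),
]


def validate_subnet_plan(subnets, vpc=VPC_CIDR, reserved=RESERVED, required_azs=2):
    """Return a list of findings; an empty list means the plan satisfies every invariant."""
    findings = []
    nets = [(s, ipaddress.ip_network(s.cidr)) for s in subnets]

    # 1. Every subnet must sit inside the VPC and stay out of the reserved half.
    for s, n in nets:
        if not n.subnet_of(vpc):
            findings.append(f"{s.name}: {n} is outside VPC {vpc}")
        elif n.overlaps(reserved):
            findings.append(f"{s.name}: {n} encroaches on reserved range {reserved}")

    # 2. No two subnets may overlap (AWS rejects this too, but catching it on paper is cheaper).
    for i, (a, na) in enumerate(nets):
        for b, nb in nets[i + 1:]:
            if na.overlaps(nb):
                findings.append(f"{a.name} and {b.name} overlap ({na} / {nb})")

    # 3. High availability: every tier must be present in at least `required_azs` distinct AZs.
    azs_per_tier = {}
    for s in subnets:
        azs_per_tier.setdefault(s.tier, set()).add(s.az)
    for tier, azs in sorted(azs_per_tier.items()):
        if len(azs) < required_azs:
            findings.append(f"tier {tier!r} spans only {len(azs)} AZ(s): {sorted(azs)}")
    return findings


def peering_conflicts(remote_cidrs, vpc=VPC_CIDR):
    """Return the remote CIDRs that overlap the VPC; any hit blocks peering or a VPN to that network."""
    return [c for c in remote_cidrs if ipaddress.ip_network(c).overlaps(vpc)]


if __name__ == "__main__":
    for finding in validate_subnet_plan(SUBNETS) or ["subnet plan OK"]:
        print(finding)
    # Constructed corporate ranges, not from the page: the first one collides with the VPC.
    print("peering conflicts:", peering_conflicts(["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]))
```

Run it as a pre-commit step on the ADR's subnet table; a design change that drops a tier to one AZ or spills into the reserved half then fails before it reaches Terraform or CloudFormation.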

Security Groups

| Security Group | Inbound Rules | Outbound Rules |
|---|---|---|
| ALB SG | HTTP (80), HTTPS (443) from 0.0.0.0/0 | All traffic to App SG |
| App SG | HTTP (8080) from ALB SG | PostgreSQL (5432) to RDS SG, Redis (6379) to ElastiCache SG, HTTPS out through the NAT Gateway for updates |
| RDS SG | PostgreSQL (5432) from App SG | None |
| ElastiCache SG | Redis (6379) from App SG | None |

Route Tables

| Route Table | Routes |
|---|---|
| Public RT | 10.0.0.0/16 → local, 0.0.0.0/0 → igw-xxx |
| Private App RT | 10.0.0.0/16 → local, 0.0.0.0/0 → nat-xxx |
| Private DB RT | 10.0.0.0/16 → local only |
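Together, the Security Groups and Route Tables tables define a small set of isolation invariants: only the ALB accepts traffic from the internet, and only on 80/443; the data tier accepts a single port from the App SG and has no egress; only the public route table points at an internet gateway; the app tier reaches the internet through NAT; and the DB tier has no default route at all. The Python below is an added example, not course or AWS-provided code, that encodes both tables as data and checks those invariants, so a later edit to the ADR that quietly opens RDS to a CIDR or gives the DB route table a NAT route is caught. One assumption departs from the table: "NAT for updates" is modelled as HTTPS (443) egress. Keep in mind that security groups constrain ports and peers only; they do not make the PostgreSQL or Redis session TLS, so the encrypted-in-transit requirement has to be enforced on the services themselves (for RDS PostgreSQL via the rds.force_ssl parameter, for ElastiCache via in-transit encryption on the replication group).

```python
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    proto: str            # "tcp" or "all"
    port: Optional[int]   # None means all ports
    peer: str             # a CIDR such as "0.0.0.0/0", or a security-group name such as "App SG"


def is_cidr(peer: str) -> bool:
    # Security-group references carry no "/"; CIDRs always do.
    return "/" in peer


# Route tables as in the Route Tables table ("igw-xxx" / "nat-xxx" are the page's placeholders).
ROUTE_TABLES = {
    "Public RT":      {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-xxx"},
    "Private App RT": {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-xxx"},
    "Private DB RT":  {"10.0.0.0/16": "local"},
}
# Which tier is associated with which route table.
TIER_ROUTE_TABLE = {"public": "Public RT", "app": "Private App RT", "db": "Private DB RT"}

# Security groups from the Security Groups table. Assumption: "NAT for updates" is HTTPS egress.
SECURITY_GROUPS = {
    "ALB SG": {
        "inbound":  [Rule("tcp", 80, "0.0.0.0/0"), Rule("tcp", 443, "0.0.0.0/0")],
        "outbound": [Rule("all", None, "App SG")],
    },
    "App SG": {
        "inbound":  [Rule("tcp", 8080, "ALB SG")],
        "outbound": [Rule("tcp", 5432, "RDS SG"), Rule("tcp", 6379, "ElastiCache SG"),
                     Rule("tcp", 443, "0.0.0.0/0")],
    },
    "RDS SG":         {"inbound": [Rule("tcp", 5432, "App SG")], "outbound": []},
    "ElastiCache SG": {"inbound": [Rule("tcp", 6379, "App SG")], "outbound": []},
}
# The only group allowed to accept traffic from a CIDR, and the ports it may expose.
EDGE_GROUPS = {"ALB SG": {80, 443}}
# Data tier: exactly one port, only from App SG, and no egress rules at all.
DATA_GROUPS = {"RDS SG": 5432, "ElastiCache SG": 6379}


def check_routes(route_tables=ROUTE_TABLES, tier_rt=TIER_ROUTE_TABLE):
    """Return findings for the routing invariants: IGW only for public, NAT for app, no default route for db."""
    findings = []
    for tier, rt_name in tier_rt.items():
        default = route_tables[rt_name].get("0.0.0.0/0", "")
        shown = default or "no default route"
        if tier == "public" and not default.startswith("igw-"):
            findings.append(f"{rt_name}: public tier needs 0.0.0.0/0 -> igw-*, found {shown}")
        if tier == "app" and not default.startswith("nat-"):
            findings.append(f"{rt_name}: app tier needs 0.0.0.0/0 -> nat-*, found {shown}")
        if tier == "db" and default:
            findings.append(f"{rt_name}: db tier must have no default route, found 0.0.0.0/0 -> {default}")
    public_rt = tier_rt["public"]
    for rt_name, routes in route_tables.items():
        if routes.get("0.0.0.0/0", "").startswith("igw-") and rt_name != public_rt:
            findings.append(f"{rt_name}: internet gateway route on a non-public route table")
    return findings


def check_security_groups(sgs=SECURITY_GROUPS, edge=EDGE_GROUPS, data=DATA_GROUPS):
    """Return findings for the security-group invariants described in the Security Groups table."""
    findings = []
    for name, sg in sgs.items():
        # Every security-group reference must resolve; a dangling name is a typo that would block traffic.
        for r in sg["inbound"] + sg["outbound"]:
            if not is_cidr(r.peer) and r.peer not in sgs:
                findings.append(f"{name}: rule references unknown security group {r.peer!r}")
        # CIDR sources are only acceptable on the edge group, and only on its published ports.
        for r in sg["inbound"]:
            if is_cidr(r.peer):
                if name not in edge:
                    findings.append(f"{name}: inbound from CIDR {r.peer}; only {sorted(edge)} may accept CIDR sources")
                elif r.port not in edge[name]:
                    findings.append(f"{name}: port {r.port} exposed to {r.peer}; allowed: {sorted(edge[name])}")
    for name, port in data.items():
        sg = sgs[name]
        for r in sg["inbound"]:
            if r.peer != "App SG" or r.port != port:
                findings.append(f"{name}: inbound must be only tcp/{port} from App SG, found {r}")
        if sg["outbound"]:
            findings.append(f"{name}: data tier must have no outbound rules, found {len(sg['outbound'])}")
    return findings


if __name__ == "__main__":
    for finding in check_routes() + check_security_groups() or ["routing and security groups OK"]:
        print(finding)
```

Both functions return a list of findings rather than raising, so the same code can run in a CI job (fail when the list is non-empty) or as a report during design review.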

Traffic Flow

User → CloudFront → ALB (public subnet A + B)
└── EC2 / ECS (private app A + B)
    ├── ElastiCache Redis (private db A + B)
    └── RDS PostgreSQL (private db A + B)

  • CloudFront terminates TLS at the edge and forwards HTTPS to the ALB.
  • ALB terminates TLS and forwards HTTP (8080) to the application servers. This hop is plaintext inside the VPC; to satisfy the encrypted-in-transit requirement end to end, the ALB would instead forward HTTPS to a TLS listener on the instances.
  • Application servers connect to RDS and ElastiCache within the private database subnets.
  • NAT Gateway in public subnet A provides outbound internet for app servers (patch downloads, external API calls).

Caution

A single NAT Gateway in one AZ is a single point of failure for outbound traffic. For production, deploy a NAT Gateway in each AZ and add corresponding route table entries for private subnets in that AZ.

Cost Optimization

| Strategy | Savings |
|---|---|
| Use a single NAT Gateway in dev, one per AZ in prod | ~$30/month per NAT Gateway in dev |
| Use reserved instances for RDS if workload is predictable | Up to 60% vs. on-demand |
| Right-size EC2 instance types based on load testing | Variable |
| Use S3 for CloudFront origin with OAI (no ALB needed for static requests) | Reduces ALB data processing costs |

Reflection Questions

  1. Why place the NAT Gateway in a public subnet? It needs an IGW route to reach the internet for the private subnets it serves.
  2. What happens if us-east-1a fails? ALB, app instances, and RDS in us-east-1b continue serving traffic. ElastiCache requires careful replication setup for multi-AZ.
  3. How would you handle database failover? RDS Multi-AZ automatically provisions a standby in the other AZ and fails over if the primary becomes unavailable.
  4. If you needed to peer this VPC with a corporate data center, what must be true about CIDR ranges? They must not overlap — which is why we chose 10.0.0.0/16 from a range that does not conflict with typical corporate networks.

Deliverable

Write an ADR covering: VPC CIDR justification, subnet layout, security group rules, routing strategy, and cost optimization decisions. Include a text-based network diagram (or draw.io / Lucidchart) showing traffic flow across all tiers.