Study NAT placement, VPC endpoints, CDN use, transfer-path design, and hybrid connectivity trade-offs for SAA-C03 network-cost scenarios.
This objective is where AWS checks whether you understand that network design changes cost dramatically. NAT placement, cross-AZ traffic, CDN use, endpoint selection, and hybrid connectivity choices can turn a technically correct architecture into an unnecessarily expensive one.
The current exam guide points to cost-management tools, load balancing, NAT gateways, connectivity options such as Direct Connect and VPN, routing and topology, DNS, transfer-cost minimization, CDN and edge caching strategy, and throttling choices.
| Requirement | Strongest first fit | Why |
|---|---|---|
| Private S3 or DynamoDB access from private subnets | Gateway endpoint | Often cheaper and simpler than NAT egress |
| Broad public-content delivery | CloudFront | Can reduce origin load and transfer cost while improving latency |
| Predictable dedicated hybrid path | Direct Connect | Strong fit when scale and consistency justify it |
| Faster low-cost connectivity setup | VPN | Usually faster to establish than Direct Connect |
AWS is usually asking one of these:
| Cost driver | What to ask first |
|---|---|
| NAT gateway traffic | Could this traffic stay private through an endpoint instead? |
| Cross-AZ traffic | Is the path unintentionally crossing AZ boundaries? |
| Region-to-Region transfer | Does the architecture really need cross-Region data movement on the hot path? |
| Edge delivery | Should CloudFront or another edge layer absorb repeated origin traffic? |
| Hybrid connectivity | Is fast setup more important than long-term predictable throughput, or the reverse? |
SAA-C03 repeatedly tests whether you notice:
Cost optimization is not only about endpoints and transfer. AWS can also test whether the chosen load-balancing layer is heavier than the workload needs.
| Requirement | Strongest first fit | Why |
|---|---|---|
| HTTP or HTTPS routing with host or path logic | ALB | Layer 7 features justify the service |
| High-throughput TCP or UDP path with simpler transport-level routing | NLB | Avoids paying for Layer 7 features that are not needed |
| Inline traffic inspection through virtual appliances | Gateway Load Balancer | Strong fit only when appliance insertion is actually required |
If the question only needs TCP distribution, a Layer 7 answer may be unnecessary. If the question needs deep appliance insertion, ALB or NLB alone may miss the architecture need.
```mermaid
flowchart LR
    P["Private subnets"] --> N["NAT path if needed"]
    P --> E["VPC endpoint where supported"]
    U["Users"] --> C["CloudFront when edge caching fits"]
    P --> X["Cross-AZ or cross-Region transfer if the path is careless"]
```
What to notice:
```yaml
Resources:
  S3GatewayEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Gateway            # gateway endpoint: S3 and DynamoDB only
      VpcId: vpc-1234567890abcdef0        # placeholder VPC id
      ServiceName: !Sub "com.amazonaws.${AWS::Region}.s3"
      RouteTableIds:                      # S3 traffic from subnets using these tables
        - rtb-private-a                   # takes the endpoint instead of the NAT path
        - rtb-private-b
```
What to notice:
The same service can cost very different amounts depending on the path.
| Pattern | Cost question AWS is really asking |
|---|---|
| One NAT gateway serving private subnets in multiple AZs | Are you creating cross-AZ transfer plus a shared dependency? |
| Cross-Region replication or data access on the hot path | Does the workload really need live cross-Region movement for this use case? |
| Global users pulling static assets from the origin repeatedly | Should CloudFront absorb those requests instead? |
| Private workloads reaching AWS services through public internet egress | Could an endpoint or private path remove that charge pattern? |
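As an added example that is not part of this study guide or of any AWS tooling, the following Python script checks a constructed VPC description for the first and last patterns in the table above, and for the endpoint coverage that the CloudFormation snippet earlier establishes through `RouteTableIds`. The data classes, the subnet and NAT gateway identifiers and the availability-zone names are assumptions standing in for `describe-*` API output; nothing here calls AWS. The same checks generalize to any number of AZs and route tables.

```python
"""Flag costly private-subnet egress paths in a constructed VPC description.

Added example, not code from the study guide or from AWS. The records below
are a constructed, simplified stand-in for what describe-subnets,
describe-nat-gateways, describe-route-tables and describe-vpc-endpoints
would return; nothing here calls an AWS API.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Services that support a gateway endpoint, which keeps their traffic off the NAT path.
GATEWAY_ENDPOINT_SERVICES = {"s3", "dynamodb"}


@dataclass
class Subnet:
    subnet_id: str
    az: str
    route_table_id: str


@dataclass
class NatGateway:
    nat_id: str
    az: str


@dataclass
class RouteTable:
    rtb_id: str
    default_target: Optional[str]  # target of the 0.0.0.0/0 route, or None if isolated
    endpoint_services: Set[str] = field(default_factory=set)  # gateway-endpoint routes present


@dataclass
class Vpc:
    subnets: List[Subnet]
    nat_gateways: Dict[str, NatGateway]
    route_tables: Dict[str, RouteTable]


Finding = Tuple[str, str, str]  # (kind, resource id, detail)


def find_cost_findings(vpc: Vpc, services_used: Set[str] = GATEWAY_ENDPOINT_SERVICES) -> List[Finding]:
    """Return cost findings for every private subnet whose default route is a NAT gateway."""
    findings: List[Finding] = []
    azs_per_nat: Dict[str, Set[str]] = {}
    for sn in vpc.subnets:
        rt = vpc.route_tables[sn.route_table_id]
        target = rt.default_target
        if not target or not target.startswith("nat-"):
            continue  # public (IGW) or isolated subnet: NAT cost patterns do not apply
        nat = vpc.nat_gateways[target]
        azs_per_nat.setdefault(nat.nat_id, set()).add(sn.az)
        if nat.az != sn.az:
            # Traffic hops to another AZ before egress: cross-AZ transfer on top of NAT processing.
            findings.append(("CROSS_AZ_NAT", sn.subnet_id,
                             f"default route to {nat.nat_id} in {nat.az}, but subnet is in {sn.az}"))
        for svc in sorted(services_used & GATEWAY_ENDPOINT_SERVICES):
            if svc not in rt.endpoint_services:
                # Endpoint-eligible traffic is paying the NAT path instead of using a gateway endpoint.
                findings.append(("NAT_FOR_ENDPOINT_ELIGIBLE_SERVICE", sn.subnet_id,
                                 f"{svc} traffic leaves via {nat.nat_id}; no gateway endpoint route in {rt.rtb_id}"))
    for nat_id, azs in azs_per_nat.items():
        if len(azs) > 1:
            # One NAT gateway shared by several AZs: cross-AZ charges plus a single point of failure.
            findings.append(("SINGLE_NAT_SHARED_ACROSS_AZS", nat_id,
                             f"serves private subnets in {', '.join(sorted(azs))}"))
    return findings


def sample_vpc() -> Vpc:
    """Constructed 'careless' layout: one NAT gateway, an S3 endpoint on only one route table."""
    return Vpc(
        subnets=[Subnet("subnet-priv-a", "us-east-1a", "rtb-private-a"),
                 Subnet("subnet-priv-b", "us-east-1b", "rtb-private-b")],
        nat_gateways={"nat-a": NatGateway("nat-a", "us-east-1a")},
        route_tables={"rtb-private-a": RouteTable("rtb-private-a", "nat-a", {"s3"}),
                      "rtb-private-b": RouteTable("rtb-private-b", "nat-a")},
    )


def remediated_vpc() -> Vpc:
    """Constructed remediation: one NAT gateway per AZ, S3 and DynamoDB endpoints on every table."""
    both = {"s3", "dynamodb"}
    return Vpc(
        subnets=[Subnet("subnet-priv-a", "us-east-1a", "rtb-private-a"),
                 Subnet("subnet-priv-b", "us-east-1b", "rtb-private-b")],
        nat_gateways={"nat-a": NatGateway("nat-a", "us-east-1a"),
                      "nat-b": NatGateway("nat-b", "us-east-1b")},
        route_tables={"rtb-private-a": RouteTable("rtb-private-a", "nat-a", set(both)),
                      "rtb-private-b": RouteTable("rtb-private-b", "nat-b", set(both))},
    )


if __name__ == "__main__":
    for kind, resource, detail in find_cost_findings(sample_vpc()):
        print(f"{kind:36} {resource:16} {detail}")
    print("after remediation:", find_cost_findings(remediated_vpc()))
```

The checks only look at the 0.0.0.0/0 target and the presence of gateway-endpoint routes; they say nothing about volume, so a finding is a path to question, not a bill.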
The exam often hides the cost problem inside phrases like “monthly network charges increased,” “traffic is mostly static content,” or “private subnets access S3 constantly.”
| If the scenario emphasizes… | Strongest first fit |
|---|---|
| quick setup, lower entry cost, or backup connectivity | Site-to-Site VPN |
| predictable throughput, lower variability, or sustained larger hybrid demand | Direct Connect |
Do not choose Direct Connect just because it sounds more “enterprise.” SAA-C03 usually wants the connection model that fits the traffic profile and the timeline.
The task statement also includes throttling strategy. That matters because uncontrolled request volume can inflate downstream compute, NAT, and origin-transfer cost.
| Requirement | Strongest first fit | Why |
|---|---|---|
| Public API needs controlled request rate | API Gateway throttling or edge/request controls | Reduces waste before it reaches backend tiers |
| Repeated abusive or bursty HTTP requests | Edge controls plus cache strategy where appropriate | Protects origin cost as well as stability |
If the scenario says requests are exploding backend cost, the best answer may include request shaping, not only more bandwidth.
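To show what "request shaping" does to backend cost, here is an added Python example (not from the study guide, and not AWS's implementation) of a token bucket with a steady rate and a burst allowance, the two parameters API Gateway throttling exposes. It replays a constructed arrival timeline and counts how many requests are rejected with 429 before they can reach, and be paid for at, the backend. The timestamps, rate and burst values are constructed sample inputs.

```python
"""Token-bucket request shaping, as an added example (not from the study guide).

Models a throttle with a steady rate (requests per second) and a burst
(how many requests may pass at once) on constructed request timestamps.
Assumption: this is a generic token bucket, not AWS's implementation.
"""
from typing import Dict, List, Tuple


class TokenBucket:
    """Bucket holding up to `burst` tokens, refilled at `rate` tokens per second."""

    def __init__(self, rate: float, burst: int) -> None:
        self.rate = float(rate)
        self.capacity = float(burst)
        self.tokens = float(burst)  # starts full, so a cold burst of `burst` requests passes
        self.last = 0.0

    def allow(self, now: float) -> bool:
        """Refill for the elapsed time, then spend one token if available."""
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def shape(timestamps: List[float], rate: float, burst: int) -> List[Tuple[float, int]]:
    """Decide 200 (forwarded to the backend) or 429 (throttled) for each request, in order."""
    bucket = TokenBucket(rate, burst)
    return [(t, 200 if bucket.allow(t) else 429) for t in timestamps]


def summarize(decisions: List[Tuple[float, int]]) -> Dict[str, int]:
    """Count forwarded versus throttled requests; throttled ones never cost backend capacity."""
    forwarded = sum(1 for _, status in decisions if status == 200)
    return {"forwarded": forwarded, "throttled": len(decisions) - forwarded}


# Constructed arrival times in seconds: a 10-request spike at t=0, 3 at t=1, 4 after a lull.
SPIKE = [0.0] * 10 + [1.0] * 3 + [10.0] * 4

if __name__ == "__main__":
    for t, status in shape(SPIKE, rate=2, burst=5):
        print(f"t={t:5.1f}s  {status}")
    print(summarize(shape(SPIKE, rate=2, burst=5)))
```

With rate 2 and burst 5, the first five requests of the spike pass and the other five are rejected at the edge; one second later only two tokens have been refilled, so the third request in that group is also rejected. Raising the burst to 20 lets the whole timeline through, which is the trade-off the exam wants you to see: a larger burst protects availability for spiky clients but passes the spike's cost on to the backend.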
| Symptom | Strongest first check | Why |
|---|---|---|
| Private-subnet data-transfer cost is unexpectedly high | Endpoint eligibility and NAT path | Public egress may be in use where a private path exists |
| One NAT gateway seems cheap at first but the bill grows with scale | Cross-AZ traffic and single-egress design | The architecture may be paying transfer charges plus taking resilience risk |
| Global users keep hitting the origin directly | Edge caching and content-delivery fit | CloudFront may reduce both latency and transfer cost |
| Hybrid traffic costs and complexity keep growing | Direct Connect versus VPN fit | The wrong connection model may be driving both expense and instability |
| API traffic spikes are inflating backend and transfer cost | Throttling and edge-request controls | The architecture may need request shaping, not only more network capacity |
Use the cheat sheet and resources next for final review, then switch into timed mixed scenario practice.