Determine High-Performing and Scalable Network Architectures for SAA-C03
Cover CloudFront, Global Accelerator, Direct Connect, VPN, PrivateLink, load balancing, and scalable VPC topology choices for SAA-C03 networking scenarios.
Performance in AWS networking is about placing traffic on the right path. SAA-C03 wants to know whether you can choose the right load balancer, edge service, hybrid link, and VPC topology so the network supports scale instead of quietly becoming the bottleneck.
What AWS is explicitly testing
The exam guide points to edge networking services, subnet tiers and routing, load balancing, network connection options such as VPN, Direct Connect, and PrivateLink, and scalable topology design.
Network chooser
| Requirement | Strongest first fit | Why |
|---|---|---|
| HTTP or HTTPS routing with host or path logic | ALB | Layer 7 routing and web-aware features |
| Very high-throughput TCP or UDP path with static IP style needs | NLB | Layer 4 fit with low overhead |
| Global HTTP content acceleration and caching | CloudFront | Edge caching and origin acceleration |
| Global non-HTTP entry with fast regional failover | Global Accelerator | Anycast entry and network-path optimization |
| Predictable private hybrid connectivity | Direct Connect | Better fit than internet VPN when consistency matters |
Load balancer and edge chooser
| Pattern | Usually strongest fit | What SAA-C03 is really testing |
|---|---|---|
| Host-based or path-based web routing | ALB | Whether the answer needs Layer 7 awareness |
| Static-IP style, TCP or UDP, or extreme throughput | NLB | Whether the path is transport-level rather than HTTP-aware |
| Global cacheable web delivery | CloudFront | Whether edge caching and origin offload matter more than raw routing |
| Global application entry with fast regional failover | Global Accelerator | Whether the answer is network-path optimization rather than CDN caching |
| Private service exposure without full VPC connectivity | PrivateLink | Whether one service should be exposed privately without broad routing |
The architecture question behind the services
SAA-C03 often hides the decision inside one of these phrases:
- “global users need lower latency”
- “hybrid network needs predictable performance”
- “the app must expose only one service privately across VPCs”
- “the traffic is TCP, not HTTP”
Those are not generic networking clues. They usually point directly toward CloudFront, Global Accelerator, Direct Connect, PrivateLink, ALB, or NLB.
Request-path pattern you should recognize
flowchart LR
U["Global users"] --> E["CloudFront or Global Accelerator"]
E --> L["ALB or NLB"]
L --> A["Application tiers in the right subnets"]
What matters here is not the exact shape. It is the separation of concerns:
- edge service for global entry or caching
- load balancer for protocol-aware distribution
- application placement and subnet routing behind it
Example: choose an interface endpoint for private service access
This is the kind of network configuration SAA-C03 expects you to reason about:
1Resources:
2 ApiEndpoint:
3 Type: AWS::EC2::VPCEndpoint
4 Properties:
5 VpcEndpointType: Interface
6 VpcId: vpc-1234567890abcdef0
7 ServiceName: com.amazonaws.us-east-1.execute-api
8 SubnetIds:
9 - subnet-app-a
10 - subnet-app-b
11 SecurityGroupIds:
12 - sg-endpoint
What to notice:
- this is a private service access pattern, not broad network peering
- the endpoint spans subnets and uses attached security groups, which makes it operationally different from a simple public path
- SAA-C03 often prefers this kind of narrow private exposure over opening wider connectivity than the requirement justifies
Failure patterns worth recognizing
| Symptom | Strongest first check | Why |
|---|---|---|
| Global users still see high latency for cacheable content | CloudFront fit and origin path | The workload may need edge caching, not just a bigger backend |
| Regional failover is slow for a TCP application | Global entry strategy | DNS-only thinking may be weaker than a network accelerator approach |
| The service needs only one private endpoint across VPCs | PrivateLink versus broader topology | Full VPC connectivity may be more than the requirement needs |
| The load balancer works, but the routing logic is wrong | ALB versus NLB fit | The chosen load balancer may not match the protocol or routing requirement |
Common traps
- choosing ALB for a requirement that really needs NLB characteristics
- assuming CloudFront and Global Accelerator solve the same problem
- using broad VPC connectivity where a private service exposure model is enough
- focusing on bandwidth only when the real issue is placement, protocol, or edge routing
Quiz
Continue with 3.5 Data Ingestion & Transformation to finish the performance domain with transfer, stream, analytics, and transformation paths.