AWS · SAA-C03

VPC and Private Network Design — AWS Solutions Architect (SAA-C03)

4% of exam questions (8 of 200)

Private connectivity scope narrows the correct mechanism

"Privately connect to AWS services without internet" describes VPC endpoints: the Gateway type for S3 and DynamoDB, the Interface type (PrivateLink) for everything else. "Privately connect two VPCs" describes VPC peering, or Transit Gateway once more than a handful of VPCs need a mesh. "On-premises to AWS private" describes Direct Connect or Site-to-Site VPN. Candidates confuse these because they all involve the word "private." The exam uses connectivity scope as the dividing constraint: a single VPC reaching AWS services, a multi-VPC mesh, or hybrid on-premises. Match scope to mechanism before selecting the service. One caveat worth knowing: S3 also offers an Interface endpoint, needed when on-premises hosts or peered VPCs must reach S3 privately, because a Gateway endpoint only serves traffic that originates inside its own VPC.

What This Pattern Tests

The exam describes a network requirement and tests VPC topology decisions. Public subnets have a route table entry to an Internet Gateway. Private subnets reach the internet through a NAT Gateway ($0.045/hour plus $0.045 per GB processed, us-east-1 pricing). Gateway Endpoints give private subnets free access to S3 and DynamoDB; they are implemented as route table entries for the service's prefix list that point at the endpoint. Interface Endpoints (PrivateLink) provide private access to other AWS services and to third-party services through ENIs placed in your subnets ($0.01/hour per AZ plus a per-GB data-processing charge). Security Groups are stateful and allow-only: permit the inbound request and the reply is permitted automatically. NACLs are stateless and support both allow and deny rules: inbound and outbound must each be allowed explicitly, which in practice means an outbound allow for the ephemeral port range (1024-65535) so replies can leave the subnet. The two traps are sending S3 traffic from private subnets through the NAT Gateway when a Gateway Endpoint would be free, and treating a NACL as if it tracked connection state the way a Security Group does.

Decision Axis

Network isolation requirements determine subnet design: anything that must never be reachable from the internet goes in a private subnet with no Internet Gateway route. Private access to AWS services: Gateway Endpoint (S3 and DynamoDB, free) vs. Interface Endpoint (everything else, hourly plus per-GB).

Associated Traps

Decision Rules

Whether to enforce a CIDR-range block using a stateless subnet-level control (a VPC NACL deny rule) or an L7 content-inspection service (AWS WAF). The decision turns on matching the enforcement layer to the stated requirement: a NACL deny rule drops packets at the subnet boundary before any instance is reached and is the VPC-native way to block an IP range, since Security Groups are allow-only; WAF inspects HTTP requests at an ALB, CloudFront distribution or API Gateway and belongs to requirements about request content such as SQL injection or cross-site scripting. A NACL deny must be numbered lower than the broad allow rule it is meant to override, because the first matching rule wins.

Services: Amazon VPC, AWS WAF, Amazon EC2
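To make the stateless-versus-stateful distinction and the rule-ordering point concrete, here is a small offline simulator of NACL rule evaluation. It is an added example written for this page, not code from the exam guide or from AWS. It reproduces the real evaluation order (lowest rule number first, first match wins, implicit deny at the end) and uses constructed rule sets and addresses: a web subnet that allows HTTPS in, a deny for an abusive /24 placed ahead of the allow, the same deny numbered too late, and an outbound list that forgets the ephemeral port range.

```python
"""Stateless NACL evaluation versus a stateful Security Group, simulated offline.

Added example for this page, not code from the exam guide or from AWS.
Evaluation order (ascending rule number, first match wins, implicit '*' deny
at the end) follows how VPC NACLs work; the rule sets and addresses are
constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    number: int     # evaluated in ascending order; the first matching rule decides
    protocol: str   # "tcp", "udp" or "all"
    cidr: str       # matched against the source (inbound) or destination (outbound)
    port_from: int  # destination port range; 0-65535 means all ports
    port_to: int
    action: str     # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str
    dst_port: int


def nacl_decision(rules: List[Rule], packet: Packet, direction: str) -> str:
    """Apply one NACL rule list to one packet; returns 'allow' or 'deny'.

    Inbound rules are matched on the packet's source address, outbound rules
    on its destination. Traffic that matches no rule hits the implicit deny.
    """
    match_ip = ip_address(packet.src_ip if direction == "inbound" else packet.dst_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", packet.protocol):
            continue
        if match_ip not in ip_network(rule.cidr):
            continue
        if not rule.port_from <= packet.dst_port <= rule.port_to:
            continue
        return rule.action
    return "deny"


def nacl_flow(inbound: List[Rule], outbound: List[Rule], client_ip: str,
              client_port: int, server_ip: str, server_port: int) -> Tuple[str, str]:
    """Evaluate a TCP request and its reply separately, as a stateless filter must.

    The reply travels back to the client's ephemeral source port, so the
    outbound list needs an allow for 1024-65535, not just for the service port.
    """
    request = Packet(client_ip, server_ip, "tcp", server_port)
    reply = Packet(server_ip, client_ip, "tcp", client_port)
    return (nacl_decision(inbound, request, "inbound"),
            nacl_decision(outbound, reply, "outbound"))


def sg_flow(inbound_allows: List[Rule], client_ip: str, server_ip: str,
            server_port: int) -> Tuple[str, str]:
    """Security Groups are stateful and allow-only: once the request matches an
    inbound allow, the reply is permitted without consulting outbound rules."""
    request = Packet(client_ip, server_ip, "tcp", server_port)
    verdict = nacl_decision(inbound_allows, request, "inbound")
    return verdict, verdict


# Constructed rule sets for a public web subnet (example data, not a real account).
INBOUND = [
    Rule(90, "all", "203.0.113.0/24", 0, 65535, "deny"),  # abusive range, ahead of the allow
    Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),
]
INBOUND_MISORDERED = [  # same rules, but the deny is numbered after the allow
    Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),
    Rule(110, "all", "203.0.113.0/24", 0, 65535, "deny"),
]
OUTBOUND_MISSING_EPHEMERAL = [
    Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),  # lets the subnet initiate HTTPS only
]
OUTBOUND_CORRECT = [
    Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),
    Rule(110, "tcp", "0.0.0.0/0", 1024, 65535, "allow"),  # replies to clients' ephemeral ports
]

if __name__ == "__main__":
    client, server = "198.51.100.7", "10.0.1.10"
    print("NACL, no ephemeral allow :", nacl_flow(INBOUND, OUTBOUND_MISSING_EPHEMERAL, client, 51515, server, 443))
    print("NACL, ephemeral allowed  :", nacl_flow(INBOUND, OUTBOUND_CORRECT, client, 51515, server, 443))
    print("NACL, blocked /24        :", nacl_flow(INBOUND, OUTBOUND_CORRECT, "203.0.113.5", 40000, server, 443))
    print("NACL, deny numbered late :", nacl_decision(INBOUND_MISORDERED, Packet("203.0.113.5", server, "tcp", 443), "inbound"))
    print("Security Group           :", sg_flow(INBOUND[1:], client, server, 443))
```

The first run shows the exam's statelessness trap: the request is allowed in, but the reply to port 51515 matches nothing in the outbound list and is dropped, so the connection hangs even though "HTTPS is allowed". The misordered set shows why a NACL deny must carry a lower number than the allow it overrides: rule 100 matches first and the blocked /24 gets through.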

Whether to keep routing S3 and DynamoDB traffic through the NAT Gateway, whose per-GB data-processing fee compounds to thousands of dollars a month at 10 TB/day (roughly 300 TB a month at $0.045/GB, about $13,500), or to add Gateway VPC Endpoints, which route the same traffic privately with no hourly or per-GB charge. Caveat: a Gateway Endpoint is a route table entry, so it only serves subnets whose route table is associated with it, and only for traffic originating inside that VPC; peered VPCs and on-premises networks over VPN or Direct Connect still need an Interface Endpoint.

Services: Amazon Virtual Private Cloud, Amazon Simple Storage Service, Amazon DynamoDB
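An audit that finds this trap in an existing VPC, written as an added example for this page (not code from the exam guide or from AWS). It consumes the two structures a practitioner would pull with `aws ec2 describe-route-tables` and `aws ec2 describe-vpc-endpoints`, using their real field names, and reports per subnet which of the two Gateway-endpoint services still leave through the NAT Gateway. The VPC, route tables, endpoint IDs and the 10 TB/day volume below are constructed sample data so the script runs offline.

```python
"""Flag private subnets whose S3/DynamoDB traffic still pays NAT data-processing fees.

Added example for this page, not code from the exam guide or from AWS. The
input dicts follow the field names of `aws ec2 describe-route-tables` and
`aws ec2 describe-vpc-endpoints`; the IDs and traffic volume are constructed.
"""
from typing import Dict, List, Set

NAT_USD_PER_GB = 0.045                 # NAT Gateway data-processing fee quoted on the page
GATEWAY_SERVICES = ("s3", "dynamodb")  # the only services offered as Gateway endpoints


def default_route_via_nat(route_table: Dict) -> bool:
    """True if the table's 0.0.0.0/0 route is active and points at a NAT Gateway."""
    return any(
        r.get("DestinationCidrBlock") == "0.0.0.0/0"
        and r.get("State") == "active"
        and r.get("NatGatewayId", "").startswith("nat-")
        for r in route_table.get("Routes", [])
    )


def gateway_endpoints_by_route_table(vpc_endpoints: List[Dict]) -> Dict[str, Set[str]]:
    """Map route-table ID -> gateway-endpoint services whose prefix-list route it carries.

    A Gateway endpoint is associated with route tables, not subnets, so a
    subnet is covered only if its route table appears in RouteTableIds.
    """
    covered: Dict[str, Set[str]] = {}
    for ep in vpc_endpoints:
        if ep.get("VpcEndpointType") != "Gateway" or ep.get("State") != "available":
            continue
        service = ep["ServiceName"].rsplit(".", 1)[-1]   # com.amazonaws.<region>.s3 -> s3
        for rtb_id in ep.get("RouteTableIds", []):
            covered.setdefault(rtb_id, set()).add(service)
    return covered


def subnets_missing_gateway_endpoints(route_tables: List[Dict],
                                      vpc_endpoints: List[Dict]) -> Dict[str, List[str]]:
    """Subnet ID -> gateway-endpoint services that still exit through the NAT Gateway.

    Public (IGW) and isolated subnets are skipped: they pay no NAT fee for S3.
    """
    covered = gateway_endpoints_by_route_table(vpc_endpoints)
    report: Dict[str, List[str]] = {}
    for rt in route_tables:
        if not default_route_via_nat(rt):
            continue
        missing = sorted(set(GATEWAY_SERVICES) - covered.get(rt["RouteTableId"], set()))
        if not missing:
            continue
        for assoc in rt.get("Associations", []):
            if "SubnetId" in assoc:
                report[assoc["SubnetId"]] = missing
    return report


def monthly_nat_fee_usd(gb_per_day: float, days: int = 30) -> float:
    """Data-processing fee avoided by moving that volume onto Gateway endpoints."""
    return round(gb_per_day * days * NAT_USD_PER_GB, 2)


# Constructed sample: two private route tables behind one NAT Gateway and one public table.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-private-a",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0a1", "State": "active"},
                {"DestinationPrefixListId": "pl-s3", "GatewayId": "vpce-s3", "State": "active"}],
     "Associations": [{"SubnetId": "subnet-app-a"}]},
    {"RouteTableId": "rtb-private-b",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0a1", "State": "active"}],
     "Associations": [{"SubnetId": "subnet-app-b"}, {"SubnetId": "subnet-batch-b"}]},
    {"RouteTableId": "rtb-public",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0f1", "State": "active"}],
     "Associations": [{"SubnetId": "subnet-public-a"}]},
]
VPC_ENDPOINTS = [
    {"VpcEndpointId": "vpce-s3", "VpcEndpointType": "Gateway", "State": "available",
     "ServiceName": "com.amazonaws.us-east-1.s3", "RouteTableIds": ["rtb-private-a"]},
]

if __name__ == "__main__":
    for subnet, services in subnets_missing_gateway_endpoints(ROUTE_TABLES, VPC_ENDPOINTS).items():
        print(f"{subnet}: add Gateway endpoint(s) for {', '.join(services)}")
    print(f"NAT data-processing fee at 10 TB/day: ${monthly_nat_fee_usd(10 * 1024):,.2f}/month")
```

Against real output, replace the two constants with the `RouteTables` and `VpcEndpoints` lists from the CLI JSON. The check keys on route-table association rather than on the presence of an endpoint anywhere in the VPC, because an endpoint that exists but is not attached to a private subnet's route table saves nothing.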

Domain Coverage

Design Secure Architectures, Design Cost-Optimized Architectures

Difficulty Breakdown

Medium: 4, Hard: 4