Vpc And Private Network Design — AWS Solutions Architect Pro (SAP-C02)
Gateway Endpoints Are Free; NAT Gateways Charge per GB
Gateway VPC Endpoints for S3 and DynamoDB are a route-table target: traffic to those two services stays on the AWS network and the endpoint itself carries no hourly or per-gigabyte charge. A NAT Gateway charges per gigabyte processed and forwards traffic through the Internet Gateway to the service's public endpoint even when the destination is S3. Any scenario specifying 'private connectivity to S3 without traversing the internet' or 'eliminate data transfer charges for S3 access' describes a Gateway Endpoint, not a NAT Gateway. Interface VPC Endpoints (PrivateLink) cover the services that have no Gateway Endpoint and are billed per hour per AZ plus per gigabyte. S3 also offers an interface endpoint, but it is only the right answer when the clients sit outside the VPC (on-premises over Direct Connect or VPN), because a Gateway Endpoint is reachable only from the VPC whose route tables reference it, not from peered VPCs, a transit gateway or on-premises. Read the connectivity requirement precisely to determine which endpoint type is correct before comparing costs.
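The check a practitioner would run to find this trap in a real account, as an added example that is not part of the original page: it walks route tables in the shape returned by ec2:DescribeRouteTables and reports every NAT-routed table that lacks a Gateway Endpoint route for S3 or DynamoDB. A Gateway Endpoint shows up as a route whose destination is the service's managed prefix list and whose target is the vpce- ID. All resource IDs and the prefix-list IDs are constructed placeholders (real prefix-list IDs are regional; look them up with `aws ec2 describe-prefix-lists`), and the NAT price is the $0.045/GB figure the page quotes.

```python
"""Audit route tables for private subnets that reach S3/DynamoDB via NAT
instead of a free Gateway Endpoint. Input mirrors ec2:DescribeRouteTables.
All IDs are constructed placeholders, not real resources."""

NAT_PER_GB_USD = 0.045  # NAT Gateway data-processing price quoted on the page

# Assumption: prefix-list IDs are region-specific; these are placeholders.
SERVICE_PREFIX_LISTS = {
    "s3": "pl-00000001",
    "dynamodb": "pl-00000002",
}


def classify_route_table(route_table):
    """Return (has_igw_default, has_nat_default, set_of_endpoint_prefix_lists)."""
    has_igw = has_nat = False
    endpoint_prefix_lists = set()
    for route in route_table.get("Routes", []):
        if route.get("State", "active") != "active":
            continue  # blackhole routes forward nothing
        gateway = route.get("GatewayId", "")
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            if gateway.startswith("igw-"):
                has_igw = True
            elif route.get("NatGatewayId", "").startswith("nat-"):
                has_nat = True
        # Gateway Endpoint route: prefix-list destination, vpce- target (no ENI).
        if "DestinationPrefixListId" in route and gateway.startswith("vpce-"):
            endpoint_prefix_lists.add(route["DestinationPrefixListId"])
    return has_igw, has_nat, endpoint_prefix_lists


def audit_route_tables(route_tables, service_prefix_lists=SERVICE_PREFIX_LISTS):
    """One finding per NAT-routed table that lacks an endpoint route for a service."""
    findings = []
    for rt in route_tables:
        _has_igw, has_nat, endpoints = classify_route_table(rt)
        if not has_nat:
            continue  # public (IGW) and fully isolated subnets are not this trap
        missing = sorted(svc for svc, pl in service_prefix_lists.items()
                         if pl not in endpoints)
        if missing:
            findings.append({
                "route_table_id": rt["RouteTableId"],
                "subnets": sorted(a["SubnetId"] for a in rt.get("Associations", [])
                                  if "SubnetId" in a),
                "services_via_nat": missing,
            })
    return findings


def monthly_nat_data_cost(gb_per_month):
    """Data-processing charge avoided by moving that volume to a Gateway Endpoint."""
    return round(gb_per_month * NAT_PER_GB_USD, 2)


# Constructed sample: a public table, a private table with only the S3
# endpoint, and a private table with no endpoints at all.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-public", "VpcId": "vpc-0",
     "Associations": [{"SubnetId": "subnet-pub-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0", "State": "active"}]},
    {"RouteTableId": "rtb-private-a", "VpcId": "vpc-0",
     "Associations": [{"SubnetId": "subnet-priv-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0", "State": "active"},
                {"DestinationPrefixListId": "pl-00000001", "GatewayId": "vpce-s3", "State": "active"}]},
    {"RouteTableId": "rtb-private-b", "VpcId": "vpc-0",
     "Associations": [{"SubnetId": "subnet-priv-b"}, {"SubnetId": "subnet-priv-c"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0", "State": "active"}]},
]

if __name__ == "__main__":
    for finding in audit_route_tables(SAMPLE_ROUTE_TABLES):
        print(finding)
    print("1 TiB/month through NAT costs about $", monthly_nat_data_cost(1024))
```

Against a live account, replace SAMPLE_ROUTE_TABLES with the "RouteTables" list from `boto3.client("ec2").describe_route_tables()` and fill SERVICE_PREFIX_LISTS from `describe-prefix-lists`; the audit logic is unchanged.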
What This Pattern Tests
The exam describes a network requirement and tests VPC topology decisions. Public subnets have a default route to an Internet Gateway. Private subnets route internet-bound traffic through a NAT Gateway ($0.045/hour + $0.045/GB processed). VPC Gateway Endpoints provide free private access to S3 and DynamoDB (a route table entry targeting the endpoint). Interface Endpoints (PrivateLink) provide private access to other AWS services and to third-party services through ENIs in your subnets ($0.01/hour per AZ plus a per-GB data-processing charge). Security Groups are stateful (allow the inbound request and the return traffic is tracked and allowed automatically). NACLs are stateless (both directions must be explicitly allowed, including the ephemeral port range that return traffic is sent to). The trap is using a NAT Gateway for S3 access from private subnets (the Gateway Endpoint is free) or confusing Security Group statefulness with NACL statelessness.
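The stateful-versus-stateless distinction from the paragraph above, as an added example that is not part of the original page: it models one TCP session from a client's ephemeral port to an instance on 443 and evaluates the request and the reply separately. The Security Group allows the reply because the connection is tracked; the NACL with only port 443 allowed outbound drops the reply, and adding an outbound rule for the ephemeral range fixes it. The rule format is a simplified model written for this example, not the EC2 API, and the rule sets are constructed.

```python
"""Model a stateful Security Group versus a stateless NACL for one TCP
session. Rule format is a simplified stand-in for the EC2 API."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = entering the subnet/instance, "out" = leaving it
    proto: str       # "tcp" or "udp"
    dst_port: int


@dataclass(frozen=True)
class NaclRule:
    number: int      # evaluated lowest first; first match wins
    direction: str   # inbound and outbound rule lists are separate in a NACL
    proto: str       # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    action: str      # "allow" or "deny"


def nacl_permits(rules, pkt):
    """Stateless: every packet, in either direction, is matched on its own."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.direction != pkt.direction or rule.proto not in ("all", pkt.proto):
            continue
        if rule.port_from <= pkt.dst_port <= rule.port_to:
            return rule.action == "allow"
    return False  # the implicit "*" deny at the end of every NACL


def tcp_session_via_nacl(rules, client_port, server_port):
    """Return (request_allowed, reply_allowed) for one client->server session."""
    request = Packet("in", "tcp", server_port)
    reply = Packet("out", "tcp", client_port)  # reply goes back to the ephemeral port
    request_ok = nacl_permits(rules, request)
    return request_ok, request_ok and nacl_permits(rules, reply)


def tcp_session_via_sg(inbound_allowed_ports, client_port, server_port):
    """Stateful: once the inbound request matches, the reply is tracked and
    allowed no matter what the outbound rules say."""
    request_ok = server_port in inbound_allowed_ports
    return request_ok, request_ok


# Constructed rule sets. The trap: 443 is allowed in both directions, but the
# reply to the client is destined for the client's ephemeral port, not 443.
NACL_TRAP = [
    NaclRule(100, "in", "tcp", 443, 443, "allow"),
    NaclRule(100, "out", "tcp", 443, 443, "allow"),
]
# Fix: allow outbound to the ephemeral range. 1024-65535 covers the ranges
# used by Linux, Windows, NAT gateways and load balancers.
NACL_FIXED = NACL_TRAP + [NaclRule(110, "out", "tcp", 1024, 65535, "allow")]

if __name__ == "__main__":
    client_port, server_port = 50432, 443
    print("Security Group :", tcp_session_via_sg({443}, client_port, server_port))
    print("NACL (trap)    :", tcp_session_via_nacl(NACL_TRAP, client_port, server_port))
    print("NACL (fixed)   :", tcp_session_via_nacl(NACL_FIXED, client_port, server_port))
```

The same asymmetry applies to outbound-initiated flows: an instance calling an external API needs an inbound NACL rule for the ephemeral range so the response can get back in, while a Security Group needs only the outbound rule.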
Decision Axis
Network isolation requirements determine subnet design. Private access to AWS services: Gateway Endpoint (S3/DynamoDB, free) vs. Interface Endpoint (everything else, paid).
Decision Rules
Select Transit Gateway over a VPC peering mesh when the topology requires transitive, centralized routing at scale. VPC peering is non-transitive: a full mesh of n VPCs needs n(n-1)/2 peering connections, cannot route traffic through a central inspection VPC, and forces every existing VPC's route tables to change whenever a new VPC is added, which breaks a 'no re-architecture when VPCs are added' constraint.
Select AWS PrivateLink over Transit Gateway when the dominant constraint is endpoint-only, service-scoped isolation. Transit Gateway is scalable, cross-account and private, but it grants transitive network-level routing into the full provider VPC; PrivateLink exposes a single service through an interface endpoint rather than a network, which is what 'least-privilege network access' or 'the consumer must not be able to reach any other resource in the provider VPC' describes.