SkarpSkarp

Chapter 25 of 26

Integrated Design Scenarios: Secure, Resilient, High-Performing, and Cost-Optimized

Bring everything together by walking through end-to-end architectures that force you to trade off security, resilience, performance, and cost the way the real exam does.

27 min readen

Bringing the Pillars Together in Real Architectures

Why This Module Matters

This module focuses on integration: designing end-to-end AWS architectures that balance security, resilience, performance, cost, and sustainability the way the SAA-C03 exam does.

Well-Architected as Your Lens

The AWS Well-Architected Framework defines six pillars: Operational excellence, Security, Reliability, Performance efficiency, Cost optimization, Sustainability. We will use these to evaluate designs.

Shared Responsibility Reminder

Under the AWS shared responsibility model, AWS secures of the cloud; you secure in the cloud by configuring services and protecting data. Exam scenarios often hinge on this boundary.

Goal for This Module

You will practice choosing and justifying architectures using core services (VPC, EC2, S3, RDS, ELB, Route 53, CloudFront, KMS, Auto Scaling) while managing tradeoffs between pillars.

Core Design Building Blocks for Integrated Scenarios

Network and Compute

Amazon VPC defines your network (subnets, routing, security groups). Amazon EC2 provides compute, with choices about instance family, size, AZ placement, and purchase option.

Traffic and Databases

Elastic Load Balancing spreads traffic across targets. Amazon RDS offers managed relational databases with options like Multi-AZ, read replicas, and different storage types.

Storage and Edge

Amazon S3 stores objects with multiple storage classes and lifecycle rules. Amazon Route 53 provides DNS and routing policies; Amazon CloudFront caches content at the edge.

Security and Scaling

AWS KMS manages encryption keys across services. AWS Auto Scaling adjusts capacity with demand, supporting performance efficiency and cost optimization.

Tradeoff Thinking with the Well-Architected Pillars

Key Pillar Definitions

Remember the exact wording for Security, Reliability, Performance efficiency, Cost optimization, and Sustainability. These phrases appear in AWS materials and align with exam language.

Mapping Requirements to Pillars

Example: "withstand AZ failure" → Reliability; "low global latency" → Performance efficiency; "encrypt all data" → Security; "minimize data transfer costs" → Cost optimization.

Spotting Conflicts

Multi-AZ RDS improves reliability but costs more. CloudFront boosts performance and may cut transfer cost but adds complexity. These tensions are the core of integrated design questions.

Choosing the Best Compromise

Use wording like "critical compliance requirement" or "strict budget" to rank pillars. The best answer satisfies top-priority requirements while making reasonable tradeoffs elsewhere.

Scenario 1: Secure, Highly Available Web App (Step-by-Step Design)

Scenario 1 Requirements

Public web app, regional users, spiky traffic, must survive AZ failure, encrypt data at rest and in transit, and be cost-conscious without sacrificing availability.

Network Layout

Design a VPC with public subnets for ALBs and private subnets for EC2 and RDS across at least two AZs. Lock down traffic using security groups, keeping RDS private.

Compute and Scaling

Place EC2 instances in an Auto Scaling group across AZs behind an ALB. Use scaling policies on CPU or request count. Mix On-Demand and Spot if interruption is acceptable.

Data and Encryption

Use RDS Multi-AZ with gp3 storage, automated backups, and optional read replicas. Encrypt RDS and EBS with KMS, terminate HTTPS at ALB, and enable S3 default encryption.

Cost and Sustainability Levers

Right-size instances, rely on Auto Scaling to avoid idle capacity, and use S3 lifecycle policies for logs to cut storage cost and reduce unnecessary resource usage.

Quick Check: Scenario 1 Tradeoffs

Test your understanding of the first integrated scenario.

In Scenario 1, which SINGLE change most directly improves reliability with the SMALLEST cost impact, assuming you already have Multi-AZ ALB+Auto Scaling in two AZs?

  1. Add a third AZ to the Auto Scaling group and ALB target group
  2. Upgrade EC2 instances from general purpose to compute-optimized
  3. Switch RDS storage from gp3 to io2 with high provisioned IOPS
  4. Enable S3 Intelligent-Tiering for static assets
Show Answer

Answer: A) Add a third AZ to the Auto Scaling group and ALB target group

Adding a third AZ to the Auto Scaling group and ALB target group directly improves reliability by providing additional fault isolation and capacity if an AZ fails. It has a moderate, controllable cost impact because you only pay for instances you actually run, and Auto Scaling can balance capacity. Upgrading instance families mainly affects performance, not reliability. Switching to io2 with high IOPS significantly increases database cost and mainly improves performance. S3 Intelligent-Tiering optimizes storage cost but does not materially improve availability of the web tier.

Scenario 2: Global Read-Heavy App – Performance vs Cost vs Security

Scenario 2 Requirements

Global news site, read-heavy, low-latency across continents, strict cost ceiling, HTTPS and content integrity required.

Edge and Origins

Place CloudFront in front, with S3 as origin for static content and an ALB for dynamic requests. Use Route 53 alias records to route users to CloudFront.

Database Strategy

Keep a primary RDS in one Region and add read replicas in key Regions, or Aurora Global Database if justified. Serve reads locally, writes go to primary.

Security at the Edge

Use ACM certs for HTTPS, lock S3 to CloudFront via OAC/OAI, and use signed URLs or field-level encryption if you must protect premium content.

Cost and Sustainability

Rely on CloudFront caching to reduce origin load and data transfer. Only deploy read replicas where latency matters, keeping footprint and energy use lower.

Thought Exercise: Choosing Between Multi-AZ and Multi-Region

Multi-AZ and multi-Region are two different reliability strategies that show up often in SAA-C03 scenarios.

Imagine this requirement set:

  • A financial reporting application used only in one country.
  • Regulatory requirement: data must not leave the country.
  • RPO (maximum acceptable data loss) of 5 minutes, RTO (maximum acceptable downtime) of 1 hour.
  • Strict budget; the business is not willing to pay for a full duplicate stack in another Region.

Reflect and answer for yourself (no grading, just reasoning practice):

  1. Would you choose Multi-AZ or multi-Region for the database? Why?
  2. How would you phrase your justification in Well-Architected terms (referencing reliability and cost optimization explicitly)?
  3. What additional security considerations arise from the data residency requirement?

Suggested reasoning path:

  • Multi-AZ within the same Region keeps data inside the country (assuming the Region is in that country) and provides automatic failover with minimal data loss, satisfying the RPO/RTO.
  • Multi-Region would violate data residency (if the second Region is outside the country) and significantly increase cost.
  • In Well-Architected language, you might say: "Multi-AZ RDS improves the reliability pillar by providing automatic failover across AZs while supporting the cost optimization pillar by avoiding the expense of a full multi-Region deployment. It also supports security and compliance by keeping data within the required jurisdiction."

Write down your own 2–3 sentence justification using this style. This is exactly the kind of explanation you should be able to think through during the exam, even if you never write it out.

Integrated Scenario MCQ Practice

Apply what you have learned to an exam-style question.

A startup is building an analytics dashboard on AWS. Requirements: - Users are mostly in one Region. - The app must withstand the loss of a single AZ. - Dashboards should load quickly even during peak hours. - Budget is limited; they want to avoid overprovisioning. - All customer data must be encrypted at rest. Which architecture BEST satisfies these requirements?

  1. Single-AZ VPC with EC2 instances behind an ALB, RDS Single-AZ, all data stored on encrypted EBS volumes, and manual scaling based on monthly reviews.
  2. VPC with public and private subnets across two AZs, ALB in public subnets, EC2 Auto Scaling group in private subnets, RDS Multi-AZ with KMS encryption, and CloudFront in front of the ALB.
  3. Multi-Region active-active deployment with EC2 and RDS in two Regions, Route 53 latency-based routing, RDS read replicas, and manual EC2 right-sizing every quarter.
  4. Serverless architecture using Lambda and API Gateway in a single AZ, RDS Single-AZ with encryption, and S3 for static assets without CloudFront.
Show Answer

Answer: B) VPC with public and private subnets across two AZs, ALB in public subnets, EC2 Auto Scaling group in private subnets, RDS Multi-AZ with KMS encryption, and CloudFront in front of the ALB.

Option 2 is best: it uses Multi-AZ for both the application tier (ALB + Auto Scaling across AZs) and RDS Multi-AZ for high availability, directly addressing the requirement to withstand AZ failure. KMS encryption ensures data at rest is protected. Auto Scaling and CloudFront improve performance efficiency and help avoid overprovisioning, supporting cost optimization. Option 1 fails the AZ-failure requirement and uses manual scaling. Option 3 over-engineers with multi-Region, exceeding the limited budget. Option 4 is not realistic: Lambda and API Gateway are Regional, not single-AZ, and it lacks explicit high-availability configuration for the database.

Cost-Optimized RDS and Database Patterns in Integrated Designs

RDS Deployment Models

Single-AZ is cheaper but less available; Multi-AZ adds a synchronous standby and automatic failover. Multi-AZ is about availability, not read scaling.

Sizing and Storage

Pick instance classes to match workload and prefer gp3 storage with tuned IOPS. Reserve io2 for workloads needing very high, consistent I/O.

Scaling Reads

Use RDS read replicas and caching (CloudFront or ElastiCache) to handle read-heavy workloads before jumping to larger, more expensive instances.

Cost and Sustainability

Backups to S3 with lifecycle rules, plus right-sized RDS instances and storage, support cost optimization, sustainability, and operational excellence together.

Key Concept Flashcards: Pillars and Patterns

Flip through these cards to reinforce critical definitions and patterns for integrated design scenarios.

AWS Well-Architected Framework
The AWS Well-Architected Framework provides a consistent set of best practices for customers and partners to evaluate architectures, and a set of questions you can use to evaluate how well an architecture is aligned to AWS best practices.
Security pillar
The security pillar describes how to take advantage of cloud technologies to protect data, systems, and assets in a way that can improve your security posture.
Reliability pillar
The reliability pillar encompasses the ability of a workload to perform its intended function correctly and consistently when it’s expected to. This includes the ability to operate and test the workload through its total lifecycle.
Performance efficiency pillar
The performance efficiency pillar focuses on the efficient use of computing resources to meet requirements and maintain that efficiency as demand changes and technologies evolve.
Cost optimization pillar
The cost optimization pillar includes the continual process of refinement and improvement of a system over its entire lifecycle to build and operate cost-aware systems that achieve business outcomes and minimize costs.
Sustainability pillar
The sustainability pillar focuses on minimizing the environmental impacts of running cloud workloads by maximizing utilization and minimizing the resources required, and by reducing the energy required to deliver business value.
Shared responsibility model
The AWS shared responsibility model describes how AWS is responsible for security of the cloud, while customers are responsible for security in the cloud, including the configuration of their services and data.
When to use RDS Multi-AZ
Use RDS Multi-AZ when you need higher availability and automatic failover across AZs. It is primarily an availability feature, not a read-scaling feature.
Read replicas vs Multi-AZ
Read replicas scale read traffic and can be in the same or different Regions. Multi-AZ provides synchronous standby for failover but does not offload reads by default.
CloudFront benefits in integrated designs
CloudFront improves global performance by caching content at edge locations and often reduces data transfer and origin load, supporting both performance efficiency and cost optimization.
VPC public vs private subnets
Public subnets have a route to an internet gateway and typically host load balancers or NAT gateways. Private subnets host application servers and databases without direct inbound internet access.

Putting It All Together for the Exam and Next Steps

Integrated Design Skills

You have practiced combining VPC, EC2, S3, RDS, ELB, Route 53, CloudFront, KMS, and Auto Scaling while balancing the Well-Architected pillars.

Exam Checklist

On each scenario: identify dominant pillars, pick appropriate building blocks, and mentally explain tradeoffs in Well-Architected language.

Avoiding Traps

Watch for overusing multi-Region, confusing Multi-AZ with read scaling, or neglecting encryption and private subnets when data sensitivity is clear.

Your Next Steps in Skarp

Take the domain diagnostic, then the next mock exam. Use your gap guide to target weak areas so integrated designs become automatic under exam timing.

Key Terms

gp3
A general-purpose SSD storage type for Amazon EBS and RDS that allows independent tuning of IOPS and throughput, offering a balance of performance and cost.
Amazon VPC
A logically isolated virtual network in AWS where you define your own IP address ranges, subnets, route tables, and network gateways.
Read replica
An asynchronous copy of an RDS database used to offload read traffic and, in some engines, support cross-Region read scaling and disaster recovery.
Multi-AZ (RDS)
A deployment option for Amazon RDS where a primary database synchronously replicates to a standby instance in another Availability Zone, providing automatic failover for higher availability.
Amazon Route 53
A scalable Domain Name System (DNS) web service that provides domain registration, DNS routing, and health checking, supporting policies like weighted, latency-based, and failover routing.
Security pillar
The security pillar describes how to take advantage of cloud technologies to protect data, systems, and assets in a way that can improve your security posture.
Amazon CloudFront
AWS’s content delivery network (CDN) that caches content at edge locations to improve performance and often reduce data transfer costs.
Auto Scaling group
A logical grouping of EC2 instances that can automatically increase or decrease capacity based on defined policies, schedules, or health checks.
Reliability pillar
The reliability pillar encompasses the ability of a workload to perform its intended function correctly and consistently when it’s expected to. This includes the ability to operate and test the workload through its total lifecycle.
Sustainability pillar
The sustainability pillar focuses on minimizing the environmental impacts of running cloud workloads by maximizing utilization and minimizing the resources required, and by reducing the energy required to deliver business value.
Cost optimization pillar
The cost optimization pillar includes the continual process of refinement and improvement of a system over its entire lifecycle to build and operate cost-aware systems that achieve business outcomes and minimize costs.
Shared responsibility model
The AWS shared responsibility model describes how AWS is responsible for security of the cloud, while customers are responsible for security in the cloud, including the configuration of their services and data.
Performance efficiency pillar
The performance efficiency pillar focuses on the efficient use of computing resources to meet requirements and maintain that efficiency as demand changes and technologies evolve.
AWS Well-Architected Framework
The AWS Well-Architected Framework provides a consistent set of best practices for customers and partners to evaluate architectures, and a set of questions you can use to evaluate how well an architecture is aligned to AWS best practices.
Application Load Balancer (ALB)
A Layer 7 load balancer in the Elastic Load Balancing family that routes HTTP/HTTPS traffic based on host, path, and headers, and integrates with services like AWS WAF.

Finished reading?

Test your understanding with a custom practice exam on this chapter.

Test yourself