Pablo Rodriguez

Well Architected Framework

Applying Well-Architected Framework Principles to a Network


When designing a VPC network, consider all future planned workloads in the VPC. Your network design should support workloads by meeting the same standards - being resilient, secure, performant, and cost effective.

The AWS Well-Architected Framework supplies best practices for workload design, operation, and maintenance. It helps you understand the pros and cons of decisions made while building workloads on AWS through foundational questions that determine whether a specific architecture aligns with cloud best practices.

Best Practice: Ensure IP subnet allocation accounts for expansion and availability

Resiliency measures the ability of a workload to perform its intended function correctly and consistently when expected. Your network should anticipate possible network failures and accommodate future traffic growth.

Multi-AZ Planning

  • Allow CIDR block space for multiple subnets spanning multiple AZs
  • Always allocate unused CIDR block space for future expansion
  • Account for five reserved IP addresses per subnet for AWS use

Service Considerations

  • Consider services that allocate additional IP addresses (container services)
  • Deploy large VPC CIDR blocks (can’t be changed after creation)
  • Plan subnet CIDR ranges carefully (subnet IPv4 CIDRs can’t be changed)
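Subnet sizing is easy to get wrong because the addresses you think you have are not the addresses you can use: AWS reserves five addresses in every subnet, and neither the VPC primary CIDR nor a subnet CIDR can be resized afterwards. The helper below is an added example (not code from the original page) that carves a VPC CIDR into one subnet per (Availability Zone, tier) pair, reports usable addresses after the reserved five, and keeps the unallocated blocks visible as headroom. The AZ names, tier names and CIDRs are constructed sample values.

```python
"""Subnet planning helper: carve a VPC CIDR into per-AZ, per-tier subnets and
report usable addresses after the five AWS-reserved addresses per subnet."""
import ipaddress

# AWS reserves the network address, VPC router, DNS resolver, one address for
# future use, and the broadcast address in every subnet.
AWS_RESERVED_PER_SUBNET = 5


def usable_hosts(cidr: str) -> int:
    """Addresses actually assignable in an AWS subnet of this size."""
    net = ipaddress.ip_network(cidr, strict=False)
    return max(net.num_addresses - AWS_RESERVED_PER_SUBNET, 0)


def plan_subnets(vpc_cidr: str, azs, tiers, subnet_prefix: int):
    """Allocate one /subnet_prefix block per (az, tier) from vpc_cidr in a
    stable order (tier-major, AZ-minor) and return (plan, spare_blocks).

    Raises ValueError when the VPC cannot hold the requested subnets, which is
    exactly the 'small VPC with small subnets' failure mode."""
    vpc = ipaddress.ip_network(vpc_cidr)
    needed = len(azs) * len(tiers)
    # ipaddress raises ValueError itself if subnet_prefix is shorter than the VPC prefix.
    blocks = list(vpc.subnets(new_prefix=subnet_prefix))
    if len(blocks) < needed:
        raise ValueError(
            f"{vpc_cidr} holds only {len(blocks)} /{subnet_prefix} subnets, "
            f"{needed} needed for {len(azs)} AZs x {len(tiers)} tiers"
        )
    keys = [(az, tier) for tier in tiers for az in azs]
    plan = dict(zip(keys, blocks))
    spare = blocks[needed:]  # untouched blocks kept for future expansion
    return plan, spare


def fits(vpc_cidr: str, azs, tiers, subnet_prefix: int) -> bool:
    """True if the VPC can hold one /subnet_prefix per (AZ, tier)."""
    try:
        plan_subnets(vpc_cidr, azs, tiers, subnet_prefix)
        return True
    except ValueError:
        return False


def summarize(plan, spare):
    """Usable-address view of a plan: per-subnet counts plus total spare addresses."""
    return {
        "subnets": {f"{az}/{tier}": (str(net), usable_hosts(str(net))) for (az, tier), net in plan.items()},
        "spare_addresses": sum(b.num_addresses for b in spare),
    }


if __name__ == "__main__":
    # Constructed sample: a /16 VPC, three AZs, public + private tiers, /20 subnets.
    azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
    tiers = ["public", "private"]
    plan, spare = plan_subnets("10.0.0.0/16", azs, tiers, 20)
    for k, v in summarize(plan, spare)["subnets"].items():
        print(f"{k:22} {v[0]:16} usable={v[1]}")
    print("spare addresses:", summarize(plan, spare)["spare_addresses"])
```

With a /16 VPC and /20 subnets, six subnets are placed and ten /20 blocks remain free for new tiers or AZs; the same call against a /27 VPC with /28 subnets fails immediately, because a /27 contains only two /28 blocks and each of those offers just 11 usable addresses.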

Security Pillar: Infrastructure Protection


AWS recommends applying a Zero Trust approach where application components are considered separate from each other and no component trusts any other component.

  1. Create Network Layers: Logically group workload components sharing the same sensitivity requirements

    • Place databases with no internet access in subnets with no internet routes
    • Traffic should only flow from adjacent, next least sensitive resources
  2. Control Traffic at All Layers: Apply multiple security controls with defense-in-depth approach

    • Define allowed traffic paths using security groups, network ACLs, subnets, route tables
    • Configure internet gateways and NAT gateways appropriately
  3. Implement Inspection and Protection: Inspect and filter traffic at each layer

    • Use VPC Network Access Analyzer to inspect configurations for unintended access
    • Apply traffic filtering at multiple network levels

Each workload deployed in a VPC has different requirements for latency, throughput, jitter tolerance, and bandwidth. Jitter is variation in packet delay, typically caused by network congestion or route changes.

Impact Analysis

Understand How Networking Impacts Performance

  • Analyze network-related decisions’ impact on workload performance
  • Consider latency constraints (e.g., synchronous replication between Regions not possible due to latency)
  • Leverage single-digit millisecond latency between AZs for synchronous replication

Feature Evaluation

Evaluate Available Networking Features

  • Benchmark workload performance metrics including network metrics
  • Continually evaluate for improvement areas and performance bottlenecks
  • Use Network Access Analyzer to identify network paths and routes

Protocol Selection

Choose Network Protocols to Improve Performance

  • Don’t use TCP for all workloads regardless of requirements
  • Use TCP and UDP together for Virtual Desktop Infrastructure
  • Leverage TCP reliability for critical data and UDP speed for real-time data

Best Practice: Choose Regions based on cost

A workload on a network should fully utilize all resources, achieve outcomes at the lowest possible price point, and meet functional requirements. Network costs should be included in workload cost benchmarks.

Choose Regions Based on Cost: Use the AWS Region that delivers the best overall global cost solution. Each AWS Region operates within local market conditions with different resource pricing due to:

  • Cost of land, fiber, electricity, and taxes
  • Local market conditions and regulations
  • Geographic proximity to users

Geographic Selection Balance: Select locations based on:

  • Business requirements
  • Data privacy and sovereignty requirements
  • Performance and latency needs
  • Security requirements
  • Overall cost optimization

Network Design Anti-Patterns and Solutions


Consider this scenario, which illustrates several common network design mistakes:

Company A Scenario:

  • Fitness shoe company based in Europe with US customer base
  • Website and database servers deployed in Ireland AWS Region in single VPC with one public subnet
  • VPC has /27 netmask (32 IP addresses), subnet has /28 netmask (16 IP addresses)
  • Security group allows internet traffic to both website and database servers
  • Projecting rapid growth

Anti-Pattern 1

Small VPC with Small Subnets

  • Limited IP addresses prevent future growth
  • Inadequate space for expansion

Solution: Large VPCs with large public and private subnets

Anti-Pattern 2

Permissive Security Groups

  • All servers have internet access
  • No traffic segmentation

Solution: Strict security groups layered by server usage

Anti-Pattern 3

Direct Database Access

  • Database servers accessible from internet
  • No network isolation

Solution: No direct access to databases (private subnets)

Anti-Pattern 4

Distant AWS Region

  • Region far from customer base
  • High latency for users

Solution: AWS Region close to customers

  1. Network Sizing: Use large VPCs with sufficient IP addresses for future growth across multiple AZs

  2. Security Segmentation:

    • Website servers: Own security group with internet access in public subnet
    • Database servers: Own security group allowing access only from website security group in private subnet
  3. Database Protection:

    • Place database servers in private subnets
    • No direct internet access to databases
    • Configure maintenance access through security groups and NAT gateway for patching
  4. Geographic Optimization: Use AWS Region closer to customer base for lower latency and data sovereignty

Well-Architected Network Principles Summary


Foundations

  • Ensure IP subnet allocation accounts for expansion and availability
  • Plan for multiple AZs and future growth
  • Deploy large VPC CIDR blocks, since they cannot be changed later

The AWS Well-Architected Framework provides comprehensive guidance for designing resilient, secure, performant, and cost-effective networks that support workload requirements while avoiding common anti-patterns through proper planning, security layering, performance optimization, and cost-conscious regional selection.