Browse AWS Certification Guides

Design Cost-Optimized Network Architectures for SAA-C03

Fuad Efendi March 28, 2026 3 min read

Study NAT placement, VPC endpoints, CDN use, transfer-path design, and hybrid connectivity trade-offs for SAA-C03 network-cost scenarios.

On this page

This objective is where AWS checks whether you understand that network design changes cost dramatically. NAT placement, cross-AZ traffic, CDN use, endpoint selection, and hybrid connectivity choices can turn a technically correct architecture into an unnecessarily expensive one.

What AWS is explicitly testing

The current exam guide points to cost-management tools, load balancing, NAT gateways, connectivity options such as Direct Connect and VPN, routing and topology, DNS, transfer-cost minimization, CDN and edge caching strategy, and throttling choices.

Cost-aware network chooser

RequirementStrongest first fitWhy
Private S3 or DynamoDB access from private subnetsGateway endpointOften cheaper and simpler than NAT egress
Broad public-content deliveryCloudFrontCan reduce origin load and transfer cost while improving latency
Predictable dedicated hybrid pathDirect ConnectStrong fit when scale and consistency justify it
Faster low-cost connectivity setupVPNUsually faster to establish than Direct Connect

Transfer-cost checklist

Cost driverWhat to ask first
NAT gateway trafficCould this traffic stay private through an endpoint instead?
Cross-AZ trafficIs the path unintentionally crossing AZ boundaries?
Region-to-Region transferDoes the architecture really need cross-Region data movement on the hot path?
Edge deliveryShould CloudFront or another edge layer absorb repeated origin traffic?
Hybrid connectivityIs fast setup more important than long-term predictable throughput, or the reverse?

NAT and transfer cost are repeat offenders

SAA-C03 repeatedly tests whether you notice:

  • one shared NAT can become both a resilience problem and a transfer-cost problem
  • private access to S3 or DynamoDB often points to gateway endpoints
  • cross-AZ traffic and unnecessary public egress can quietly dominate the monthly bill

Network cost pattern

    flowchart LR
	  P["Private subnets"] --> N["NAT path if needed"]
	  P --> E["VPC endpoint where supported"]
	  U["Users"] --> C["CloudFront when edge caching fits"]

What to notice:

  • not every private service path should go through NAT
  • not every global content path should hit the origin directly
  • the cheapest correct answer often reduces both transfer distance and repeated origin work

Example: use a gateway endpoint instead of paying NAT for S3 access

 1Resources:
 2  S3GatewayEndpoint:
 3    Type: AWS::EC2::VPCEndpoint
 4    Properties:
 5      VpcEndpointType: Gateway
 6      VpcId: vpc-1234567890abcdef0
 7      ServiceName: !Sub "com.amazonaws.${AWS::Region}.s3"
 8      RouteTableIds:
 9        - rtb-private-a
10        - rtb-private-b

What to notice:

  • the route stays private inside the VPC path for S3
  • this often improves both cost and security
  • SAA-C03 repeatedly rewards endpoint thinking over “send everything through NAT” habits

Failure patterns worth recognizing

SymptomStrongest first checkWhy
Private-subnet data-transfer cost is unexpectedly highEndpoint eligibility and NAT pathPublic egress may be being used where a private path exists
One NAT gateway seems cheap at first but the bill grows with scaleCross-AZ traffic and single-egress designThe architecture may be paying transfer charges plus taking resilience risk
Global users keep hitting the origin directlyEdge caching and content-delivery fitCloudFront may reduce both latency and transfer cost
Hybrid traffic costs and complexity keep growingDirect Connect versus VPN fitThe wrong connection model may be driving both expense and instability

Common traps

  • paying NAT charges for S3 or DynamoDB access that could use gateway endpoints
  • ignoring cross-AZ or Region-to-Region transfer charges in “best architecture” questions
  • using Direct Connect when the requirement really prioritizes fast setup over steady throughput
  • skipping CloudFront even when the workload is globally distributed and cacheable

Quiz

Loading quiz…

Use the cheat sheet and resources next for final review, then switch into timed mixed scenario practice.

4.3 Database Solutions