Determine High-Performing and Scalable Network Architectures for SAA-C03

Cover CloudFront, Global Accelerator, Direct Connect, VPN, PrivateLink, load balancing, and scalable VPC topology choices for SAA-C03 networking scenarios.

Performance in AWS networking is about placing traffic on the right path. SAA-C03 wants to know whether you can choose the right load balancer, edge service, hybrid link, and VPC topology so the network supports scale instead of quietly becoming the bottleneck.

What AWS is explicitly testing

The exam guide points to edge networking services, subnet tiers and routing, load balancing, network connection options such as VPN, Direct Connect, and PrivateLink, and scalable topology design.

Network chooser

| Requirement | Strongest first fit | Why |
|---|---|---|
| HTTP or HTTPS routing with host or path logic | ALB | Layer 7 routing and web-aware features |
| Very high-throughput TCP or UDP path with static IP style needs | NLB | Layer 4 fit with low overhead |
| Global HTTP content acceleration and caching | CloudFront | Edge caching and origin acceleration |
| Global non-HTTP entry with fast regional failover | Global Accelerator | Anycast entry and network-path optimization |
| Predictable private hybrid connectivity | Direct Connect | Better fit than internet VPN when consistency matters |

Load balancer and edge chooser

| Pattern | Usually strongest fit | What SAA-C03 is really testing |
|---|---|---|
| Host-based or path-based web routing | ALB | Whether the answer needs Layer 7 awareness |
| Static-IP style, TCP or UDP, or extreme throughput | NLB | Whether the path is transport-level rather than HTTP-aware |
| Global cacheable web delivery | CloudFront | Whether edge caching and origin offload matter more than raw routing |
| Global application entry with fast regional failover | Global Accelerator | Whether the answer is network-path optimization rather than CDN caching |
| Private service exposure without full VPC connectivity | PrivateLink | Whether one service should be exposed privately without broad routing |

The architecture question behind the services

SAA-C03 often hides the decision inside one of these phrases:

  • “global users need lower latency”
  • “hybrid network needs predictable performance”
  • “the app must expose only one service privately across VPCs”
  • “the traffic is TCP, not HTTP”

Those are not generic networking clues. They usually point directly toward CloudFront, Global Accelerator, Direct Connect, PrivateLink, ALB, or NLB.

Request-path pattern you should recognize

    flowchart LR
      U["Global users"] --> E["CloudFront or Global Accelerator"]
      E --> L["ALB or NLB"]
      L --> A["Application tiers in the right subnets"]

What matters here is not the exact shape. It is the separation of concerns:

  • edge service for global entry or caching
  • load balancer for protocol-aware distribution
  • application placement and subnet routing behind it

Example: choose an interface endpoint for private service access

This is the kind of network configuration SAA-C03 expects you to reason about:

    Resources:
      ApiEndpoint:
        Type: AWS::EC2::VPCEndpoint
        Properties:
          # Interface endpoints place network interfaces in the listed subnets
          VpcEndpointType: Interface
          VpcId: vpc-1234567890abcdef0
          ServiceName: com.amazonaws.us-east-1.execute-api
          # Subnet and security group values below are illustrative placeholders
          SubnetIds:
            - subnet-app-a
            - subnet-app-b
          SecurityGroupIds:
            - sg-endpoint

What to notice:

  • this is a private service access pattern, not broad network peering
  • the endpoint spans subnets and uses attached security groups, which makes it operationally different from a simple public path
  • SAA-C03 often prefers this kind of narrow private exposure over opening wider connectivity than the requirement justifies
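
The attached security group is where the narrow exposure is actually enforced. The template below is an added example, not part of the original page: it defines the endpoint's security group so that only the application tier can reach the endpoint on HTTPS. The parameter names and logical IDs (`VpcId`, `AppSubnetA`, `AppSubnetB`, `AppSecurityGroupId`, `EndpointSecurityGroup`) are assumptions made for illustration.

```yaml
# Added example: parameter names and logical IDs are assumptions, not from the page.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  AppSubnetA:
    Type: AWS::EC2::Subnet::Id
  AppSubnetB:
    Type: AWS::EC2::Subnet::Id
  AppSecurityGroupId:
    # Security group already attached to the application tier (assumed to exist)
    Type: AWS::EC2::SecurityGroup::Id
Resources:
  EndpointSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS from the application tier to the interface endpoint
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        # Narrow rule: only members of the app tier's security group, only TCP 443.
        # The broad form to avoid here would be a CidrIp of 0.0.0.0/0 or the whole VPC range.
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          SourceSecurityGroupId: !Ref AppSecurityGroupId
  ApiEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Interface
      VpcId: !Ref VpcId
      ServiceName: !Sub com.amazonaws.${AWS::Region}.execute-api
      # One subnet per Availability Zone so the endpoint survives a zone failure
      SubnetIds:
        - !Ref AppSubnetA
        - !Ref AppSubnetB
      SecurityGroupIds:
        - !Ref EndpointSecurityGroup
```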

Failure patterns worth recognizing

| Symptom | Strongest first check | Why |
|---|---|---|
| Global users still see high latency for cacheable content | CloudFront fit and origin path | The workload may need edge caching, not just a bigger backend |
| Regional failover is slow for a TCP application | Global entry strategy | DNS-only thinking may be weaker than a network accelerator approach |
| The service needs only one private endpoint across VPCs | PrivateLink versus broader topology | Full VPC connectivity may be more than the requirement needs |
| The load balancer works, but the routing logic is wrong | ALB versus NLB fit | The chosen load balancer may not match the protocol or routing requirement |

Common traps

  • choosing ALB for a requirement that really needs NLB characteristics
  • assuming CloudFront and Global Accelerator solve the same problem
  • using broad VPC connectivity where a private service exposure model is enough
  • focusing on bandwidth only when the real issue is placement, protocol, or edge routing


Continue with 3.5 Data Ingestion & Transformation to finish the performance domain with transfer, stream, analytics, and transformation paths.