Account and Networking Lab
Retrieval Prompts
- State the shared-responsibility model in one paragraph and name three items that are always on the customer side.
- State the difference between a region and an availability zone from memory.
- Describe what makes a subnet public versus private.
- Draw a route table for a private subnet that needs outbound internet access.
- State the one-line difference between L4 and L7 load balancers and when each is preferred.
Compare and Distinguish
Separate these pairs clearly:
- region vs availability zone
- public subnet vs private subnet (and how the route table decides)
- NAT Gateway vs Internet Gateway
- L4 NLB vs L7 ALB
- public hosted zone vs private hosted zone
- VPC Gateway Endpoint vs PrivateLink Interface Endpoint
Common Mistake Check
For each statement, identify the error:
- "We have Multi-AZ RDS, so we are region-resilient."
- "The subnet is labeled private, so the database in it is safe."
- "One NAT Gateway is enough; we can put it in any AZ."
- "Our ALB is in one AZ, but the app spans three, so we are covered."
- "Private hosted zones mean the names are secret."
Mini Application
Do all tasks for this scenario:
You are setting up a new workload account from a landing zone. The workload is a 3-tier web app (public HTTPS API, internal app tier, PostgreSQL). Produce in writing:
- VPC CIDR and subnet layout across three AZs (public, private-app, private-data for each AZ)
- route-table rules for each subnet class (public, private-app, private-data)
- NAT Gateway placement and why
- load-balancer type and listener configuration (HTTPS :443)
- DNS plan: public record for the API, private record for the app-to-database hop
- one VPC endpoint or PrivateLink you would set up, and why
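A worked answer to the layout, route-table, NAT-placement and endpoint tasks above, added here as an example and not part of the original lab sheet. It uses Python's ipaddress module to carve a hypothetical 10.20.0.0/16 into nine /20s (three tiers times three AZs), builds each subnet class's route table so that the default route, not the subnet's name, decides public versus private, places one NAT Gateway per AZ, and simulates an AZ loss to show why a single shared NAT is the mistake the checklist warns about. The CIDR, the AZ suffixes a/b/c, and ids such as igw-main, nat-a, pl-s3-hypothetical and vpce-s3-gw are placeholders, not real AWS identifiers.

```python
"""Three-tier VPC layout with per-AZ NAT, worked as data (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

VPC_CIDR = "10.20.0.0/16"                 # hypothetical VPC block
AZS = ("a", "b", "c")                     # hypothetical AZ suffixes (e.g. us-east-1a)
TIERS = ("public", "private-app", "private-data")
IGW_ID = "igw-main"                       # placeholder ids, not real AWS identifiers
S3_PREFIX_LIST = "pl-s3-hypothetical"
S3_GATEWAY_ENDPOINT = "vpce-s3-gw"


@dataclass(frozen=True)
class Subnet:
    name: str
    az: str
    tier: str
    cidr: str


def carve_subnets(vpc_cidr: str = VPC_CIDR, new_prefix: int = 20) -> list[Subnet]:
    """Carve the VPC into one block per (tier, AZ). A /16 gives sixteen /20s;
    nine are used here and the remaining seven stay free for later growth."""
    blocks = list(ipaddress.ip_network(vpc_cidr).subnets(new_prefix=new_prefix))
    needed = len(TIERS) * len(AZS)
    if len(blocks) < needed:
        raise ValueError(f"{vpc_cidr} has {len(blocks)} /{new_prefix}s, need {needed}")
    pairs = [(tier, az) for tier in TIERS for az in AZS]
    return [Subnet(f"{tier}-{az}", az, tier, str(block))
            for (tier, az), block in zip(pairs, blocks)]


def assert_no_overlap(subnets: list[Subnet]) -> None:
    """Every subnet must sit inside the VPC and none may overlap another."""
    vpc = ipaddress.ip_network(VPC_CIDR)
    nets = [ipaddress.ip_network(s.cidr) for s in subnets]
    for i, n in enumerate(nets):
        if not n.subnet_of(vpc):
            raise ValueError(f"{n} is outside {vpc}")
        for m in nets[i + 1:]:
            if n.overlaps(m):
                raise ValueError(f"{n} overlaps {m}")


def nat_placement(subnets: list[Subnet]) -> dict[str, str]:
    """One NAT Gateway per AZ, hosted in that AZ's public subnet (it needs the
    IGW default route to reach the internet). Returns az -> hosting subnet."""
    return {s.az: s.name for s in subnets if s.tier == "public"}


def route_table(subnet: Subnet) -> list[tuple[str, str]]:
    """Routes as (destination, target). The default route is what makes a
    subnet public or private; the label on the subnet decides nothing."""
    routes = [(VPC_CIDR, "local")]  # AWS adds this implicitly; shown for clarity
    if subnet.tier == "public":
        routes.append(("0.0.0.0/0", IGW_ID))
    elif subnet.tier == "private-app":
        # Default route to the NAT in the SAME AZ: no cross-AZ dependency and
        # no cross-AZ data charge for egress.
        routes.append(("0.0.0.0/0", f"nat-{subnet.az}"))
        # Gateway endpoint for S3: traffic stays on the AWS network and never
        # transits the NAT. It is installed as a prefix-list route.
        routes.append((S3_PREFIX_LIST, S3_GATEWAY_ENDPOINT))
    # private-data: local route only. With no default route at all, nothing in
    # the data tier can reach the internet even if a security group is too open.
    return routes


def is_public(routes: list[tuple[str, str]]) -> bool:
    """A subnet is public iff its route table has a default route to an IGW."""
    return any(dst == "0.0.0.0/0" and tgt.startswith("igw-") for dst, tgt in routes)


def egress_after_az_loss(subnets: list[Subnet], lost_az: str,
                         single_nat_az: Optional[str] = None) -> list[str]:
    """Private-app subnets that still have outbound internet when lost_az fails.
    single_nat_az models the common mistake of one NAT Gateway for all AZs."""
    survivors = []
    for s in subnets:
        if s.tier != "private-app" or s.az == lost_az:
            continue                       # the subnet itself is gone
        nat_az = single_nat_az or s.az     # per-AZ NAT by default
        if nat_az != lost_az:
            survivors.append(s.name)
    return survivors


if __name__ == "__main__":
    layout = carve_subnets()
    assert_no_overlap(layout)
    for s in layout:
        kind = "public" if is_public(route_table(s)) else "private"
        print(f"{s.name:18} {s.cidr:16} {kind:8} {route_table(s)}")
    print("NAT placement:", nat_placement(layout))
    print("AZ a lost, per-AZ NAT:     ", egress_after_az_loss(layout, "a"))
    print("AZ a lost, single NAT in a:", egress_after_az_loss(layout, "a", "a"))
```

Running the script prints the nine subnets with their route tables, then the two failure simulations: with a NAT per AZ, losing AZ a leaves private-app-b and private-app-c with egress; with one shared NAT in AZ a, the same failure leaves none. The data tier carries only the local route on purpose; that route table, not the word "private" in the subnet name, is what answers the second common-mistake item. The load-balancer and DNS tasks are left to the written answer, since they are listener and record settings rather than something this layout computes.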
Evidence Check
This page is complete only if you can sketch the topology on a whiteboard without notes and narrate, for each component, which AZ it lives in, what its route table says, and how traffic reaches it.