Networking Design

• Multi-region expansion
• Future peerings (partners, M&A)
• VPN client pool

Don't use overlapping RFC1918 ranges if hybrid connectivity planned.

Subnet tiers

Per VPC:

Multi-AZ: 3 subnets per tier × 3 AZs = 9 subnets typical.

Routing

• Internet Gateway (public only)
• NAT Gateway (private → internet; per-AZ for HA)
• Transit Gateway for cross-VPC + hybrid hub
• VPC Peering for simple 1:1 (bypasses TGW cost but doesn't transit)
• Routing tables per subnet tier

Hub-spoke topology

For multi-VPC / multi-account:

• Hub VPC (shared services: DNS, monitoring, hybrid connectivity)
• Spoke VPCs (workload envs)
• Spokes route to hub; hub routes out (internet / on-prem)

DNS

Naming convention: <service>.<env>.<region>.<company>.internal.

Private endpoints for managed services

Avoid public internet traffic to managed services within same cloud:

• VPC endpoints (AWS) / Private Link / Private Service Connect
• Access S3 / RDS / Cloud SQL / etc. over private network
• Reduces egress + improves security

Load balancers

CDN

• Static content + dynamic content at edge
• CloudFront / Cloudflare / Fastly / Akamai
• Cache policy per content type
• Edge functions for logic at edge (Lambda@Edge, Workers, Cloudflare)

Hybrid connectivity

Service mesh network

For microservices:

• Sidecar-based (Istio / Linkerd)
• mTLS between services
• Traffic policies (retry / timeout / circuit-breaker)
• Observability

Diagram

flowchart TB
    Internet
    subgraph VPC
        subgraph AZ1["AZ 1"]
            PUB1["Public subnet"]
            PRIV1["Private subnet"]
            DATA1["Data subnet"]
        end
        subgraph AZ2["AZ 2"]
            PUB2["Public subnet"]
            PRIV2["Private subnet"]
            DATA2["Data subnet"]
        end
    end
    Internet --> PUB1
    PUB1 --> PRIV1 --> DATA1
    PUB2 --> PRIV2 --> DATA2

Report

# Networking Design: [Scope]

## CIDR Plan
[Per env + future reservations]

## VPC Structure
[Hub-spoke / per-env / multi-region]

## Subnet Tiering
[Public / private / data per AZ]

## Routing
[IGW / NAT / TGW / peering]

## DNS Strategy
[External + internal + hybrid]

## Private Endpoints
[For managed services]

## Load Balancers + CDN
[Per external entry point]

## Hybrid Connectivity
[If on-prem]

## Service Mesh
[If microservices]

## Security Controls
[Security groups / NACLs / firewall rules]

## Diagram

Failure behavior

• Overlapping CIDRs → remediate before hybrid
• No private endpoints (all via internet) → challenge
• Public-by-default resources → flag
• mmdc failure → see mixin