Learning Objectives
By the end of this chapter, you will be able to:
- Architect network connectivity strategies across AWS Regions, Availability Zones, and on-premises locations.
- Prescribe identity, encryption, and audit controls that meet enterprise security baselines.
- Design reliable and resilient architectures aligned with RTO and RPO targets.
- Build a multi-account AWS environment governed by AWS Organizations and AWS Control Tower.
- Determine cost optimization and visibility strategies that map spend to business units.
Executive Summary
- Network design at the Professional level begins with the placement of accounts, VPCs, and edge points, not with subnets and routes.
- Identity and encryption controls follow the network blueprint: cross-account roles, KMS key policies, and ACM certificates inherit the boundaries set by Organizations.
- Reliability targets (RTO and RPO) drive the disaster recovery pattern (backup and restore, pilot light, warm standby, multi-site), and the pattern dictates the replication topology and cost envelope.
- Cost visibility is an outcome of the tagging strategy, the account hierarchy, and the purchasing model. Without consistent tags, neither AWS Cost Explorer nor AWS Budgets can attribute spend to a business unit.
Assumptions
- The candidate has at least two years of hands-on AWS experience and is fluent with Amazon VPC, Amazon EC2, AWS IAM, and Amazon S3 at the Associate level.
- Region examples use
us-east-1,us-west-2, andeu-west-1for clarity. Replace with the Regions required by your data residency posture. - Pricing references describe model behavior, not absolute dollar values. Confirm rates with the AWS Pricing Calculator before committing.
- All service quotas cited are documented defaults. Quotas may be raised on request unless flagged as hard limits.
