Step 2: Compute & Networking
The compute and networking domains account for roughly 26% of the SAA-C03 exam. EC2 and VPC knowledge is foundational: nearly every architecture question assumes you can reason about instance placement, network routing, and traffic distribution.
EC2: Elastic Compute Cloud
EC2 gives you virtual servers (instances) on demand. The exam tests your ability to choose the right instance type, the right purchasing model, and the right storage configuration for a scenario.
Instance Type Families (2026)
- General Purpose (M, T series): balanced CPU/memory. T-series has burstable CPU.
- Compute Optimized (C series): high CPU:memory ratio. Batch processing, HPC.
- Memory Optimized (R, X, z series): large in-memory workloads. Databases, SAP HANA.
- Storage Optimized (I, D, H series): high I/O throughput. NoSQL, data warehousing.
- Accelerated (P, G, Inf2): GPU/Inferentia. ML training/inference.

Current-generation names carry a generation number after the family letter (e.g., m7g, c7i). The suffix letter after that number matters:

- g = AWS Graviton (ARM, best price-performance in 2026)
- i = Intel
- a = AMD
- n = Enhanced networking
- d = NVMe local storage
EC2 Lifecycle
```
Pending ──▶ Running ──▶ Stopping ──▶ Stopped
               │                       │
               ▼                       ▼ (restart)
         Shutting-Down           (back to Pending)
               │
               ▼
          Terminated (permanent; data on EBS persists only if DeleteOnTermination=false)
```

Stopped vs Terminated: A stopped instance retains its EBS root volume. A terminated instance deletes it (unless you changed the setting). The public IP changes on every stop/start; use an Elastic IP if you need a persistent address.
Security Groups vs NACLs
This comparison is tested constantly:
| Security Groups | Network ACLs (NACLs) |
|---|---|
| Instance/ENI level | Subnet level |
| Stateful (return traffic automatically allowed) | Stateless (must allow inbound and outbound) |
| Allow rules only | Allow and Deny rules |
| All rules evaluated as a whole | Rules evaluated in number order (lowest first) |
| Default: deny all inbound | Default: allow all (VPC default NACL) |

A common exam pattern: "You want to block a specific IP from reaching any instance in a subnet." → NACL (can Deny). Security Groups cannot Deny.
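The evaluation semantics in the table, modelled as an added example (not code from the original page): a NACL is an ordered, stateless, first-match list with an implicit deny, while a security group is an unordered set of allow rules. The rule sets and the IP addresses (documentation ranges) are constructed for the "block one IP" scenario.

```python
import ipaddress
from dataclasses import dataclass

# Constructed rule sets for the exam scenario "block one IP from a subnet".
# Addresses come from the RFC 5737 documentation ranges, not real hosts.
BLOCKED_IP = "203.0.113.7"

@dataclass(frozen=True)
class NaclRule:
    number: int       # NACLs evaluate rules lowest number first; first match wins
    action: str       # "allow" or "deny"
    cidr: str
    port_from: int
    port_to: int

def nacl_evaluate(rules, ip, port):
    """Stateless, ordered evaluation; the implicit '*' rule denies anything unmatched."""
    addr = ipaddress.ip_address(ip)
    for r in sorted(rules, key=lambda r: r.number):
        if addr in ipaddress.ip_network(r.cidr) and r.port_from <= port <= r.port_to:
            return r.action
    return "deny"

def sg_evaluate(allow_rules, ip, port):
    """Security groups hold allow rules only, checked as a set; there is no deny."""
    addr = ipaddress.ip_address(ip)
    return "allow" if any(addr in ipaddress.ip_network(cidr) and lo <= port <= hi
                          for cidr, lo, hi in allow_rules) else "deny"

# Subnet NACL: rule 50 denies the bad IP before rule 100 lets the world reach 443.
NACL_INBOUND = [NaclRule(100, "allow", "0.0.0.0/0", 443, 443),
                NaclRule(50, "deny", f"{BLOCKED_IP}/32", 0, 65535)]
# Same two rules with the deny numbered AFTER the allow: rule 100 matches first,
# so the blocked IP gets through. Ordering is the point the exam tests.
NACL_INBOUND_WRONG_ORDER = [NaclRule(100, "allow", "0.0.0.0/0", 443, 443),
                            NaclRule(200, "deny", f"{BLOCKED_IP}/32", 0, 65535)]
# Stateless: the reply to the client's ephemeral port needs its own outbound rule.
NACL_OUTBOUND = [NaclRule(100, "allow", "0.0.0.0/0", 1024, 65535)]
# Instance security group: stateful, so only the inbound allow is needed.
SG_INBOUND = [("0.0.0.0/0", 443, 443)]

def nacl_connection_ok(client_ip, client_port=50000, dst_port=443, outbound=NACL_OUTBOUND):
    """A TCP connection through a NACL needs both the request and the reply to match a rule."""
    return (nacl_evaluate(NACL_INBOUND, client_ip, dst_port) == "allow"
            and nacl_evaluate(outbound, client_ip, client_port) == "allow")
```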
VPC: Virtual Private Cloud
Every AWS account gets a default VPC. For production, you design your own. The VPC is your isolated network in the cloud.
VPC Architecture for High Availability
```
VPC: 10.0.0.0/16
├── Public Subnet A (10.0.1.0/24)   AZ us-east-1a
│   ├── EC2 Web Server
│   └── NAT Gateway (for private subnet outbound)
├── Public Subnet B (10.0.2.0/24)   AZ us-east-1b
│   └── EC2 Web Server
├── Private Subnet A (10.0.3.0/24)  AZ us-east-1a
│   └── RDS Primary
└── Private Subnet B (10.0.4.0/24)  AZ us-east-1b
    └── RDS Standby (Multi-AZ)

Route Table (Public):  0.0.0.0/0 → Internet Gateway
Route Table (Private): 0.0.0.0/0 → NAT Gateway
```

Internet Gateway (IGW): Allows public subnets to send/receive traffic from the internet. Horizontally scaled, HA by default. One per VPC.
NAT Gateway: Lets private subnet resources (like your database server) initiate outbound internet connections (e.g., to download OS patches) without being directly reachable from the internet. Deployed in a public subnet, referenced from private subnet route tables. Managed, HA within its AZ; deploy one per AZ for full HA.
Bastion Host (Jump Server): An EC2 instance in the public subnet used as a secure SSH gateway into private subnet instances. Modern alternative: AWS Systems Manager Session Manager (no bastion, no open port 22 needed).
VPC Connectivity Options
| Scenario | Solution |
|---|---|
| Two VPCs in same account/region need to talk | VPC Peering |
| Many VPCs across accounts/regions | AWS Transit Gateway |
| On-premises to AWS (encrypted over internet) | Site-to-Site VPN |
| On-premises to AWS (dedicated private connection) | AWS Direct Connect |
| Access AWS services without public internet | VPC Endpoints (Interface or Gateway) |
Gateway Endpoints (free) work for S3 and DynamoDB. Interface Endpoints (PrivateLink, paid per hour) work for all other services.
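Route selection for the VPC diagram above, and the effect of adding a gateway endpoint route, as an added example (not code from the original page). Route tables use longest-prefix match, so the private table's 0.0.0.0/0 → NAT route is only used when no more specific route (local, or an S3 endpoint prefix list) applies. The S3 prefix-list CIDR is a placeholder, not a real AWS range.

```python
import ipaddress

# Constructed route tables mirroring the diagram: 10.0.0.0/16 VPC, IGW, NAT gateway.
# The gateway endpoint route targets a prefix list; a placeholder CIDR stands in here.
S3_PREFIX_LIST = ["192.0.2.0/24"]   # placeholder for the S3 prefix list (pl-...)

PUBLIC_RT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw")]
PRIVATE_RT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-gw")]
PRIVATE_RT_WITH_ENDPOINT = PRIVATE_RT + [(cidr, "vpce-s3") for cidr in S3_PREFIX_LIST]

def next_hop(route_table, dst):
    """Longest-prefix match: the most specific route wins, regardless of listing order."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else "blackhole"

def trace_from_private_subnet(dst, route_table=PRIVATE_RT):
    """Follow a packet from a private-subnet instance hop by hop until it leaves the VPC."""
    path = [next_hop(route_table, dst)]
    if path[-1] == "nat-gw":
        # The NAT gateway sits in a public subnet and forwards using the public table.
        path.append(next_hop(PUBLIC_RT, dst))
    return path
```

Without the endpoint route, S3-bound traffic from the private subnet still exits through the NAT gateway and the IGW, which is the cost and exposure the gateway endpoint removes.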
Elastic Load Balancing
ELB automatically distributes traffic across targets and is the key component for achieving high availability and horizontal scaling.
Three Load Balancer Types
```
Application Load Balancer (ALB)
├── Layer 7 (HTTP/HTTPS/WebSocket)
├── Content-based routing (URL path, hostname, headers, query strings)
├── Native support for containers (ECS/EKS)
└── Best for: microservices, web apps, APIs

Network Load Balancer (NLB)
├── Layer 4 (TCP/UDP/TLS)
├── Millions of requests per second, ultra-low latency
├── Static IP per AZ (or Elastic IP): exam favorite
└── Best for: real-time gaming, IoT, financial apps

Gateway Load Balancer (GWLB)
├── Layer 3 (IP packet level)
├── Deploys third-party virtual appliances (firewalls, IDS/IPS)
└── Best for: network security inspection
```

Target Groups: The destination for load balancer traffic. Targets can be EC2 instances, IP addresses, Lambda functions (ALB only), or other ALBs. Health checks run against each target.
ALB Path-Based Routing Example:
```
ALB (my-app.com)
├── /api/*    ──▶ Target Group: API Servers (EC2 fleet)
├── /images/* ──▶ Target Group: Image Service (Lambda)
└── /*        ──▶ Target Group: Web Servers (EC2 fleet)
```

Sticky Sessions: ALB can route a user's requests to the same target using cookies. Useful for session-based apps, but creates uneven load; prefer stateless apps with ElastiCache for sessions instead.
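How an ALB listener picks a target group for the routing diagram above, as an added example (not code from the original page): rules are evaluated in priority order with ALB's wildcard semantics, and the first match wins. The rule names and priorities are constructed; only the hostname and the three path patterns come from the diagram.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ListenerRule:
    priority: int                        # lower value is evaluated first
    target_group: str
    path_pattern: Optional[str] = None   # e.g. "/api/*"
    host_header: Optional[str] = None    # e.g. "api.my-app.com" or "*.my-app.com"

def pattern_to_regex(pattern):
    """ALB wildcard semantics: '*' matches zero or more characters, '?' exactly one."""
    body = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + body + "$")

def rule_matches(rule, host, path):
    """Every condition on a rule must hold for the rule to match (AND semantics)."""
    if rule.path_pattern is not None and not pattern_to_regex(rule.path_pattern).match(path):
        return False
    if rule.host_header is not None and not pattern_to_regex(rule.host_header).match(host):
        return False
    return True

def route(rules, default_target_group, host, path):
    """Evaluate rules in priority order; first match wins, otherwise the default action."""
    path = path.split("?", 1)[0]   # the path condition does not see the query string
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, host, path):
            return rule.target_group
    return default_target_group

# Constructed listener for the diagram above (my-app.com is the page's example host).
LISTENER_RULES = [
    ListenerRule(10, "tg-api-servers", path_pattern="/api/*"),
    ListenerRule(20, "tg-image-service", path_pattern="/images/*"),  # Lambda target group
    ListenerRule(30, "tg-web-servers", path_pattern="/*"),
]
DEFAULT_TARGET_GROUP = "tg-web-servers"

def route_my_app(path):
    return route(LISTENER_RULES, DEFAULT_TARGET_GROUP, "my-app.com", path)
```

Note that "/api" without a trailing slash does not match "/api/*" and falls through to the catch-all rule, a detail that bites in real listener configurations.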
Auto Scaling Groups
ASGs automatically add or remove EC2 instances based on demand. Combined with ELB, they form the backbone of elastic architectures.
ASG Configuration
```
Launch Template (defines what to launch)
├── AMI ID
├── Instance type (+ optional weighted mix)
├── Key pair
├── Security groups
├── User data script
└── IAM instance profile

Auto Scaling Group
├── Min: 2 instances (never go below this)
├── Desired: 4 (start here)
├── Max: 10 (never exceed this)
├── VPC + subnets (launch across these AZs)
└── ELB Target Group (register new instances here)
```

Scaling Policies
Target Tracking (simplest): "Keep average CPU at 60%." ASG adds/removes instances automatically. This is the exam-recommended default.
Step Scaling: "When CPU > 70%, add 2 instances. When CPU > 90%, add 4." More granular.
Scheduled Scaling: "Every Monday at 8 AM, set desired to 8." For predictable load spikes.
Predictive Scaling: ML-based forecast using historical data. Pre-warms capacity before demand hits. Available as of 2021 and increasingly tested.
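A worked calculation for the target-tracking and step-scaling policies above, using the Min 2 / Max 10 bounds from the ASG configuration; this is an added example and a simplified model of the policies, not AWS's exact algorithm (the proportional target-tracking formula, absolute CPU bands for the steps, and the metric samples are assumptions).

```python
import math

# ASG bounds from the configuration above; the metric samples below are constructed.
MIN_SIZE, MAX_SIZE = 2, 10

def clamp(desired):
    """Desired capacity never leaves the [Min, Max] window, whatever the policy asks for."""
    return max(MIN_SIZE, min(MAX_SIZE, desired))

def target_tracking(current, metric, target):
    """Simplified model (an assumption, not AWS's exact algorithm): capacity is scaled in
    proportion to metric/target so the per-instance average returns to the target.
    Cooldowns and the conservative scale-in behaviour are ignored here."""
    return clamp(math.ceil(current * metric / target))

# Step adjustments as absolute CPU bands: (lower, upper, instances_to_add).
# Mirrors the page's "CPU > 70% add 2, CPU > 90% add 4" example.
STEPS = [(70, 90, 2), (90, None, 4)]

def step_scaling(current, metric, steps=STEPS):
    """Exactly one step applies: the band whose (lower, upper] range holds the metric."""
    for lower, upper, add in steps:
        if metric > lower and (upper is None or metric <= upper):
            return clamp(current + add)
    return current   # below every band: no action
```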
Warm Pools (2026 Trend)
Pre-initialized instances sitting in a stopped state. When the ASG needs to scale out, warm pool instances start faster than launching from scratch; this reduces scale-out latency from minutes to seconds for apps with long bootstrap times.
Exam Patterns to Recognise
- "Instances need to span multiple AZs and traffic should be distributed" → ALB + ASG across multiple subnets
- "Application needs a static IP for whitelisting by clients" → NLB (not ALB)
- "Private EC2 needs to download updates from the internet" → NAT Gateway in public subnet
- "VPC to VPC in same region, lowest latency" → VPC Peering (not VPN, not Direct Connect)
- "Block specific IP from all resources in a subnet" → NACL Deny rule
- "Cheapest way to add fault tolerance to a single EC2" → Multi-AZ + ASG with min=2