AWS Compute & Networking: EC2, VPC, ELB, Auto Scaling for SAA-C03

Amazon Web Services (AWS), Associate level · Step 2 of 5 · 106 guides · updated 2026

Hands-on guides to compute, storage, databases, networking, and serverless on the world's most widely adopted cloud platform.

Step 2 — Compute & Networking

The compute and networking domains account for roughly 26% of the SAA-C03 exam. EC2 and VPC knowledge is foundational — nearly every architecture question assumes you can reason about instance placement, network routing, and traffic distribution.


EC2 — Elastic Compute Cloud

EC2 gives you virtual servers (instances) on demand. The exam tests your ability to choose the right instance type, the right purchasing model, and the right storage configuration for a scenario.

Instance Type Families (2026)

General Purpose (M, T series) — Balanced CPU/memory. T-series has burstable CPU.
Compute Optimized (C series) — High CPU:memory ratio. Batch processing, HPC.
Memory Optimized (R, X, z) — Large in-memory workloads. Databases, SAP HANA.
Storage Optimized (I, D, H) — High I/O throughput. NoSQL, data warehousing.
Accelerated (P, G, Inf2) — GPU/Inferentia. ML training/inference.

In current-generation names the family letter is followed by the generation number (e.g., m7g, c7i). The suffix letter matters:

EC2 Lifecycle

Pending ──► Running ──► Stopping ──► Stopped
               │                        │
               ▼                        ▼ (restart)
         Shutting-Down            (back to Pending)
               │
               ▼
          Terminated (permanent — data on EBS persists if DeleteOnTermination=false)

Stopped vs Terminated: A stopped instance retains its EBS root volume. A terminated instance deletes it (unless you changed the setting). Public IP changes on every stop/start — use an Elastic IP if you need a persistent address.

Security Groups vs NACLs

This comparison is tested constantly:

Security Groups                        │ Network ACLs (NACLs)
───────────────────────────────────────┼───────────────────────────────────────────────
Instance/ENI level                     │ Subnet level
Stateful (return traffic auto OK)      │ Stateless (must allow inbound + outbound)
Allow rules only                       │ Allow and Deny rules
Evaluated as a whole                   │ Rules evaluated in number order (lowest first)
Default: deny all inbound              │ Default: allow all (VPC default NACL)

A common exam pattern: “You want to block a specific IP from reaching any instance in a subnet.” → NACL (can Deny). Security Groups cannot Deny.
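The comparison table above is easiest to internalise by running the two evaluation models side by side. The following is an added illustration, not AWS code: the packet and rule formats are constructed for this example, and the semantics follow the table (security group: stateful, allow-only, any matching rule permits; NACL: stateless, numbered rules evaluated lowest first, first match wins, implicit final deny). It also shows the classic stateless mistake, a NACL with no outbound rule for ephemeral ports, which accepts the request and then drops the reply.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    """One inbound request as seen at the subnet boundary (constructed format)."""
    src_ip: str
    dst_port: int
    src_port: int = 50000   # client-side ephemeral port the reply goes back to


@dataclass
class SecurityGroup:
    """Stateful, allow-only, evaluated as a whole: any matching rule permits."""
    inbound: list = field(default_factory=list)   # (cidr, port)

    def allows_inbound(self, pkt: Packet) -> bool:
        src = ipaddress.ip_address(pkt.src_ip)
        return any(src in ipaddress.ip_network(cidr) and port == pkt.dst_port
                   for cidr, port in self.inbound)

    def allows_reply(self, pkt: Packet) -> bool:
        # Stateful: the reply to an allowed inbound flow needs no outbound rule.
        return self.allows_inbound(pkt)


@dataclass
class NetworkAcl:
    """Stateless: numbered allow/deny rules, lowest number first, first match
    wins, and the implicit '*' rule at the end denies anything unmatched."""
    inbound: list = field(default_factory=list)    # (number, cidr, (lo, hi), action)
    outbound: list = field(default_factory=list)

    @staticmethod
    def _evaluate(rules, ip: str, port: int) -> bool:
        addr = ipaddress.ip_address(ip)
        for _number, cidr, (lo, hi), action in sorted(rules, key=lambda r: r[0]):
            if addr in ipaddress.ip_network(cidr) and lo <= port <= hi:
                return action == "allow"
        return False   # implicit final deny

    def allows_inbound(self, pkt: Packet) -> bool:
        return self._evaluate(self.inbound, pkt.src_ip, pkt.dst_port)

    def allows_reply(self, pkt: Packet) -> bool:
        # Stateless: the reply must independently match an outbound rule that
        # covers the client's ephemeral port, or it is dropped at the subnet edge.
        return self._evaluate(self.outbound, pkt.src_ip, pkt.src_port)


def decide(sg: SecurityGroup, acl: NetworkAcl, pkt: Packet) -> str:
    """Inbound traffic meets the NACL at the subnet edge first, then the SG at the ENI."""
    if not acl.allows_inbound(pkt):
        return "dropped by NACL"
    if not sg.allows_inbound(pkt):
        return "dropped by SG"
    if not acl.allows_reply(pkt):
        return "request accepted, reply dropped by NACL (no outbound ephemeral rule)"
    return "allowed"


# Constructed sample configuration for a web subnet.
WEB_SG = SecurityGroup(inbound=[("0.0.0.0/0", 443)])

# NACL that blocks one address for the whole subnet (something a security
# group cannot express) and allows HTTPS from everyone else.
BLOCKING_ACL = NetworkAcl(
    inbound=[(90, "203.0.113.7/32", (0, 65535), "deny"),
             (100, "0.0.0.0/0", (443, 443), "allow")],
    outbound=[(100, "0.0.0.0/0", (1024, 65535), "allow")],   # ephemeral ports for replies
)

# Same inbound rules, but the outbound rule was forgotten: replies never leave.
FORGOT_OUTBOUND_ACL = NetworkAcl(inbound=BLOCKING_ACL.inbound, outbound=[])

if __name__ == "__main__":
    for acl_name, acl in (("blocking", BLOCKING_ACL), ("forgot-outbound", FORGOT_OUTBOUND_ACL)):
        for ip in ("198.51.100.5", "203.0.113.7"):
            print(f"{acl_name:16} {ip:14} -> {decide(WEB_SG, acl, Packet(ip, 443))}")
```

Note that `WEB_SG.allows_inbound` still returns True for 203.0.113.7: the security group has no vocabulary for "deny", so the block only takes effect because the NACL is evaluated first.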


VPC — Virtual Private Cloud

Every AWS account gets a default VPC. For production, you design your own. The VPC is your isolated network in the cloud.

VPC Architecture for High Availability

VPC: 10.0.0.0/16
├── Public Subnet A (10.0.1.0/24)   AZ us-east-1a
│   ├── EC2 Web Server
│   └── NAT Gateway (for private subnet outbound)
├── Public Subnet B (10.0.2.0/24)   AZ us-east-1b
│   └── EC2 Web Server
├── Private Subnet A (10.0.3.0/24)  AZ us-east-1a
│   └── RDS Primary
└── Private Subnet B (10.0.4.0/24)  AZ us-east-1b
    └── RDS Standby (Multi-AZ)

Route Table (Public):  0.0.0.0/0 → Internet Gateway
Route Table (Private): 0.0.0.0/0 → NAT Gateway

Internet Gateway (IGW): Allows public subnets to send/receive traffic from the internet. Horizontally scaled, HA by default. One per VPC.

NAT Gateway: Lets private subnet resources (like your database server) initiate outbound internet connections (e.g., to download OS patches) without being directly reachable from the internet. Deployed in a public subnet, referenced from private subnet route tables. Managed, HA within an AZ — deploy one per AZ for full HA.

Bastion Host (Jump Server): An EC2 instance in the public subnet used as a secure SSH gateway into private subnet instances. Modern alternative: AWS Systems Manager Session Manager (no bastion, no open port 22 needed).
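Whether a subnet is "public" is not a property of the subnet itself but of its route table, and the NAT gateway only works if it sits in a subnet that routes to the internet gateway. The following added example (not AWS code; the dictionaries are constructed to mirror the diagram above, where real data would come from the EC2 DescribeRouteTables and DescribeNatGateways APIs) implements the longest-prefix route lookup a VPC performs, classifies each subnet from its routes, and audits the two placement rules the text states: a private subnet must not route to an IGW, and a NAT gateway referenced from a private route table must live in a public subnet.

```python
import ipaddress

# Constructed sample mirroring the diagram above: subnet name -> (CIDR, AZ)
SUBNETS = {
    "public-a":  ("10.0.1.0/24", "us-east-1a"),
    "public-b":  ("10.0.2.0/24", "us-east-1b"),
    "private-a": ("10.0.3.0/24", "us-east-1a"),
    "private-b": ("10.0.4.0/24", "us-east-1b"),
}

# Constructed route tables: destination CIDR -> target, plus associated subnets.
ROUTE_TABLES = {
    "rtb-public":  {"routes": {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-1"},
                    "subnets": ["public-a", "public-b"]},
    "rtb-private": {"routes": {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-1"},
                    "subnets": ["private-a", "private-b"]},
}

# Constructed: the subnet each NAT gateway is deployed in (where its ENI lives).
NAT_GATEWAYS = {"nat-1": "public-a"}


def lookup_route(routes: dict, dest_ip: str):
    """Select a route the way a VPC route table does: the most specific
    (longest prefix) matching destination wins, so 10.0.0.0/16 'local'
    beats 0.0.0.0/0 for in-VPC addresses."""
    addr = ipaddress.ip_address(dest_ip)
    best_net, best_target = None, None
    for cidr, target in routes.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def route_table_of(subnet: str, route_tables: dict) -> dict:
    for rtb in route_tables.values():
        if subnet in rtb["subnets"]:
            return rtb
    raise KeyError(f"{subnet} has no route table association")


def is_public(subnet: str, route_tables: dict = ROUTE_TABLES) -> bool:
    """A subnet is public when its route table carries a route to an internet gateway."""
    routes = route_table_of(subnet, route_tables)["routes"]
    return any(target.startswith("igw-") for target in routes.values())


def audit(subnets: dict = SUBNETS, route_tables: dict = ROUTE_TABLES,
          nat_gateways: dict = NAT_GATEWAYS) -> list:
    """Return findings that would break the intended public/private split."""
    findings = []
    for name, (cidr, _az) in subnets.items():
        if name.startswith("private") and is_public(name, route_tables):
            findings.append(f"{name} ({cidr}) is named private but routes to an internet gateway")
    for rtb_name, rtb in route_tables.items():
        target = rtb["routes"].get("0.0.0.0/0")
        if target and target.startswith("nat-"):
            nat_subnet = nat_gateways.get(target)
            if nat_subnet is None or not is_public(nat_subnet, route_tables):
                findings.append(f"{rtb_name} sends internet traffic to {target}, "
                                f"which is not in a public subnet")
    return findings


if __name__ == "__main__":
    for name in SUBNETS:
        print(f"{name:10} public={is_public(name)}")
    print("findings:", audit() or "none")
    # Same layout with the NAT gateway accidentally placed in a private subnet.
    print("misplaced NAT:", audit(nat_gateways={"nat-1": "private-b"}))
```

The audit returns no findings for the layout in the diagram; moving the NAT gateway into a private subnet, or adding an IGW route to the private route table, produces one finding per broken rule.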

VPC Connectivity Options

Scenario                                          │ Solution
──────────────────────────────────────────────────┼──────────────────────────────────────
Two VPCs in same account/region need to talk      │ VPC Peering
Many VPCs across accounts/regions                 │ AWS Transit Gateway
On-premises to AWS (encrypted over internet)      │ Site-to-Site VPN
On-premises to AWS (dedicated private connection) │ AWS Direct Connect
Access AWS services without public internet       │ VPC Endpoints (Interface or Gateway)

Gateway Endpoints (free) work for S3 and DynamoDB. Interface Endpoints (PrivateLink, paid per hour) work for all other services.


Elastic Load Balancing

ELB automatically distributes traffic across targets and is the key component for achieving high availability and horizontal scaling.

Three Load Balancer Types

Application Load Balancer (ALB)
├── Layer 7 (HTTP/HTTPS/WebSocket)
├── Content-based routing (URL path, hostname, headers, query strings)
├── Native support for containers (ECS/EKS)
└── Best for: microservices, web apps, APIs
Network Load Balancer (NLB)
├── Layer 4 (TCP/UDP/TLS)
├── Millions of requests per second, ultra-low latency
├── Static IP per AZ (or Elastic IP) ← exam favorite
└── Best for: real-time gaming, IoT, financial apps
Gateway Load Balancer (GWLB)
├── Layer 3 (IP packet level)
├── Deploys third-party virtual appliances (firewalls, IDS/IPS)
└── Best for: network security inspection

Target Groups — The destination for load balancer traffic. Targets can be EC2 instances, IP addresses, Lambda functions (ALB only), or other ALBs. Health checks run against each target.

ALB Path-Based Routing Example:

ALB (my-app.com)
├── /api/*    ──► Target Group: API Servers (EC2 fleet)
├── /images/* ──► Target Group: Image Service (Lambda)
└── /*        ──► Target Group: Web Servers (EC2 fleet)

Sticky Sessions: ALB can route a user’s requests to the same target using cookies. Useful for session-based apps, but creates uneven load — prefer stateless apps with ElastiCache for sessions instead.


Auto Scaling Groups

ASGs automatically add or remove EC2 instances based on demand. Combined with ELB, they form the backbone of elastic architectures.

ASG Configuration

Launch Template (defines what to launch)
├── AMI ID
├── Instance type (+ optional weighted mix)
├── Key pair
├── Security groups
├── User data script
└── IAM instance profile
Auto Scaling Group
├── Min: 2 instances (never go below this)
├── Desired: 4 (start here)
├── Max: 10 (never exceed this)
├── VPC + subnets (launch across these AZs)
└── ELB Target Group (register new instances here)

Scaling Policies

Target Tracking (simplest) — “Keep average CPU at 60%.” ASG adds/removes instances automatically. This is the exam-recommended default.

Step Scaling — “When CPU > 70%, add 2 instances. When CPU > 90%, add 4.” More granular.

Scheduled Scaling — “Every Monday at 8 AM, set desired to 8.” For predictable load spikes.

Predictive Scaling — ML-based forecast using historical data. Pre-warms capacity before demand hits. Available as of 2021 and increasingly tested.
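To see how the first two policies differ in the capacity they ask for, and how Min/Max from the ASG configuration above always have the last word, here is an added example (not AWS code). It uses the numbers from this page (Min 2, Desired 4, Max 10, a 60% CPU target, and the 70%/90% step thresholds). The target tracking function is a simplified proportional model, an assumption of this example: the real service also applies cooldowns, instance warm-up and scale-in damping, which are omitted here. Step scaling follows the service's scheme of breach bands relative to the alarm threshold, with an inclusive lower bound and exclusive upper bound.

```python
import math


def clamp(desired: int, minimum: int, maximum: int) -> int:
    """An ASG never goes below Min or above Max, whatever a policy asks for."""
    return max(minimum, min(maximum, desired))


def target_tracking(current: int, metric: float, target: float,
                    minimum: int, maximum: int) -> int:
    """Simplified target tracking (assumption of this example): scale the
    fleet in proportion to how far the average metric is from the target,
    rounding up so the resulting average lands at or below the target.
    Works in both directions, so low CPU scales the fleet in."""
    if current == 0:
        return clamp(minimum, minimum, maximum)
    return clamp(math.ceil(current * metric / target), minimum, maximum)


def step_scaling(current: int, metric: float, threshold: float, steps: list,
                 minimum: int, maximum: int) -> int:
    """Step scaling: the alarm breaches at `threshold`; each step is
    (lower, upper, adjustment) on the breach size (metric - threshold),
    lower inclusive, upper exclusive, None meaning unbounded. The matching
    step's adjustment is applied once; no breach means no change."""
    breach = metric - threshold
    if breach < 0:
        return current
    for lower, upper, adjustment in steps:
        if breach >= lower and (upper is None or breach < upper):
            return clamp(current + adjustment, minimum, maximum)
    return current


# Constructed from the ASG definition above.
MIN, DESIRED, MAX = 2, 4, 10
CPU_TARGET = 60.0

# "When CPU > 70%, add 2. When CPU > 90%, add 4." as breach bands over a 70% alarm:
# breach in [0, 20) -> +2, breach in [20, inf) -> +4.
CPU_THRESHOLD = 70.0
CPU_STEPS = [(0, 20, 2), (20, None, 4)]

if __name__ == "__main__":
    for cpu in (20.0, 30.0, 75.0, 90.0, 95.0):
        tt = target_tracking(DESIRED, cpu, CPU_TARGET, MIN, MAX)
        st = step_scaling(DESIRED, cpu, CPU_THRESHOLD, CPU_STEPS, MIN, MAX)
        print(f"cpu={cpu:5.1f}%  target-tracking -> {tt:2d}   step-scaling -> {st:2d}")
    # Max wins even when the policy asks for more.
    print("from 8 at 95%:", step_scaling(8, 95.0, CPU_THRESHOLD, CPU_STEPS, MIN, MAX))
```

Notice that target tracking is the only one of the two that scales in on its own from this input: step scaling needs a second, scale-in alarm with its own steps, which is one reason the page recommends target tracking as the default.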

Warm Pools (2026 Trend)

Pre-initialized instances sitting in a stopped state. When the ASG needs to scale out, warm pool instances start faster than launching from scratch — this reduces scale-out latency from minutes to seconds for apps with long bootstrap times.


Exam Patterns to Recognise