Copyright (c) 2025 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

4.2.4. Tricky Architectural Distinctions & Common Pitfalls

💡 First Principle: A professional architect demonstrates mastery through a nuanced understanding of seemingly similar services, enabling them to select the precise tool for the job and avoid common misconfigurations.

Scenario: You are analyzing a proposed architecture that suggests using "VPC peering" to connect 30 "VPCs" in a mesh topology and recommending "S3 Intelligent-Tiering" for all long-term archives.

The SAP-C02 delights in subtle distinctions.

  • "VPC Peering" vs. "Transit Gateway": Peering is one-to-one and not transitive: a VPC peered with both A and B cannot forward traffic between A and B, so full connectivity between n "VPCs" needs n(n-1)/2 peering connections (435 for 30 "VPCs"), each with its own route-table entries. "TGW" is a regional hub with one attachment per "VPC", transitive routing between attachments, and "TGW" route tables that control which spokes may reach each other. Peering for a handful of "VPCs"; "TGW" for many.
  • "Direct Connect" vs. "Site-to-Site VPN": "Direct Connect" for dedicated, high-bandwidth, consistent-latency private connectivity; it is not encrypted by default, so run a "Site-to-Site VPN" over it (or use MACsec on a supported dedicated connection) when encryption in transit is required. "VPN" is internet-based, lower cost, quick to provision, with variable latency and throughput. Use a "VPN" as the backup path for "Direct Connect" for resilience.
  • "ALB" vs. "NLB" vs. "GLB": "ALB" for HTTP/S (Layer 7), routing on host, path, headers or query string, and the attachment point for "WAF". "NLB" for TCP/UDP/TLS (Layer 4), millions of requests per second at low latency, a static or Elastic IP per AZ, client source IP preserved. "GLB" (Gateway Load Balancer) to insert third-party network virtual appliances (firewalls, IDS/IPS) inline, using GENEVE encapsulation.
  • "Security Groups" vs. "Network ACLs": "SGs" are stateful (return traffic is allowed automatically), attached to the ENI, allow rules only (everything else is implicitly denied), and all rules are evaluated. "NACLs" are stateless (return traffic, including the ephemeral port range, must be allowed explicitly in the other direction), apply to the subnet, carry numbered allow and deny rules evaluated lowest number first with the first match winning, and end in an implicit deny. A "NACL" is the place to write an explicit deny for a CIDR.
  • "RDS Multi-AZ" vs. "Read Replicas" (same-region vs. cross-region): "Multi-AZ" for "HA": synchronous replication to a standby in another AZ, "RPO=0", automatic DNS failover within the region; the standby of a Multi-AZ instance deployment serves no reads. "Read Replicas" for read scaling: asynchronous, eventually consistent, "RPO>0", promotion is a manual step. Cross-region "Read Replicas" for "DR" and migrations.
  • "CloudFront" vs. "Global Accelerator": "CloudFront" for HTTP/S content delivery ("CDN") with edge caching. "Global Accelerator" for any TCP/UDP traffic: two static "Anycast IPs" that enter the AWS backbone at the nearest edge and are routed to the nearest healthy regional endpoint, with no caching.
  • "Lambda" vs. "Fargate": "Lambda" for event-driven functions (up to 15 min), "Fargate" for containerized apps (longer running). Both serverless.
  • "S3 Intelligent-Tiering" vs. "Lifecycle Policies": "Intelligent-Tiering" moves objects between access tiers automatically based on observed access, for a small per-object monitoring charge; use it when the access pattern is unpredictable. "Lifecycle Policies" transition or expire objects on fixed age-based rules; use them when the pattern is known, such as archives that can move straight to Glacier Flexible Retrieval or Deep Archive without paying to monitor them.
  • Managed Rules vs. Custom Rules ("Config"/"WAF"): Managed by AWS for common patterns. Custom for specific/complex requirements.
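To make the first distinction concrete, here is a small graph model of peering versus Transit Gateway reachability. It is an added example, not code from the page or from AWS: the VPC names and TGW route-table names are constructed, and it models route tables rather than calling any API.

```python
"""Added example (not from the page or from AWS): a small graph model of why
VPC peering does not scale to a 30-VPC mesh and why a Transit Gateway does.
VPC names and route-table names below are constructed for illustration."""
from itertools import combinations


def full_mesh_peerings(vpcs):
    """Every VPC pair needs its own peering connection: n(n-1)/2 for n VPCs."""
    return [frozenset(pair) for pair in combinations(vpcs, 2)]


def peering_mesh_connections(vpc_count):
    """Closed form of the count above; 30 VPCs -> 435 connections."""
    return vpc_count * (vpc_count - 1) // 2


def routes_per_vpc_route_table(vpc_count, topology):
    """Route-table entries each VPC needs to reach all the others.
    Peering: one route per peer.  TGW: one summary route (e.g. 10.0.0.0/8 -> the TGW)."""
    if topology == "peering":
        return vpc_count - 1
    if topology == "tgw":
        return 1
    raise ValueError(topology)


def reachable_via_peering(peerings, source):
    """Peering is NOT transitive: only VPCs directly peered with `source` are
    reachable, even when a 'hub' VPC is peered with everything."""
    reachable = set()
    for pair in peerings:
        if source in pair:
            reachable |= set(pair) - {source}
    return reachable


def reachable_via_tgw(associations, propagations, source):
    """TGW IS transitive, but only within a TGW route table: `source`'s attachment is
    associated with one route table, and it reaches every VPC whose attachment
    propagates routes into that table. The route table is the segmentation boundary."""
    route_table = associations[source]
    return propagations[route_table] - {source}


# Constructed topology: a hub VPC peered to three spokes (hub-and-spoke over peering).
VPCS = ["hub", "prod-a", "prod-b", "dev-c"]
HUB_PEERINGS = [frozenset(("hub", spoke)) for spoke in VPCS[1:]]

# The same four VPCs attached to one TGW and segmented with three TGW route tables:
# prod spokes reach each other and the hub; the dev spoke reaches only the hub.
TGW_ASSOCIATIONS = {"hub": "shared-rt", "prod-a": "prod-rt",
                    "prod-b": "prod-rt", "dev-c": "dev-rt"}
TGW_PROPAGATIONS = {
    "shared-rt": {"hub", "prod-a", "prod-b", "dev-c"},
    "prod-rt": {"hub", "prod-a", "prod-b"},
    "dev-rt": {"hub", "dev-c"},
}

if __name__ == "__main__":
    print("30-VPC full mesh peerings:", peering_mesh_connections(30))
    print("routes per VPC route table (peering / tgw):",
          routes_per_vpc_route_table(30, "peering"), routes_per_vpc_route_table(30, "tgw"))
    print("prod-a via peering:", sorted(reachable_via_peering(HUB_PEERINGS, "prod-a")))
    print("prod-a via TGW:", sorted(reachable_via_tgw(TGW_ASSOCIATIONS, TGW_PROPAGATIONS, "prod-a")))
    print("dev-c via TGW:", sorted(reachable_via_tgw(TGW_ASSOCIATIONS, TGW_PROPAGATIONS, "dev-c")))
```

The point the model makes: over peering, `prod-a` reaches only the hub no matter how the hub is peered, so a 30-VPC mesh needs 435 connections and 29 routes per route table; over a TGW, reachability is transitive but still bounded by which TGW route table an attachment is associated with, which is where prod/dev isolation is enforced.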
Visual: Tricky Distinctions & Common Pitfalls

āš ļø Common Pitfall: Confusing services that operate at different layers of the OSI model, such as choosing an "NLB" (Layer 4) when you need to route traffic based on the URL path (a Layer 7 function).

Key Trade-Offs:
  • Purpose-Built vs. General-Purpose: Understanding these distinctions allows you to choose the most efficient and effective service instead of trying to force a general-purpose service to perform a specialized task.

Reflection Question: Based on the tricky distinctions, what are the two main architectural flaws in the proposed solution of using "VPC peering" to connect 30 "VPCs" in a mesh topology and recommending "S3 Intelligent-Tiering" for all long-term archives? What alternative AWS services or strategies would you recommend to address these flaws, explaining the nuances of why your alternatives are superior?
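For the storage half of the reflection question, the following added example (not code from the page or from AWS) builds the lifecycle configuration that `put_bucket_lifecycle_configuration` accepts for a predictable archive, the Intelligent-Tiering alternative for an unknown access pattern, and a validator for the transition constraints S3 enforces, so a bad rule is caught before the API rejects it. The prefixes, rule IDs and retention periods are constructed for illustration.

```python
"""Added example (not from the page or from AWS): build lifecycle rules in the
shape boto3's put_bucket_lifecycle_configuration(LifecycleConfiguration=...)
expects, and check them against S3's transition constraints.
Prefixes, rule IDs and retention periods are constructed for illustration."""

# Storage-class waterfall: lifecycle transitions may only move left to right.
WATERFALL = ["STANDARD_IA", "INTELLIGENT_TIERING", "ONEZONE_IA",
             "GLACIER_IR", "GLACIER", "DEEP_ARCHIVE"]
MIN_DAYS_BEFORE_IA = 30   # objects must be 30 days old before STANDARD_IA / ONEZONE_IA


def predictable_archive_rule(prefix, retention_days):
    """Known pattern (write once, rarely read, fixed retention): age-based
    transitions straight down to Deep Archive, with no per-object monitoring."""
    return {
        "ID": f"archive-{prefix.strip('/')}",
        "Filter": {"Prefix": prefix},
        "Status": "Enabled",
        "Transitions": [
            {"Days": 30, "StorageClass": "GLACIER"},
            {"Days": 180, "StorageClass": "DEEP_ARCHIVE"},
        ],
        "Expiration": {"Days": retention_days},
    }


def unpredictable_access_rule(prefix):
    """Unknown pattern: hand objects to Intelligent-Tiering and let S3 move them
    between access tiers based on observed access."""
    return {
        "ID": f"auto-tier-{prefix.strip('/')}",
        "Filter": {"Prefix": prefix},
        "Status": "Enabled",
        "Transitions": [{"Days": 0, "StorageClass": "INTELLIGENT_TIERING"}],
    }


def validate_rule(rule):
    """Return a list of problems; an empty list means the rule passes these checks."""
    problems = []
    last_days, last_rank = -1, -1
    for t in rule.get("Transitions", []):
        cls, days = t["StorageClass"], t["Days"]
        if cls not in WATERFALL:
            problems.append(f"{rule['ID']}: unknown storage class {cls}")
            continue
        rank = WATERFALL.index(cls)
        if rank <= last_rank:
            problems.append(f"{rule['ID']}: {cls} does not move down the waterfall from the previous transition")
        if days <= last_days:
            problems.append(f"{rule['ID']}: Days for {cls} must exceed the previous transition's Days")
        if cls in ("STANDARD_IA", "ONEZONE_IA") and days < MIN_DAYS_BEFORE_IA:
            problems.append(f"{rule['ID']}: {cls} needs Days >= {MIN_DAYS_BEFORE_IA}, got {days}")
        last_days, last_rank = days, rank
    expiry = rule.get("Expiration", {}).get("Days")
    if expiry is not None and expiry <= last_days:
        problems.append(f"{rule['ID']}: Expiration Days must exceed the last transition's Days")
    return problems


def lifecycle_configuration(rules):
    """Validate every rule, then return the LifecycleConfiguration document."""
    problems = [p for r in rules for p in validate_rule(r)]
    if problems:
        raise ValueError("; ".join(problems))
    return {"Rules": rules}


# Constructed rule S3 would reject: Standard-IA after 7 days, Glacier earlier than
# the previous transition, and an expiration before the last transition.
BAD_RULE = {
    "ID": "bad-logs",
    "Filter": {"Prefix": "logs/"},
    "Status": "Enabled",
    "Transitions": [
        {"Days": 7, "StorageClass": "STANDARD_IA"},
        {"Days": 5, "StorageClass": "GLACIER"},
    ],
    "Expiration": {"Days": 3},
}

if __name__ == "__main__":
    print(lifecycle_configuration([predictable_archive_rule("backups/", 2555),
                                   unpredictable_access_rule("uploads/")]))
    print(validate_rule(BAD_RULE))
```

The archive rule answers the scenario: for data with a known write-once, keep-for-years pattern, an age-based transition to `GLACIER` and then `DEEP_ARCHIVE` avoids the Intelligent-Tiering monitoring charge entirely, while `unpredictable_access_rule` is the right shape only where access really is unknown.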