
AWS

A comprehensive guide to Amazon Web Services project setup patterns, from single-account/single-VPC designs through multi-region active-active architectures and enterprise landing zones using AWS Control Tower.

Architecture Patterns at a Glance

| Pattern | Scope | Complexity | Typical Use Case |
|---|---|---|---|
| Single Account + Single VPC | One account, one VPC | Low | Small teams, prototypes, single-application workloads |
| Multi-VPC (Transit Gateway) | Hub-and-spoke via TGW | Medium-High | Enterprise with centralized networking, multi-team isolation |
| Multi-VPC (VPC Peering) | Peer-to-peer VPC connections | Medium | Small number of VPCs (2-4) with simple connectivity |
| AWS PrivateLink | Service-oriented private access | Medium | Consuming/producing services privately across VPC or account boundaries |
| Multi-Account + Organizations | OU hierarchy with SCPs | High | Large enterprises with regulated environments |
| Multi-AZ / Multi-Region | Cross-zone and cross-region deployments | High | Production workloads requiring HA and DR |
| DR: Backup & Restore | Backup to secondary region | Low | Cost-optimized DR, tolerates day-level downtime |
| DR: Pilot Light | Minimal core in secondary region | Medium | Cost-conscious orgs; hours-level RTO |
| DR: Warm Standby | Scaled-down full replica | Medium-High | Most enterprises; minutes-level RTO/RPO |
| DR: Active-Active | Full duplicate in multiple regions | Very High | Mission-critical apps requiring near-zero downtime |
| DMZ / Network Perimeter | Defense-in-depth with AWS Network Firewall | Medium | Regulated environments with inspection requirements |
| AWS Landing Zone | Org-wide foundation via Control Tower | Very High | Greenfield enterprise adoption of AWS |

Key AWS Services

Networking

  • VPC -- isolated virtual network with custom CIDR, subnets, route tables
  • Transit Gateway (TGW) -- regional hub for connecting VPCs, VPNs, and Direct Connect
  • VPC Peering -- direct peer-to-peer connection between two VPCs
  • AWS PrivateLink -- service-oriented private connectivity via VPC endpoints
  • NAT Gateway (AWS's equivalent of Cloud NAT) -- managed outbound NAT for resources in private subnets
  • Direct Connect -- dedicated physical connection to on-premises
  • AWS VPN -- IPsec site-to-site VPN over the internet
  • Elastic Load Balancing -- ALB (L7), NLB (L4), Gateway Load Balancer (L3, for inline security appliances)
  • Route 53 -- managed DNS with health-check-based routing and failover
  • Global Accelerator -- anycast acceleration for global user access
  • AWS Network Firewall -- managed stateful L3-L7 deep packet inspection
  • AWS Cloud WAN -- managed global WAN service for multi-region networking

Security

  • AWS WAF -- web application firewall for ALB, CloudFront, API Gateway
  • AWS Shield -- DDoS protection (Standard free; Advanced paid)
  • AWS Firewall Manager -- centralized firewall policy management across accounts
  • Security Groups -- stateful per-instance firewall
  • Network ACLs -- stateless subnet-level packet filter
  • Route 53 Resolver DNS Firewall -- outbound DNS filtering

Compute and Orchestration

  • EC2 -- VMs with Auto Scaling Groups for cross-AZ HA
  • EKS -- managed Kubernetes
  • ECS / Fargate -- managed container orchestration
  • Lambda -- serverless functions

Data

  • RDS -- managed relational DB with Multi-AZ and cross-region read replicas
  • Aurora -- MySQL/PostgreSQL-compatible with Global Database for cross-region replication
  • DynamoDB -- NoSQL with Global Tables for multi-region multi-active replication
  • S3 -- object storage with Cross-Region Replication (CRR)
  • ElastiCache -- managed Redis/Memcached; Global Datastore provides cross-region replication for Redis

Management and Governance

  • AWS Organizations -- multi-account hierarchy with OUs and SCPs
  • AWS Control Tower -- landing zone automation with guardrails and Account Factory
  • IAM Identity Center (SSO) -- centralized identity and SSO across accounts
  • CloudTrail -- API-level audit logging
  • AWS Config -- configuration compliance tracking
  • Security Hub -- centralized security findings aggregation
  • GuardDuty -- intelligent threat detection

Real-World Examples

| Scenario | Pattern(s) Used |
|---|---|
| Startup running a monolithic web app | Single Account + Single VPC |
| Mid-size SaaS company with 10+ microservices teams | Transit Gateway hub-spoke, multi-account per team |
| Large bank migrating to AWS with regulatory requirements | Full Landing Zone: Control Tower, SCPs, Network Firewall, GuardDuty |
| E-commerce platform needing 99.99% uptime | Multi-AZ with ALB, Aurora Multi-AZ, Warm Standby DR |
| Global payments processor | Active-Active multi-region with DynamoDB Global Tables, Global Accelerator |
| Manufacturing company with on-premises data center | Transit Gateway + Direct Connect + Pilot Light DR |

Questions

  • How does AWS Control Tower's guardrail model compare to Alibaba Cloud Governance Center's control policies in terms of coverage and flexibility?
  • What is the cost differential between Pilot Light, Warm Standby, and Active-Active DR for a typical 3-tier web application on AWS?
  • When should you choose AWS Cloud WAN over Transit Gateway inter-region peering for multi-region connectivity?
  • How does Aurora Global Database switchover compare to DynamoDB Global Tables failover in terms of operational complexity?
