Well Architected Framework Flashcards
Reliability
Use multiple regions and DX locations - DX Gateway
VPN to Multiple regions
Use both Tunnels.
AZ1 AZ2 AZ3 = Region 1
Duplicate services per AZ.
SLA Eligible w/ more circuits
Use multiple local routers w/ BFD
NET205, 308, 309
Security
Encryption
MACsec AES-256
Nitro-enabled instances
Encrypt your own traffic
Least privilege
AWS Config
Shared VPC / RBAC
Remove internet service
Centralize egress
AWS PrivateLink
Automation
AWS GuardDuty
NET306
Performance efficiency
Direct connect
Low latency, high BW, takes time
Dependency
LAG to 100GB
VPN
Encrypted, 1.25gb, the internet, fast setup
Up to 50gb with TxGw
n-family instances
Placement groups HPC/ML
Cloudfront, global accelerator, accel VPN
Closest DX location
Region, local zone, outposts
Baseline, look for bottlenecks
Operational excellence
Use automation
Tags, attachments, policies
SGs not IPs, metadata
Test for failures
Managed services
NAT instance vs NAT gw
SSH vs Session Manager
Transit VPC vs gw
EC2 DNS vs rt53 endpoints
Monitor, baseline, visibility - cloudwatch
Vpc flow logs
NET202
Cost Optimization
Different options
S3 through NAT gw $$$
—vpc endpoints instead
Reference resources by pub ip $$$
—use private ips
Keep apps AZ aware
Cloudfront for outbound traffic
Check nat gw use
Analyze Flowlogs - athena
Cost explorer
Dx lower data out costs
Right size instances
Shared vpcs?