Designing Network Architecture for Your AWS Landing Zone

Network architecture is one of the most critical aspects of your AWS Landing Zone. A well-designed network provides security isolation, enables connectivity between resources, and supports your business requirements while remaining flexible for future growth.

Network Architecture Fundamentals

Your Landing Zone network architecture must address:

• Isolation: Separating workloads and environments
• Connectivity: Enabling communication where needed
• Security: Controlling traffic flow
• Scalability: Growing with your organisation
• Performance: Minimizing latency
• Cost: Optimizing for efficiency

VPC Design Patterns

Pattern 1: Single VPC Per Account

The simplest approach: each account gets one VPC.

Pros:

• Simple to understand and manage
• Clear security boundaries
• Easy cost attribution

Cons:

• IP address space planning required across accounts
• Cross-account connectivity needed for shared services
• Can lead to many VPCs to manage

Best for: Small to medium organisations with clear workload separation

Pattern 2: Multiple VPCs Per Account

Different VPCs for different applications or tiers within an account.

Pros:

• Finer-grained isolation within accounts
• Different network configurations per application
• Reduced cross-account complexity

Cons:

• More complex to manage
• Higher VPC costs if many are needed
• Inter-VPC connectivity required

Best for: Large applications with distinct network requirements

Pattern 3: Shared VPC (AWS Resource Access Manager)

A centralised Network account owns VPCs shared with other accounts.

Pros:

• Centralised network management
• Consistent IP addressing
• Shared connectivity resources
• Simplified hybrid connectivity

Cons:

• More complex initial setup
• Requires careful planning
• Dependency on Network account

Best for: Large organisations with centralised network teams

IP Address Planning

Proper IP address planning prevents future headaches.

CIDR Block Sizing

Choose VPC CIDR blocks based on growth projections:

• /16 (65,536 IPs): Large production environments
• /20 (4,096 IPs): Typical production workloads
• /24 (256 IPs): Small environments or development

Australian Region Recommendations: For ap-southeast-2 (Sydney) deployments, plan for:

• Primary region VPCs
• DR capacity in ap-southeast-4 (Melbourne)
• Possible expansion to Singapore (ap-southeast-1)

Reserved IP Spaces

Use non-overlapping RFC 1918 private ranges:

Production VPCs:     10.0.0.0/16 - 10.15.0.0/16
Staging VPCs:        10.16.0.0/16 - 10.31.0.0/16
Development VPCs:    10.32.0.0/16 - 10.63.0.0/16
Shared Services:     10.64.0.0/16 - 10.79.0.0/16
On-Premises:         10.128.0.0/16 - 10.255.0.0/16

Important: Document your IP allocation scheme and maintain a source of truth (spreadsheet or IPAM tool).

Subnet Design

Within each VPC, create subnets for different purposes:

Public Subnets: Resources with internet access

• Application Load Balancers
• NAT Gateways
• Bastion hosts

Private Subnets: Internal resources

• Application servers
• Databases
• Internal services

Protected Subnets: Highly sensitive resources

• Databases with regulated data
• Internal APIs
• Compliance-scoped resources

Distribute subnets across Availability Zones:

VPC: 10.0.0.0/16

Public Subnets:
  - ap-southeast-2a: 10.0.0.0/24
  - ap-southeast-2b: 10.0.1.0/24
  - ap-southeast-2c: 10.0.2.0/24

Private Subnets:
  - ap-southeast-2a: 10.0.10.0/24
  - ap-southeast-2b: 10.0.11.0/24
  - ap-southeast-2c: 10.0.12.0/24

Protected Subnets:
  - ap-southeast-2a: 10.0.20.0/24
  - ap-southeast-2b: 10.0.21.0/24
  - ap-southeast-2c: 10.0.22.0/24

Connectivity Patterns

Internet Connectivity

Internet Gateway (IGW): Provides internet access for public subnets

• Attach one per VPC
• Use in public subnets only
• Free service

NAT Gateway: Enables outbound internet for private subnets

• Deploy one per AZ for high availability
• ~$0.059/hour + data transfer costs
• More reliable than NAT Instances

Egress-Only Internet Gateway: For IPv6 outbound-only access

VPC-to-VPC Connectivity

VPC Peering:

• Direct connection between two VPCs
• Low latency, no single point of failure
• Requires non-overlapping CIDR blocks
• Good for simple hub-and-spoke or point-to-point

AWS Transit Gateway:

• Central hub connecting multiple VPCs
• Scales to thousands of connections
• Centralised routing management
• Additional cost but simplified operations

Recommended for Landing Zones: Transit Gateway in Network account

Hybrid Connectivity

AWS Site-to-Site VPN:

• IPsec VPN over the internet
• Up to 1.25 Gbps per tunnel
• Quick to set up
• Lower cost option

AWS Direct Connect:

• Dedicated network connection
• 1 Gbps or 10 Gbps (or higher)
• Consistent network performance
• Required for compliance in many regulated industries

Best Practice: Use both - Direct Connect for primary connectivity, VPN as backup

Transit Gateway Architecture

For multi-account Landing Zones, Transit Gateway provides centralised connectivity.

Design

Network Account:
  Transit Gateway
    ├── Attachment to Production VPCs
    ├── Attachment to Non-Production VPCs
    ├── Attachment to Shared Services VPC
    ├── VPN Attachment (On-Premises)
    └── Direct Connect Gateway Attachment

Routing Strategy

Use separate route tables for different security zones:

Production Route Table:

• Routes to production VPCs
• Route to on-premises
• NO route to development

Non-Production Route Table:

• Routes to staging/dev VPCs
• Limited on-premises access
• NO route to production

Shared Services Route Table:

• Routes to all environments
• Central logging, monitoring, directory services

Cost Optimisation

Transit Gateway costs:

• ~$0.07/hour per attachment
• ~$0.02 per GB data processed

Optimisation tips:

• Use VPC Peering for high-bandwidth, low-latency connections
• Consolidate VPCs where possible
• Monitor data transfer between attachments

Security Controls

Network ACLs

Stateless firewall at the subnet level:

• Default allow all
• Use for broad restrictions
• Evaluated before security groups

Use cases:

• Block specific IP ranges
• Deny traffic between subnet tiers
• Compliance requirements for defense-in-depth

Security Groups

Stateful firewall at the resource level:

• Default deny all inbound
• Use for application-specific rules
• Can reference other security groups

Best practices:

• Use descriptive names
• Reference security groups instead of IP addresses
• Regularly audit unused rules
• Implement least privilege

AWS Network Firewall

Managed firewall service for advanced filtering:

• Deep packet inspection
• Intrusion prevention
• Domain filtering
• Centralised management

Use cases:

• Regulated industries
• Advanced threat protection
• Traffic inspection requirements

VPC Flow Logs

Capture network traffic metadata:

• Published to CloudWatch Logs or S3
• Essential for security monitoring
• Troubleshooting connectivity issues
• Compliance evidence

Enable on all VPCs in your Landing Zone.

DNS Management

Route 53 Resolver

Centralised DNS for hybrid environments:

• Inbound Endpoints: On-premises to AWS DNS resolution
• Outbound Endpoints: AWS to on-premises DNS resolution

Deploy in Network account for centralised management.

Private Hosted Zones

Internal DNS for AWS resources:

• Associate with multiple VPCs
• Use consistent domain naming (e.g., internal.yourcompany.com.au)
• Enable DNS query logging for security

High Availability and Resilience

Multi-AZ Design

Deploy across at least two Availability Zones:

• Distributes risk
• Enables maintenance without downtime
• Required for most compliance frameworks

For critical workloads in Australia:

• Primary: ap-southeast-2 (Sydney) across 3 AZs
• DR: ap-southeast-4 (Melbourne)

Redundant Connectivity

Internet: Multiple NAT Gateways across AZs

Hybrid Connectivity:

• Multiple Direct Connect connections
• VPN as backup
• Different physical locations for Direct Connect

Monitoring and Observability

Essential network monitoring:

• VPC Flow Logs: Traffic analysis and security
• CloudWatch Metrics: Network performance
• Transit Gateway Network Manager: Centralised visibility
• VPC Reachability Analyzer: Troubleshooting connectivity
• Network Access Analyzer: Identifying unintended access

Common Pitfalls to Avoid

1. Overlapping CIDR blocks: Plan IP addressing upfront
2. Insufficient IP space: VPCs can’t be resized easily
3. Single AZ deployments: No resilience
4. Over-complicated initial designs: Start simple, evolve
5. Lack of documentation: Network diagrams are essential
6. No IP address management: Use IPAM tools
7. Ignoring costs: NAT Gateways and data transfer add up
8. Missing VPC Flow Logs: Critical for security and troubleshooting

Implementation Checklist

• Design IP address allocation scheme
• Plan VPC structure per account
• Determine connectivity requirements
• Choose Transit Gateway or VPC Peering
• Design subnet layout (public, private, protected)
• Plan hybrid connectivity (VPN, Direct Connect)
• Configure security controls (NACLs, Security Groups)
• Enable VPC Flow Logs
• Set up Route 53 Resolver
• Create network diagrams
• Document IP allocations
• Test connectivity between environments
• Implement monitoring and alerting

Conclusion

Network architecture is the backbone of your AWS Landing Zone. A well-designed network provides security, enables connectivity, and scales with your business. Take the time to plan properly - migrating network architecture later is significantly more complex than getting it right initially.

For Australian businesses, particularly in regulated industries, network design must balance security, compliance, performance, and cost. CloudPoint specialises in designing and implementing AWS network architectures tailored to Australian requirements.

Ready to design your Landing Zone network? Contact CloudPoint for an architecture consultation.

---

Need Help with Your AWS Network Architecture?

CloudPoint designs and implements network architectures as part of secure AWS landing zones. Get in touch to discuss your requirements.

Learn more about our Landing Zone service →