VPC Design: The Three-Tier Private Pattern
VPC design decisions are hard to undo. The three-tier private pattern is the safe default for most workloads.
Why three tiers
Three tiers turn the VPC into a defensible structure. Each tier is a security boundary, and the boundary is enforced by routing, not by hope.
- Public. Load balancers and NAT gateways only; no compute, no databases.
- Private. Application compute; reachable from public via load balancers; no direct internet ingress.
- Isolated. Databases and stateful services; no internet egress; reachable only from private tier.
- Egress control. Each tier's outbound traffic is restricted to declared destinations; the boundary is real, not advisory.
Four components
1. Three or more AZs for high availability.
2. One NAT gateway per AZ for private-tier outbound traffic.
3. Bastion-less operator access through SSM Session Manager.
4. VPC endpoints so AWS service traffic never leaves the VPC.
Per-tier boundaries
Boundaries are encoded in security groups, NACLs, and route tables. Each tier's allowed traffic is explicit; default-deny everywhere else.
- Public. Only LBs and NAT gateways; ingress on 80/443; egress to private tier only.
- Private. Workloads plus service-to-service traffic; egress to isolated tier and to internet via NAT.
- Isolated. Databases and queues; no internet egress; ingress only from private tier on declared ports.
- Declared destinations. Egress rules name specific destinations; do not use 0.0.0.0/0 outside the public tier.
When to deviate
The three-tier pattern is a safe default, not a law. Three workloads have legitimate reasons to deviate.
- Multi-tenant SaaS. Strict tenant isolation may justify per-tenant VPCs; the operational cost is real.
- Edge-heavy. Dual-stack networking with a smaller compute footprint; the isolated tier may collapse into the private tier when there are no databases.
- Small teams. Single-tier (private only) is fine when there is one workload and one engineer; the structure is overkill.
- Compliance overlay. PCI, HIPAA, or FedRAMP may add tiers (DMZ, audit) on top; do not collapse them into the standard three.
Antipatterns
- Single-AZ. An outage waiting to happen; one AZ failure takes the whole workload down.
- All public. Compute with public IPs and a route to the internet gateway; every instance is directly exposed.
- NAT gateway misuse. One NAT gateway shared across AZs sends private-tier traffic cross-AZ, adding data transfer cost and a cross-AZ dependency.
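The per-tier boundaries and the antipatterns above can be checked mechanically. The following audit is an added example, not code from the page: it classifies each subnet by its default route, flags a NAT route that leaves the subnet's AZ, and flags 0.0.0.0/0 egress on any security group outside the public tier. The dict shapes mirror the EC2 DescribeRouteTables, DescribeNatGateways and DescribeSecurityGroups responses; the sample VPC and the "Tier" tag convention on security groups are assumptions.

```python
"""Audit a VPC against the three-tier private pattern. Added example, not the page's
code. Dict shapes mirror EC2 DescribeRouteTables/DescribeNatGateways/DescribeSecurityGroups;
all data below is constructed; every security group is assumed to carry a "Tier" tag."""

def subnet_tier(routes):
    """Tier follows the default route: igw -> public, NAT -> private, none -> isolated."""
    for r in routes:
        if r.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if r.get("GatewayId", "").startswith("igw-"):
            return "public"
        if r.get("NatGatewayId"):
            return "private"
    return "isolated"

def audit(route_tables, nat_gateways, security_groups, subnet_az):
    """Return sorted (resource, problem) findings for tier-boundary violations."""
    findings = []
    nat_az = {n["NatGatewayId"]: n["AvailabilityZone"] for n in nat_gateways}
    for rt in route_tables:
        tier = subnet_tier(rt["Routes"])
        nats = [r["NatGatewayId"] for r in rt["Routes"] if r.get("NatGatewayId")]
        for assoc in rt["Associations"]:
            sub = assoc["SubnetId"]
            # NAT gateway per AZ: a subnet's NAT route must stay inside its own AZ.
            for nat in nats:
                if nat_az.get(nat) != subnet_az[sub]:
                    findings.append((sub, f"{tier} subnet routes via {nat} in another AZ"))
    # Declared destinations: 0.0.0.0/0 egress is acceptable only on the public tier.
    for sg in security_groups:
        tier = {t["Key"]: t["Value"] for t in sg.get("Tags", [])}.get("Tier", "untagged")
        for perm in sg.get("IpPermissionsEgress", []):
            open_world = any(ip.get("CidrIp") == "0.0.0.0/0" for ip in perm.get("IpRanges", []))
            if open_world and tier != "public":
                findings.append((sg["GroupId"], f"{tier} tier egress to 0.0.0.0/0"))
    return sorted(findings)

# Constructed sample: one NAT gateway shared by two AZs, and an app SG with open egress.
ROUTE_TABLES = [
    {"Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}],
     "Associations": [{"SubnetId": "subnet-pub-a"}]},
    {"Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-a"}],
     "Associations": [{"SubnetId": "subnet-priv-a"}, {"SubnetId": "subnet-priv-b"}]},
]
NAT_GATEWAYS = [{"NatGatewayId": "nat-a", "AvailabilityZone": "us-east-1a"}]
SUBNET_AZ = {"subnet-pub-a": "us-east-1a", "subnet-priv-a": "us-east-1a", "subnet-priv-b": "us-east-1b"}
SECURITY_GROUPS = [
    {"GroupId": "sg-app", "Tags": [{"Key": "Tier", "Value": "private"}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]
```

Running `audit(ROUTE_TABLES, NAT_GATEWAYS, SECURITY_GROUPS, SUBNET_AZ)` reports subnet-priv-b (NAT in another AZ) and sg-app (open egress on the private tier); feed it real boto3 output to audit an account.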
What to do this week
Three moves. (1) Apply this pattern to your highest-risk network path. (2) Measure the failure-mode rate before and after. (3) Document the change so the next incident responder inherits the knowledge.