VPC Design: The Three-Tier Private Pattern
VPC design decisions are hard to undo. The three-tier private pattern is the safe default for most workloads.
Why three tiers
Public: load balancers and NAT only.
Private: application compute.
Isolated: databases and stateful services.
Each tier is a security boundary, and egress from each tier is explicitly controlled.
Four components
1. 3+ AZs for HA.
2. NAT gateways per AZ for private outbound.
3. Bastion-less SSM access for ops.
4. VPC endpoints for AWS service traffic.
Per-tier boundaries
Public: only load balancers and NAT gateways.
Private: application workloads and service-to-service traffic.
Isolated: databases; no internet egress.
Egress from every tier is restricted to declared destinations.
When to deviate
Multi-tenant SaaS with strict isolation: per-tenant VPCs.
Edge-heavy workloads: dual-stack (IPv4/IPv6) networking with a smaller compute footprint.
Small teams: a single tier (private only) is fine.
Antipatterns
- Single-AZ. An outage waiting to happen.
- All public. Compute exposed directly to the internet.
- NAT gateway misuse. Cross-AZ traffic and the cost that comes with it.
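The tier boundaries and the antipatterns above can be checked mechanically against what AWS actually reports. The following linter is an added example, not code from the original article: it consumes the JSON shapes returned by `aws ec2 describe-subnets`, `describe-route-tables` and `describe-nat-gateways`, classifies each subnet by an assumed `Tier` tag (public/private/isolated), and flags public subnets without an internet-gateway route, private subnets whose default route is missing or points at a NAT gateway in another AZ, isolated subnets with any default route, public IP auto-assignment outside the public tier, and any tier that spans fewer than three AZs. The sample VPC at the bottom is constructed inline so the script runs offline.

```python
"""Lint an AWS VPC against the three-tier private pattern.

Added example; the describe-* shapes are real AWS API output formats, but
the data built by sample_vpc() is constructed and the `Tier` tag used to
classify subnets is an assumed tagging convention.
"""
from collections import defaultdict

MIN_AZS = 3  # "3+ AZs for HA"
TIERS = ("public", "private", "isolated")


def route_table_for(subnet_id, route_tables):
    """Route table explicitly associated with the subnet, else the VPC main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_route_target(rt):
    """Target of the 0.0.0.0/0 route (igw-, nat-, eni- ...) or None if there is none.
    Prefix-list routes to gateway endpoints (vpce-) are not a default route."""
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route.get("GatewayId") or route.get("NatGatewayId") or route.get("NetworkInterfaceId")
    return None


def lint_vpc(subnets, route_tables, nat_gateways):
    """Return a list of findings; an empty list means the VPC matches the pattern."""
    findings = []
    az_of_subnet = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    nat_az = {n["NatGatewayId"]: az_of_subnet.get(n["SubnetId"]) for n in nat_gateways}
    azs_per_tier = defaultdict(set)

    for s in subnets:
        sid = s["SubnetId"]
        tier = next((t["Value"] for t in s.get("Tags", []) if t["Key"] == "Tier"), None)
        if tier not in TIERS:
            findings.append(f"{sid}: missing or unknown Tier tag ({tier!r})")
            continue
        azs_per_tier[tier].add(s["AvailabilityZone"])
        rt = route_table_for(sid, route_tables)
        target = default_route_target(rt) if rt else None

        if tier == "public":
            if not (target or "").startswith("igw-"):
                findings.append(f"{sid}: public subnet has no default route to an internet gateway")
        elif s.get("MapPublicIpOnLaunch"):
            findings.append(f"{sid}: {tier} subnet auto-assigns public IPs")
        if tier == "private":
            if not (target or "").startswith("nat-"):
                findings.append(f"{sid}: private subnet default route is not a NAT gateway ({target})")
            elif nat_az.get(target) != s["AvailabilityZone"]:
                findings.append(f"{sid}: NAT gateway {target} is in another AZ (cross-AZ traffic)")
        if tier == "isolated" and target is not None:
            findings.append(f"{sid}: isolated subnet has internet egress via {target}")

    for tier, azs in azs_per_tier.items():
        if len(azs) < MIN_AZS:
            findings.append(f"{tier} tier spans {len(azs)} AZ(s); need {MIN_AZS}+")
    return findings


AZS = ["us-east-1a", "us-east-1b", "us-east-1c"]


def sample_vpc(cross_az_nat=False):
    """Constructed describe-* output for a compliant 3-AZ, 3-tier VPC.
    cross_az_nat=True routes every private subnet through the NAT in AZ 'a' (antipattern)."""
    local = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}
    public_rt = {"RouteTableId": "rtb-public", "Associations": [],
                 "Routes": [local, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]}
    isolated_rt = {"RouteTableId": "rtb-isolated", "Associations": [],  # S3 gateway endpoint only
                   "Routes": [local, {"DestinationPrefixListId": "pl-s3example", "GatewayId": "vpce-0example"}]}
    subnets, route_tables, nats = [], [public_rt, isolated_rt], []
    for az in AZS:
        suffix = az[-1]
        for tier in TIERS:
            subnets.append({"SubnetId": f"subnet-{tier}-{suffix}", "AvailabilityZone": az,
                            "MapPublicIpOnLaunch": tier == "public",
                            "Tags": [{"Key": "Tier", "Value": tier}]})
        nats.append({"NatGatewayId": f"nat-{suffix}", "SubnetId": f"subnet-public-{suffix}", "State": "available"})
        public_rt["Associations"].append({"SubnetId": f"subnet-public-{suffix}", "Main": False})
        isolated_rt["Associations"].append({"SubnetId": f"subnet-isolated-{suffix}", "Main": False})
        nat_id = "nat-a" if cross_az_nat else f"nat-{suffix}"
        route_tables.append({"RouteTableId": f"rtb-private-{suffix}",
                             "Associations": [{"SubnetId": f"subnet-private-{suffix}", "Main": False}],
                             "Routes": [local, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": nat_id}]})
    return subnets, route_tables, nats


if __name__ == "__main__":
    for label, args in (("compliant", sample_vpc()), ("cross-AZ NAT", sample_vpc(cross_az_nat=True))):
        print(label, lint_vpc(*args) or "OK")
```

Against a real account, replace `sample_vpc()` with the `Subnets`, `RouteTables` and `NatGateways` lists from the three describe calls for one VPC; the checks then read directly from what the control plane reports rather than from intent in IaC, which is what makes the linter useful as a drift check after the pattern is applied.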
What to do this week
Three moves. (1) Apply this pattern to your highest-risk network path. (2) Measure the failure-mode rate before and after. (3) Document the change so the next incident responder inherits the knowledge.