Architecture Reasoning Drills
Architecture reasoning drills covering multi-service patterns for web apps, high availability, scalability, security, serverless, and big data on AWS.
Learning outcomes
By the end of this lesson, the learner can:
- Reason through multi-service architecture scenarios step by step.
- Explain which service fits which role in a multi-service setup.
- Distinguish between "right service" and "plausible but wrong service" for architecture scenarios.
- Build the habit of matching service role to scenario requirement.
How these drills work
This lesson is about architecture reasoning, not service memorization.
Most architecture questions are not asking: "What is the name of this service?"
They are asking: "Given this situation, which service fits this role?"
That means the skill is reasoning from the requirement to the service, not guessing from the service name.
A simple memory rule:
- define the requirement
- match the requirement to a service role
- eliminate services that do not fit the role (AWS Documentation)
1) The two-layer web app pattern
Many basic AWS architectures use a simple web-plus-database pattern. At a high level:
| Layer | Service choice |
|---|---|
| Web/application layer | EC2 (or ECS for containers), behind an ALB |
| Database layer | RDS (relational) or DynamoDB (NoSQL) |
| DNS / routing | Route 53 |
| Content delivery / caching | CloudFront |
| Static files | S3 |
| Secrets / credentials | Secrets Manager |
A simple way to think about this:
- traffic hits Route 53 → CloudFront → ALB → EC2/ECS → RDS/DynamoDB
- static assets served from S3 via CloudFront
- secrets accessed from Secrets Manager by EC2/ECS at runtime (AWS Documentation)
2) Adding resilience
If the scenario says any of these:
- "survive an AZ failure"
- "99.99% uptime"
- "high availability"
- "no single point of failure"
…the answer usually involves:
- multi-AZ deployment for EC2 or RDS
- ALB to distribute traffic across AZs
- Auto Scaling to replace failed instances
- RDS Multi-AZ for database failover
Key takeaway:
- HA = multiple AZs + Auto Scaling + ALB + Multi-AZ RDS (AWS Documentation)
3) Adding scalability
If the scenario says:
- "unpredictable traffic"
- "handle spikes"
- "scale up and down automatically"
…the answer usually involves:
- Auto Scaling group for EC2
- Lambda for event-driven serverless (if stateless tasks)
- DynamoDB for database scaling (if NoSQL fits)
- CloudFront to reduce load on the origin
Key takeaway:
- scalability = Auto Scaling + Lambda + DynamoDB + CloudFront where they fit (AWS Documentation)
4) Adding security
If the scenario says:
- "protect credentials"
- "least privilege"
- "prevent SQL injection"
- "detect suspicious API behavior"
- "who changed this resource?"
…the answers usually involve:
- Secrets Manager for stored credentials
- IAM roles and least-privilege policies
- WAF for request filtering
- GuardDuty for threat detection
- CloudTrail for action auditing
- KMS for encryption key management (AWS Documentation)
5) Adding cost control
If the scenario says:
- "minimize costs"
- "save on compute"
- "watch spending"
- "alert before going over budget"
…the answers usually involve:
- Spot Instances or Savings Plans for compute
- AWS Budgets for alerts
- Cost Explorer for analysis
- S3 lifecycle policies for storage cost management (AWS Documentation)
6) Serverless pattern
If the scenario says:
- "no server management"
- "event-driven"
- "pay only per invocation"
- "run code when triggered"
…the answer usually involves:
- Lambda for compute
- API Gateway for HTTP endpoints
- DynamoDB for serverless database
- S3 for object storage
- SQS or EventBridge for event routing (AWS Documentation)
Key takeaway:
- serverless = Lambda + API Gateway + DynamoDB + S3 + event routing (AWS Documentation)
7) Big data / analytics pattern
If the scenario says:
- "large-scale data processing"
- "Spark or Hadoop"
- "SQL analytics on large datasets"
- "data warehouse"
…the answer usually involves:
- EMR for big-data processing frameworks
- Redshift for SQL warehouse analytics
- S3 as a data lake
- Glue for data catalog and ETL (AWS Documentation)
8) Eliminating wrong answers
A common exam pattern:
- the scenario mentions a role
- one answer matches the role exactly
- the distractor sounds related but fills a different role
Examples:
- "detect threats" → GuardDuty, not Inspector (Inspector finds vulnerabilities, not threats)
- "track configuration changes" → Config, not CloudTrail (CloudTrail is actions, not config state)
- "store and rotate secrets" → Secrets Manager, not KMS (KMS manages keys, not passwords)
- "DDoS protection" → Shield, not WAF (WAF filters requests, not DDoS volumes) (AWS Documentation)
Micro-activity 1
For each scenario, identify the correct service and explain why the distractor does not fit:
- Scenario: "Detect suspicious API behavior and unusual credential use." Correct: GuardDuty. Distractor: Inspector.
- Scenario: "Track how a security group configuration changed over the past month." Correct: Config. Distractor: CloudTrail.
- Scenario: "Store and rotate a database password." Correct: Secrets Manager. Distractor: KMS.
- Scenario: "Protect a CloudFront distribution from DDoS attacks." Correct: Shield. Distractor: WAF.
Micro-activity 2
Build an architecture sketch for each scenario (name the services in order):
- "A small web app with a PostgreSQL database, high availability, and static file hosting."
- "A serverless event-driven backend triggered by HTTP requests."
- "A data analytics pipeline that ingests raw data, runs Spark jobs, and exposes results via SQL."
Use only the services covered in this course. (AWS Documentation)
Summary
Architecture reasoning at this level comes down to a few repeatable patterns:
- web app = Route 53 + CloudFront + ALB + EC2/ECS + RDS/DynamoDB + S3
- HA = multi-AZ + Auto Scaling + Multi-AZ RDS + ALB
- scalability = Auto Scaling + Lambda + DynamoDB + CloudFront
- security layers = IAM + Secrets Manager + WAF + GuardDuty + CloudTrail + KMS
- serverless = Lambda + API Gateway + DynamoDB + S3 + event routing
- big data = EMR + Redshift + S3 + Glue (AWS Documentation)
The simplest memory rule is:
- match the requirement to the service role
- eliminate services that fit a different role (AWS Documentation)
Quiz 5.14
Reflection questions
Think about it
Why is Inspector not the right answer for "detect threats and suspicious behavior"?
Think about it
What is the pattern for a simple serverless backend?
Think about it
What is the pattern for a simple highly available web application?
Think about it
A team wants to host a static website with global low latency. Which services fit best?
Think about it
What is the simplest memory rule for architecture reasoning drills?
Answer key
A1: B. GuardDuty. AWS says GuardDuty is the threat-detection service for suspicious activity and compromised credentials. (AWS Documentation)
A2: B. Config. AWS says Config tracks resource configuration and configuration history. (AWS Documentation)
A3: B. Multi-AZ EC2 with ALB and Auto Scaling. This is the standard HA pattern for web applications. (AWS Documentation)
A4: Inspector finds vulnerabilities and unintended network exposure; it does not detect threats or suspicious behavior. GuardDuty does that. (AWS Documentation)
A5: C. Lambda. AWS says Lambda is the event-driven, serverless compute service with per-invocation pricing. (AWS Documentation)
A6: Lambda + API Gateway + DynamoDB + S3 + event routing (SQS or EventBridge). (AWS Documentation)
A7: B. EMR. AWS says EMR is the managed big-data platform for frameworks like Spark and Hadoop. (AWS Documentation)
A8: Route 53 + CloudFront + ALB + EC2 (multi-AZ) + Auto Scaling + Multi-AZ RDS. (AWS Documentation)
A9: S3 (static hosting) + CloudFront (global CDN) + Route 53 (DNS). (AWS Documentation)
A10: Match the requirement to the service role, then eliminate services that fit a different role. (AWS Documentation)
Next lesson
Lesson 5.15: Module 5.4 Scenario-Based Service Selection Review Quiz