System Design: Multi-tier VPC Architecture for a Large-Scale Application

You are designing and deploying a production-ready, multi-tier network on AWS for an internet-facing application with thousands of servers. Assume three or more Availability Zones (AZs) in one Region and typical tiers: web, application, and database.

Address the following:

1. Network Segmentation and Access
   • Design multi-layer segmentation (web/app/db) across multiple AZs using subnets and route tables.
   • Show how public vs. private subnets, NAT gateways, and optional bastion hosts are used.
   • Explain how you would use Security Groups vs. Network ACLs and why.
2. IP Address Planning (≥ 2,000 servers)
   • Choose a VPC CIDR and per-subnet CIDRs.
   • Account for per-subnet reserved IPs, plan headroom for growth, and distribute across at least three AZs.
   • Show calculations and present one concrete, feasible plan with explicit CIDR blocks.
3. Centralized Server Management (Linux and Windows)
   • Compare approaches for patching, configuration management, inventory, and remote sessions: AWS Systems Manager, Active Directory/Group Policy, and tools like Ansible/Salt.
   • Recommend a combined approach and justify it.
4. Shared Storage for Concurrent Access
   • Compare NFS on EC2, Amazon EFS, SMB/FSx options, and object storage gateways.
   • Discuss consistency/locking semantics, throughput/IOPS scaling, latency, and cost trade-offs.
   • Recommend options for Linux and Windows workloads.
5. Single Sign-On for Administrators
   • Design "log in once" for server and console access using SSO (SAML/OIDC), MFA, short-lived credentials (e.g., SSM Session Manager/Kerberos), RBAC, auditing, and break-glass procedures.
   • Provide concrete services and controls to implement this.