Design secure multi-tier cloud infrastructure
Company: Amazon
Role: Software Engineer
Category: System Design
Difficulty: hard
Interview Round: Technical Screen
Design and deploy a multi-tier VPC-based architecture for a large-scale application. Address:
(1) Multi-layer segmentation (web/app/db) across multiple Availability Zones with subnets, route tables, NAT/bastion access, and security groups vs. network ACLs;
(2) IP planning for at least 2,000 servers: choose VPC and subnet CIDR ranges, account for per-subnet reserved IPs, keep headroom for growth, distribute across at least three AZs, show calculations, and present one feasible plan;
(3) Centralized management for Linux and Windows (patching, configuration, inventory, remote sessions): compare AWS Systems Manager, AD/Group Policy, and tools like Ansible/Salt;
(4) Shared storage for concurrent access: compare NFS, Amazon EFS, SMB/FSx, and object-storage gateways, discussing consistency/locking, throughput/IOPS scaling, latency, and cost;
(5) Single sign-on for administrators to "log in once" to servers and consoles using SSO (SAML/OIDC), MFA, short-lived credentials (e.g., SSM Session Manager/Kerberos), RBAC, auditing, and break-glass procedures.
Quick Answer: This question evaluates cloud systems design competencies including multi-tier network architecture, IP addressing and capacity planning, security controls, centralized server management, shared storage trade-offs, and identity and access integration within a production-scale virtual private cloud.
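A worked calculation for item (2), added here as an example and not part of the original question: it assumes a 10.0.0.0/16 VPC, three tiers, three AZs, an even spread of the 2,000 servers across all subnets, and a 2x growth factor, and it subtracts the five addresses AWS reserves in every subnet before sizing.

```python
import ipaddress
import math

# AWS reserves 5 addresses per subnet: network, VPC router, DNS, future use, broadcast.
AWS_RESERVED_PER_SUBNET = 5


def subnet_prefix_for(hosts_needed: int) -> int:
    """Smallest AWS-legal prefix (/16 .. /28) whose usable count covers hosts_needed."""
    for prefix in range(28, 15, -1):
        usable = 2 ** (32 - prefix) - AWS_RESERVED_PER_SUBNET
        if usable >= hosts_needed:
            return prefix
    raise ValueError(f"no single AWS subnet can hold {hosts_needed} hosts")


def plan_subnets(vpc_cidr: str, servers: int, azs: int, tiers, growth: float = 2.0):
    """Carve one subnet per (tier, AZ) out of vpc_cidr.

    Each subnet is sized so that `servers` hosts spread evenly over all subnets
    still fit with `growth` times headroom (assumption: even spread per tier).
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    per_subnet = math.ceil(servers * growth / (azs * len(tiers)))
    prefix = subnet_prefix_for(per_subnet)
    if prefix < vpc.prefixlen:
        raise ValueError(f"{vpc_cidr} is too small: each subnet needs a /{prefix}")
    pool = vpc.subnets(new_prefix=prefix)  # non-overlapping by construction
    plan = []
    for tier in tiers:
        for az in range(azs):
            net = next(pool, None)
            if net is None:
                raise ValueError(f"{vpc_cidr} cannot hold {azs * len(tiers)} /{prefix} subnets")
            plan.append({"tier": tier, "az": az, "cidr": str(net),
                         "usable": net.num_addresses - AWS_RESERVED_PER_SUBNET})
    return plan


def summarize(vpc_cidr: str, plan) -> dict:
    """Totals a reviewer would ask for: usable hosts, allocated space, spare VPC space."""
    vpc = ipaddress.ip_network(vpc_cidr)
    allocated = sum(ipaddress.ip_network(p["cidr"]).num_addresses for p in plan)
    return {"usable_hosts": sum(p["usable"] for p in plan),
            "allocated": allocated,
            "spare_in_vpc": vpc.num_addresses - allocated}


if __name__ == "__main__":
    plan = plan_subnets("10.0.0.0/16", 2000, 3, ("web", "app", "db"))
    for p in plan:
        print(f"{p['tier']:<4} az{p['az']}  {p['cidr']:<16} usable={p['usable']}")
    print(summarize("10.0.0.0/16", plan))
```

With these assumptions each of the nine subnets comes out as a /23 (507 usable hosts), so 4,563 usable addresses are allocated out of the /16 and 60,928 remain for more tiers or AZs.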