Defense-in-depth AWS architecture layers WAF, Network Firewall, and Internet Gateway to filter traffic before reaching application workloads. Internet traffic flows through CloudFront CDN and Route 53 DNS to WAF for application-layer protection, then Network Firewall for network-layer inspection, before entering the VPC via Internet Gateway to an Elastic Load Balancer distributing requests across three t3.medium EC2 instances in a Private Subnet with Auto Scaling. On-premises connectivity routes through VPN Gateway to NAT Gateway, maintaining network isolation while enabling hybrid access. EC2 instances leverage EBS gp3 volumes for local storage, shared EFS for cross-instance file access, and S3 with Glacier archival for object storage, while CloudWatch monitors performance, CloudTrail logs API activity, and IAM with KMS enforce identity and encryption controls. Fork this diagram on Diagrams.so to customize subnet CIDR ranges, adjust instance types, add Transit Gateway for multi-VPC connectivity, or export as .drawio for Confluence documentation.