About This Architecture
This defense-in-depth AWS VPC architecture layers multiple security controls around EC2 workloads spread across public and private subnets. Inbound traffic from users passes through AWS WAF and Shield for DDoS protection, then through Network Firewall for packet inspection, before reaching an Elastic Load Balancer that distributes requests to an Auto Scaling Group of t3.medium EC2 instances in the private subnet. Each instance mounts EBS gp3 volumes for block storage and shares data via EFS; S3 handles backups and object storage, CloudWatch monitors all resources, and KMS encrypts data at rest. Hybrid connectivity lets on-premises systems reach the workloads securely via VPN Gateway and Direct Connect, while a NAT Gateway provides controlled outbound internet access for the private instances. The architecture demonstrates AWS best practices for network segmentation, perimeter defense, encryption, and observability, all of which are critical for compliance-driven enterprises. Fork this diagram on Diagrams.so to customize subnet CIDR ranges, add additional security groups, or integrate AWS GuardDuty and Security Hub for your environment.
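As an added example (not part of the diagram description above), the following Python audit encodes the segmentation and encryption rules the architecture relies on, checks them against a constructed VPC snapshot, and reports what breaks when an instance is exposed. All resource ids, subnet names, the app port and the KMS key ARN are assumed placeholders, and the `DefaultRoute` map is a simplification of the route-table data you would otherwise pull from the EC2 API.

```python
"""Audit a VPC snapshot against the private-subnet, ELB-only-ingress and KMS rules of the layout above."""

def audit(snapshot, alb_sg="sg-alb"):
    """Return findings for each workload instance; an empty list means compliant."""
    findings = []
    sgs = {g["GroupId"]: g for g in snapshot["SecurityGroups"]}
    vols = {v["VolumeId"]: v for v in snapshot["Volumes"]}
    for inst in snapshot["Instances"]:
        iid = inst["InstanceId"]
        # Private subnet: the 0.0.0.0/0 route must point at the NAT gateway, not an IGW.
        target = snapshot["DefaultRoute"].get(inst["SubnetId"], "none")
        if not target.startswith("nat-"):
            findings.append(f"{iid}: default route via {target}, expected a NAT gateway")
        # An instance reachable only through the ELB must not carry a public IP.
        if inst.get("PublicIpAddress"):
            findings.append(f"{iid}: has public IP {inst['PublicIpAddress']}")
        # Ingress only from the load balancer's security group, never from CIDR ranges.
        for ref in inst["SecurityGroups"]:
            for perm in sgs[ref["GroupId"]]["IpPermissions"]:
                for cidr in perm.get("IpRanges", []):
                    findings.append(f"{iid}: {ref['GroupId']} allows ingress from {cidr['CidrIp']}")
                for pair in perm.get("UserIdGroupPairs", []):
                    if pair["GroupId"] != alb_sg:
                        findings.append(f"{iid}: {ref['GroupId']} allows ingress from {pair['GroupId']}")
        # Data at rest: every attached EBS volume must be encrypted with a KMS key.
        for bdm in inst["BlockDeviceMappings"]:
            vol = vols[bdm["Ebs"]["VolumeId"]]
            if not (vol["Encrypted"] and vol.get("KmsKeyId")):
                findings.append(f"{iid}: volume {vol['VolumeId']} is not KMS-encrypted")
    return findings

def example_snapshot(subnet="subnet-private", public_ip=None, open_cidr=None, encrypted=True):
    """Constructed snapshot: one app instance behind the ELB. Instances, SecurityGroups and
    Volumes mimic the EC2 describe-* response shapes; DefaultRoute maps each subnet to its
    0.0.0.0/0 target. The keyword arguments inject the misconfigurations the audit should catch."""
    ingress = {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
               "IpRanges": [{"CidrIp": open_cidr}] if open_cidr else [],
               "UserIdGroupPairs": [{"GroupId": "sg-alb"}]}
    return {
        "DefaultRoute": {"subnet-public": "igw-1", "subnet-private": "nat-1"},
        "SecurityGroups": [{"GroupId": "sg-app", "IpPermissions": [ingress]}],
        "Volumes": [{"VolumeId": "vol-1", "Encrypted": encrypted,
                     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE" if encrypted else None}],
        "Instances": [{"InstanceId": "i-app1", "SubnetId": subnet,
                       "PublicIpAddress": public_ip,
                       "SecurityGroups": [{"GroupId": "sg-app"}],
                       "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-1"}}]}],
    }
```

Running `audit(example_snapshot())` returns no findings, while moving the instance to the public subnet or injecting a public IP, an open CIDR rule or an unencrypted volume produces one finding per broken layer.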