Design Resilient Architectures (30%)
The largest domain. Multi-AZ = high availability (same region, synchronous replication, automatic failover). Read Replicas = read scalability (asynchronous, can be cross-region). Decouple with SQS when producers and consumers run at different speeds. ALB is the default choice for HTTP/HTTPS; NLB for TCP/UDP where you need static IPs or ultra-low latency.
- Multi-AZ vs Multi-Region deployments
- Elastic Load Balancing: ALB (HTTP/path routing), NLB (TCP/UDP, static IP), CLB
- Auto Scaling Groups: launch templates, scaling policies (target tracking, step, scheduled)
- Route 53 routing policies: failover, weighted, latency, geolocation, multivalue
- SQS + SNS for decoupled, asynchronous architectures
- S3 for static content; CloudFront for global CDN
- RDS Multi-AZ standby vs Read Replicas (synchronous vs asynchronous)
Design High-Performing Architectures (28%)
High performance questions test knowing which cache, database, or compute type fits the workload. ElastiCache Redis vs Memcached is reliably tested: Redis = advanced data structures + persistence; Memcached = simple key-value + horizontal scaling. DynamoDB is the default for serverless single-digit-millisecond NoSQL; Aurora for relational workloads needing MySQL/PostgreSQL compatibility at scale.
- EC2 instance families: compute-optimised (C), memory-optimised (R/X), storage-optimised (I/D), GPU (P/G)
- ElastiCache: Redis (persistence, pub/sub, sorted sets) vs Memcached (simple cache, multithreaded)
- CloudFront caching: cache behaviours, TTL, origin groups
- Aurora: 6-way replication across 3 AZs, Aurora Serverless v2, Global Database
- DynamoDB: partition key design, Global Secondary Indexes, on-demand vs provisioned, DAX for microsecond reads
- Amazon Kinesis: Data Streams vs Data Firehose for real-time data ingestion
Design Secure Architectures (24%)
Security Groups = stateful (return traffic automatically allowed); NACLs = stateless (must explicitly allow return traffic, including the ephemeral port range for replies). SGs attach to instances (ENIs); NACLs attach to subnets. Use VPC endpoints to keep traffic between your VPC and AWS services on the AWS network without traversing the internet. Secrets Manager = automatic credential rotation; SSM Parameter Store = simpler/cheaper secrets without automatic rotation.
- IAM policies: identity-based, resource-based, permission boundaries, SCPs (Service Control Policies)
- VPC security: Security Groups (stateful, allow-only) vs NACLs (stateless, allow+deny, subnet level)
- Private subnets + NAT Gateway for outbound-only internet access
- VPC endpoints: Gateway (S3/DynamoDB) vs Interface (PrivateLink services); keeps traffic off the internet
- AWS KMS: customer-managed keys, envelope encryption, key policies
- AWS Secrets Manager vs SSM Parameter Store: Secrets Manager for credentials that need automatic rotation, Parameter Store for plain config and secrets that don't
- S3 bucket policies, ACLs, Block Public Access, pre-signed URLs
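Added example for the IAM bullet (not from the original notes): a small evaluator that applies the exam's policy-evaluation order to one request. It models only `Effect`/`Action`/`Resource` with `*` and `?` wildcards (no conditions, `NotAction` or resource-based principals); the bucket ARN, account ID and policies are constructed for the example. The point it shows: an explicit Deny anywhere wins, SCPs and a permissions boundary can only cap what identity policies grant, never add to it.

```python
"""Added example: combining identity policies, a permissions boundary and SCPs
for one request. Constructed policies; Effect/Action/Resource only."""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_applies(statement, action, resource):
    """IAM action names are case-insensitive; resource ARNs are not."""
    action_hit = any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
                     for pattern in _as_list(statement["Action"]))
    resource_hit = any(fnmatch.fnmatchcase(resource, pattern)
                       for pattern in _as_list(statement["Resource"]))
    return action_hit and resource_hit


def policy_decision(policy, action, resource):
    """'Deny' if any matching statement denies, 'Allow' if one allows,
    otherwise 'ImplicitDeny'. Explicit deny beats allow inside a policy."""
    decision = "ImplicitDeny"
    for statement in policy["Statement"]:
        if statement_applies(statement, action, resource):
            if statement["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def is_allowed(action, resource, identity_policies, boundary=None, scps=()):
    """The request succeeds only if: no explicit Deny in any applicable policy,
    every SCP allows it, the boundary (if attached) allows it, and at least
    one identity policy allows it. Boundaries and SCPs never grant."""
    everything = list(identity_policies) + list(scps) + ([boundary] if boundary else [])
    if any(policy_decision(p, action, resource) == "Deny" for p in everything):
        return False
    if any(policy_decision(p, action, resource) != "Allow" for p in scps):
        return False
    if boundary and policy_decision(boundary, action, resource) != "Allow":
        return False
    return any(policy_decision(p, action, resource) == "Allow" for p in identity_policies)


# --- constructed policies (hypothetical bucket and account) ----------------
BUCKET = "arn:aws:s3:::team-data"

IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"]},
    {"Effect": "Allow", "Action": "iam:CreateUser", "Resource": "*"},
]}

# Permissions boundary: caps the principal to read-only S3 whatever its
# identity policies say, and silently drops the IAM grant above.
BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
]}

# SCP from the organization: allow everything except making buckets public.
SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["s3:PutBucketPolicy", "s3:PutBucketAcl"], "Resource": "*"},
]}


def run_checks():
    """Return {scenario: allowed?} for the constructed policies."""
    obj = BUCKET + "/report.csv"
    user = "arn:aws:iam::123456789012:user/bob"
    return {
        "get_object": is_allowed("s3:GetObject", obj, [IDENTITY_POLICY], BOUNDARY, [SCP]),
        "put_object_capped_by_boundary": is_allowed("s3:PutObject", obj, [IDENTITY_POLICY], BOUNDARY, [SCP]),
        "create_user_capped_by_boundary": is_allowed("iam:CreateUser", user, [IDENTITY_POLICY], BOUNDARY, [SCP]),
        "bucket_policy_without_scp": is_allowed("s3:PutBucketPolicy", BUCKET, [IDENTITY_POLICY]),
        "bucket_policy_denied_by_scp": is_allowed("s3:PutBucketPolicy", BUCKET, [IDENTITY_POLICY], scps=[SCP]),
    }


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name:32s} {'ALLOW' if ok else 'DENY'}")
```

Note the last two checks: the identity policy alone lets the principal rewrite the bucket policy; attaching the SCP turns that into an explicit Deny that no identity policy can override.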
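Added example for the Security Group vs NACL bullet (not from the original notes): a simulation of one inbound HTTPS connection passing through a subnet NACL and an instance SG. The rule sets and client addresses are constructed. It shows the two things that get tested: NACL rules are evaluated by number, first match wins, and anything unmatched hits the implicit deny; and because the NACL is stateless, the reply to an accepted inbound connection is dropped unless an outbound rule explicitly allows the client's ephemeral port range, while the SG tracks the connection and needs no outbound rule.

```python
"""Added example: stateful Security Group vs stateless NACL, simulated on
constructed rule sets. TCP only; ICMP type/code handling is not modelled."""
import ipaddress
from dataclasses import dataclass

EPHEMERAL_PORTS = (1024, 65535)  # source-port range clients use; replies go back here


@dataclass(frozen=True)
class Rule:
    """One SG or NACL entry. protocol "-1" means all protocols (ports ignored).
    `number` only matters for NACLs; SG rules are unordered and allow-only."""
    protocol: str
    port_from: int
    port_to: int
    cidr: str
    action: str = "allow"
    number: int = 0


def _rule_matches(rule, proto, port, ip):
    if rule.protocol not in ("-1", proto):
        return False
    if rule.protocol != "-1" and not (rule.port_from <= port <= rule.port_to):
        return False
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr)


def nacl_allows(rules, proto, port, ip):
    """Stateless: every packet is matched on its own, lowest rule number first."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _rule_matches(rule, proto, port, ip):
            return rule.action == "allow"
    return False  # AWS's implicit '*' rule: nothing matched, drop the packet


def sg_allows_inbound(rules, proto, port, ip):
    """Stateful: a matching allow rule admits the connection, and the SG then
    tracks it, so the reply is permitted without any outbound rule."""
    return any(_rule_matches(r, proto, port, ip) for r in rules)


def https_connection_completes(sg_inbound, nacl_inbound, nacl_outbound,
                               client_ip, client_port):
    """Trace client -> server:443 and the server -> client reply through the
    subnet NACL and the instance SG."""
    request_ok = (nacl_allows(nacl_inbound, "tcp", 443, client_ip)
                  and sg_allows_inbound(sg_inbound, "tcp", 443, client_ip))
    # Only the stateless NACL must explicitly permit the reply, which leaves
    # the subnet towards the client's ephemeral source port.
    reply_ok = nacl_allows(nacl_outbound, "tcp", client_port, client_ip)
    return request_ok and reply_ok


# --- constructed rule sets -------------------------------------------------
SG_INBOUND = [Rule("tcp", 443, 443, "0.0.0.0/0")]

NACL_INBOUND = [
    Rule("tcp", 443, 443, "198.51.100.0/24", action="deny", number=90),  # blocklisted range
    Rule("tcp", 443, 443, "0.0.0.0/0", action="allow", number=100),
]

# Common mistake: mirroring the inbound rule outbound. Replies go to the
# client's ephemeral port, not to 443, so they fall through to the implicit deny.
NACL_OUTBOUND_BROKEN = [Rule("tcp", 443, 443, "0.0.0.0/0", number=100)]

# Correct: allow the ephemeral range outbound.
NACL_OUTBOUND_FIXED = [Rule("tcp", *EPHEMERAL_PORTS, "0.0.0.0/0", number=100)]


def run_scenarios():
    """Return {scenario: connection completes?} for the constructed rule sets."""
    return {
        "broken_outbound": https_connection_completes(
            SG_INBOUND, NACL_INBOUND, NACL_OUTBOUND_BROKEN, "203.0.113.7", 51234),
        "fixed_outbound": https_connection_completes(
            SG_INBOUND, NACL_INBOUND, NACL_OUTBOUND_FIXED, "203.0.113.7", 51234),
        "denied_by_rule_90": https_connection_completes(
            SG_INBOUND, NACL_INBOUND, NACL_OUTBOUND_FIXED, "198.51.100.9", 51234),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:18s} {'completes' if ok else 'blocked'}")
```

The "broken_outbound" case is the one that bites in practice: the SG alone would have let the reply through, so the symptom (SYN arrives, SYN-ACK never leaves the subnet) is only explained by the NACL's statelessness.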
Design Cost-Optimised Architectures (18%)
Cost questions test whether you know the cheapest option for a given workload pattern. Spot = interruptible (batch/CI); Reserved/Savings Plans = steady-state (1-3 year commitment); On-Demand = short-term unpredictable. S3 lifecycle policies automate tier transitions; don't move objects manually. Data transfer into AWS is free; transfer out to the internet costs; cross-AZ costs 1¢/GB each way.
- EC2 pricing: On-Demand, Reserved (Standard vs Convertible, 1yr/3yr), Spot (up to 90% off, interruptible), Savings Plans
- S3 storage tiers: Standard → Intelligent-Tiering → Standard-IA → One Zone-IA → Glacier Instant → Glacier Flexible → Glacier Deep Archive
- S3 lifecycle policies for automatic tier transitions
- Lambda pricing: pay per request + duration (no idle cost); best for infrequent/unpredictable workloads
- Data transfer costs: avoid cross-AZ traffic (use same-AZ endpoints), use VPC endpoints for S3/DynamoDB
- Spot Instances for fault-tolerant batch jobs, EMR, CI/CD workers