Advanced AWS Networking: Implementing Connectivity Solutions
Implementing a solution on an appropriate network connectivity service (for example, VPC peering, Transit Gateway, VPN connection) to meet network requirements
This guide focuses on the critical decision-making process and implementation details for AWS network connectivity services, specifically tailored for the AWS Certified Advanced Networking Specialty (ANS-C01) exam.
Learning Objectives
After studying this guide, you should be able to:
- Differentiate between VPC Peering, Transit Gateway, and PrivateLink based on technical requirements.
- Explain the concept of transitive routing and why it is absent in VPC Peering.
- Implement hub-and-spoke architectures using AWS Transit Gateway.
- Optimize network throughput by selecting the appropriate network interface (ENI, ENA, EFA).
- Evaluate cost-effective connectivity options for hybrid cloud environments.
Key Terms & Glossary
- Transitive Routing: The ability for traffic to pass through an intermediate network hop (e.g., A -> B -> C). VPC Peering does NOT support this.
- Quotas/Limits: Hard or soft caps on resources, such as the 125 active peering connections per VPC limit.
- VRF (Virtual Routing and Forwarding): Separate routing instances within a Transit Gateway that allow for network segmentation and isolation.
- SD-WAN (Software-Defined Wide Area Network): A decoupled network layer that manages connectivity; often integrated via Transit Gateway Connect.
- Multicast: One-to-many communication; supported by Transit Gateway but not by standard VPC routing or Peering.
The "Big Idea"
As AWS environments grow from a few VPCs to hundreds or thousands across multiple accounts and regions, the connectivity strategy must shift from point-to-point (VPC Peering) to centralized hub-and-spoke (Transit Gateway). The goal is to balance low latency and high performance against the complexity of management and the need for advanced features like multicast or centralized security inspection.
Formula / Concept Box
| Feature | VPC Peering | Transit Gateway (TGW) | PrivateLink |
|---|---|---|---|
| Model | Point-to-Point (Mesh) | Hub-and-Spoke | Provider-Consumer |
| Transitive? | No | Yes | No |
| Throughput | No Aggregate Limit | 50 Gbps per VPC attachment | 10 Gbps+ per endpoint |
| IP Overlaps | Not allowed | Supported (via NAT/Multiple VRFs) | Supported (Native) |
| Complexity | High (at scale) | Centralized | Low (Service specific) |
Hierarchical Outline
- Intra-Region & Inter-Region VPC Connectivity
  - VPC Peering: Direct connection between two VPCs using the AWS backbone.
    - Pros: Low latency, no bandwidth bottlenecks, no single point of failure.
    - Cons: Complexity at scale, non-transitive.
  - AWS Transit Gateway: A regional network transit hub.
    - Pros: Simplifies routing, supports multicast, connects on-premises via VPN/DX.
    - Cons: Hourly attachment costs + data processing fees.
- Hybrid Connectivity (AWS to On-Premises)
  - Site-to-Site VPN: Encrypted IPsec tunnels over the public internet.
  - Direct Connect (DX): Private, dedicated physical connection (1 Gbps, 10 Gbps, 100 Gbps).
  - Transit Gateway Connect: Uses GRE tunnels to integrate SD-WAN appliances.
- Application-Specific Connectivity
  - AWS PrivateLink: Access services privately without exposing traffic to the internet or needing Peering/TGW.
Visual Anchors
Choosing a Connectivity Service
Hybrid Routing Architecture
\begin{tikzpicture}[node distance=2cm, every node/.style={draw, rectangle, align=center, minimum height=1cm}]
  % Boxes, left to right: workload VPC -> TGW hub -> DX Gateway -> on-premises
  \node (vpc) [fill=blue!10] {AWS VPC\\(Workload)};
  \node (tgw) [right of=vpc, xshift=2cm, fill=orange!10] {Transit\\Gateway};
  \node (dxc) [right of=tgw, xshift=2cm, fill=green!10] {Direct Connect\\Gateway};
  \node (onprem) [right of=dxc, xshift=2cm, fill=gray!10] {On-Premises\\Data Center};
  % Edge labels opt out of the boxed default node style
  \draw[<->, thick] (vpc) -- node[above, draw=none] {Attachment} (tgw);
  \draw[<->, thick] (tgw) -- node[above, draw=none] {Association} (dxc);
  \draw[<->, thick, dashed] (dxc) -- node[above, draw=none] {VIF} (onprem);
  \node[draw=none, below of=tgw, yshift=1cm] {\tiny Hub};
\end{tikzpicture}
Definition-Example Pairs
- VPC Peering: A networking connection between two VPCs that enables you to route traffic between them using private IPv4 or IPv6 addresses.
  - Example: A Production VPC needing to access a shared Logging VPC within the same region where the number of connections is small and fixed.
- Transit Gateway Connect: A feature that enables native integration of SD-WAN appliances into AWS.
  - Example: A company uses Cisco or Silver Peak SD-WAN on-premises and wants to extend the same routing fabric into their AWS TGW using GRE tunnels.
- Secondary CIDR: Adding additional IP address ranges to an existing VPC.
  - Example: A VPC is running out of IPs for its Lambda functions; the admin adds 100.64.0.0/16 as a secondary block to expand capacity.
Worked Examples
Scenario: The Transitive Routing Trap
Problem: VPC A is peered with VPC B. VPC B is peered with VPC C. Traffic from VPC A needs to reach VPC C.
Step-by-Step Breakdown:
- Analyze Current State: VPC A -> Peer -> VPC B -> Peer -> VPC C.
- Identify Restriction: AWS VPC Peering is non-transitive. Traffic arriving at VPC B from A cannot be "forwarded" to C.
- Propose Solution 1 (Peering): Create a direct peering connection between VPC A and VPC C.
- Propose Solution 2 (TGW): Replace peering with a Transit Gateway. Attach VPC A, B, and C to the TGW. Traffic will now flow A -> TGW -> C.
- Selection: If there are only 3 VPCs, Peering is cheaper. If there are 50 VPCs, TGW is more manageable.
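To make the trap concrete, here is an added Python model of the two solutions above (example code, not from this guide or from AWS): the VPC names, CIDRs and the "pcx:<peer>" / "tgw" route-target labels are constructed, and non-transitivity is modelled as a peer dropping any packet not addressed to its own CIDR, which is how VPC Peering behaves.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Vpc:
    name: str
    cidr: str
    routes: dict = field(default_factory=dict)  # prefix -> "local" | "pcx:<peer>" | "tgw"
    def contains(self, ip):
        return ipaddress.ip_address(ip) in ipaddress.ip_network(self.cidr)
    def next_hop(self, dst):
        # Longest-prefix match, as a VPC route table does.
        matches = [(ipaddress.ip_network(p), t) for p, t in self.routes.items()
                   if ipaddress.ip_address(dst) in ipaddress.ip_network(p)]
        return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def trace(vpcs, src, dst, tgw_attachments=()):
    # Returns the hops a packet takes from VPC `src` to IP `dst`, or None if it is dropped.
    path, cur = [src], vpcs[src]
    while True:
        if cur.contains(dst):
            return path
        target = cur.next_hop(dst)
        if target and target.startswith("pcx:"):
            nxt = target[4:]
            if not vpcs[nxt].contains(dst):
                return None  # non-transitive: a peer only accepts traffic for its own CIDR
            path.append(nxt)
        elif target == "tgw":
            # The TGW route table forwards to whichever attachment owns the prefix.
            nxt = next((v for v in tgw_attachments if vpcs[v].contains(dst)), None)
            if nxt is None:
                return None
            path += ["tgw", nxt]
        else:
            return None  # no route, or a "local" route for a non-local address
        cur = vpcs[nxt]

def peered_topology():
    # Constructed example: A<->B and B<->C peered, plus a tempting (wrong) route in A for C via B.
    return {
        "A": Vpc("A", "10.0.0.0/16", {"10.0.0.0/16": "local", "10.1.0.0/16": "pcx:B", "10.2.0.0/16": "pcx:B"}),
        "B": Vpc("B", "10.1.0.0/16", {"10.1.0.0/16": "local", "10.0.0.0/16": "pcx:A", "10.2.0.0/16": "pcx:C"}),
        "C": Vpc("C", "10.2.0.0/16", {"10.2.0.0/16": "local", "10.1.0.0/16": "pcx:B"}),
    }

def tgw_topology():
    # Same three VPCs attached to one TGW: each VPC sends 10.0.0.0/8 to the hub.
    cidrs = {"A": "10.0.0.0/16", "B": "10.1.0.0/16", "C": "10.2.0.0/16"}
    return {n: Vpc(n, c, {c: "local", "10.0.0.0/8": "tgw"}) for n, c in cidrs.items()}
```

With the peered topology `trace(peered_topology(), "A", "10.2.0.10")` returns None because VPC B discards traffic for C's CIDR, while `trace(tgw_topology(), "A", "10.2.0.10", tgw_attachments=("A", "B", "C"))` returns the hub path A -> tgw -> C.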
Checkpoint Questions
- True or False: VPC Peering supports multicast traffic within the peered connection.
- What protocol is used by Transit Gateway to exchange routing information with on-premises routers?
- Which network interface should be chosen for high-performance computing (HPC) and MPI applications requiring sub-millisecond latency?
- How does PrivateLink solve the issue of overlapping IP addresses between two companies?
Answers
- False (Only Transit Gateway supports multicast).
- BGP (Border Gateway Protocol).
- Elastic Fabric Adapter (EFA).
- PrivateLink uses NLB and VPC Endpoints; traffic is mapped via service names rather than direct IP routing, making the underlying CIDR irrelevant.
Muddy Points & Cross-Refs
- Peering vs. TGW Cost: Peering has no hourly fee (only data transfer), whereas TGW has an hourly attachment fee + data processing fee ($0.02/GB). For high-volume data replication, Peering is often significantly cheaper.
- MTU Issues: VPC Peering supports jumbo frames (9001 MTU) within a region. Inter-region peering and VPNs typically drop to 1500 MTU. Always verify path MTU to avoid fragmentation.
- Route Propagation: Remember that for VPNs over TGW, BGP propagation must be enabled in the TGW route table, or static routes must be manually added.
Comparison Tables
Network Interfaces Comparison
| Interface | Typical Use Case | Key Characteristic |
|---|---|---|
| ENI | Standard networking | Basic connectivity, management traffic. |
| ENA | High throughput | Supports up to 100 Gbps, enhanced networking. |
| EFA | HPC / Machine Learning | OS-bypass, lowest latency, supports MPI/libfabric. |
Connectivity Scalability
| Requirement | Best Choice | Why? |
|---|---|---|
| 1000+ VPCs | Transit Gateway | Centralized management and transitive routing. |
| 2 VPCs (High Traffic) | VPC Peering | Lowest cost and no throughput bottleneck. |
| Third-party SaaS | PrivateLink | Secure, one-way, handles overlapping IPs. |