AWS Certified Advanced Networking: Hybrid Connectivity and Routing Strategy
Design a routing strategy and connectivity architecture between on-premises networks and the AWS Cloud
This study guide focuses on Domain 1.5: Designing a routing strategy and connectivity architecture between on-premises networks and the AWS Cloud. This is a critical pillar for the ANS-C01 exam, covering how to bridge physical data centers with VPCs using performance, redundancy, and scalability as primary drivers.
Learning Objectives
By the end of this module, you should be able to:
- Differentiate between AWS Site-to-Site VPN and AWS Direct Connect (DX) based on cost, performance, and security requirements.
- Design redundant hybrid architectures using BGP attributes to influence traffic (active/passive vs. active/active).
- Select the appropriate Virtual Interface (VIF) type for various Direct Connect scenarios.
- Integrate SD-WAN solutions using Transit Gateway Connect.
- Optimize network throughput using Jumbo Frames and MTU tuning.
Key Terms & Glossary
- BGP (Border Gateway Protocol): The standard exterior gateway protocol used to exchange routing information between autonomous systems (AS) on the internet and in hybrid AWS setups.
- ASN (Autonomous System Number): A unique identifier for a network on the internet; AWS usually uses 64512–65534 for private ASNs.
- VIF (Virtual Interface): A logical connection on a Direct Connect link. Types include Private (to one VPC), Public (to AWS public endpoints), and Transit (to a Transit Gateway).
- DXGW (Direct Connect Gateway): A grouping of VPCs and/or Transit Gateways that allows a single Direct Connect connection to access resources in multiple AWS Regions.
- LOA-CFA (Letter of Authorization - Connecting Facility Assignment): The document required to permit a service provider to wire your equipment to the AWS port in a Direct Connect location.
- MTU (Maximum Transmission Unit): The size of the largest protocol data unit that can be communicated in a single network layer transaction. AWS supports 1500 (standard) and 9001 (jumbo) bytes.
The "Big Idea"
[!IMPORTANT] Hybrid networking is about extending the trust boundary of your on-premises data center into the AWS Cloud. It treats the VPC not as an isolated island, but as a remote subnet. The goal is a "transparent" network where routing, latency, and security policies are consistent regardless of where the workload resides.
Formula / Concept Box
BGP Path Selection (Simplified for AWS)
When multiple paths exist, AWS prefers routes in this order:
| Priority | Attribute | Description |
|---|---|---|
| 1 | Longest Prefix Match | Most specific CIDR (e.g., /24 over /16). |
| 2 | Local Preference | Higher is preferred (Used to influence outbound traffic from AWS). |
| 3 | AS_PATH | Shorter path is preferred (Influenced via AS_PATH Prepending). |
| 4 | MED (Multi-Exit Discriminator) | Lower is preferred (Used to influence inbound traffic to AWS). |
Hierarchical Outline
- AWS Site-to-Site VPN
- Characteristics: Over the public internet, IPsec encrypted, quick to deploy.
- Routing: Static or Dynamic (BGP).
- Performance: Limited to 1.25 Gbps per tunnel.
- AWS Direct Connect (DX)
- Characteristics: Private physical fiber, consistent performance, bypasses the internet.
- Components: Physical Port (1G, 10G, 100G) → LAG → VIFs.
- Direct Connect Gateway (DXGW): Global reach; connects one DX to up to 10 VPCs across regions.
- Hybrid Routing Hubs
- Transit Gateway (TGW): Regional hub-and-spoke router.
- Transit VIF: Used specifically to connect DX to a TGW.
- Advanced Performance Tuning
- Jumbo Frames: 9001 MTU for DX and VPC Peering; VPN is limited to 1500.
- BFD (Bidirectional Forwarding Detection): Fast sub-second failure detection for BGP.
Visual Anchors (diagrams not reproduced here): Connectivity Flow; Physical Interconnect (Direct Connect)
Definition-Example Pairs
- AS_PATH Prepending: The act of adding your own ASN multiple times to a BGP route advertisement.
- Example: If you have two DX links and want one to be backup, prepend your ASN 3 times on the backup link so AWS sees a "longer" path and chooses the other link instead.
- Public VIF: A Direct Connect interface used to access public AWS services (S3, DynamoDB) without a VPN.
- Example: A financial firm needs to sync 50TB of data to S3 via private fiber to avoid internet latency and transit costs.
- Transit Gateway Connect: A feature that allows for GRE tunnels between a TGW and SD-WAN appliances.
- Example: A company uses Cisco SD-WAN on-prem and wants to extend the fabric into AWS VPCs with high-bandwidth BGP peering over TGW.
Worked Examples
Problem: Active/Passive Failover Design
Scenario: A company has a 10Gbps Direct Connect and a Site-to-Site VPN as backup. They want to ensure traffic only uses the VPN if the DX fails.
Step-by-Step Solution:
- Symmetry: Ensure BGP is configured on both the DX Private VIF and the VPN.
- Inbound to AWS: The DX route is preferred by AWS automatically because a DX route has a higher priority than a VPN route in the VPC route table (Longest Prefix Match being equal).
- Outbound to On-Prem: On the on-premises router, set a higher Local Preference for the routes learned via Direct Connect compared to those learned via VPN.
- Verification: Use `traceroute` from an EC2 instance to an on-prem IP to verify the path through the Virtual Private Gateway (VGW).
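An added example, not part of the original guide, that simulates the simplified BGP path-selection order from the concept box (longest prefix, Local Preference, AS_PATH length, MED) and applies it to this active/passive design: the on-prem side uses the Local Preference setting from the solution above, the AWS side uses the AS_PATH prepending from the definition-example pairs. All RIB entries, link labels, CIDRs and ASNs are constructed placeholders.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Route:
    prefix: str                 # advertised CIDR, e.g. "10.0.0.0/16"
    link: str                   # label of the link the route was learned over
    local_pref: int = 100       # higher wins (set locally by the receiving router)
    as_path: List[int] = field(default_factory=list)  # shorter wins
    med: int = 0                # lower wins

def best_path(dest_ip: str, routes: List[Route]) -> Route:
    """Pick the route used for dest_ip with this guide's simplified order:
    longest prefix, then highest Local Preference, then shortest AS_PATH,
    then lowest MED. Other BGP tie-breakers are deliberately ignored."""
    candidates = [r for r in routes if ip_address(dest_ip) in ip_network(r.prefix)]
    if not candidates:
        raise LookupError(f"no route to {dest_ip}")
    return max(candidates, key=lambda r: (ip_network(r.prefix).prefixlen,
                                           r.local_pref, -len(r.as_path), -r.med))

# Constructed sample RIBs; 64512 (AWS side) and 65001 (on-prem) are private ASN placeholders.
ONPREM_RIB = [  # routes to the VPC CIDR as the on-prem router sees them
    Route("10.0.0.0/16", "dx-private-vif", local_pref=200, as_path=[64512]),
    Route("10.0.0.0/16", "s2s-vpn", local_pref=100, as_path=[64512]),
]
AWS_RIB = [  # on-prem CIDR as AWS sees it over two DX links; backup is prepended 3x
    Route("192.168.0.0/16", "dx-primary", as_path=[65001]),
    Route("192.168.0.0/16", "dx-backup", as_path=[65001] * 4),
]

def onprem_to_aws(dest_ip: str = "10.0.1.10", dx_up: bool = True) -> str:
    """Link the on-prem router uses toward a VPC host; the DX route is withdrawn when DX is down."""
    rib = ONPREM_RIB if dx_up else [r for r in ONPREM_RIB if not r.link.startswith("dx")]
    return best_path(dest_ip, rib).link

def aws_to_onprem(dest_ip: str = "192.168.5.20", extra: Optional[List[Route]] = None) -> str:
    """Link AWS uses toward an on-prem host, optionally with extra advertisements."""
    return best_path(dest_ip, AWS_RIB + (extra or [])).link

def aws_to_onprem_with_leak(dest_ip: str = "192.168.5.20") -> str:
    """Same, but a more-specific /24 is (mistakenly) advertised over the prepended backup link:
    longest prefix match wins before AS_PATH is even compared, so the backup carries the traffic."""
    leak = [Route("192.168.5.0/24", "dx-backup", as_path=[65001] * 4)]  # constructed leak
    return aws_to_onprem(dest_ip, extra=leak)

if __name__ == "__main__":
    print(onprem_to_aws(), onprem_to_aws(dx_up=False), aws_to_onprem(), aws_to_onprem_with_leak())
```

The leak case is the check worth keeping in mind when verifying a design: prepending only protects you while the backup link advertises exactly the same prefixes as the primary.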
Comparison Tables
Connectivity Service Comparison
| Feature | Site-to-Site VPN | Direct Connect (DX) | TGW Connect |
|---|---|---|---|
| Transport | Public Internet | Private Fiber | GRE over TGW/DX/VPN |
| Setup Time | Minutes | Weeks/Months | Minutes (after TGW) |
| Bandwidth | Up to 1.25 Gbps | 1G / 10G / 100G | Up to 20 Gbps (aggregated) |
| Encryption | IPsec (Mandatory) | Optional (MACsec) | GRE (No native encryption) |
| Cost | Low (Hourly + Data) | High (Port + Data) | Moderate |
Checkpoint Questions
- Why would an architect choose a Transit VIF over a Private VIF?
- What BGP attribute should you use to influence how AWS sends traffic to your on-premises network?
- True or False: You can enable Jumbo Frames (9001 MTU) on a Site-to-Site VPN tunnel.
- Which AWS service allows you to share a single Direct Connect connection across multiple AWS accounts?
Answers:
- Use a Transit VIF to connect to a Transit Gateway (supporting thousands of VPCs); Private VIFs connect only to a VGW or DXGW (supporting up to 10 VPCs).
- AS_PATH Prepending (to make a path look longer) or MED.
- False. VPN is limited to 1500 bytes (usually effectively less due to IPsec overhead).
- Direct Connect Gateway (DXGW) combined with AWS Resource Access Manager (RAM) for TGW sharing.
Muddy Points & Cross-Refs
- Public VIF vs. Private VIF: Students often confuse these. Remember: Private is for VPC resources (EC2, RDS). Public is for AWS Public endpoints (S3, DynamoDB, Amazon Connect) reachable via public IPs.
- MTU Mismatch: If on-prem uses 1500 and AWS uses 9001, packets will be dropped or fragmented. Always ensure end-to-end MTU consistency.
- Further Study: Check AWS Documentation on Direct Connect Resiliency Toolkit for high-availability design patterns (High vs. Maximum resiliency).