
AWS Connectivity Architectures: Public and Private Access Strategies

Setting up private access or public access to AWS services (for example, Direct Connect, VPN)


This study guide covers the critical networking patterns required for the AWS Certified Advanced Networking Specialty (ANS-C01) exam, focusing on how to establish secure, performant connections between on-premises environments and AWS services.

Learning Objectives

  • Differentiate between public and private access methods for AWS services.
  • Configure Direct Connect (DX) and Site-to-Site VPN for hybrid connectivity.
  • Evaluate the use cases for AWS PrivateLink to eliminate internet exposure.
  • Understand routing priorities and failover mechanisms in hybrid architectures.
  • Implement Virtual Interfaces (VIFs) based on specific resource requirements.

Key Terms & Glossary

  • VPC Endpoint: A virtual device that enables private connectivity between your VPC and supported AWS services.
  • PrivateLink: A highly available, scalable technology that provides private connectivity between VPCs and services without using public IP addresses.
  • Virtual Private Gateway (VGW): The VPN endpoint on the AWS side of a Site-to-Site VPN connection.
  • Customer Gateway (CGW): A physical device or software application on your side of the Site-to-Site VPN connection.
  • Direct Connect Gateway (DXGW): A grouping of virtual private gateways and transit gateways that can be associated with a Direct Connect connection.
  • Virtual Interface (VIF): A logical connection on a Direct Connect link to access AWS services.

The "Big Idea"

The core of modern AWS networking is the elimination of the public internet from the data path. While public access (IGWs, EIPs) is necessary for consumer-facing apps, enterprise connectivity relies on moving traffic onto the AWS global backbone. Whether through dedicated physical fiber (Direct Connect) or virtualized private endpoints (PrivateLink), the goal is to treat AWS resources as a seamless, private extension of the corporate data center.

Formula / Concept Box

| Attribute        | Site-to-Site VPN               | Direct Connect (DX)                    |
| Max Throughput   | 1.25 Gbps per tunnel           | 1, 10, or 100 Gbps                     |
| Protocol         | IPsec (Encrypted)              | 802.1q VLAN (Not encrypted by default) |
| Routing Priority | Secondary (Lower)              | Primary (Higher via BGP)               |
| Setup Time       | Minutes                        | Weeks/Months                           |
| BGP Limit        | 1000 (Dynamic) / 100 (Static)  | Varies by VIF type                     |

Hierarchical Outline

  1. Public Access Methods
    • Internet Gateway (IGW): Logical connection for IPv4/IPv6 internet traffic.
    • Elastic IP (EIP): Static, public IPv4 addresses for reachability.
    • Edge Services: Route 53 (DNS), CloudFront (CDN), and API Gateway for public entry points.
  2. Hybrid Connectivity (On-Premises to AWS)
    • AWS Direct Connect: Dedicated physical link; supports Public VIF (for S3/Public APIs) and Private VIF (for VPC/EC2).
    • Site-to-Site VPN: IPsec tunnels over the public internet; common as a low-cost backup to DX.
  3. Private Service Access
    • AWS PrivateLink: Uses Interface Endpoints (ENI with Private IP) to access services.
    • Gateway Endpoints: Specific to S3 and DynamoDB; managed via route table entries (no cost).

Visual Anchors

PrivateLink Traffic Flow

This diagram illustrates how traffic from a private subnet reaches an AWS service through an Interface Endpoint over the AWS backbone, with no Internet Gateway or NAT in the path.

\begin{tikzpicture}[node distance=2cm, every node/.style={rectangle, draw, rounded corners, minimum width=2.5cm, minimum height=1cm, align=center}]
  \node (vpc) {Consumer VPC \\ (Private Subnet)};
  \node (endpoint) [right of=vpc, xshift=2cm] {Interface Endpoint \\ (Private IP/ENI)};
  \node (service) [right of=endpoint, xshift=2cm] {AWS Service / \\ Endpoint Service};

  \draw[->, thick] (vpc) -- node[above] {Internal Traffic} (endpoint);
  \draw[->, thick] (endpoint) -- node[above] {AWS Backbone} (service);

  \node[draw=none, below of=endpoint, yshift=1cm] {\textit{No IGW or NAT Required}};
\end{tikzpicture}

Definition-Example Pairs

  • Public VIF: A Direct Connect virtual interface used to access public AWS services (like S3 or Glacier) using the AWS backbone rather than the internet.
    • Example: A media company uses a Public VIF to upload terabytes of video to S3 to avoid high internet egress costs and unpredictable latency.
  • Interface Endpoint: An Elastic Network Interface (ENI) with a private IP address from your subnet's IP range that serves as an entry point for traffic destined for a supported AWS service.
    • Example: A banking application in a private subnet uses an Interface Endpoint to send logs to CloudWatch without ever traversing the public internet.

Worked Examples

Example 1: Configuring DX Failover to VPN

Scenario: You have a 10Gbps Direct Connect and want to ensure connectivity if the physical link is cut.

  1. Setup DX: Establish a Private VIF to a Direct Connect Gateway (DXGW) associated with your VPC's VGW.
  2. Setup VPN: Create a Site-to-Site VPN terminating on the same VGW.
  3. Routing: Advertise the same on-premises prefixes over both DX (BGP) and VPN (BGP).
  4. Result: AWS automatically prefers the DX path (Direct Connect routes rank above VPN routes for the same prefix, and a shorter AS_PATH or a preferred BGP community further favors it). If the DX BGP session drops, the VGW automatically fails over to the VPN tunnel.
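The path selection in steps 3 and 4, modeled as an added Python example (this is not AWS code and not part of the original guide). It assumes the documented Virtual Private Gateway ordering for identical prefixes (Direct Connect BGP, then VPN static, then VPN BGP), that a longer prefix always wins before that ordering is applied, and that among routes of the same origin the shorter AS_PATH wins; the VIF and tunnel names are constructed for the demo.

```python
# Added example, not code from this guide or from AWS. It models the
# Virtual Private Gateway's route selection for a hybrid setup so the
# DX-over-VPN preference and failover in the worked example can be seen.
# Assumed ranking (AWS's documented route-priority order for identical
# prefixes): Direct Connect BGP > VPN static > VPN BGP; a longer (more
# specific) prefix wins before that ranking is applied; among routes of the
# same origin the shorter AS_PATH wins. Next-hop names are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ORIGIN_RANK = {"dx_bgp": 0, "vpn_static": 1, "vpn_bgp": 2}


@dataclass(frozen=True)
class Route:
    prefix: str          # on-premises prefix learned or configured
    origin: str          # one of the ORIGIN_RANK keys
    next_hop: str        # constructed name, e.g. "dx-vif-1" or "vpn-tunnel-1"
    as_path: tuple = ()  # AS numbers on the BGP advertisement, if any


class VirtualPrivateGateway:
    """Collects routes from DX VIFs and VPN tunnels and picks a path."""

    def __init__(self) -> None:
        self.routes: list[Route] = []

    def advertise(self, route: Route) -> None:
        if route.origin not in ORIGIN_RANK:
            raise ValueError(f"unknown route origin {route.origin!r}")
        self.routes.append(route)

    def withdraw(self, next_hop: str) -> None:
        # A dropped BGP session withdraws every route learned over that hop.
        self.routes = [r for r in self.routes if r.next_hop != next_hop]

    def select(self, destination: str) -> Optional[Route]:
        dst = ip_address(destination)
        matches = [r for r in self.routes if dst in ip_network(r.prefix)]
        if not matches:
            return None
        return min(
            matches,
            key=lambda r: (
                -ip_network(r.prefix).prefixlen,  # longest prefix first
                ORIGIN_RANK[r.origin],            # then DX > VPN static > VPN BGP
                len(r.as_path),                   # then shortest AS_PATH
            ),
        )


def failover_demo() -> tuple:
    """Steps 1-4 of the worked example: the same prefix over DX and VPN."""
    vgw = VirtualPrivateGateway()
    vgw.advertise(Route("10.0.0.0/16", "dx_bgp", "dx-vif-1", (65000,)))
    vgw.advertise(Route("10.0.0.0/16", "vpn_bgp", "vpn-tunnel-1", (65000,)))
    before = vgw.select("10.0.5.1").next_hop
    vgw.withdraw("dx-vif-1")  # physical link cut: the DX BGP session drops
    after = vgw.select("10.0.5.1").next_hop
    return before, after


def prepend_demo() -> str:
    """Two DX VIFs carry the same prefix; the on-premises router prepends its
    AS on the backup VIF, so AWS sends traffic to on-premises via the primary."""
    vgw = VirtualPrivateGateway()
    vgw.advertise(Route("10.0.0.0/16", "dx_bgp", "dx-vif-primary", (65000,)))
    vgw.advertise(Route("10.0.0.0/16", "dx_bgp", "dx-vif-backup", (65000, 65000, 65000)))
    return vgw.select("10.0.1.1").next_hop


def longest_prefix_demo() -> str:
    """A more specific VPN static route still beats a broader DX route."""
    vgw = VirtualPrivateGateway()
    vgw.advertise(Route("10.0.0.0/16", "dx_bgp", "dx-vif-1", (65000,)))
    vgw.advertise(Route("10.0.5.0/24", "vpn_static", "vpn-tunnel-1"))
    return vgw.select("10.0.5.1").next_hop


if __name__ == "__main__":
    print("DX, then VPN after failover:", failover_demo())
    print("Prepended backup VIF loses to:", prepend_demo())
    print("More specific VPN static route wins:", longest_prefix_demo())
```

The `longest_prefix_demo` case is the one that surprises people on the exam: the DX-over-VPN rule only applies between routes for the same prefix, so a stray, more specific static route on the VPN side can pull traffic off Direct Connect.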

Checkpoint Questions

  1. Which AWS service allows you to share your own application (hosted behind an NLB) with other AWS accounts privately?
  2. True or False: A Private VIF can be used to access Amazon S3 directly without an IGW.
  3. What is the maximum throughput of a single AWS managed VPN tunnel?
  4. Why is a Direct Connect Gateway required for multi-VPC connectivity over a single Private VIF?
Answers
  1. AWS PrivateLink (Endpoint Services).
  2. False (A Public VIF or a Gateway/Interface Endpoint is required for S3).
  3. 1.25 Gbps.
  4. To allow the VIF to scale across multiple VPCs in different regions or accounts.

Muddy Points & Cross-Refs

  • Public VIF vs. PrivateLink: Students often confuse these. Public VIF is for accessing all public AWS services in a region over Direct Connect. PrivateLink is for accessing specific services via a private IP within your VPC.
  • Gateway vs. Interface Endpoints: S3 and DynamoDB primarily use Gateway Endpoints (free, route-table based). Most other services (EC2 API, Kinesis, etc.) use Interface Endpoints (cost per hour + data processed).

Comparison Tables

VIF Type Comparison

| Feature       | Private VIF                 | Public VIF                        | Transit VIF               |
| Destination   | Single VGW or DXGW          | Public AWS Services (S3, etc.)    | Transit Gateway (TGW)     |
| IP Addressing | Private IPs (RFC 1918)      | Public IPs (Provided by AWS/User) | Private IPs               |
| Use Case      | Accessing EC2/RDS in a VPC  | Bypassing ISP for S3/DynamoDB     | Connecting to 100s of VPCs |

[!IMPORTANT] Direct Connect BGP routes are always preferred over VPN routes. If you need to influence traffic across multi-homed Direct Connect links, use BGP Local Preference on the routes your on-premises router receives from AWS (steering traffic outbound from on-premises) or AS_PATH Prepending on the routes you advertise to AWS (steering traffic outbound from AWS toward on-premises).
