Exam Cram: AWS Hybrid Connectivity & Routing

This sheet covers the critical knowledge for Domain 2.1: Implement routing and connectivity between on-premises networks and the AWS Cloud for the ANS-C01 exam.

Topic Weighting

[!IMPORTANT] This topic is foundational. Expect questions combining Direct Connect (DX) failover, BGP attribute manipulation, and Transit Gateway (TGW) integration.

Key Concepts Summary

1. Connectivity Methods

• AWS Direct Connect (DX): Physical, dedicated connection. Provides consistent performance and bypasses the public internet. High cost, long lead time.
• AWS Site-to-Site VPN: IPsec tunnels over the public internet. Quick to deploy, encrypted, but subject to internet latency/jitter.
• Transit Gateway (TGW): A hub-and-spoke router that simplifies connecting multiple VPCs and on-premises networks.

2. Border Gateway Protocol (BGP)

• eBGP: Used between your on-premises ASN and AWS (usually VGW or TGW).
• ASNs: AWS uses 64512 by default for the AWS side of the VPN. Customer ASNs can be public or private (64512–65534).
• BGP Port: TCP 179.

3. Visual: Hybrid Connectivity Architecture

Common Pitfalls

• Static vs. Dynamic: If a static route and a BGP-learned route for the exact same CIDR exist in a VPC route table, the static route always takes precedence.
• MTU Mismatch: Standard VPN MTU is 1500 bytes. Direct Connect supports Jumbo Frames (9001 bytes), but if the path includes a VPN or certain internet hops, packets will be dropped or fragmented if the MTU isn't adjusted.
• Overlapping CIDRs: AWS does not support routing between overlapping CIDR blocks. Use NAT Gateway or PrivateLink for