Mastering AWS Hybrid Connectivity: Direct Connect, Transit Gateway, and VIFs
Connectivity methods for AWS and hybrid networks (for example, Direct Connect gateway, Transit Gateway, VIFs)
This study guide focuses on the critical infrastructure components required to bridge on-premises data centers with the AWS Cloud, specifically for the AWS Certified Advanced Networking Specialty (ANS-C01) exam.
Learning Objectives
By the end of this module, you should be able to:
- Differentiate between Private, Public, and Transit Virtual Interfaces (VIFs).
- Explain the role of the Direct Connect Gateway (DXGW) in multi-region and multi-account architectures.
- Design a hub-and-spoke network using AWS Transit Gateway (TGW).
- Understand the constraints of BGP routing and traffic hair-pinning in hybrid environments.
Key Terms & Glossary
- Direct Connect (DX): A physical, dedicated network connection from an on-premises facility to an AWS DX location.
- Direct Connect Gateway (DXGW): A global resource that allows you to connect a single DX connection to VPCs in any AWS Region (except China).
- Transit Gateway (TGW): A regional network hub that connects VPCs and on-premises networks through a single entry point.
- BGP (Border Gateway Protocol): The exterior gateway protocol used to exchange routing information between your on-premises router and AWS.
- AS Number (ASN): A unique identifier for an Autonomous System used in BGP routing.
The "Big Idea"
Hybrid connectivity is about extending your private network perimeter into the AWS Cloud. While VPNs provide quick, encrypted tunnels over the public internet, Direct Connect provides consistent performance and reduced bandwidth costs. The Direct Connect Gateway and Transit Gateway act as the "brains" of this extension, managing how thousands of VPCs and multiple on-premises sites talk to each other globally.
Formula / Concept Box
| Feature | Limit / Rule |
|---|---|
| DX Bandwidth | 1 Gbps, 10 Gbps, or 100 Gbps (Dedicated); Sub-1G (Hosted) |
| DXGW Associations | Up to 10 Virtual Private Gateways (VGWs) OR 3 Transit Gateways (TGWs) |
| VPC Support | Up to 500 VPCs can be connected via a single DXGW |
| BGP ASN | AWS side is typically 64512–65534 (Private range) |
Hierarchical Outline
- Physical Layer (Direct Connect)
- Colocation: Physical fiber connection at a DX location.
- LOA/CFA: The authorization document required to complete the "Cross-Connect."
- Logical Layer (Virtual Interfaces - VIFs)
- Private VIF: Connects to a single VPC (via VGW) or multiple VPCs (via DXGW).
- Public VIF: Accesses public AWS services (S3, DynamoDB) without a VPN.
- Transit VIF: Required specifically for connecting DX to a Transit Gateway.
- Gateway Routing Layer
- DXGW: Facilitates multi-region VPC access; does not allow transitive routing between VPCs.
- TGW: Enables transitive routing (VPC-to-VPC) and acts as a central hub for SD-WAN and VPNs.
Visual Anchors
Hybrid Connectivity Flow
Direct Connect Logical Structure
\begin{tikzpicture}
  \draw[thick] (0,0) rectangle (6,1) node[midway] {Physical DX Connection (10 Gbps)};
  \draw[blue, thick] (0.5,1.2) -- (2.5,1.2) node[right] {Private VIF (VPC A)};
  \draw[red, thick] (0.5,1.5) -- (2.5,1.5) node[right] {Public VIF (S3/Public)};
  \draw[green, thick] (0.5,1.8) -- (2.5,1.8) node[right] {Transit VIF (TGW)};
  \draw[dashed] (-0.5,-0.5) rectangle (7,2.5);
  \node at (3.25, -0.8) {Logical VIFs encapsulated in 802.1Q VLANs};
\end{tikzpicture}
Definition-Example Pairs
- Transit VIF: A virtual interface used to connect a Direct Connect connection to a Transit Gateway.
- Example: A company wants to connect its 10 Gbps DX to 50 different VPCs across 3 accounts; it uses a Transit VIF to link the DX to a Transit Gateway for simplified management.
- Hairpinning: Traffic that enters a device and is sent back out the same interface.
- Example: Trying to route traffic from VPC-A to VPC-B through an on-premises router via DXGW. AWS DXGW specifically prevents this; traffic must go VPC-to-VPC via Peering or TGW instead.
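The Transit VIF definition and the hairpinning example above describe the same design choice from two sides: a DXGW alone gives on-premises access to VPCs but never forwards VPC-to-VPC, while a TGW behind a Transit VIF does. The script below is an added example, not part of the study guide, showing the AWS CLI calls that build the TGW path. Every resource id (dxcon-..., vpc-..., subnet-...) is a placeholder supplied through environment variables, and the ASNs, VLAN, link addresses and CIDRs are constructed sample values.

```shell
#!/usr/bin/env bash
# Added example (not from the study guide): attach a DX connection to a Transit
# Gateway via a Transit VIF and let two VPCs reach each other through the TGW.
# IDs are placeholders; ASNs, VLAN, addresses and CIDRs are constructed values.
set -eu

ONPREM_ASN=65000        # constructed: customer BGP ASN
DXGW_ASN=64512          # constructed: AWS-side private ASN for the DXGW
TGW_ASN=64513           # constructed: a different private ASN for the TGW
VLAN=201                # 802.1Q tag carrying the Transit VIF
AMAZON_ADDR="169.254.200.1/30"    # constructed BGP peer addresses
CUSTOMER_ADDR="169.254.200.2/30"
VPC_CIDRS="10.1.0.0/16 10.2.0.0/16"   # constructed: the two VPC ranges on-prem may reach

# Turn a space-separated CIDR list into the shorthand list that
# --add-allowed-prefixes-to-direct-connect-gateway expects: "cidr=A cidr=B".
allowed_prefix_args() {
  out=""
  for c in $1; do
    out="${out:+$out }cidr=$c"
  done
  printf '%s' "$out"
}

# Encode the study guide's forwarding rule for a gateway type.
# Args: gateway (dxgw|tgw) src (vif|vpc) dst (vif|vpc). Prints yes or no.
forwards() {
  case "$1:$2:$3" in
    dxgw:vpc:vpc) echo no ;;   # DXGW will not hairpin VPC-to-VPC traffic
    dxgw:*)       echo yes ;;  # DXGW: on-premises VIF <-> VPC only
    tgw:*)        echo yes ;;  # TGW is transitive between any attachments
    *)            echo no ;;
  esac
}

# Create the regional TGW; prints its id.
create_tgw() {  # args: region asn
  aws ec2 create-transit-gateway --region "$1" \
    --options "AmazonSideAsn=$2" \
    --query 'TransitGateway.TransitGatewayId' --output text
}

# Attach one VPC to the TGW (one subnet id per AZ is enough for the example).
attach_vpc() {  # args: region tgw_id vpc_id subnet_id
  aws ec2 create-transit-gateway-vpc-attachment --region "$1" \
    --transit-gateway-id "$2" --vpc-id "$3" --subnet-ids "$4" \
    --query 'TransitGatewayVpcAttachment.TransitGatewayAttachmentId' --output text
}

# Create the Transit VIF on the DX connection, attached to the DXGW; prints its id.
create_transit_vif() {  # args: connection_id dxgw_id
  aws directconnect create-transit-virtual-interface --connection-id "$1" \
    --new-transit-virtual-interface \
    "virtualInterfaceName=transit-vif,vlan=$VLAN,asn=$ONPREM_ASN,directConnectGatewayId=$2,amazonAddress=$AMAZON_ADDR,customerAddress=$CUSTOMER_ADDR" \
    --query 'virtualInterface.virtualInterfaceId' --output text
}

# Associate the TGW with the DXGW; the allowed prefixes are what on-prem learns via BGP.
associate_tgw() {  # args: dxgw_id tgw_id
  # shellcheck disable=SC2046  # word splitting of the prefix list is intended
  aws directconnect create-direct-connect-gateway-association \
    --direct-connect-gateway-id "$1" --gateway-id "$2" \
    --add-allowed-prefixes-to-direct-connect-gateway $(allowed_prefix_args "$VPC_CIDRS") \
    --query 'directConnectGatewayAssociation.associationState' --output text
}

# Provision only when ids are supplied; helpers above run offline.
if [ -n "${DX_CONNECTION_ID:-}" ]; then
  DXGW_ID=$(aws directconnect create-direct-connect-gateway \
    --direct-connect-gateway-name tgw-dxgw --amazon-side-asn "$DXGW_ASN" \
    --query 'directConnectGateway.directConnectGatewayId' --output text)
  TGW_ID=$(create_tgw us-east-1 "$TGW_ASN")
  attach_vpc us-east-1 "$TGW_ID" "${VPC_A:?}" "${SUBNET_A:?}"
  attach_vpc us-east-1 "$TGW_ID" "${VPC_B:?}" "${SUBNET_B:?}"
  create_transit_vif "$DX_CONNECTION_ID" "$DXGW_ID"
  associate_tgw "$DXGW_ID" "$TGW_ID"
fi
```

With default route table association and propagation left enabled on the TGW, both VPC attachments and the DX attachment share one route table, so VPC A can reach VPC B through the TGW and on-premises reaches both; the `forwards` helper captures the rule that the same VPC-to-VPC path does not exist on a DXGW.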
Worked Examples
Problem: Multi-Region Connectivity
Scenario: A financial firm has a data center in New York and needs private access to VPCs in us-east-1 (Virginia) and eu-west-1 (Ireland).
Step-by-Step Breakdown:
- Establish DX: Provision a 1 Gbps Dedicated Connection in a New York DX location.
- Create DXGW: In the AWS Console, create a Direct Connect Gateway (it is a global object).
- Create Private VIF: Create a Private VIF on the New York DX connection and associate it with the DXGW.
- Associate VGWs: Create Virtual Private Gateways in both the us-east-1 and eu-west-1 VPCs.
- Final Link: Associate both VGWs to the single DXGW. Traffic now flows from NY to both regions over the private fiber.
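The five steps above as AWS CLI calls, added here as an example and not taken from the study guide. The connection id, VPC ids and route table ids are placeholders read from environment variables; the ASNs, VLAN and BGP link addresses are constructed sample values. The two validation helpers apply limits the guide itself states (802.1Q VLAN tags, the 64512 to 65534 private ASN range).

```shell
#!/usr/bin/env bash
# Added example (not from the study guide): the New York to us-east-1 / eu-west-1
# worked example as AWS CLI calls. IDs are placeholders; ASNs, VLAN and addresses
# are constructed sample values.
set -eu

ONPREM_ASN=65000                 # constructed: customer BGP ASN
DXGW_ASN=64512                   # AWS-side private ASN (guide range 64512-65534)
VLAN=101                         # 802.1Q tag carrying the Private VIF
AMAZON_ADDR="169.254.100.1/30"   # constructed BGP peer addresses
CUSTOMER_ADDR="169.254.100.2/30"

# Return 0 when $1 is a legal 802.1Q VLAN tag (1-4094), else 1.
valid_vlan() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# Return 0 when $1 is a 16-bit private ASN in the range the guide cites, else 1.
private_asn() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 64512 ] && [ "$1" -le 65534 ]
}

# Build the shorthand value for --new-private-virtual-interface.
# Args: name vlan customer_asn dxgw_id amazon_addr customer_addr
private_vif_spec() {
  printf 'virtualInterfaceName=%s,vlan=%s,asn=%s,directConnectGatewayId=%s,amazonAddress=%s,customerAddress=%s' \
    "$1" "$2" "$3" "$4" "$5" "$6"
}

# Step 2: create the global Direct Connect gateway; prints its id.
create_dxgw() {  # args: name asn
  aws directconnect create-direct-connect-gateway \
    --direct-connect-gateway-name "$1" --amazon-side-asn "$2" \
    --query 'directConnectGateway.directConnectGatewayId' --output text
}

# Step 3: create the Private VIF on the NY connection, attached to the DXGW.
create_private_vif() {  # args: connection_id spec
  aws directconnect create-private-virtual-interface \
    --connection-id "$1" --new-private-virtual-interface "$2" \
    --query 'virtualInterfaceId' --output text
}

# Step 4: create a VGW in a region, attach it to the VPC and let it propagate
# routes into the VPC route table; prints the VGW id.
create_and_attach_vgw() {  # args: region vpc_id route_table_id
  vgw=$(aws ec2 create-vpn-gateway --region "$1" --type ipsec.1 \
          --query 'VpnGateway.VpnGatewayId' --output text)
  aws ec2 attach-vpn-gateway --region "$1" --vpn-gateway-id "$vgw" --vpc-id "$2" >/dev/null
  aws ec2 enable-vgw-route-propagation --region "$1" --route-table-id "$3" --gateway-id "$vgw"
  echo "$vgw"
}

# Step 5: associate a VGW with the DXGW (the final link); prints the association state.
associate_vgw() {  # args: dxgw_id vgw_id
  aws directconnect create-direct-connect-gateway-association \
    --direct-connect-gateway-id "$1" --gateway-id "$2" \
    --query 'directConnectGatewayAssociation.associationState' --output text
}

# Provision only when a connection id is supplied; the helpers above run offline.
if [ -n "${DX_CONNECTION_ID:-}" ]; then
  valid_vlan "$VLAN" || { echo "VLAN $VLAN is not a valid 802.1Q tag" >&2; exit 1; }
  private_asn "$DXGW_ASN" || { echo "DXGW ASN $DXGW_ASN is outside the private range" >&2; exit 1; }
  DXGW_ID=$(create_dxgw ny-dxgw "$DXGW_ASN")
  SPEC=$(private_vif_spec ny-private-vif "$VLAN" "$ONPREM_ASN" "$DXGW_ID" "$AMAZON_ADDR" "$CUSTOMER_ADDR")
  create_private_vif "$DX_CONNECTION_ID" "$SPEC"
  VGW_USE1=$(create_and_attach_vgw us-east-1 "${VPC_USE1:?}" "${RTB_USE1:?}")
  VGW_EUW1=$(create_and_attach_vgw eu-west-1 "${VPC_EUW1:?}" "${RTB_EUW1:?}")
  associate_vgw "$DXGW_ID" "$VGW_USE1"
  associate_vgw "$DXGW_ID" "$VGW_EUW1"
fi
```

Step 1 (the physical cross-connect and LOA/CFA) has no CLI equivalent and is assumed done. The association calls return `associating` at first; the VIF stays in a pending state until the on-premises router brings up the BGP session on the VLAN and link addresses given in the VIF spec.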
Checkpoint Questions
- Which VIF type is required if you want to use a Transit Gateway with Direct Connect?
- Can two VPCs connected to the same Direct Connect Gateway communicate with each other through that gateway?
- What is the maximum number of Transit Gateways you can associate with a single Direct Connect Gateway?
[!TIP] Answers: 1. Transit VIF. 2. No (DXGW does not support transitive routing). 3. Three.
Muddy Points & Cross-Refs
- DXGW vs. TGW: Students often confuse these. Remember: DXGW is for DX-to-VPC (Global/Multi-region), while TGW is for VPC-to-VPC and VPC-to-VPN/DX (Regional Hub).
- Public VIF Routing: A Public VIF receives ~4,000+ AWS routes via BGP. Ensure your on-premises router has enough memory to handle this routing table.
Comparison Tables
| Feature | Direct Connect Gateway (DXGW) | Transit Gateway (TGW) |
|---|---|---|
| Scope | Global | Regional |
| VPC-to-VPC Routing | No | Yes |
| Max VPCs | 500 | 5,000+ |
| Primary Use Case | Linking DX to multiple regions/accounts | Centralized hub for all networking |
| VIF Type | Private VIF | Transit VIF |