Requirements for Hybrid Connectivity: AWS & On-Premises Integration

Identifying the requirements for hybrid connectivity

This guide outlines the critical requirements, architectural patterns, and implementation strategies for connecting on-premises data centers to the AWS Cloud, specifically tailored for the AWS Certified Advanced Networking Specialty (ANS-C01).

Learning Objectives

By the end of this module, you will be able to:

  • Identify physical and logical requirements for AWS Direct Connect and Site-to-Site VPNs.
  • Configure routing protocols (BGP and Static) to support hybrid traffic flow.
  • Implement hybrid DNS solutions using Route 53 Resolvers and conditional forwarding.
  • Establish security boundaries across hybrid environments using encryption and automated monitoring.
  • Evaluate connectivity options based on bandwidth, latency, and cost-effectiveness.

Key Terms & Glossary

  • ASN (Autonomous System Number): A number identifying a network (autonomous system) in BGP routing. The 16-bit private range is 64512–65534 and the 32-bit private range is 4200000000–4294967294; AWS uses 64512 as the default Amazon-side ASN on a Virtual Private Gateway and lets you pick any private ASN for a Virtual Private Gateway or Direct Connect Gateway.
  • BGP (Border Gateway Protocol): The standard dynamic routing protocol used to exchange reachability information between autonomous systems.
  • LOA-CFA (Letter of Authorization - Connecting Facility Assignment): A document provided by AWS that gives permission to connect a fiber cross-connect in a colocation facility.
  • LAG (Link Aggregation Group): A logical interface that uses the Link Aggregation Control Protocol (LACP) to bundle multiple dedicated Direct Connect connections of the same speed, at the same Direct Connect location, into a single entity.
  • VIF (Virtual Interface): The mechanism for accessing AWS services over Direct Connect (Public, Private, or Transit).
  • SD-WAN (Software-Defined Wide Area Network): An architecture that allows for the integration of multiple connection types (MPLS, LTE, Broadband) into a unified overlay network.

The "Big Idea"

[!IMPORTANT] The core objective of hybrid connectivity is to transform the AWS Cloud into a seamless extension of the local data center. By treating AWS VPCs as additional subnets in the corporate network, organizations can leverage cloud scalability without sacrificing the security, low latency, and deterministic performance of private infrastructure.

Formula / Concept Box

Concept | Metric / Requirement | Note
Standard MTU | 1,500 bytes | Default on Ethernet links, the internet and the outer side of a VPN. The inner MTU of an AWS Site-to-Site VPN tunnel is 1,446 bytes (TCP MSS 1,406) because IPsec headers consume the difference.
Jumbo Frames | 9,001 bytes | Supported on Direct Connect private VIFs (8,500 bytes on transit VIFs); every hop must support it end to end, otherwise rely on PMTUD or MSS clamping.
VPN Throughput | Up to 1.25 Gbps | Per-tunnel limit. Use ECMP across tunnels for more aggregate bandwidth; ECMP requires a Transit Gateway, a Virtual Private Gateway does not load-balance tunnels.
Direct Connect | 1 Gbps, 10 Gbps, 100 Gbps | Dedicated port speeds available at Direct Connect locations; hosted connections from partners are offered in smaller capacities.
BGP ASN | 16-bit or 32-bit | AWS supports both; use a private ASN (64512–65534 or 4200000000–4294967294) for internal peering.

Hierarchical Outline

  1. Physical & Layer 1 Requirements
    • Colocation: Selecting a Direct Connect location and obtaining an LOA-CFA.
    • Hardware: Single-mode fiber, 1000BASE-LX or 10GBASE-LR optics.
    • Redundancy: At least two connections terminating on different AWS devices, preferably in different Direct Connect locations and over different carrier circuits, with a Site-to-Site VPN as a lower-bandwidth fallback path.
  2. Layer 2 & Layer 3 Connectivity
    • VLAN Tagging: 802.1Q encapsulation for traffic segregation.
    • IP Addressing: Non-overlapping CIDR blocks between on-premises networks and VPCs. Overlapping prefixes do not cause loops; they make hosts unreachable, because the VPC's local route always wins for its own CIDR and no route entry can override it.
    • BGP Peering: Configuring MD5 authentication and identifying peer IP addresses.
  3. Hybrid DNS Architecture
    • Inbound Endpoints: Allow on-premises clients to resolve AWS private hosted zones.
    • Outbound Endpoints: Allow EC2 instances to resolve on-premises records via Conditional Forwarders.
  4. Security & Automation
    • Encryption: IPsec (Layer 3) for Site-to-Site VPN, or an IPsec VPN carried over a Direct Connect public VIF; MACsec (Layer 2) on dedicated 10 Gbps and 100 Gbps Direct Connect connections at locations that support it. A plain private VIF carries traffic unencrypted.
    • Governance: Using AWS RAM to share Transit Gateways and Direct Connect Gateways across accounts.

Visual Anchors

Choosing a Connectivity Path (diagram not reproduced in this text version)

Hybrid DNS Resolution Flow (diagram not reproduced in this text version)

Definition-Example Pairs

  • Transit Gateway (TGW): A network hub that acts as a cloud router.
    • Example: A multinational company uses TGW to interconnect 50 VPCs across 3 AWS accounts with a single on-premises Direct Connect link.
  • Conditional Forwarding: A DNS configuration that sends specific domain queries to a specific IP address.
    • Example: A Route 53 Resolver forwarding rule, associated with an outbound endpoint, that sends every query for names under corp.internal to the on-premises Active Directory DNS server at 10.0.0.5.
  • ECMP (Equal-Cost Multi-Path): A routing strategy where next-hop packet forwarding can occur over multiple best paths.
    • Example: Striping traffic across four VPN tunnels (two Site-to-Site VPN connections attached to a Transit Gateway with ECMP enabled) to reach roughly 5 Gbps of aggregate throughput. ECMP hashes per flow, not per packet, so any single flow is still capped at 1.25 Gbps.
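The rule-selection logic behind conditional forwarding, as an added example for this guide (it is not code from the guide or from AWS). Route 53 Resolver applies the most specific matching rule to a query, and a SYSTEM rule for a subdomain lets the VPC resolver answer names that would otherwise be forwarded by a broader FORWARD rule. The rule set, target addresses and query names below are constructed for illustration.

```python
"""Which Route 53 Resolver rule handles a query in a hybrid DNS setup?

Added example for this study guide; not code from the guide or from AWS.
It models the documented selection behaviour: when several rules match a
query name, the rule for the most specific domain (the one with the most
labels) wins. Rules, targets and query names are constructed.
"""

# Rule types as Route 53 Resolver exposes them:
#   FORWARD   - send the query to the listed targets via an outbound endpoint
#   SYSTEM    - let the VPC's Resolver answer (overrides a broader FORWARD rule)
#   RECURSIVE - the built-in default "." rule that catches everything else
RULES = [
    {"domain": "corp.internal", "type": "FORWARD",
     "targets": ["10.0.0.5", "10.0.0.6"]},                          # on-premises AD DNS
    {"domain": "aws.corp.internal", "type": "SYSTEM", "targets": []},  # private hosted zone in AWS
    {"domain": ".", "type": "RECURSIVE", "targets": []},
]


def _labels(name: str) -> list:
    """Split a DNS name into labels, ignoring case and a trailing dot."""
    name = name.strip().rstrip(".").lower()
    return name.split(".") if name else []


def rule_matches(domain: str, qname: str) -> bool:
    """True if qname is the rule's domain or lies beneath it. The comparison
    is label-aligned, so 'notcorp.internal' does not match 'corp.internal'."""
    d, q = _labels(domain), _labels(qname)
    return len(q) >= len(d) and q[len(q) - len(d):] == d


def select_rule(qname: str, rules=RULES) -> dict:
    """Pick the most specific matching rule; the '.' rule always matches."""
    matching = [r for r in rules if rule_matches(r["domain"], qname)]
    return max(matching, key=lambda r: len(_labels(r["domain"])))


def resolve_path(qname: str, rules=RULES) -> tuple:
    """Return ('forward', targets) or ('resolver', []) for a query name."""
    rule = select_rule(qname, rules)
    if rule["type"] == "FORWARD":
        return ("forward", list(rule["targets"]))
    return ("resolver", [])


if __name__ == "__main__":
    for q in ("db.corp.internal", "app.aws.corp.internal",
              "ec2.amazonaws.com", "notcorp.internal."):
        print(q, "->", resolve_path(q))
```

The on-premises side needs the mirror image: a conditional forwarder on the Active Directory DNS servers for aws.corp.internal pointing at the inbound endpoint IPs, so that the SYSTEM rule above is reached from both directions.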

Worked Examples

Example 1: BGP Peer Configuration

Scenario: You need to establish a BGP session for a new Private VIF.

  • On-Prem ASN: 65001
  • AWS ASN: 64512
  • Neighbor IP: 169.254.0.1

Steps:

  1. Configure Router: Enable BGP on the customer router with router bgp 65001.
  2. Define Neighbor: neighbor 169.254.0.1 remote-as 64512. The 169.254.x.x peer addresses and both ASNs come from the VIF details in the AWS console or the downloaded router configuration file.
  3. Activate Authentication: Configure the BGP MD5 password on that neighbor using the key from the AWS configuration file. AWS applies the same key on its side; the session will not reach the Established state if the keys differ.
  4. Advertise Prefixes: network 10.50.0.0 mask 255.255.0.0. The prefix must NOT overlap any VPC CIDR reachable through the VIF, and AWS accepts at most 100 prefixes per BGP session on a private VIF, so advertise summaries rather than every on-premises subnet.
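A pre-flight check for the values in Example 1, as an added example (it is not code from the guide or from AWS). It catches the mistakes that most often keep a new session down or black-hole traffic: equal ASNs, peer addresses on different subnets, advertised prefixes that overlap a VPC CIDR, and too many prefixes for the per-session quota. The VPC CIDR 10.0.0.0/16 and the customer-side peer address 169.254.0.2/30 are assumptions made for illustration.

```python
"""Pre-flight checks for a Direct Connect private VIF BGP session.

Added example for this study guide; it is not code from the guide or from
AWS. It validates the values from Example 1 before they are typed into the
router. The VPC CIDR (10.0.0.0/16) and the customer-side peer address
(169.254.0.2/30) are assumptions made for illustration.
"""
import ipaddress

# RFC 6996 private ASN ranges: 16-bit 64512-65534, 32-bit 4200000000-4294967294.
PRIVATE_ASN_16 = range(64512, 65535)
PRIVATE_ASN_32 = range(4200000000, 4294967295)

# Documented Direct Connect quota for routes advertised to AWS over one
# private VIF BGP session.
MAX_PRIVATE_VIF_PREFIXES = 100


def is_private_asn(asn: int) -> bool:
    return asn in PRIVATE_ASN_16 or asn in PRIVATE_ASN_32


def check_bgp_session(on_prem_asn, aws_asn, local_peer, neighbor_ip,
                      advertised, vpc_cidrs, max_prefixes=MAX_PRIVATE_VIF_PREFIXES):
    """Return a list of problems; an empty list means the values are consistent.

    local_peer is the customer-side peer address with its mask, e.g.
    "169.254.0.2/30"; neighbor_ip is the AWS-side peer address.
    """
    problems = []

    # eBGP needs two different ASNs, and the Amazon side must use a private one.
    if on_prem_asn == aws_asn:
        problems.append("on-premises ASN equals AWS ASN; an eBGP session needs different ASNs")
    if not is_private_asn(aws_asn):
        problems.append(f"AWS-side ASN {aws_asn} is not in a private range")

    # Both peer addresses must sit in the same point-to-point subnet. AWS
    # allocates link-local /30s by default (assumption: defaults are in use).
    local = ipaddress.ip_interface(local_peer)
    neighbor = ipaddress.ip_address(neighbor_ip)
    if neighbor == local.ip:
        problems.append("neighbor IP equals the local peer IP")
    elif neighbor not in local.network:
        problems.append(f"neighbor {neighbor} is outside the peer subnet {local.network}")
    if not neighbor.is_link_local:
        problems.append(f"neighbor {neighbor} is not link-local; confirm custom peer IPs were requested")

    # Advertised prefixes must not overlap any VPC CIDR reachable through the VIF.
    vpcs = [ipaddress.ip_network(c) for c in vpc_cidrs]
    nets = [ipaddress.ip_network(p, strict=False) for p in advertised]
    for net in nets:
        for vpc in vpcs:
            if net.overlaps(vpc):
                problems.append(f"advertised prefix {net} overlaps VPC CIDR {vpc}")

    # AWS caps the number of prefixes accepted per session; summarize if over.
    if len(nets) > max_prefixes:
        problems.append(f"{len(nets)} prefixes exceed the per-session limit of {max_prefixes}")

    return problems


if __name__ == "__main__":
    # Constructed inputs mirroring Example 1: expect an empty list.
    print(check_bgp_session(65001, 64512, "169.254.0.2/30", "169.254.0.1",
                            ["10.50.0.0/16"], ["10.0.0.0/16"]))
    # Advertising 10.0.0.0/8 would swallow the VPC's own CIDR: expect one problem.
    print(check_bgp_session(65001, 64512, "169.254.0.2/30", "169.254.0.1",
                            ["10.0.0.0/8"], ["10.0.0.0/16"]))
```

Run it against the VIF details before touching the router; an overlap reported here is the "session is Established but nothing in the VPC answers" case, since the VPC's local route wins for its own CIDR.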

Checkpoint Questions

  1. What document is required to finalize the physical connection between your router and the AWS Direct Connect patch panel?
  2. Which AWS service allows you to share a single Direct Connect connection across multiple AWS accounts in an organization?
  3. Why would a network engineer choose a Transit VIF over a Private VIF?
  4. If a VPN tunnel is up but no traffic is passing, what is the first thing to check in the VPC route table?

Muddy Points & Cross-Refs

  • MTU Mismatch: A frequent cause of poor performance. Over a Site-to-Site VPN the usable packet size is the tunnel MTU (1,446 bytes on AWS, TCP MSS 1,406), not the 1,500 bytes of the underlying link, because IPsec headers consume the difference. If on-premises hosts send 9,001-byte jumbo frames, those packets are fragmented or, with the DF bit set, dropped, unless Path MTU Discovery works end to end (ICMP "fragmentation needed" messages must not be filtered) or the router clamps TCP MSS on the tunnel interface.
  • BGP Best Path Selection: When the same prefix is learned over both Direct Connect and a VPN, AWS prefers the Direct Connect path regardless of AS_PATH length; AS_PATH length (and then MED) only breaks ties between paths of the same kind, for example two Direct Connect connections. Longest prefix match is evaluated before any of this, so a /24 advertised over the VPN beats a /16 advertised over Direct Connect for that /24.
  • Route Propagation: Bringing a VPN tunnel up does not by itself put routes in the VPC. You must enable route propagation from the Virtual Private Gateway (VGW) on each VPC route table, or add static routes whose target is the VGW. With a Transit Gateway, the equivalent is the attachment's association and propagation in the TGW route table.
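The route-table behaviour described in the three points above, as an added example (not code from the guide or from AWS). It shows that a prefix learned over the VPN is invisible until propagation is enabled, that a more specific prefix wins before any source preference is considered, and that Direct Connect beats VPN for an identical prefix. The source ordering (local, static, Direct Connect BGP, VPN static, VPN BGP, then shorter AS_PATH) is the author's reading of the VPC route-priority documentation and is stated as an assumption; the route table itself is constructed.

```python
"""Route selection in a VPC route table with propagated routes.

Added example for this study guide; not code from the guide or from AWS.
The source ordering in SOURCE_RANK is an assumption based on the VPC
route-priority documentation as the author reads it; the routes are
constructed. A real table shows one target (the VGW) for both the Direct
Connect and the VPN path; the VGW picks between them, which is what the
"source" field models here.
"""
import ipaddress

# Lower rank wins when two routes cover exactly the same prefix.
SOURCE_RANK = {"local": 0, "static": 1, "dx-bgp": 2, "vpn-static": 3, "vpn-bgp": 4}
PROPAGATED = {"dx-bgp", "vpn-bgp"}


def effective_routes(routes, propagation_enabled):
    """Routes the table actually contains: BGP-learned routes appear only
    when VGW route propagation is switched on for this route table."""
    return [r for r in routes
            if propagation_enabled or r["source"] not in PROPAGATED]


def best_route(routes, destination, propagation_enabled=True):
    """Return the winning route dict for an IP, or None (packet is dropped)."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in effective_routes(routes, propagation_enabled)
                  if dst in ipaddress.ip_network(r["prefix"])]
    if not candidates:
        return None
    # 1) longest prefix, 2) route source, 3) shorter AS_PATH among BGP routes
    candidates.sort(key=lambda r: (-ipaddress.ip_network(r["prefix"]).prefixlen,
                                   SOURCE_RANK[r["source"]],
                                   r.get("as_path_len", 0)))
    return candidates[0]


# Constructed route table: the VPC is 10.0.0.0/16; 10.50.0.0/16 is learned
# from the on-premises router over both Direct Connect and VPN, and a more
# specific 10.50.7.0/24 arrives only over the VPN.
ROUTES = [
    {"prefix": "10.0.0.0/16", "target": "local", "source": "local"},
    {"prefix": "10.50.0.0/16", "target": "vgw-0abc123", "source": "dx-bgp", "as_path_len": 1},
    {"prefix": "10.50.0.0/16", "target": "vgw-0abc123", "source": "vpn-bgp", "as_path_len": 1},
    {"prefix": "10.50.7.0/24", "target": "vgw-0abc123", "source": "vpn-bgp", "as_path_len": 1},
]


if __name__ == "__main__":
    print(best_route(ROUTES, "10.50.1.10"))                             # Direct Connect wins
    print(best_route(ROUTES, "10.50.7.10"))                             # /24 over VPN wins (longest prefix)
    print(best_route(ROUTES, "10.50.1.10", propagation_enabled=False))  # None: tunnel up, no route
```

The third call is checkpoint question 4 in code: the tunnel is up, BGP has learned the prefix, and the packet is still dropped because the route table never received the propagated route.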

Comparison Tables

Site-to-Site VPN vs. Direct Connect

Feature | Site-to-Site VPN | Direct Connect
Setup Time | Minutes | Weeks to months (LOA-CFA, cross-connect, carrier circuit)
Cost | Low (hourly connection charge + data transfer) | Higher (port-hour fee + data transfer out, though the per-GB rate is lower than internet data transfer)
Performance | Variable (traverses the public internet) | Consistent (dedicated circuit, predictable latency)
Encryption | IPsec built in | None by default; MACsec on dedicated 10/100 Gbps ports at supporting locations, or an IPsec VPN over a public VIF
Best Use Case | Backup path, small office, quick POC | Production, high-volume data transfer, latency-sensitive traffic such as VoIP

Static vs. Dynamic (BGP) Routing

Feature | Static Routing | Dynamic Routing (BGP)
Management | Manual updates on every change | Paths update automatically as prefixes are advertised or withdrawn
Failover | Manual or script-based | Automatic; sub-second detection with BFD (Direct Connect default: 300 ms interval, multiplier 3)
Scalability | Hard to manage with many VPCs and sites | Handles many sites and VPCs, though AWS accepts at most 100 prefixes per BGP session on a private VIF or VPN connection, so summarize on-premises routes
Complexity | Simple | Requires BGP knowledge (ASNs, prefix filtering, path attributes)
