
Advanced AWS Networking and Hybrid Connectivity: SAP-C02 Study Guide

AWS networking concepts (for example, Amazon Virtual Private Cloud [Amazon VPC], AWS Direct Connect, AWS VPN, transitive routing, AWS container services)

Advanced AWS Networking and Hybrid Connectivity

This guide covers the core networking architectural patterns required for the AWS Certified Solutions Architect - Professional (SAP-C02) exam, focusing on hybrid connectivity, transitive routing, and large-scale VPC management.

Learning Objectives

After studying this guide, you should be able to:

  • Evaluate and select appropriate connectivity options (VPN vs. Direct Connect) based on bandwidth and latency requirements.
  • Design hub-and-spoke network topologies using AWS Transit Gateway.
  • Differentiate between Public, Private, and Transit Virtual Interfaces (VIFs) for Direct Connect.
  • Explain the security implications of Software VPNs versus AWS Managed VPNs.
  • Implement hybrid DNS strategies using Route 53 Resolver.

Key Terms & Glossary

  • Virtual Private Cloud (VPC): A logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define.
  • Transit Gateway (TGW): A network transit hub used to interconnect VPCs and on-premises networks.
  • Customer Gateway (CGW): An AWS resource that provides AWS with information about your on-premises customer gateway device.
  • Virtual Private Gateway (VGW): The VPN endpoint on the Amazon side of a Site-to-Site VPN connection.
  • Direct Connect (DX): A cloud service solution that establishes a dedicated network connection from your premises to AWS.
  • Transitive Routing: The ability to route traffic between two networks through an intermediate network (e.g., VPC A to VPC B via a Transit Gateway).

The "Big Idea"

The "Big Idea" of AWS Networking for Professionals is abstraction and scale. In a simple architecture, VPC Peering or a single VPN is sufficient. However, for a complex organization, networking must be treated as a shared service that provides consistent, low-latency, and secure pathways between thousands of microservices and legacy on-premises data centers. The goal is to move from a "web of connections" to a structured "hub-and-spoke" model that supports centralized monitoring and security controls.

Formula / Concept Box

| Feature | Site-to-Site VPN | AWS Direct Connect |
|---|---|---|
| Transport | Public Internet (IPsec) | Private Fiber/Ethernet |
| Setup Time | Minutes | Weeks to Months |
| Reliability | Variable (best-effort internet) | High (consistent/predictable) |
| Max Throughput | Up to 1.25 Gbps per tunnel | 1, 10, or 100 Gbps |
| Cost | Low hourly rate + Data Transfer | Port hours + High Data Transfer (Out) savings |

Hierarchical Outline

  • I. Hybrid Connectivity
    • AWS Managed VPN: IPsec over internet; uses VGW or TGW.
    • Software VPN: EC2-based; allows full control over the stack but introduces Single Point of Failure (SPOF) risks.
    • AWS Direct Connect (DX): Dedicated physical connection; bypasses the internet.
  • II. Advanced Routing and Interconnectivity
    • Transit Gateway: Centralized router; supports Transitive Routing and simplifies multi-account network management.
    • VPC Peering: Point-to-point connection; non-transitive; low latency.
    • VPC Endpoints: PrivateLink for accessing AWS services without an Internet Gateway.
  • III. Container Networking
    • Amazon ECS/EKS: Integration with VPC subnets via ENIs.
    • Fargate: Serverless compute for containers with native VPC networking.

Visual Anchors

Hub-and-Spoke Topology with Transit Gateway


Direct Connect Architecture (Logic Flow)

\begin{tikzpicture}[node distance=2cm, every node/.style={rectangle, draw, rounded corners, align=center, fill=blue!10}]
  \node (onprem) {On-Premises\\Router};
  \node (loce) [right of=onprem, xshift=2cm] {DX Location\\(Partner/Cage)};
  \node (aws) [right of=loce, xshift=2cm] {AWS Global\\Infrastructure};
  \draw[<->, thick] (onprem) -- node[above] {\small Physical Fiber} (loce);
  \draw[<->, thick] (loce) -- node[above] {\small AWS Internal} (aws);
  \node[draw=none, fill=none, below of=loce, yshift=1cm] {\small (Cross-Connect)};
\end{tikzpicture}

Definition-Example Pairs

  • Public VIF (Virtual Interface): An interface that allows access to public AWS services (like S3 or DynamoDB) over a Direct Connect connection instead of the internet.
    • Example: A bank needs to upload 50 TB of logs to Amazon S3 daily. Using a Public VIF ensures the data never traverses the public internet, satisfying compliance and ensuring high throughput.
  • Private VIF: An interface used to connect a Direct Connect connection to a single VPC via a Virtual Private Gateway (VGW).
    • Example: A developer needs to access an RDS database in a private subnet from a local workstation via a dedicated line.
  • Transit VIF: A specific VIF type used to connect Direct Connect to an AWS Transit Gateway.
    • Example: A corporation with 50 AWS accounts uses a single Direct Connect connection to provide all VPCs with on-premises connectivity through a central Transit Gateway.

Worked Examples

Scenario: High-Availability Hybrid Connectivity

Problem: A company requires a connection between their on-premises data center and AWS that supports 10 Gbps and provides a failover mechanism if the primary line fails.

Step-by-Step Solution:

  1. Primary Connection: Provision a 10 Gbps AWS Direct Connect connection at a specific DX location.
  2. Logical Setup: Create a Transit VIF to connect to a Transit Gateway (TGW) in the main region.
  3. Secondary Connection (Failover):
    • Option A (Cost-Effective): Set up an AWS Site-to-Site VPN as a backup over the public internet.
    • Option B (High Resilience): Provision a second Direct Connect connection at a different DX location for physical redundancy.
  4. Routing: Use BGP (Border Gateway Protocol) with a higher local preference for routes learned over DX, and AS-path prepending on the backup advertisements, so that DX is the primary path and the VPN or second DX is used only during a failure.
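The routing step above can be checked by modelling the BGP decision the on-premises router makes. The following Python is an added example, not code from the study guide or from AWS; the session names (dx-primary, vpn-backup), the ASNs (64512 for the AWS side, 65000 for on-premises) and the prefixes are constructed. It models only the decision steps the scenario relies on: highest LOCAL_PREF wins, then shortest AS_PATH, then lowest MED. Withdrawing the DX session shows the failover to the VPN path, and the AS-path prepending on the backup session shows why the AWS side keeps preferring DX for the on-premises prefix.

```python
"""BGP path selection for the DX-primary / VPN-backup design.

Added illustration; not AWS code and not from the study guide. Session names,
ASNs and prefixes are constructed sample values.
"""
from dataclasses import dataclass

ONPREM_ASN = 65000  # constructed private ASN for the on-premises router
AWS_ASN = 64512     # constructed private ASN for the AWS side


@dataclass(frozen=True)
class Path:
    prefix: str
    session: str        # BGP session the route was learned on
    local_pref: int
    as_path: tuple      # ASNs in the advertised AS_PATH
    med: int = 0


def best_path(paths):
    """Return the winning path, or None when the prefix has no candidates left.
    Order of comparison: highest LOCAL_PREF, shortest AS_PATH, lowest MED."""
    if not paths:
        return None
    return max(paths, key=lambda p: (p.local_pref, -len(p.as_path), -p.med))


class Rib:
    """Routing information base: every path learned for every prefix."""

    def __init__(self):
        self.paths = {}  # prefix -> list of Path

    def learn(self, path):
        self.paths.setdefault(path.prefix, []).append(path)

    def withdraw(self, session):
        """A session going down (link failure, BGP hold timer expiry) removes
        every path learned on it; that is what triggers the failover."""
        for prefix in list(self.paths):
            remaining = [p for p in self.paths[prefix] if p.session != session]
            if remaining:
                self.paths[prefix] = remaining
            else:
                del self.paths[prefix]

    def active_session(self, prefix):
        best = best_path(self.paths.get(prefix, []))
        return best.session if best else None


def prepended_as_path(prepend_count):
    """AS_PATH the on-premises router advertises on a session. Prepending repeats
    its own ASN so the peer sees a longer, less attractive path on that session."""
    return (ONPREM_ASN,) * (1 + prepend_count)


def onprem_rib():
    """Routes for the AWS VPC range as learned by the on-premises router. The DX
    session is given the higher LOCAL_PREF so it wins for as long as it is up."""
    rib = Rib()
    rib.learn(Path("10.0.0.0/16", "dx-primary", local_pref=200, as_path=(AWS_ASN,)))
    rib.learn(Path("10.0.0.0/16", "vpn-backup", local_pref=100, as_path=(AWS_ASN,)))
    return rib


def aws_side_choice():
    """What the AWS side sees for the on-premises prefix when LOCAL_PREF is equal:
    the un-prepended DX advertisement wins on AS_PATH length."""
    candidates = [
        Path("192.168.0.0/16", "dx-primary", local_pref=100, as_path=prepended_as_path(0)),
        Path("192.168.0.0/16", "vpn-backup", local_pref=100, as_path=prepended_as_path(3)),
    ]
    return best_path(candidates).session


if __name__ == "__main__":
    rib = onprem_rib()
    print("normal operation:", rib.active_session("10.0.0.0/16"))  # dx-primary
    rib.withdraw("dx-primary")
    print("after DX failure:", rib.active_session("10.0.0.0/16"))  # vpn-backup
    print("AWS side prefers:", aws_side_choice())                  # dx-primary
```

The second Direct Connect of Option B fits the same model: give it the same LOCAL_PREF as the primary and let AS_PATH or MED break the tie, and withdrawing one session leaves the other selected.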

Checkpoint Questions

  1. What is the main disadvantage of using a Software VPN on EC2 compared to AWS Managed VPN?
  2. Which type of Direct Connect VIF is required to connect to a Transit Gateway?
  3. True or False: VPC Peering is transitive, meaning if VPC A peers with B, and B peers with C, A can talk to C.
  4. What service allows for hybrid DNS resolution between on-premises and AWS?

Answers

  1. Software VPNs introduce a Single Point of Failure (SPOF) and require the user to manage patching, scaling, and high availability.
  2. Transit VIF.
  3. False. VPC Peering is non-transitive.
  4. Amazon Route 53 Resolver (Inbound/Outbound Endpoints).

Muddy Points & Cross-Refs

  • VPC Peering vs. Transit Gateway: Use Peering for simple, high-performance, two-way connections between a few VPCs. Use Transit Gateway for complex, many-to-many connections or when transitive routing is needed (e.g., centralized Inspection VPCs).
  • MTU Limits: Remember that Site-to-Site VPNs typically have an MTU of 1500 bytes (but only support 1399 bytes for the payload due to IPsec overhead), whereas VPC-to-VPC traffic supports Jumbo Frames (9001 bytes).
  • Direct Connect Gateway (DXGW): This is often confused with Transit Gateway. A DXGW is a global resource that allows a Direct Connect connection in one region to access VPCs in any other AWS region (except China).
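The VPC Peering vs. Transit Gateway point (and checkpoint question 3) can be made concrete with a small reachability model. The Python below is an added example, not code from the study guide or from AWS; the VPC names, CIDRs and route table names are constructed. It shows three things: two peerings A-B and B-C never give A a path to C; a Transit Gateway with one shared route table gives every attachment a path to every other (transitive routing); and separate TGW route tables with selective propagation give the centralized control the guide describes, letting prod and dev both reach a shared-services VPC while staying isolated from each other.

```python
"""Reachability under VPC Peering (non-transitive) versus Transit Gateway (transitive).

Added illustration; not code from the study guide or from AWS. VPC names, CIDRs
and route table names are constructed sample values.
"""
from dataclasses import dataclass, field
from ipaddress import ip_network


@dataclass(frozen=True)
class Vpc:
    name: str
    cidr: str


def peering_reachable(peerings, src, dst):
    """VPC Peering is point-to-point: a route can only target the peering that
    directly joins the two VPCs, so no path through a third VPC ever exists."""
    return frozenset({src.name, dst.name}) in {frozenset(p) for p in peerings}


@dataclass
class TransitGateway:
    """Minimal model of a TGW: each attachment is associated with one TGW route
    table, and its CIDR is propagated into the tables listed at attach time."""
    association: dict = field(default_factory=dict)  # vpc name -> route table
    routes: dict = field(default_factory=dict)       # route table -> {network: vpc name}

    def attach(self, vpc, associate_with, propagate_to):
        self.association[vpc.name] = associate_with
        self.routes.setdefault(associate_with, {})
        for table in propagate_to:
            self.routes.setdefault(table, {})[ip_network(vpc.cidr)] = vpc.name

    def lookup(self, table, dst_cidr):
        """Longest-prefix match of a destination against one TGW route table."""
        dst = ip_network(dst_cidr)
        matches = [net for net in self.routes.get(table, {}) if dst.subnet_of(net)]
        if not matches:
            return None
        return self.routes[table][max(matches, key=lambda net: net.prefixlen)]

    def reachable(self, src, dst):
        """The TGW forwards each direction independently, so the sender's table
        needs a route to the receiver and the receiver's table a route back."""
        forward = self.lookup(self.association[src.name], dst.cidr) == dst.name
        back = self.lookup(self.association[dst.name], src.cidr) == src.name
        return forward and back


# Constructed sample topology: prod, shared-services and dev VPCs.
A = Vpc("vpc-a-prod", "10.1.0.0/16")
B = Vpc("vpc-b-shared", "10.2.0.0/16")
C = Vpc("vpc-c-dev", "10.3.0.0/16")

# Peering A<->B and B<->C only; B never relays traffic between A and C.
PEERINGS = {("vpc-a-prod", "vpc-b-shared"), ("vpc-b-shared", "vpc-c-dev")}


def flat_tgw():
    """One shared route table: every attachment can reach every other (full mesh)."""
    tgw = TransitGateway()
    for vpc in (A, B, C):
        tgw.attach(vpc, associate_with="rt-flat", propagate_to=["rt-flat"])
    return tgw


def segmented_tgw():
    """Prod and dev get separate tables; only the shared-services VPC is
    propagated into both, so prod and dev reach shared but not each other."""
    tgw = TransitGateway()
    tgw.attach(A, associate_with="rt-prod", propagate_to=["rt-shared"])
    tgw.attach(C, associate_with="rt-dev", propagate_to=["rt-shared"])
    tgw.attach(B, associate_with="rt-shared", propagate_to=["rt-prod", "rt-dev"])
    return tgw


if __name__ == "__main__":
    print("peering A->C:", peering_reachable(PEERINGS, A, C))     # False
    print("flat TGW A->C:", flat_tgw().reachable(A, C))            # True
    print("segmented TGW A->C:", segmented_tgw().reachable(A, C))  # False
```

The segmented layout is the same mechanism an Inspection VPC design relies on: the route tables, not the attachments, decide which flows are allowed, and the return-path check in reachable() is why a one-sided route (only propagated into prod's table) still leaves the pair unreachable.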

Comparison Tables

VIF Types Comparison

| VIF Type | Use Case | Target Destination |
|---|---|---|
| Private VIF | Connect to a specific VPC | Virtual Private Gateway (VGW) |
| Public VIF | Connect to AWS Public Endpoints | S3, DynamoDB, EC2 Public IPs |
| Transit VIF | Connect to many VPCs | Transit Gateway (TGW) |

[!IMPORTANT] For the SAP-C02 exam, always prioritize Transit Gateway for designs involving 10+ VPCs or complex routing requirements like "Service VPCs" or "Security Inspection VPCs."
