
AWS Networking & DNS: Architecting for Organizational Complexity

AWS networking services and DNS (for example, AWS Direct Connect, AWS Site-to-Site VPN, Amazon Route 53)


This study guide covers the advanced networking strategies required for the AWS Certified Solutions Architect - Professional (SAP-C02) exam, focusing on hybrid connectivity, global traffic management, and multi-account network topology.

Learning Objectives

After studying this module, you should be able to:

  • Evaluate and select appropriate connectivity options between on-premises environments and AWS (VPN vs. Direct Connect).
  • Design hybrid DNS architectures using Amazon Route 53 Resolver to bridge on-premises and cloud namespaces.
  • Architect scalable network topologies using AWS Transit Gateway to manage multi-VPC and multi-account environments.
  • Implement high availability for public and private endpoints using Route 53, Global Accelerator, and Elastic Load Balancing.

Key Terms & Glossary

  • Anycast Routing: A network addressing and routing method in which incoming requests can be routed to a variety of different nodes, with the "closest" or "best" node being selected. (Used by Route 53 and Global Accelerator).
  • BGP (Border Gateway Protocol): The routing protocol used to exchange routing information between autonomous systems on the internet; essential for AWS Direct Connect.
  • VGW (Virtual Private Gateway): The VPN concentrator on the Amazon side of a Site-to-Site VPN connection.
  • Transit Gateway (TGW): A network transit hub used to interconnect Virtual Private Clouds (VPCs) and on-premises networks.
  • Route 53 Resolver Endpoints: Dedicated ENIs that allow DNS queries to flow between AWS VPCs and on-premises DNS servers.

The "Big Idea"

In a professional architectural context, networking is a "one-way door" decision. While you can change instance types easily, changing your core network topology (e.g., migrating from a mesh VPC peering setup to a hub-and-spoke Transit Gateway model) is complex, costly, and disruptive. Successful architecture requires designing a future-proof foundation that balances latency, reliability, and cost.

Formula / Concept Box

| Metric | AWS Site-to-Site VPN | AWS Direct Connect (DX) |
| --- | --- | --- |
| Transport | Public Internet (IPsec) | Private Physical Fiber |
| Setup Time | Minutes/Hours | Weeks/Months |
| Bandwidth | Up to 1.25 Gbps per tunnel | 1, 10, or 100 Gbps (Dedicated) |
| Consistency | Variable (Internet weather) | High (Predictable) |
| Cost Model | Low upfront, hourly fee | High upfront (Port) + Data Transfer Out (Lower rate) |

Hierarchical Outline

  1. Hybrid Connectivity Strategies
    • Site-to-Site VPN: Best for quick setups, encryption over the public internet.
    • Direct Connect (DX): Best for high-volume, consistent performance, and regulatory compliance.
    • DX + VPN: Using VPN over DX for encryption or using VPN as a low-cost backup for DX.
  2. Multi-VPC Networking
    • VPC Peering: One-to-one connection, no transitive routing, best for simple, low-volume connections.
    • Transit Gateway (TGW): Central hub, supports transitive routing, simplifies management for 10+ VPCs.
    • AWS PrivateLink: Connect services across VPCs without traversing the public internet or requiring VPC peering.
  3. Global DNS & Traffic Management
    • Route 53: Public/Private zones, Health Checks, and Routing Policies (Latency, Geoproximity).
    • Route 53 Resolver: Managing hybrid DNS resolution (Inbound/Outbound endpoints).
    • Global Accelerator: Uses the AWS Global Network and static Anycast IPs to improve performance for non-HTTP (and HTTP) traffic.

Visual Anchors

Hybrid Connectivity Decision Flow [diagram not rendered in this copy]

Route 53 Resolver Architecture [diagram not rendered in this copy]

Definition-Example Pairs

  • Transitive Routing: The ability of a network to pass traffic through an intermediate hub to a destination.
    • Example: If VPC A is connected to a Transit Gateway, and that Gateway is connected to VPC B, VPC A can reach VPC B through the hub.
  • Split-View DNS: Configuring the same domain name to resolve to different IP addresses based on the requester's location.
    • Example: api.example.com resolves to a private IP when queried from inside the VPC but to a public ELB address when queried from the internet.
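
The following is an added example, not part of the study guide and not AWS code. It models the two hybrid DNS behaviours just described: Route 53 Resolver rule selection (the rule whose domain is the longest suffix of the query name wins; a FORWARD rule sends the query through the Outbound Resolver Endpoint to on-premises DNS, a SYSTEM rule keeps it in Route 53) and split-view DNS (a private hosted zone shadows the public zone for VPC clients, while internet clients only see the public zone). On-premises clients reach the private zone through the Inbound Resolver Endpoint. The zone data, rule domains and IP addresses are all constructed for the example.

```python
# Added example (not from the study guide or AWS): a model of how names resolve
# in a hybrid DNS design built on Route 53 Resolver endpoints and rules.
# All zone data, rule domains and IP addresses below are constructed.
from dataclasses import dataclass

FORWARD, SYSTEM = "FORWARD", "SYSTEM"


@dataclass(frozen=True)
class ResolverRule:
    domain: str
    rule_type: str            # FORWARD (send to on-prem DNS) or SYSTEM (Route 53 answers)
    target_ips: tuple = ()    # on-prem DNS servers; only FORWARD rules use these


def _norm(name):
    return name.lower().rstrip(".")


@dataclass
class HybridDns:
    rules: list
    private_zone: dict        # Route 53 private hosted zone (VPC-only answers)
    public_zone: dict         # Route 53 public hosted zone
    on_prem_zone: dict        # what the on-prem DNS servers answer

    def match_rule(self, qname):
        """Most-specific (longest-suffix) Resolver rule for qname, or None."""
        q, best = _norm(qname), None
        for rule in self.rules:
            d = _norm(rule.domain)
            if q == d or q.endswith("." + d):
                if best is None or len(d) > len(_norm(best.domain)):
                    best = rule
        return best

    def resolve(self, qname, source):
        """Return (answer, path) for a query from 'vpc', 'onprem' or 'internet'."""
        q = _norm(qname)
        if source == "internet":
            # Internet clients only ever see the public hosted zone.
            return self.public_zone.get(q), "route53-public"
        if source == "onprem":
            # The on-prem conditional forwarder targets the inbound endpoint,
            # which answers like a VPC client would: private zone first, then public.
            if q in self.private_zone:
                return self.private_zone[q], "inbound-endpoint->private-hosted-zone"
            return self.public_zone.get(q), "inbound-endpoint->route53-public"
        if source != "vpc":
            raise ValueError(f"unknown source {source!r}")
        rule = self.match_rule(q)
        if rule is not None and rule.rule_type == FORWARD:
            # Query leaves the VPC through the outbound endpoint to on-prem DNS.
            return self.on_prem_zone.get(q), f"outbound-endpoint->{rule.target_ips[0]}"
        if q in self.private_zone:
            return self.private_zone[q], "private-hosted-zone"
        return self.public_zone.get(q), "route53-public"


def build_demo():
    """Constructed setup: corp.internal lives on-prem, except aws.corp.internal."""
    return HybridDns(
        rules=[
            ResolverRule("corp.internal", FORWARD, ("10.10.0.2", "10.10.0.3")),
            ResolverRule("aws.corp.internal", SYSTEM),   # more specific: stays in AWS
        ],
        private_zone={"api.example.com": "10.0.1.25", "db.aws.corp.internal": "10.0.2.40"},
        public_zone={"api.example.com": "203.0.113.10", "www.example.com": "203.0.113.11"},
        on_prem_zone={"ldap.corp.internal": "10.10.5.20"},
    )


DEMO = build_demo()

if __name__ == "__main__":
    for name, src in [("api.example.com", "vpc"), ("api.example.com", "internet"),
                      ("ldap.corp.internal", "vpc"), ("db.aws.corp.internal", "vpc"),
                      ("api.example.com", "onprem")]:
        print(f"{name:24} from {src:8} -> {DEMO.resolve(name, src)}")
```

Running the block shows api.example.com answering with the private IP from the VPC and the public address from the internet, ldap.corp.internal being forwarded to the first on-prem target, and db.aws.corp.internal staying in AWS because the SYSTEM rule is the more specific match. That last case is the one to check in a real design: a broad FORWARD rule for a corporate domain silently pulls AWS-hosted subdomains on-prem unless a narrower SYSTEM rule carves them out.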

Worked Examples

Scenario: The High-Volume Data Migration

Problem: A financial firm needs to migrate 500TB of data to AWS within a month. They currently have a 100Mbps internet connection.

Solution Breakdown:

  1. Calculate the constraint: 500TB over 100Mbps would take ~460 days. This makes VPN unfeasible.
  2. Selection: Order an AWS Direct Connect 10Gbps connection or use AWS Snowball for the initial bulk migration.
  3. Hybrid Setup: Implement a 10Gbps Direct Connect for ongoing synchronization and a Site-to-Site VPN as a cost-effective backup for critical traffic.
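
As an added example (not from the study guide or AWS), the helper below generalises the arithmetic in step 1: given a data volume and a deadline, it computes the transfer time over each option in the VPN-vs-Direct-Connect comparison (1.25 Gbps per VPN tunnel; 1, 10 or 100 Gbps dedicated DX ports) and returns the lowest-cost option that meets the deadline. The bandwidth figures come from the concept box above; the cost ordering of the options and the optional link-efficiency factor are assumptions made for the example.

```python
# Added example (not from the study guide or AWS): link sizing for a bulk
# migration, generalising the 500 TB / 100 Mbps calculation in the scenario.
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400


def transfer_days(terabytes, mbps, efficiency=1.0):
    """Days to move `terabytes` (decimal TB) over a link of `mbps` megabits/s.

    `efficiency` is an assumed fraction of line rate actually achieved
    (protocol overhead, shared links); 1.0 reproduces the scenario's figure.
    """
    bits = terabytes * 1e12 * 8
    return bits / (mbps * 1e6 * efficiency) / SECONDS_PER_DAY


@dataclass(frozen=True)
class LinkOption:
    name: str
    mbps: float
    cost_rank: int   # 1 = cheapest; assumed ordering for the example


# Bandwidths from the VPN vs. Direct Connect comparison; cost ranks are assumed.
OPTIONS = (
    LinkOption("existing 100 Mbps internet", 100, 1),
    LinkOption("Site-to-Site VPN, one tunnel (1.25 Gbps)", 1_250, 2),
    LinkOption("Direct Connect 1 Gbps", 1_000, 3),
    LinkOption("Direct Connect 10 Gbps", 10_000, 4),
    LinkOption("Direct Connect 100 Gbps", 100_000, 5),
)


def recommend(terabytes, deadline_days, efficiency=1.0):
    """Return (option, days) for the cheapest option meeting the deadline.

    Returns (None, None) if no listed option is fast enough; in practice that
    is the signal to look at an offline transfer such as Snowball instead.
    """
    for opt in sorted(OPTIONS, key=lambda o: o.cost_rank):
        days = transfer_days(terabytes, opt.mbps, efficiency)
        if days <= deadline_days:
            return opt, days
    return None, None


if __name__ == "__main__":
    print(f"500 TB at 100 Mbps: {transfer_days(500, 100):.0f} days")
    for opt in OPTIONS:
        print(f"{opt.name:42} {transfer_days(500, opt.mbps):8.2f} days")
    opt, days = recommend(500, 30)
    print(f"within 30 days: {opt.name} ({days:.2f} days)")
```

For the scenario's numbers the existing link needs about 463 days, a single VPN tunnel about 37 days and a 1 Gbps DX port about 46 days, so the first option that fits a 30-day window is the 10 Gbps Direct Connect, matching step 2. Note that the calculation only covers transfer time; the weeks-to-months provisioning lead time from the concept box still has to be added when judging whether DX alone can meet the deadline.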

Checkpoint Questions

  1. What is the main limitation of VPC Peering when dealing with a hub-and-spoke architecture?
  2. Why would an architect choose Global Accelerator over CloudFront for a gaming application using custom UDP protocols?
  3. To resolve on-premises hostnames from an EC2 instance, which Route 53 Resolver component is required?

[!TIP] Answer Key: 1. No transitive routing. 2. Global Accelerator supports non-HTTP/S (TCP/UDP) traffic. 3. Route 53 Outbound Resolver Endpoint.

Muddy Points & Cross-Refs

  • Direct Connect Gateway vs. Transit Gateway: Use a DX Gateway to connect one DX circuit to multiple VPCs across different regions. Use a Transit Gateway when you need complex routing or inter-VPC communication. They are often used together (DXGW attached to TGW).
  • CloudFront vs. Global Accelerator: Both use edge locations. CloudFront is for content caching (HTTP/S). Global Accelerator is for optimizing the network path to the endpoint (Anycast IPs, TCP/UDP).

Comparison Tables

Inter-VPC Connectivity Options

| Feature | VPC Peering | Transit Gateway | PrivateLink |
| --- | --- | --- | --- |
| Topology | Mesh (1:1) | Hub-and-Spoke | Client/Server (Interface) |
| Scalability | Hard at scale (N*(N-1)/2) | Very High (up to 5000 VPCs) | High (Service-based) |
| Transitive? | No | Yes | No |
| Security | Full CIDR access | Full CIDR access | Port/Service specific |
| Best For | Simple 2-VPC links | Enterprise-wide routing | 3rd party service access |
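
The block below is an added example, not from the study guide or AWS, that models the "Transitive?" and "Scalability" rows of the table: VPC peering as a non-transitive edge (a VPC reaches only the VPCs it is directly peered with, so a hub peered to two spokes does not connect them), and a Transit Gateway as a hub whose route tables decide reachability. It also shows the Transit Gateway route-table segmentation pattern, where spokes are associated with one table and the shared-services VPC with another, so spokes reach shared services but not each other. VPC names, CIDRs and route-table names are constructed.

```python
# Added example (not from the study guide or AWS): reachability model for
# VPC peering (non-transitive) versus a Transit Gateway (transitive, governed
# by route tables). All VPC names, CIDRs and table names are constructed.


def mesh_peering_count(n):
    """Peering connections needed for a full mesh of n VPCs: N*(N-1)/2."""
    return n * (n - 1) // 2


class PeeringFabric:
    """VPC peering: each connection is point-to-point and never forwards on."""

    def __init__(self):
        self.peers = {}   # vpc -> set of directly peered VPCs

    def peer(self, a, b):
        self.peers.setdefault(a, set()).add(b)
        self.peers.setdefault(b, set()).add(a)

    def can_reach(self, src, dst):
        # No transitive routing: only a direct peering carries traffic.
        return dst in self.peers.get(src, set())


class TransitGateway:
    """Hub with route tables; an attachment is associated with one table and
    its CIDR is propagated into the tables it should be reachable from."""

    def __init__(self):
        self.cidr = {}     # attachment -> VPC CIDR
        self.assoc = {}    # attachment -> associated route table
        self.tables = {}   # route table -> {CIDR: attachment}

    def attach(self, vpc, cidr, assoc_table, propagate_to=()):
        self.cidr[vpc] = cidr
        self.assoc[vpc] = assoc_table
        self.tables.setdefault(assoc_table, {})
        for table in propagate_to:
            self.tables.setdefault(table, {})[cidr] = vpc

    def can_reach(self, src, dst):
        # Traffic from src is looked up in src's associated route table;
        # a route to dst's CIDR pointing at dst's attachment means reachable.
        if src not in self.assoc or dst not in self.cidr:
            return False
        return self.tables[self.assoc[src]].get(self.cidr[dst]) == dst


VPCS = {"vpc-a": "10.1.0.0/16", "vpc-b": "10.2.0.0/16", "vpc-shared": "10.0.0.0/16"}


def demo_peering():
    fabric = PeeringFabric()
    fabric.peer("vpc-a", "vpc-shared")
    fabric.peer("vpc-b", "vpc-shared")
    return {"a->shared": fabric.can_reach("vpc-a", "vpc-shared"),
            "a->b": fabric.can_reach("vpc-a", "vpc-b")}   # hub does not forward


def demo_tgw_flat():
    """One route table for everyone: any-to-any through the hub."""
    tgw = TransitGateway()
    for vpc, cidr in VPCS.items():
        tgw.attach(vpc, cidr, assoc_table="flat", propagate_to=("flat",))
    return {"a->shared": tgw.can_reach("vpc-a", "vpc-shared"),
            "a->b": tgw.can_reach("vpc-a", "vpc-b")}


def demo_tgw_segmented():
    """Spokes see only shared services; shared services sees every spoke."""
    tgw = TransitGateway()
    tgw.attach("vpc-a", VPCS["vpc-a"], "spokes", propagate_to=("shared",))
    tgw.attach("vpc-b", VPCS["vpc-b"], "spokes", propagate_to=("shared",))
    tgw.attach("vpc-shared", VPCS["vpc-shared"], "shared", propagate_to=("spokes",))
    return {"a->shared": tgw.can_reach("vpc-a", "vpc-shared"),
            "shared->a": tgw.can_reach("vpc-shared", "vpc-a"),
            "a->b": tgw.can_reach("vpc-a", "vpc-b")}


if __name__ == "__main__":
    print("full mesh of 10 VPCs needs", mesh_peering_count(10), "peerings")
    print("peering:        ", demo_peering())
    print("TGW flat:       ", demo_tgw_flat())
    print("TGW segmented:  ", demo_tgw_segmented())
```

The segmented case is the one worth noticing from a least-privilege standpoint: the table lists both peering and Transit Gateway as "Full CIDR access", but with a Transit Gateway the blast radius between spokes is set by route-table association and propagation, not by the existence of an attachment.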
