Mastering AWS Network Connectivity Strategies (SAP-C02)
Architect network connectivity strategies
Learning Objectives
After studying this guide, you should be able to:
- Evaluate and select appropriate connectivity options for multiple VPCs (Peering vs. Transit Gateway).
- Design resilient hybrid architectures using AWS Direct Connect (DX) and Site-to-Site VPN.
- Calculate IPv4 subnet requirements while accounting for AWS-reserved addresses and future growth.
- Implement high-availability patterns for DNS resolution and service integration using PrivateLink.
- Optimize network performance using Equal Cost Multi-Path (ECMP) and Transit Gateway.
Key Terms & Glossary
- Transit Gateway (TGW): A network transit hub that connects VPCs and on-premises networks through a central managed gateway.
- Direct Connect (DX): A dedicated, private network connection from a corporate data center to AWS, bypassing the public internet.
- AWS PrivateLink: Technology that provides private connectivity between VPCs, AWS services, and on-premises applications without exposing traffic to the public internet.
- Route 53 Resolver: A regional service that enables recursive DNS queries between VPCs and on-premises networks in a hybrid cloud environment.
- ECMP (Equal Cost Multi-Path): A routing strategy that allows for increased bandwidth by balancing traffic across multiple paths (e.g., multiple VPN tunnels).
The "Big Idea"
In a complex organizational environment, network connectivity is the "nervous system" of the architecture. It is not just about moving bits; it is about creating a future-proof, scalable, and resilient topology that balances performance requirements with cost and operational complexity. Choosing a hub-and-spoke model (Transit Gateway) over a mesh model (VPC Peering) is a "one-way door" decision that dictates how the organization scales for years to come.
Formula / Concept Box
| Concept | Rule / Constraint |
|---|---|
| Subnet Reservations | AWS reserves 5 IP addresses per subnet: the first four and the last address of the block (in a /24 these are x.x.x.0, .1, .2, .3 and .255; in a /28 the last reserved address is .15). |
| VPN Bandwidth | Each Site-to-Site VPN tunnel is limited to 1.25 Gbps. |
| Scaling VPN | Total Bandwidth = $1.25\ \text{Gbps} \times n$, where $n$ is the number of tunnels balanced with ECMP. |
| Direct Connect Speed | Available in 1 Gbps, 10 Gbps, or 100 Gbps (Hosted: 50 Mbps to 10 Gbps). |
Hierarchical Outline
- I. Inter-VPC Connectivity
- VPC Peering: Point-to-point, non-transitive, no bottleneck, lowest cost.
- Transit Gateway (TGW): Hub-and-spoke, supports transitive routing, simplifies management at scale.
- II. Hybrid Connectivity
- Site-to-Site VPN: Fast to deploy, encrypted over public internet, 1.25 Gbps limit per tunnel.
- Direct Connect (DX): Consistent performance, high bandwidth, private (not encrypted by default).
- Resiliency Patterns: DX as primary with VPN as cost-effective failover.
- III. Service Integration & DNS
- Interface Endpoints (PrivateLink): Private access to AWS services via ENIs in your subnets.
- Route 53 Resolver: Inbound/Outbound endpoints for hybrid DNS resolution.
- IV. IP Address Management
- CIDR Planning: Ensure non-overlapping blocks across the organization.
- Expansion: Leave room for Elastic Load Balancers (ELB), RDS, and container services.
Visual Anchors
Transit Gateway Hub-and-Spoke Topology
Hybrid Connectivity Architecture
```latex
% Requires \usetikzlibrary{positioning} for the "below=of" placement syntax
\begin{tikzpicture}[node distance=2cm,
    every node/.style={draw, thick, rounded corners, align=center, fill=white}]
  \node (aws) [minimum width=3cm, minimum height=2cm] {AWS Cloud};
  \node (dc)  [below=of aws, minimum width=3cm, minimum height=2cm] {On-Premises Data Center};
  % Primary path: Direct Connect (solid blue)
  \draw [ultra thick, blue, <->] ([xshift=-0.5cm]aws.south) -- ([xshift=-0.5cm]dc.north)
    node [midway, left, draw=none, fill=none] {Direct Connect\\(Primary)};
  % Failover path: Site-to-Site VPN over the internet (dashed red)
  \draw [thick, red, dashed, <->] ([xshift=0.5cm]aws.south) -- ([xshift=0.5cm]dc.north)
    node [midway, right, draw=none, fill=none] {VPN over Internet\\(Failover)};
\end{tikzpicture}
```
Definition-Example Pairs
- Transitive Routing: The ability for traffic to pass through a middle-hop to reach a destination.
- Example: If VPC A is connected to a Transit Gateway, and VPC B is also connected, VPC A can reach VPC B through the TGW without a direct peer.
- Interface VPC Endpoint: A private entry point to an AWS service using an ENI with a private IP address.
- Example: Allowing an EC2 instance in a private subnet to upload files to an S3 bucket without using an Internet Gateway.
- Anycast Routing: A network addressing and routing method in which incoming requests can be routed to a variety of different nodes.
- Example: Route 53 uses Anycast to ensure DNS queries are answered from the closest edge location to the user.
Worked Examples
Example 1: Calculating Usable IPs
Scenario: You create a subnet with a CIDR of 10.0.1.0/28. How many EC2 instances can you launch?
- Step 1: Calculate total addresses in a /28: $2^{32-28} = 2^4 = 16$.
- Step 2: Subtract AWS reserved addresses: $16 - 5 = 11$. Answer: 11 usable IP addresses.
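The subnet arithmetic of Example 1 and the CIDR planning rules in section IV (non-overlapping blocks, headroom for ELB, RDS and containers) can be turned into a small planning helper. The block below is an added example written for this guide, not AWS tooling; it uses only the Python standard library. The role names for the five reserved addresses are the standard AWS ones, while the `growth_factor` default of 2.0 and the sample CIDR blocks are constructed assumptions.

```python
from ipaddress import ip_network
from itertools import combinations

AWS_RESERVED_PER_SUBNET = 5   # first four addresses of the block plus the last one


def reserved_addresses(cidr: str) -> dict:
    """The five addresses AWS reserves in an IPv4 subnet, keyed by their role."""
    net = ip_network(cidr, strict=True)
    addrs = list(net)                        # whole block, network address first
    return {
        "network":    str(addrs[0]),         # x.x.x.0
        "vpc_router": str(addrs[1]),         # x.x.x.1
        "dns":        str(addrs[2]),         # x.x.x.2, Amazon-provided DNS
        "future_use": str(addrs[3]),         # x.x.x.3
        "broadcast":  str(addrs[-1]),        # last address (.255 in a /24); reserved although
    }                                        # AWS does not support broadcast


def usable_ips(cidr: str) -> int:
    """Addresses left for ENIs: 2^(32 - prefix) minus the 5 reserved (not the usual 2)."""
    net = ip_network(cidr, strict=True)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError("AWS VPC subnets must be between /16 and /28")
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


def smallest_subnet_for(hosts_needed: int, growth_factor: float = 2.0) -> int:
    """Longest prefix whose usable count still covers hosts_needed times the growth headroom.

    growth_factor is an assumed planning margin for future ELB/RDS/container ENIs.
    """
    target = int(hosts_needed * growth_factor)
    for prefix in range(28, 15, -1):           # /28 is the smallest AWS allows
        if 2 ** (32 - prefix) - AWS_RESERVED_PER_SUBNET >= target:
            return prefix
    raise ValueError("no single subnet up to /16 is large enough")


def find_overlaps(cidrs: dict) -> list:
    """Pairs of networks whose blocks overlap.

    Overlapping VPCs cannot be peered and their routes collide in a Transit Gateway
    route table, so this check belongs in the organization-wide IP plan.
    """
    nets = {name: ip_network(c, strict=True) for name, c in cidrs.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


if __name__ == "__main__":
    # constructed sample input
    print(usable_ips("10.0.1.0/28"), reserved_addresses("10.0.1.0/28"))
    print(find_overlaps({"prod": "10.0.0.0/16", "dev": "10.0.128.0/17", "shared": "10.1.0.0/16"}))
```

Run it against the organization's CIDR inventory before requesting peerings or TGW attachments; an overlap found here is far cheaper to fix than one discovered after workloads are deployed.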
Example 2: High Bandwidth VPN Failover
Scenario: A company needs 4 Gbps of bandwidth for failover from their Direct Connect. A single VPN tunnel only provides 1.25 Gbps. Solution:
- Deploy an AWS Transit Gateway.
- Establish 4 Site-to-Site VPN connections.
- Enable ECMP (Equal Cost Multi-Path) on the TGW.
- The traffic will be balanced across the 4 tunnels, providing a total aggregate bandwidth of 5 Gbps.
Checkpoint Questions
- What are the 5 specific IP addresses reserved by AWS in every subnet?
- Why is Transit Gateway preferred over VPC Peering for large-scale organizations with hundreds of VPCs?
- If a workload requires consistent 10 Gbps throughput and low latency, which connectivity option should be selected?
- How does AWS PrivateLink improve the security posture of an application?
Muddy Points & Cross-Refs
- Transitive Routing (VPC Peering): A common mistake is assuming VPC Peering is transitive. If VPC A peers with B, and B peers with C, A cannot talk to C. You must use Transit Gateway for this.
- DX vs. DX Gateway: Remember that Direct Connect is the physical/logical link, while the DX Gateway is the global resource that allows a single DX to connect to VPCs in any AWS region.
- Public vs. Private VIFs: A Private Virtual Interface (VIF) is for VPC resources; a Public VIF is for public endpoints like S3 or DynamoDB over Direct Connect.
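The transitive-routing muddy point above (A peers with B, B peers with C, yet A cannot reach C) and the transitive routing definition in the Definition-Example Pairs are easiest to see by evaluating the route tables step by step. The block below is an added example for this guide, not AWS code: it is a simplified model of VPC route tables, peering connections and a Transit Gateway route table that performs longest-prefix lookups the way the guide describes. The VPC names, CIDRs and `pcx-*`/`tgw-*` identifiers are constructed, and the model ignores security groups, NACLs and route propagation details.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Vpc:
    name: str
    cidr: str
    routes: dict = field(default_factory=dict)    # destination CIDR -> "local" | pcx id | tgw id


@dataclass
class Peering:                                    # pcx-*: exactly two VPCs, non-transitive
    a: str
    b: str


@dataclass
class TransitGateway:                             # tgw-*: hub with its own route table
    attachments: set
    routes: dict                                  # destination CIDR -> attached VPC name


@dataclass
class Network:
    vpcs: dict
    peerings: dict = field(default_factory=dict)  # pcx id -> Peering
    tgws: dict = field(default_factory=dict)      # tgw id -> TransitGateway


def longest_prefix_match(routes: dict, dst_ip: str):
    """Route-table lookup: the most specific matching destination wins."""
    ip = ip_address(dst_ip)
    candidates = [(ip_network(cidr), target) for cidr, target in routes.items()
                  if ip in ip_network(cidr)]
    return max(candidates, key=lambda c: c[0].prefixlen)[1] if candidates else None


def reachable(net: Network, src_vpc: str, dst_ip: str) -> bool:
    """One-way check: can a packet sourced in src_vpc be delivered to dst_ip?"""
    src = net.vpcs[src_vpc]
    target = longest_prefix_match(src.routes, dst_ip)
    if target == "local":
        return ip_address(dst_ip) in ip_network(src.cidr)
    if target in net.peerings:
        pcx = net.peerings[target]
        if src_vpc not in (pcx.a, pcx.b):
            return False
        peer = net.vpcs[pcx.b if pcx.a == src_vpc else pcx.a]
        # A peering delivers only traffic addressed to the peer's own CIDR; the peer
        # never forwards it onward over its other peerings (no edge-to-edge routing).
        return ip_address(dst_ip) in ip_network(peer.cidr)
    if target in net.tgws:
        tgw = net.tgws[target]
        if src_vpc not in tgw.attachments:
            return False
        hop = longest_prefix_match(tgw.routes, dst_ip)    # second lookup, in the TGW table
        if hop not in tgw.attachments:
            return False                                  # no route in the hub: dropped
        return ip_address(dst_ip) in ip_network(net.vpcs[hop].cidr)
    return False                                          # no matching route at all


def round_trip(net: Network, src_vpc: str, src_ip: str, dst_vpc: str, dst_ip: str) -> bool:
    """Usable connectivity needs a valid route in both directions."""
    return reachable(net, src_vpc, dst_ip) and reachable(net, dst_vpc, src_ip)


CIDRS = {"A": "10.0.0.0/16", "B": "10.1.0.0/16", "C": "10.2.0.0/16"}   # constructed


def peering_chain() -> Network:
    """A<->B and B<->C peered; A's table even carries a (useless) route to C via pcx-ab."""
    vpcs = {n: Vpc(n, c, {c: "local"}) for n, c in CIDRS.items()}
    vpcs["A"].routes.update({CIDRS["B"]: "pcx-ab", CIDRS["C"]: "pcx-ab"})
    vpcs["B"].routes.update({CIDRS["A"]: "pcx-ab", CIDRS["C"]: "pcx-bc"})
    vpcs["C"].routes.update({CIDRS["B"]: "pcx-bc", CIDRS["A"]: "pcx-bc"})
    return Network(vpcs, peerings={"pcx-ab": Peering("A", "B"), "pcx-bc": Peering("B", "C")})


def tgw_hub() -> Network:
    """All three VPCs attached to one TGW; each VPC sends the 10/8 summary to the hub."""
    vpcs = {n: Vpc(n, c, {c: "local", "10.0.0.0/8": "tgw-1"}) for n, c in CIDRS.items()}
    tgw = TransitGateway(attachments=set(CIDRS), routes={c: n for n, c in CIDRS.items()})
    return Network(vpcs, tgws={"tgw-1": tgw})


if __name__ == "__main__":
    print("peering A->C:", reachable(peering_chain(), "A", "10.2.0.5"))   # False
    print("tgw     A->C:", reachable(tgw_hub(), "A", "10.2.0.5"))         # True
```

The peering case fails even though VPC A holds a route for C's CIDR: the route hands the packet to B, and B's own peering with C does not carry traffic sourced outside B. With the hub, every VPC needs only a single summary route towards the Transit Gateway, which is exactly the management simplification the comparison table credits to TGW.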
Comparison Tables
VPC Peering vs. Transit Gateway
| Feature | VPC Peering | Transit Gateway |
|---|---|---|
| Topology | Mesh (Point-to-Point) | Hub-and-Spoke |
| Management | Difficult at scale | Centralized/Simple |
| Transitive | No | Yes |
| Cost | No hourly charge (Data only) | Hourly charge + Data processing |
| Performance | No aggregate bottleneck | 50 Gbps per VPC attachment |
Security Groups vs. Network ACLs
| Feature | Security Groups | Network ACLs |
|---|---|---|
| Level | Instance (ENI) | Subnet |
| Statefulness | Stateful (Return traffic allowed) | Stateless (Must allow both ways) |
| Rules | Allow rules only | Allow and Deny rules |
| Processing | All rules evaluated | Rules processed in order |
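The table's four rows (instance vs. subnet, stateful vs. stateless, allow-only vs. allow/deny, all-rules vs. in-order) decide whether a connection succeeds, and the stateless row is the one that most often bites in practice. The block below is an added example written for this guide, not AWS code: a small evaluator that applies security-group and network-ACL semantics to an HTTPS request and its reply. The client address, instance address, ports and rule numbers are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

    def reply(self) -> "Packet":
        """The return packet of this flow (addresses and ports swapped)."""
        return Packet(self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


@dataclass(frozen=True)
class Rule:
    proto: str             # "tcp", "udp" or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str
    action: str = "allow"  # NACLs may also carry "deny"; security groups never do
    number: int = 0        # NACL rule number; unused for security groups


def _matches(rule: Rule, pkt: Packet, direction: str) -> bool:
    # inbound rules match the packet's source, outbound rules its destination
    peer = pkt.src_ip if direction == "inbound" else pkt.dst_ip
    return (rule.proto in (pkt.proto, "-1")
            and rule.port_from <= pkt.dst_port <= rule.port_to
            and ip_address(peer) in ip_network(rule.cidr))


class SecurityGroup:
    """Instance (ENI) level, stateful, allow rules only, all rules evaluated."""

    def __init__(self, inbound, outbound):
        self.rules = {"inbound": list(inbound), "outbound": list(outbound)}
        self._tracked = set()                 # connection-tracking table

    def allows(self, pkt: Packet, direction: str) -> bool:
        if pkt.reply() in self._tracked:      # return traffic of an allowed flow
            return True
        if any(_matches(r, pkt, direction) for r in self.rules[direction]):
            self._tracked.add(pkt)
            return True
        return False                          # no rule matched: implicit deny


class NetworkAcl:
    """Subnet level, stateless, allow/deny rules processed in number order."""

    def __init__(self, inbound, outbound):
        self.rules = {"inbound": sorted(inbound, key=lambda r: r.number),
                      "outbound": sorted(outbound, key=lambda r: r.number)}

    def allows(self, pkt: Packet, direction: str) -> bool:
        for rule in self.rules[direction]:    # lowest number first, first match wins
            if _matches(rule, pkt, direction):
                return rule.action == "allow"
        return False                          # the final "*" rule denies everything else


def simulate_https(sg: SecurityGroup, nacl: NetworkAcl) -> dict:
    """Constructed client 203.0.113.10 talks to an instance on TCP 443; trace both directions."""
    request = Packet("203.0.113.10", 50000, "10.0.1.10", 443)
    response = request.reply()
    return {
        "request_in": nacl.allows(request, "inbound") and sg.allows(request, "inbound"),
        "response_out": sg.allows(response, "outbound") and nacl.allows(response, "outbound"),
    }


def weak_nacl() -> NetworkAcl:
    # Mirrors the inbound rule outbound: the reply leaves on an ephemeral port and is dropped
    return NetworkAcl(inbound=[Rule("tcp", 443, 443, "0.0.0.0/0", number=100)],
                      outbound=[Rule("tcp", 443, 443, "0.0.0.0/0", number=100)])


def fixed_nacl() -> NetworkAcl:
    # Stateless: return traffic must be allowed explicitly on the ephemeral port range
    return NetworkAcl(inbound=[Rule("tcp", 443, 443, "0.0.0.0/0", number=100)],
                      outbound=[Rule("tcp", 1024, 65535, "0.0.0.0/0", number=100)])


def web_sg() -> SecurityGroup:
    # No outbound rule at all: the stateful group still lets the reply out
    return SecurityGroup(inbound=[Rule("tcp", 443, 443, "0.0.0.0/0")], outbound=[])


if __name__ == "__main__":
    print(simulate_https(web_sg(), weak_nacl()))    # response_out False
    print(simulate_https(web_sg(), fixed_nacl()))   # response_out True
```

Note that the security group never needed an outbound rule for the reply, while the NACL needed an explicit ephemeral-port allow; and because NACL rules are processed in order, a deny with a lower number blocks a source even when a broader allow follows it, which is how a subnet-level blocklist is layered in front of instance-level allow rules.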