
Study Guide: Evaluating Connectivity Options for Multiple VPCs

This guide explores the architectural strategies for interconnecting multiple Virtual Private Clouds (VPCs) and on-premises environments, focusing on scalability, redundancy, and IP management as required for the AWS Certified Solutions Architect - Professional (SAP-C02) exam.

Learning Objectives

After studying this guide, you should be able to:

  • Differentiate between Many-to-Many Mesh and Hub-and-Spoke network topologies.
  • Describe the benefits and high-availability features of AWS Transit Gateway (TGW).
  • Design resilient hybrid connectivity using AWS Direct Connect (DX) and VPN failover.
  • Implement IP addressing strategies using Amazon VPC IPAM to prevent overlaps and ensure future scalability.
  • Evaluate the use of AWS PrivateLink for secure, service-specific connectivity.

Key Terms & Glossary

  • Transit Gateway (TGW): A network transit hub used to interconnect VPCs and on-premises networks through a central point.
  • Hub-and-Spoke: A topology where a central "hub" (TGW) manages traffic between multiple "spokes" (VPCs/On-prem).
  • Mesh Network: A topology where every VPC is connected to every other VPC directly (e.g., via VPC Peering).
  • IPAM (IP Address Manager): An AWS VPC feature that helps plan, track, and monitor IP addresses.
  • ECMP (Equal-Cost Multi-Pathing): A routing strategy that allows for increased bandwidth by balancing traffic across multiple paths (e.g., multiple VPN tunnels).
  • PrivateLink: A technology that provides private connectivity between VPCs and AWS services or SaaS applications without exposing traffic to the public internet.

The "Big Idea"

Scaling network infrastructure in AWS follows a path from complexity to centralization. While simple VPC Peering works for a few VPCs, it becomes an unmanageable "spaghetti" mesh as the organization grows. Centralization via Transit Gateway is the architectural pivot that enables global scale, consistent security policy enforcement, and operational efficiency.

Formula / Concept Box

Concept               | Rule / Constraint
----------------------|------------------------------------------
Max VPC CIDR Size     | /16 (65,536 addresses)
Min VPC CIDR Size     | /28 (16 addresses)
Reserved IPs          | 5 per subnet (first 4 and last 1)
Mesh Connection Count | n(n-1)/2 connections for n VPCs
Hub-and-Spoke Count   | n connections for n VPCs

Hierarchical Outline

  1. Network Topologies
    • Many-to-Many Mesh: High complexity, exponential connection growth, best for 2-3 VPCs.
    • Hub-and-Spoke (Recommended): Uses TGW, simplifies management, supports thousands of VPCs.
  2. AWS Transit Gateway (TGW)
    • Managed service, inherently highly available across AZs.
    • Supports Transitive Routing (Spoke A to Hub to Spoke B).
    • Centralized monitoring and security compliance.
  3. Hybrid Connectivity Resiliency
    • Direct Connect (DX): Use at least two connections in separate locations for high resiliency.
    • VPN Failover: Cost-effective backup for DX; use ECMP to maximize bandwidth.
    • VPC Endpoints: Use Interface Endpoints (PrivateLink) for redundant, private service access.
  4. IP Address Planning
    • Non-overlapping CIDRs: Mandatory for TGW or Peering connectivity.
    • Growth Buffer: Always size VPCs larger than current needs; /16 is the recommended large block.

Visual Anchors

Topology Comparison

Hybrid Resiliency Model

\begin{tikzpicture}
  \draw[thick] (0,0) rectangle (3,2) node[pos=.5] {Corporate DC};
  \draw[thick] (7,0) rectangle (10,2) node[pos=.5] {AWS Region};
  \draw[blue, thick, ->] (3,1.5) -- (7,1.5) node[midway, above] {Direct Connect (Primary)};
  \draw[red, dashed, ->] (3,0.5) -- (7,0.5) node[midway, below] {Site-to-Site VPN (Backup)};
  \node at (5,-1) {\small Failover configuration using TGW or VGW};
\end{tikzpicture}

Definition-Example Pairs

  • Transitive Routing: The ability for traffic to pass through one network component to reach another. Example: A packet from VPC A goes through the Transit Gateway to reach an On-premises server.
  • CIDR Overlap: When two connected networks use the same IP range. Example: If VPC A and VPC B both use 10.0.0.0/16, they cannot be connected via TGW without NAT workarounds.
  • Interface Endpoint: An ENI with a private IP address in your subnet that serves as the entry point for traffic to a supported service. Example: Connecting to an S3 bucket privately from an EC2 instance without using an Internet Gateway.

Worked Examples

Example 1: Calculating Connectivity Overhead

Scenario: A company has 10 VPCs that all need to communicate with each other.

  • Mesh Approach: Uses VPC Peering. Connections = 10(9)/2 = 45 peering relationships. Each must be managed individually.
  • Hub-and-Spoke: Uses 1 Transit Gateway. Connections = 10 attachments. Management is centralized at the TGW route table.

Example 2: Subnet Calculation

Scenario: You need to create a subnet for a fleet of 100 EC2 instances.

  • Minimum Required IPs: 100 (instances) + 5 (AWS reserved) = 105 IPs.
  • CIDR Selection: A /25 provides 128 IPs. However, to allow for scaling and Elastic Load Balancers, a /24 (256 IPs) is safer.
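As an added example (not part of the study guide), the Python below turns the IP-planning rules into checks using only the standard library: usable hosts after the five AWS-reserved addresses, the smallest subnet that fits a fleet (Example 2), pairwise CIDR overlap detection before attaching VPCs to a TGW (the CIDR Overlap definition), and the mesh vs. hub-and-spoke counts from Example 1. The VPC names and ranges are constructed sample data.

```python
from ipaddress import IPv4Network
from itertools import combinations
from math import ceil, log2

# AWS reserves the network address, VPC router, DNS and one "future use"
# address at the start of every subnet, plus the broadcast address at the end.
AWS_RESERVED_PER_SUBNET = 5


def usable_hosts(subnet: str) -> int:
    """Addresses left for instances after AWS reserves 5 per subnet."""
    return IPv4Network(subnet).num_addresses - AWS_RESERVED_PER_SUBNET


def smallest_prefix_for(hosts: int) -> int:
    """Longest prefix (smallest subnet) that still fits `hosts` usable IPs.
    AWS subnets may be no smaller than /28 and a VPC no larger than /16."""
    needed = hosts + AWS_RESERVED_PER_SUBNET
    prefix = 32 - ceil(log2(needed))
    if prefix > 28:
        prefix = 28  # /28 is the minimum allowed size
    if prefix < 16:
        raise ValueError(f"{hosts} hosts do not fit in a single /16 VPC")
    return prefix


def find_overlaps(cidrs: dict) -> list:
    """Pairs of VPCs whose CIDRs overlap. Any pair listed here cannot be
    connected via TGW or peering without NAT, IPv6 or PrivateLink."""
    nets = {name: IPv4Network(cidr) for name, cidr in cidrs.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]


def connection_counts(n: int) -> tuple:
    """(mesh peering connections, hub-and-spoke TGW attachments) for n VPCs."""
    return n * (n - 1) // 2, n


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical names and ranges)
    vpcs = {"prod": "10.0.0.0/16", "dev": "10.1.0.0/16",
            "shared": "10.0.128.0/17", "onprem": "172.16.0.0/12"}
    print(find_overlaps(vpcs))          # [('prod', 'shared')]
    print(smallest_prefix_for(100))     # 25  (a /25 leaves 123 usable IPs)
    print(usable_hosts("10.0.1.0/24"))  # 251
    print(connection_counts(10))        # (45, 10)
```

Run the overlap check against the full VPC inventory before creating TGW attachments; a non-empty result means the route table would receive conflicting routes.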

Checkpoint Questions

  1. What is the primary disadvantage of a Many-to-Many Mesh topology as the number of VPCs increases?
  2. Which AWS service is managed, highly available by default across multiple AZs, and acts as a central hub for VPCs?
  3. If two VPCs have overlapping IP ranges, what are the three suggested workarounds to enable connectivity?
  4. How many IP addresses does AWS reserve in every subnet for internal use?
Answers
  1. Exponential increase in management complexity and connection count.
  2. AWS Transit Gateway (TGW).
  3. Relying on NATing, switching to IPv6, or using AWS PrivateLink.
  4. Five (5).

Muddy Points & Cross-Refs

  • TGW vs. VPC Peering: Use VPC Peering for simple, high-bandwidth/low-latency connections between two VPCs (no extra cost). Use TGW for complex, multi-VPC, or hybrid architectures.
  • Single Point of Failure: While TGW is managed and highly available, it is logically a single point. Architecture should include multi-region TGW peering for disaster recovery.
  • IPAM Integration: If you are struggling with IP tracking, see the specific documentation for Amazon VPC IP Address Manager to automate allocation.

Comparison Tables

Feature            | VPC Peering             | Transit Gateway      | PrivateLink
-------------------|-------------------------|----------------------|------------------------
Topology           | Point-to-Point (Mesh)   | Hub-and-Spoke        | Client-Server
Transitive Routing | No                      | Yes                  | No
Security           | SG/NACLs                | Central Route Tables | Security Groups on ENI
IP Overlap Support | No                      | No (usually)         | Yes (NAT is inherent)
Scaling            | Difficult (Max 125/VPC) | High (Thousands)     | High (Service-based)

IMPORTANT: When designing for the Professional exam, always prioritize Transit Gateway for enterprise-scale requirements and Direct Connect with VPN Failover for cost-effective high-resiliency hybrid designs.
