Hybrid and Cross-Account Networking

AWS Direct Connect (DX)

Key Features and Benefits

  • Creates a private, dedicated connection from on-premises to AWS without using public internet

  • Works with AWS partners/ISPs to establish physical connections

  • Uses BGP (Border Gateway Protocol) for routing

  • Can connect to VPCs via Virtual Private Gateway (VGW) or Direct Connect Gateway

  • Supports both private and public virtual interfaces

Use Cases

  • Organizations requiring consistent network performance

  • Large dataset transfers where internet data transfer costs would be high

  • Compliance requirements demanding private connectivity

  • Workloads sensitive to network latency

  • Need for predictable network throughput

Considerations

  • Higher cost compared to VPN solutions

  • Long provisioning time (minimum 2+ weeks)

  • Requires working with third-party providers

  • Physical infrastructure dependencies

Direct Connect Gateway

  • Enables connection to multiple VPCs across regions

  • Can connect to up to 3 Virtual Private Gateways or Transit Gateways

  • Provides centralized management of Direct Connect connections

  • Supports private virtual interfaces for VPC access

Site-to-Site VPN

Key Features

  • Quick to deploy compared to Direct Connect

  • Uses IPsec protocol for encrypted communications

  • Operates over public internet

  • Provides two tunnels per connection for redundancy

  • Native AWS monitoring tools available

Components

  • Customer Gateway (CGW) - on-premises endpoint

  • Virtual Private Gateway (VGW) - AWS endpoint

  • VPN Connection - secure tunnel between CGW and VGW

  • Transit Gateway (optional) - for connecting to multiple VPCs

Transit VPC

Transit VPC is a network architecture pattern that creates a centralized hub for connecting multiple VPCs and on-premises locations across different AWS regions and geographic areas.

How Transit VPC Works: A Transit VPC acts as a central routing hub, typically deployed with third-party virtual appliances (like Cisco CSR, Juniper vSRX, or other router/firewall solutions) that handle the routing and connectivity between:

  • Multiple VPCs across different AWS regions

  • On-premises data centers and branch offices

  • Other cloud providers or external networks

Key Characteristics:

  • Hub-and-spoke topology: All traffic flows through the central Transit VPC rather than requiring direct connections between every location

  • Cross-region connectivity: Can connect VPCs in different AWS regions globally

  • Flexible routing: Allows complex routing policies and traffic inspection

  • Third-party integration: Often uses commercial network virtual appliances for advanced features

Use Cases:

  • Organizations with VPCs spread across multiple AWS regions

  • Companies needing to connect hybrid environments (AWS + on-premises + other clouds)

  • Scenarios requiring advanced routing, traffic inspection, or network policies

  • Global enterprises wanting centralized network management

Important Note: While Transit VPC was a popular pattern in the past, AWS now recommends AWS Transit Gateway for most use cases, as it provides similar functionality with less complexity and is fully AWS-managed. Transit VPC is still relevant when you need specific third-party networking features or have complex routing requirements that Transit Gateway doesn't support.

High Availability Configurations

Direct Connect + VPN Backup

  • Primary: Direct Connect

  • Backup: Site-to-Site VPN

  • Automatic failover using BGP routing

  • Provides redundancy at lower cost than dual DX

Dual Direct Connect

  • Two Direct Connect connections from different providers

  • Higher cost but completely private network

  • BGP routing for automatic failover

  • DX Site Link feature for inter-datacenter connectivity

Multi-Region Architecture

  • Transit Gateway peering between regions

  • Direct Connect Gateway for centralized connectivity

  • Multiple Virtual Private Gateways for redundancy

  • Availability Zone redundancy within each region

Exam Tips

  1. Single Points of Failure

  • Identify potential network bottlenecks

  • Understand redundancy requirements

  • Know failover mechanisms (BGP routing)

  • Consider multi-region requirements

  1. Cost vs Performance Trade-offs

  • Direct Connect: Higher cost, better performance, longer setup

  • VPN: Lower cost, variable performance, quick setup

  • Hybrid: Best of both worlds but more complex

  1. Transit Gateway Knowledge

  • Central hub for network connectivity

  • Simplifies complex networking scenarios

  • Supports multiple VPC attachments

  • Enables cross-region connectivity

  1. Direct Connect vs VPN Decision Factors

  • Budget constraints

  • Time requirements

  • Security/compliance needs

  • Performance requirements

  • Data transfer volumes

  1. Scalability Considerations

  • Number of VPCs to connect

  • Regional distribution of resources

  • Future growth requirements

  • Cross-account networking needs

Remember for the exam: You need to be able to design and recommend appropriate hybrid networking solutions based on various business requirements, taking into account factors like security, cost, performance, and high availability.

PreviousEnhanced NetworkingNextAWS Global Accelerator

Last updated

Was this helpful?