Hybrid and Cross-Account Networking

AWS Direct Connect (DX)

Key Features and Benefits

• Creates a private, dedicated connection from on-premises to AWS without using public internet

• Works with AWS partners/ISPs to establish physical connections

• Uses BGP (Border Gateway Protocol) for routing

• Can connect to VPCs via Virtual Private Gateway (VGW) or Direct Connect Gateway

• Supports both private and public virtual interfaces

Use Cases

• Organizations requiring consistent network performance

• Large dataset transfers where internet data transfer costs would be high

• Compliance requirements demanding private connectivity

• Workloads sensitive to network latency

• Need for predictable network throughput

Considerations

• Higher cost compared to VPN solutions

• Long provisioning time (minimum 2+ weeks)

• Requires working with third-party providers

• Physical infrastructure dependencies

Direct Connect Gateway

• Enables connection to multiple VPCs across regions

• Can connect to up to 3 Virtual Private Gateways or Transit Gateways

• Provides centralized management of Direct Connect connections

• Supports private virtual interfaces for VPC access

Site-to-Site VPN

Key Features

• Quick to deploy compared to Direct Connect

• Uses IPsec protocol for encrypted communications

• Operates over public internet

• Provides two tunnels per connection for redundancy

• Native AWS monitoring tools available

Components

• Customer Gateway (CGW) - on-premises endpoint

• Virtual Private Gateway (VGW) - AWS endpoint

• VPN Connection - secure tunnel between CGW and VGW

• Transit Gateway (optional) - for connecting to multiple VPCs

High Availability Configurations

Direct Connect + VPN Backup

• Primary: Direct Connect

• Backup: Site-to-Site VPN

• Automatic failover using BGP routing

• Provides redundancy at lower cost than dual DX

Dual Direct Connect

• Two Direct Connect connections from different providers

• Higher cost but completely private network

• BGP routing for automatic failover

• DX Site Link feature for inter-datacenter connectivity

Multi-Region Architecture

• Transit Gateway peering between regions

• Direct Connect Gateway for centralized connectivity

• Multiple Virtual Private Gateways for redundancy

• Availability Zone redundancy within each region

Exam Tips

1. Single Points of Failure

• Identify potential network bottlenecks

• Understand redundancy requirements

• Know failover mechanisms (BGP routing)

• Consider multi-region requirements

1. Cost vs Performance Trade-offs

• Direct Connect: Higher cost, better performance, longer setup

• VPN: Lower cost, variable performance, quick setup

• Hybrid: Best of both worlds but more complex

1. Transit Gateway Knowledge

• Central hub for network connectivity

• Simplifies complex networking scenarios

• Supports multiple VPC attachments

• Enables cross-region connectivity

1. Direct Connect vs VPN Decision Factors

• Budget constraints

• Time requirements

• Security/compliance needs

• Performance requirements

• Data transfer volumes

1. Scalability Considerations

• Number of VPCs to connect

• Regional distribution of resources

• Future growth requirements

• Cross-account networking needs

Remember for the exam: You need to be able to design and recommend appropriate hybrid networking solutions based on various business requirements, taking into account factors like security, cost, performance, and high availability.