Hybrid Networking: VPN & Direct Connect
In the AWS ecosystem, hybrid networking enables seamless communication between on-premises data centers and the AWS Cloud. For the SAA-C03 exam, you must understand when to prioritize speed and reliability over cost and implementation time.
The Commute Analogy
AWS Site-to-Site VPN: Imagine driving to work on a public highway. It’s free to use (mostly), but traffic (internet congestion) can make your commute unpredictable. You are safe because you are in an armored car (encryption), but you’re still sharing the road.
AWS Direct Connect: This is like having a private high-speed rail line built directly from your house to your office. No one else can use it, the speed is constant, and there is no traffic. It costs more to build, but it’s the most reliable way to travel.
Core Concepts & Well-Architected Lens
1. Reliability & Performance
AWS Site-to-Site VPN uses the public internet. While encrypted, it is subject to the inherent volatility of the web. Direct Connect (DX) provides a dedicated physical fiber connection, bypassing the internet entirely for consistent low-latency performance.
2. Security
VPNs provide IPsec encryption by default. Direct Connect, while private, is not encrypted in transit by default. For the exam, if a scenario requires both a private physical connection AND encryption, the solution is “VPN over Direct Connect.”
3. Cost Optimization
VPNs have low hourly costs and are great for low-bandwidth needs. Direct Connect has high fixed costs (port fees) but offers significantly lower Data Transfer Out (DTO) rates, making it more cost-effective for high-volume data migrations.
Comparison: VPN vs. Direct Connect
| Feature | AWS Site-to-Site VPN | AWS Direct Connect |
|---|---|---|
| Connection Type | Public Internet (IPsec) | Private Physical Fiber |
| Setup Time | Minutes | Weeks to Months |
| Max Bandwidth | Up to 1.25 Gbps per tunnel | 1, 10, or 100 Gbps |
| Consistency | Variable (Internet jitter) | Highly Consistent |
| Best Use Case | Quick setup, low cost, backup | High volume, low latency |
Decision Matrix (If/Then)
- IF you need a connection immediately for a short-term project THEN use Site-to-Site VPN.
- IF you need to transfer 100TB of data daily with consistent latency THEN use Direct Connect.
- IF you need a secure, private connection to multiple VPCs in different regions THEN use Direct Connect Gateway.
- IF your Direct Connect fails and you need a cheap failover THEN use Site-to-Site VPN.
Exam Tips: Golden Nuggets
- The 1.25 Gbps Limit: A single VPN tunnel is capped at 1.25 Gbps. Use Equal Cost Multi-Path (ECMP) routing to aggregate multiple tunnels if more bandwidth is needed.
- Direct Connect Redundancy: For “High Availability,” the exam wants to see TWO Direct Connect locations, not just two ports in one location.
- Public Virtual Interface (VIF): Use this to access public AWS services (S3, DynamoDB) over Direct Connect without using the internet.
- Private VIF: Use this to access your VPC resources (EC2, RDS) using private IP addresses.
Hybrid Connectivity Architecture
Key Services
- Customer Gateway (CGW): The physical/software appliance on your side.
- Virtual Private Gateway (VGW): The anchor on the AWS side.
- Direct Connect Gateway: Connects one DX to multiple VPCs across regions.
Common Pitfalls
- Assuming DX is encrypted (it isn’t by default).
- Overlooking the 72-hour lead time for DX cross-connects.
- Using static routing when BGP is required for redundancy.
Quick Patterns
- Max Resiliency: 2 DX Connections + 2 DX Locations.
- Cost-Effective Failover: 1 DX + 1 Site-to-Site VPN.
- Global Reach: DX Gateway + Transit Gateway.
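The "Cost-Effective Failover" pattern above (1 DX + 1 Site-to-Site VPN), wired together from the Key Services (CGW, VGW, DX Gateway) with BGP rather than static routes, as an added Terraform example that is not part of the original notes or of any AWS sample. The VPC id, Direct Connect connection id, on-premises public IP, VLAN and ASNs are placeholders or constructed values, and an existing Direct Connect connection is assumed.

```hcl
variable "vpc_id"           { default = "vpc-PLACEHOLDER" }
variable "dx_connection_id" { default = "dxcon-PLACEHOLDER" }
variable "onprem_public_ip" { default = "203.0.113.10" }   # constructed sample
variable "onprem_bgp_asn"   { default = 65000 }            # constructed sample

# Virtual Private Gateway (VGW): the AWS-side anchor shared by both paths.
resource "aws_vpn_gateway" "vgw" {
  vpc_id = var.vpc_id
}

# Customer Gateway (CGW): the on-premises appliance, with its BGP ASN.
resource "aws_customer_gateway" "cgw" {
  bgp_asn    = var.onprem_bgp_asn
  ip_address = var.onprem_public_ip
  type       = "ipsec.1"
}

# Site-to-Site VPN over the internet as the backup path. static_routes_only
# = false selects BGP, so failover needs no manual route changes.
resource "aws_vpn_connection" "backup" {
  vpn_gateway_id      = aws_vpn_gateway.vgw.id
  customer_gateway_id = aws_customer_gateway.cgw.id
  type                = "ipsec.1"
  static_routes_only  = false
}

# Direct Connect Gateway: terminates the DX path and can fan out to VPCs
# in multiple regions. Its ASN is kept distinct from the VGW's (64512).
resource "aws_dx_gateway" "dxgw" {
  name            = "hybrid-dxgw"
  amazon_side_asn = "64520"
}

# Private VIF on the existing DX connection (private IPs into the VPC).
resource "aws_dx_private_virtual_interface" "private_vif" {
  connection_id  = var.dx_connection_id
  name           = "onprem-private-vif"
  vlan           = 100
  address_family = "ipv4"
  bgp_asn        = var.onprem_bgp_asn
  dx_gateway_id  = aws_dx_gateway.dxgw.id
}

# Associating the DX Gateway with the VGW gives the VPC on-prem prefixes over
# DX. When the same prefixes also arrive over the VPN, AWS prefers the
# DX-learned route, so the VPN only carries traffic if DX goes down.
resource "aws_dx_gateway_association" "assoc" {
  dx_gateway_id         = aws_dx_gateway.dxgw.id
  associated_gateway_id = aws_vpn_gateway.vgw.id
}
```

The on-premises router must advertise the same prefixes over both BGP sessions for the failover to work; DX is not encrypted, so the VPN-over-DX option above still applies if the DX path itself must be encrypted.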