1.1 Architect Network Connectivity Strategies
Global Infrastructure
- AWS Regions: Strategic selection based on compliance (data sovereignty), latency (proximity to users), and cost (service pricing varies by region).
  - Design Consideration: For multi-region architectures, consider replication costs and latency.
- Availability Zones (AZs): Physically separate data centers within a region.
  - Architecture: Always spread workloads across at least 2 AZs for high availability.
- Edge Locations: Used by CloudFront and Global Accelerator to cache content and lower latency.
WARNING
Exam Gotcha: An AZ is not a single data center; it comprises one or more discrete data centers. Edge locations are not the same as Regions or AZs.
Hybrid Connectivity
AWS Direct Connect (DX)
Dedicated physical connection between your on-premises network and AWS.
- Components: DX Location, Cross Connect, Virtual Interface (VIFs).
- VIF Types:
  - Private VIF: Connects to a VPC (via VGW or DX Gateway).
  - Public VIF: Connects to public AWS services (S3, DynamoDB) without traversing the internet.
  - Transit VIF: Connects to a Transit Gateway (supported only on 1 Gbps+ dedicated connections or hosted connections).
- Resiliency Patterns:
  - High: 2 DX connections at 2 different locations.
  - Max: 2 DX connections at 2 locations x 2 devices each.
  - Backup: DX primary + VPN backup (BGP required for automatic failover).
AWS Site-to-Site VPN
Encrypted tunnel over the public internet.
- Components: Customer Gateway (CGW) on-prem, Virtual Private Gateway (VGW) or Transit Gateway on AWS.
- Acceleration: Accelerated VPN uses Global Accelerator to enter the AWS network closer to the user.
WARNING
Exam Gotcha: DX does not provide encryption by default. If you need encryption over DX, you must establish a VPN connection over the DX link (Public VIF required).
Cheatsheet: Hybrid Connectivity
| Feature | Direct Connect (DX) | Site-to-Site VPN |
|---|---|---|
| Speed | 50 Mbps - 100 Gbps | Up to 1.25 Gbps per tunnel |
| Latency | Consistent, low | Variable (Internet-based) |
| Cost | High (Port hour + Data transfer) | Low (Connection hour + Data transfer) |
| Setup Time | Weeks/Months | Minutes |
| Encryption | No (unless MACsec or VPN over DX) | Yes (IPsec) |
Traffic Management
Transit Gateway (TGW)
A cloud router to connect VPCs and on-premises networks.
- Architecture: Hub-and-spoke model. Solves the mesh complexity of VPC Peering.
- Routing: Supports transitive routing (A → Hub → B).
- Sharing: Can be shared across accounts using AWS RAM.
VPC Peering
Direct network connection between two VPCs.
- Architecture: Non-transitive. If A peers with B, and B peers with C, A cannot talk to C.
- Performance: Uses AWS backbone; no bandwidth bottlenecks.
- Cost: Data transfer charges apply.
WARNING
Exam Gotcha: VPC Peering DOES NOT support transitive peering. If the exam scenario requires A to talk to C through B, use Transit Gateway or a VPN overlay.
Cheatsheet: Inter-VPC Connectivity
| Feature | VPC Peering | Transit Gateway | PrivateLink |
|---|---|---|---|
| Topology | Mesh (1:1) | Hub-and-Spoke (1:Many) | Publisher/Subscriber |
| Transitive? | No | Yes | No |
| Bandwidth | Unlimited (Line rate) | Up to 50 Gbps per attachment | 10 Gbps (scale with endpoints) |
| Key Use Case | Simple, high-speed connection between 2 VPCs | Managing hundreds of VPCs centrally | Exposing a service to other VPCs privately |
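The two rows above ("Transitive? No / Yes") come down to one rule: a VPC never relays packets between two other networks, whereas a Transit Gateway does. The following is an added example, not code from the original notes or from AWS: a small reachability model in which only a forwarder node (the TGW) may appear as an intermediate hop. The VPC and gateway names (vpc-a, tgw-hub, ...) and the topology are constructed sample data, and connections_needed() is a hypothetical helper that counts the links each model requires.

```python
"""Added example (not from the original notes): a reachability model showing why
VPC Peering is non-transitive and Transit Gateway is transitive. VPC and
gateway names below are constructed sample data."""
from collections import deque

# A node forwards traffic on behalf of others only if it is a router (TGW).
# A VPC is always an endpoint: it never relays packets between two peers.
FORWARDERS = {"tgw-hub"}

# Constructed topology: A<->B<->C chained via peering; D, E, F attached to one TGW.
SAMPLE_LINKS = [
    ("vpc-a", "vpc-b"), ("vpc-b", "vpc-c"),                              # peering connections
    ("vpc-d", "tgw-hub"), ("vpc-e", "tgw-hub"), ("vpc-f", "tgw-hub"),    # TGW attachments
]


def build_graph(links):
    """Undirected adjacency map from a list of (node, node) links."""
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def find_path(links, src, dst):
    """Breadth-first search in which only forwarders may be intermediate hops.
    Returns the hop list from src to dst, or None when dst is unreachable."""
    graph = build_graph(links)
    if src == dst:
        return [src]
    prev = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        for nxt in graph.get(cur, ()):
            if nxt in prev:
                continue
            prev[nxt] = cur
            if nxt == dst:
                path = [dst]
                while prev[path[-1]] is not None:
                    path.append(prev[path[-1]])
                return path[::-1]
            if nxt in FORWARDERS:          # a plain VPC ends the search here
                queue.append(nxt)
    return None


def connections_needed(n_vpcs, model):
    """Links required for n VPCs to all reach each other:
    full peering mesh (n*(n-1)/2) versus one TGW attachment per VPC (n)."""
    if model == "peering":
        return n_vpcs * (n_vpcs - 1) // 2
    if model == "tgw":
        return n_vpcs
    raise ValueError(f"unknown model: {model}")


if __name__ == "__main__":
    print(find_path(SAMPLE_LINKS, "vpc-a", "vpc-c"))    # None: B does not relay A->C
    print(find_path(SAMPLE_LINKS, "vpc-d", "vpc-f"))    # ['vpc-d', 'tgw-hub', 'vpc-f']
    print(connections_needed(10, "peering"), connections_needed(10, "tgw"))
```

Running it with the sample topology shows vpc-a cannot reach vpc-c even though both peer with vpc-b, while vpc-d reaches vpc-f through tgw-hub; the connection counts (45 peerings versus 10 attachments for ten VPCs) are the "mesh complexity" that TGW removes.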
DNS & Route 53
Amazon Route 53 Resolver (Hybrid DNS)
- Inbound Endpoint: Allows on-premises to resolve AWS private hosted zones.
  - Flow: On-prem DNS → VPN/DX → Inbound Endpoint → Route 53.
- Outbound Endpoint: Allows AWS to resolve on-premises hostnames.
  - Flow: EC2 → Route 53 Resolver → Outbound Endpoint → On-prem DNS.
WARNING
Exam Gotcha: You typically need a Forwarding Rule associated with the Outbound Endpoint to tell Route 53 which domains to forward to on-prem (e.g., corp.example.com).
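To make the forwarding-rule behaviour concrete, here is an added example (not from the original notes and not AWS code) that models how Route 53 Resolver picks a rule for a query: rules match on domain suffix, the most specific (longest) matching domain wins, and a rule only acts in VPCs it is associated with. The rule set, the on-prem target IPs, the VPC ids and the "*" convention for the default rule are all constructed assumptions; the rule types FORWARD, SYSTEM and RECURSIVE are the real Resolver rule types.

```python
"""Added example (not from the original notes): how Route 53 Resolver chooses
where a query is answered. Rule domains, target IPs and VPC ids are constructed."""

# Constructed rule set. "*" in vpcs is this example's shorthand for "applies everywhere".
SAMPLE_RULES = [
    {"domain": ".", "type": "RECURSIVE", "targets": [],
     "vpcs": {"*"}},                                     # default Internet Resolver rule
    {"domain": "corp.example.com", "type": "FORWARD",
     "targets": ["10.0.0.2", "10.0.0.3"],                # on-prem DNS via the Outbound Endpoint
     "vpcs": {"vpc-app", "vpc-shared"}},
    {"domain": "aws.corp.example.com", "type": "SYSTEM",  # exception: resolve in Route 53
     "targets": [], "vpcs": {"vpc-app", "vpc-shared"}},
]


def _matches(domain, name):
    """A rule domain matches the name itself and every name beneath it; "." matches all."""
    d = domain.rstrip(".").lower()
    return d == "" or name == d or name.endswith("." + d)


def select_rule(qname, vpc_id, rules):
    """Most specific rule (longest domain) among those associated with this VPC,
    or None if nothing matched (cannot happen while a '.' rule is present)."""
    name = qname.rstrip(".").lower()
    candidates = [r for r in rules
                  if ("*" in r["vpcs"] or vpc_id in r["vpcs"]) and _matches(r["domain"], name)]
    return max(candidates, key=lambda r: len(r["domain"].rstrip(".")), default=None)


def resolution_path(qname, vpc_id, rules=SAMPLE_RULES):
    """Where a query from a given VPC is answered:
    FORWARD            -> out the Outbound Endpoint to the rule's on-prem targets
    SYSTEM / RECURSIVE -> Route 53 Resolver itself (private hosted zones, then public DNS)"""
    rule = select_rule(qname, vpc_id, rules)
    if rule is None:
        return ("unresolvable", [])
    if rule["type"] == "FORWARD":
        return ("outbound-endpoint", list(rule["targets"]))
    return ("route53-resolver", [])


if __name__ == "__main__":
    for q, vpc in [("db.corp.example.com", "vpc-app"),
                   ("svc.aws.corp.example.com", "vpc-app"),
                   ("db.corp.example.com", "vpc-other"),
                   ("s3.amazonaws.com", "vpc-app")]:
        print(f"{q:28s} from {vpc:10s} -> {resolution_path(q, vpc)}")
```

The third case is the one that catches people: the same query from a VPC that is not associated with the forwarding rule falls through to the default rule and never reaches the on-prem resolver.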
Segmentation
IP Addressing & Subnetting
- CIDR Design: Ensure no overlapping CIDRs if you plan to peer VPCs or connect to on-prem.
- IPv6: AWS supports dual-stack mode. IPv6 addresses are globally unique and publicly routable by default, so use an Egress-Only Internet Gateway when instances need outbound-only (private) IPv6 access.
WARNING
Exam Gotcha: You cannot resize a VPC CIDR after creation (though you can add secondary CIDRs). You cannot change a Subnet CIDR at all.
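Because a VPC CIDR cannot be resized and a subnet CIDR cannot be changed at all, it pays to validate an address plan before anything is created. The following is an added example, not code from the original notes or from AWS, built on Python's standard ipaddress module: it flags overlapping CIDRs across VPCs (primary and secondary) and on-prem ranges, checks that subnets fit inside their VPC's CIDRs and inside the /16 to /28 limit, and computes usable addresses after the five AWS reserves per subnet. The plan and subnet names are constructed sample data.

```python
"""Added example (not from the original notes): an address-plan checker using
Python's ipaddress module. All CIDRs and names below are constructed samples."""
import ipaddress
from itertools import combinations

# Constructed sample plan: two VPCs (one with a secondary CIDR) plus an on-prem range.
SAMPLE_PLAN = {
    "vpc-prod":    ["10.10.0.0/16", "100.64.0.0/16"],   # primary + secondary CIDR
    "vpc-dev":     ["10.20.0.0/16"],
    "on-prem-dc1": ["10.10.0.0/24"],                    # overlaps vpc-prod: breaks hybrid routing
}
SAMPLE_SUBNETS = {
    "prod-app-a": "10.10.1.0/24",
    "prod-app-b": "10.10.2.0/24",
    "prod-bad":   "10.30.0.0/24",                       # not inside any vpc-prod CIDR
}


def find_overlaps(plan):
    """Return (name_a, cidr_a, name_b, cidr_b) for every overlapping pair of
    networks. AWS refuses a peering between overlapping VPCs, a VPC's own
    CIDRs must not overlap, and an on-prem overlap makes DX/VPN routes ambiguous."""
    nets = [(name, ipaddress.ip_network(c, strict=True))
            for name, cidrs in plan.items() for c in cidrs]
    return [(a, str(na), b, str(nb))
            for (a, na), (b, nb) in combinations(nets, 2)
            if na.overlaps(nb)]


def check_subnets(vpc_cidrs, subnets):
    """Each subnet must be /16 to /28 and fit inside one of the VPC's CIDRs
    (primary or secondary); subnets must not overlap each other.
    Returns a list of problem strings (empty list == valid)."""
    vpcs = [ipaddress.ip_network(c, strict=True) for c in vpc_cidrs]
    problems, parsed = [], {}
    for name, cidr in subnets.items():
        net = ipaddress.ip_network(cidr, strict=True)
        parsed[name] = net
        if not 16 <= net.prefixlen <= 28:
            problems.append(f"{name}: prefix /{net.prefixlen} outside /16-/28")
        if not any(net.subnet_of(v) for v in vpcs):
            problems.append(f"{name}: {cidr} not inside any VPC CIDR")
    for (a, na), (b, nb) in combinations(parsed.items(), 2):
        if na.overlaps(nb):
            problems.append(f"{a} overlaps {b}")
    return problems


def usable_hosts(cidr):
    """AWS reserves 5 addresses per subnet (network, VPC router, DNS, future use,
    broadcast), so a /24 yields 251 usable addresses, not 254."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses - 5


if __name__ == "__main__":
    print(find_overlaps(SAMPLE_PLAN))
    print(check_subnets(SAMPLE_PLAN["vpc-prod"], SAMPLE_SUBNETS))
    print(usable_hosts("10.10.1.0/24"))
```

With the sample plan the checker reports the on-prem range colliding with vpc-prod and the subnet that falls outside every vpc-prod CIDR; both are cheap to fix on paper and expensive after creation.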