Task Statement 4.4: Design cost-optimized network architectures.
📘AWS Certified Solutions Architect – Associate (SAA-C03)
In the AWS Certified Solutions Architect – Associate exam, network connectivity means how you connect your on-premises data center (or external network) to AWS in a secure, reliable, and cost-effective way.
You must understand three main connectivity options:
- Internet-based VPN (Virtual Private Network)
- Dedicated Private Line (AWS Direct Connect)
- Hybrid connectivity (VPN + Direct Connect together)
Each of these options ultimately connects your network to an Amazon VPC.
1. Internet-Based VPN (Site-to-Site VPN)
A VPN (Virtual Private Network) creates an encrypted tunnel over the public internet between your on-premises network and AWS.
In AWS, this is commonly called:
- AWS Site-to-Site VPN
How it works
- Traffic goes through the public internet
- It is encrypted using IPsec tunnels
- Typically connects to a VPC via a Virtual Private Gateway or Transit Gateway
Key features (Exam Important)
- Quick to set up (minutes to hours)
- Low cost
- Uses public internet (variable performance)
- Encrypted (secure but depends on internet quality)
- Good for backup or small workloads
When to use VPN
Use VPN when:
- You need fast setup
- You have low to moderate traffic
- You want low cost connectivity
- You need a backup connection to Direct Connect
Limitations
- Latency depends on internet
- Bandwidth is limited compared to dedicated lines
2. Dedicated Private Connection (AWS Direct Connect)
A dedicated line means a private physical connection from your data center to AWS.
This is provided by:
- AWS Direct Connect
How it works
- A physical fiber connection is established between your network and AWS Direct Connect locations
- Traffic does NOT go through the public internet
- Can connect directly into Amazon VPC
Key features (Exam Important)
- Consistent and low latency
- High bandwidth (1 Gbps to 100 Gbps options)
- More reliable than internet VPN
- Lower data transfer cost (compared to internet egress)
- Not encrypted by default (VPN over Direct Connect can be added)
When to use Direct Connect
Use it when:
- You need high performance applications
- You transfer large amounts of data regularly
- You need stable latency
- You want predictable network performance
Limitations
- Takes time to set up (days to weeks)
- Higher upfront cost
- Requires physical infrastructure to be provisioned at an AWS Direct Connect location (usually through an AWS partner)
3. Hybrid Connectivity (Best Practice in Real Architectures)
A hybrid model combines:
- AWS Direct Connect (primary)
- AWS Site-to-Site VPN (backup)
Why use hybrid?
This is very important for the exam.
You use:
- Direct Connect for main traffic
- VPN for failover (backup path)
How it works
- If Direct Connect fails → traffic automatically switches to VPN
- Improves availability + resilience
Key exam point
- Direct Connect alone = not highly available
- VPN alone = cheaper but less consistent
- Hybrid = best reliability + cost balance
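The failover in section 3 works because the Virtual Private Gateway prefers Direct Connect routes over VPN routes for the same prefix (longest prefix match still wins first). The model below is an added example, not AWS code or part of the original notes: it reproduces that path selection, shows the VPN taking over when every Direct Connect route is withdrawn, and flags the common misconfiguration where a more specific prefix advertised only over the VPN pulls traffic onto the backup path while Direct Connect is healthy. Route prefixes are constructed sample values.

```python
"""Hybrid connectivity path-selection model: Direct Connect primary, Site-to-Site VPN backup."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

# For equal prefix lengths the VGW prefers (most to least): Direct Connect BGP routes,
# VPN static routes, VPN BGP routes. Lower value wins.
SOURCE_PRIORITY = {"dx_bgp": 0, "vpn_static": 1, "vpn_bgp": 2}


@dataclass
class Route:
    prefix: str          # on-premises CIDR advertised to AWS
    source: str          # key in SOURCE_PRIORITY
    link: str            # "direct_connect" or "vpn"
    up: bool = True      # False once the link's BGP session or tunnel is down


def select_path(dest_ip: str, routes: List[Route]) -> Optional[str]:
    """Return the link that carries traffic to dest_ip, or None if unreachable."""
    addr = ipaddress.ip_address(dest_ip)
    live = [r for r in routes if r.up and addr in ipaddress.ip_network(r.prefix)]
    if not live:
        return None
    # Longest prefix match first, then the documented source ordering.
    best = min(live, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen,
                                    SOURCE_PRIORITY[r.source]))
    return best.link


def failover(routes: List[Route], dest_ip: str) -> Tuple[Optional[str], Optional[str]]:
    """Active path before and after every Direct Connect route is withdrawn."""
    before = select_path(dest_ip, routes)
    degraded = [Route(r.prefix, r.source, r.link, up=(r.link != "direct_connect"))
                for r in routes]
    return before, select_path(dest_ip, degraded)


def vpn_active_while_dx_up(routes: List[Route]) -> List[str]:
    """VPN prefixes that already carry traffic although Direct Connect is healthy.

    Typically a more specific prefix advertised only over the VPN: longest prefix
    match beats the Direct Connect preference, so traffic silently uses the backup.
    """
    return [r.prefix for r in routes if r.link == "vpn" and r.up
            and select_path(str(ipaddress.ip_network(r.prefix)[0]), routes) == "vpn"]


if __name__ == "__main__":
    # Constructed sample: on-prem /16 over both links, plus a stray /24 only over VPN.
    sample = [Route("10.0.0.0/16", "dx_bgp", "direct_connect"),
              Route("10.0.0.0/16", "vpn_bgp", "vpn"),
              Route("10.0.5.0/24", "vpn_bgp", "vpn")]
    print(failover(sample, "10.0.1.1"), vpn_active_while_dx_up(sample))
```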
4. Comparison (Very Important for Exam)
| Feature | VPN | Direct Connect |
|---|---|---|
| Connection type | Internet-based | Private dedicated line |
| Cost | Low | Higher (setup + port) |
| Latency | Variable | Consistent |
| Speed | Medium | High (up to 100 Gbps) |
| Setup time | Fast | Slow |
| Security | Encrypted | Not encrypted by default |
| Best use | Small/temporary workloads | Enterprise/high throughput |
5. Cost-Optimized Design Concepts (Exam Focus)
For SAA-C03, you must know when to choose the cheaper option and when to pay for higher performance:
Use VPN when:
- Workload is small or temporary
- Budget is low
- You need quick connectivity
Use Direct Connect when:
- Large-scale data transfer (big data, backups, replication)
- Long-term stable architecture
- You want to reduce internet data transfer costs
Use both (Hybrid) when:
- You need high availability
- You cannot afford downtime
- You need failover networking
6. Supporting AWS Networking Services (Important Context)
These connectivity options often integrate with:
AWS Transit Gateway
- Connects multiple VPCs and on-prem networks
- Simplifies large-scale network architecture
Amazon VPC
- Main private network inside AWS
- All connectivity options ultimately connect here
7. Exam Tips (Very Important)
When solving exam questions, look for keywords:
If you see:
- “Lowest cost / quick setup” → VPN
- “High bandwidth / stable latency / large data transfer” → Direct Connect
- “High availability / failover / hybrid design” → Direct Connect + VPN
8. Simple Summary (For Revision)
- VPN = quick, cheap, over internet, encrypted
- Direct Connect = private, fast, stable, expensive setup
- Hybrid = best practice for reliability and cost balance
- Both connect your network to Amazon VPC
