Task Statement 4.4: Design cost-optimized network architectures.
📘AWS Certified Solutions Architect – Associate (SAA-C03)
In the AWS Certified Solutions Architect – Associate (SAA-C03) exam, one important skill under cost-optimized network architecture design is choosing the correct type of network connection between your on-premises environment and Amazon Web Services.
You are usually expected to decide between:
- Internet-based connection (public internet)
- Site-to-Site VPN
- AWS Direct Connect
Each option differs in cost, security, performance, and reliability.
1. Internet-based Connection (Public Internet)
What it is
This is a standard connection over the public internet between your on-premises network and AWS resources (usually inside a VPC).
It is typically used when:
- You access public AWS services (like S3 public endpoints)
- Or you connect to AWS resources without private networking
Key characteristics
- Uses the public internet
- No guaranteed performance
- No built-in encryption (unless you add TLS/HTTPS or VPN on top)
- Lowest cost option
Security in this model
- Must use application-level encryption (HTTPS, TLS)
- No private routing by default
When to use
- Non-sensitive workloads
- Public APIs
- Development/testing environments
- When cost is the highest priority
Exam clue
If the question says:
“Lowest cost, acceptable security using HTTPS”
👉 Choose internet-based connection
2. Site-to-Site VPN
What it is
A secure, encrypted tunnel (IPsec VPN) between your on-premises network and an AWS VPC, carried over the public internet.
It connects:
- Customer gateway (on-prem router/firewall)
- Virtual Private Gateway (AWS side)
Key characteristics
- Uses public internet, but encrypted
- Secure tunnel using IPsec
- Supports dynamic routing using BGP
- Faster to deploy than Direct Connect
- Moderate cost
Performance
- Depends on internet quality
- Latency is variable
- Not suitable for ultra-low latency workloads
Security
- Fully encrypted traffic
- Suitable for sensitive workloads
High availability option
You can set up:
- Two VPN tunnels (active-active or failover)
When to use
- Secure hybrid connectivity quickly
- Backup connection for Direct Connect
- Medium workloads with encryption needs
- Temporary hybrid setups
Exam clue
If you see:
- “Quick secure connection”
- “Encrypted traffic over internet”
- “Low setup complexity”
👉 Choose Site-to-Site VPN
3. AWS Direct Connect
What it is
A dedicated private network connection from your on-premises data center directly into AWS.
It does NOT use the public internet.
Instead, it uses:
- Dedicated fiber connection
- AWS Direct Connect location → AWS backbone network
Key characteristics
- Private, dedicated link
- Consistent low latency
- High bandwidth (1 Gbps to 100+ Gbps options)
- More expensive to set up initially
- Lower per-GB data transfer cost than internet/VPN, which pays off at large traffic volumes
Types of traffic support
- Private VIF → access VPC privately
- Public VIF → access AWS public services (like S3, DynamoDB)
Security
- Not encrypted by default
- Often combined with VPN for encryption over Direct Connect (optional)
Performance advantages
- Predictable latency
- Stable throughput
- No internet congestion impact
When to use
- Large-scale data transfer (big data, backups, migration)
- Hybrid enterprise workloads
- Low-latency financial or transactional systems
- Stable, long-term hybrid architecture
Exam clue
If you see:
- “Consistent low latency”
- “High bandwidth requirements”
- “Large data transfer cost optimization”
👉 Choose AWS Direct Connect
4. Direct Comparison (Exam Focus Table)
| Feature | Internet | Site-to-Site VPN | Direct Connect |
|---|---|---|---|
| Network type | Public | Public (encrypted) | Private |
| Security | TLS/HTTPS only | IPsec encryption | Private (optional encryption) |
| Latency | Unpredictable | Variable | Predictable |
| Setup speed | Immediate | Fast | Slow (requires provisioning) |
| Cost | Lowest | Medium | Higher setup, lower data cost |
| Bandwidth | Variable | Limited by internet | High (1–100+ Gbps) |
| Best use | Public apps | Secure quick hybrid | Enterprise hybrid + large data |
5. Hybrid Architectures (Very Important for Exam)
In real AWS designs, these are often combined:
A. VPN + Direct Connect (Best Practice)
- Direct Connect = primary connection
- VPN = backup encrypted failover over internet
👉 Ensures:
- High performance
- High availability
B. Multi-Site VPN
- Two VPN tunnels from different locations
- Provides redundancy
C. Direct Connect with Redundancy
- Two Direct Connect links in different locations
- Prevents single point of failure
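The failover behaviour of design A (Direct Connect primary, VPN backup) is easier to reason about when you can see the route table choose a path. The following is an added example written for this study note, not code from the page or from AWS: it models a route table that learns the same on-premises prefix over both a Direct Connect link and a Site-to-Site VPN, picks the longest prefix match and then prefers Direct Connect over VPN for equal prefixes (that precedence order is a modelling assumption here, chosen to match the primary/backup design), and reports which prefixes have only one path, i.e. the single points of failure that designs B and C exist to remove. All prefixes, link ids and addresses are constructed.

```python
"""Failover model for the Direct Connect + Site-to-Site VPN hybrid design.

Added example for this study note (not from the page or AWS). Prefixes,
link ids and destination addresses below are constructed sample data.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Lower number wins among routes with the same prefix length.
# Modelling assumption: Direct Connect routes are preferred over VPN routes,
# which is what makes the VPN the backup path in this design.
SOURCE_PREFERENCE = {"direct_connect": 0, "vpn": 1}


@dataclass
class Route:
    prefix: str
    source: str        # "direct_connect" or "vpn"
    link_id: str       # which physical/logical link carries the route
    encrypted: bool    # VPN tunnels are IPsec; Direct Connect is plain by default


@dataclass
class HybridRouteTable:
    routes: list = field(default_factory=list)
    down_links: set = field(default_factory=set)

    def link_down(self, link_id: str) -> None:
        """Simulate a link failure: its routes are withdrawn."""
        self.down_links.add(link_id)

    def link_up(self, link_id: str) -> None:
        self.down_links.discard(link_id)

    def lookup(self, dst: str):
        """Select the route for dst: longest prefix match first, then the
        source preference above. Returns None if no live route covers dst."""
        addr = ip_address(dst)
        live = [r for r in self.routes
                if r.link_id not in self.down_links
                and addr in ip_network(r.prefix)]
        if not live:
            return None
        return max(live, key=lambda r: (ip_network(r.prefix).prefixlen,
                                        -SOURCE_PREFERENCE[r.source]))


def single_points_of_failure(table: HybridRouteTable) -> list:
    """Prefixes reachable over only one link, regardless of link state."""
    links_by_prefix = {}
    for r in table.routes:
        links_by_prefix.setdefault(r.prefix, set()).add(r.link_id)
    return sorted(p for p, links in links_by_prefix.items() if len(links) < 2)


def build_sample_table() -> HybridRouteTable:
    """Constructed sample: one on-prem prefix learned over DX and VPN,
    plus a branch-office prefix that only arrives over the VPN."""
    return HybridRouteTable(routes=[
        Route("10.0.0.0/16", "direct_connect", "dx-1", encrypted=False),
        Route("10.0.0.0/16", "vpn", "vpn-1", encrypted=True),
        Route("192.168.50.0/24", "vpn", "vpn-1", encrypted=True),
    ])


if __name__ == "__main__":
    table = build_sample_table()
    primary = table.lookup("10.0.5.7")
    print("normal operation :", primary.link_id, "encrypted =", primary.encrypted)
    table.link_down("dx-1")
    backup = table.lookup("10.0.5.7")
    print("after DX failure :", backup.link_id, "encrypted =", backup.encrypted)
    print("single points of failure:", single_points_of_failure(table))
```

Two things worth noticing when you run it: the failover flips the path from an unencrypted Direct Connect link to an encrypted VPN tunnel, so the security properties of your traffic change during an outage unless you also encrypt over Direct Connect; and the branch prefix that is only advertised over the VPN is flagged because a VPN-only path has no backup at all.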
6. Cost Optimization Perspective (Key Exam Angle)
The exam often asks:
When to choose cheaper options:
- Small data transfer → Internet or VPN
- Temporary workloads → VPN
When Direct Connect is cost-effective:
- Large, continuous data transfer
- Long-term hybrid infrastructure
- Data-heavy applications (analytics, backups, replication)
👉 Important idea:
Direct Connect has a higher fixed cost but a lower per-GB transfer cost, so it becomes the cheaper option once monthly data volume is high enough
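The fixed-cost versus per-GB trade-off is the whole of the cost argument, so here it is as a small monthly-cost model. This is an added example written for this study note, not code from the page or from AWS, and every price in it is a constructed placeholder chosen only to make the break-even arithmetic visible (real pricing varies by region, port speed and hosted vs dedicated connection, and must be looked up before any actual decision). The model counts only data transferred out of AWS, as a simplification.

```python
"""Monthly-cost model: Internet vs Site-to-Site VPN vs Direct Connect.

Added example for this study note (not from the page or AWS).
ALL PRICES BELOW ARE CONSTRUCTED PLACEHOLDERS, not real AWS pricing.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LinkPricing:
    name: str
    fixed_per_month: float   # connection-hour / port-hour style charges
    per_gb_out: float        # data transferred out of AWS, per GB


# Constructed placeholder prices (NOT real AWS pricing).
INTERNET = LinkPricing("Internet", fixed_per_month=0.0, per_gb_out=0.09)
VPN = LinkPricing("Site-to-Site VPN", fixed_per_month=36.0, per_gb_out=0.09)
DX_1G = LinkPricing("Direct Connect 1 Gbps", fixed_per_month=216.0, per_gb_out=0.02)


def monthly_cost(link: LinkPricing, gb_out_per_month: float) -> float:
    """Fixed charge plus per-GB egress for one month."""
    return link.fixed_per_month + link.per_gb_out * gb_out_per_month


def break_even_gb(low_fixed: LinkPricing, high_fixed: LinkPricing) -> float:
    """GB/month above which the higher-fixed-cost link is cheaper.

    Returns inf when the higher-fixed link can never win, i.e. its per-GB
    rate is not lower (the VPN vs Internet case in this model)."""
    delta_fixed = high_fixed.fixed_per_month - low_fixed.fixed_per_month
    delta_gb = low_fixed.per_gb_out - high_fixed.per_gb_out
    if delta_gb <= 0:
        return float("inf")
    return delta_fixed / delta_gb


def cheapest(gb_out_per_month: float, links=(INTERNET, VPN, DX_1G)) -> str:
    """Name of the cheapest option at a given monthly egress volume."""
    return min(links, key=lambda l: monthly_cost(l, gb_out_per_month)).name


if __name__ == "__main__":
    print(f"{'GB/month':>10} {'Internet':>10} {'VPN':>10} {'DX 1G':>10}  cheapest")
    for gb in (100, 1000, 2500, 5000, 20000):
        row = [monthly_cost(l, gb) for l in (INTERNET, VPN, DX_1G)]
        print(f"{gb:>10} {row[0]:>10.2f} {row[1]:>10.2f} {row[2]:>10.2f}  {cheapest(gb)}")
    print("break-even VPN -> DX      :", round(break_even_gb(VPN, DX_1G), 1), "GB/month")
    print("break-even Internet -> DX :", round(break_even_gb(INTERNET, DX_1G), 1), "GB/month")
    print("break-even Internet -> VPN:", break_even_gb(INTERNET, VPN))
```

With these placeholder numbers the crossover sits in the low thousands of GB per month, and the VPN is never cheaper than plain internet: it buys encryption, not savings. That is exactly the exam's framing: small or occasional traffic favours Internet or VPN, and large continuous transfer favours Direct Connect. Plug in the real prices for your region and the same functions give you the real crossover.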
7. Common Exam Scenarios
Scenario 1
“Secure connection needed quickly between on-prem and AWS”
👉 Answer: Site-to-Site VPN
Scenario 2
“Consistent low latency for financial trading system”
👉 Answer: AWS Direct Connect
Scenario 3
“Lowest cost connection for occasional traffic”
👉 Answer: Internet-based connection
Scenario 4
“High volume data transfer from data center to AWS”
👉 Answer: Direct Connect
Scenario 5
“Need encrypted connection over internet with fast setup”
👉 Answer: Site-to-Site VPN
8. Key Exam Takeaways
You must remember:
Internet
- Cheapest
- No guaranteed performance
- Use for non-sensitive/public traffic
VPN
- Secure (encrypted)
- Quick to deploy
- Depends on internet performance
Direct Connect
- Private dedicated connection
- Best performance + consistency
- Best for enterprise + high data transfer
- Higher setup complexity
Final Summary
To pass the SAA-C03 exam in this topic:
- Use Internet for low-cost, non-critical traffic
- Use VPN for secure, fast-to-set-up hybrid connectivity
- Use Direct Connect for high-performance, large-scale, and predictable enterprise workloads
- Combine VPN and Direct Connect for resilience and failover design
