Task Statement 4.4: Design cost-optimized network architectures.
📘AWS Certified Solutions Architect – (SAA-C03)
Selecting Appropriate Bandwidth Allocation for Network Devices
This topic covers how to choose the right network bandwidth design in AWS based on workload needs and cost efficiency. In the exam, you are expected to understand how AWS networking options scale, how bandwidth is allocated, and when to use single versus multiple connections, whether Site-to-Site VPN or AWS Direct Connect.
1. Key Concept: Bandwidth in AWS Networking
Bandwidth means the maximum data transfer capacity between two network endpoints.
In AWS, bandwidth is mainly controlled through:
- Site-to-Site VPN throughput
- AWS Direct Connect connection speed
- Multiple connections for scaling bandwidth
- Load distribution across connections
The goal is to:
- Meet performance requirements
- Avoid over-provisioning (cost optimization)
- Ensure reliability and scalability
2. AWS Network Options for Bandwidth Allocation
2.1 Site-to-Site VPN (Single VPN Connection)
A VPN connection uses the public internet to create a secure tunnel between:
- On-premises network
- AWS VPC
Bandwidth Characteristics:
- Up to 1.25 Gbps per tunnel. Every Site-to-Site VPN connection is provisioned with two tunnels, but on a virtual private gateway only one tunnel carries traffic for a given destination at a time, so a single VPN connection gives about 1.25 Gbps, not 2.5 Gbps
- Performance depends on internet conditions
- Encryption overhead reduces effective throughput
Use Cases:
- Small workloads
- Backup connectivity to AWS
- Low-to-moderate data transfer requirements
Exam Point:
- A single VPN tunnel is not suitable for high-throughput or large-scale data transfer workloads
2.2 Multiple VPN Connections (Scaling VPN Bandwidth)
You can increase VPN bandwidth by:
- Terminating the VPN connections on an AWS Transit Gateway (a virtual private gateway does not support ECMP)
- Creating multiple VPN connections (each with two tunnels) that use dynamic routing (BGP)
- Enabling Equal Cost Multi-Path (ECMP) routing on the Transit Gateway so that all tunnels carry traffic at the same time
How it works:
- Traffic is distributed across multiple tunnels
- Each tunnel carries part of the total load
Benefits:
- Higher aggregate bandwidth
- Improved resilience (if one tunnel fails, others continue)
- Cost-effective compared to dedicated connectivity
Limitations:
- Still depends on internet quality
- More operational complexity than a single VPN
Exam Point:
- Use multiple VPN connections with ECMP on a Transit Gateway when you need more than one tunnel's worth of bandwidth but want to avoid Direct Connect cost; ECMP balances per flow, so no single flow can exceed 1.25 Gbps
2.3 AWS Direct Connect (Dedicated Network Connection)
Direct Connect (DX) provides a private, dedicated network connection between on-premises and AWS.
Bandwidth Options:
- Dedicated connections (a physical port reserved for you): 1 Gbps, 10 Gbps, or 100 Gbps (100 Gbps in supported locations)
- Hosted connections (provisioned through an AWS Direct Connect Partner): from 50 Mbps up to 10 Gbps, in fixed steps
Key Features:
- Consistent low latency
- High and predictable throughput
- No internet variability
- Lower data transfer cost at scale
- Not encrypted by default: the link is private but not confidential, so where encryption in transit is required, use MACsec (available on 10 Gbps and 100 Gbps dedicated connections at supporting locations) or run an IPsec Site-to-Site VPN over the Direct Connect connection
Single Direct Connect Connection
Characteristics:
- One physical connection to AWS
- Fixed bandwidth (based on selected port speed)
Use Cases:
- Stable, predictable workloads
- Medium-to-high data transfer needs
Exam Point:
- A single DX connection is sufficient when workload bandwidth fits within one port capacity
Multiple Direct Connect Connections (Link Aggregation / Scaling)
You can increase bandwidth using:
- Multiple Direct Connect connections, ideally in different Direct Connect locations
- Link Aggregation Groups (LAG): up to four dedicated connections of the same speed (or two 100 Gbps connections) that terminate on the same Direct Connect endpoint, bundled into one logical link
Benefits:
- Higher total throughput (aggregate bandwidth)
- Link-level availability: a LAG keeps working if one member fails, but all members share one endpoint at one location, so location-level redundancy needs a second connection or LAG in another location
- Scalable architecture
Use Cases:
- Large-scale data migration
- High-performance hybrid applications
- Continuous data replication workloads
Exam Point:
- Use multiple DX connections when a single connection is not enough for the required throughput; for redundancy, place the connections in separate Direct Connect locations rather than relying on a LAG alone
3. Choosing Between VPN and Direct Connect for Bandwidth
3.1 When to use VPN
Choose VPN when:
- Bandwidth requirements are low to moderate
- Cost must be minimized
- Setup needs to be fast and simple
- Temporary or backup connectivity is required
Key limitation:
- Not suitable for consistent high throughput workloads
3.2 When to use Direct Connect
Choose Direct Connect when:
- High and consistent bandwidth is required
- Large-scale data transfer is expected
- Stable latency is critical
- Long-term hybrid connectivity is needed
3.3 VPN vs Direct Connect (Exam Comparison)
| Feature | VPN | Direct Connect |
|---|---|---|
| Bandwidth | Limited | High (up to 100 Gbps) |
| Consistency | Variable | Stable |
| Cost | Low | Higher initial setup, lower at scale |
| Security | IPsec-encrypted over the public internet | Private link, not encrypted by default (MACsec or IPsec over DX available) |
| Performance | Depends on internet | Predictable |
4. Bandwidth Design Decisions in AWS Exams
You will often be asked scenarios like:
4.1 Low Cost + Low Traffic
Solution:
- Single Site-to-Site VPN
4.2 Moderate Traffic + Need for Redundancy
Solution:
- Multiple VPN connections terminated on a Transit Gateway with ECMP and BGP (dynamic routing)
4.3 High Throughput + Stable Performance Required
Solution:
- AWS Direct Connect (single or multiple links)
4.4 Very High Throughput or Enterprise Hybrid System
Solution:
- Multiple Direct Connect connections (LAG)
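The decision scenarios in section 4 (and the sizing rules from sections 2 and 3) can be turned into a small planner. The block below is an added example and not code from the page or from AWS; it encodes the documented limits (1.25 Gbps per VPN tunnel, two tunnels per VPN connection, 1/10/100 Gbps dedicated ports, four same-speed members per LAG or two at 100 Gbps). The ECMP derating factor (`ecmp_efficiency`) and the `max_vpn_connections` cut-off are planning assumptions, not AWS limits, and the option names (`vpn-vgw`, `vpn-tgw-ecmp`, `dx-single`, `dx-lag`) are labels chosen for this example.

```python
"""Bandwidth allocation planner for the VPN and Direct Connect options above.

Numeric limits are the documented AWS figures; ecmp_efficiency and
max_vpn_connections are planning assumptions chosen for this example.
"""
import math
from dataclasses import dataclass

VPN_TUNNEL_GBPS = 1.25                   # maximum throughput of one Site-to-Site VPN tunnel
TUNNELS_PER_VPN_CONNECTION = 2           # every VPN connection is provisioned with two tunnels
DX_DEDICATED_PORTS_GBPS = (1, 10, 100)   # dedicated Direct Connect port speeds
LAG_MAX_MEMBERS = {1: 4, 10: 4, 100: 2}  # same-speed dedicated connections allowed in one LAG

DX_NOT_ENCRYPTED = ("Direct Connect is not encrypted by default; add MACsec or "
                    "IPsec over DX when the data needs confidentiality in transit")


@dataclass(frozen=True)
class Plan:
    option: str            # which design from the page this is (labels are this example's)
    units: int             # VPN connections or Direct Connect connections to order
    capacity_gbps: float   # usable aggregate bandwidth of the design
    warnings: tuple = ()   # caveats the page calls out as exam traps


def plan_vpn(required_gbps, gateway="tgw", ecmp_efficiency=0.9):
    """Size Site-to-Site VPN capacity for a virtual private gateway ("vgw")
    or a transit gateway ("tgw") running ECMP over BGP-routed tunnels."""
    if gateway == "vgw":
        # No ECMP on a virtual private gateway: the second tunnel is standby,
        # and extra VPN connections do not add bandwidth for the same prefixes.
        warnings = ()
        if required_gbps > VPN_TUNNEL_GBPS:
            warnings = ("virtual private gateway has no ECMP: throughput stays at one tunnel",)
        return Plan("vpn-vgw", 1, VPN_TUNNEL_GBPS, warnings)
    usable_per_tunnel = VPN_TUNNEL_GBPS * ecmp_efficiency  # assumed derating, not an AWS figure
    tunnels = max(1, math.ceil(required_gbps / usable_per_tunnel))
    connections = math.ceil(tunnels / TUNNELS_PER_VPN_CONNECTION)
    capacity = connections * TUNNELS_PER_VPN_CONNECTION * usable_per_tunnel
    return Plan("vpn-tgw-ecmp", connections, capacity,
                ("ECMP needs BGP (dynamic routing) and VpnEcmpSupport enabled on the transit gateway",
                 "each flow is hashed to one tunnel, so no single flow exceeds 1.25 Gbps"))


def plan_direct_connect(required_gbps):
    """Dedicated Direct Connect design with the least over-provisioning: a single
    port, or a LAG of same-speed ports within the LAG member limits.
    Returns None when even the largest LAG cannot reach the target."""
    candidates = []
    for port in DX_DEDICATED_PORTS_GBPS:
        for members in range(1, LAG_MAX_MEMBERS[port] + 1):
            if members * port >= required_gbps:
                candidates.append((members * port, members, port))
                break  # more members of this speed would only add unused capacity
    if not candidates:
        return None
    capacity, members, port = min(candidates)  # least capacity, then fewest connections
    if members == 1:
        return Plan("dx-single", 1, float(capacity), (DX_NOT_ENCRYPTED,))
    return Plan("dx-lag", members, float(capacity),
                (DX_NOT_ENCRYPTED,
                 f"{members}x{port} Gbps LAG terminates on one Direct Connect endpoint; "
                 "add a second location for site-level redundancy"))


def recommend(required_gbps, stable_performance=False, redundancy=False,
              largest_flow_gbps=0.0, max_vpn_connections=4):
    """Decision order of section 4: VPN while it is cheap and sufficient,
    Direct Connect when performance must be stable, a single flow is larger
    than one tunnel, or the VPN design would sprawl past max_vpn_connections."""
    required_gbps = max(required_gbps, largest_flow_gbps)
    if not stable_performance and largest_flow_gbps <= VPN_TUNNEL_GBPS:
        gateway = "tgw" if (required_gbps > VPN_TUNNEL_GBPS or redundancy) else "vgw"
        vpn = plan_vpn(required_gbps, gateway)
        if vpn.units <= max_vpn_connections:
            return vpn
    return plan_direct_connect(required_gbps)


if __name__ == "__main__":
    for args in ((0.5,), (3.0,), (3.0, True), (15.0, True), (15.0,), (1.0, False, False, 2.0)):
        print(args, recommend(*args))
```

The Direct Connect ranking deliberately optimizes for the least unused capacity, which is why 3 Gbps comes back as three 1 Gbps ports in a LAG rather than one 10 Gbps port; if you want the exam heuristic of "one port when it fits", swap the tuple order to `(members, capacity, port)` so that fewer connections win first.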
5. Key Exam Traps and Important Points
1. VPN is NOT for high bandwidth workloads
Even with multiple tunnels and ECMP, VPN still rides the public internet, each tunnel is capped at 1.25 Gbps, and a single flow is hashed to exactly one tunnel.
2. Direct Connect does NOT automatically scale
You must explicitly:
- Increase port speed OR
- Add multiple connections
3. Multiple VPNs ≠ infinite scaling
ECMP raises aggregate throughput, but:
- Each tunnel is capped at 1.25 Gbps and a single flow never spans more than one tunnel
- Hash-based distribution is not perfectly balanced, so usable capacity stays below the sum of the tunnels
4. ECMP is important for VPN scaling
Without ECMP (for example on a virtual private gateway, which does not support it):
- Extra tunnels act as standby paths and add no bandwidth
5. Cost vs performance trade-off is critical
- VPN = cheaper, lower performance
- Direct Connect = higher setup cost, better performance at scale
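To see why ECMP over VPN tunnels scales less than linearly (section 2.2 and traps 3 and 4 above), the following added example, which is not code from the page or from AWS, simulates hash-based ECMP the way routers do it: each flow's 5-tuple is hashed and the result selects one tunnel for the whole flow. SHA-256 stands in for the router's hash function; the two traffic mixes (one 2 Gbps backup stream versus forty 50 Mbps sessions) are constructed for the example, using RFC 5737 and private addresses.

```python
"""Why ECMP over VPN tunnels is not linear: a flow is pinned to one tunnel.

Sample flows below are constructed for this example, not captured traffic.
"""
import hashlib

VPN_TUNNEL_GBPS = 1.25  # documented cap per Site-to-Site VPN tunnel


def ecmp_tunnel(flow, tunnel_count):
    """Select a tunnel the way hash-based ECMP does: hash the 5-tuple
    (src, dst, proto, sport, dport) and reduce it modulo the path count.
    SHA-256 is a stand-in for the router's hash; the pinning behaviour is the same."""
    digest = hashlib.sha256("|".join(map(str, flow)).encode()).digest()
    return int.from_bytes(digest[:4], "big") % tunnel_count


def distribute(flows, tunnel_count):
    """Offered load per tunnel in Gbps for (src, dst, proto, sport, dport, gbps) flows."""
    load = [0.0] * tunnel_count
    for *five_tuple, gbps in flows:
        load[ecmp_tunnel(tuple(five_tuple), tunnel_count)] += gbps
    return load


def saturated(load, cap_gbps=VPN_TUNNEL_GBPS):
    """Tunnels whose offered load exceeds the cap: that excess is queued or dropped."""
    return [i for i, gbps in enumerate(load) if gbps > cap_gbps]


def usable_ratio(load, cap_gbps=VPN_TUNNEL_GBPS):
    """Fraction of offered traffic that fits under the caps; 1.0 means ECMP aggregated perfectly."""
    offered = sum(load)
    carried = sum(min(gbps, cap_gbps) for gbps in load)
    return carried / offered if offered else 1.0


# Constructed traffic mixes: one 2 Gbps backup stream versus forty 50 Mbps sessions.
ONE_BIG_FLOW = [("10.0.1.10", "192.0.2.20", "tcp", 51000, 445, 2.0)]
MANY_SMALL_FLOWS = [(f"10.0.1.{i}", f"192.0.2.{i % 5 + 1}", "tcp", 40000 + i, 443, 0.05)
                    for i in range(40)]

if __name__ == "__main__":
    for name, flows in (("one 2 Gbps flow", ONE_BIG_FLOW), ("40 x 0.05 Gbps", MANY_SMALL_FLOWS)):
        load = distribute(flows, tunnel_count=4)
        print(name, [round(g, 2) for g in load], "saturated:", saturated(load),
              "usable:", round(usable_ratio(load), 2))
```

With four tunnels (two VPN connections on a Transit Gateway), the single 2 Gbps flow lands on one tunnel and only 1.25 Gbps of it gets through, while the forty small sessions spread across tunnels and fit. That is the practical test for the VPN-versus-Direct Connect decision: ask not only how much aggregate traffic there is, but how large the biggest individual flow is.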
6. Summary (Exam Revision Points)
To select appropriate bandwidth allocation:
- Use a single VPN connection for low bandwidth and simple connectivity
- Use multiple VPN connections with ECMP on a Transit Gateway for improved throughput without Direct Connect
- Use Direct Connect for high, stable, and predictable bandwidth
- Use multiple Direct Connect links for very high throughput and redundancy
- Always balance:
- Performance requirements
- Cost optimization
- Reliability needs
