Task Statement 1.6: Design a routing strategy and connectivity architecture that include multiple AWS accounts, AWS Regions, and VPCs to support different connectivity patterns.
📘AWS Certified Advanced Networking – Specialty
The key services you need to master are:
- Amazon VPC Peering
- AWS Transit Gateway
- AWS PrivateLink
🧩 1. Understanding the Architecture Scope
In real AWS environments, you will often have:
- Multiple AWS accounts (for security, billing, isolation)
- Multiple Regions (for performance, latency, disaster recovery)
- Multiple VPCs (for isolating workloads like web, app, database)
The challenge is:
👉 How do we connect these securely and efficiently?
🔗 2. Connectivity Patterns Overview
There are 3 main patterns:
- Point-to-Point Connectivity
- Example: VPC Peering
- Hub-and-Spoke Connectivity
- Example: Transit Gateway
- Service-Level Connectivity (Private Access)
- Example: PrivateLink
🔹 3. VPC Peering (Point-to-Point)
What is it?
Amazon VPC Peering allows direct private connectivity between two VPCs.
- Works like a 1-to-1 network connection
- Traffic stays on the AWS private network
- No need for internet or NAT
Key Characteristics
- Non-transitive (very important for the exam)
- If A is peered with B, and B is peered with C → A cannot talk to C automatically; a peering connection only carries packets whose destination is inside the peer VPC's own CIDR
- No edge-to-edge routing: you cannot reach the peer VPC's internet gateway, NAT gateway, VPN or Direct Connect connection through the peering
- The two VPCs' CIDR blocks must not overlap
- Routes must be added to the route tables of both VPCs; the peering connection alone forwards nothing
- Works within the same Region or across Regions (inter-region peering), and across accounts
- Low latency and simple setup
Use Cases
- Small number of VPCs
- Simple architectures
- Direct communication between:
- Application VPC and database VPC
- Two teams sharing resources
Limitations
- Not scalable for large environments
- No central control: every VPC owner maintains their own routes
- Requires many peering connections (a full mesh of n VPCs needs n(n-1)/2 peerings)
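The non-transitivity and return-route points above are easiest to see in a small in-memory model. The following is an added example, not AWS code or code from this study guide: it models VPC route tables and peering connections with constructed VPC IDs, peering IDs and CIDRs, and reproduces why A→C fails even when A has a route for C's CIDR pointing at its peering with B.

```python
"""VPC peering reachability model (added example, not AWS code).

Two exam-critical behaviours are reproduced:
  1. a peering connection only forwards packets addressed to the CIDR of the
     VPC on its far side, so A -> B -> C never works (no transitive routing);
  2. the destination VPC needs a return route, or the reply is dropped.
All vpc-*/pcx-* identifiers and CIDRs are constructed sample data.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Vpc:
    vpc_id: str
    cidr: str
    # route table: destination CIDR -> target ("local" or a pcx-* id)
    routes: dict = field(default_factory=dict)

    def __post_init__(self):
        self.routes.setdefault(self.cidr, "local")


@dataclass
class Peering:
    pcx_id: str
    requester: Vpc
    accepter: Vpc

    def peer_of(self, vpc):
        return self.accepter if vpc is self.requester else self.requester


def lookup(vpc, dst_ip):
    """Longest-prefix match in the VPC route table; None if no route matches."""
    matches = [n for n in vpc.routes if ip_address(dst_ip) in ip_network(n)]
    if not matches:
        return None
    return vpc.routes[max(matches, key=lambda n: ip_network(n).prefixlen)]


def one_way(src, dst_ip, peerings):
    """VPC that receives a packet sent from src to dst_ip, or None if dropped."""
    target = lookup(src, dst_ip)
    if target == "local":
        return src
    if target is None:
        return None
    far = peerings[target].peer_of(src)
    # The peering link only carries traffic for the far VPC's own CIDR. A third
    # VPC, or an IGW/NAT/VPN behind the peer, is unreachable (no edge-to-edge).
    return far if ip_address(dst_ip) in ip_network(far.cidr) else None


def reachable(src, dst, dst_ip, src_ip, peerings):
    """True only if the request reaches dst AND dst can route the reply back."""
    return (one_way(src, dst_ip, peerings) is dst
            and one_way(dst, src_ip, peerings) is src)


def build_sample():
    """Constructed topology: A <-> B <-> C, with A wrongly routing C's CIDR via B."""
    a = Vpc("vpc-a", "10.0.0.0/16")
    b = Vpc("vpc-b", "10.1.0.0/16")
    c = Vpc("vpc-c", "10.2.0.0/16")
    peerings = {"pcx-ab": Peering("pcx-ab", a, b),
                "pcx-bc": Peering("pcx-bc", b, c)}
    a.routes["10.1.0.0/16"] = "pcx-ab"
    a.routes["10.2.0.0/16"] = "pcx-ab"   # looks transitive, is silently dropped
    b.routes["10.0.0.0/16"] = "pcx-ab"
    b.routes["10.2.0.0/16"] = "pcx-bc"
    c.routes["10.1.0.0/16"] = "pcx-bc"   # C has no route back to A at all
    return a, b, c, peerings


if __name__ == "__main__":
    a, b, c, peerings = build_sample()
    print("A -> B:", reachable(a, b, "10.1.0.10", "10.0.0.10", peerings))
    print("A -> C:", reachable(a, c, "10.2.0.10", "10.0.0.10", peerings))
```

The fix for A→C in the real world is a third peering (pcx-ac) plus routes in both A and C, or moving to a Transit Gateway; a route pointing at pcx-ab will never get you there.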
🔹 4. AWS Transit Gateway (Hub-and-Spoke)
What is it?
AWS Transit Gateway acts as a central hub that connects:
- Multiple VPCs
- VPN connections
- AWS Direct Connect (through a Direct Connect gateway)
- Multiple accounts (the Transit Gateway is shared with AWS Resource Access Manager) and Regions (through Transit Gateway peering)
How it Works
- All VPCs connect to the Transit Gateway
- Traffic flows through a central routing point
- Supports transitive routing
Key Characteristics
- Transitive connectivity
- VPC A can talk to VPC C via Transit Gateway
- Highly scalable (thousands of attachments; the default quota is 5,000 per Transit Gateway)
- Centralized routing and management
- Supports multi-account architecture
- Supports cross-Region peering between Transit Gateways
Use Cases
- Enterprise-level architecture
- Central network hub for:
- Security inspection
- Central routing
- Shared services (like DNS, logging)
- Multi-account AWS Organizations
Important Exam Points
- A Transit Gateway can have multiple route tables; each attachment is associated with exactly one of them (that table is consulted for traffic arriving from the attachment) and can propagate its CIDR into any number of tables
- Segmentation comes from associating spokes with different route tables and controlling propagation; disable the default route table association and propagation when isolation is required
- Static routes win over propagated routes for the same CIDR, a blackhole route drops matching traffic, and longest prefix match decides between candidates
- Better than VPC Peering for large-scale designs, but VPC CIDRs still must not overlap within a route table, and each VPC's own route table must still point the remote CIDRs at the Transit Gateway attachment
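The association/propagation mechanics are what make segmentation work, and they are easy to get wrong. The following added example (not AWS code and not from this guide) models a Transit Gateway with three constructed attachments: prod and dev spokes that must reach a shared-services VPC but never each other, plus a blackholed dev subnet. Attachment and route table IDs are invented placeholders.

```python
"""Transit Gateway segmentation model (added example, not AWS code).

Models the pieces that decide forwarding on a Transit Gateway: attachments,
route tables, one association per attachment, propagations, static and
blackhole routes, evaluated with longest prefix match. The VPC-side route
tables (which must send remote CIDRs to the TGW attachment) are out of scope.
All att-*/rtb-* identifiers and CIDRs are constructed sample data.
"""
from ipaddress import ip_address, ip_network


class TransitGateway:
    def __init__(self):
        self.attachments = {}    # att id -> CIDR of the attached VPC
        self.route_tables = {}   # rtb id -> {cidr: att id | "blackhole"}
        self.association = {}    # att id -> the ONE route table it is associated with

    def attach_vpc(self, att_id, cidr):
        self.attachments[att_id] = cidr

    def create_route_table(self, rtb_id):
        self.route_tables[rtb_id] = {}

    def associate(self, att_id, rtb_id):
        # The associated table is consulted for traffic *arriving from* att_id.
        # (On a real TGW, disable default association when segmenting.)
        self.association[att_id] = rtb_id

    def propagate(self, att_id, rtb_id):
        # Propagation copies the attachment's CIDR into a table as a route
        # pointing back at that attachment; one attachment may propagate widely.
        self.route_tables[rtb_id][self.attachments[att_id]] = att_id

    def add_static_route(self, rtb_id, cidr, att_id=None, blackhole=False):
        # A static route for a CIDR replaces any propagated route for it.
        self.route_tables[rtb_id][cidr] = "blackhole" if blackhole else att_id

    def forward(self, src_att, dst_ip):
        """Attachment that receives the packet, or None if it is dropped."""
        rtb = self.route_tables[self.association[src_att]]
        matches = [c for c in rtb if ip_address(dst_ip) in ip_network(c)]
        if not matches:
            return None
        best = max(matches, key=lambda c: ip_network(c).prefixlen)
        return None if rtb[best] == "blackhole" else rtb[best]


def build_sample():
    tgw = TransitGateway()
    tgw.attach_vpc("att-prod", "10.10.0.0/16")
    tgw.attach_vpc("att-dev", "10.20.0.0/16")
    tgw.attach_vpc("att-shared", "10.0.0.0/16")
    for rtb in ("rtb-prod", "rtb-dev", "rtb-shared"):
        tgw.create_route_table(rtb)
    # Association: each spoke consults its own table; shared has its own too.
    tgw.associate("att-prod", "rtb-prod")
    tgw.associate("att-dev", "rtb-dev")
    tgw.associate("att-shared", "rtb-shared")
    # Propagation: spokes learn only the shared VPC; shared learns every spoke.
    tgw.propagate("att-shared", "rtb-prod")
    tgw.propagate("att-shared", "rtb-dev")
    tgw.propagate("att-prod", "rtb-shared")
    tgw.propagate("att-dev", "rtb-shared")
    # Blackhole a quarantined dev subnet even from shared services; the /24
    # wins over the propagated /16 by longest prefix match.
    tgw.add_static_route("rtb-shared", "10.20.99.0/24", blackhole=True)
    return tgw


if __name__ == "__main__":
    tgw = build_sample()
    print("prod -> shared:", tgw.forward("att-prod", "10.0.1.5"))
    print("prod -> dev   :", tgw.forward("att-prod", "10.20.1.5"))
    print("shared -> quarantine:", tgw.forward("att-shared", "10.20.99.7"))
```

Had every attachment been left on the default route table with default propagation, all three tables would collapse into one and prod could reach dev; the isolation lives entirely in which table each attachment is associated with and which tables it propagates into.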
🔹 5. AWS PrivateLink (Private Service Access)
What is it?
AWS PrivateLink allows you to access services privately without exposing them to the internet and without VPC peering.
- Provides private access to services
- Uses VPC endpoints (Interface Endpoints, which are elastic network interfaces in the consumer's own subnets)
How it Works
- The provider puts the service behind a Network Load Balancer (or Gateway Load Balancer) and registers it as a VPC Endpoint Service
- Consumers create Interface Endpoints; the provider controls who may connect through allowed principals and, optionally, manual connection acceptance
- Traffic stays within the AWS network and only flows from consumer to service (the provider cannot initiate connections to the consumer)
Key Characteristics
- No need for VPC peering or routing between VPCs
- Strong isolation: no route tables are shared and the consumer never learns the provider's CIDR
- Only specific services are exposed (not full network access)
- Works across accounts and VPCs
Use Cases
- Access AWS services privately through interface endpoints (note: the gateway endpoints for S3 and DynamoDB are VPC route table entries, not PrivateLink)
- Internal APIs between teams or accounts
- SaaS providers exposing services to customers securely
Important Exam Points
- Does NOT allow full VPC-to-VPC communication
- Only allows access to the specific service behind the endpoint service, in one direction (consumer to provider)
- No IP overlap concerns: consumer and provider VPCs may use the same CIDR (very important advantage)
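Overlapping CIDRs are the usual reason a pair of VPCs ends up on PrivateLink rather than peering or a Transit Gateway, so the first check in any multi-account design is an overlap scan of the address inventory. The following added example (not AWS code and not from this guide) runs that scan over a constructed inventory of five VPCs across four made-up account IDs; it uses only the standard library `ipaddress` module.

```python
"""CIDR overlap planner (added example, not AWS code).

Given an inventory of VPC CIDRs across accounts, list the pairs whose address
space overlaps. Such a pair can neither be peered nor have both CIDRs routed in
one Transit Gateway route table; PrivateLink still works, because the consumer
only sees an endpoint ENI in its own subnet and never the provider's routes.
The inventory, account IDs and CIDRs below are constructed sample data.
"""
from ipaddress import ip_network
from itertools import combinations

# name -> (account id, CIDR)   [constructed sample inventory]
INVENTORY = {
    "prod-app":     ("111111111111", "10.0.0.0/16"),
    "prod-db":      ("111111111111", "10.1.0.0/16"),
    "partner-saas": ("222222222222", "10.0.0.0/16"),     # identical to prod-app
    "acquired-co":  ("333333333333", "10.0.128.0/17"),   # subset of prod-app
    "analytics":    ("444444444444", "172.16.0.0/12"),
}


def overlapping_pairs(inventory):
    """Sorted, unordered pairs whose CIDRs overlap (partial overlap counts)."""
    pairs = []
    for (n1, (_, c1)), (n2, (_, c2)) in combinations(sorted(inventory.items()), 2):
        if ip_network(c1).overlaps(ip_network(c2)):
            pairs.append((n1, n2))
    return pairs


def can_connect_at_network_level(inventory, a, b):
    """True if a and b could be peered or share a TGW route table (no overlap)."""
    return not ip_network(inventory[a][1]).overlaps(ip_network(inventory[b][1]))


def needs_privatelink(inventory):
    """Pairs for which only service-level (PrivateLink) connectivity remains,
    short of re-addressing one of the VPCs."""
    return [p for p in overlapping_pairs(inventory)]


if __name__ == "__main__":
    for a, b in needs_privatelink(INVENTORY):
        print(f"{a} <-> {b}: overlap, use PrivateLink or re-IP")
    print("prod-app <-> prod-db peerable:",
          can_connect_at_network_level(INVENTORY, "prod-app", "prod-db"))
```

Note that `overlaps()` catches the partial case (acquired-co inside prod-app) as well as the identical case; both block peering, and both would produce a conflicting route if the two VPCs propagated into the same Transit Gateway route table.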
⚖️ 6. Comparison Table (Exam Critical)
| Feature | VPC Peering | Transit Gateway | PrivateLink |
|---|---|---|---|
| Type | Point-to-point | Hub-and-spoke | Service-level |
| Transitive Routing | ❌ No | ✅ Yes | ❌ No (one-way, consumer to service) |
| Scalability | Low | High | High |
| Use Case | Small setups | Large enterprise networks | Private service access |
| Remote CIDR exposed / routes exchanged | Yes | Yes | No |
| Overlapping CIDRs allowed | ❌ No | ❌ No (not within a route table) | ✅ Yes |
| Full Network Access | Yes | Yes | No (only specific services) |
🏗️ 7. Multi-Account and Multi-Region Design
Multi-Account
Use cases:
- Separate environments (dev, test, prod)
- Security isolation
- Billing separation
👉 Recommended:
- Use Transit Gateway for central connectivity
- Use PrivateLink for secure service sharing
- Avoid excessive VPC peering
Multi-Region
Use cases:
- Disaster recovery
- Low latency for global users
Options:
- Inter-Region VPC Peering
- Transit Gateway Peering
- PrivateLink (regional services only)
👉 Exam tip:
- VPC Peering across regions is possible but not scalable
- Transit Gateway is better for complex multi-region designs
🧠 8. When to Use What (Exam Decision Guide)
Use VPC Peering when:
- Only 2 VPCs need to communicate
- Simple, low-scale architecture
- No need for transitive routing
Use Transit Gateway when:
- Many VPCs must communicate
- Multi-account architecture
- Need centralized routing and control
- Need transitive communication
Use PrivateLink when:
- You want to expose a service privately
- You do NOT want full network connectivity
- You want strong isolation
- You want to avoid route table complexity
⚠️ 9. Common Exam Pitfalls
- ❌ Thinking VPC Peering supports transitive routing or edge-to-edge routing through the peer's gateways
- ❌ Forgetting that peering needs routes in both VPCs and non-overlapping CIDRs
- ❌ Using Transit Gateway when only service-level access is needed
- ❌ Using PrivateLink for full VPC connectivity (not allowed)
- ❌ Leaving Transit Gateway attachments on the default route table with default propagation when segmentation is required
- ❌ Not considering scaling limitations of VPC Peering
- ❌ Ignoring multi-account design best practices
🧾 10. Key Takeaways
- VPC Peering → Simple, 1-to-1, no transitive routing
- Transit Gateway → Scalable hub, supports transitive routing
- PrivateLink → Secure service-level access, no full network sharing
- Choose the service based on:
- Scale
- Security
- Connectivity type
- Architecture complexity
