Task Statement 1.6: Design a routing strategy and connectivity architecture that include multiple AWS accounts, AWS Regions, and VPCs to support different connectivity patterns.
📘AWS Certified Advanced Networking – Specialty
1. VPC Peering
What it is
Amazon VPC Peering is a direct, one-to-one network connection between two VPCs that allows resources to communicate using private IP addresses.
Key Characteristics
- One-to-one connection only
  - Each VPC can connect to another VPC individually
- No transitive routing
  - If VPC A is peered with B, and B with C → A cannot reach C through B
- Fully private communication
- Works across accounts and regions (cross-account / cross-region peering supported)
- Low latency (direct connection)
Routing Requirements
- You must manually update route tables in both VPCs
- Add routes pointing to the peering connection
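The two-sided route requirement and the cross-account acceptance step, written out in Terraform as an added example (not from the original notes). Account IDs, VPC/route-table IDs and CIDRs are constructed placeholders, and `aws.vpc_b` is an assumed provider alias for the accepter account.

```hcl
# Requester side: VPC A (10.0.0.0/16) in account 111111111111 asks to peer with VPC B.
resource "aws_vpc_peering_connection" "a_to_b" {
  vpc_id        = "vpc-aaaa1111"   # VPC A
  peer_vpc_id   = "vpc-bbbb2222"   # VPC B, 10.1.0.0/16
  peer_owner_id = "222222222222"   # omit for same-account peering
  peer_region   = "eu-west-1"      # omit for same-region peering
  auto_accept   = false            # cross-account / cross-region peering cannot auto-accept
}

# Accepter side, applied with credentials for account 222222222222 (alias aws.vpc_b).
resource "aws_vpc_peering_connection_accepter" "b_accepts_a" {
  provider                  = aws.vpc_b
  vpc_peering_connection_id = aws_vpc_peering_connection.a_to_b.id
  auto_accept               = true
}

# Route in VPC A's route table pointing VPC B's CIDR at the peering connection.
resource "aws_route" "a_to_b" {
  route_table_id            = "rtb-aaaa0001"
  destination_cidr_block    = "10.1.0.0/16"
  vpc_peering_connection_id = aws_vpc_peering_connection.a_to_b.id
}

# Matching return route in VPC B; without it, replies have no path and connections fail.
resource "aws_route" "b_to_a" {
  provider                  = aws.vpc_b
  route_table_id            = "rtb-bbbb0001"
  destination_cidr_block    = "10.0.0.0/16"
  vpc_peering_connection_id = aws_vpc_peering_connection_accepter.b_accepts_a.id
}

# Not possible: a route in VPC A for VPC C's CIDR (10.2.0.0/16) via this peering. A peering
# connection only forwards traffic addressed to the two peered VPCs, so such traffic is dropped.
# Security groups and NACLs in both VPCs must also allow the traffic; routes alone are not enough.
```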
Limitations
- Does not scale well (many VPCs = many peering connections)
- No overlapping CIDR blocks allowed
- No transitive routing
- Management complexity increases quickly
When to use VPC Peering
Use it when:
- You have a small number of VPCs
- You need simple, direct communication
- You do not need transitive connectivity
- You want low-cost, low-latency connectivity
Exam Tip
If you see:
- “simple architecture”
- “few VPCs”
- “direct communication without hub”
👉 Think: VPC Peering
2. AWS Transit Gateway
What it is
AWS Transit Gateway is a central hub that connects multiple VPCs and on-premises networks using a hub-and-spoke architecture.
Key Characteristics
- Hub-and-spoke model
  - All VPCs connect to the Transit Gateway
- Supports thousands of VPCs
- Transitive routing is supported
  - VPC A can talk to VPC C through the Transit Gateway
- Centralized routing management
- Supports:
  - Multi-account
  - Multi-region (via peering between Transit Gateways)
  - Hybrid connectivity (VPN, Direct Connect)
Routing Behavior
- You attach VPCs to the Transit Gateway
- You configure route tables inside Transit Gateway
- You control which VPCs can communicate
Advanced Features
- Segmentation using route tables
  - You can isolate environments (e.g., dev, prod)
- Multicast support
- Integration with AWS Direct Connect
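Segmentation with Transit Gateway route tables, as an added Terraform example (not part of the original notes): dev and prod both reach a shared-services VPC, but cannot reach each other. All VPC and subnet IDs are constructed placeholders.

```hcl
locals {
  # Constructed placeholder VPCs; "segment" selects the TGW route table each attachment uses.
  vpcs = {
    dev    = { vpc_id = "vpc-dev0000001", subnets = ["subnet-dev0a", "subnet-dev0b"], segment = "spokes" }
    prod   = { vpc_id = "vpc-prd0000001", subnets = ["subnet-prd0a", "subnet-prd0b"], segment = "spokes" }
    shared = { vpc_id = "vpc-shr0000001", subnets = ["subnet-shr0a", "subnet-shr0b"], segment = "shared" }
  }
}

resource "aws_ec2_transit_gateway" "hub" {
  default_route_table_association = "disable" # no implicit any-to-any default table
  default_route_table_propagation = "disable"
}

resource "aws_ec2_transit_gateway_vpc_attachment" "vpc" {
  for_each                                        = local.vpcs
  transit_gateway_id                              = aws_ec2_transit_gateway.hub.id
  vpc_id                                          = each.value.vpc_id
  subnet_ids                                      = each.value.subnets
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
}

# Two routing domains; traffic from an attachment is looked up only in the table it is associated with.
resource "aws_ec2_transit_gateway_route_table" "segment" {
  for_each           = toset(["spokes", "shared"])
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
}

resource "aws_ec2_transit_gateway_route_table_association" "vpc" {
  for_each                       = local.vpcs
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.vpc[each.key].id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.segment[each.value.segment].id
}

# Only the shared VPC's CIDR is propagated into the spokes table: dev and prod can reach
# shared services but never learn each other's CIDR, so dev -> prod is dropped at the hub.
resource "aws_ec2_transit_gateway_route_table_propagation" "shared_into_spokes" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.vpc["shared"].id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.segment["spokes"].id
}

# The shared table learns every spoke so that return traffic can be routed back.
resource "aws_ec2_transit_gateway_route_table_propagation" "spokes_into_shared" {
  for_each                       = { for k, v in local.vpcs : k => v if v.segment == "spokes" }
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.vpc[each.key].id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.segment["shared"].id
}
```

Each VPC's own subnet route tables still need a route (for example the summary CIDR of the other VPCs) pointing at the Transit Gateway; the TGW tables only decide what happens once traffic reaches the hub.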
Limitations
- Slightly higher cost than peering
- More complex configuration
- Requires understanding of route tables inside Transit Gateway
When to use Transit Gateway
Use it when:
- You have many VPCs
- You need scalable architecture
- You require transitive routing
- You want centralized control of network traffic
Exam Tip
If you see:
- “many VPCs”
- “hub-and-spoke”
- “centralized routing”
- “transitive communication”
👉 Think: Transit Gateway
3. AWS PrivateLink
What it is
AWS PrivateLink enables you to privately access services across VPCs without exposing them to the internet or requiring full VPC connectivity.
Key Characteristics
- Service-based connectivity (not VPC-to-VPC)
- Uses:
  - Interface VPC Endpoints
- Traffic stays on AWS network (private)
- No need for:
  - Internet Gateway
  - NAT Gateway
  - Peering
  - Transit Gateway
How it works
- A service is published using a Network Load Balancer (NLB)
- Consumers create an Interface Endpoint
- Traffic flows privately between:
  - Consumer VPC
  - Service provider VPC
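The provider/consumer exchange above as an added Terraform example (not from the original notes), with the consumer in a second account. The NLB ARN, account IDs, VPC/subnet IDs and the `aws.consumer` provider alias are assumptions; the example assumes both accounts are managed from one configuration.

```hcl
# Provider account: publish the service behind an internal NLB (placeholder ARN).
resource "aws_vpc_endpoint_service" "db_proxy" {
  acceptance_required        = true # provider approves every consumer endpoint explicitly
  network_load_balancer_arns = ["arn:aws:elasticloadbalancing:eu-west-1:111111111111:loadbalancer/net/db-nlb/PLACEHOLDER"]
}

# Allow-list the consumer account; any other principal cannot even create an endpoint.
resource "aws_vpc_endpoint_service_allowed_principal" "consumer" {
  vpc_endpoint_service_id = aws_vpc_endpoint_service.db_proxy.id
  principal_arn           = "arn:aws:iam::222222222222:root"
}

# Consumer account (alias aws.consumer): the endpoint gets an ENI in the consumer VPC,
# so no route table entry is needed and the two VPCs' CIDRs may even overlap.
resource "aws_security_group" "db_endpoint" {
  provider = aws.consumer
  vpc_id   = "vpc-consumer0001"
  ingress { # only the app subnet, only the database port
    from_port   = 5432
    to_port     = 5432
    protocol    = "tcp"
    cidr_blocks = ["10.20.0.0/24"]
  }
}

resource "aws_vpc_endpoint" "db" {
  provider            = aws.consumer
  vpc_id              = "vpc-consumer0001"
  service_name        = aws_vpc_endpoint_service.db_proxy.service_name
  vpc_endpoint_type   = "Interface"
  subnet_ids          = ["subnet-consumer0a", "subnet-consumer0b"]
  security_group_ids  = [aws_security_group.db_endpoint.id]
  private_dns_enabled = false # the provider has not registered a private DNS name in this example
}

# Provider side: accept this specific endpoint connection (acceptance_required = true above).
resource "aws_vpc_endpoint_connection_accepter" "db" {
  vpc_endpoint_service_id = aws_vpc_endpoint_service.db_proxy.id
  vpc_endpoint_id         = aws_vpc_endpoint.db.id
}
```

Only the NLB listener is reachable from the consumer VPC; nothing else in the provider VPC is exposed, which is the "service-level access" property the notes describe.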
Key Advantages
- Highly secure
  - No need to expose entire VPC
- Fine-grained access
  - Only specific services are exposed
- No CIDR overlap issues
- Works across accounts and regions
Limitations
- Not designed for full VPC connectivity
- Only allows specific service access
- Requires setup from both:
  - Service provider
  - Service consumer
When to use PrivateLink
Use it when:
- You want to expose specific applications or services
- You do not want full network access
- You need secure, private access between accounts
Exam Tip
If you see:
- “access a specific service only”
- “no full VPC connectivity”
- “private access to an application”
👉 Think: PrivateLink
4. Comparing the Services (VERY IMPORTANT for the Exam)
| Feature | VPC Peering | Transit Gateway | PrivateLink |
|---|---|---|---|
| Connectivity Type | VPC to VPC | Hub-and-spoke | Service-based |
| Scalability | Low | High | High |
| Transitive Routing | ❌ No | ✅ Yes | ❌ No |
| Centralized Control | ❌ No | ✅ Yes | ❌ No |
| Use Case | Simple VPC connections | Large-scale networks | Secure service access |
| CIDR Overlap Allowed | ❌ No | ❌ No (must avoid) | ✅ Yes |
| Traffic Scope | Full VPC | Full VPC | Specific services |
5. Choosing the Right Service (Exam Decision Logic)
Step 1: Do you need full VPC connectivity?
- Yes → go to next step
- No → PrivateLink
Step 2: How many VPCs?
- Few VPCs → VPC Peering
- Many VPCs → Transit Gateway
Step 3: Do you need transitive routing?
- Yes → Transit Gateway
- No → VPC Peering
Step 4: Do you want to expose only a service (not full network)?
- Yes → PrivateLink
6. Multi-Account and Multi-Region Considerations
Multi-Account
- All three services support cross-account connectivity
- Transit Gateway is best for centralized governance
Multi-Region
- VPC Peering supports cross-region peering
- Transit Gateway supports inter-region peering
- PrivateLink supports cross-region endpoints (with limitations)
7. Common Exam Scenarios
Scenario 1
- 50 VPCs across multiple accounts
- Need centralized routing
👉 Transit Gateway
Scenario 2
- Two VPCs need direct communication
👉 VPC Peering
Scenario 3
- Need to expose a database service to another account securely
👉 PrivateLink
Scenario 4
- Need transitive routing between VPCs
👉 Transit Gateway
8. Key Exam Takeaways
- VPC Peering
  - Simple
  - Direct
  - No transitive routing
- Transit Gateway
  - Scalable
  - Central hub
  - Supports transitive routing
- PrivateLink
  - Secure
  - Service-level access
  - No full network exposure
Final Tip for Passing the Exam
When answering questions, focus on:
- Scale (few vs many VPCs)
- Routing type (transitive vs non-transitive)
- Security (full access vs limited service access)
- Architecture (hub-and-spoke vs direct connection)
