Task Statement 2.2: Implement routing and connectivity across multiple AWS accounts, Regions, and VPCs to support different connectivity patterns.
📘AWS Certified Advanced Networking – Specialty
1. What is Hybrid Connectivity?
Hybrid connectivity means connecting:
- AWS cloud networks (VPCs)
- External networks (on-premises, data centers, or other clouds)
This connection allows:
- Applications in AWS to communicate with on-prem systems
- Centralized control, monitoring, and data sharing
2. Role of Third-Party Vendor Solutions
Third-party vendors provide:
- Firewalls
- VPN appliances
- SD-WAN solutions
- Network Virtual Appliances (NVAs)
These run either:
- On-premises (physical devices)
- Inside AWS (virtual appliances in EC2)
3. Key AWS Hybrid Connectivity Options
Before integrating third-party solutions, understand AWS native connectivity:
3.1 Site-to-Site VPN
- IPSec VPN over the internet
- Connects on-prem network to VPC
- Supports third-party devices
3.2 AWS Direct Connect
- Dedicated private connection to AWS
- High bandwidth, low latency
- Often combined with third-party routers
3.3 Client VPN
- End-user VPN access
- Can integrate with third-party identity systems
4. Third-Party Vendor Integration Models
4.1 Customer Gateway (CGW) with Third-Party Devices
A Customer Gateway represents your external device.
- Could be:
  - Cisco router
  - Fortinet firewall
  - Palo Alto firewall
Key Configuration:
- Public IP of device
- Routing (static or BGP)
- IPSec tunnel parameters
4.2 Virtual Private Gateway (VGW) vs Transit Gateway (TGW)
Virtual Private Gateway (VGW)
- Attached to a single VPC
- Supports VPN with third-party devices
Transit Gateway (TGW)
- Central hub for multiple VPCs and VPNs
- Preferred for large architectures
Exam Tip:
- TGW is more scalable and supports multiple VPN connections.
4.3 Third-Party Network Virtual Appliances (NVA)
These are virtual firewalls or routers running inside AWS EC2.
Examples:
- Firewall appliances
- Intrusion detection systems
- Load balancers
Deployment Pattern:
- Deployed in a dedicated subnet
- Traffic routed through them for inspection
5. VPN with Third-Party Devices
5.1 IPSec VPN Requirements
To connect AWS with a third-party device:
- Encryption:
  - AES-128 or AES-256
- Authentication:
  - SHA-1 or SHA-2
- Key Exchange:
  - IKEv1 or IKEv2
- Pre-shared key (PSK)
5.2 Static vs Dynamic Routing
Static Routing
- Manually define routes
- Simple but less flexible
Dynamic Routing (BGP)
- Uses Border Gateway Protocol
- Automatically updates routes
- Required for:
  - Failover
  - Scalable architectures
Exam Tip:
- Prefer BGP for enterprise hybrid connectivity
5.3 High Availability VPN Design
AWS provides:
- Two VPN tunnels per connection
Best practices:
- Configure both tunnels on third-party device
- Use BGP for automatic failover
- Monitor tunnel health
6. AWS Direct Connect with Third-Party Solutions
6.1 Integration with Third-Party Routers
Direct Connect connects to:
- Customer router (third-party)
- AWS router
Key Concepts:
- VLANs (802.1Q tagging)
- BGP for routing
- Private and public virtual interfaces
6.2 Hybrid Design: VPN + Direct Connect
Common architecture:
- Direct Connect → Primary connection
- VPN → Backup connection
Benefits:
- High availability
- Cost optimization
7. SD-WAN Integration
7.1 What is SD-WAN?
Software-defined WAN solutions from vendors like:
- Cisco SD-WAN
- VMware SD-WAN
- Fortinet SD-WAN
They manage traffic intelligently across multiple links.
7.2 AWS Integration
Deployment options:
- SD-WAN appliance in AWS (EC2)
- On-prem SD-WAN device connected via VPN or Direct Connect
Features:
- Traffic optimization
- Application-aware routing
- Centralized control
8. Traffic Flow with Third-Party Appliances
8.1 Inbound and Outbound Inspection
Traffic flow:
- Enters VPC
- Routed to firewall/NVA
- Inspected
- Forwarded to destination
8.2 Routing Considerations
To force traffic through appliances:
- Use route tables:
  - Destination → appliance ENI
- Use Transit Gateway route tables
- Plan for symmetric return paths: a stateful appliance drops replies that bypass it, so handle asymmetric routing where needed
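As an added example (not from the original notes), this Python snippet models the route lookups behind sections 8.1 and 8.2 using constructed route tables and hypothetical IDs (eni-fw, igw-1): a 0.0.0.0/0 route sends outbound traffic to the appliance ENI, an ingress route table on the internet gateway steers the reply back through the same appliance, and without that table the return path is asymmetric. It also shows that traffic between two subnets of the same VPC follows the more specific local route and bypasses the appliance.

```python
import ipaddress

# Constructed route tables with hypothetical IDs (not from any real account).
# Entries are (prefix, target); "local" is VPC-internal delivery,
# "eni-fw" is the firewall appliance's ENI, "igw-1" the internet gateway.
APP_RT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "eni-fw")]
FW_RT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-1")]
# Ingress route table associated with the IGW so that replies destined
# for the app subnet are steered back through the same appliance.
IGW_INGRESS_RT = [("10.0.1.0/24", "eni-fw")]


def lookup(route_table, dst):
    """Longest-prefix match, the way a VPC route table selects a target."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, target in route_table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def outbound_path(dst):
    """App host -> remote: app subnet table first, then the firewall subnet."""
    hops = [lookup(APP_RT, dst)]
    if hops[-1] == "eni-fw":  # appliance inspects, then forwards onward
        hops.append(lookup(FW_RT, dst))
    return hops


def inbound_path(dst, ingress_rt):
    """Remote -> app host. Without an IGW route table the reply is delivered
    straight to the subnet and never touches the appliance."""
    first = lookup(ingress_rt, dst) if ingress_rt else "local"
    hops = [first]
    if first == "eni-fw":
        hops.append(lookup(FW_RT, dst))
    return hops


def is_symmetric(app_host, remote, ingress_rt):
    """True when both directions traverse the firewall; a stateful
    appliance drops the reply otherwise."""
    fwd = outbound_path(remote)
    rev = inbound_path(app_host, ingress_rt)
    return "eni-fw" in fwd and "eni-fw" in rev
```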
9. Security Considerations
9.1 Encryption
- VPN uses IPSec encryption
- Direct Connect is not encrypted by default; add encryption on top (such as IPSec) when it is required
9.2 Firewall Policies
- Managed by third-party appliance
- Controls:
  - Inbound traffic
  - Outbound traffic
9.3 Identity Integration
- Integrate with:
  - Active Directory
  - RADIUS
  - SAML
10. Monitoring and Troubleshooting
10.1 AWS Tools
- CloudWatch (metrics, logs)
- VPC Flow Logs
- Transit Gateway Network Manager
10.2 Third-Party Tools
- Vendor dashboards
- SNMP monitoring
- Syslog servers
11. Common Hybrid Architectures
11.1 Hub-and-Spoke Model
- Transit Gateway = hub
- VPCs and on-prem = spokes
- Third-party firewall in hub
11.2 Centralized Inspection VPC
- All traffic routed through security VPC
- Uses NVAs
11.3 Multi-Region Hybrid
- Multiple TGWs across regions
- Inter-region peering
- Third-party devices integrated globally
12. Key Exam Tips (Very Important)
Must Remember:
- Transit Gateway is preferred over VGW for scalability
- BGP is preferred over static routing
- Two VPN tunnels = built-in redundancy
- Direct Connect + VPN = best practice for HA
- Third-party appliances = used for advanced security and routing
- SD-WAN = centralized traffic management
13. Quick Comparison Table
| Feature | VPN | Direct Connect | Third-Party Appliance |
|---|---|---|---|
| Connectivity | Internet | Private | Depends on setup |
| Encryption | Yes | Optional | Configurable |
| Latency | Higher | Lower | Depends |
| Use Case | Backup / small scale | Primary enterprise | Security & control |
14. Final Summary
Configuring hybrid connectivity with third-party solutions means:
- Connecting AWS VPCs with external networks using:
  - VPN
  - Direct Connect
- Integrating:
  - Firewalls
  - Routers
  - SD-WAN appliances
- Ensuring:
  - Secure communication (IPSec)
  - High availability (dual tunnels, BGP)
  - Scalable routing (Transit Gateway)
