Task Statement 3.1: Maintain routing and connectivity on AWS and hybrid networks.
📘AWS Certified Advanced Networking – Specialty
1. Introduction to AWS and Hybrid Network Connectivity
In AWS, you often need to connect your AWS resources to each other and to your on-premises data centers. This could involve:
- AWS-to-AWS connectivity – connecting different VPCs in the same or different regions.
- AWS-to-On-Premises connectivity – connecting your AWS VPCs to your corporate network or data center.
AWS provides several methods to achieve this, mainly using gateways, virtual interfaces, and networking services.
Key tools you need to know:
- Direct Connect (DX) – Dedicated, private connection from your on-premises network to AWS.
- Transit Gateway (TGW) – Central hub to connect multiple VPCs and on-premises networks.
- Virtual Private Gateway (VGW) – Gateway attached to a VPC for VPN or DX connections.
- Virtual Interfaces (VIFs) – Logical connections over Direct Connect.
2. AWS Direct Connect (DX)
What it is:
- AWS Direct Connect is a dedicated private network connection between your on-premises environment and AWS.
- Unlike public internet, it provides more predictable bandwidth, lower latency, and better security.
How it works:
- You order a connection (usually 1 Gbps or 10 Gbps) from an AWS DX location.
- AWS provides a physical port. From there, your network connects to AWS Direct Connect locations.
- You can use Virtual Interfaces (VIFs) to route traffic:
- Private VIF – For VPCs over a Virtual Private Gateway.
- Public VIF – For AWS public services (like S3, DynamoDB).
IT Example:
- A company wants its on-premises servers to access an AWS VPC database privately. They create a private VIF over Direct Connect to the VPC. This avoids public internet and improves speed and security.
3. Virtual Private Gateway (VGW)
What it is:
- A VGW is a gateway attached to a VPC.
- It allows your VPC to connect to Direct Connect or VPN connections.
Key points:
- VGWs support BGP routing, which helps dynamic route exchange between AWS and your on-premises network.
- Each VPC can have one VGW attached.
IT Example:
- You have a VPC running web servers. You attach a VGW to connect it to your corporate data center over VPN or Direct Connect.
4. Transit Gateway (TGW)
What it is:
- Transit Gateway is like a network hub that connects multiple VPCs and on-premises networks.
- Simplifies large-scale AWS network design.
Key advantages:
- Centralized connectivity: All VPCs and on-premises connections attach to TGW.
- Scalability: Instead of creating complex VPC-to-VPC peering, you use one TGW.
- Integration with Direct Connect: You can attach a Direct Connect gateway to TGW for on-premises connectivity.
IT Example:
- A company has 10 VPCs and a data center. Instead of 45 VPC peering connections (n*(n-1)/2), they attach all VPCs and the data center to one TGW, making management easier.
5. Direct Connect Gateway (DX Gateway)
What it is:
- A logical AWS resource that allows you to connect one or more VPCs across regions to a Direct Connect connection.
- It acts as a bridge between Direct Connect and Transit Gateway or VGW.
Use Cases:
- Multi-region VPCs – You can connect VPCs in different AWS regions to a single DX connection.
- Hybrid architecture – Connect your on-premises network to multiple VPCs securely.
IT Example:
- A company in New York has VPCs in US-East-1 and US-West-2. They use DX Gateway to connect both VPCs to a single Direct Connect line from the corporate office.
6. Virtual Interfaces (VIFs)
VIFs are logical connections over Direct Connect.
Types:
- Private VIF – For connecting VPCs via VGW.
- Public VIF – For accessing AWS public services over private connection.
- Transit VIF – For connecting to AWS Transit Gateway from on-premises networks.
Key Points:
- A single Direct Connect connection can have multiple VIFs.
- Each VIF has its own BGP session for routing.
IT Example:
- You can have one Direct Connect connection, and split traffic:
- Private VIF → Access corporate VPC.
- Public VIF → Access S3.
- Transit VIF → Access multiple VPCs via TGW.
7. Key Exam Points to Remember
- VGW vs TGW:
- VGW = single VPC to on-premises connection.
- TGW = hub connecting multiple VPCs and on-premises networks.
- Direct Connect:
- Use DX for predictable performance and private network.
- Requires VIFs to access VPCs or AWS services.
- Direct Connect Gateway:
- Enables cross-region or multi-VPC DX connectivity.
- Routing:
- BGP is used for dynamic route exchange.
- You can also use static routes, but dynamic BGP is preferred in hybrid networks.
- Hybrid network design:
- Use TGW + DX Gateway + VIFs for large-scale, multi-region, multi-VPC connectivity.
- Use VGW + private VIF for small-scale or single-VPC connections.
8. Summary Table
| Component | Purpose | Example Use |
|---|---|---|
| Direct Connect | Private connection on-premises → AWS | Fast, secure access to VPC |
| Private VIF | VPC access | Connect on-premises to DB VPC |
| Public VIF | AWS services access | Access S3, DynamoDB over DX |
| Transit Gateway | Central hub for VPCs & DC | Connect 10 VPCs & data center |
| VGW | VPC-level gateway | Connect single VPC via VPN or DX |
| DX Gateway | Multi-region DX connection | Connect multiple regional VPCs |
