Task Statement 1.5: Design a routing strategy and connectivity architecture between on-premises networks and the AWS Cloud.
📘AWS Certified Advanced Networking – Specialty
1. What is Hybrid Connectivity?
Hybrid connectivity means connecting your on-premises network (data center) with your AWS Virtual Private Cloud (VPC). This allows:
- Applications to run partly on-premises and partly in AWS
- Data to move securely between environments
- Workloads to scale into AWS when needed
2. What Does “Redundant” Mean?
Redundancy means having multiple paths or connections so that if one fails, traffic can still flow using another path.
In networking, redundancy ensures:
- High Availability (HA)
- No single point of failure
- Continuous network connectivity
3. Key AWS Services for Hybrid Connectivity
3.1 AWS Direct Connect (DX)
AWS Direct Connect provides a private, dedicated connection between your data center and AWS.
Key Characteristics:
- Private, not over the public internet
- Predictable latency and performance
- High bandwidth (1 Gbps, 10 Gbps, etc.)
- More stable than VPN
Important Exam Points:
- Connects to a Direct Connect location
- Uses a Virtual Interface (VIF):
  - Private VIF → connects to a VPC
  - Public VIF → connects to AWS public services
  - Transit VIF → connects via Transit Gateway
- Does NOT encrypt traffic by default
3.2 AWS Site-to-Site VPN
AWS Site-to-Site VPN creates a secure encrypted tunnel over the internet between your on-premises network and AWS.
Key Characteristics:
- Uses IPsec encryption
- Quick to set up
- Uses public internet
- Automatically redundant (2 tunnels per VPN connection)
Important Exam Points:
- Each VPN connection includes two tunnels
- Supports failover between tunnels
- Works with:
  - Virtual Private Gateway (VGW)
  - AWS Transit Gateway (TGW)
4. Redundant Hybrid Connectivity Architecture
To design redundancy, you must combine multiple connections and paths.
4.1 Best Practice: Use BOTH Direct Connect and VPN
A highly redundant architecture includes:
- Primary connection → Direct Connect
- Backup connection → Site-to-Site VPN
Why this is important:
- Direct Connect provides performance
- VPN provides failover if DX fails
4.2 Redundancy with Direct Connect
To make Direct Connect redundant:
Use Multiple Components:
- Multiple Direct Connect connections
- Multiple Direct Connect locations
- Different devices or routers
- Different physical paths (where possible)
Key Exam Concepts:
- Avoid a single Direct Connect connection
- Use Link Aggregation Groups (LAG) for bandwidth plus link-level redundancy (a LAG bundles connections at one location, so it does not replace a second location)
- Use BGP (Border Gateway Protocol) for routing and failover
4.3 Redundancy with VPN
VPN redundancy is built-in but must be configured correctly:
- Each VPN has two tunnels
- Configure both tunnels on your on-premises device
- Use BGP to fail over automatically between tunnels
Advanced:
- Use multiple VPN connections to different endpoints
- Use different AWS Availability Zones (AZs)
4.4 Using AWS Transit Gateway (TGW)
AWS Transit Gateway is used to connect multiple VPCs and on-premises networks.
Benefits:
- Central routing hub
- Simplifies large network designs
- Supports:
  - Direct Connect
  - VPN
  - Multiple VPC attachments
Redundancy Features:
- Multiple attachments
- Route table control
- Works with BGP for dynamic routing
5. Routing for Redundancy
Routing is critical in hybrid connectivity.
5.1 BGP (Border Gateway Protocol)
- Used for dynamic routing between on-premises and AWS
- Automatically reroutes traffic when a path fails
Key Exam Points:
- Path preference is influenced by local preference, AS path length and MED
- Used with both Direct Connect and VPN
- Supports failover between connections
5.2 Route Priority
When both Direct Connect and VPN exist:
- Direct Connect is usually preferred (lower latency, private)
- VPN acts as backup
This is controlled using:
- BGP route preferences
- Route tables in AWS
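The preference logic of sections 5.1 and 5.2, as an added example that is not part of the original notes: a small BGP best-path simulation on the customer router side, where a Direct Connect path wins over two VPN tunnels until it is withdrawn. The prefix, ASN and link names are constructed sample values.

```python
# Added example, not part of the original notes: BGP best-path selection for
# the "Direct Connect primary, VPN backup" design. The comparison follows the
# standard BGP decision steps the notes name: higher local preference wins,
# then shorter AS path, then lower MED. All values below are constructed.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Path:
    prefix: str          # destination network advertised by AWS
    link: str            # hybrid link the route was learned over
    local_pref: int      # higher wins; set inbound on the customer router
    as_path: tuple       # shorter wins; the VPN path is AS-path prepended
    med: int             # lower wins; considered only after the steps above
    up: bool = True      # False once the link or its BGP session is down

def bgp_best_path(paths):
    """Return the best usable path for one prefix, or None if all are down."""
    usable = [p for p in paths if p.up]
    if not usable:
        return None
    # min() with a key that encodes the decision steps; local_pref is negated
    # so that a higher value sorts first.
    return min(usable, key=lambda p: (-p.local_pref, len(p.as_path), p.med))

def build_rib(paths):
    """Group candidate paths by prefix and pick the best one for each."""
    by_prefix = {}
    for p in paths:
        by_prefix.setdefault(p.prefix, []).append(p)
    return {pfx: bgp_best_path(ps) for pfx, ps in by_prefix.items()}

def withdraw(paths, failed_link):
    """Simulate a link failure: paths learned over that link are withdrawn."""
    return [replace(p, up=p.up and p.link != failed_link) for p in paths]

# Constructed sample: one VPC CIDR learned over a private VIF and over both
# tunnels of one Site-to-Site VPN; the VPN paths are deliberately less preferred.
SAMPLE_PATHS = [
    Path("10.20.0.0/16", "dx-private-vif", 200, (64512,), 0),
    Path("10.20.0.0/16", "vpn-tunnel-1", 100, (64512, 64512), 100),
    Path("10.20.0.0/16", "vpn-tunnel-2", 100, (64512, 64512), 200),
]

if __name__ == "__main__":
    print("all links up:", build_rib(SAMPLE_PATHS)["10.20.0.0/16"].link)
    degraded = withdraw(SAMPLE_PATHS, "dx-private-vif")
    print("dx withdrawn:", build_rib(degraded)["10.20.0.0/16"].link)
```

Withdrawing the VPN tunnels one after the other moves the best path to the remaining tunnel and finally to no route at all, which is the "no single point of failure" check of section 2 expressed in routing terms.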
6. Designing a Fully Redundant Architecture
A strong redundant hybrid design includes:
1. Dual Connections
   - Two Direct Connect connections (different locations)
   - Two VPN tunnels (per connection)
2. Failover Paths
   - Direct Connect → Primary
   - VPN → Backup
3. Multiple Availability Zones
   - Distribute AWS resources across AZs
4. Multiple Devices
   - Use separate routers/firewalls in the data center
5. Dynamic Routing
   - Use BGP instead of static routes
7. High Availability Design Patterns
7.1 Active-Active Design
- Both connections are used at the same time
- Traffic is load-balanced
7.2 Active-Passive Design
- One connection is primary
- Another is backup (fails over when needed)
Exam Tip:
- Active-active is preferred for performance
- Active-passive is simpler and sometimes more stable
8. Security Considerations
- Direct Connect does not encrypt traffic; if encryption is required, run a Site-to-Site VPN over the Direct Connect connection
- Use MACsec (Layer 2 encryption) if required for Direct Connect
- Apply:
  - Security Groups
  - Network ACLs
  - Firewalls on-premises
9. Common Exam Scenarios
Scenario 1: High Bandwidth + Redundancy
- Use Direct Connect for primary
- Use VPN for failover
Scenario 2: Multiple Regions
- Use multiple Direct Connect locations
- Use Transit Gateway for centralized routing
Scenario 3: High Availability Required
- Use multiple VPN tunnels
- Use BGP for automatic failover
10. Key Exam Takeaways
- Always design at least two paths for redundancy
- Combine:
  - Direct Connect (performance)
  - VPN (backup)
- Use BGP for dynamic routing and failover
- Use Transit Gateway for scalable architecture
- Avoid single points of failure
- Prefer active-active or active-passive designs
- Use multiple Availability Zones whenever possible
11. Simple Summary
A redundant hybrid connectivity model ensures:
- Continuous connection between on-premises and AWS
- Automatic failover if a link fails
- High performance and secure communication
The best practice is:
👉 Use Direct Connect as primary
👉 Use VPN as backup
👉 Use BGP for automatic failover
👉 Use multiple connections and AZs for redundancy
