Inter-VPC and multi-account connectivity (for example, VPC peering, Transit Gateway, VPN, third-party vendors, SD-WAN, multi-protocol label switching [MPLS])

Task Statement 2.2: Implement routing and connectivity across multiple AWS accounts, Regions, and VPCs to support different connectivity patterns.

📘AWS Certified Advanced Networking – Specialty


1. Overview of Multi-VPC and Multi-Account Connectivity

In AWS, organizations often use multiple VPCs (Virtual Private Clouds) for isolation, security, or organizational purposes. These VPCs can exist:

  • In different AWS accounts
  • In different AWS Regions
  • With different network requirements

Connectivity across these VPCs is crucial for workloads to communicate, share data, or access shared services. AWS provides multiple tools and patterns to achieve this, and knowing which tool fits which scenario is exam-critical.


2. VPC Peering

VPC Peering allows two VPCs to connect privately using AWS’s internal network.

Key points for the exam:

  • Works across accounts (inter-account peering) and within the same account.
  • Works across Regions (inter-region peering), but data transfer has a cost.
  • Non-transitive: If VPC A peers with VPC B, and VPC B peers with VPC C, A cannot automatically communicate with C.
  • Routing: You must update the route tables in each VPC to allow traffic.
  • Limitations:
    • Maximum number of active peering connections per VPC (depends on AWS limits).
    • Cannot overlap CIDR blocks.

Use case in IT environment: Sharing backend services (like databases) between two VPCs in the same account.


3. AWS Transit Gateway (TGW)

Transit Gateway is like a hub that connects multiple VPCs and on-premises networks through a single gateway.

Key points for the exam:

  • Supports multi-account and multi-region connectivity.
  • Transitive routing: Unlike VPC peering, VPCs connected to the same TGW can communicate via TGW.
  • Scalable: Can connect hundreds of VPCs.
  • Route tables: TGW has its own route tables that control which VPCs/networks can communicate.
  • Cost-efficient for many-to-many connections compared to multiple peering links.

Exam tip: TGW is often the recommended solution for large-scale multi-VPC, multi-account architectures.


4. VPN Connectivity

VPN (Virtual Private Network) is used to securely connect networks over the internet. It can be:

  • Site-to-site VPN: Connect on-premises networks to AWS VPCs.
  • VPC-to-VPC VPN: Connect VPCs in different accounts or regions.

Key points for the exam:

  • Uses IPsec encryption.
  • Can be combined with Transit Gateway for scalable architectures.
  • Dynamic routing with BGP is often used to automatically exchange routes.
  • Backup solution: Often used as a secondary path for resiliency.

5. Third-Party Network Vendors and SD-WAN

Some enterprises use third-party vendors or SD-WAN (Software-Defined Wide Area Network) solutions for advanced networking, especially when connecting multiple VPCs and on-premises networks globally.

Key exam points:

  • SD-WAN simplifies complex routing and multiple VPNs.
  • Supports policy-based routing, dynamic failover, and optimization.
  • Can integrate with AWS Transit Gateway using VPN connections.

6. Multi-Protocol Label Switching (MPLS)

MPLS is a traditional enterprise WAN technology. In the AWS context, MPLS networks can connect to AWS via:

  • Direct Connect (private, high-speed link)
  • VPN over MPLS

Key points:

  • Often used by enterprises to connect on-premises locations to AWS regions securely.
  • Works well for hybrid architectures.

7. Connectivity Patterns

When designing connectivity, the exam focuses on understanding these patterns:

A. Hub-and-Spoke (Centralized)

  • Hub: Transit Gateway or a central VPC.
  • Spokes: Other VPCs or accounts connect to the hub.
  • Benefit: Simplified routing and security control.
  • Example: TGW connecting multiple VPCs in multiple accounts.

B. Full Mesh

  • Each VPC peered with every other VPC.
  • Challenge: Not scalable; routing tables grow rapidly.

C. Hybrid Connectivity

  • Combines on-premises networks, VPCs, VPNs, and Direct Connect.
  • Often uses TGW + VPN + Direct Connect.
  • Benefit: Resilient and scalable.

8. Routing and Route Tables

For any multi-VPC setup:

  • VPC route tables: Control traffic within a VPC and to other networks.
  • TGW route tables: Control which VPCs, VPNs, or Direct Connect links can communicate.
  • BGP: Automatically exchanges routes for dynamic connectivity.

Exam tip: Know which solution requires manual route updates (VPC Peering) vs. dynamic route propagation (TGW with VPN/Direct Connect).
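The peering rules from section 2 (non-transitive, no CIDR overlap, routes on both sides), the TGW route tables from section 3 and the manual-vs-propagated comparison above, as an added worked example that is not part of these notes: a small Python model of which VPCs can reach each other. VPC names, CIDRs and TGW route-table names are constructed.

```python
from ipaddress import ip_network

# Constructed topology (example values, not from the notes): three VPCs, disjoint CIDRs.
VPCS = {
    "A": ip_network("10.0.0.0/16"),
    "B": ip_network("10.1.0.0/16"),
    "C": ip_network("10.2.0.0/16"),
}

def overlapping_cidrs(vpcs):
    """Peering is refused between VPCs whose CIDRs overlap; return the offending pairs."""
    names = sorted(vpcs)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if vpcs[a].overlaps(vpcs[b])]

def peering_reachable(src, dst, peerings, vpc_route_tables):
    """Non-transitive: src reaches dst only over a direct peering connection, and only
    if BOTH VPC route tables were updated with a route covering the other side's CIDR."""
    if frozenset((src, dst)) not in peerings:
        return False
    forward = any(VPCS[dst].subnet_of(r) for r in vpc_route_tables[src])
    reverse = any(VPCS[src].subnet_of(r) for r in vpc_route_tables[dst])
    return forward and reverse

def tgw_reachable(src, dst, associations, tgw_route_tables):
    """Transitive: src reaches dst if the TGW route table its attachment is associated
    with holds a route for dst's CIDR that targets dst's attachment (and vice versa)."""
    fwd = tgw_route_tables[associations[src]].get(VPCS[dst]) == dst
    rev = tgw_route_tables[associations[dst]].get(VPCS[src]) == src
    return fwd and rev

# Constructed peering chain A<->B, B<->C, with routes added on both ends of each link.
PEERINGS = {frozenset(("A", "B")), frozenset(("B", "C"))}
VPC_ROUTE_TABLES = {"A": [VPCS["B"]], "B": [VPCS["A"], VPCS["C"]], "C": [VPCS["B"]]}

# Constructed TGW, variant 1: one shared route table, every attachment associated and
# propagated into it, so all three VPCs reach each other.
SHARED_ASSOC = {"A": "shared", "B": "shared", "C": "shared"}
SHARED_RT = {"shared": {cidr: name for name, cidr in VPCS.items()}}

# Variant 2: two TGW route tables segment the network; C is isolated from A and B.
SEGMENTED_ASSOC = {"A": "prod", "B": "prod", "C": "dev"}
SEGMENTED_RT = {"prod": {VPCS["A"]: "A", VPCS["B"]: "B"}, "dev": {VPCS["C"]: "C"}}

if __name__ == "__main__":
    print(overlapping_cidrs(VPCS))                                  # []
    print(peering_reachable("A", "C", PEERINGS, VPC_ROUTE_TABLES))  # False: peering is not transitive
    print(tgw_reachable("A", "C", SHARED_ASSOC, SHARED_RT))         # True: transitive via the TGW
    print(tgw_reachable("A", "C", SEGMENTED_ASSOC, SEGMENTED_RT))   # False: TGW route tables segment
```

Removing the route from one side of a peering link (for example dropping VPCS["A"] from B's table) is enough to make peering_reachable return False, which is the manual-route-update pitfall the tip above refers to.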


9. Security Considerations

  • Security Groups: Control inbound/outbound traffic at the instance level.
  • Network ACLs: Control traffic at the subnet level.
  • TGW policies: Control which VPCs/networks can communicate.

Always remember: connectivity ≠ accessibility. Just because two VPCs are connected does not mean instances can talk unless security rules allow it.
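The "connectivity ≠ accessibility" rule as an added Python example (not part of these notes): a route alone does not admit a flow; the stateless network ACL has to pass both the request and the reply, and the stateful security group has to allow the request. All rules, CIDRs and addresses below are constructed.

```python
from ipaddress import ip_address, ip_network

def sg_allows(sg_inbound, src_ip, port, proto="tcp"):
    """Security groups are allow-only and stateful: one matching inbound rule admits the
    request and the reply is permitted automatically."""
    return any(r["proto"] == proto and r["from"] <= port <= r["to"]
               and ip_address(src_ip) in ip_network(r["cidr"]) for r in sg_inbound)

def nacl_allows(nacl_rules, ip, port, proto="tcp"):
    """Network ACLs are stateless and evaluated by ascending rule number; the first
    matching rule decides, and the implicit final rule denies everything else."""
    for r in sorted(nacl_rules, key=lambda r: r["num"]):
        if (r["proto"] in (proto, "all") and r["from"] <= port <= r["to"]
                and ip_address(ip) in ip_network(r["cidr"])):
            return r["action"] == "allow"
    return False

def instance_reachable(route_exists, nacl_in, nacl_out, sg_inbound, src_ip, dst_port):
    """Connectivity is not accessibility: the route, the subnet NACL in both directions
    and the instance security group must all permit the flow. Returns (ok, reason)."""
    if not route_exists:
        return False, "no route"
    if not nacl_allows(nacl_in, src_ip, dst_port):
        return False, "NACL denies request"
    # Stateless NACL: the reply goes back to the client's ephemeral port. Simplified
    # check on both ends of the 1024-65535 range rather than every port in it.
    if not all(nacl_allows(nacl_out, src_ip, p) for p in (1024, 65535)):
        return False, "NACL denies reply (ephemeral ports)"
    if not sg_allows(sg_inbound, src_ip, dst_port):
        return False, "security group denies"
    return True, "ok"

# Constructed rules for a database subnet in VPC B (10.1.0.0/16), routable over a TGW
# from VPC A (10.0.0.0/16) and VPC C (10.2.0.0/16). Only A may use the DB port.
SG_DB = [{"proto": "tcp", "from": 5432, "to": 5432, "cidr": "10.0.0.0/16"}]
NACL_IN = [
    {"num": 50, "action": "deny", "proto": "tcp", "from": 5432, "to": 5432, "cidr": "10.0.9.0/24"},
    {"num": 100, "action": "allow", "proto": "tcp", "from": 5432, "to": 5432, "cidr": "10.0.0.0/8"},
]
NACL_OUT = [{"num": 100, "action": "allow", "proto": "tcp", "from": 1024, "to": 65535, "cidr": "10.0.0.0/8"}]

if __name__ == "__main__":
    print(instance_reachable(True, NACL_IN, NACL_OUT, SG_DB, "10.0.1.10", 5432))   # (True, 'ok')
    print(instance_reachable(True, NACL_IN, NACL_OUT, SG_DB, "10.2.1.10", 5432))   # routed, but SG denies
    print(instance_reachable(True, NACL_IN, NACL_OUT, SG_DB, "10.0.9.10", 5432))   # NACL rule 50 denies
    print(instance_reachable(False, NACL_IN, NACL_OUT, SG_DB, "10.0.1.10", 5432))  # no route
```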


10. Key Exam Summary Table

Connectivity Type    | Transitive | Multi-Account | Multi-Region | Dynamic Routing | Use Case
---------------------|------------|---------------|--------------|-----------------|------------------------------
VPC Peering          | No         | Yes           | Yes          | No              | Simple VPC-to-VPC connections
Transit Gateway      | Yes        | Yes           | Yes          | Yes             | Hub-and-spoke, scalable
VPN                  | No         | Yes           | Yes          | Optional BGP    | Encrypted remote connectivity
SD-WAN               | Yes        | Yes           | Yes          | Yes             | Enterprise hybrid WAN
MPLS/Direct Connect  | Yes        | Yes           | Possible     | Yes             | High-speed enterprise WAN

Exam Tips:

  1. Always identify whether transitive routing is required.
  2. Know manual vs. automatic route propagation.
  3. Remember limits and constraints (CIDR overlaps, peering limits).
  4. Focus on Transit Gateway vs. Peering—common exam scenario.
  5. Be aware of security group and route table interactions.