Task Statement 3.4: Determine high-performing and/or scalable network architectures.
📘AWS Certified Solutions Architect – (SAA-C03)
1. Overview of Network Connectivity in AWS
When designing AWS architectures, you must connect:
- On-premises data centers → AWS
- One VPC → another VPC
- Applications → AWS services privately
AWS provides three main connectivity options:
| Service | Purpose |
|---|---|
| AWS VPN | Secure connection over the internet |
| AWS Direct Connect | Dedicated private connection |
| AWS PrivateLink | Private access to services within AWS |
2. AWS VPN (Virtual Private Network)
What is AWS VPN?
AWS VPN creates a secure encrypted connection between your network and AWS over the public internet.
Types of AWS VPN
1. Site-to-Site VPN
- Connects:
- On-premises network ↔ AWS VPC
- Uses:
- Customer Gateway (your router)
- Virtual Private Gateway (AWS side)
2. Client VPN
- Connects:
- Individual users (laptops) → AWS VPC
- Works like a remote-access VPN: a managed, OpenVPN-based service that authenticates users with certificates, Active Directory or SAML
Key Features
- Site-to-Site VPN uses IPsec; each connection gives you two tunnels (to endpoints in different AZs) for redundancy
- Client VPN uses TLS (the OpenVPN protocol), not IPsec
- Runs over the internet (no dedicated line)
- Quick to set up (hours, not weeks)
- Lower cost compared to Direct Connect
Advantages
- Easy to deploy
- Secure (encrypted traffic)
- Good for:
- Development environments
- Backup connectivity
Limitations
- Dependent on internet quality
- Variable latency
- Lower bandwidth compared to Direct Connect (up to 1.25 Gbps per Site-to-Site tunnel)
Exam Tips
- VPN = encrypted + internet-based
- Used when:
- Cost is a concern
- Fast setup needed
- Often used as: the backup path for a Direct Connect connection
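"Encrypted" in the notes above is only as strong as the IKE/IPsec options each tunnel is allowed to negotiate, and the AWS defaults for an unrestricted tunnel also permit IKEv1, AES-128, SHA1 and DH group 2. The Python check below is an added example, not part of the original notes and not AWS tooling: it audits a constructed dict shaped like one `VpnConnections` entry from `aws ec2 describe-vpn-connections` (field names are assumed to match that response; no API call is made) against a hardening baseline, treating an empty allow-list as "AWS defaults", and also confirms both tunnels are UP.

```python
"""Audit AWS Site-to-Site VPN tunnel options against a hardening baseline.

Added example for these notes, not AWS code. The input is a constructed dict
shaped like one entry of `VpnConnections` in the `ec2 describe-vpn-connections`
response (field names assumed to match); no AWS API call is made.
"""


def _opts(values):
    """Build the [{'Value': v}, ...] list shape the EC2 API uses for tunnel options."""
    return [{"Value": v} for v in values]


# Options AWS negotiates when a tunnel's allow-list is left empty (unrestricted).
# Abbreviated here; the point is that the default set includes the weak choices below.
AWS_DEFAULTS = {
    "IkeVersions": ["ikev1", "ikev2"],
    "EncryptionAlgorithms": ["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"],
    "IntegrityAlgorithms": ["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"],
    "DHGroupNumbers": [2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24],
}

# Hardening baseline: IKEv2 only, 256-bit AES, SHA-2 integrity, DH group >= 14.
WEAK_IKE = {"ikev1"}
WEAK_ENCRYPTION = {"AES128", "AES128-GCM-16"}
WEAK_INTEGRITY = {"SHA1"}
MIN_DH_GROUP = 14


def _effective(tunnel, key, default_key):
    """Configured allow-list for `key`, or the AWS default set when unrestricted."""
    configured = [item["Value"] for item in tunnel.get(key, [])]
    return configured or list(AWS_DEFAULTS[default_key])


def audit_tunnel(tunnel, index):
    """Return findings for one tunnel's IKE (phase 1) and IPsec (phase 2) allow-lists."""
    findings = []
    prefix = f"tunnel{index}"
    if WEAK_IKE & set(_effective(tunnel, "IkeVersions", "IkeVersions")):
        findings.append(f"{prefix}: IKEv1 allowed")
    for phase in (1, 2):
        enc = set(_effective(tunnel, f"Phase{phase}EncryptionAlgorithms", "EncryptionAlgorithms"))
        if enc & WEAK_ENCRYPTION:
            findings.append(f"{prefix}: phase {phase} allows 128-bit AES")
        integrity = set(_effective(tunnel, f"Phase{phase}IntegrityAlgorithms", "IntegrityAlgorithms"))
        if integrity & WEAK_INTEGRITY:
            findings.append(f"{prefix}: phase {phase} allows SHA1")
        dh_groups = _effective(tunnel, f"Phase{phase}DHGroupNumbers", "DHGroupNumbers")
        if any(group < MIN_DH_GROUP for group in dh_groups):
            findings.append(f"{prefix}: phase {phase} allows DH group below {MIN_DH_GROUP}")
    return findings


def audit_vpn_connection(conn):
    """Audit both tunnels' options, then check that both tunnels are UP (redundancy)."""
    findings = []
    tunnels = conn.get("Options", {}).get("TunnelOptions", [])
    for index, tunnel in enumerate(tunnels, start=1):
        findings.extend(audit_tunnel(tunnel, index))
    up = [t for t in conn.get("VgwTelemetry", []) if t.get("Status") == "UP"]
    if len(up) < 2:
        findings.append(f"only {len(up)} of 2 tunnels UP: no tunnel redundancy")
    return findings


_HARDENED_TUNNEL = {
    "IkeVersions": _opts(["ikev2"]),
    "Phase1EncryptionAlgorithms": _opts(["AES256-GCM-16"]),
    "Phase1IntegrityAlgorithms": _opts(["SHA2-256"]),
    "Phase1DHGroupNumbers": _opts([14]),
    "Phase2EncryptionAlgorithms": _opts(["AES256-GCM-16"]),
    "Phase2IntegrityAlgorithms": _opts(["SHA2-256"]),
    "Phase2DHGroupNumbers": _opts([14]),
}

# Constructed sample: tunnel 1 left at AWS defaults, tunnel 2 hardened except that
# SHA1 is still allowed in phase 1, and the second tunnel is DOWN.
WEAK_CONNECTION = {
    "VpnConnectionId": "vpn-0constructed0001",
    "Options": {"TunnelOptions": [
        {"OutsideIpAddress": "203.0.113.10"},
        dict(_HARDENED_TUNNEL, OutsideIpAddress="203.0.113.11",
             Phase1IntegrityAlgorithms=_opts(["SHA1", "SHA2-256"])),
    ]},
    "VgwTelemetry": [{"OutsideIpAddress": "203.0.113.10", "Status": "UP"},
                     {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN"}],
}

# Constructed sample: both tunnels restricted to the baseline and both UP.
HARDENED_CONNECTION = {
    "VpnConnectionId": "vpn-0constructed0002",
    "Options": {"TunnelOptions": [
        dict(_HARDENED_TUNNEL, OutsideIpAddress="198.51.100.10"),
        dict(_HARDENED_TUNNEL, OutsideIpAddress="198.51.100.11"),
    ]},
    "VgwTelemetry": [{"OutsideIpAddress": "198.51.100.10", "Status": "UP"},
                     {"OutsideIpAddress": "198.51.100.11", "Status": "UP"}],
}

if __name__ == "__main__":
    for conn in (WEAK_CONNECTION, HARDENED_CONNECTION):
        print(conn["VpnConnectionId"], audit_vpn_connection(conn) or ["no findings"])
```

Tighten the allow-lists with `aws ec2 modify-vpn-tunnel-options` (or the tunnel option fields when creating the connection); an empty list is the permissive default, not "nothing allowed". The redundancy check matters because a connection with one tunnel DOWN still passes traffic and is easy to leave unnoticed until the remaining tunnel fails.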
3. AWS Direct Connect (DX)
What is Direct Connect?
AWS Direct Connect provides a dedicated private network connection from your data center (or a colocation facility) to AWS.
- Does NOT use the public internet
- Uses a physical fiber connection at a Direct Connect location
- Traffic is NOT encrypted by default: the link is private, not secret
Key Features
- Dedicated connections at 1 Gbps, 10 Gbps or 100 Gbps; hosted connections from AWS partners at lower speeds
- Low latency
- Consistent network performance
- Private path into AWS (no internet exposure)
Components
- Direct Connect Location
- Connection (physical link)
- Virtual Interfaces (VIFs), each a tagged VLAN plus a BGP session:
- Private VIF → one VPC via a Virtual Private Gateway (or many VPCs via a Direct Connect Gateway)
- Public VIF → public endpoints of AWS services (e.g., S3, DynamoDB) over the private link
- Transit VIF → Transit Gateway via a Direct Connect Gateway
Advantages
- High performance
- Reliable and predictable latency
- Suitable for large data transfers
- Not exposed to the internet; for encryption in transit, add MACsec (dedicated 10/100 Gbps connections) or run a Site-to-Site VPN over a public VIF
Limitations
- Expensive (port-hours plus data transfer out)
- Takes time to set up (weeks to months for the physical cross-connect)
- Requires physical infrastructure; a single connection is a single point of failure
Exam Tips
- Direct Connect = private + high performance
- Best for:
- Large-scale enterprise workloads
- Continuous high traffic
- Often paired with: a Site-to-Site VPN as the backup path (or a second connection at another Direct Connect location for resilience)
4. AWS VPN vs Direct Connect
| Feature | AWS VPN | Direct Connect |
|---|---|---|
| Network | Internet | Private connection |
| Cost | Low | High |
| Setup time | Fast (hours) | Slow (weeks to months) |
| Latency | Variable | Consistent |
| Bandwidth | Limited (up to 1.25 Gbps per tunnel) | High (1/10/100 Gbps dedicated) |
| Security | Encrypted (IPsec) | Private, not encrypted by default; add MACsec or a VPN over DX |
Common Exam Scenario
- Need cheap + fast setup → VPN
- Need high performance + stability → Direct Connect
- Need redundancy → Direct Connect + VPN backup
5. AWS PrivateLink
What is AWS PrivateLink?
AWS PrivateLink allows you to privately connect to services without using:
- Internet Gateway
- NAT Gateway
- Public IP
How it Works
- The service is reached through an Interface Endpoint: an ENI with a private IP in your subnet, protected by security groups
- Traffic stays on the AWS network and never transits the internet
Types of Endpoints
1. Interface Endpoint (PrivateLink)
- Used for:
- Most AWS services (e.g., SQS, KMS, Secrets Manager, CloudWatch Logs; also S3 when you need access from on-premises over VPN or Direct Connect)
- Custom services published behind a Network Load Balancer (endpoint services) and AWS Marketplace partner services
- Billed per hour per AZ plus data processed
2. Gateway Endpoint
- Supports S3 and DynamoDB only
- A route-table entry (prefix list), not an ENI: no security groups, no charge
- Reachable only from inside the VPC, not from on-premises over VPN or Direct Connect
Key Features
- Private connectivity
- No internet exposure
- Secure communication
- Scales automatically
Advantages
- Increased security
- No need for NAT Gateway
- Simplifies architecture
Limitations
- Interface endpoints cost per hour per AZ plus data processing (gateway endpoints are free)
- Not all services offer interface endpoints (check the service's documentation)
- The endpoint policy defaults to allowing all principals, actions and resources; restrict it
Exam Tips
- PrivateLink = private service access
- Used when:
- You must NOT use internet
- Works inside AWS network
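PrivateLink keeps traffic off the internet, but the endpoint is still a path that credentials from any AWS account can use unless its endpoint policy says otherwise, and the default policy is full access: through an unrestricted S3 gateway endpoint, a compromised instance can upload data to a bucket in an attacker's account. The linter below is an added example, not part of the original notes and not AWS code; it flags the three patterns that matter on constructed sample policies (the organization ID and bucket name are placeholders).

```python
"""Lint a VPC endpoint policy for over-permissive patterns.

Added example for these notes, not AWS code. An endpoint policy is the IAM-style
resource policy attached to a gateway or interface endpoint; the default policy
grants every principal every action on every resource reachable through the
endpoint. The policies below are constructed samples; the organization ID and
bucket name are placeholders.
"""
import json

# Condition keys that tie an Allow to identities you control. Gateway endpoint
# policies must use Principal "*", so scoping has to happen in the Condition.
PRINCIPAL_SCOPING_KEYS = {"aws:PrincipalOrgID", "aws:PrincipalAccount", "aws:PrincipalArn"}


def _as_list(value):
    """IAM lets Principal/Action/Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allows_any_principal(principal):
    """True for Principal "*" or {"AWS": "*"}, the two spellings of 'anyone'."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _condition_keys(statement):
    """All condition keys used in a statement, regardless of operator."""
    keys = set()
    for clause in statement.get("Condition", {}).values():
        keys.update(clause.keys())
    return keys


def lint_endpoint_policy(policy):
    """Return findings for Allow statements that let untrusted traffic through the endpoint."""
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue
        where = f"statement {index}"
        scoped = bool(_condition_keys(statement) & PRINCIPAL_SCOPING_KEYS)
        if _allows_any_principal(statement.get("Principal")) and not scoped:
            findings.append(f"{where}: Principal '*' with no aws:PrincipalOrgID/Account/Arn "
                            "condition; credentials from any AWS account can use this endpoint")
        actions = _as_list(statement.get("Action"))
        if any(action == "*" or action.endswith(":*") for action in actions):
            findings.append(f"{where}: wildcard Action")
        if "*" in _as_list(statement.get("Resource")):
            findings.append(f"{where}: Resource '*'; data can be written to resources outside "
                            "your account (for an S3 endpoint, any bucket, including an attacker's)")
    return findings


def lint_policy_document(document):
    """Lint a policy given as the JSON string that describe-vpc-endpoints returns."""
    return lint_endpoint_policy(json.loads(document))


# Constructed sample: the full-access policy every new endpoint starts with.
DEFAULT_POLICY = {
    "Version": "2008-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}],
}

# Constructed sample: an S3 gateway endpoint policy scoped to one bucket and one
# organization. "o-exampleorg123" and "example-data-bucket" are placeholders.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OrgPrincipalsToOwnBucketOnly",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-data-bucket", "arn:aws:s3:::example-data-bucket/*"],
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorg123"}},
    }],
}

if __name__ == "__main__":
    for name, policy in (("default", DEFAULT_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, lint_endpoint_policy(policy) or ["no findings"])
```

The endpoint policy is one of two controls: it decides which principals and resources may be used through the endpoint, while the security group on an interface endpoint (or the route table for a gateway endpoint) decides which subnets can reach it. Pair the policy with a bucket policy that denies requests not arriving via your endpoint (`aws:SourceVpce`) and the bucket can only be used from inside your VPC.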
6. PrivateLink vs VPC Peering
| Feature | PrivateLink | VPC Peering |
|---|---|---|
| Access Type | Service-level (one service behind an NLB) | Full network (routed access to every subnet) |
| Overlapping CIDR | Supported | Not supported |
| Security | More controlled (endpoint policy + security groups) | Less granular (route tables + per-instance security groups) |
| Connectivity | One-way (consumer → provider) | Two-way |
Exam Insight
- Need service access only → PrivateLink
- Need full VPC communication → VPC Peering
7. Combining These Services (Important)
Common Architectures
- Hybrid Architecture
- On-prem → VPN → AWS
- Or Direct Connect
- High Availability Setup
- Direct Connect (primary)
- VPN (backup)
- Secure Service Access
- Use PrivateLink instead of internet
8. Security Considerations
| Service | Security Type |
|---|---|
| VPN | Encryption (IPsec) |
| Direct Connect | Private link; not encrypted by default (add MACsec or run a VPN over it) |
| PrivateLink | Private AWS network; lock down with security groups and endpoint policies |
9. Key Exam Comparison Summary
| Use Case | Best Choice |
|---|---|
| Quick secure connection | VPN |
| High performance, low latency | Direct Connect |
| Private access to AWS services | PrivateLink |
| Avoid internet completely | PrivateLink |
| Backup connectivity | VPN |
10. Final Exam Tips (Very Important)
- VPN = internet + encrypted
- Direct Connect = dedicated + stable
- PrivateLink = private AWS service access
Watch for keywords in questions:
| Keyword | Answer |
|---|---|
| “lowest latency” | Direct Connect |
| “quick setup” | VPN |
| “private access to service” | PrivateLink |
| “avoid public internet” | PrivateLink (AWS service access) or Direct Connect (on-premises traffic) |
| “hybrid architecture” | VPN or Direct Connect |