Task Statement 1.2: Design secure workloads and applications.
📘AWS Certified Solutions Architect – (SAA-C03)
This topic is very important for the SAA-C03 exam. You must understand how organizations securely connect their on-premises data centers, branch offices, or other cloud environments to AWS.
When traffic moves between AWS and external networks, it must be:
- Encrypted
- Authenticated
- Authorized
- Highly available
- Monitored
In this section, we will cover everything required for the exam in simple and clear language.
1. Why Securing External Connections Is Important
When an organization connects its internal network (such as a data center or office network) to AWS, sensitive data may travel across the internet or private circuits.
Without proper security:
- Data can be intercepted
- Systems can be attacked
- Unauthorized access can occur
- Compliance rules can be violated
AWS provides secure connectivity options such as:
- Site-to-Site VPN
- Client VPN
- AWS Direct Connect
Each option has different use cases and security characteristics.
2. AWS Site-to-Site VPN
What It Is
AWS Site-to-Site VPN allows you to securely connect your on-premises network to your Amazon VPC over the internet using encrypted tunnels.
It uses:
- IPsec (Internet Protocol Security) to encrypt and authenticate every packet
- IKE (Internet Key Exchange) to negotiate and periodically refresh the session keys
- Two encrypted tunnels per connection, terminating on a VPN gateway on the AWS side
Key Components
1. Virtual Private Gateway (VGW)
Attached to your VPC. (A Transit Gateway can terminate the VPN instead when many VPCs need the same connection.)
2. Customer Gateway (CGW)
Represents your on-premises VPN device: its public IP address and, with dynamic routing, its BGP ASN.
3. VPN Connection
The pair of encrypted IPsec tunnels between the VGW (or Transit Gateway) and your customer gateway device.
How It Secures Traffic
- Uses IPsec encryption (AES-128 or AES-256; prefer AES-256-GCM) for all traffic inside the tunnel
- Uses IKE (Internet Key Exchange, v1 or v2; prefer IKEv2) for key negotiation and rekeying
- Data is encrypted before it leaves your network and decrypted only at the far end of the tunnel
- Only a device that proves possession of the tunnel's pre-shared key (or a certificate issued through AWS Private CA) can establish the tunnel
High Availability (Very Important for Exam)
By default:
- AWS provides two VPN tunnels per VPN connection
- Each tunnel terminates on a different AWS endpoint (a separate public IP), so losing one endpoint does not take down the connection
Best practice:
- Configure both tunnels on your customer gateway; a connection with only one tunnel configured has no redundancy
- Use dynamic routing (BGP) so traffic fails over to the surviving tunnel automatically
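The tunnel options and the two-tunnel layout described above, as an added example that is not code from the original page: Python that builds a hardened Options payload for both tunnels of a Site-to-Site VPN connection and lints a weak one. The dictionary keys mirror the EC2 CreateVpnConnection request parameters (TunnelOptions, IKEVersions, Phase1EncryptionAlgorithms and so on) as the editor recalls them; treat those names, the reserved link-local ranges and the pre-shared-key rules as assumptions to verify against the current API reference. Nothing here calls AWS.

```python
"""Build and lint Site-to-Site VPN tunnel options (added example, offline).
Key names follow the EC2 CreateVpnConnection Options.TunnelOptions request as
recalled by the editor: an assumption, verify against the API reference."""
import ipaddress
import secrets
import string

# Link-local /30s that AWS reserves and rejects as TunnelInsideCidr (assumed list).
RESERVED_INSIDE_CIDRS = [
    "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
    "169.254.4.0/30", "169.254.5.0/30", "169.254.169.252/30",
]
WEAK_ENC = {"AES128", "AES128-GCM-16"}   # 128-bit keys: reject in a hardened profile
WEAK_INTEGRITY = {"SHA1"}
WEAK_DH = {2}                             # 1024-bit MODP; 14+ is acceptable, 19-21 are ECP
PSK_ALPHABET = string.ascii_letters + string.digits + "._"


def generate_psk(length=32):
    """Pre-shared key: 8-64 chars from [A-Za-z0-9._], must not start with '0'."""
    if not 8 <= length <= 64:
        raise ValueError("PSK length must be 8-64")
    while True:
        psk = "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))
        if not psk.startswith("0"):
            return psk


def is_valid_inside_cidr(cidr):
    """A /30 inside 169.254.0.0/16 that is not one of the reserved blocks."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
        return (net.prefixlen == 30
                and net.subnet_of(ipaddress.ip_network("169.254.0.0/16"))
                and all(net != ipaddress.ip_network(r) for r in RESERVED_INSIDE_CIDRS))
    except (ValueError, TypeError):
        return False


def hardened_tunnel(inside_cidr, psk):
    """IKEv2 only, AES-256-GCM, SHA2-384, DH group 20, DPD restarts the tunnel."""
    if not is_valid_inside_cidr(inside_cidr):
        raise ValueError("invalid tunnel inside CIDR %s" % inside_cidr)
    return {
        "TunnelInsideCidr": inside_cidr,
        "PreSharedKey": psk,
        "IKEVersions": [{"Value": "ikev2"}],
        "Phase1EncryptionAlgorithms": [{"Value": "AES256-GCM-16"}],
        "Phase2EncryptionAlgorithms": [{"Value": "AES256-GCM-16"}],
        "Phase1IntegrityAlgorithms": [{"Value": "SHA2-384"}],
        "Phase2IntegrityAlgorithms": [{"Value": "SHA2-384"}],
        "Phase1DHGroupNumbers": [{"Value": 20}],
        "Phase2DHGroupNumbers": [{"Value": 20}],
        "DPDTimeoutSeconds": 30,
        "DPDTimeoutAction": "restart",
        "StartupAction": "start",
    }


def lint_tunnel(opts):
    """Return the settings an auditor would reject in one tunnel's options."""
    findings = []
    if "ikev1" in {v["Value"] for v in opts.get("IKEVersions", [])}:
        findings.append("IKEv1 enabled")
    checks = (("Phase1EncryptionAlgorithms", WEAK_ENC), ("Phase2EncryptionAlgorithms", WEAK_ENC),
              ("Phase1IntegrityAlgorithms", WEAK_INTEGRITY), ("Phase2IntegrityAlgorithms", WEAK_INTEGRITY),
              ("Phase1DHGroupNumbers", WEAK_DH), ("Phase2DHGroupNumbers", WEAK_DH))
    for key, weak in checks:
        for v in opts.get(key, []):
            if v["Value"] in weak:
                findings.append("%s: %s is weak" % (key, v["Value"]))
    psk = opts.get("PreSharedKey", "")
    if len(psk) < 8 or psk.startswith("0") or any(c not in PSK_ALPHABET for c in psk):
        findings.append("PreSharedKey violates AWS constraints")
    return findings


def build_vpn_options(static_routes=False):
    """Both tunnels configured, distinct inside CIDRs, independent PSKs, BGP by default."""
    tunnels = [hardened_tunnel("169.254.10.0/30", generate_psk()),
               hardened_tunnel("169.254.11.0/30", generate_psk())]
    return {"StaticRoutesOnly": static_routes, "TunnelOptions": tunnels}


# Constructed "before" configuration: legacy defaults an old device might negotiate.
WEAK_TUNNEL = {
    "TunnelInsideCidr": "169.254.10.0/30",
    "PreSharedKey": "0secret",
    "IKEVersions": [{"Value": "ikev1"}, {"Value": "ikev2"}],
    "Phase1EncryptionAlgorithms": [{"Value": "AES128"}],
    "Phase2EncryptionAlgorithms": [{"Value": "AES128"}],
    "Phase1IntegrityAlgorithms": [{"Value": "SHA1"}],
    "Phase2IntegrityAlgorithms": [{"Value": "SHA1"}],
    "Phase1DHGroupNumbers": [{"Value": 2}],
    "Phase2DHGroupNumbers": [{"Value": 2}],
}
```

Once the parameter names are confirmed, `build_vpn_options()` is what you would pass as the `Options` argument of `create_vpn_connection` together with the customer gateway ID and the VGW or Transit Gateway ID. The restrictive algorithm lists only limit what AWS will negotiate, so the customer gateway device must support the same set or the tunnels will never come up; that is the trade-off between a hardened profile and the permissive defaults linted here.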
Routing Options
Static Routing
You manually configure routes.
Dynamic Routing (BGP)
Uses Border Gateway Protocol to automatically exchange route information.
For the exam:
- BGP is preferred for automatic failover and scalability.
When to Use Site-to-Site VPN
- Secure communication over the internet
- Quick setup
- Lower cost
- Backup connection for Direct Connect
3. AWS Client VPN
What It Is
AWS Client VPN is a managed, client-based VPN that lets individual users connect securely from their own devices to a VPC and to any network reachable from it, including on-premises networks.
It is used for:
- Remote employees
- Secure access to VPC resources
- Connecting from laptops or mobile devices
Security Features
- Uses the OpenVPN protocol (TLS-based), so standard OpenVPN clients work
- Supports mutual authentication (client and server certificates)
- Integrates with:
- Active Directory through AWS Directory Service
- SAML 2.0 identity providers (federated authentication)
- Supports Multi-Factor Authentication (MFA) with Active Directory or SAML authentication
- Authorization rules and security groups on the endpoint restrict which networks a connected user can reach
Exam Tip
Use Client VPN when:
- Individual users need secure remote access.
- Not for connecting entire networks.
4. AWS Direct Connect
What It Is
AWS Direct Connect provides a dedicated private network connection from your data center to AWS.
Unlike VPN:
- Does NOT use the public internet.
- Provides consistent performance.
- Lower latency.
- Higher bandwidth options.
Security Characteristics
Important: Direct Connect by itself is NOT encrypted. It is a private circuit, not an encrypted one.
It provides:
- A private connection that does not traverse the public internet
- Reduced exposure to internet-based attacks
But if encryption is required:
- Use a Site-to-Site VPN over Direct Connect (the IPsec tunnel is built across a public VIF)
- Or use MACsec (Layer 2 encryption, available only on supported dedicated connections)
- Or use application-level encryption (like TLS)
Direct Connect Components
1. Direct Connect Location
Physical facility where connection is established.
2. Virtual Interface (VIF)
Logical connection to:
- Public services
- Private VPC resources
- Transit Gateway
Types of VIFs (Exam Important)
Private VIF
Connects to a VPC through a virtual private gateway or a Direct Connect gateway.
Public VIF
Reaches the public endpoints of AWS services (like S3 or DynamoDB); also the path used for VPN over Direct Connect.
Transit VIF
Connects to Transit Gateway.
High Availability Best Practice
- Use multiple Direct Connect connections
- Use different locations
- Use VPN as backup
5. VPN vs Direct Connect (Exam Comparison)
| Feature | Site-to-Site VPN | Direct Connect |
|---|---|---|
| Uses Internet | Yes | No |
| Encryption | Yes (IPsec) | No (add VPN over Direct Connect, MACsec or TLS) |
| Setup Speed | Fast | Slower |
| Cost | Lower | Higher |
| Performance | Variable | Consistent |
| Best For | Secure quick connection | High bandwidth, stable performance |
Exam scenario tip:
- If question mentions consistent latency and large data transfer, choose Direct Connect.
- If question mentions encrypted over internet, choose VPN.
6. VPN over Direct Connect (Very Important Concept)
Many exam questions combine both services.
Why combine?
- Direct Connect = private, stable path
- VPN = encryption (an IPsec tunnel built across a public VIF)
This gives:
- Private + Encrypted + Reliable connection
Used for:
- Compliance requirements
- Highly secure environments
7. AWS Transit Gateway for Secure Connectivity
AWS Transit Gateway acts as a central hub to connect:
- Multiple VPCs
- VPN connections
- Direct Connect connections
Benefits:
- Simplifies network architecture
- Centralized routing
- Easier security management
Exam scenario:
If many VPCs and on-prem networks need connectivity → Transit Gateway is often the answer.
8. Security Best Practices for External Connectivity
You must know these for the exam:
1. Always Use Encryption
- VPN uses IPsec
- Direct Connect needs VPN over Direct Connect, MACsec on supported dedicated connections, or TLS for encryption
- Use TLS for application-level encryption
2. Use Redundant Connections
- Two VPN tunnels
- Multiple Direct Connect links
- Backup VPN for Direct Connect
3. Use IAM for Access Control
Use:
- IAM roles
- IAM policies
Control who can:
- Create VPNs
- Modify routing
- Attach gateways
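The IAM guardrail for the actions listed above, as an added example that is not from the page: a policy that grants the network-change actions only to MFA-authenticated sessions, plus a toy evaluator that applies IAM's explicit-deny-wins rule so the effect can be checked offline. The action names are the EC2 and Direct Connect IAM actions as the editor recalls them (verify against the Service Authorization Reference); the evaluator supports only Action wildcards and the Bool/BoolIfExists condition on aws:MultiFactorAuthPresent, not full IAM semantics.

```python
"""Deny-unless-MFA guardrail for external-connectivity changes (added example).
Action names are assumed from memory; the evaluator is a toy, not IAM."""
from fnmatch import fnmatchcase

NETWORK_CHANGE_ACTIONS = [
    "ec2:CreateVpnConnection", "ec2:DeleteVpnConnection",
    "ec2:ModifyVpnConnection", "ec2:ModifyVpnTunnelOptions",
    "ec2:AttachVpnGateway", "ec2:DetachVpnGateway",
    "ec2:CreateRoute", "ec2:ReplaceRoute", "ec2:DeleteRoute",
    "ec2:CreateTransitGatewayRoute", "ec2:DeleteTransitGatewayRoute",
    "directconnect:CreatePrivateVirtualInterface",
    "directconnect:CreateTransitVirtualInterface",
    "directconnect:DeleteVirtualInterface",
]

# Read access is unconditional; change actions are allowed, then explicitly
# denied for any session that is not MFA-authenticated. BoolIfExists makes the
# deny apply when the key is absent too (long-term access keys have no MFA).
NETOPS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "directconnect:Describe*"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": NETWORK_CHANGE_ACTIONS, "Resource": "*"},
        {"Effect": "Deny", "Action": NETWORK_CHANGE_ACTIONS, "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}


def _matches(patterns, action):
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(action, p) for p in patterns)


def _condition_holds(cond, ctx):
    """Bool: key must exist and match. BoolIfExists: a missing key counts as true."""
    if not cond:
        return True
    for op, pairs in cond.items():
        for key, want in pairs.items():
            if key not in ctx:
                if op == "BoolIfExists":
                    continue
                return False
            if str(ctx[key]).lower() != str(want).lower():
                return False
    return True


def is_allowed(policy, action, ctx):
    """IAM order: a matching explicit Deny wins, then any Allow, else implicit deny."""
    allowed = False
    for st in policy["Statement"]:
        if not _matches(st["Action"], action):
            continue
        if not _condition_holds(st.get("Condition"), ctx):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

The interesting case is an empty request context, which is what an IAM user's long-term access keys produce: with `Bool` instead of `BoolIfExists` the deny would not match and the change would go through without MFA, which is why the deny uses `BoolIfExists`.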
4. Restrict Network Access
Use:
- Security Groups
- Network ACLs
Control inbound and outbound traffic.
5. Monitor Traffic
Use:
- Amazon CloudWatch
- AWS CloudTrail
- VPC Flow Logs
Monitor:
- Tunnel status (the CloudWatch TunnelState metric for each tunnel, so a single failed tunnel is noticed before the second one fails)
- Configuration changes (CloudTrail records of VPN, route and gateway API calls)
- Suspicious activity (VPC Flow Logs for traffic arriving over the connection)
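The three monitoring items above, as an added example that is not from the page: Python detection logic run over constructed CloudWatch TunnelState samples and constructed CloudTrail records. The metric namespace, name and dimensions (AWS/VPN, TunnelState, VpnId and TunnelIpAddress) and the CloudTrail field names are given from memory and should be checked against the service documentation; the sample data, account ID, ARNs and address ranges are made up for the demonstration.

```python
"""Detection logic for VPN tunnel health and risky API calls (added example,
offline; sample data constructed). Metric and CloudTrail field names assumed."""
import ipaddress
from datetime import datetime, timedelta, timezone

T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

# Constructed 1-minute TunnelState samples (AWS/VPN, dimension TunnelIpAddress)
# for the two tunnels of one VPN connection: 1 = up, 0 = down.
TUNNEL_STATE = {
    "203.0.113.10": [1, 1, 1, 1, 1, 0, 0, 1],
    "203.0.113.20": [1, 1, 1, 0, 0, 0, 0, 0],
}

# Constructed CloudTrail records reduced to the fields the rules use.
CLOUDTRAIL = [
    {"eventTime": "2024-01-01T12:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeVpnConnections", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/netops",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2024-01-01T12:04:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifyVpnTunnelOptions", "sourceIPAddress": "192.0.2.55",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    {"eventTime": "2024-01-01T12:05:10Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ReplaceRoute", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/netops",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
]

SENSITIVE_EVENTS = {
    "ec2.amazonaws.com": {"CreateVpnConnection", "DeleteVpnConnection", "ModifyVpnConnection",
                          "ModifyVpnTunnelOptions", "CreateRoute", "ReplaceRoute", "DeleteRoute",
                          "AttachVpnGateway", "DetachVpnGateway", "CreateCustomerGateway",
                          "DeleteCustomerGateway"},
    "directconnect.amazonaws.com": {"DeleteVirtualInterface", "DeleteConnection",
                                    "CreateDirectConnectGatewayAssociation"},
}
CORP_RANGES = [ipaddress.ip_network("198.51.100.0/24")]   # assumed admin egress range


def _ts(i, sample_minutes):
    return (T0 + timedelta(minutes=i * sample_minutes)).isoformat()


def tunnel_alerts(states, sample_minutes=1, max_down=2):
    """DEGRADED: one tunnel down for max_down consecutive samples (HA lost).
    DOWN: every tunnel down in the same sample (connectivity lost), reported
    once per outage rather than once per sample."""
    alerts = []
    for ip, series in states.items():
        run = 0
        for i, v in enumerate(series):
            run = run + 1 if v == 0 else 0
            if run == max_down:
                alerts.append(("DEGRADED", ip, _ts(i, sample_minutes)))
    prev_all_down = False
    for i in range(min(len(s) for s in states.values())):
        all_down = all(s[i] == 0 for s in states.values())
        if all_down and not prev_all_down:
            alerts.append(("DOWN", "all-tunnels", _ts(i, sample_minutes)))
        prev_all_down = all_down
    return alerts


def cloudtrail_alerts(records):
    """Flag connectivity-changing calls, and escalate when the session lacked
    MFA or the call came from outside the expected admin address range."""
    alerts = []
    for r in records:
        if r["eventName"] not in SENSITIVE_EVENTS.get(r["eventSource"], set()):
            continue
        reasons = ["config-change"]
        attrs = r["userIdentity"].get("sessionContext", {}).get("attributes", {})
        if attrs.get("mfaAuthenticated") != "true":
            reasons.append("no-mfa")
        src = ipaddress.ip_address(r["sourceIPAddress"])
        if not any(src in net for net in CORP_RANGES):
            reasons.append("unexpected-source")
        alerts.append((r["eventName"], r["userIdentity"].get("arn", "?"), reasons))
    return alerts
```

In production the series would come from GetMetricData (60-second period, Minimum statistic) and the records from CloudTrail Lake or an EventBridge rule, and the same functions fit inside a Lambda function. The DEGRADED finding is the one that matters for availability: with two tunnels a single failure is invisible to applications, which is exactly why it has to alarm before the second tunnel goes.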
6. Use Least Privilege
Only allow required IP ranges and ports.
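The network-restriction practices above (security groups, and least privilege on IP ranges and ports) as one added example that is not from the page: a Python audit of the ingress rules of a security group that faces the on-premises connection. The rule dictionaries imitate the IpPermissions shape returned by EC2 DescribeSecurityGroups (reproduced from memory, so an assumption); the on-prem prefixes and the rules themselves are constructed for the demonstration.

```python
"""Audit security-group ingress against declared on-prem prefixes (added example).
Rule shape assumed to match EC2 IpPermissions; sample rules are constructed."""
import ipaddress

# Assumed on-prem address space advertised over the VPN / Direct Connect.
ONPREM_PREFIXES = [ipaddress.ip_network(p) for p in ("10.10.0.0/16", "10.20.0.0/16")]
ADMIN_PORTS = {22, 3389, 5985, 5986}   # SSH, RDP, WinRM

RULES = [   # constructed ingress rules for a database tier
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "10.10.5.0/24", "Description": "on-prem app servers"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "temporary, never removed"}]},
    {"IpProtocol": "-1",
     "IpRanges": [{"CidrIp": "10.0.0.0/8", "Description": "everything corporate"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "10.20.7.5/32", "Description": "jump host"}]},
]


def audit_ingress(rules, onprem=ONPREM_PREFIXES):
    """Return (severity, rule, reason) findings. An empty list means every IPv4
    source lies inside the declared on-prem prefixes and is scoped to its ports."""
    findings = []
    for rule in rules:
        proto = rule["IpProtocol"]
        lo, hi = rule.get("FromPort"), rule.get("ToPort")
        for entry in rule.get("IpRanges", []):          # IPv4 sources only
            net = ipaddress.ip_network(entry["CidrIp"])
            label = ("all traffic from %s" % net if proto == "-1"
                     else "%s %s-%s from %s" % (proto, lo, hi, net))
            if net.prefixlen == 0:
                findings.append(("CRITICAL", label, "open to the whole internet"))
                continue
            if not any(net.subnet_of(p) for p in onprem):
                findings.append(("HIGH", label, "source outside declared on-prem prefixes"))
            if proto == "-1":
                findings.append(("HIGH", label, "all protocols and ports"))
                continue
            if hi - lo >= 1000:
                findings.append(("MEDIUM", label, "wide port range"))
            if lo in ADMIN_PORTS and net.prefixlen < 32:
                findings.append(("MEDIUM", label, "admin port reachable from more than one host"))
    return findings
```

The same check applies to network ACL entries, which add an explicit rule order and a deny action but carry the same CIDR and port fields. Note that a security group that only references the on-prem prefixes is still only as trustworthy as the routes that deliver those prefixes, which is why route changes are in the monitoring list above.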
9. Common Exam Scenarios
You may see questions like:
Scenario 1:
Company needs encrypted connection over internet →
Answer: Site-to-Site VPN
Scenario 2:
Company needs high bandwidth, consistent latency →
Answer: Direct Connect
Scenario 3:
Company needs encrypted + private dedicated line →
Answer: VPN over Direct Connect
Scenario 4:
Remote employees need secure access →
Answer: Client VPN
Scenario 5:
Many VPCs and on-premises need centralized connectivity →
Answer: Transit Gateway
10. Important Security Concepts to Remember
For SAA-C03 exam:
- VPN = encrypted internet connection
- Direct Connect = private dedicated connection
- Direct Connect is NOT encrypted by default
- Always design for high availability
- Use BGP for automatic failover
- Use Transit Gateway for scalability
- Combine services when needed
- Monitor and log all connections
Final Exam Strategy
For every question:
- Identify performance requirement
- Identify encryption requirement
- Identify availability requirement
- Identify scale (single VPC or many VPCs)
- Choose correct AWS service
If you understand:
- How VPN works
- How Direct Connect works
- When to combine them
- How to secure them
You will be fully prepared for this section of the SAA-C03 exam.
