Hybrid Connectivity Architectures
Explore hybrid connectivity architectures combining AWS Direct Connect, Site-to-Site VPN, and Transit Gateway. Understand how to design secure, highly available, and scalable networks that integrate on-premises data centers with AWS. This lesson covers routing, failover mechanisms, redundancy, and real-world deployment strategies to prepare you for advanced network design challenges in AWS environments.
Most enterprises operate in a state of architectural duality. Production databases remain on-premises, latency-sensitive applications run in colocation facilities, and new workloads launch natively in AWS. The SAP-C02 exam tests our ability to unify these environments into a single, resilient network fabric. This lesson dissects the connectivity services, routing architectures, and failover mechanisms that form the backbone of enterprise hybrid design, equipping you to evaluate trade-offs and select patterns that satisfy availability, security, and cost requirements at scale.
Why hybrid connectivity matters
Large organizations rarely execute a full cloud migration in a single phase. Regulatory constraints, data gravity, and legacy application dependencies mean that hybrid architectures persist for years, sometimes indefinitely. The architectural challenge is not simply “connecting” an on-premises data center to a VPC. It is building a network topology where hundreds of VPCs across multiple accounts and Regions communicate transitively with multiple physical sites, all while maintaining predictable latency, encryption boundaries, and automated failover.
AWS provides two primary transport services for this purpose:
AWS Direct Connect: Delivers dedicated, private fiber connectivity between on-premises environments and AWS.
AWS Site-to-Site VPN: Establishes encrypted IPsec tunnels over the public internet.
Direct Connect excels at sustained, high-bandwidth workloads. VPN excels at rapid deployment and encryption without additional hardware. AWS Transit Gateway then acts as the centralized routing hub, enabling
Attention: The SAP-C02 exam frequently uses Route 53 and Global Accelerator as distractors in hybrid connectivity questions. These services optimize client-to-AWS ingress traffic but do not replace private hybrid transport between data centers and AWS. Selecting them as a substitute for Direct Connect or VPN is a common trap.
The architectural problem is how to choose, combine, and make these services highly available. The following comparison establishes the foundational trade-offs.
AWS Direct Connect vs. AWS Site-to-Site VPN Comparison
Dimension | AWS Direct Connect | AWS Site-to-Site VPN |
Latency | Predictable, low-latency via dedicated private connections | Variable, internet-dependent performance |
Bandwidth | 50 Mbps to 100 Gbps dedicated connections | Up to 1.25 Gbps per tunnel; limited by internet throughput |
Encryption | Not encrypted by default; MACsec available on 10/100 Gbps | IPsec encrypted by default |
Cost Model | Port-hour charges + data transfer fees | Per-tunnel-hour + data transfer charges |
Deployment Time | Several weeks (physical cross-connect provisioning) | Minutes (rapid console setup) |
Reliability | Dedicated fiber; single point of failure without redundancy | Internet path diversity; variable quality |
Typical Use Case | Production workloads requiring consistent, high performance | Backup connectivity or rapid deployment scenarios |
SAP-C02 Exam Guidance | Recommended as primary connection | Recommended as encrypted backup |
With these trade-offs established, the next section examines the architectural details that drive selection between Direct Connect and VPN.
Direct Connect and VPN trade-offs
While the high-level trade-offs dictate the overall hybrid strategy, successfully deploying these services requires a deep understanding of their underlying physical and virtual components.
Direct Connect architecture and VIFs
A Direct Connect architecture starts with a physical connection between the customer ...