AWS Scenarios

Hybrid Network Connectivity To AWS

Design hybrid connectivity using Transit Gateway, Direct Connect, Site-to-Site VPN, route tables, DNS forwarding, network segmentation, monitoring, and SAA-C03 decision traps.

Intermediate | 6 min read | Updated 2026-06-03 | Cloud, Certification, Networking, Reliability, Security

Topics: Transit Gateway, Direct Connect, Site-to-Site VPN, VPC Attachment, Transit Gateway Route Table, BGP, Route 53 Resolver, Network Segmentation

After this, you will understand

This scenario teaches learners to separate connectivity, routing, segmentation, DNS, and inspection instead of treating hybrid networking as one giant pipe.

Plain version

Use VPN for encrypted internet-based connectivity, Direct Connect for private dedicated connectivity, and Transit Gateway as a hub for many VPCs and on-premises networks.

Decision pressure

Learners build many point-to-point connections, overlap CIDR ranges, or forget route tables, DNS, and failover.

Exam-ready model

Centralize routing with Transit Gateway where scale demands it, choose VPN or Direct Connect based on requirements, keep CIDRs non-overlapping, and design DNS and monitoring deliberately.

Think before reading: What is the core Transit Gateway mental model?

It is a regional network transit hub that connects VPCs and on-premises networks through attachments and route tables.



Concepts Covered

  • Hybrid network design
  • Transit Gateway hub-and-spoke routing
  • Direct Connect dedicated connectivity
  • Site-to-Site VPN encrypted tunnels
  • VPC attachments and route tables
  • BGP and route propagation
  • DNS forwarding with Route 53 Resolver
  • Network segmentation and inspection
  • Cost and resilience controls
  • SAA-C03 networking traps

1. Situation

A company runs workloads in several AWS VPCs and still has applications in a data center. The VPCs need to communicate with each other and with on-premises systems. Some traffic is production, some is development, and some must pass through inspection.

The network must be reliable, secure, and understandable. The team wants to avoid a tangle of point-to-point peering and one-off VPNs.

The central design question is: how do many networks route to each other without losing control?

For SAA-C03, the answer often involves Transit Gateway, Site-to-Site VPN, Direct Connect, and route table design.

2. Naive Design

The naive design connects every VPC to every other VPC:

VPC A <-> VPC B
VPC A <-> VPC C
VPC B <-> VPC C
on-prem -> separate VPNs everywhere

This becomes unmanageable as accounts and VPCs grow.

Another naive design creates a VPN to one VPC and routes everything through instances in that VPC. That can create bottlenecks, failure points, and unclear ownership.

A third mistake is planning connectivity after CIDR ranges are already overlapping. Overlapping IP space can make routing impossible without NAT or redesign.

3. What Breaks

Point-to-point networks do not scale operationally. Every new VPC adds more routes, security decisions, DNS questions, and failure paths.

Overlapping CIDRs break simple routing. The network cannot know which destination owns the same address range.

DNS breaks when on-premises clients need to resolve private AWS names or AWS workloads need to resolve internal corporate names.

Security breaks when every network can reach every other network. Hybrid connectivity should not mean universal trust.

Reliability breaks when one tunnel, one router, one NAT instance, or one appliance becomes the hidden dependency.

4. AWS Architecture

Use AWS Transit Gateway as the regional hub when many VPCs and on-premises networks must connect.

Attach VPCs to the transit gateway. Attach Site-to-Site VPN or Direct Connect through appropriate gateway constructs depending on the design.

Use Transit Gateway route tables to segment traffic. Production, shared services, inspection, and development can have different routing domains.

Use Site-to-Site VPN for encrypted connectivity over the internet. Each VPN connection includes two tunnels for high availability.

Use Direct Connect for private, dedicated connectivity when traffic volume, predictability, compliance, or latency requirements justify it.

Use Route 53 Resolver endpoints for DNS forwarding between AWS and on-premises.

Use Network Firewall or inspection VPC patterns where traffic inspection is required.

5. Request Or Data Flow

An EC2 instance in a private subnet sends traffic to an on-premises service.

The VPC route table sends the destination CIDR to the Transit Gateway attachment.

The Transit Gateway route table chooses the next attachment: VPN, Direct Connect, another VPC, or inspection path.

The packet travels through the chosen hybrid connection. Return traffic must have a matching route back to the source VPC CIDR.

For DNS, a workload may query a Route 53 Resolver endpoint, which forwards selected domains to on-premises DNS servers. On-premises resolvers can forward AWS private zones to inbound Resolver endpoints.
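The rule selection behind that DNS flow, as an added example (not code from the page or from AWS): a Python model of Route 53 Resolver forwarding rules, where the most specific matching domain wins, applied once to the outbound side (VPC queries forwarded to on-premises DNS, with an AWS private zone carved out) and once to the on-premises conditional forwarders that send AWS names to inbound endpoint IPs. The domain names, rule sets and IP addresses are constructed for the example.

```python
"""Pick the Route 53 Resolver rule (or on-premises forwarder) that handles a query."""
from typing import Dict, List, Optional

# Constructed outbound-side rules, attached to the workload VPC (hypothetical values).
RESOLVER_RULES = [
    # Corporate names go to on-premises DNS through the outbound endpoint.
    {"domain": "corp.example.", "type": "FORWARD", "targets": ["192.168.1.53", "192.168.2.53"]},
    # Carve-out: the AWS private zone stays with Resolver itself, not on-premises DNS.
    {"domain": "aws.corp.example.", "type": "SYSTEM", "targets": []},
    # Default: everything else is resolved normally (the autodefined root rule).
    {"domain": ".", "type": "RECURSIVE", "targets": []},
]

# Constructed conditional forwarders on the corporate DNS servers: AWS names are
# sent to the two inbound endpoint IPs (hypothetical addresses).
ONPREM_FORWARDERS = [
    {"domain": "aws.corp.example.", "type": "FORWARD", "targets": ["10.30.0.10", "10.30.1.10"]},
    {"domain": ".", "type": "RECURSIVE", "targets": []},
]


def _norm(name: str) -> str:
    """Lower-case and strip the trailing dot so 'corp.example.' equals 'corp.example'."""
    return name.lower().rstrip(".")


def match_rule(qname: str, rules: List[Dict]) -> Optional[Dict]:
    """Return the rule whose domain is the most specific suffix of qname.

    A rule for 'corp.example' covers corp.example and every name under it; the
    root rule '.' (empty after normalisation) matches everything, so it only wins
    when no longer domain matches.
    """
    q = _norm(qname)
    best = None
    for rule in rules:
        d = _norm(rule["domain"])
        if d == "" or q == d or q.endswith("." + d):
            if best is None or len(d) > len(_norm(best["domain"])):
                best = rule
    return best


def forward_targets(qname: str, rules: List[Dict]) -> List[str]:
    """IPs the query is forwarded to, or [] when it stays with the local resolver."""
    rule = match_rule(qname, rules)
    return list(rule["targets"]) if rule and rule["type"] == "FORWARD" else []


if __name__ == "__main__":
    for name in ("db.corp.example", "api.aws.corp.example", "www.example.com"):
        print("VPC side:", name, "->", match_rule(name, RESOLVER_RULES)["type"],
              forward_targets(name, RESOLVER_RULES))
    print("on-prem side: api.aws.corp.example ->",
          forward_targets("api.aws.corp.example", ONPREM_FORWARDERS))
```

The carve-out rule is the detail worth checking in a real deployment: without the more specific SYSTEM rule for the AWS zone, the broader FORWARD rule would send those queries to on-premises DNS, which then has to forward them straight back to the inbound endpoint.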

Monitoring uses CloudWatch metrics, VPN tunnel state, Direct Connect metrics, VPC Flow Logs, and firewall logs where configured.

6. Security Controls

Treat routing as security-sensitive. A route table can create broad reachability.

Use security groups and NACLs inside VPCs. Transit Gateway routing does not replace workload-level network controls.

Segment attachments with separate Transit Gateway route tables where environments should not freely communicate.

Use encryption. Site-to-Site VPN uses IPsec. Direct Connect is private connectivity, and additional encryption can be layered when requirements call for it.

Use Network Firewall, firewall appliances, or centralized inspection only when the traffic path and failure behavior are well understood.

Log and monitor changes to routes, attachments, VPNs, Direct Connect resources, and DNS forwarding rules.

7. Resilience Controls

Use both VPN tunnels and configure customer gateway devices for failover.

For stronger hybrid resilience, use redundant customer devices, redundant connections, and diverse locations where the business requires it.

Direct Connect can be paired with VPN as backup, or multiple Direct Connect connections can be used for higher resilience.

Transit Gateway is managed, but route table mistakes can still cause outages. Use change management and staged rollout.

Avoid single inspection appliances without scaling and failover.

Test failover. A backup tunnel that never carries traffic may not work when needed.
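One way to turn the two-tunnel and "test failover" guidance above into a check, as an added example (not code from the page or from AWS): a Python function that evaluates per-tunnel samples shaped like the CloudWatch VPN metrics TunnelState (1 up, 0 down), TunnelDataIn and TunnelDataOut, and flags connections with both tunnels down, a single tunnel up, or a standby tunnel that is up but has carried no traffic in the window. The connection IDs, byte counts and severity labels are constructed for the example.

```python
"""Assess Site-to-Site VPN tunnel health from CloudWatch-style metric samples."""
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (connection id, severity, message)

# Constructed samples (IDs and byte counts invented); TunnelState 1 = up, 0 = down,
# TunnelDataIn/TunnelDataOut = bytes over the evaluation window.
SAMPLES = {
    "vpn-0aaa": {  # both up, but tunnel-2 has never carried a byte
        "tunnel-1": {"TunnelState": 1, "TunnelDataIn": 4_200_000, "TunnelDataOut": 3_900_000},
        "tunnel-2": {"TunnelState": 1, "TunnelDataIn": 0, "TunnelDataOut": 0},
    },
    "vpn-0bbb": {  # running on a single tunnel
        "tunnel-1": {"TunnelState": 1, "TunnelDataIn": 900_000, "TunnelDataOut": 850_000},
        "tunnel-2": {"TunnelState": 0, "TunnelDataIn": 0, "TunnelDataOut": 0},
    },
    "vpn-0ccc": {  # hybrid path lost
        "tunnel-1": {"TunnelState": 0, "TunnelDataIn": 0, "TunnelDataOut": 0},
        "tunnel-2": {"TunnelState": 0, "TunnelDataIn": 0, "TunnelDataOut": 0},
    },
}


def assess_connection(conn_id: str, tunnels: Dict[str, Dict[str, int]]) -> List[Finding]:
    """Return findings for one VPN connection; an empty list means healthy."""
    up = [t for t, m in tunnels.items() if m["TunnelState"] == 1]
    findings: List[Finding] = []
    if not up:
        findings.append((conn_id, "CRITICAL", "all tunnels down; hybrid path lost"))
        return findings
    if len(up) < len(tunnels):
        down = ", ".join(sorted(set(tunnels) - set(up)))
        findings.append((conn_id, "HIGH", f"only {len(up)} of {len(tunnels)} tunnels up ({down} down)"))
    # An up tunnel with zero traffic is a failover path that has never been exercised.
    for t in up:
        if tunnels[t]["TunnelDataIn"] == 0 and tunnels[t]["TunnelDataOut"] == 0:
            findings.append((conn_id, "MEDIUM", f"{t} is up but carried no traffic; failover untested"))
    return findings


def assess_all(samples: Dict[str, Dict[str, Dict[str, int]]]) -> Dict[str, List[Finding]]:
    """Assess every connection in a sample set."""
    return {conn_id: assess_connection(conn_id, tunnels) for conn_id, tunnels in samples.items()}


if __name__ == "__main__":
    for conn_id, findings in assess_all(SAMPLES).items():
        print(conn_id, findings or "healthy")
```

In practice the samples would come from the VPN connection's CloudWatch metrics over a window long enough to cover a scheduled failover test; the MEDIUM finding is the one that catches a backup tunnel that is nominally up but has never been proven to carry traffic.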

8. Performance Controls

VPN performance depends on tunnel limits, customer gateway device capacity, internet path, encryption overhead, and routing.

Direct Connect provides more predictable private connectivity and higher bandwidth options, but it has provisioning and provider dependencies.

Transit Gateway charges and performance depend on attachments and processed traffic. Avoid unnecessary hairpinning through inspection or shared services when not required.

Route symmetry matters for stateful appliances. If traffic enters one inspection path and returns another way, connections can fail.

DNS latency and forwarding behavior can affect application startup and request paths.

9. Cost Controls

Transit Gateway costs include attachment hours and data processing.

VPN costs include connection hours and data transfer. Accelerated VPN adds Global Accelerator-related cost.

Direct Connect costs include port hours and data transfer out, plus provider or colocation costs.

Centralized inspection can add firewall endpoint cost, appliance cost, and extra data processing.

Do not route S3 or DynamoDB traffic through on-premises or NAT paths unnecessarily. VPC endpoints can reduce cost and improve private access patterns.

Use Cost Explorer and CUR/Data Exports to identify data transfer surprises.

10. Exam Variants

"Connect many VPCs and on-premises networks through a hub" points to Transit Gateway.

"Dedicated private connection from data center to AWS" points to Direct Connect.

"Encrypted connection over the internet" points to Site-to-Site VPN.

"Temporary or fast setup hybrid path" often points to VPN.

"Predictable high-throughput hybrid connectivity" often points to Direct Connect.

"Resolve private DNS across on-premises and VPCs" points to Route 53 Resolver endpoints and rules.

11. Common Traps

Do not use VPC peering as a large transitive routing hub.

Do not forget non-overlapping CIDRs.

Do not assume Direct Connect is encrypted end to end by default in the same way as VPN.

Do not rely on one VPN tunnel or one customer gateway device for high availability.

Do not forget return routes.

Do not confuse connectivity with authorization. Network reachability does not mean the application should allow access.
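The packet flow in section 5, the route table segmentation in section 6, and the overlapping-CIDR and return-route traps above can be checked mechanically. The following Python model is an added example (not code from the page or from AWS): it represents VPC route tables and Transit Gateway route tables as prefix lists, resolves each hop by longest-prefix match in the order section 5 describes (VPC route table first, then the Transit Gateway route table associated with the source attachment), and reports whether the return path also resolves. The VPC names, CIDRs, attachment names and route entries are constructed for the example.

```python
"""Trace hybrid traffic through VPC and Transit Gateway route tables."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, str]  # (destination CIDR, target)

# Constructed topology (hypothetical CIDRs): three VPCs plus an on-premises range
# reached over a Site-to-Site VPN attachment.
VPCS = {
    "vpc-prod": ip_network("10.10.0.0/16"),
    "vpc-dev": ip_network("10.20.0.0/16"),
    "vpc-shared": ip_network("10.30.0.0/16"),
}
ATTACHMENT_CIDR = {**VPCS, "vpn-onprem": ip_network("192.168.0.0/16")}

# VPC subnet route tables: "local" is the VPC's own range, "tgw" the TGW attachment.
VPC_ROUTE_TABLES: Dict[str, List[Route]] = {
    "vpc-prod": [("10.10.0.0/16", "local"), ("10.0.0.0/8", "tgw"), ("192.168.0.0/16", "tgw")],
    "vpc-dev": [("10.20.0.0/16", "local"), ("10.30.0.0/16", "tgw")],
    "vpc-shared": [("10.30.0.0/16", "local"), ("10.0.0.0/8", "tgw"), ("192.168.0.0/16", "tgw")],
}

# Segmentation: each attachment is associated with one TGW route table (routing domain).
ASSOCIATION = {"vpc-prod": "rt-prod", "vpc-dev": "rt-dev", "vpc-shared": "rt-shared", "vpn-onprem": "rt-prod"}

# TGW route tables: destination CIDR -> next attachment. Dev can reach shared
# services only; production and on-premises share a domain; shared sees everyone.
TGW_ROUTE_TABLES: Dict[str, List[Route]] = {
    "rt-prod": [("10.10.0.0/16", "vpc-prod"), ("10.30.0.0/16", "vpc-shared"), ("192.168.0.0/16", "vpn-onprem")],
    "rt-dev": [("10.20.0.0/16", "vpc-dev"), ("10.30.0.0/16", "vpc-shared")],
    "rt-shared": [("10.10.0.0/16", "vpc-prod"), ("10.20.0.0/16", "vpc-dev"),
                  ("10.30.0.0/16", "vpc-shared"), ("192.168.0.0/16", "vpn-onprem")],
}


def attachment_for(ip, attachments=ATTACHMENT_CIDR) -> Optional[str]:
    """Name of the attachment (VPC or VPN) whose CIDR contains ip, or None."""
    return next((name for name, cidr in attachments.items() if ip in cidr), None)


def longest_prefix(routes: List[Route], ip) -> Optional[str]:
    """Longest-prefix match over (cidr, target) pairs; None when no route matches."""
    best = None
    for cidr, target in routes:
        net = ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def trace(src: str, dst: str, vpc_rts=VPC_ROUTE_TABLES, tgw_rts=TGW_ROUTE_TABLES,
          assoc=ASSOCIATION, attachments=ATTACHMENT_CIDR) -> Optional[List[str]]:
    """Hops from src to dst, or None if some table has no route (packet dropped)."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    src_att, dst_att = attachment_for(src_ip, attachments), attachment_for(dst_ip, attachments)
    if src_att is None or dst_att is None:
        return None
    hops = [src_att]
    if src_att in vpc_rts:  # VPC source: the subnet route table decides first
        target = longest_prefix(vpc_rts[src_att], dst_ip)
        if target == "local":
            return hops if dst_att == src_att else None
        if target != "tgw":
            return None
    # On-premises sources are assumed to reach the TGW over the VPN attachment.
    hops.append("tgw:" + assoc[src_att])
    next_att = longest_prefix(tgw_rts[assoc[src_att]], dst_ip)
    if next_att != dst_att:
        return None
    hops.append(next_att)
    return hops


def bidirectional(src: str, dst: str, **tables) -> bool:
    """True only if both the forward path and the return path resolve."""
    return trace(src, dst, **tables) is not None and trace(dst, src, **tables) is not None


def find_overlaps(cidrs: Dict[str, str]) -> List[Tuple[str, str]]:
    """Pairs of names whose CIDRs overlap; hybrid routing needs this list to be empty."""
    nets = [(name, ip_network(c)) for name, c in cidrs.items()]
    return [(a, b) for i, (a, na) in enumerate(nets) for b, nb in nets[i + 1:] if na.overlaps(nb)]


if __name__ == "__main__":
    for src, dst in [("10.10.1.5", "192.168.4.20"), ("10.20.1.5", "192.168.4.20"), ("10.20.1.5", "10.30.2.2")]:
        print(src, "->", dst, trace(src, dst), "| return path ok:", bidirectional(src, dst))
    print("overlaps:", find_overlaps({n: str(c) for n, c in ATTACHMENT_CIDR.items()}))
```

Running `bidirectional` over every source and destination pair you expect to communicate is the "return routes" check from the traps list; `find_overlaps` is the CIDR check, and the dev-to-production trace returning None shows the segmentation from section 6 working as intended rather than as an accident.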

Review AWS Transit Gateway, AWS Direct Connect, AWS Site-to-Site VPN, and VPC Networking Model.

