AWS VPN Connection utilizes IPSec to establish encrypted network connectivity between the intranet and VPC over the Internet.
AWS Direct Connect provides dedicated, private network connections between the intranet and VPC.
Setup time
VPN Connections can be configured in minutes and are a good solution for immediate needs, have low to modest bandwidth requirements, and can tolerate the inherent variability in Internet-based connectivity.
Direct Connect can take anywhere from 4 to 12 weeks
Routing
VPN traffic is still routed through the Internet.
Direct Connect does not involve the Internet; instead, it uses dedicated, private network connections between the intranet and VPC. The network traffic remains on the AWS global network and never touches the public internet. This reduces the chance of hitting bottlenecks or unexpected increases in latency
Cost
VPN connections are very cheap ($37.20/month as of now)
Direct Connect connections require physical hardware and infrastructure, so the cost can run into thousands.
Encryption in Transit
VPN connections encrypt the data in transit.
Direct Connect data transfer can now be encrypted using MACsec; however, MACsec comes with limitations in terms of supported speeds and locations.
Direct Connect vs VPN Comparison
AWS Direct Connect + VPN
AWS Direct Connect + VPN combines the benefits of the end-to-end secure IPSec connection with low latency and increased bandwidth of the AWS Direct Connect to provide a more consistent network experience than internet-based VPN connections.
AWS Direct Connect public VIF establishes a dedicated network connection between the on-premises network and public AWS resources, such as an Amazon virtual private gateway IPsec endpoint.
A BGP connection is established between the AWS Direct Connect and your router on the public VIF.
Another BGP session or a static route is established between the virtual private gateway and your router over the IPsec VPN tunnel.
Direct Connect + VPN as Backup
VPN can be selected to provide a quick and cost-effective backup hybrid network connection to an AWS Direct Connect connection. However, it provides a lower level of reliability and non-deterministic performance over the Internet.
Be sure that you use the same virtual private gateway for both Direct Connect and the VPN connection to the VPC.
If you are configuring a Border Gateway Protocol (BGP) VPN, advertise the same prefix for Direct Connect and the VPN.
If you are configuring a static VPN, add the same static prefixes to the VPN connection that you are announcing with the Direct Connect virtual interface.
If you are advertising the same routes toward the AWS VPC, the Direct Connect path is always preferred, regardless of AS path prepending.
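The route preference described above, as an added example (not AWS code or the page author's own): a constructed model of a virtual private gateway that learns the same prefixes over Direct Connect and VPN, applying longest prefix match first and then preferring the Direct Connect path regardless of AS path prepending, plus a check that every prefix announced on the Direct Connect VIF also has a VPN backup.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model (not AWS code) of the route preference this page describes for a
# virtual private gateway that learns the same prefixes over Direct Connect and VPN:
# the most specific prefix wins first; for an identical prefix the Direct Connect
# path is preferred regardless of AS path prepending on the VPN session.


@dataclass(frozen=True)
class Route:
    prefix: str        # destination prefix, e.g. "10.0.0.0/16"
    source: str        # "direct_connect" or "vpn"
    as_path_len: int   # BGP AS_PATH length; prepending inflates this value


SOURCE_RANK = {"direct_connect": 0, "vpn": 1}  # lower rank is preferred


def select_route(routes, destination):
    """Return the Route the gateway would use for `destination`, or None."""
    dest = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dest in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    return min(
        candidates,
        key=lambda r: (
            -ipaddress.ip_network(r.prefix).prefixlen,  # 1. longest prefix match
            SOURCE_RANK[r.source],                      # 2. Direct Connect over VPN
            r.as_path_len,                              # 3. shortest AS path as tie-break
        ),
    )


def missing_backup_prefixes(dx_prefixes, vpn_prefixes):
    """Prefixes announced on the Direct Connect VIF but not on the VPN: these would
    lose all connectivity if the Direct Connect path fails."""
    return sorted(set(dx_prefixes) - set(vpn_prefixes))


if __name__ == "__main__":
    # Constructed sample: the same /16 learned on both paths, VPN AS path kept short
    # and the Direct Connect path prepended; Direct Connect is still chosen.
    table = [
        Route("10.0.0.0/16", "direct_connect", as_path_len=4),
        Route("10.0.0.0/16", "vpn", as_path_len=1),
    ]
    print(select_route(table, "10.0.1.5").source)      # direct_connect
    # Direct Connect withdrawn (link down): the VPN route takes over
    print(select_route(table[1:], "10.0.1.5").source)  # vpn
    print(missing_backup_prefixes(["10.0.0.0/16", "10.1.0.0/16"], ["10.0.0.0/16"]))  # ['10.1.0.0/16']
```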
AWS Certification Exam Practice Questions
Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed, the question might not be updated.
Open to further feedback, discussion and correction.
You work as an AWS Architect for a company that has an on-premise data center. They want to connect their on-premise infra to the AWS Cloud. Note that this connection must have the maximum throughput and be dedicated to the company. How can this be achieved?
Use AWS Express Route
Use AWS Direct Connect
Use AWS VPC Peering
Use AWS VPN
A company wants to set up a hybrid connection between their AWS VPC and their on-premise network. They need to have high bandwidth and less latency because they need to transfer their current database workloads to AWS. Which of the following would you use for this purpose?
AWS Managed software VPN
AWS Managed hardware VPN
AWS Direct Connect
AWS VPC Peering
An organization has established an Internet-based VPN connection between their on-premises data center and AWS. They are considering migrating from VPN to AWS Direct Connect. Which operational concern should drive an organization to consider switching from an Internet-based VPN connection to AWS Direct Connect?
AWS Direct Connect provides greater redundancy than an Internet-based VPN connection.
AWS Direct Connect provides greater resiliency than an Internet-based VPN connection.
AWS Direct Connect provides greater bandwidth than an Internet-based VPN connection.
AWS Direct Connect provides greater control of network provider selection than an Internet-based VPN connection.
AWS provides a suite of data transfer services that includes many methods to migrate your data more effectively.
Data Transfer services work both Online and Offline and the usage depends on several factors like the amount of data, the time required, frequency, available bandwidth, and cost.
Online data transfer and hybrid cloud storage
Use a network link to the VPC to transfer data to AWS, or use S3 for hybrid cloud storage with existing on-premises applications.
helps both to lift and shift large datasets once, and to integrate existing process flows like backup and recovery or continuous data streams directly with cloud storage.
Offline data migration to S3.
uses shippable, ruggedized devices, which are ideal for moving large archives or data lakes, or for situations where bandwidth and data volumes cannot pass over your networks within the desired time frame.
Online data transfer
VPN
connect securely between data centers and AWS
quick to set up and cost-efficient
ideal for small data transfers and connectivity
not reliable as still uses shared Internet connection
Direct Connect
provides a dedicated physical connection to accelerate network transfers between data centers and AWS
provides reliable data transfer
ideal for regular large data transfer
needs time to setup
is not a cost-efficient solution
can be secured using VPN over Direct Connect
AWS S3 Transfer Acceleration
makes public Internet transfers to S3 faster.
helps maximize the available bandwidth regardless of distance or varying Internet weather, and there are no special clients or proprietary network protocols. Simply change the endpoint you use with your S3 bucket and acceleration is automatically applied.
ideal for recurring jobs that travel across the globe, such as media uploads, backups, and local data processing tasks that are regularly sent to a central location
AWS DataSync
automates moving data between on-premises storage and S3 or Elastic File System (Amazon EFS).
automatically handles many of the tasks related to data transfers that can slow down migrations or burden the IT operations, including running your own instances, handling encryption, managing scripts, network optimization, and data integrity validation.
helps transfer data at speeds up to 10 times faster than open-source tools.
uses AWS Direct Connect or internet links to AWS and is ideal for one-time data migrations, recurring data processing workflows, and automated replication for data protection and recovery.
Offline data transfer
AWS Snowcone
AWS Snowcone is a portable, rugged, and secure device that provides edge computing and data transfer.
Snowcone can be used to collect, process, and move data to AWS, either offline by shipping the device or online with AWS DataSync.
AWS Snowcone stores data securely in edge locations, and can run edge computing workloads that use AWS IoT Greengrass or EC2 instances.
Snowcone devices are small and weigh 4.5 lbs. (2.1 kg), so you can carry one in a backpack or fit it in tight spaces for IoT, vehicular, or even drone use cases.
AWS Snowball
AWS Snowball is a data migration and edge computing device that comes in two device options:
Compute Optimized
Snowball Edge Compute Optimized devices provide 52 vCPUs, 42 terabytes of usable block or object storage, and an optional GPU for use cases such as advanced machine learning and full-motion video analysis in disconnected environments.
Storage Optimized.
Snowball Edge Storage Optimized devices provide 40 vCPUs of compute capacity coupled with 80 terabytes of usable block or S3-compatible object storage.
It is well-suited for local storage and large-scale data transfer.
Customers can use these two options for data collection, machine learning and processing, and storage in environments with intermittent connectivity (such as manufacturing, industrial, and transportation) or in extremely remote locations (such as military or maritime operations) before shipping it back to AWS.
Snowball devices may also be rack mounted and clustered together to build larger, temporary installations.
AWS Snowball Edge
is a petabyte- to exabyte-scale data transfer device with on-board storage and compute capabilities
move large amounts of data into and out of AWS, as a temporary storage tier for large local datasets, or to support local workloads in remote or offline locations.
ideal for one time large data transfers with limited network bandwidth, long transfer times, and security concerns
is simple, fast, and secure.
can be very cost and time efficient for large data transfer
AWS Snowmobile
AWS Snowmobile moves up to 100 PB of data in a 45-foot long ruggedized shipping container and is ideal for multi-petabyte or Exabyte-scale digital media migrations and data center shutdowns.
A Snowmobile arrives at the customer site and appears as a network-attached data store for more secure, high-speed data transfer.
After data is transferred to Snowmobile, it is driven back to an AWS Region where the data is loaded into S3.
Snowmobile is tamper-resistant, waterproof, and temperature controlled with multiple layers of logical and physical security – including encryption, fire suppression, dedicated security personnel, GPS tracking, alarm monitoring, 24/7 video surveillance, and an escort security vehicle during transit.
Data Transfer Chart – Bandwidth vs Time
AWS Certification Exam Practice Questions
An organization is moving non-business-critical applications to AWS while maintaining a mission critical application in an on-premises data center. An on-premises application must share limited confidential information with the applications in AWS. The Internet performance is unpredictable. Which configuration will ensure continued connectivity between sites MOST securely?
VPN and a cached storage gateway
AWS Snowball Edge
VPN Gateway over AWS Direct Connect
AWS Direct Connect
A company wants to transfer petabyte-scale data to AWS for their analytics; however, they are constrained by their internet connectivity. Which AWS service can help them transfer the data quickly?
S3 enhanced uploader
Snowmobile
Snowball
Direct Connect
A company wants to transfer its video library data, which runs in exabytes, to AWS. Which AWS service can help the company transfer the data?
Snowmobile
Snowball
S3 upload
S3 enhanced uploader
You are working with a customer who has 100 TB of archival data that they want to migrate to Amazon Glacier. The customer has a 1-Gbps connection to the Internet. Which service or feature provides the fastest method of getting the data into Amazon Glacier?
Flow logs – Capture information about the IP traffic going to and from network interfaces in your VPC
Tenancy option for instances
shared, by default, allows instances to be launched on shared tenancy
dedicated allows instances to be launched on a dedicated hardware
Route Tables
defines rules, termed as routes, which determine where network traffic from the subnet would be routed
Each VPC has a Main Route table and can have multiple custom route tables created
Every route table contains a local route that enables communication within a VPC which cannot be modified or deleted
Route priority is decided by matching the most specific route in the route table that matches the traffic
Subnets
map to AZs and do not span across AZs
have a CIDR range that is a portion of the whole VPC.
CIDR ranges cannot overlap between subnets within the VPC.
AWS reserves 5 IP addresses in each subnet – first 4 and last one
Each subnet is associated with a route table which define its behavior
Public subnets – inbound/outbound Internet connectivity via IGW
Private subnets – outbound Internet connectivity via a NAT or VGW
Protected subnets – no outbound connectivity and used for regulated workloads
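The subnet rules above (subnets must sit inside the VPC CIDR, must not overlap, have five reserved addresses, and are public, private or protected depending on their route table's default route), as an added example that is not the page author's code: a constructed checker using only the Python standard library. The gateway-id prefixes `igw-`, `nat-` and `vgw-` are assumed from AWS resource-id conventions; NAT instances (targeted by instance or ENI id) are not modelled.

```python
import ipaddress

RESERVED_PER_SUBNET = 5  # AWS reserves the first four addresses and the last one


def reserved_addresses(subnet_cidr):
    """Return the five addresses AWS reserves in a subnet: network address,
    VPC router, DNS, one reserved for future use, and the broadcast address."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return [str(net[i]) for i in range(4)] + [str(net[-1])]


def usable_hosts(subnet_cidr):
    """Addresses left for instances once the reserved ones are removed."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return net.num_addresses - RESERVED_PER_SUBNET


def validate_subnets(vpc_cidr, subnet_cidrs):
    """Check that every subnet lies inside the VPC CIDR and that no two subnets
    overlap. Returns a list of human-readable problems (empty means valid)."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    nets = [ipaddress.ip_network(c, strict=True) for c in subnet_cidrs]
    problems = []
    for n in nets:
        if not n.subnet_of(vpc):
            problems.append(f"{n} is not within VPC {vpc}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


def classify_subnet(routes):
    """Classify a subnet from its route table, given as {destination: target}.
    The local route is always present; the default route target decides:
    igw -> public, nat/vgw -> private, no default route -> protected."""
    default = routes.get("0.0.0.0/0")
    if default is None:
        return "protected"
    if default.startswith("igw-"):
        return "public"
    if default.startswith(("nat-", "vgw-")):
        return "private"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample VPC and subnets
    print(reserved_addresses("10.0.0.0/24"))   # first four and .255
    print(usable_hosts("10.0.0.0/24"))         # 251
    print(validate_subnets("10.0.0.0/16", ["10.0.0.0/23", "10.0.1.0/24", "192.168.0.0/24"]))
    print(classify_subnet({"10.0.0.0/16": "local", "0.0.0.0/0": "igw-0constructed"}))  # public
```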
Elastic Network Interface (ENI)
a default ENI, eth0, is attached to an instance and cannot be detached; one or more secondary, detachable ENIs (eth1-ethn) can also be attached
has primary private, one or more secondary private, public, Elastic IP address, security groups, MAC address and source/destination check flag attributes associated
An ENI in one subnet can be attached to an instance in the same or another subnet, in the same AZ and the same VPC
Security group membership of an ENI can be changed
with a pre-allocated MAC address, can be used for applications with special licensing requirements
NAT (Network Address Translation) allows internet access to instances in private subnets.
performs the function of both address translation and port address translation (PAT)
a NAT instance needs the source/destination check flag disabled, as the instance is not the actual source or destination of the traffic it forwards.
NAT gateway is an AWS managed NAT service that provides better availability, higher bandwidth, and requires less administrative effort
NAT devices are not supported for IPv6 traffic
NAT Gateway supports private NAT with fixed private IPs.
Egress-Only Internet Gateways
outbound communication over IPv6 from instances in the VPC to the Internet, and prevents the Internet from initiating an IPv6 connection with your instances
supports IPv6 traffic only
Shared VPCs
allows multiple AWS accounts to create their application resources, such as EC2 instances, RDS databases, Redshift clusters, and AWS Lambda functions, into shared, centrally-managed VPCs
VPC Endpoints enable private connectivity from a VPC to supported AWS services and VPC endpoint services powered by PrivateLink
does not require a public IP address, access over the Internet, NAT device, a VPN connection, or Direct Connect
traffic between VPC & AWS service does not leave the Amazon network
are virtual devices.
are horizontally scaled, redundant, and highly available VPC components that allow communication between instances in the VPC and services without imposing availability risks or bandwidth constraints on the network traffic.
Gateway Endpoints
is a gateway that is a target for a specified route in the route table, used for traffic destined to a supported AWS service.
only S3 and DynamoDB are currently supported
Interface Endpoints OR Private Links
is an elastic network interface with a private IP address that serves as an entry point for traffic destined to a supported service
supported services include AWS services, services hosted by other AWS customers and partners in their own VPCs (referred to as endpoint services), and supported AWS Marketplace partner services.
CloudFront provides low latency and high data transfer speeds for the distribution of static, dynamic web, or streaming content to web users.
delivers the content through a worldwide network of data centers called Edge Locations or Point of Presence (PoPs)
keeps persistent connections with the origin servers so that the files can be fetched from the origin servers as quickly as possible.
dramatically reduces the number of network hops that users’ requests must pass through
supports multiple origin server options, e.g. AWS hosted services such as S3, EC2, ELB, or an on-premises server, which store the original, definitive version of the objects
single distribution can have multiple origins and Path pattern in a cache behavior determines which requests are routed to the origin
Web distribution supports static, dynamic web content, on-demand using progressive download & HLS, and live streaming video content
supports HTTPS using either
dedicated IP address, which is expensive as a dedicated IP address is assigned to each CloudFront edge location
Server Name Indication (SNI), which is free but supported by modern browsers only with the domain name available in the request header
For E2E HTTPS connection,
Viewers -> CloudFront needs either a certificate issued by CA or ACM
CloudFront -> Origin needs a certificate issued by ACM for ELB and by CA for other origins
Security
Origin Access Identity (OAI) can be used to restrict the content from S3 origin to be accessible from CloudFront only
supports Geo restriction (Geo-Blocking) to whitelist or blacklist countries that can access the content
Signed URLs
restrict access to individual files, e.g. an installation download for your application.
suit users with a client, e.g. a custom HTTP client, that doesn't support cookies
Signed Cookies
provide access to multiple restricted files, e.g. video part files in HLS format or all of the files in the subscribers' area of a website.
suit cases where you don't want to change the current URLs
integrates with AWS WAF, a web application firewall that helps protect web applications from attacks by allowing rules configured based on IP addresses, HTTP headers, and custom URI strings
supports GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE to get object & object headers, add, update, and delete objects
only caches responses to GET and HEAD requests and, optionally, OPTIONS requests
does not cache responses to PUT, POST, PATCH, DELETE request methods and these requests are proxied back to the origin
object removal from the cache
would be removed upon expiry (TTL) from the cache, by default 24 hrs
can be invalidated explicitly, at a cost; however, viewers might continue to see the old version until it expires from those caches
objects can be invalidated only for Web distribution
use versioning or change object name, to serve a different version
supports adding or modifying custom headers before the request is sent to origin which can be used to
validate that a request is reaching the origin through the CDN rather than directly
identify which CDN the request was forwarded from, in case of multiple CloudFront distributions
for viewers not supporting CORS to return the Access-Control-Allow-Origin header for every request
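The origin-side use of a custom header described above, as an added example that is not CloudFront's or the page author's code: a constructed origin handler that accepts only requests carrying the secret value a distribution was configured to add, tells apart several distributions by their secrets, and returns the Access-Control-Allow-Origin header on every accepted response. The header name, distribution names, secrets and allowed origin are all constructed.

```python
import hmac

# Constructed configuration (not CloudFront's or the page author's code): each
# distribution adds the same custom origin header with its own secret value.
ORIGIN_HEADER = "x-origin-verify"
DISTRIBUTION_SECRETS = {            # hypothetical names and constructed secret values
    "web-distribution": "constructed-secret-web-0001",
    "mobile-distribution": "constructed-secret-mobile-0002",
}
ALLOWED_ORIGIN = "https://www.example.com"  # constructed viewer origin for CORS


def identify_distribution(headers):
    """Return the name of the distribution whose secret matches the custom header,
    or None if the header is missing or wrong. Header names are case-insensitive,
    so keys are normalised; the comparison is constant time so response timing
    does not reveal how many bytes of the presented value matched."""
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get(ORIGIN_HEADER, "").encode()
    for dist_name, secret in DISTRIBUTION_SECRETS.items():
        if hmac.compare_digest(presented, secret.encode()):
            return dist_name
    return None


def handle_origin_request(headers):
    """Origin-side decision as (status, response headers, body). Requests that did
    not come through a known distribution are refused; every accepted response
    carries Access-Control-Allow-Origin so the header is present on every reply."""
    dist_name = identify_distribution(headers)
    if dist_name is None:
        return 403, {}, "direct origin access is not allowed"
    response_headers = {
        "Access-Control-Allow-Origin": ALLOWED_ORIGIN,
        "Vary": "Origin",  # caches must key on the viewer origin
    }
    return 200, response_headers, f"served via {dist_name}"


if __name__ == "__main__":
    # Constructed requests: one forwarded by a distribution, one hitting the origin directly
    print(handle_origin_request({"X-Origin-Verify": "constructed-secret-web-0001"}))  # 200, served via web-distribution
    print(handle_origin_request({"User-Agent": "curl"}))                               # 403
```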
supports Partial GET requests using range header to download objects in smaller units improving the efficiency of partial downloads and recovery from partially failed transfers
supports compression to compress and serve compressed files when viewer requests include Accept-Encoding: gzip in the request header
supports different price classes to include all regions, or only the least expensive regions and other regions without the most expensive regions
supports access logs which contain detailed information about every user request for both web and RTMP distribution
AWS Direct Connect is a network service that uses a private dedicated network connection to connect to AWS services.
helps reduce costs (long term), increases bandwidth, and provides a more consistent network experience than internet-based connections.
supports Dedicated and Hosted connections
Dedicated connection is made through a 1 Gbps, 10 Gbps, or 100 Gbps Ethernet port dedicated to a single customer.
Hosted connections are sourced from an AWS Direct Connect Partner that has a network link between themselves and AWS.
provides Virtual Interfaces
Private VIF to access instances within a VPC via VGW
Public VIF to access non VPC services
requires time to set up, possibly months, and should not be considered as an option if a quick turnaround is needed
does not provide redundancy on its own; use either a second Direct Connect connection or an IPsec VPN connection
Virtual Private Gateway is on the AWS side and Customer Gateway is on the Customer side
route propagation is enabled on VGW and not on CGW
A link aggregation group (LAG) is a logical interface that uses the link aggregation control protocol (LACP) to aggregate multiple dedicated connections at a single AWS Direct Connect endpoint and treat them as a single, managed connection
Direct Connect vs VPN IPSec
Expensive to Setup and Takes time vs Cheap & Immediate
Dedicated private connections vs Internet
Reduced data transfer rate vs Internet data transfer cost
Consistent performance vs Internet inherent variability
An Alias resource record set is similar to a CNAME resource record set, but supports both the root domain (zone apex, e.g. example.com) and subdomains, e.g. www.example.com.
supports ELB load balancers, CloudFront distributions, Elastic Beanstalk environments, API Gateways, VPC interface endpoints, and S3 buckets that are configured as websites.
CNAME resource record sets can be created only for subdomains and cannot be mapped to the zone apex record
supports Private DNS to provide an authoritative DNS within the VPCs without exposing the DNS records (including the name of the resource and its IP address(es)) to the Internet.
Split-view (Split-horizon) DNS enables mapping the same domain publicly and privately. Requests are routed as per the origin.
Weighted routing – assign weights to resource records sets to specify the proportion for e.g. 80%:20%
Latency based routing – helps improve global applications, as requests are sent to the server at the location with minimal latency; because it is based purely on latency, it cannot guarantee that users from the same geography will be served from the same location, which matters for compliance reasons
Geolocation routing – route by the geographic location of the user, specified by continent, country, or state (states are limited to the US); accuracy depends on IP geolocation data
Geoproximity routing policy – Use to route traffic based on the location of the resources and, optionally, shift traffic from resources in one location to resources in another.
Multivalue answer routing policy – Use to respond to DNS queries with up to eight healthy records selected at random.
Failover routing – failover to a backup site if the primary site fails and becomes unreachable
Weighted, Latency and Geolocation can be used for Active-Active while Failover routing can be used for Active-Passive multi-region architecture
Traffic Flow is an easy-to-use and cost-effective global traffic management service. Traffic Flow supports versioning and helps create policies that route traffic based on the constraints they care most about, including latency, endpoint health, load, geoproximity, and geography.
Route 53 Resolver is a regional DNS service that helps with hybrid DNS
Inbound Endpoints are used to resolve DNS queries from an on-premises network to AWS
Outbound Endpoints are used to resolve DNS queries from AWS to an on-premises network
AWS Global Accelerator is a networking service that helps you improve the availability and performance of applications for global users.
utilizes the Amazon global backbone network, improving the performance of the applications by lowering first-byte latency, and jitter, and increasing throughput as compared to the public internet.
provides two static IP addresses serviced by independent network zones that provide a fixed entry point to the applications and eliminate the complexity of managing specific IP addresses for different AWS Regions and AZs.
always routes user traffic to the optimal endpoint based on performance, reacting instantly to changes in application health, the user’s location, and configured policies
improves performance for a wide range of applications over TCP or UDP by proxying packets at the edge to applications running in one or more AWS Regions.
is a good fit for non-HTTP use cases, such as gaming (UDP), IoT (MQTT), or Voice over IP, as well as for HTTP use cases that specifically require static IP addresses or deterministic, fast regional failover.
AWS Transit Gateway is a highly available and scalable service to consolidate the AWS VPC routing configuration for a region with a hub-and-spoke architecture.
acts as a Regional virtual router and is a network transit hub that can be used to interconnect VPCs and on-premises networks.
traffic always stays on the global AWS backbone, data is automatically encrypted, and never traverses the public internet, thereby reducing threat vectors, such as common exploits and DDoS attacks.
is a Regional resource and can connect VPCs within the same AWS Region.
TGWs across the same or different regions can peer with each other.
provides simpler VPC-to-VPC communication management over VPC Peering with a large number of VPCs.
scales elastically based on the volume of network traffic.
AWS Direct Connect is a network service that provides an alternative to using the Internet to utilize AWS cloud services
DX links your internal network to an AWS Direct Connect location over a standard Ethernet fiber-optic cable with one end of the cable connected to your router, the other to an AWS Direct Connect router.
Connections can be established with
Dedicated connections – 1Gbps, 10Gbps, and 100Gbps capacity.
Hosted connection – speeds of 50, 100, 200, 300, 400, and 500 Mbps can be ordered from APN partners supporting AWS DX. Also supports 1, 2, 5 and 10 Gbps with selected partners.
Virtual interfaces can be created directly to public AWS services ( e.g. S3) or to VPC, bypassing internet service providers in the network path.
DX locations in public Regions or AWS GovCloud (US) can access public services in any other public Region.
Each AWS DX location enables connectivity to all AZs within the geographically nearest AWS region.
DX supports both the IPv4 and IPv6 communication protocols.
Direct Connect Advantages
Reduced Bandwidth Costs
All data transferred over the dedicated connection is charged at the reduced data transfer rate rather than Internet data transfer rates.
Transferring data to and from AWS directly reduces the bandwidth commitment to the Internet service provider
Consistent Network Performance
provides a dedicated connection and a more consistent network performance experience than the Internet which can widely vary.
AWS Services Compatibility
is a network service and works with all of the AWS services like S3, EC2, and VPC
Private Connectivity to AWS VPC
Using DX Private Virtual Interface a private, dedicated, high bandwidth network connection can be established between the network and VPC
Elastic
can be easily scaled to meet the needs by either using a higher bandwidth connection or by establishing multiple connections.
Direct Connect Anatomy
Amazon maintains AWS Direct Connect PoP across different locations (referred to as Colocation Facilities) which are different from AWS regions.
As a consumer, you can either purchase rack space or use any of the AWS APN Partners which already have the infrastructure within the Colocation Facility, and configure a Customer Gateway
Connection from the AWS Direct Connect PoP to the AWS regions is maintained by AWS itself.
Connection from the Customer Gateway to the Customer Data Center can be established using any Service Provider Network.
Connection between the PoP and the Customer gateway within the Colocation Facility is called Cross Connect.
Once a DX connection is created with AWS, an LOA-CFA (Letter Of Authority – Connecting Facility Assignment) would be received.
The LOA-CFA can be handed over to the Colocation Facility or the APN Partner to establish the Cross Connect
Once the Cross Connect and the connectivity between the CGW and Customer DataCenter are established, Virtual Interfaces can be created
AWS Direct Connect requires a VGW to access the AWS VPC.
Virtual Interfaces – VIF
Each connection requires a Virtual Interface
Each connection can be configured with one or more virtual interfaces.
Supports Public, Private, and Transit Virtual Interfaces
Each VIF needs a VLAN ID, interface IP address, ASN, and BGP key.
To use the connection with another AWS account, a hosted virtual interface (Hosted VIF) can be created for that account. These hosted virtual interfaces work the same as standard virtual interfaces and can connect to public resources or a VPC.
Direct Connect Network Requirements
Single-mode fiber with
a 1000BASE-LX (1310 nm) transceiver for 1 gigabit Ethernet,
a 10GBASE-LR (1310 nm) transceiver for 10 gigabits, or
a 100GBASE-LR4 for 100 gigabit Ethernet.
802.1Q VLAN encapsulation must be supported
Auto-negotiation for a port must be disabled so that the speed and mode (half or full duplex) cannot be modified; they should be manually configured
Border Gateway Protocol (BGP) and BGP MD5 authentication must be supported
Bidirectional Forwarding Detection (BFD) is optional and helps in quick failure detection.
Direct Connect Connections
Dedicated Connection
provides a physical Ethernet connection associated with a single customer
Customers can request a dedicated connection through the AWS Direct Connect console, the CLI, or the API.
support port speeds of 1 Gbps, 10 Gbps, and 100 Gbps.
supports multiple virtual interfaces (current limit of 50)
Hosted Connection
A physical Ethernet connection that an AWS Direct Connect Partner provisions on behalf of a customer.
Customers request a hosted connection by contacting a partner in the AWS Direct Connect Partner Program, which provisions the connection
Support port speeds of 50 Mbps, 100 Mbps, 200 Mbps, 300 Mbps, 400 Mbps, 500 Mbps, 1 Gbps, 2 Gbps, 5 Gbps, and 10 Gbps
1 Gbps, 2 Gbps, 5 Gbps or 10 Gbps hosted connections are supported by limited partners.
supports a single virtual interface
AWS uses traffic policing on hosted connections and excess traffic is dropped.
Direct Connect Virtual Interfaces – VIF
Public Virtual Interface
enables connectivity to all the AWS Public IP addresses
helps connect to public resources e.g. SQS, S3, EC2, Glacier, etc which are reachable publicly only.
can be used to access all public resources across regions
allows a maximum of 1000 prefixes. You can summarize the prefixes into a larger range to reduce the number of prefixes.
does not support Jumbo frames.
Private Virtual Interface
helps connect to the VPC for e.g. instances with a private IP address
supports
Virtual Private Gateway
Allows connections only to a single specific VPC with the attached VGW in the same region
Private VIF and Virtual Private Gateway – VGW should be in the same region
Direct Connect Gateway
Allows connections to multiple VPCs in multiple regions.
allows a maximum of 100 prefixes. You can summarize the prefixes into a larger range to reduce the number of prefixes.
helps access one or more VPC Transit Gateways associated with Direct Connect Gateways.
supports Jumbo frames with 8500 MTU
Direct Connect Redundancy
Direct Connect connections do not provide redundancy and have multiple single points of failure with respect to the hardware devices, as each connection consists of a single dedicated connection between ports on your router and an Amazon router.
Redundancy can be provided by
Establishing a second DX connection, preferably in a different Colocation Facility using a different router and AWS DX PoP.
IPsec VPN connection between the Customer DC to the VGW.
For Multiple ports requested in the same AWS Direct Connect location, Amazon itself makes sure they are provisioned on redundant Amazon routers to prevent impact from a hardware failure
High Resiliency – 99.9%
High resiliency for critical workloads can be achieved by using two single connections to multiple locations.
It provides resiliency against connectivity failures caused by a fiber cut or a device failure. It also helps prevent a complete location failure.
Maximum Resiliency – 99.99%
Maximum resiliency for critical workloads can be achieved using separate connections that terminate on separate devices in more than one location.
It provides resiliency against device, connectivity, and complete location failures.
Direct Connect LAG – Link Aggregation Group
A LAG is a logical interface that uses the Link Aggregation Control Protocol (LACP) to aggregate multiple connections at a single AWS Direct Connect endpoint, treating them as a single, managed connection.
LAG can combine multiple connections to increase available bandwidth.
LAG can be created from existing or new connections.
Existing connections (whether standalone or part of another LAG) can be associated with the LAG after it is created.
A LAG must follow these rules:
All connections must use the same bandwidth and port speed of 1, 10, or 100 Gbps.
All connections must be dedicated connections.
Maximum of four connections in a LAG. Each connection in the LAG counts toward the overall connection limit for the Region.
All connections in the LAG must terminate at the same AWS Direct Connect endpoint.
Multi-chassis LAG (MLAG) is not supported by AWS.
LAG doesn’t make the connectivity to AWS more resilient.
LAG connections operate in Active/Active mode.
LAG supports an attribute that defines the minimum number of operational connections for the LAG to function, with a default value of 0.
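The added example below (not from the original notes) turns the redundancy tiers and the LAG rules above into a checker: it validates a proposed LAG, computes the active/active bandwidth under the minimum-links attribute, and classifies a set of connections as single-location, High or Maximum resiliency, which also shows why a four-connection LAG at one endpoint is still not resilient. The DxConnection fields and function names are assumptions.

```python
from dataclasses import dataclass

LAG_MAX_CONNECTIONS = 4                # rule from the notes above
LAG_PORT_SPEEDS_GBPS = {1, 10, 100}    # port speeds that may form a LAG


@dataclass(frozen=True)
class DxConnection:
    """One physical Direct Connect connection (field names are this example's own)."""
    conn_id: str
    location: str      # colocation facility / DX PoP
    device: str        # router the connection terminates on
    endpoint: str      # AWS Direct Connect endpoint
    speed_gbps: int
    dedicated: bool = True
    up: bool = True


def validate_lag(conns):
    """Return the list of LAG rules the connections violate (empty list means valid)."""
    problems = []
    if not conns or len(conns) > LAG_MAX_CONNECTIONS:
        problems.append(f"a LAG needs 1-{LAG_MAX_CONNECTIONS} connections, got {len(conns)}")
    if any(not c.dedicated for c in conns):
        problems.append("all connections must be dedicated connections")
    speeds = {c.speed_gbps for c in conns}
    if len(speeds) > 1 or not speeds <= LAG_PORT_SPEEDS_GBPS:
        problems.append(f"all connections must share one speed of 1/10/100 Gbps, got {sorted(speeds)}")
    if len({c.endpoint for c in conns}) > 1:
        problems.append("all connections must terminate at the same AWS Direct Connect endpoint")
    return problems


def lag_bandwidth_gbps(conns, min_links=0):
    """Active/active: usable bandwidth is the sum of the operational links, or 0 once
    fewer than min_links are up. Assumption: even with the default of 0, one link must be up."""
    up = [c for c in conns if c.up]
    if len(up) < max(min_links, 1):
        return 0
    return sum(c.speed_gbps for c in up)


def resiliency_tier(conns):
    """'single': one location (no location redundancy, LAG or not);
    'high': more than one location; 'maximum': more than one location,
    each with connections terminating on separate devices."""
    devices_by_location = {}
    for c in conns:
        devices_by_location.setdefault(c.location, set()).add(c.device)
    if len(devices_by_location) < 2:
        return "single"
    if all(len(devs) >= 2 for devs in devices_by_location.values()):
        return "maximum"
    return "high"
```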
Direct Connect Failover
Bidirectional Forwarding Detection – BFD is a detection protocol that provides fast forwarding path failure detection times. These fast failure detection times facilitate faster routing reconvergence times.
When connecting to AWS services over DX connections it is recommended to enable BFD for fast failure detection and failover.
By default, BGP waits for three keep-alives to fail at a hold-down time of 90 seconds. Enabling BFD for the DX connection allows the BGP neighbor relationship to be quickly torn down.
Asynchronous BFD is automatically enabled for each DX virtual interface, but will not take effect until it’s configured on your router.
AWS has set the BFD liveness detection minimum interval to 300, and the BFD liveness detection multiplier to 3.
It’s a best practice not to configure graceful restart and BFD at the same time to avoid failover or connection issues. For fast failover, configure BFD without graceful restart enabled.
BFD is supported for LAGs.
Direct Connect Security
Direct Connect does not encrypt the traffic that is in transit by default. To encrypt the data in transit that traverses DX, you must use the transit encryption options for that service.
DX connections can be secured
with IPSec VPN to provide secure, reliable connectivity.
with MACsec to encrypt the data from the corporate data center to the DX location.
MAC Security (MACsec)
is an IEEE standard that provides data confidentiality, data integrity, and data origin authenticity.
provides Layer 2 security for 10Gbps and 100Gbps Dedicated Connections only.
delivers native, near line-rate, point-to-point encryption ensuring that data communications between AWS and the data center, office, or colocation facility remain protected.
removes the VPN limitation that required aggregating multiple IPsec VPN tunnels to work around the throughput limit of a single VPN connection.
Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed, the question might not be updated.
Open to further feedback, discussion and correction.
You are building a solution for a customer to extend their on-premises data center to AWS. The customer requires a 50-Mbps dedicated and private connection to their VPC. Which AWS product or feature satisfies this requirement?
Amazon VPC peering
Elastic IP Addresses
AWS Direct Connect
Amazon VPC virtual private gateway
Is there any way to own a direct connection to Amazon Web Services?
You can create an encrypted tunnel to VPC, but you don’t own the connection.
Yes, it’s called Amazon Dedicated Connection.
No, AWS only allows access from the public Internet.
Yes, it’s called Direct Connect
An organization has established an Internet-based VPN connection between their on-premises data center and AWS. They are considering migrating from VPN to AWS Direct Connect. Which operational concern should drive an organization to consider switching from an Internet-based VPN connection to AWS Direct Connect?
AWS Direct Connect provides greater redundancy than an Internet-based VPN connection.
AWS Direct Connect provides greater resiliency than an Internet-based VPN connection.
AWS Direct Connect provides greater bandwidth than an Internet-based VPN connection.
AWS Direct Connect provides greater control of network provider selection than an Internet-based VPN connection.
Does AWS Direct Connect allow you access to all Availability Zones within a Region?
Depends on the type of connection
No
Yes
Only when there’s just one availability zone in a region. If there are more than one, only one availability zone can be accessed directly.
A customer has established an AWS Direct Connect connection to AWS. The link is up and routes are being advertised from the customer’s end, however, the customer is unable to connect from EC2 instances inside its VPC to servers residing in its datacenter. Which of the following options provide a viable solution to remedy this situation? (Choose 2 answers)
Add a route to the route table with an IPSec VPN connection as the target (deals with VPN)
Enable route propagation to the Virtual Private Gateway (VGW)
Enable route propagation to the customer gateway (CGW) (route propagation is enabled on VGW)
Modify the route table of all Instances using the ‘route’ command. (no route command available)
Modify the Instances VPC subnet route table by adding a route back to the customer’s on-premises environment.
A company has configured and peered two VPCs: VPC-1 and VPC-2. VPC-1 contains only private subnets, and VPC-2 contains only public subnets. The company uses a single AWS Direct Connect connection and private virtual interface to connect their on-premises network with VPC-1. Which two methods increase the fault tolerance of the connection to VPC-1? Choose 2 answers
Establish a hardware VPN over the internet between VPC-2 and the on-premises network. (Peered VPC does not support Edge to Edge Routing)
Establish a hardware VPN over the internet between VPC-1 and the on-premises network
Establish a new AWS Direct Connect connection and private virtual interface in the same region as VPC-2 (Peered VPC does not support Edge to Edge Routing)
Establish a new AWS Direct Connect connection and private virtual interface in a different AWS region than VPC-1 (need to be in the same region as VPC-1)
Establish a new AWS Direct Connect connection and private virtual interface in the same AWS region as VPC-1
Your company previously configured a heavily used, dynamically routed VPN connection between your on-premises data center and AWS. You recently provisioned a Direct Connect connection and would like to start using the new connection. After configuring Direct Connect settings in the AWS Console, which of the following options will provide the most seamless transition for your users?
Delete your existing VPN connection to avoid routing loops, configure your Direct Connect router with the appropriate settings, and verify network traffic is leveraging Direct Connect.
Configure your Direct Connect router with a higher BGP priority than your VPN router, verify network traffic is leveraging Direct Connect, and then delete your existing VPN connection.
Update your VPC route tables to point to the Direct Connect connection, configure your Direct Connect router with the appropriate settings, verify network traffic is leveraging Direct Connect, and then delete the VPN connection.
Configure your Direct Connect router, update your VPC route tables to point to the Direct Connect connection, configure your VPN connection with a higher BGP priority, and verify network traffic is leveraging the Direct Connect connection.
You are designing the network infrastructure for an application server in Amazon VPC. Users will access all the application instances from the Internet as well as from an on-premises network. The on-premises network is connected to your VPC over an AWS Direct Connect link. How would you design routing to meet the above requirements?
Configure a single routing table with a default route via the Internet gateway. Propagate a default route via BGP on the AWS Direct Connect customer router. Associate the routing table with all VPC subnets (propagating the default route would cause conflict)
Configure a single routing table with a default route via the internet gateway. Propagate specific routes for the on-premises networks via BGP on the AWS Direct Connect customer router. Associate the routing table with all VPC subnets.
Configure a single routing table with two default routes: one to the internet via an Internet gateway, the other to the on-premises network via the VPN gateway. Use this routing table across all subnets in your VPC. (there cannot be 2 default routes)
Configure two routing tables: one that has a default route via the Internet gateway and another that has a default route via the VPN gateway. Associate both routing tables with each VPC subnet. (as the instances have to be in the public subnet and should have a single routing table associated with them)
You are implementing AWS Direct Connect. You intend to use AWS public service endpoints such as Amazon S3, across the AWS Direct Connect link. You want other Internet traffic to use your existing link to an Internet Service Provider. What is the correct way to configure AWS Direct Connect for access to services such as Amazon S3?
Configure a public Interface on your AWS Direct Connect link. Configure a static route via your AWS Direct Connect link that points to Amazon S3. Advertise a default route to AWS using BGP.
Create a private interface on your AWS Direct Connect link. Configure a static route via your AWS Direct Connect link that points to Amazon S3. Configure specific routes to your network in your VPC.
Create a public interface on your AWS Direct Connect link. Redistribute BGP routes into your existing routing infrastructure and advertise specific routes for your network to AWS.
Create a private interface on your AWS Direct Connect link. Redistribute BGP routes into your existing routing infrastructure and advertise a default route to AWS.
You have been asked to design network connectivity between your existing data centers and AWS. Your application’s EC2 instances must be able to connect to existing backend resources located in your data center. Network traffic between AWS and your data centers will start small, but ramp up to 10s of GB per second over the course of several months. The success of your application is dependent upon getting to market quickly. Which of the following design options will allow you to meet your objectives?
Quickly create an internal ELB for your backend applications, submit a DirectConnect request to provision a 1 Gbps cross-connect between your data center and VPC, then increase the number or size of your DirectConnect connections as needed.
Allocate EIPs and an Internet Gateway for your VPC instances to use for quick, temporary access to your backend applications, then provision a VPN connection between a VPC and existing on-premises equipment.
Provision a VPN connection between a VPC and existing on-premises equipment, submit a DirectConnect partner request to provision cross connects between your data center and the DirectConnect location, then cut over from the VPN connection to one or more DirectConnect connections as needed.
Quickly submit a DirectConnect request to provision a 1 Gbps cross connect between your data center and VPC, then increase the number or size of your DirectConnect connections as needed.
You are tasked with moving a legacy application from a virtual machine running inside your datacenter to an Amazon VPC. Unfortunately, this app requires access to a number of on-premises services and no one who configured the app still works for your company. Even worse there’s no documentation for it. What will allow the application running inside the VPC to reach back and access its internal dependencies without being reconfigured? (Choose 3 answers)
An AWS Direct Connect link between the VPC and the network housing the internal services (VPN or a DX for communication)
An Internet Gateway to allow a VPN connection. (Virtual and Customer gateway is needed)
An Elastic IP address on the VPC instance (Don’t need an EIP as private subnets can also interact with the on-premises network)
An IP address space that does not conflict with the one on-premises (IP address cannot conflict)
Entries in Amazon Route 53 that allow the Instance to resolve its dependencies’ IP addresses (Route 53 is not required)
A VM Import of the current virtual machine (VM Import to copy the VM to AWS as there is no documentation it can’t be configured from scratch)