
Chapter 9 of 26

Data Protection in Transit and Secure Connectivity

From simple HTTPS to hybrid VPN and Direct Connect, learn how to protect data in motion and pick the right connectivity option for each scenario.

27 min read

Big Picture: Data in Transit and Secure Connectivity

Why Data in Transit Matters

This module focuses on data in transit: how to protect data while it moves across networks, from browsers to AWS services and between AWS and on‑premises.

Exam‑Relevant Skills

You must design TLS/SSL for public/private endpoints, compare VPC peering, PrivateLink, VPN, and Direct Connect, and build secure hybrid connectivity aligned to the Security pillar.

Threats to Data in Transit

Unencrypted traffic can be read or altered in transit, and without authentication a client cannot tell whether it is talking to the real endpoint or to an attacker impersonating it. Encryption in transit aims to provide confidentiality, integrity, and authentication of the peer.

Shared Responsibility

AWS secures the cloud infrastructure; you configure TLS, keys, networks, and connectivity. Misconfigurations here often show up as exam scenarios.

TLS/SSL Foundations: How HTTPS Actually Protects Data

TLS/SSL in a Nutshell

TLS uses certificates, CAs, and a handshake to agree on keys and encrypt traffic. On AWS, it underpins HTTPS and most secure service endpoints.

HTTPS Flow

The client connects and advertises the protocol versions and cipher suites it supports, the server responds with its certificate, the client validates that certificate (chain to a trusted CA, hostname match, validity period), both sides derive session keys, and then all application data is encrypted and integrity‑protected over the connection.

Where TLS Shows Up on AWS

You configure TLS on ALB/NLB, CloudFront, API Gateway, and also for private services like internal load balancers, EC2 apps, and RDS.

Exam Tips for TLS

Prefer TLS 1.2/1.3 (on ALB, NLB and CloudFront this is controlled by the security policy you pick), use ACM for certificates, and design end‑to‑end encryption by terminating and re‑encrypting at each hop (edge, load balancer, backend). Keep in mind that ACM public certificates are deployed through integrated services such as ALB, NLB, CloudFront and API Gateway rather than copied onto instances, so backend certificates usually come from ACM Private CA or your own CA.
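To make the handshake flow above concrete, here is an added example (not code from the original page) that decodes the first message a client sends, the ClientHello, and reports which protocol versions and cipher suites it offers. This is what an ALB or NLB security policy ultimately decides on: if a client only offers TLS 1.0/1.1, a TLS 1.2‑only policy will reject it. The sample messages are constructed by build_client_hello() so the script runs offline; the cipher suite IDs and the supported_versions extension number are from the IANA TLS registry.

```python
"""Decode a TLS ClientHello (the first handshake message) and report which
protocol versions and cipher suites the client offered.

build_client_hello() fabricates sample messages so this runs offline; with a
real capture you would pass the first TLS record the client sent.
"""
import struct

TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
# A handful of IANA cipher suite IDs. The "weak" ones use RSA key transport
# (no forward secrecy) and/or legacy ciphers such as RC4 and 3DES.
SUITE_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
}
WEAK_SUITES = {0x002F, 0x000A, 0x0005}
EXT_SUPPORTED_VERSIONS = 0x002B


def build_client_hello(legacy_version, cipher_suites, supported_versions=None):
    """Assemble a minimal ClientHello record (constructed test input)."""
    body = struct.pack("!H", legacy_version)
    body += b"\x11" * 32                                   # client random (fixed here)
    body += b"\x00"                                        # empty legacy session id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                                    # one compression method: null
    extensions = b""
    if supported_versions:
        versions = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext_data = bytes([len(versions)]) + versions
        extensions += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ext_data)) + ext_data
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record header


def parse_client_hello(record):
    """Return the versions and cipher suites offered in a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    legacy_version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                    # skip version and random
    pos += 1 + body[pos]                            # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                            # skip compression methods
    # Without supported_versions, legacy_version is the highest version offered
    # (a TLS 1.2 client). TLS 1.3 clients set it to 0x0303 and list the real
    # candidates in the extension.
    versions = [legacy_version]
    if pos < len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == EXT_SUPPORTED_VERSIONS:
                versions = [struct.unpack("!H", edata[i:i + 2])[0]
                            for i in range(1, 1 + edata[0], 2)]
    return {"versions": versions, "cipher_suites": suites}


def assess(hello):
    """Findings that matter when you enforce a TLS 1.2/1.3-only policy."""
    findings = []
    offered = hello["versions"]
    legacy = [TLS_VERSIONS.get(v, hex(v)) for v in offered if v < 0x0303]
    if max(offered) < 0x0303:
        findings.append("client cannot negotiate TLS 1.2 or newer; a TLS 1.2-only endpoint will reject it")
    elif legacy:
        findings.append("client still offers " + ", ".join(legacy) + "; a downgrade is possible if the server allows it")
    weak = [SUITE_NAMES.get(cs, hex(cs)) for cs in hello["cipher_suites"] if cs in WEAK_SUITES]
    if weak:
        findings.append("client offers weak cipher suites: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    # Constructed samples: a modern TLS 1.3-capable client and a legacy one.
    modern = build_client_hello(0x0303, [0x1301, 0x1302, 0xC02F], [0x0304, 0x0303])
    legacy = build_client_hello(0x0301, [0x0005, 0x000A])
    for name, rec in (("modern", modern), ("legacy", legacy)):
        hello = parse_client_hello(rec)
        print(name, [TLS_VERSIONS[v] for v in hello["versions"]], assess(hello) or "ok")
```

The parser only reads the cleartext part of the handshake, which is exactly what a network observer (or a load balancer deciding whether to accept the connection) can see before any keys exist; everything after the key exchange is opaque to it.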

Designing TLS for Public and Private Endpoints

Scenario 1: Public Web App

Public ALB with ACM certificate, HTTPS listener, TLS 1.2/1.3 policy, and encrypted connections from ALB to EC2 using HTTPS target groups.

Implementing Scenario 1

Request a certificate in ACM, attach it to an HTTPS listener on 443 with a TLS 1.2/1.3 security policy, configure the backend EC2 instances to serve HTTPS, and point the listener at an HTTPS target group so the ALB‑to‑instance hop is encrypted as well. One caveat: the ALB encrypts the connection to its targets but does not validate the target's certificate, so a self‑signed backend certificate works, and this hop gives you confidentiality on the wire rather than assurance of the backend's identity.
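The following added example (not from the original page) turns the Scenario 1 checklist into an audit: given the listeners and target groups of one ALB, it reports any hop that is not encrypted or any listener whose security policy still allows TLS 1.0/1.1. The input dicts are constructed to match the shape of boto3's elbv2.describe_listeners() and describe_target_groups() responses; the ARNs, account ID and policy allow‑list are assumptions you would replace with live data, and a "weak" configuration is shown beside the hardened one.

```python
"""Audit an Application Load Balancer for end-to-end TLS: every listener must be
HTTPS (or an HTTP listener that only redirects to HTTPS) with a TLS 1.2/1.3-only
SSL policy, and must forward only to HTTPS target groups.

The sample dicts are constructed in the shape of boto3's
elbv2.describe_listeners()["Listeners"] and
elbv2.describe_target_groups()["TargetGroups"]; point those calls at a real
load balancer ARN to audit a live account.
"""

# AWS predefined ELB policies that negotiate TLS 1.2/1.3 only (extend as needed).
MODERN_POLICIES = {
    "ELBSecurityPolicy-TLS13-1-2-2021-06",
    "ELBSecurityPolicy-TLS13-1-2-Res-2021-06",
    "ELBSecurityPolicy-TLS13-1-3-2021-06",
    "ELBSecurityPolicy-TLS-1-2-2017-01",
    "ELBSecurityPolicy-TLS-1-2-Ext-2018-06",
}


def _forward_targets(action):
    """Target group ARNs referenced by a forward action (plain or weighted)."""
    if action.get("Type") != "forward":
        return []
    arns = [action["TargetGroupArn"]] if action.get("TargetGroupArn") else []
    arns += [tg["TargetGroupArn"] for tg in action.get("ForwardConfig", {}).get("TargetGroups", [])]
    return arns


def _redirects_to_https(listener):
    """True if the listener's only default action is a redirect to HTTPS."""
    actions = listener.get("DefaultActions", [])
    return (len(actions) == 1 and actions[0].get("Type") == "redirect"
            and actions[0].get("RedirectConfig", {}).get("Protocol") == "HTTPS")


def audit_load_balancer(listeners, target_groups):
    """Return a list of findings; an empty list means every hop is encrypted."""
    tg_by_arn = {tg["TargetGroupArn"]: tg for tg in target_groups}
    findings = []
    for lst in listeners:
        label = f"listener :{lst['Port']}"
        if lst["Protocol"] != "HTTPS":
            if not _redirects_to_https(lst):
                findings.append(f"{label} accepts plaintext {lst['Protocol']} and does not redirect to HTTPS")
            continue
        if not lst.get("Certificates"):
            findings.append(f"{label} has no certificate attached")
        if lst.get("SslPolicy") not in MODERN_POLICIES:
            findings.append(f"{label} uses SSL policy {lst.get('SslPolicy')}, not a TLS 1.2/1.3-only policy")
        for action in lst.get("DefaultActions", []):
            for arn in _forward_targets(action):
                tg = tg_by_arn.get(arn)
                name = tg["TargetGroupName"] if tg else arn
                proto = tg["Protocol"] if tg else "unknown"
                if proto != "HTTPS":
                    findings.append(f"{label} forwards to target group {name} over {proto}, not HTTPS")
    return findings


# ---- constructed sample data (account ID and ARNs are placeholders) ----
ACCOUNT = "arn:aws:elasticloadbalancing:us-east-1:123456789012"
TARGET_GROUPS = [
    {"TargetGroupArn": f"{ACCOUNT}:targetgroup/app-http/0123456789abcdef",
     "TargetGroupName": "app-http", "Protocol": "HTTP", "Port": 8080},
    {"TargetGroupArn": f"{ACCOUNT}:targetgroup/app-https/fedcba9876543210",
     "TargetGroupName": "app-https", "Protocol": "HTTPS", "Port": 8443},
]
REDIRECT_80 = {"Port": 80, "Protocol": "HTTP", "DefaultActions": [
    {"Type": "redirect", "RedirectConfig": {"Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}]}
CERT = [{"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/example"}]

# "Before": the 2016 default policy (allows TLS 1.0) and a plaintext hop to the targets.
WEAK_LISTENERS = [REDIRECT_80, {
    "Port": 443, "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-2016-08", "Certificates": CERT,
    "DefaultActions": [{"Type": "forward", "TargetGroupArn": TARGET_GROUPS[0]["TargetGroupArn"]}]}]
# "After": TLS 1.2/1.3 policy and an HTTPS target group, as in Scenario 1.
HARDENED_LISTENERS = [REDIRECT_80, {
    "Port": 443, "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06", "Certificates": CERT,
    "DefaultActions": [{"Type": "forward", "TargetGroupArn": TARGET_GROUPS[1]["TargetGroupArn"]}]}]

if __name__ == "__main__":
    for name, lst in (("weak", WEAK_LISTENERS), ("hardened", HARDENED_LISTENERS)):
        print(name, audit_load_balancer(lst, TARGET_GROUPS) or "ok")
```

An HTTP listener on port 80 is allowed only when it does nothing but redirect, which is the usual pattern; any other plaintext listener is reported. Run the same check against listener rules (describe_rules) if you use path‑ or host‑based routing to extra target groups.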

Scenario 2: Private Microservice

Internal NLB in private subnets with a TLS listener on 443 and internal certificates from ACM Private CA or your own CA. If you also want mutual TLS for service‑to‑service authentication, note that an NLB TLS listener does not verify client certificates: either use a TCP listener so TLS (and the client‑certificate check) terminates in the service itself, or front the service with an ALB, which can verify client certificates natively.

Why Encrypt Inside the VPC?

Even inside a VPC, encrypting traffic in transit strengthens your security posture and helps meet regulatory and Well‑Architected Security pillar guidance.

VPC Peering vs AWS PrivateLink: Private Connectivity Inside AWS

VPC Peering Basics

VPC peering privately connects two VPCs over AWS's network. It is non‑transitive, requires that the two VPCs' CIDR blocks do not overlap, and gives broad network‑level access between the VPCs.

Using VPC Peering

You create a peering connection, the other side accepts it, and you update route tables in each VPC to send traffic for the other VPC's CIDR through the peering connection. Peering only adds a path; security groups and network ACLs still decide which traffic is actually allowed.
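Because a peering connection is only usable when both sides route to it, here is an added example (not from the original page) that checks one connection for the three things that most often break it: an inactive state, overlapping CIDRs, and a missing return route. The sample connection and route tables are constructed in the shape of boto3's ec2.describe_vpc_peering_connections() and describe_route_tables() responses; the VPC, route table and pcx IDs are placeholders.

```python
"""Verify that a VPC peering connection can actually carry traffic: the
connection is active, the two CIDRs do not overlap, and every route table in
each VPC has an active route for the peer's CIDR that points at the connection.

Sample data is constructed in the shape of boto3's
ec2.describe_vpc_peering_connections()["VpcPeeringConnections"][i] and
ec2.describe_route_tables()["RouteTables"]; replace it with live calls.
"""
import ipaddress


def _missing_routes(route_tables, vpc_id, peer_cidr, pcx_id):
    """Route table IDs in vpc_id with no active route for peer_cidr via pcx_id."""
    peer = ipaddress.ip_network(peer_cidr)
    missing = []
    for rt in route_tables:
        if rt["VpcId"] != vpc_id:
            continue
        covered = any(
            r.get("VpcPeeringConnectionId") == pcx_id
            and r.get("State") == "active"
            and "DestinationCidrBlock" in r
            and peer.subnet_of(ipaddress.ip_network(r["DestinationCidrBlock"]))
            for r in rt.get("Routes", [])
        )
        if not covered:
            missing.append(rt["RouteTableId"])
    return missing


def check_peering(pcx, route_tables):
    """Return findings for one peering connection; empty means it looks usable."""
    pcx_id = pcx["VpcPeeringConnectionId"]
    req, acc = pcx["RequesterVpcInfo"], pcx["AccepterVpcInfo"]
    findings = []
    if pcx["Status"]["Code"] != "active":
        findings.append(f"{pcx_id} is in state {pcx['Status']['Code']}, not active")
    a = ipaddress.ip_network(req["CidrBlock"])
    b = ipaddress.ip_network(acc["CidrBlock"])
    if a.overlaps(b):
        findings.append(f"{pcx_id}: CIDRs {a} and {b} overlap; AWS will not route between them")
    # Routes are needed in both directions: a one-way route gives one-way packets.
    for here, there in ((req, acc), (acc, req)):
        for rt_id in _missing_routes(route_tables, here["VpcId"], there["CidrBlock"], pcx_id):
            findings.append(f"{rt_id} in {here['VpcId']} has no route for {there['CidrBlock']} via {pcx_id}")
    return findings


# ---- constructed sample data (IDs are placeholders) ----
PCX = {
    "VpcPeeringConnectionId": "pcx-0a1b2c3d4e5f67890",
    "Status": {"Code": "active"},
    "RequesterVpcInfo": {"VpcId": "vpc-0aaaaaaaaaaaaaaaa", "CidrBlock": "10.0.0.0/16"},
    "AccepterVpcInfo": {"VpcId": "vpc-0bbbbbbbbbbbbbbbb", "CidrBlock": "10.1.0.0/16"},
}
ROUTE_TABLES = [
    {"RouteTableId": "rtb-0aaa", "VpcId": "vpc-0aaaaaaaaaaaaaaaa", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "10.1.0.0/16", "VpcPeeringConnectionId": "pcx-0a1b2c3d4e5f67890",
         "State": "active"}]},
    {"RouteTableId": "rtb-0bbb", "VpcId": "vpc-0bbbbbbbbbbbbbbbb", "Routes": [
        {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"}]},
]
# A request between overlapping CIDRs never becomes active.
OVERLAPPING_PCX = dict(PCX, VpcPeeringConnectionId="pcx-0ffffffffffffffff", Status={"Code": "failed"},
                       AccepterVpcInfo={"VpcId": "vpc-0ccccccccccccccccc", "CidrBlock": "10.0.128.0/17"})

if __name__ == "__main__":
    print(check_peering(PCX, ROUTE_TABLES) or "ok")
    print(check_peering(OVERLAPPING_PCX, []) or "ok")
```

In the sample, vpc‑0bbb… still has only its local route, so packets from the requester arrive but replies have nowhere to go; that asymmetric case is the one this check is really for. Even with both routes in place, security groups must permit the traffic (within a region, a rule can reference the peer VPC's security group ID).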

AWS PrivateLink Basics

PrivateLink exposes a specific service, fronted on the provider side by a Network Load Balancer or Gateway Load Balancer, via interface endpoints in consumer VPCs. Traffic uses private IPs, overlapping CIDRs are not a problem, and consumers get no general network access into the provider VPC.

Choosing Between Them

Need many resources to talk both ways? Think peering. Need to expose just one service to many VPCs or accounts? Think PrivateLink.

Choosing Between VPC Peering and PrivateLink

Example 1: Shared Services VPC

Multiple app VPCs need broad, bidirectional access to a central VPC with AD, logging, and tools. VPC peering (or TGW) fits this pattern.

Why Not PrivateLink Here?

PrivateLink is service‑oriented. You would need many endpoint services and endpoints, which is complex for general shared services access.

Example 2: Internal SaaS API

A billing API in one VPC must be safely consumed by many VPCs across accounts, without exposing the provider VPC network. This screams PrivateLink.

Visual Mental Model

Peering: big network pipe between VPCs. PrivateLink: small, focused pipes from many VPCs into a single, well‑defined service.

Site‑to‑Site VPN: Secure Tunnels Over the Internet

What Is Site‑to‑Site VPN?

AWS Site‑to‑Site VPN uses IPsec tunnels over the public internet to connect your on‑premises network to a VPC securely.

Key Components

Customer gateway on your side, virtual private gateway or Transit Gateway on AWS, and a VPN connection with two redundant IPsec tunnels.

Security and Performance

Traffic is encrypted with IPsec but travels over the internet, so latency and bandwidth can vary and are not guaranteed. Each tunnel is also capped at roughly 1.25 Gbps; for more throughput, terminate on a Transit Gateway and spread traffic across several tunnels with ECMP.

When to Use It

Ideal for quick, cost‑effective hybrid connectivity, smaller bandwidth needs, or as a backup link alongside Direct Connect.
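The two tunnels only give you redundancy if both are up, and the IKE/IPsec proposals AWS accepts from your customer gateway are configurable per tunnel. This added example (not from the original page) audits one connection for both: it flags a connection with fewer than two tunnels UP, an UP tunnel whose BGP session has accepted no routes, and tunnel options that still allow IKEv1, SHA1 integrity or Diffie‑Hellman group 2. The input is constructed in the shape of one entry from boto3's ec2.describe_vpn_connections() response; the connection ID and outside IPs (from the TEST‑NET‑3 documentation range) are placeholders.

```python
"""Audit an AWS Site-to-Site VPN connection for redundancy and IKE/IPsec hygiene.

Input is a constructed dict in the shape of one entry from
ec2.describe_vpn_connections()["VpnConnections"]. The TunnelOptions lists are
the proposals AWS will accept from the customer gateway; VgwTelemetry is the
live state of each tunnel.
"""

WEAK_IKE = {"ikev1"}
WEAK_INTEGRITY = {"SHA1"}
MIN_DH_GROUP = 14  # group 2 (1024-bit MODP) is below current guidance


def tunnel_findings(index, opts):
    """Weak proposals still enabled on one tunnel's options."""
    label = f"tunnel {index} ({opts.get('OutsideIpAddress', '?')})"
    out = []
    ike = {v["Value"] for v in opts.get("IkeVersions", [])}
    if ike & WEAK_IKE:
        out.append(f"{label} still accepts IKEv1")
    for phase in ("Phase1", "Phase2"):
        integrity = {v["Value"] for v in opts.get(f"{phase}IntegrityAlgorithms", [])}
        if integrity & WEAK_INTEGRITY:
            out.append(f"{label} accepts SHA1 for {phase} integrity")
        groups = {v["Value"] for v in opts.get(f"{phase}DHGroupNumbers", [])}
        weak = sorted(g for g in groups if g < MIN_DH_GROUP)
        if weak:
            out.append(f"{label} accepts weak DH group(s) {weak} for {phase}")
    return out


def audit_vpn(conn):
    """Return findings for one VPN connection; empty means redundant and hardened."""
    findings = []
    telemetry = conn.get("VgwTelemetry", [])
    up = [t for t in telemetry if t.get("Status") == "UP"]
    if len(up) < 2:
        findings.append(f"{conn['VpnConnectionId']}: only {len(up)} of {len(telemetry)} tunnels UP, no redundancy")
    dynamic = not conn.get("Options", {}).get("StaticRoutesOnly", False)
    for t in up:
        # With BGP, an UP tunnel that has accepted no routes carries no traffic.
        if dynamic and t.get("AcceptedRouteCount") == 0:
            findings.append(f"tunnel {t['OutsideIpAddress']} is UP but BGP has accepted no routes")
    for i, opts in enumerate(conn.get("Options", {}).get("TunnelOptions", []), start=1):
        findings.extend(tunnel_findings(i, opts))
    return findings


def _opts(ike, integrity, dh_groups, outside_ip):
    """Build one TunnelOptions entry in the describe_vpn_connections shape (sample data)."""
    return {
        "OutsideIpAddress": outside_ip,
        "IkeVersions": [{"Value": v} for v in ike],
        "Phase1IntegrityAlgorithms": [{"Value": v} for v in integrity],
        "Phase2IntegrityAlgorithms": [{"Value": v} for v in integrity],
        "Phase1DHGroupNumbers": [{"Value": g} for g in dh_groups],
        "Phase2DHGroupNumbers": [{"Value": g} for g in dh_groups],
    }


# ---- constructed sample data (IDs and addresses are placeholders) ----
WEAK_CONN = {
    "VpnConnectionId": "vpn-0123456789abcdef0",
    "State": "available",
    "Options": {"StaticRoutesOnly": False, "TunnelOptions": [
        _opts(["ikev1", "ikev2"], ["SHA1", "SHA2-256"], [2, 14], "203.0.113.10"),
        _opts(["ikev2"], ["SHA2-256"], [14, 20], "203.0.113.11")]},
    "VgwTelemetry": [
        {"OutsideIpAddress": "203.0.113.10", "Status": "UP", "AcceptedRouteCount": 3},
        {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN", "AcceptedRouteCount": 0}],
}
HARDENED_CONN = {
    "VpnConnectionId": "vpn-0fedcba9876543210",
    "State": "available",
    "Options": {"StaticRoutesOnly": False, "TunnelOptions": [
        _opts(["ikev2"], ["SHA2-256"], [14, 20], "203.0.113.20"),
        _opts(["ikev2"], ["SHA2-256"], [14, 20], "203.0.113.21")]},
    "VgwTelemetry": [
        {"OutsideIpAddress": "203.0.113.20", "Status": "UP", "AcceptedRouteCount": 3},
        {"OutsideIpAddress": "203.0.113.21", "Status": "UP", "AcceptedRouteCount": 3}],
}

if __name__ == "__main__":
    for conn in (WEAK_CONN, HARDENED_CONN):
        print(conn["VpnConnectionId"], audit_vpn(conn) or "ok")
```

Tightening the accepted proposals on the AWS side (modify‑vpn‑tunnel‑options) only helps if the customer gateway is configured to match; the second tunnel in WEAK_CONN shows the target state. For ongoing monitoring, the same "tunnels UP" condition is available as the TunnelState CloudWatch metric.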

AWS Direct Connect: Private, High‑Bandwidth Hybrid Links

What Is Direct Connect?

AWS Direct Connect is a dedicated network link from your data center to AWS, bypassing the public internet for more consistent performance.

How It Connects

You get a dedicated or hosted connection, then create virtual interfaces: a private VIF to a virtual private gateway, a transit VIF to a Transit Gateway (through a Direct Connect gateway), or a public VIF for public AWS endpoints such as S3.

Encryption Considerations

DX is private but not inherently encrypted. Use TLS at the application layer, run an IPsec Site‑to‑Site VPN over DX (through a public VIF, or a private IP VPN over a transit VIF), or, on dedicated 10/100 Gbps connections, enable MACsec for layer‑2 encryption.

DX vs VPN Trade‑offs

DX offers higher, more stable bandwidth and lower latency but costs more and takes longer to provision than internet‑based VPN.

Thought Exercise: Picking the Right Hybrid Connectivity

Use these short scenarios to practice deciding between Site‑to‑Site VPN, Direct Connect, or a combination. Think in terms of security, performance, and cost.

  1. Startup analytics platform
  • Needs to connect a small on‑prem database to AWS for nightly ETL jobs.
  • Data volume is moderate; budget is tight.
  • They need encryption in transit but can tolerate some latency variation.
  2. Financial trading firm
  • Needs sub‑10 ms latency between on‑prem trading systems and AWS.
  • Bandwidth needs are high and steady.
  • Strong regulation around protecting data in transit.
  3. Enterprise backup strategy
  • Large enterprise wants to back up multiple data centers to S3.
  • They already have one Direct Connect link for production workloads.
  • They want a resilient design if the DX link fails.

Pause and decide for each:

  • Would you use VPN only, Direct Connect only, or DX + VPN?
  • Would you also enforce TLS at the application layer?

Then check suggested answers:

  1. Startup: Site‑to‑Site VPN only, plus TLS for app/database connections. Internet‑based but encrypted and cheap.
  2. Trading firm: Direct Connect + VPN (for IPsec encryption) + TLS at the app layer. DX meets the latency requirement and VPN ensures encryption in transit. Watch the tunnel throughput cap (about 1.25 Gbps per tunnel): with high, steady bandwidth you may need ECMP across several tunnels on a Transit Gateway, or MACsec on a dedicated connection, rather than a single VPN tunnel.
  3. Enterprise backup: Primary Direct Connect for throughput, plus Site‑to‑Site VPN as a failover path. Continue to use TLS (for example, HTTPS to S3) on top.

Quiz 1: Data in Transit Basics

Test your understanding of TLS and private connectivity options.

You are designing a connection between two VPCs in the same region. The application teams need full, bidirectional network access between many subnets in both VPCs. They do NOT want to expose these VPCs to the internet, and they do not need to limit access to a single service. Which option is the BEST fit?

  A) AWS PrivateLink with an interface endpoint in each VPC
  B) VPC peering between the two VPCs, with appropriate route table updates
  C) AWS Direct Connect from each VPC to your on‑premises data center
  D) A Site‑to‑Site VPN connection between the two VPCs over the internet

Answer: B) VPC peering between the two VPCs, with appropriate route table updates

VPC peering is designed for private, bidirectional connectivity between VPCs using the AWS network. It provides network‑level access between CIDR blocks without going over the public internet. PrivateLink is for exposing specific services, not general VPC connectivity. Direct Connect and Site‑to‑Site VPN are for hybrid (on‑prem to AWS), not VPC‑to‑VPC in the same region.

Quiz 2: Hybrid Connectivity Design

Check your reasoning about VPN, Direct Connect, and encryption.

A healthcare company must replicate sensitive patient data from on‑premises to an Amazon RDS database in a VPC. They require encryption in transit and consistent low latency. They already have an existing 1 Gbps Direct Connect link. What is the MOST appropriate design?

  A) Use the existing Direct Connect link only; Direct Connect always encrypts traffic by default
  B) Create a Site‑to‑Site VPN over the internet and stop using Direct Connect
  C) Use the existing Direct Connect link and configure an IPsec VPN over Direct Connect, plus TLS for the database connection
  D) Rely only on TLS for the database connection over Direct Connect; IPsec is not supported with Direct Connect

Answer: C) Use the existing Direct Connect link and configure an IPsec VPN over Direct Connect, plus TLS for the database connection

Direct Connect provides a private path but does not encrypt traffic by default. For sensitive healthcare data, combining Direct Connect with IPsec VPN (VPN over DX) provides both consistent performance and encryption in transit. You should still use TLS for the RDS connection. Option A is incorrect because DX is not inherently encrypted; option B loses the performance benefits of DX; option D is wrong because IPsec is supported via VPN over DX.

Key Terms Review: Data in Transit and Connectivity

Review these terms to reinforce core terminology before moving on.

Data in transit
Data that is actively moving from one location to another, such as across the internet, within a VPC, or between on‑premises and AWS.
TLS/SSL
A cryptographic protocol that provides confidentiality, integrity, and authentication for data in transit. Modern implementations use TLS; SSL is the older term still seen in labels.
VPC peering
A networking connection between two VPCs that enables private routing of traffic using IPv4 or IPv6 addresses. It is non‑transitive and provides broad VPC‑level connectivity.
AWS PrivateLink
A technology that provides private connectivity between VPCs, AWS services, and on‑premises networks by exposing specific services via interface endpoints using private IPs.
Site‑to‑Site VPN
An IPsec VPN connection between your on‑premises network and your AWS VPC (via a virtual private gateway or Transit Gateway) over the public internet.
AWS Direct Connect
A dedicated network connection from your premises to AWS that bypasses the public internet, offering more consistent performance but not automatic encryption.
AWS shared responsibility model
The AWS shared responsibility model describes how AWS is responsible for security of the cloud, while customers are responsible for security in the cloud, including the configuration of their services and data.
AWS Well‑Architected Framework
The AWS Well‑Architected Framework provides a consistent set of best practices for customers and partners to evaluate architectures, and a set of questions you can use to evaluate how well an architecture is aligned to AWS best practices.
Security pillar (Well‑Architected)
The security pillar describes how to take advantage of cloud technologies to protect data, systems, and assets in a way that can improve your security posture.
End‑to‑end encryption in AWS web apps
A design where traffic is encrypted from client to edge (CloudFront/ALB) and re‑encrypted on every hop to the backend (for example, ALB to EC2 or RDS) using TLS.

Aligning Data in Transit Protection with the Well‑Architected Framework

Well‑Architected Pillars

Six pillars: Operational excellence, Security, Reliability, Performance efficiency, Cost optimization, Sustainability. All apply to connectivity.

Security Pillar Focus

Encryption in transit, certificate management, and secure hybrid links are core Security pillar practices you must design correctly.

Other Pillars in Play

Reliability (redundant VPN/DX), Performance efficiency (DX vs VPN), Cost optimization (when DX is justified), Ops excellence and Sustainability.

Using Pillars as a Hint

In exam scenarios, words like security, latency, cost, or resilience point to the pillar being tested and the likely best connectivity option.

Key Terms

Transit Gateway (TGW)
A hub service that connects VPCs and on‑premises networks via VPN or Direct Connect, simplifying complex network topologies.
Customer gateway (CGW)
The on‑premises side of an AWS Site‑to‑Site VPN connection, typically a router or firewall, represented in AWS as a resource with configuration details.
AWS Certificate Manager (ACM)
A managed service that lets you provision, manage, and deploy public and private TLS certificates for use with AWS services and your internal resources.
Virtual private gateway (VGW)
The AWS side of a Site‑to‑Site VPN or Direct Connect private virtual interface that you attach to a VPC to allow hybrid connectivity.
