
Chapter 6 of 26

Advanced VPC Design: Hybrid Connectivity, PrivateLink, and Edge Security

Complex architectures often span on-premises networks, multiple VPCs, and the public internet. This module unpacks hybrid connectivity options and edge protections that show up in scenario-style exam questions.


Big Picture: Why Advanced VPC Design Matters

From Single VPC to Real Architectures

Real AWS workloads rarely live in a single isolated VPC. They must connect to other VPCs, on-prem networks, AWS services, and the internet while staying secure and reliable.

Key Building Blocks

We will use VPC peering and AWS Transit Gateway for VPC-to-VPC, VPN and Direct Connect for hybrid, PrivateLink for private service access, and WAF/Shield with Route 53 for edge security and DNS.

Well-Architected Context

Design choices here strongly affect the Security and Reliability pillars. The exam expects you to pick the simplest option that still meets security, availability, and cost requirements.

VPC Peering vs AWS Transit Gateway: Core Concepts

VPC Peering Basics

VPC peering is a private, one-to-one connection between two VPCs (same or different Region or account) whose CIDR blocks do not overlap. It is non-transitive: a VPC peered to two others does not forward traffic between them, so you cannot reach a third VPC by routing through a peer.

Transit Gateway Basics

AWS Transit Gateway is a central hub that connects many VPCs and on-prem networks. It supports transitive routing via TGW route tables.

Choosing on the Exam

Few VPCs and simple needs? Prefer VPC peering. Many VPCs, transitive routing, or centralized hybrid connectivity? Prefer Transit Gateway.

Designing Multi-VPC Connectivity: Worked Scenarios

Scenario 1: Two VPCs

App VPC needs private access to a DB VPC in the same Region. Confirm the two CIDRs do not overlap, create and accept the peering connection, add a route in each VPC’s route table that sends the peer’s CIDR to the peering connection, and open the DB security group to the app tier (in same-Region peering the rule can reference the app security group directly instead of a CIDR).

Scenario 2: Many VPCs + On-Prem

Ten+ VPCs across accounts plus a data center need controlled, transitive connectivity. Attach them all to one Transit Gateway (shared to the other accounts with AWS Resource Access Manager) and control which attachments can reach which with TGW route tables, for example a separate route table for the on-prem attachment so that spoke VPCs can reach the data center but not each other.

Key Takeaway

If the design mentions many VPCs, centralized inspection, or shared on-prem connectivity, think Transit Gateway rather than a mesh of peering connections.
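The routing difference behind that takeaway, modelled as an added example (this is my illustration, not code from the course): VPC route tables are reduced to longest-prefix match with three kinds of target (the implicit local route, a peering connection, or a Transit Gateway), and all VPC names, CIDRs and IDs are constructed. It shows that a route pointing a third VPC's CIDR at a peering connection is accepted but the traffic is dropped, while the same traffic is delivered through a Transit Gateway because the hub performs its own lookup.

```python
"""Added example: why VPC peering is non-transitive and a Transit Gateway is not.

Route tables are modelled as longest-prefix-match lists; every VPC name, CIDR
and identifier here is constructed for the demonstration.
"""
import ipaddress


class Vpc:
    def __init__(self, name, cidr):
        self.name = name
        self.cidr = ipaddress.ip_network(cidr)
        self.routes = [(self.cidr, "local")]   # every VPC route table has the implicit local route

    def add_route(self, dest, target):
        self.routes.append((ipaddress.ip_network(dest), target))

    def lookup(self, dst_ip):
        """Longest-prefix match, as the VPC router does; None means no route."""
        ip = ipaddress.ip_address(dst_ip)
        hits = [(net, tgt) for net, tgt in self.routes if ip in net]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


class TransitGateway:
    """Hub with its own route table; attachments propagate their CIDRs into it."""

    def __init__(self):
        self.route_table = []

    def attach(self, vpc, spoke_summary="10.0.0.0/8"):
        self.route_table.append((vpc.cidr, vpc))      # propagated route
        vpc.add_route(spoke_summary, self)             # spoke sends non-local traffic to the hub

    def lookup(self, dst_ip):
        ip = ipaddress.ip_address(dst_ip)
        hits = [(net, v) for net, v in self.route_table if ip in net]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def can_peer(a, b):
    """AWS refuses a peering between VPCs whose CIDR blocks overlap."""
    return not a.cidr.overlaps(b.cidr)


def create_peering(a, b):
    if not can_peer(a, b):
        raise ValueError(f"overlapping CIDRs: {a.cidr} and {b.cidr}")
    pcx = f"pcx-{a.name}-{b.name}"
    a.add_route(b.cidr, (pcx, b))   # a route is needed on BOTH sides
    b.add_route(a.cidr, (pcx, a))
    return pcx


def trace(src, dst_ip):
    """Return the hops a packet takes from src towards dst_ip, ending in a verdict."""
    ip = ipaddress.ip_address(dst_ip)
    target = src.lookup(dst_ip)
    if target is None:
        return [src.name, "no route"]
    if target == "local":
        return [src.name, "delivered"]
    if isinstance(target, TransitGateway):
        nxt = target.lookup(dst_ip)          # the hub does its own lookup: transitive
        if nxt is None:
            return [src.name, "tgw", "blackhole"]
        return [src.name, "tgw", nxt.name, "delivered"]
    pcx, peer = target                        # a peering delivers only into the peer VPC itself
    if ip in peer.cidr:
        return [src.name, pcx, peer.name, "delivered"]
    return [src.name, pcx, peer.name, "dropped: peering is non-transitive"]


def peering_topology():
    app, db, shared = Vpc("app", "10.0.0.0/16"), Vpc("db", "10.1.0.0/16"), Vpc("shared", "10.2.0.0/16")
    create_peering(app, db)
    create_peering(db, shared)
    # Mistaken attempt to reach "shared" by hopping through "db": the route is
    # accepted, but the peering drops traffic not addressed to the peer's own CIDR.
    app.add_route(shared.cidr, ("pcx-app-db", db))
    return app, db, shared


def tgw_topology():
    app, db, shared = Vpc("app", "10.0.0.0/16"), Vpc("db", "10.1.0.0/16"), Vpc("shared", "10.2.0.0/16")
    tgw = TransitGateway()
    for v in (app, db, shared):
        tgw.attach(v)
    return app, db, shared


if __name__ == "__main__":
    app, db, shared = peering_topology()
    print(trace(app, "10.1.0.10"))   # app -> db over the peering: delivered
    print(trace(app, "10.2.0.10"))   # app -> shared "via" db: dropped
    app, db, shared = tgw_topology()
    print(trace(app, "10.2.0.10"))   # app -> shared through the TGW: delivered
```

The single hub route table here is the simplest TGW layout; the segmentation described in Scenario 2 comes from giving attachments different route tables, which in this model would mean a `TransitGateway` per segment with only the permitted CIDRs propagated into it.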

Hybrid Connectivity: Site-to-Site VPN vs AWS Direct Connect

Site-to-Site VPN

Site-to-Site VPN is IPsec over the public internet; each connection provides two tunnels that terminate on separate AWS endpoints for redundancy. It is encrypted, quick to deploy, and lower cost, but latency and throughput vary with internet conditions.

AWS Direct Connect

Direct Connect is a dedicated network link from your premises to AWS. It offers predictable latency and high bandwidth but takes longer to provision and costs more. Direct Connect traffic is not encrypted by default: if a requirement says encryption in transit, run a Site-to-Site VPN over the connection or use MACsec on a supported dedicated connection.

Choosing on the Exam

Short setup, low cost, encrypted? Choose VPN. Need consistent performance or large data transfer? Choose Direct Connect. Need DX plus encryption, or a backup path if DX fails? Combine DX with a VPN.

Thought Exercise: Picking Hybrid Options

Work through these scenarios and decide which hybrid option fits best. Think about latency, bandwidth, cost, and encryption.

Scenario A

A small startup wants to extend its on-prem lab network to a single AWS VPC to test migrating a few workloads. They need encryption but have no strict latency or throughput requirements. They want something they can set up this week.

  • Which do you choose: Site-to-Site VPN, Direct Connect, or both?
  • Why is the other option less suitable?

Pause and answer before reading on.

Suggested reasoning:

  • Site-to-Site VPN is ideal: quick deployment, low cost, built-in encryption.
  • Direct Connect would be overkill: higher cost, longer lead time, and not needed for a lab.

Scenario B

A media company must continuously transfer terabytes of video files from its data center to S3 for processing. They complain about variable upload speeds and missed processing windows.

  • Which do you choose now: Site-to-Site VPN, Direct Connect, or both?
  • How would you improve reliability and security?

Suggested reasoning:

  • Use Direct Connect for consistent, high-bandwidth transfer.
  • Optionally run a Site-to-Site VPN over DX for encryption, or keep a separate internet-based Site-to-Site VPN as a failover path.

Scenario C

An enterprise already uses Direct Connect but wants automatic failover if DX goes down.

  • What simple addition improves resilience?

Hint: Add a Site-to-Site VPN as a backup path and advertise the same prefixes over both links. AWS prefers a Direct Connect path over a VPN path for the same prefix, so BGP fails over to the VPN when the DX link goes down and returns to DX when it comes back.

AWS PrivateLink and Interface Endpoints

What is PrivateLink?

AWS PrivateLink uses interface VPC endpoints (ENIs with private IPs) to connect your VPC privately to supported AWS, partner, or your own services without using the public internet.

Gateway vs Interface Endpoints

Gateway endpoints exist only for S3 and DynamoDB: they are targets in your route tables, have no ENI or security group, and are free. Interface endpoints (PrivateLink) are ENIs in your subnets for most other AWS services and for partner services; they are filtered by security groups, billed hourly and per GB, and, unlike gateway endpoints, reachable from on-prem over VPN or Direct Connect (S3 also offers an interface endpoint for that case). Both kinds accept an endpoint policy that limits what the endpoint may be used for.

PrivateLink vs NAT Gateway

A NAT gateway sends traffic out through the internet gateway to the services’ public endpoints, even for AWS services, and charges per GB. If a requirement says no internet or no public IPs, choose PrivateLink or gateway endpoints instead of NAT.

Private Access Patterns: S3, Internal APIs, and Partners

Pattern 1: S3 Without NAT

Use a gateway VPC endpoint for S3 so private instances can reach S3 without an internet gateway or NAT, keeping traffic on the AWS network. Restrict it with an endpoint policy that names only the buckets the workload needs, and add a bucket policy that denies requests whose aws:SourceVpce is not that endpoint, so the bucket cannot be reached by any other path.
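The S3-without-NAT pattern is only as strong as the policies around the endpoint. As an added example (my code, not the course’s; the endpoint ID, bucket name and role policy are constructed), here is a small evaluator for the IAM rules those policies rely on: explicit Deny beats Allow, and a StringNotEquals condition on an absent aws:SourceVpce key evaluates true, which is what lets the bucket-policy Deny catch requests arriving via NAT or the internet.

```python
"""Added example: S3 access pinned to one gateway VPC endpoint.

A minimal evaluator for the three policy documents behind the pattern: the
endpoint policy (what the endpoint may be used for), the caller's identity
policy, and a bucket policy whose Deny matches any request NOT arriving through
our endpoint. Principal elements are ignored by this evaluator. The endpoint ID
and bucket name are constructed, not real.
"""
import fnmatch

VPCE_ID = "vpce-0123456789abcdef0"          # assumed ID of our S3 gateway endpoint
BUCKET = "arn:aws:s3:::example-private-data"

# Attached to the gateway endpoint: instances may use it only for our bucket,
# which stops exfiltration to arbitrary buckets over the same endpoint.
ENDPOINT_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
    "Resource": [BUCKET, BUCKET + "/*"],
}]}

# The workload role's identity policy.
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
    "Resource": [BUCKET, BUCKET + "/*"],
}]}

# Bucket policy: explicit Deny unless the request carries our endpoint ID.
# aws:SourceVpce is absent for requests via NAT or the internet, and
# StringNotEquals on an absent key evaluates TRUE, so those are denied.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyUnlessViaOurEndpoint",
    "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": [BUCKET, BUCKET + "/*"],
    "Condition": {"StringNotEquals": {"aws:SourceVpce": VPCE_ID}},
}]}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _matches(patterns, value):
    """IAM-style wildcard match for Action and Resource elements."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            actual, expected = ctx.get(key), _as_list(expected)
            if operator == "StringEquals" and actual not in expected:
                return False                 # absent key never satisfies StringEquals
            if operator == "StringNotEquals" and actual in expected:
                return False                 # absent key (None) is "not equal": Deny applies
    return True


def evaluate(policies, action, resource, ctx):
    """Explicit Deny wins; otherwise any matching Allow; otherwise implicit deny."""
    verdict = "implicit-deny"
    for policy in policies:
        for st in policy["Statement"]:
            if not (_matches(st["Action"], action) and _matches(st["Resource"], resource)):
                continue
            if not _condition_holds(st.get("Condition", {}), ctx):
                continue
            if st["Effect"] == "Deny":
                return "explicit-deny"
            verdict = "allow"
    return verdict


def decide(action, resource, via_vpce=None):
    """Decision for one request, given which VPC endpoint (if any) it arrived through."""
    ctx = {"aws:SourceVpce": via_vpce} if via_vpce else {}
    # The endpoint policy is only consulted for traffic that actually traverses our endpoint.
    if via_vpce == VPCE_ID and evaluate([ENDPOINT_POLICY], action, resource, ctx) != "allow":
        return "denied-by-endpoint-policy"
    final = evaluate([IDENTITY_POLICY, BUCKET_POLICY], action, resource, ctx)
    return "allow" if final == "allow" else "denied"


if __name__ == "__main__":
    obj = BUCKET + "/report.csv"
    print(decide("s3:GetObject", obj, via_vpce=VPCE_ID))   # allow
    print(decide("s3:GetObject", obj))                      # denied: NAT or internet path
    print(decide("s3:PutObject", "arn:aws:s3:::attacker-bucket/x", via_vpce=VPCE_ID))  # denied-by-endpoint-policy
```

Two caveats a practitioner should keep in mind: this bucket policy also locks out administrators who use the console or CLI from outside the VPC, so carve out a break-glass exception (for example on aws:PrincipalArn) before applying it; and the endpoint policy does not authenticate anyone, it only narrows what the endpoint can be used for, so identity policies still do the real authorization.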

Pattern 2: Internal Shared Service

Put the service behind a Network Load Balancer in the provider VPC, register the NLB as a VPC endpoint service, and allow the consumer accounts to connect; each consumer VPC then creates an interface endpoint to consume it privately. Because PrivateLink presents the service as a local ENI, overlapping CIDRs between provider and consumer VPCs are not a problem, and consumers can only initiate connections to that service, not to anything else in the provider VPC.

Pattern 3: SaaS via PrivateLink

For a SaaS vendor that supports PrivateLink, create an interface endpoint to their service and send traffic to the endpoint’s private DNS.

Edge Security: AWS WAF and AWS Shield

AWS WAF

AWS WAF is a web application firewall that attaches to CloudFront, ALB, API Gateway, and AppSync to block or allow HTTP(S) requests based on rules.

AWS Shield

AWS Shield provides DDoS protection. Shield Standard is always on at no extra cost; Shield Advanced adds stronger protections and support for critical workloads.

Edge Design Pattern

Common pattern: users → CloudFront + WAF → ALB or API Gateway → VPC. Shield Standard protects at the edge; WAF filters application-layer traffic. Make sure the ALB accepts traffic only from CloudFront (for example, limit its security group to the CloudFront origin-facing managed prefix list, or check a secret custom origin header in a WAF rule on the ALB); otherwise an attacker who discovers the ALB hostname bypasses CloudFront and the WAF in front of it.

Route 53 and VPC DNS: Public vs Private Zones

Public Hosted Zones

Public hosted zones in Route 53 hold DNS records for internet-facing domains. They usually point to CloudFront, ALBs, or API Gateway endpoints.

Private Hosted Zones

Private hosted zones are only resolvable from associated VPCs. They are ideal for internal names and multi-VPC service discovery.

DNS Resolver and PrivateLink

The VPC DNS resolver plus private hosted zones and PrivateLink private DNS let workloads use friendly names while keeping traffic inside AWS networks.

Quiz 1: Connectivity and PrivateLink

Check your understanding of VPC connectivity and PrivateLink.

Your company has 12 VPCs across multiple AWS accounts. They need transitive connectivity between these VPCs and a shared on-prem data center, plus the ability to centrally inspect traffic in a security VPC. Which design is MOST appropriate?

  1. Create VPC peering connections between every pair of VPCs and a separate VPN to each VPC from on-prem.
  2. Use AWS Transit Gateway, attach all VPCs and a single VPN or Direct Connect from on-prem, and route traffic through a security VPC where needed.
  3. Use a single VPC as a shared services VPC and connect all other VPCs via AWS PrivateLink interface endpoints.
  4. Place all resources into one large VPC to avoid cross-VPC networking complexity.

Answer: 2) Use AWS Transit Gateway, attach all VPCs and a single VPN or Direct Connect from on-prem, and route traffic through a security VPC where needed.

AWS Transit Gateway is designed for hub-and-spoke, transitive connectivity at scale. Attaching all VPCs and a single hybrid link to the TGW lets you centralize routing and inspection via a security VPC. A full mesh of VPC peering (option 1) does not scale and still lacks easy central inspection. PrivateLink (option 3) is for service consumption, not general VPC-to-VPC routing. Consolidating into one VPC (option 4) contradicts multi-account, multi-VPC best practices for isolation and governance.

Quiz 2: Edge Security and DNS

Test your knowledge of edge security and Route 53.

A public API is exposed via an Application Load Balancer. The security team wants to block common web exploits (like SQL injection) and limit requests from specific countries. They also want basic DDoS protection without extra cost. Which combination BEST meets these requirements?

  1. Enable AWS Shield Advanced on the ALB and create custom NACL rules on the subnets.
  2. Place the ALB behind a CloudFront distribution, attach an AWS WAF web ACL with appropriate rules, and rely on AWS Shield Standard.
  3. Use a Network Load Balancer instead of ALB and configure security groups to block SQL injection and DDoS.
  4. Host the API on EC2 with public IPs and configure OS firewalls to filter requests.

Answer: 2) Place the ALB behind a CloudFront distribution, attach an AWS WAF web ACL with appropriate rules, and rely on AWS Shield Standard.

CloudFront plus AWS WAF provides Layer 7 filtering for SQL injection, XSS, and geo-based restrictions. AWS Shield Standard automatically protects CloudFront and the ALB from common DDoS attacks at no extra cost. Shield Advanced (option 1) is paid and NACLs cannot inspect HTTP payloads. Security groups and OS firewalls (options 3 and 4) cannot perform deep application-layer inspection like WAF managed rules.

Key Term Review

Review these terms to reinforce the core concepts from this module.

VPC peering
A non-transitive, one-to-one private connection between two VPCs that enables routing of traffic using private IPs over the AWS network.
AWS Transit Gateway
A regional networking hub that connects VPCs and on-prem networks using a hub-and-spoke model with transitive routing controlled by Transit Gateway route tables.
AWS Site-to-Site VPN
An IPSec VPN connection over the public internet between your on-premises network and AWS, providing encrypted connectivity with variable latency and throughput.
AWS Direct Connect
A dedicated physical network connection from your premises to AWS that offers more consistent network performance and higher bandwidth than typical internet-based connections.
AWS PrivateLink
A technology that provides private connectivity between VPCs and supported AWS, partner, or customer services using interface VPC endpoints without exposing traffic to the public internet.
Interface VPC endpoint
An elastic network interface with a private IP in your subnet that acts as an entry point to a supported AWS or PrivateLink service.
Gateway VPC endpoint
A gateway that you specify as a target in your route table for traffic destined to S3 or DynamoDB, enabling private access without using an internet gateway or NAT.
AWS WAF
A web application firewall that helps protect web applications from common exploits by letting you create rules that control HTTP and HTTPS requests.
AWS Shield Standard
A managed DDoS protection service that is automatically included at no extra cost to protect AWS resources like CloudFront and Route 53 from most common network and transport layer DDoS attacks.
Route 53 private hosted zone
A DNS zone that is only resolvable from associated VPCs, used for internal domain names and service discovery within and across VPCs.
Private DNS for interface endpoints
A feature that maps standard AWS service hostnames to the private IP addresses of interface VPC endpoints within a VPC, keeping traffic on private connectivity.

