AWS Direct Connect: A Deep Dive for the SAP-C02 Exam

AWS Direct Connect Features

AWS Direct Connect provides a dedicated network connection from your on-premises infrastructure to AWS. The key features include:

If your requirement has shifted from “private connectivity into AWS” to “AWS-managed private connectivity between AWS and another cloud or from a remote site over a partner network,” read the newer guide to AWS Interconnect for multicloud and last-mile designs. Direct Connect is still the base attachment model in many of those architectures, but the operational workflow is different.

1. High Bandwidth and Low Latency: AWS Direct Connect supports connection speeds up to 400 Gbps, suitable for applications that need high data transfer rates with low latency[2].
2. Secure Connections: MACsec and IPsec encryption options protect data transfer between your on-premises network and AWS[2].
3. Worldwide Locations: Direct Connect is available at many global locations, letting you select the most convenient point for your connection[1][2].
4. SiteLink: This feature provides private connectivity between Direct Connect locations, creating a global network without routing traffic through AWS Regions[2].
5. Multiple Deployment Options: You can deploy Direct Connect using dedicated or hosted connections, depending on your requirements[2].
6. Integration with AWS Services: Direct Connect integrates with Amazon Virtual Private Cloud (VPC) and other AWS services, connecting seamlessly to your AWS resources[5].

Link Aggregation Groups (LAGs) combine multiple physical network connections into a single logical connection. This approach enhances network performance by increasing bandwidth, providing redundancy, and improving reliability. Here is a detailed look at LAGs:

Overview of Link Aggregation

Link aggregation bundles multiple network connections in parallel to create a single logical link. This technique is also known as port trunking, channel bonding, or NIC teaming. The primary benefits are:

• Increased Bandwidth: Aggregating multiple links provides more total bandwidth than a single link could offer.
• Redundancy and Reliability: If one link fails, the others continue carrying traffic, maintaining connectivity and reducing downtime.
• Improved Performance: Combined links allow better load balancing and resource utilization.

Implementation and Standards

Link aggregation uses vendor-specific and standard protocols. The most common standard is the Link Aggregation Control Protocol (LACP), defined in IEEE 802.1AX (formerly IEEE 802.3ad)[4][6]. LACP handles automatic configuration and management of aggregated links by sending control packets between devices to negotiate link bundling.

Key Features of LACP:

• Automatic Failover: LACP detects link failures and redistributes traffic across remaining links without manual intervention.
• Dynamic Configuration: Devices adjust link aggregation settings based on peer device capabilities.

Configuration Examples

Static vs. Dynamic Aggregation

• Static Aggregation: Manually configure links without LACP. This requires consistent configuration on both ends of the connection.
• Dynamic Aggregation with LACP: Uses LACP to manage link aggregation, automatically providing flexibility and resilience.

Load Balancing

Load balancing in LAGs uses hashing algorithms that distribute traffic based on source/destination MAC or IP addresses. This ensures efficient use of all aggregated links.

Use Cases

Link aggregation appears in various networking scenarios:

• Data Centers: Connect multiple servers or switches to enhance throughput and reliability.
• Network Backbones: Increase backbone capacity cost-effectively without replacing existing infrastructure.
• AWS Direct Connect: AWS uses LAGs to aggregate multiple connections at a single endpoint, simplifying management and increasing bandwidth for cloud services.

In short, Link Aggregation Groups provide increased bandwidth, redundancy, and improved performance by combining multiple physical connections into a single logical link.

Key Features of AWS Direct Connect Gateway

An AWS Direct Connect gateway is a globally available network device that connects AWS Direct Connect connections to Virtual Private Clouds (VPCs) across multiple AWS Regions. It acts as a central hub for connecting your on-premises network to AWS resources, letting you establish a single connection that multiple VPCs or VPNs can use.

• Global Connectivity: The Direct Connect gateway connects to VPCs in any AWS Region from a single Direct Connect location and supports AWS China Regions[]](https://docs.aws.amazon.com/directconnect/latest/UserGuide/direct-connect-gateways-intro.html).
• Association with Gateways: You can associate a Direct Connect gateway with a transit or virtual private gateway, enabling connectivity across multiple VPCs within the same Region or across different Regions[]](https://docs.aws.amazon.com/directconnect/latest/UserGuide/direct-connect-gateways-intro.html).
• Support for Virtual Interfaces (VIFs): The Direct Connect gateway supports private, public VIFs, and transit VIFs, which connect to VPCs.
• Simplified BGP Sessions: Instead of establishing separate Border Gateway Protocol (BGP) sessions for each VPC, you need only one BGP session with the Direct Connect gateway per location, simplifying network management.

A transit virtual interface (transit VIF) connects to one or more Amazon VPC Transit Gateways via a Direct Connect gateway. This setup connects multiple VPCs attached to a transit gateway, facilitating scalable network management across different AWS regions and accounts.

• Multi-Region VPC Connectivity: Using a Direct Connect gateway, you can connect your on-premises network to multiple VPCs spread across different AWS Regions without multiple physical connections[]](https://www.edge-cloud.net/2019/09/06/dx-gateway-deep-dive/).
• Integration with AWS Transit Gateway: The Direct Connect gateway works with an AWS Transit Gateway to facilitate cross-VPC and cross-region communication, providing a centralized routing hub for your network architecture[]](https://www.edge-cloud.net/2019/09/06/dx-gateway-deep-dive/).

Limitations

• No Transitive Routing: The Direct Connect gateway does not support transitive routing between associated gateways. Traffic cannot route directly between two virtual private gateways or between two transit gateways through the same Direct Connect gateway[]](https://www.edge-cloud.net/2019/09/06/dx-gateway-deep-dive/).

An exception to this rule was implemented in November 2021.

This exception applies when: a supernet is advertised across two or more VPCs, which have their attached virtual private gateways (VGWs) associated to the same Direct Connect gateway and on the same virtual interface. In this case, VPCs can communicate with each other via the Direct Connect endpoint.

This exception only applies to the specific scenario described. In most other cases, the general rule of no transitive routing still applies.

AWS documentation also warns that a Direct Connect gateway does not prevent traffic from being sent from one gateway association back to the gateway association itself (for example, when you have an on-premises supernet route that contains the prefixes from the gateway association).

If you have a configuration with multiple VPCs connected to transit gateways associated to the same Direct Connect gateway, the VPCs could potentially communicate. To prevent this, AWS recommends associating a route table with the VPC attachments that have the “blackhole” option set.

• CIDR Overlap Restrictions: When connecting VPCs through a Direct Connect gateway, ensure their CIDR blocks do not overlap, as this could cause routing issues.

What You Need to Know for the SAP-C02 Exam

For the AWS Certified Solutions Architect – Professional (SAP-C02) exam, understand these key aspects of AWS Direct Connect:

1. Designing Network Connectivity: Architect network connectivity strategies using AWS Direct Connect, considering bandwidth requirements, latency, and redundancy[7].
2. Security and Compliance: Implement security controls with Direct Connect, including encryption options and compliance with standards like PCI DSS[7].
3. Cost Optimization: Optimize costs using Direct Connect, understanding pricing models and data transfer costs[7].
4. Integration with Hybrid Architectures: Design hybrid architectures using Direct Connect alongside VPNs and AWS Transit Gateway[7].
5. Performance Considerations: Assess performance needs and design solutions that leverage Direct Connect for high availability and low latency[7].
6. Disaster Recovery and Business Continuity: Use Direct Connect in disaster recovery strategies to provide reliable and redundant connections[7].

Focus on these aspects to prepare for questions related to AWS Direct Connect on the SAP-C02 exam.

Question

Scenario-Based AWS Certified Solutions Architect – Professional Question

Domain: Design for Organizational Complexity

Scenario:

TechCorp, a multinational technology company, is migrating its on-premises data center to AWS. The company needs a secure and reliable network connection between its corporate offices and AWS resources. TechCorp’s key requirements include:

• High Bandwidth and Low Latency: The connection must support high data transfer rates with minimal latency for critical applications.
• Security: All data transferred between the corporate network and AWS must be secure.
• Redundancy and Reliability: The solution must ensure continuous connectivity, even if a failure occurs.
• Cost Efficiency: TechCorp wants to optimize costs while meeting its connectivity needs.

TechCorp plans to use AWS Direct Connect to establish a dedicated network connection to AWS.

Question:

Which architecture would best meet TechCorp’s requirements for connecting its corporate network to AWS?

A) Establish a single AWS Direct Connect connection with a VPN backup over the internet. Use BGP for dynamic routing and enable encryption on the VPN connection for security.

B) Deploy two AWS Direct Connect connections at different locations. Use Link Aggregation Groups (LAG) to combine them into a single logical connection for increased bandwidth and redundancy. Implement MACsec for encryption.

C) Set up multiple AWS Direct Connect connections simultaneously using LAG for increased bandwidth. Use the AWS Direct Connect Gateway to connect to multiple VPCs and enable MACsec encryption.

D) Use a single AWS Direct Connect connection with AWS Transit Gateway to manage connectivity across multiple VPCs. Implement a VPN backup and use IPsec for encryption over the Direct Connect link.

Explanation:

Correct Answer: B

• Two Direct Connections at Different Locations: Provides redundancy by ensuring connectivity continues through the other location if one fails.
• Link Aggregation Groups (LAG): Combines multiple connections into a single logical connection, increasing bandwidth and providing fault tolerance.
• MACsec Encryption: Provides layer two encryption, ensuring secure data transfer over the Direct Connect link and meeting security requirements.

Incorrect Options:

• Option A: While it provides a VPN backup, a single Direct Connect connection does not offer sufficient redundancy in case of failure.
• Option C: Using multiple connections at the same location does not provide geographic redundancy, which is important for reliability.
• Option D: Although it uses Transit Gateway for VPC management, a single Direct Connect connection lacks redundancy. Additionally, IPsec is not typically used directly over Direct Connect; MACsec is preferred for layer two encryption.

Citations:
[1] https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html
[2] https://aws.amazon.com/directconnect/features/
[3] https://tutorialsdojo.com/aws-direct-connect/
[4] https://www.coresite.com/cloud-networking/aws-direct-connect
[5] https://aws.amazon.com/directconnect/faqs/
[6] https://aws.amazon.com/certification/certified-solutions-architect-professional/?ch=sec&d=1&sec=rmg
[7] https://d1.awsstatic.com/training-and-certification/docs-sa-pro/AWS-Certified-Solutions-Architect-Professional_Exam-Guide.pdf