Why Direct Connect?


Course Introduction
VPC Fundamentals
What is a VPC?
PREVIEW16m 20s
VPC Security and Control
VPC Connectivity
Introduction to AWS PrivateLink
VPC Sharing using the AWS Resource Access Manager
Understanding Direct Connect, Implementation and Configuration
Why Direct Connect?
5m 25s
Understanding AWS Direct Connect - Connectivity Options
7m 3s
Examining AWS Routing
AWS Default Routing

The course is part of this learning path

Why Direct Connect?
3h 55m

This section of the AWS Certified Solutions Architect - Professional learning path introduces you to the core networking concepts and services relevant to the SAP-C02 exam. We start with an introduction to the AWS Virtual Private Network (VPC) and networking services. We then understand the options available and learn how to select and apply AWS networking, DNS, and content delivery services to meet specific design scenarios relevant to the AWS Certified Solutions Architect - Professional exam. 

Want more? Try a Lab Playground or do a Lab Challenge

Learning Objectives

  • Get a foundational understanding of VPCs, their security, and connectivity
  • Learn about VPC sharing using the AWS Resource Access Manager
  • Discover inter-regional and intra-regional communication patterns in AWS
  • Learn about AWS Direct Connect, along with its implementation, configuration, and connectivity options
  • Understand routing in AWS, including static and dynamic routing
  • Understand the basics of networking, including Elastic IP addresses, Elastic Network Interfaces, networking with EC2, VPC endpoints, and AWS Global Accelerator
  • Learn about the DNS and content delivery services Amazon Route 53 and Amazon CloudFront

Hello and welcome to this lecture where I want to talk about why an organization would consider connecting their on-prem data center to AWS using an AWS Direct Connect. In my experience, even with the abundance of material extolling the benefits of AWS, many organizations begin their cloud journey by dipping their toes into AWS. Let me say clearly that there is nothing wrong with this approach. It's basic IT nature to view a new technology or service with a measure of healthy skepticism. Thus, it's perfectly acceptable for organizations to take careful and deliberate steps to validate AWS's ability to solve business challenges. I have seen several organizations begin their cloud journey by using Amazon S3 buckets to easily expand the storage capacity of their backup repositories to support long-term data retention goals.

Once this use case is tested and validated, this organization may expand its use of AWS by using infrastructure as code principles to deploy simple EC2 instances. Often, once EC2 instances are deployed, an organization will look to connect their AWS environment to their on-premises data center to support production applications by providing EC2 instances access to on-prem Active Directory domains, private DNS zones, database servers, file shares, Internet pages, anything, you name it. 

To securely facilitate this connectivity, an AWS site-to-site IPSec VPN tunnel can be created. Depending upon the configuration of the AWS environment and what resources must communicate with one another, organizations new to the cloud typically choose to do one of two things: deploy a virtual private gateway or deploy a transit gateway. A virtual private gateway is an AWS-managed VPN endpoint that includes redundancy and fail-over capabilities on the Amazon side of the site-to-site VPN connection.

A key point to remember, however, is that a virtual private gateway can only be attached and provide VPN access to a single AWS VPC. If an organization wishes to establish VPN connectivity from their on-premises data center to multiple AWS VPCs, they could choose to deploy a virtual private gateway in each of those VPCs or they could deploy a single AWS transit gateway. Like the virtual private gateway, the AWS transit gateway is an AWS-managed service which provides a highly available regional network transit hub. 

The transit gateway VPN attachment can be used as the VPN endpoint on the Amazon side of a site-to-site VPN connection, which will enable the interconnection of multiple AWS VPCs within the same AWS region and the on-premises network. There's no denying that the AWS virtual private gateway or transit gateway services are the easiest and quickest way to provision VPN IPSec connections to build a hybrid network between an on-premises data center and AWS.

However, as more and more resources and applications are deployed or migrated to AWS, the limitations of these VPN connections come into greater focus. For example, each VPN tunnel can achieve a maximum bandwidth of 1.25Gbps. Additionally, these VPN connections use the public Internet, which can have unpredictable and inconsistent performance, thus potentially making VPN connections unusable for latency-sensitive applications. Organizations needing to overcome the limitations of VPN connections in order to maximize the benefits of AWS will inevitably consider AWS Direct Connect.


About the Author
Learning Paths

Danny has over 20 years of IT experience as a software developer, cloud engineer, and technical trainer. After attending a conference on cloud computing in 2009, he knew he wanted to build his career around what was still a very new, emerging technology at the time — and share this transformational knowledge with others. He has spoken to IT professional audiences at local, regional, and national user groups and conferences. He has delivered in-person classroom and virtual training, interactive webinars, and authored video training courses covering many different technologies, including Amazon Web Services. He currently has six active AWS certifications, including certifications at the Professional and Specialty level.