Other Networking Services — Hybrid, Private & Security
Direct Connect, VPN, Transit Gateway, PrivateLink, WAF & Shield — the services that connect your on-premises infrastructure, enable private access across accounts, and protect your edge.
AWS Direct Connect
AWS Direct Connect is a dedicated physical network connection between your on-premises data centre and AWS. Instead of routing traffic over the public internet, you get a private fibre link — lower latency, consistent bandwidth, and reduced data transfer costs.
👉 One-liner: Direct Connect = private fibre cable from your data centre to AWS. No internet involved. Consistent performance, lower cost for high-volume transfers.
Connection Types
- Dedicated: 1 Gbps or 10 Gbps (physical port)
- Hosted: 50 Mbps – 10 Gbps (via partner)
- Provisioning takes weeks (physical cable!)
Virtual Interfaces (VIFs)
- Private VIF: access VPC (private IPs)
- Public VIF: access AWS public services (S3, DynamoDB)
- Transit VIF: access via Transit Gateway
Key Properties
- NOT encrypted by default (add VPN on top for encryption)
- Consistent latency (no internet hops)
- Lower data transfer cost vs internet
- Supports BGP routing
Use Direct Connect When
- Large data transfers (>100 GB/day) — cheaper than internet
- Need consistent latency (real-time workloads)
- Hybrid architecture (on-prem + AWS)
- Regulatory requirement for private connectivity
- High-bandwidth database replication
Don't Use When
- Need quick setup (takes weeks to provision)
- Low bandwidth needs (<50 Mbps)
- Need encryption only (use VPN instead)
- Budget-constrained (minimum ~$200/month)
- Temporary/short-term connectivity
Best Practice (Production)
- Primary: Direct Connect (consistent latency, lower cost)
- Backup: Site-to-Site VPN over internet
- BGP routing auto-fails over if DX goes down
- VPN encrypts — DX does not (defense-in-depth)
- Can also do DX + DX (two connections, different locations)
Exam Pattern
- “Redundant hybrid connectivity” → DX + VPN backup
- “Encrypted + consistent” → VPN over DX (IPsec on top)
- “Maximum resilience” → 2 DX connections at different locations
Direct Connect = dedicated private fibre (not internet). Takes weeks to set up. NOT encrypted by default — add IPsec VPN on top if you need encryption. Exam keyword: “consistent latency” or “large data transfer” → Direct Connect.
AWS VPN (Site-to-Site & Client)
AWS VPN creates encrypted tunnels over the public internet between your on-premises network (or individual users) and AWS. Unlike Direct Connect, VPN uses the internet as transport — faster to set up, cheaper, but variable latency.
👉 One-liner: VPN = encrypted tunnel over internet. Quick to set up (minutes, not weeks). Two types: Site-to-Site (office to AWS) and Client VPN (individual users to AWS).
Site-to-Site VPN
- Connects entire on-prem network to VPC
- IPsec encrypted (2 tunnels for HA)
- Needs: Customer Gateway (your router) + Virtual Private Gateway (AWS side)
- Bandwidth: up to 1.25 Gbps per tunnel
- Setup: minutes (vs weeks for DX)
- Cost: ~$0.05/hr + data transfer
- Use: hybrid cloud, backup to DX
Client VPN
- Individual users connect to AWS (laptop → VPC)
- OpenVPN-based managed service
- Authenticates via: AD, SAML, mutual TLS
- Split-tunnel or full-tunnel
- Use: remote workers accessing private resources
- Cost: $0.10/hr per active connection
- Scales to thousands of connections
| Aspect | Site-to-Site VPN | Direct Connect |
|---|---|---|
| Transport | Public internet | Private fibre |
| Encryption | ✓ IPsec (always) | ✘ Not by default |
| Setup time | Minutes | Weeks |
| Bandwidth | Up to 1.25 Gbps | Up to 100 Gbps (LAG) |
| Latency | Variable (internet) | Consistent (private) |
| Cost | Low (~$36/month) | High ($200+/month) |
VPN = encrypted over internet (fast to set up, variable latency). Direct Connect = private fibre (weeks to set up, consistent latency). Best practice: use both — DX as primary, VPN as backup. Exam: “need encryption” → VPN; “consistent latency” → DX.
Transit Gateway
AWS Transit Gateway is a regional network hub that connects multiple VPCs, on-premises networks (via VPN or Direct Connect), and even other AWS accounts — through a single central point. Without it, you need VPC peering between every pair of VPCs: N(N−1)/2 connections, which grows on the order of N².
👉 One-liner: Transit Gateway = hub-and-spoke router for all your VPCs and on-premises. One connection per VPC instead of peering every pair. Centralised routing.
Without Transit Gateway (Full Mesh)
- 5 VPCs = 10 peering connections
- 10 VPCs = 45 peering connections
- 20 VPCs = 190 peering connections!
- Each peering managed separately
- No transitive routing — A→B→C not possible
- On-prem needs VPN to each VPC
With Transit Gateway (Hub & Spoke)
- 5 VPCs = 5 attachments (to hub)
- 20 VPCs = 20 attachments
- One central route table
- Transitive routing works (A→TGW→C)
- On-prem connects once to TGW
- Cross-region via TGW peering
Transit Gateway = central router for multi-VPC architectures. Eliminates N² peering. Exam keyword: “connect multiple VPCs” or “transitive routing” or “centralised network” → Transit Gateway.
Route Table Segmentation
- Multiple route tables for isolation
- Prod VPCs in one table, Dev in another
- Control which VPCs can communicate
- Default: single shared route table
- Use for: compliance, blast-radius control
Appliance Mode
- Required for 3rd-party firewalls (Palo Alto, Fortinet)
- Preserves source IP between attachments
- Without it: TGW replaces source with internal IP
- Enable per-attachment
- Use: centralized inspection VPC pattern
AWS PrivateLink
AWS PrivateLink lets you access services privately — without traffic leaving the AWS network. Instead of going over the internet or through a NAT Gateway, you create an endpoint in your VPC that connects directly to the service via AWS's backbone.
👉 One-liner: PrivateLink = private access to AWS services (or third-party SaaS) from your VPC without internet. Traffic stays on AWS network. Zero exposure.
Gateway Endpoint (Free)
- S3 and DynamoDB only
- Route table entry (not ENI)
- Free — no hourly or data charges
- Specified in route table → traffic routed via AWS backbone
- Cannot be accessed from on-premises
Interface Endpoint (PrivateLink)
- Most AWS services (100+): SQS, SNS, KMS, Secrets Manager...
- Creates ENI in your subnet (private IP)
- Cost: ~$0.01/hr + $0.01/GB processed
- Access from on-prem (via VPN/DX)
- Third-party SaaS services too (Marketplace)
- NLB required on provider side
PrivateLink = “access without internet.” Gateway Endpoint (S3/DDB) is free. Interface Endpoint (everything else) costs ~$7/month. Exam: “private access to S3 from VPC” → Gateway Endpoint; “private access to SQS/KMS” → Interface Endpoint (PrivateLink).
What Endpoint Policies Do
- JSON policy attached to VPC endpoint
- Controls which principals/resources are accessible via endpoint
- Example: only allow specific IAM role to access SQS
- Example: restrict S3 gateway to specific buckets only
- Default: full access (anything IAM allows)
- Works with both Gateway and Interface endpoints
Use Cases
- Restrict data exfiltration (only access your own S3 buckets)
- Compliance: limit which services are reachable from VPC
- Least privilege at network layer (on top of IAM)
- Defense-in-depth with SCPs + IAM + endpoint policies
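An endpoint policy for an S3 gateway endpoint that implements the exfiltration restriction above, added here as an illustration and not taken from the original page: `example-data-bucket` and the organisation ID `o-exampleorgid` are placeholders. A request through the endpoint for any other bucket, or one signed with credentials from outside the organisation, is refused at the endpoint even when the caller's own IAM policy would allow it.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOnlyOurBucketsFromOurOrg",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::example-data-bucket",
        "arn:aws:s3:::example-data-bucket/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "o-exampleorgid"
        }
      }
    }
  ]
}
```

The policy only narrows what the endpoint will carry; the caller still needs a matching IAM allow, so keep IAM, SCPs and the endpoint policy as three independent layers.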
WAF & Shield
AWS WAF (Web Application Firewall) protects your web applications from common exploits — SQL injection, cross-site scripting (XSS), bot traffic, and custom rules. It sits in front of CloudFront, ALB, or API Gateway and inspects every request.
AWS Shield provides DDoS protection. Shield Standard is free and automatic for all AWS accounts. Shield Advanced ($3,000/month) adds 24/7 DRT support, cost protection, and advanced DDoS mitigation.
AWS WAF
- Layer 7 (HTTP) inspection
- Rules: SQL injection, XSS, IP block, geo-block, rate limit
- Attaches to: CloudFront, ALB, API Gateway
- Managed rule groups (AWS + Marketplace)
- Cost: $5/web ACL + $1/rule + $0.60/1M requests
- Bot Control add-on available
AWS Shield
- Standard: free, automatic, all accounts — Layer 3/4 DDoS
- Advanced: $3,000/month — Layer 3/4/7 + DRT team
- Advanced: cost protection (refund for DDoS scaling)
- Advanced: real-time visibility + attack forensics
- Protects: CloudFront, Route 53, ALB, EIP, Global Accelerator
- Exam: “DDoS protection” → Shield
Shield = DDoS protection (Standard free, Advanced $3K/mo). WAF = Layer 7 inspection (SQL injection, XSS, bots, rate limiting). Both attach to CloudFront/ALB/API Gateway. They work together — Shield handles volumetric attacks, WAF handles application-layer attacks.
WAF Rate Limiting Example
- Rule: max 100 requests per 5 minutes per IP
- Exceed → block for 10 minutes (auto-release)
- Protects: login endpoints, API scraping, bot attacks
- Applied at edge — origin never sees throttled requests
- Combine with: geo-blocking, IP reputation lists
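The rate-limiting rule above written as an AWS WAF (WAFv2) rule definition in the form the console's JSON editor accepts, added here as an example rather than taken from the page: the rule name `LoginRateLimit` and the `/login` path are assumed. `Limit` with `EvaluationWindowSec` give the 100 requests per 5 minutes from the text, `AggregateKeyType` counts per source IP, and the `ScopeDownStatement` restricts counting to the login path so the rest of the site is not throttled; matching requests are blocked at the edge while the IP's rate stays above the limit.

```json
{
  "Name": "LoginRateLimit",
  "Priority": 0,
  "Statement": {
    "RateBasedStatement": {
      "Limit": 100,
      "EvaluationWindowSec": 300,
      "AggregateKeyType": "IP",
      "ScopeDownStatement": {
        "ByteMatchStatement": {
          "SearchString": "/login",
          "FieldToMatch": {
            "UriPath": {}
          },
          "TextTransformations": [
            {
              "Priority": 0,
              "Type": "LOWERCASE"
            }
          ],
          "PositionalConstraint": "STARTS_WITH"
        }
      }
    }
  },
  "Action": {
    "Block": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "LoginRateLimit"
  }
}
```

Keeping `SampledRequestsEnabled` and CloudWatch metrics on is what lets you see which IPs tripped the rule and tune the limit before tightening it further.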
Shield Advanced Cost Protection
- Refund for resources scaled due to DDoS attack
- EC2, ELB, CloudFront, Route 53 costs covered
- Prevents bill shock from auto-scaling during attack
- 24/7 DDoS Response Team (DRT) access
- Exam: “prevent cost increase from DDoS” → Shield Advanced
AWS Global Accelerator
AWS Global Accelerator provides two static anycast IP addresses that route traffic over the AWS global backbone to your application endpoints. Instead of traversing the public internet (variable hops), traffic enters AWS at the nearest edge location and travels on AWS's private network.
👉 One-liner: Global Accelerator = static IPs + AWS backbone routing. Improves TCP/UDP latency and provides instant failover. NOT a CDN (doesn't cache) — it optimizes the network path.
| Aspect | CloudFront | Global Accelerator |
|---|---|---|
| Purpose | Content caching (CDN) | Network path optimization |
| Protocols | HTTP/HTTPS only | TCP + UDP (any protocol) |
| Caching | ✓ Yes (content at edge) | ✘ No caching |
| IP type | Dynamic DNS (many IPs) | 2 static anycast IPs |
| Failover | DNS-based (minutes) | Instant (<60 seconds) |
| Use case | Websites, APIs, static assets | Gaming, VoIP, IoT, financial |
Use Global Accelerator When
- Need static IP addresses (whitelist by partners)
- TCP/UDP apps needing low latency (gaming, VoIP)
- Multi-region with instant failover (<60s)
- Non-HTTP protocols (MQTT, custom TCP)
- Want AWS backbone routing (skip internet hops)
Use CloudFront Instead When
- HTTP/HTTPS content that benefits from caching
- Static websites, images, videos
- API responses that can be cached
- Need WAF integration at CDN layer
- Don't need static IPs
Global Accelerator ≠ CloudFront. GA = static IPs + TCP/UDP path optimization + instant failover. CloudFront = HTTP caching CDN. Exam: “static IP + global acceleration” or “gaming/VoIP latency” → Global Accelerator.