I’ve ran into this Exam Simulator question quite a number of times and always seem to fall into the same trap. When I see parts of the question that I’ve underlined here I don’t see why a VPN is preferable than without VPN. I was thinking without VPN the traffic is self-contained between the On-Premise Network and the AWS VPC; no Internet traffic. When you introduce a VPN component that traffic starts flowing over the Internet. I understand the traffic over the VPN is secured, however, I don’t believe it could possibly be more secure than traffic that doesn’t go over the Internet at all.
I checked the reference documentation, but that didn’t give me any clarity so coming here if someone can help me understand.
Exam Simulator Question
You are working for an investment bank which is designing a new application to analyse historical trading data, and use machine learning to predict stock market performance. The application is running in AWS and needs to access the historical data stored in a proprietary time series database located in your data center. This information is highly confidential and could cause serious repercussions if any data was ever leaked to the public or your competitors. The application itself is extremely sensitive to network inconsistencies and during testing it frequently crashes if the network is not reliable. How should you configure the network connectivity for this application?
Configure a VPN between your VPC and the data center over a Direct Connect connection <– Correct
Access the data using a secure port on the times series database so that the data is encrypted in transit
Configure a VPN between your VPC and the data center and access the time series database using a secure port
Use a VPC Gateway Endpoint so that the data never leaves Amazon’s network
Configure a Direct Connect connection between the VPC and your data center <– Selected
With AWS Direct Connect plus VPN, you can combine one or more AWS Direct Connect dedicated network connections with the Amazon VPC VPN. This combination provides an IPsec-encrypted private connection that also reduces network costs, increases bandwidth throughput, and provides a more consistent network experience than internet-based VPN connections.
Reading the documentation you referenced (thank you for including that) my take is that the ‘plus VPN’ adds the IPSec encryption to traffic that is traversing the DX connection. One might wonder why this would be necessary if it’s a ‘private’ link that doesn’t cross the Internet. However, keep in mind that the Direct Connect service is deployed in data centers that are not under the customer control, and thus there are administrators responsible for and have access to the infrastructure supporting the routers supporting the service. Thus there’s still potential for someone to intercept that traffic. Even within the corporate or enterprise network there are likely several network hops between the egress point of the circuit that goes to the DX service and the location of the storage on the enterprise network. Again, those network segments and the devices in between offer potential for a rogue employee to intercept that traffic. Thus end to end encryption offered with the IPSec VPN becomes important for protecting those assets.
Thanks for the great explanation from Tom!
In this question you have 2 problems to solve: 1) You have sensitive data, which you want to protect from prying eyes and 2) Your application is going to crash if the network is unreliable.
Direct Connect will only solve one of your problems – network consistency. But by using a combination of Direct Connect and VPN, you will protect your sensitive data as well, covering both requirements of the question.
This design pattern of using Direct Connect plus VPN is also described in the VPC Connectivity Options Whitepaper, which we recommend you read before taking the exam for real:
VPN + DX – another dimension is redundancy – if Direct Connect fails.
The VPN connection has to be setup outside of Direct Connect for this. (It also can be setup with DX)