AWS Certified Solutions Architect - Professional 2020

Sign Up Free or Log In to participate!

Hybrid Connection

I’ve seen several questions on practice tests involving communication between VPCs on a hybrid network. The question involves communication between resources on the VPCs and I always seem to get it wrong.

The basic scenario, you have an on-prem data center connected to two or more VPCs. Under what circumstances can an EC2 instance in one VPC connect to a resources, such as a database, SQS, etc. in another VPC? Sometimes the scenario involves Direct Connect, VPN, or transit gateway.

Non-overlapping CIDRs are a given, and the VPCs are usually in the same account or organization.

1. Will Direct Connect do this if you add the VGWs of both VPCs to the Direct Connect Gateway? Or can it be done with routing configuration in the on-prem side?

2. I don’t think AWS Managed VPN does this, but could you configure on-prem routers to do this?

3. CloudHub seems to be the same as AWS Managed VPN.

4. Transit Gateway, yes but the Transit Gateway has to be shared using Resource Access Manager. Sound correct?

5. It seems you can do this with Software VPN. The routing is in your control and you could set up a hub-and-spoke for complex organizations

6. VPC Peering would also work. This is good for simple cases with a few VPCs, but quickly gets complicated with multiple VPCs.

7. PrivateLink would work, but the scenario usually involves connecting to resources in general and not to a specific resource.

Sorry for the long question. I’ve been looking through the documentation and this doesn’t seem to be addressed often, and sometimes it’s contradictory.


1 Answers

Hi Brian,

Yes, this space is pretty complex as there are X number of ways you can connect stuff together.   AWS doesn’t do itself any favors either by how it names things and how you can assemble things to do the same as specific products…like the Transit Gateway for example.  People were creating transit gateway type architectures before Transit Gateway was a thing using on-prem routers, MPLS networks, etc.

It’s hard to suggest a best path just based on what you’ve shared, but I’m leaning towards Transit VPC.  You can use Resource Access Manager to share a transit gateway between AWS Accounts, but thats not required if the VPCs are in the same account.  Plus, there are other ways to share resources…RAM makes it easier to manage.

I probably wouldn’t use VPN or Direct Connect as there is no reason traffic between VPCs has to go back to a core router on-prem….  But it could…and would probably work ok….if for example you wanted to apply some QOS traffic shaping or NAT.  Lots of crazy scenarios.

A resource that really helped me was   Half-way down that page are a list of technical briefs with all sorts of multiple VPC and networking variations.  This might help clarify some things.


Brian Nivens

Thanks. Those help. Also found this The title is misleading, but it’s a good explanation on the Direct Connect Gateway.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?