While preparing for the AWS SAP-C02 exam, many candidates get confused by Direct Connect multi-region architectures. In reality, this challenge boils down to a fundamental trade-off between network resilience and cost efficiency. Let’s drill into a simulated architecture scenario.
The Scenario #
TechNova International is a global enterprise with offices across multiple continents. Currently, their on-premises network connects to AWS via a single 1 Gbps Direct Connect (DX) connection targeting one AWS region. This connection uses a private virtual interface attached to a single AWS VPC within that region. As TechNova plans to expand worldwide, their network team requires a robust design:
- The solution must provide redundancy for the Direct Connect link within the same region to avoid a single point of failure.
- It must also enable seamless connectivity to resources in multiple AWS regions using the existing Direct Connect infrastructure, avoiding new physical connections per region as they expand.
Key Requirements #
Design an AWS Direct Connect architecture that balances operational resilience and multi-region access, minimizing future costs and complexity.
The Options #
- A) Configure a Direct Connect Gateway; delete the existing private virtual interface on the current connection; create a second Direct Connect connection; create new private virtual interfaces on both connections and attach them to the Direct Connect Gateway; connect the Direct Connect Gateway to the existing VPC.
- B) Keep the existing private virtual interface; create a second Direct Connect connection; create a new private virtual interface on the new connection and attach it directly to the same VPC.
- C) Keep the existing private virtual interface; create a second Direct Connect connection; create a new public virtual interface on the new connection and attach it to the same VPC.
- D) Configure a Transit Gateway; delete the existing private virtual interface; create a second Direct Connect connection; create new private virtual interfaces on both connections attached to the Transit Gateway; associate the Transit Gateway with the VPC.
Correct Answer #
Option A.
The Architect’s Analysis #
Correct Answer #
Option A
Step-by-Step Winning Logic #
Option A leverages the Direct Connect Gateway, which acts as a multi-region aggregation point for private virtual interfaces. This design enables multiple Direct Connect connections to serve as redundant links, increasing resilience within a region. Critically, it supports extending connectivity to multiple VPCs across different AWS regions without needing new physical Direct Connect connections for each region.
This approach balances operational reliability (redundancy via dual connections) with cost efficiency by minimizing Direct Connect port fees and reducing cross-region transit costs. It also simplifies management since only the Direct Connect Gateway requires configuration changes when expanding regions, versus managing multiple private virtual interfaces per connection per region.
The Traps (Distractor Analysis) #
-
Why not Option B?
It lacks redundancy at the interface level because the second private virtual interface connects only to the same VPC without a means for multi-region expansion. Future region expansion would require additional Direct Connect physical connections, increasing cost and complexity. -
Why not Option C?
A public virtual interface connects to AWS public endpoints, not directly to the VPC’s private subnet. This does not fulfill the requirement of private, resilient VPC connectivity nor multi-region private access. -
Why not Option D?
While Transit Gateway can centralize VPC connectivity, the scenario concerns Direct Connect connections and virtual interfaces, not Transit Gateway attachments for Direct Connect. Transit Gateway here complicates the architecture unnecessarily and does not directly enable multi-region Direct Connect aggregation the same way as a Direct Connect Gateway.
The Architect Blueprint #
Diagram Note: On-Premises network connects via two independent Direct Connect connections to a Direct Connect Gateway, which aggregates connectivity to VPCs across multiple regions providing both high availability and multi-region reachability with minimal physical infrastructure.
The Decision Matrix (Mandatory for Professional Level) #
| Option | Est. Complexity | Est. Monthly Cost (Relative) | Pros | Cons |
|---|---|---|---|---|
| A | Medium | Medium ($1000/mo approx) | Supports redundancy and multi-region via one DX pair; scalable; operationally simpler | Slightly higher initial setup effort; need to delete current VIF |
| B | Low | Medium ($1000/mo approx) | Easy incremental add of 2nd private VIF | No multi-region; no true redundancy |
| C | Low | Low ($600/mo approx) | Quick to setup public VIF | Does not provide private VPC connectivity; doesn’t meet requirements |
| D | High | High ($1500+ mo approx) | Centralizes connectivity if TGW needed | Overkill for this problem; adds complexity; no multi-region DX aggregation |
Real-World Practitioner Insight #
Exam Rule #
For the AWS SAP-C02 exam, when asked about multi-region Direct Connect access with redundancy, always prefer a Direct Connect Gateway over multiple individual private virtual interfaces attached directly to VPCs.
Real World #
In production, companies often combine Direct Connect Gateway with AWS Transit Gateway for large-scale networking, factoring in traffic patterns and cost control measures like data egress pricing. Hybrid WAN integration or SD-WAN controllers might also complement such designs, which is beyond the scope of certification questions but vital operationally.