Day 3: AWS Solutions Architect Professional Prep — Hybrid Networking & Centralized Security Controls
Today I studied how large companies that want to connect their traditional offices and data centers to Amazon’s cloud (AWS) can do so while making sure everything is highly secure and runs smoothly worldwide.
As I always do, I broke that down further into key questions I wanted to be able to answer by the end of the day:
1. How do we connect our offices to the cloud securely and reliably?
2. When our network grows huge, how do we connect everything without chaos?
3. How do we ensure global users get the absolute fastest performance?
4. How do we catch cyber threats and manage compliance from one place?
1. How do we connect our offices to the cloud securely and reliably?
For dedicated bandwidth, the best choice is AWS Direct Connect (DX), since it provides a dedicated fiber connection into AWS. It is faster and more consistent than traffic over the public internet. Direct Connect goes beyond basic connectivity and offers specialized logical connections called Virtual Interfaces (VIFs):
1. Private VIFs: For accessing private cloud networks (VPCs).
2. Public VIFs: For accessing AWS public services like S3 or DynamoDB, without routing over the general internet.
3. Transit VIFs: The most scalable option; connects to your central router, the Transit Gateway (TGW).
Site-to-Site VPN is an encrypted tunnel built over the public internet to reach AWS. Each VPN connection provides redundancy out of the box with two tunnels, and production environments should prefer dynamic BGP routing over static routes. For high availability, DX can use redundant connections, or it can be paired with a less expensive Site-to-Site VPN as a backup, with BGP route preferences giving automatic failover: the VPN stands ready to take over if the dedicated link (DX) fails. BGP (dynamic routing) is like a smart map that automatically finds the best route when one path goes down.
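To make the "BGP route preferences for automatic failover" idea concrete, here is a small Python model of BGP best-path selection over a DX primary and a VPN backup. This is an added example, not code from the post or from AWS: the prefix, the ASN 65000 and the "dx"/"vpn" labels are constructed, and the selection is the simplified textbook order (highest local preference, then shortest AS path, then lowest MED), not a full router implementation.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BgpRoute:
    prefix: str
    link: str             # which path the route was learned over: "dx" or "vpn" (assumed labels)
    local_pref: int       # higher wins
    as_path: tuple        # shorter wins
    med: int = 0          # lower wins
    session_up: bool = True


def best_path(routes):
    """Simplified BGP best-path selection for one prefix: highest LOCAL_PREF,
    then shortest AS_PATH, then lowest MED. A route whose BGP session is down
    has been withdrawn, so it is never a candidate."""
    candidates = [r for r in routes if r.session_up]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.local_pref, -len(r.as_path), -r.med))


def learned_routes(link_state):
    """Routes for a constructed on-prem prefix learned over both links.
    The DX path carries the higher local preference; the VPN path is further
    de-preferred by prepending its own ASN (65000 is a private ASN used as a
    placeholder)."""
    return [
        BgpRoute("10.0.0.0/16", "dx", local_pref=200, as_path=(65000,),
                 session_up=link_state["dx"]),
        BgpRoute("10.0.0.0/16", "vpn", local_pref=100, as_path=(65000, 65000, 65000),
                 session_up=link_state["vpn"]),
    ]


def active_link(link_state):
    """Return which link currently carries traffic for the prefix, or None
    if both BGP sessions are down (the prefix becomes unreachable)."""
    chosen = best_path(learned_routes(link_state))
    return chosen.link if chosen else None


def failover_sequence(events):
    """Replay a series of link-state changes (constructed) and record which
    link was active after each one, showing automatic failover and failback."""
    state = {"dx": True, "vpn": True}
    history = []
    for link, up in events:
        state[link] = up
        history.append(active_link(dict(state)))
    return history


if __name__ == "__main__":
    # DX fails, comes back, then VPN fails, then DX fails again with no backup left.
    print(failover_sequence([("dx", False), ("dx", True), ("vpn", False), ("dx", False)]))
```

Two practitioner notes that the model makes visible: the preference has to be expressed on both ends (the AWS side prefers DX-learned routes over VPN routes for the same prefix, so if the on-prem router does not also prefer DX you get asymmetric paths), and a DX link is private but not encrypted by default, which is one reason the VPN-over-DX or MACsec options exist when the data itself needs protection in transit.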
2. When our network grows huge, how do we connect everything without chaos?
Transit Gateway (TGW) is the answer. VPC Peering connects two networks directly, but it is limited because it does not support transitive routing—meaning if Network A is connected to B, and B is connected to C, A cannot talk to C. VPC peering also maxes out at 125 connections per VPC.
A TGW can be likened to a central hub in the cloud that connects all VPCs, DX connections and VPNs, so you do not have to build individual connections between every pair of them.
It uses multiple route tables for fine-grained traffic segmentation (e.g., keeping production and development traffic apart to enforce security and compliance boundaries), supports high-bandwidth cross-Region peering (up to 50 Gbps), and supports Direct Connect Gateway connections.
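The segmentation point is easier to see with a working model of TGW route tables: each attachment is associated with one route table, attachments propagate their CIDR into chosen tables, and lookups are longest-prefix match. The following is an added Python example written for this post, not AWS code; the attachment names, CIDRs and the "prod / dev / shared / egress" layout are constructed.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class RouteTable:
    name: str
    routes: dict = field(default_factory=dict)   # prefix -> attachment id, or "blackhole"

    def lookup(self, dst_ip):
        """Longest-prefix match, as a TGW route table does. None means no route (dropped)."""
        ip = ipaddress.ip_address(dst_ip)
        best = None
        for prefix, target in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, target)
        return best[1] if best else None


class TransitGateway:
    def __init__(self):
        self.tables = {}
        self.attachments = {}      # attachment id -> (cidr, associated route table name)

    def add_table(self, name):
        self.tables[name] = RouteTable(name)

    def attach(self, att_id, cidr, associate):
        """Associate an attachment with exactly one route table (its egress policy)."""
        self.attachments[att_id] = (cidr, associate)

    def propagate(self, att_id, *table_names):
        """Propagate the attachment's CIDR into the named tables (who may reach it)."""
        cidr, _ = self.attachments[att_id]
        for t in table_names:
            self.tables[t].routes[cidr] = att_id

    def static_route(self, table, prefix, target):
        self.tables[table].routes[prefix] = target

    def forward(self, src_att, dst_ip):
        """Where traffic entering from src_att towards dst_ip is sent."""
        _, table = self.attachments[src_att]
        return self.tables[table].lookup(dst_ip)


def build_segmented_tgw():
    """Constructed layout: prod and dev may each reach shared services and a
    central egress VPC, only prod may reach on-prem over DX, and prod and dev
    are explicitly blackholed from each other."""
    tgw = TransitGateway()
    for t in ("prod-rt", "dev-rt", "shared-rt"):
        tgw.add_table(t)
    tgw.attach("prod-vpc", "10.1.0.0/16", "prod-rt")
    tgw.attach("dev-vpc", "10.2.0.0/16", "dev-rt")
    tgw.attach("shared-vpc", "10.100.0.0/16", "shared-rt")
    tgw.attach("egress-vpc", "10.200.0.0/16", "shared-rt")
    tgw.attach("onprem-dx", "172.16.0.0/12", "shared-rt")   # via a DX Gateway in practice
    tgw.propagate("shared-vpc", "prod-rt", "dev-rt")
    tgw.propagate("prod-vpc", "shared-rt")
    tgw.propagate("dev-vpc", "shared-rt")
    tgw.propagate("onprem-dx", "prod-rt")                   # dev gets no on-prem route
    tgw.static_route("prod-rt", "0.0.0.0/0", "egress-vpc")
    tgw.static_route("dev-rt", "0.0.0.0/0", "egress-vpc")
    # With a default route present, missing routes no longer drop traffic,
    # so the boundaries must be enforced with explicit blackholes.
    tgw.static_route("prod-rt", "10.2.0.0/16", "blackhole")
    tgw.static_route("dev-rt", "10.1.0.0/16", "blackhole")
    tgw.static_route("dev-rt", "172.16.0.0/12", "blackhole")
    return tgw
```

The detail worth remembering from this model is the last block: as soon as a route table carries a default route towards a centralized egress or inspection VPC, "no route" is no longer a segmentation control, and the boundaries you care about need explicit blackhole routes.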
3. How do we ensure global users get the absolute fastest performance?
When managing global traffic, you must differentiate between Route 53 and Global Accelerator.
Route 53 is like a smart GPS system that directs users to the closest healthy cloud location using routing rules, such as sending everyone in Europe to the European servers. Latency-based routing sends users to the location that responds fastest; geolocation routing sends users based on where they physically are (e.g., users in Germany go to the Frankfurt Region). It operates at the DNS layer.
Global Accelerator (GA) operates at the network layer and may be compared to a fast-pass lane. Instead of relying on Route 53, the GPS, to find the fastest public road, GA puts users onto the fast-pass lane of the AWS global network immediately, ensuring consistent performance. It suits real-time TCP/UDP applications such as video or gaming.
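The two Route 53 policies mentioned above (latency-based and geolocation) behave quite differently once health checks come into play, which matters for availability. The Python below is an added example, not the post's or AWS's code: the record sets, hostnames and latency figures are constructed, and the geolocation fallback (an unhealthy country record falls back to its continent, then to the default) is a simplified model of the documented behaviour rather than the resolver itself.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class GeoRecord:
    location: str       # "country:DE", "continent:EU", or "default"
    endpoint: str
    healthy: bool = True


@dataclass(frozen=True)
class LatencyRecord:
    region: str
    endpoint: str
    healthy: bool = True


# Constructed record sets; hostnames are placeholders under example.com.
GEO_RECORDS = (
    GeoRecord("country:DE", "fra.app.example.com"),
    GeoRecord("continent:EU", "dub.app.example.com"),
    GeoRecord("default", "iad.app.example.com"),
)
LATENCY_RECORDS = (
    LatencyRecord("eu-central-1", "fra.app.example.com"),
    LatencyRecord("us-east-1", "iad.app.example.com"),
    LatencyRecord("ap-northeast-1", "nrt.app.example.com"),
)
# Constructed stand-in for Route 53's latency measurements, as seen from a
# resolver in Paris.
PARIS_LATENCY_MS = {"eu-central-1": 18, "us-east-1": 85, "ap-northeast-1": 240}


def geolocation_answer(records, country, continent):
    """Most specific healthy match wins: country, then continent, then default.
    An unhealthy record is skipped, so the query falls through to the next
    broader location; None means no usable record at all."""
    for loc in (f"country:{country}", f"continent:{continent}", "default"):
        for r in records:
            if r.location == loc and r.healthy:
                return r.endpoint
    return None


def latency_answer(records, measured_ms):
    """Among healthy records in regions we have measurements for, return the
    endpoint in the lowest-latency region."""
    healthy = [r for r in records if r.healthy and r.region in measured_ms]
    if not healthy:
        return None
    return min(healthy, key=lambda r: measured_ms[r.region]).endpoint


def mark_unhealthy(records, endpoint):
    """Return a copy of the record set with one endpoint failing its health check."""
    return tuple(replace(r, healthy=False) if r.endpoint == endpoint else r for r in records)


if __name__ == "__main__":
    print(geolocation_answer(GEO_RECORDS, "DE", "EU"))
    print(geolocation_answer(mark_unhealthy(GEO_RECORDS, "fra.app.example.com"), "DE", "EU"))
    print(latency_answer(LATENCY_RECORDS, PARIS_LATENCY_MS))
```

Global Accelerator is deliberately not modelled here: it works below DNS, with anycast IPs that stay constant while traffic is steered inside the AWS network, so there is no record selection to simulate.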
4. How do we catch cyber threats and manage compliance from one place?
A centralized security strategy integrates multiple specialized tools for detection, assessment, and governance, managed ideally from a dedicated security account.
Amazon GuardDuty is a detection-only service that analyses network and activity logs for suspicious behaviour, such as a compromised server being used for cryptocurrency mining or communicating with known malicious sites. It is like a silent watchman: it alerts but does not block anything.
Amazon Macie is like a data auditor that specializes in searching through your stored files (in S3) to find and alert you to sensitive information, such as credit card or passport numbers (PII), so you can protect them.
Amazon Inspector v2 is like a building inspector. It performs continuous vulnerability assessments on computing resources (EC2 instances and containers). It checks for known software security holes (CVEs) and assesses how easily the resource can be reached from the network.
AWS Security Hub is the central dashboard that collects and aggregates all the security findings from GuardDuty, Macie, and Inspector, and then scores your environment against industry standards like PCI DSS.
AWS Config is the rulebook and historian. It tracks the inventory and history of your AWS resources and checks them against rules, packaged as Conformance Packs, to ensure continuous compliance (e.g., verifying that all databases are encrypted).
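What "Security Hub aggregates findings from GuardDuty, Macie and Inspector and scores against a standard" looks like in data: each service emits findings in the AWS Security Finding Format (ASFF), and the hub deduplicates, ranks and scores them. The Python below is an added example written for this post, not Security Hub's own code. The finding records are constructed (account ID, resource IDs, the CVE and the control IDs are placeholders; the GuardDuty and Macie finding type names are real ones), only the ASFF fields actually used are filled in, and the scoring rule (passed controls over passed plus failed) is a simplification.

```python
from collections import Counter, defaultdict

SEVERITY_RANK = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
PCI_DSS = "arn:aws:securityhub:us-east-1::standards/pci-dss/v/3.2.1"


def _finding(fid, product, generator, severity, resource_type, resource_id, updated,
             workflow="NEW", record_state="ACTIVE", compliance=None, standard=None):
    """Build a constructed ASFF-shaped record carrying only the fields used below."""
    f = {"Id": fid,
         "ProductArn": f"arn:aws:securityhub:us-east-1::product/aws/{product}",
         "GeneratorId": generator,
         "AwsAccountId": "111111111111",            # placeholder account
         "UpdatedAt": updated,
         "Severity": {"Label": severity},
         "Resources": [{"Type": resource_type, "Id": resource_id}],
         "Workflow": {"Status": workflow},
         "RecordState": record_state}
    if compliance:
        f["Compliance"] = {"Status": compliance}
        f["ProductFields"] = {"StandardsArn": standard}
    return f


# Constructed sample of what the security account's hub might hold.
SAMPLE_FINDINGS = [
    _finding("gd-1", "guardduty", "CryptoCurrency:EC2/BitcoinTool.B!DNS", "HIGH",
             "AwsEc2Instance", "i-0placeholder01", "2024-01-10T08:00:00Z"),
    _finding("gd-2", "guardduty", "CryptoCurrency:EC2/BitcoinTool.B!DNS", "HIGH",
             "AwsEc2Instance", "i-0placeholder01", "2024-01-09T21:00:00Z"),   # older copy
    _finding("gd-3", "guardduty", "Recon:EC2/PortProbeUnprotectedPort", "LOW",
             "AwsEc2Instance", "i-0placeholder02", "2024-01-08T12:00:00Z", workflow="RESOLVED"),
    _finding("macie-1", "macie", "SensitiveData:S3Object/Financial", "MEDIUM",
             "AwsS3Bucket", "placeholder-bucket", "2024-01-10T07:30:00Z"),
    _finding("insp-1", "inspector", "CVE-YYYY-NNNNN", "CRITICAL",                 # placeholder CVE
             "AwsEcrContainerImage", "placeholder-image:latest", "2024-01-10T06:00:00Z"),
    _finding("pci-1", "securityhub", "pci-dss/v/3.2.1/placeholder-control-1", "MEDIUM",
             "AwsRdsDbInstance", "placeholder-db", "2024-01-10T05:00:00Z",
             compliance="FAILED", standard=PCI_DSS),
    _finding("pci-2", "securityhub", "pci-dss/v/3.2.1/placeholder-control-2", "INFORMATIONAL",
             "AwsS3Bucket", "placeholder-bucket", "2024-01-10T05:00:00Z",
             compliance="PASSED", standard=PCI_DSS),
    _finding("pci-3", "securityhub", "pci-dss/v/3.2.1/placeholder-control-3", "INFORMATIONAL",
             "AwsEc2Instance", "i-0placeholder01", "2024-01-10T05:00:00Z",
             compliance="PASSED", standard=PCI_DSS),
]


def product_name(finding):
    """'guardduty', 'macie', 'inspector' or 'securityhub' from the ProductArn."""
    return finding["ProductArn"].rsplit("/", 1)[-1]


def dedupe(findings):
    """Keep the newest record per (generator, resource): an updated finding
    replaces the earlier one instead of counting twice. ISO-8601 UTC strings
    compare correctly as text."""
    latest = {}
    for f in findings:
        key = (f["GeneratorId"], f["Resources"][0]["Id"])
        if key not in latest or f["UpdatedAt"] > latest[key]["UpdatedAt"]:
            latest[key] = f
    return list(latest.values())


def severity_by_product(findings):
    """Per-source severity histogram, the kind of summary a dashboard shows."""
    out = defaultdict(Counter)
    for f in dedupe(findings):
        out[product_name(f)][f["Severity"]["Label"]] += 1
    return {p: dict(c) for p, c in out.items()}


def triage_queue(findings, min_label="HIGH"):
    """Active, unresolved findings at or above the severity floor, worst first."""
    floor = SEVERITY_RANK[min_label]
    active = [f for f in dedupe(findings)
              if f["RecordState"] == "ACTIVE"
              and f["Workflow"]["Status"] in ("NEW", "NOTIFIED")
              and SEVERITY_RANK[f["Severity"]["Label"]] >= floor]
    active.sort(key=lambda f: -SEVERITY_RANK[f["Severity"]["Label"]])
    return [(f["Severity"]["Label"], product_name(f), f["Resources"][0]["Id"]) for f in active]


def compliance_score(findings, standards_arn):
    """Percentage of a standard's controls that pass; None if no control findings."""
    status = Counter(f["Compliance"]["Status"] for f in findings
                     if "Compliance" in f
                     and f.get("ProductFields", {}).get("StandardsArn") == standards_arn)
    total = status["PASSED"] + status["FAILED"]
    return round(100 * status["PASSED"] / total) if total else None
```

The two details a practitioner cares about are in `dedupe` and `triage_queue`: without the dedupe step, a GuardDuty finding that keeps being updated inflates the numbers, and without the workflow and record-state filters the queue fills with findings someone already resolved.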
Overall, some of the big takeaways on how to create a hybrid network and implement a security command center include:
1. Choose Direct Connect for dedicated bandwidth.
2. Use TGW for high-scale network segmentation.
3. Use Global Accelerator when latency is absolutely critical.
4. For security, use GuardDuty for detection, Security Hub for aggregation, Macie for sensitive data protection, and AWS Config for governance and compliance tracking via Conformance Packs.
See you tomorrow!
