You have been asked to design network connectivity between your existing data centres and AWS. Your application’s EC2 instances must be able to connect to existing backend resources located in your data centre. Network traffic between AWS and your data centres will start small, but ramp up to 10’s of GB per second over the course of several months. The success of your application is dependent upon getting to market quickly. Which of the following design options will allow you to meet your objectives? (Choose 1)
a. Quickly submit a DirectConnect request to provision a 1Gbps cross connect between your data centre and VPC, and then increase the number or size of your Direct Connect connections as needed.
b. Provision a VPN connection between a VPC and existing on-premises equipment, submit a Direct Connect partner request to provision cross connects between your data centre and the Direct Connect location, then cut over from the VPN connection to one or more DirectConnect connections as needed.
c. Allocate EIPs and an Internet Gateway for your VPC instances to use for quick, temporary access to your backend applications, then provision a VPN connection between a VPC and existing on-premises equipment.
d. Quickly create an internal ELB for your backend applications, submit a Direct Connect request to provision a 1Gbps cross connect between your data centre and VPC, then increase the number or size of your Direct Connect connections as needed.
This question is testing your understanding of connectivity using Virtual Private Networks (VPN) and Direct Connect as well as the use cases for both.
I’d strongly recommend reading through the following links:
and also watch the following AWS re:Invent video:
As in my previous posts, let's work through ruling out the obvious answers to make answering the question easier.
“Answer C” doesn't meet the objectives for the network connectivity. The design isn't asking for the services to be connected to the Internet, so an Internet Gateway and Elastic IPs don't help with the solution. Implementing a VPN between the VPC and the Data Centre would definitely be required as a first phase of the requirements, however this option doesn't consider the long-term requirement for high data throughput rates (10 Gbps) between the VPC and the Data Centre.
“Answer D” does a couple of things wrong in my opinion. Firstly, it suggests creating an internal Elastic Load Balancer for the backend systems that are currently in the Data Centre, and at present you can't do this. Secondly, it then only says to submit a Direct Connect request to provision the 1 Gbps connection between the VPC and the Data Centre and to increase this as and when required. This doesn't meet the initial time-to-market requirement, which means they need to establish connectivity quickly rather than waiting for a private network connection (i.e. Direct Connect) to be provisioned, which could take a number of weeks.
“Answer A” is in a similar position to “Answer D”, as it doesn't meet the initial time-to-market requirement either: they need to establish connectivity quickly rather than waiting for a private network connection (i.e. Direct Connect) to be provisioned, which could take a number of weeks.
“Answer B” does everything correctly. It meets the first objective around time to market by implementing a VPN between the VPC and the Data Centre, which is something that can be achieved very quickly. Once you've established a connection via the VPN, you can then submit the Direct Connect request for the longer-term requirement of high-throughput traffic, given it will be a dedicated connection. Once the Direct Connect is provisioned you can perform the cut-over in an efficient and non-impacting manner, potentially even keeping the VPN as a backup connection should there be any issues with the Direct Connect circuit.
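The cut-over and "VPN as backup" arrangement works because of how a VPC route table picks between two paths to the same on-premises prefix. The model below is an added example (not from the original post or from AWS): it applies the documented VPC route priority (longest prefix first; for equal prefixes, BGP routes propagated from Direct Connect beat static VPN routes, which beat BGP routes propagated from VPN) to a constructed route table, and shows traffic moving to the VPN path when the Direct Connect route is withdrawn. The prefixes and target names are constructed.

```python
"""Model of VPC route selection between Direct Connect and a Site-to-Site VPN.

Added example, not the original post's code. Route sources and their
precedence follow the documented VPC route priority; all prefixes and
target names below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Lower number = preferred when two routes cover exactly the same prefix.
SOURCE_PRIORITY = {"dx-bgp": 0, "vpn-static": 1, "vpn-bgp": 2}


@dataclass(frozen=True)
class Route:
    prefix: str      # on-premises range, e.g. "10.10.0.0/16" (constructed)
    source: str      # one of the SOURCE_PRIORITY keys
    target: str      # constructed name of the gateway carrying the traffic
    up: bool = True  # False once BGP withdraws the route (circuit down)


def select_route(routes, dest_ip):
    """Return the Route that carries dest_ip, or None if nothing matches."""
    dest = ip_address(dest_ip)
    candidates = [r for r in routes if r.up and dest in ip_network(r.prefix)]
    if not candidates:
        return None
    # Longest prefix wins; ties are broken by the documented source priority.
    return min(candidates,
               key=lambda r: (-ip_network(r.prefix).prefixlen,
                              SOURCE_PRIORITY[r.source]))


# Constructed route table after cut-over: the VPN is kept as the backup path.
ROUTES = [
    Route("10.10.0.0/16", "vpn-static", "vpn-to-datacentre"),
    Route("10.10.0.0/16", "dx-bgp", "dx-to-datacentre"),
]


def path_for(dest_ip, dx_up=True):
    """Target used for dest_ip with the Direct Connect route up or withdrawn."""
    table = [Route(r.prefix, r.source, r.target,
                   r.up and (dx_up or r.source != "dx-bgp")) for r in ROUTES]
    chosen = select_route(table, dest_ip)
    return chosen.target if chosen else None


if __name__ == "__main__":
    print(path_for("10.10.5.20"))               # dx-to-datacentre
    print(path_for("10.10.5.20", dx_up=False))  # vpn-to-datacentre
```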
The diagram below shows a representation of the connectivity for “Answer C”, obviously excluding any of the actual servers themselves.
Hopefully this explains the rationale of how I got to the correct answer.