Hybrid Networking Flashcards

Q: What is the difference between dedicated and hosted Direct Connect?

A: Dedicated: physical port (1/10/100G) owned by you at DX location. Hosted: capacity from a partner on their port (50M–10G), faster provisioning.

Q: What does a Direct Connect Gateway do?

A: Global resource that connects a DX connection to VPCs (via VGW) or Transit Gateways in any region. Does NOT enable VPC-to-VPC routing.

Q: How does BGP route preference work with DX and VPN?

A: DX preferred over VPN (lower MED/AS-path). For multiple DX paths: shortest AS-path → lowest MED → oldest connection. Local preference overrides all.

Q: What is VPN CloudHub?

A: Multiple VPN connections to a single VGW enables site-to-site communication through AWS (hub-and-spoke). Low-cost alternative to private WAN.

Q: What is accelerated Site-to-Site VPN?

A: VPN traffic enters the nearest AWS edge location (Global Accelerator) instead of traversing public internet. Improves performance for distant on-prem sites.

Q: What are Route 53 Resolver inbound endpoints for?

A: Allow on-premises DNS resolvers to query AWS private hosted zones. Creates ENIs in VPC that accept inbound DNS queries from on-prem.

Q: What are Route 53 Resolver outbound endpoints for?

A: Allow AWS resources to resolve on-premises domain names. Forwards DNS queries matching forwarding rules to on-prem DNS servers.

Q: What is LAG in Direct Connect?

A: Link Aggregation Group bundles multiple DX connections (same bandwidth, same location) into a single logical connection for higher throughput.

Q: What is MACsec on Direct Connect?

A: Layer 2 encryption (IEEE 802.1AE) available on 10G and 100G dedicated connections. Encrypts frames between your router and the AWS device.

Q: How do you achieve maximum resiliency for Direct Connect?

A: Two connections at two separate DX locations. Each location connects to different on-prem routers. Provides resilience against device, connection, and location failures.