
Hybrid Connectivity HA vs Cost | SAA-C03

Author: Jeff Taakey
21+ Year Enterprise Architect | Multi-Cloud Architect & Strategist.

While preparing for the AWS SAA-C03, many candidates get confused by hybrid connectivity options. In the real world, this is fundamentally a decision about High Availability vs. Cost Optimization. Let’s drill into a simulated scenario.

The Scenario

GlobalManufacture Inc., a mid-sized industrial equipment manufacturer, is modernizing its IT infrastructure by extending its on-premises data center operations to AWS. The company runs critical ERP systems on-premises that need to communicate with cloud-based analytics workloads in real-time.

The IT leadership has identified the following business drivers:

  • Predictable Performance: Manufacturing workflows require consistent, low-latency connectivity (< 10ms jitter)
  • Cost Consciousness: The CFO has mandated a “value-first” approach—premium costs must be justified
  • Acceptable Degradation: During rare outages, the business can tolerate temporary performance reduction (up to 30 minutes of slower throughput) without significant operational impact

Key Requirements

Design a hybrid network architecture that provides high availability and stable latency to an AWS Region, while minimizing total cost of ownership and accepting degraded performance during primary connection failures.

The Options

  • A) Deploy an AWS Direct Connect connection to the target Region. Configure a Site-to-Site VPN connection as backup when the primary Direct Connect connection fails.
  • B) Deploy a VPN tunnel connection to the target Region for private connectivity. Deploy a second VPN tunnel for redundancy and failover when the primary VPN connection fails.
  • C) Deploy an AWS Direct Connect connection to the target Region. Deploy a second Direct Connect connection to the same Region as backup when the primary Direct Connect connection fails.
  • D) Deploy an AWS Direct Connect connection to the target Region. Use the AWS CLI’s Direct Connect failover property to automatically create a backup connection when the primary Direct Connect connection fails.

Correct Answer

Option A - AWS Direct Connect with VPN Backup.

Step-by-Step Winning Logic

This solution achieves the optimal three-way balance:

  1. Stable Latency (Primary State): Direct Connect provides dedicated, private connectivity with consistent performance and low latency—ideal for real-time ERP-to-analytics data flows.

  2. High Availability: The architecture remains resilient with VPN failover. AWS supports automatic BGP failover from Direct Connect to VPN when the primary path fails.

  3. Cost Optimization: By accepting VPN’s lower throughput and higher latency only during failures (which are statistically rare for Direct Connect—99.9% SLA), you avoid the 2x cost penalty of dual Direct Connect while still meeting the “willing to accept slower traffic” constraint.

Key Technical Detail: AWS supports Active/Passive failover between Direct Connect and VPN using BGP route metrics (AS_PATH prepending or Local Preference). The VPN connection costs ~$36/month (connection fee) plus minimal data transfer, versus a second Direct Connect port at ~$900/month.
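The failover mechanism described above, modelled as an added example that is not the article's code: a simplified BGP best-path selection on the on-premises edge router, preferring the Direct Connect path by LOCAL_PREF and using AS_PATH prepending on the VPN path as the second tie-breaker. The prefix, the "dx"/"vpn" link labels and ASN 64512 are constructed; the second RIB variant shows what a failover drill would reveal if the VPN route had never been advertised.

```python
"""Simplified BGP best-path model for the on-premises edge router in the scenario.
It learns the VPC prefix twice, over Direct Connect and over the Site-to-Site VPN,
and prefers DX by LOCAL_PREF, with AS_PATH prepending on the VPN path as a second
tie-breaker. Added example, not the article's code; real BGP has more tie-breakers."""
from dataclasses import dataclass

@dataclass
class Route:
    prefix: str
    via: str            # "dx" or "vpn" (constructed labels for the two links)
    local_pref: int     # higher wins; set by the inbound route-map on the edge router
    as_path: list       # shorter wins; prepending lengthens the backup path
    up: bool = True     # False once the BGP session over that link is lost

def best_path(routes):
    """Return the selected route among those whose session is still up, else None."""
    candidates = [r for r in routes if r.up]
    if not candidates:
        return None
    # BGP applies LOCAL_PREF first (highest wins), then the shortest AS_PATH.
    return max(candidates, key=lambda r: (r.local_pref, -len(r.as_path)))

def active_link(routes):
    """Name of the link currently carrying traffic, or None if no path is left."""
    best = best_path(routes)
    return None if best is None else best.via

def build_rib(with_vpn_backup=True):
    """Constructed RIB for the VPC prefix (ASN 64512 is a placeholder). Passing
    with_vpn_backup=False models a VPN route that was never advertised, the kind of
    silent misconfiguration a failover drill should expose before a real outage does."""
    vpc = "10.20.0.0/16"
    rib = [Route(vpc, "dx", local_pref=200, as_path=[64512])]
    if with_vpn_backup:
        rib.append(Route(vpc, "vpn", local_pref=100, as_path=[64512, 64512, 64512]))
    return rib

def simulate_failover(rib):
    """Which link carries traffic before, during and after a DX session loss."""
    timeline = [("normal", active_link(rib))]
    for r in rib:
        if r.via == "dx":
            r.up = False        # DX link failure: its route is withdrawn
    timeline.append(("dx_down", active_link(rib)))
    for r in rib:
        r.up = True             # DX restored: the higher LOCAL_PREF moves traffic back
    timeline.append(("dx_restored", active_link(rib)))
    return timeline
```

With the backup route present the timeline is dx, vpn, dx; without it the dx_down step yields None, which is exactly the gap a scheduled drill is meant to catch.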


💎 The Architect’s Deep Dive: Why Options Fail

The Traps (Distractor Analysis)

  • Why not Option B (Dual VPN)?

    • Fails the “stable latency” requirement. VPN runs over the public internet, meaning latency and jitter vary based on internet routing conditions. This violates the core business need for predictable performance during normal operations.
    • While cost-effective (~$72/month for dual VPN), it sacrifices the primary requirement for a secondary benefit.
  • Why not Option C (Dual Direct Connect)?

    • Violates the “minimize cost” constraint. Two Direct Connect connections (1 Gbps each) would cost approximately:
      • Port hours: $0.30/hour × 2 × 730 hours = ~$438/month
      • Data transfer out: Assume 10TB/month × $0.02 × 2 = ~$400/month
      • Total: ~$838/month vs. Option A: ~$480/month (DX + VPN)
    • This is a 75% cost increase for redundancy the business explicitly said it doesn’t need (they accept slower failover performance).
  • Why not Option D (CLI Auto-Creation)?

    • This feature doesn’t exist. AWS Direct Connect does not have an automatic “failover property” that creates backup connections on-demand via CLI. This is a fictitious distractor testing whether you know actual AWS capabilities.
    • Even if it existed, provisioning a new Direct Connect circuit takes days/weeks (physical cross-connects required), making it useless for failover.


The Architect Blueprint

```mermaid
graph TB
    subgraph "On-Premises Data Center"
        OnPremRouter[Corporate Router]
        OnPremERP[ERP System]
    end

    subgraph "AWS Region"
        VGW[Virtual Private Gateway]
        VPC[VPC - Analytics Workloads]
    end

    subgraph "Connectivity Layer"
        DX[Direct Connect<br/>1Gbps Dedicated<br/>Primary Path]
        VPN[Site-to-Site VPN<br/>IPsec Tunnel<br/>Backup Path]
    end

    OnPremERP -->|Production Traffic| OnPremRouter
    OnPremRouter -->|BGP Priority 100| DX
    OnPremRouter -->|BGP Priority 200<br/>Standby| VPN
    DX -->|Private VLAN| VGW
    VPN -->|Encrypted Over Internet| VGW
    VGW --> VPC

    style DX fill:#2E7D32,stroke:#1B5E20,color:#fff
    style VPN fill:#F57C00,stroke:#E65100,color:#fff
    style VGW fill:#1976D2,stroke:#0D47A1,color:#fff
```


Diagram Note: Traffic flows through Direct Connect (lower BGP metric) during normal operations; BGP automatically shifts to VPN if the Direct Connect link fails, providing seamless failover with degraded but functional connectivity.

The Decision Matrix

| Option | Est. Complexity | Est. Monthly Cost | Pros | Cons |
|---|---|---|---|---|
| A - DX + VPN | Medium | ~$480 (DX port $220 + data $240 + VPN $36) | ✅ Stable primary latency<br>✅ Cost-effective HA<br>✅ Automatic BGP failover | ⚠️ Backup path slower (acceptable per requirements) |
| B - Dual VPN | Low | ~$120 (2× VPN connections + data transfer) | ✅ Lowest cost<br>✅ Quick setup | ❌ Unstable latency (internet routing)<br>❌ Fails core requirement |
| C - Dual DX | High | ~$900 (2× DX ports + data transfer) | ✅ Highest performance<br>✅ Maximum availability | ❌ 87% cost increase vs. Option A<br>❌ Over-engineered for stated tolerance |
| D - DX Auto-Failover | N/A | N/A | N/A | ❌ Feature does not exist<br>❌ DX provisioning takes weeks |

FinOps Insight: Option A saves ~$5,000 annually compared to dual Direct Connect while still achieving 99.9%+ uptime. The cost difference funds approximately 104 hours of senior cloud architect time for other optimizations.


Real-World Practitioner Insight

Exam Rule

For the AWS SAA-C03 exam, when you see:

  • “Stable latency” + “minimize cost” + “accept slower backup” → Direct Connect + VPN backup
  • “Maximum performance at all times” + “no degradation tolerance” → Dual Direct Connect
  • “Fastest deployment” + “cost is top priority” → Dual VPN

Real World

In production environments, I typically enhance Option A with:

  1. Multi-Region VPN Endpoints: Configure VPN tunnels to two different AWS Regions to protect against regional DX facility failures (adds ~$36/month).

  2. Direct Connect Gateway: If the company expands to multiple VPCs across regions, use DX Gateway to share the connection (no additional cost, huge complexity reduction).

  3. Monitoring & Automated Testing: Implement CloudWatch alarms for DX link status and monthly failover drills using BGP weight manipulation—many teams discover their “backup” VPN was misconfigured only during actual outages.

  4. Vendor SLA Verification: Review the Direct Connect provider’s SLA carefully—some third-party colocation facilities have lower availability than AWS’s published metrics.

The Gotcha: In real projects, the “willing to accept slower traffic” statement requires quantified capacity planning. I’ve seen companies discover during failovers that their VPN bandwidth (typically 1.25 Gbps max per tunnel) was insufficient for actual traffic volumes, causing application timeouts. Always test failover under realistic load.
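The capacity planning the Gotcha calls for, as an added example that is not part of the article: it checks a measured Direct Connect utilisation profile against the 1.25 Gbps per-tunnel VPN ceiling quoted above and reports how much of the day the backup path would be saturated. The hourly traffic samples and the 80% headroom factor are constructed assumptions.

```python
"""Failover capacity check for the 'accept slower traffic' assumption.
Added example, not from the article: given measured Direct Connect utilisation samples,
decide whether the backup VPN can absorb the load before an outage proves it cannot.
The 1.25 Gbps per-tunnel ceiling is the article's figure; the traffic profile is constructed."""
import math

VPN_TUNNEL_GBPS = 1.25  # per-tunnel ceiling quoted in the article

# Constructed 24 hourly DX utilisation samples (Gbps) for a manufacturing day shift.
SAMPLE_DX_GBPS = [0.25, 0.22, 0.20, 0.21, 0.24, 0.35, 0.55, 0.80, 0.95, 1.05, 1.10, 1.15,
                  1.20, 1.18, 1.12, 1.08, 0.98, 0.85, 0.70, 0.55, 0.45, 0.38, 0.30, 0.27]

def percentile(samples, p):
    """Nearest-rank p-th percentile (0 < p <= 100) of a non-empty sample list."""
    s = sorted(samples)
    return s[max(0, math.ceil(p / 100 * len(s)) - 1)]

def failover_capacity(samples_gbps, active_tunnels=1, headroom=0.8):
    """Compare p95 and peak DX utilisation with the VPN capacity you can rely on.

    active_tunnels: keep 1 when the VPN terminates on a virtual private gateway, which
    does not spread traffic across both tunnels (ECMP over tunnels needs a transit gateway).
    headroom: fraction of nominal capacity to plan on; IPsec overhead and internet
    path variability mean the nominal ceiling is rarely sustained (assumed 80%)."""
    usable = VPN_TUNNEL_GBPS * active_tunnels * headroom
    p95 = percentile(samples_gbps, 95)
    peak = max(samples_gbps)
    return {
        "usable_gbps": round(usable, 3),
        "p95_gbps": p95,
        "peak_gbps": peak,
        "p95_fits": p95 <= usable,
        "peak_fits": peak <= usable,
        # sampling intervals per day that would be throttled on the backup path
        "intervals_over_capacity": sum(1 for s in samples_gbps if s > usable),
    }

if __name__ == "__main__":
    for key, value in failover_capacity(SAMPLE_DX_GBPS).items():
        print(f"{key:24s} {value}")
```

On the constructed profile the single tunnel with headroom is saturated for seven of the 24 hours, which is the timeout scenario described above; only planning on the nominal 1.25 Gbps makes it appear to fit.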
