Exam Context #
- Exam: AWS SAP-C02
- Scenario Category: Networking & Hybrid Connectivity
- Decision Focus: Direct Connect vs VPN selection, redundancy patterns, Transit Gateway integration
The SAP-C02 exam tests your ability to design hybrid connectivity architectures that meet specific requirements for bandwidth, latency, reliability, and cost. These scenarios require understanding the fundamental differences between Direct Connect and VPN, and when each is appropriate.
Hybrid Connectivity Trade-offs for AWS SAP-C02
Here’s the truth about SAP-C02 connectivity questions: they’re never about memorizing speeds and feeds. They’re about understanding constraints.
The exam presents scenarios with specific requirements—latency sensitivity, compliance mandates, budget limitations, availability targets—and expects you to match those constraints to the right connectivity option. Sometimes that’s VPN. Sometimes that’s Direct Connect. Often, it’s both.
This pillar gives you the decision framework that SAP-C02 actually tests.
Exam Context & Decision Framing #
Why DX vs VPN Is a Core SAP-C02 Topic #
Hybrid connectivity carries significant weight in SAP-C02 because it touches nearly every enterprise AWS deployment. You’ll encounter these decisions across multiple exam domains.
In migration scenarios, the exam asks how companies should establish connectivity during the transition from on-premises to cloud. For high availability and disaster recovery questions, you need to understand what provides resilient connectivity back to corporate data centers. Global architecture questions test your knowledge of connecting regional offices and branch locations to AWS workloads. Cost optimization scenarios require you to evaluate which option minimizes expenses while still meeting technical requirements.
Expect three to five questions directly about DX versus VPN decisions, plus another five to eight where connectivity is a component of a larger architecture question.
Typical Exam Triggers #
SAP-C02 uses specific language patterns to signal connectivity requirements. Learning to recognize these triggers accelerates your decision-making during the exam.
When you see “on-premises data center” in a question, you know hybrid connectivity is needed, but the specific choice depends on other factors in the scenario. The phrase “predictable bandwidth” or “consistent bandwidth” implies that throughput stability matters, which points toward Direct Connect. Similarly, “consistent latency” or “low jitter” signals that network predictability is important, again favoring Direct Connect.
The phrase “must not traverse the public internet” is a strong indicator that Direct Connect is required, as this is a hard constraint that VPN cannot satisfy. Conversely, “quickly establish connectivity” emphasizes deployment speed, which favors VPN since it can be configured in minutes rather than weeks.
Cost-related language requires careful interpretation. “Cost-sensitive” or “minimize costs” in the context of a startup or low-volume scenario typically points to VPN. However, “optimize transfer costs” with high data volumes might actually favor Direct Connect due to its lower egress rates.
“Mission-critical workloads” combined with availability requirements often signals that a hybrid approach using both DX and VPN is the correct answer.
| Exam Keywords | Architecture Signal | Likely Option |
|---|---|---|
| “Predictable bandwidth” | Throughput consistency required | Direct Connect |
| “Must not traverse public internet” | Private connectivity mandatory | Direct Connect |
| “Quickly establish” | Deployment speed priority | VPN |
| “Cost-sensitive startup” | Budget constraint, low volume | VPN |
| “Mission-critical with failover” | High availability required | DX + VPN |
| “Large nightly data sync” | High bandwidth transfers | Direct Connect |
| “Encryption required” | Data protection mandate | VPN or DX + encryption |
Connectivity Options Overview #
Site-to-Site VPN (Baseline Option) #
Site-to-Site VPN creates encrypted IPsec tunnels over the public internet between your on-premises network and AWS. This is the baseline hybrid connectivity option that most organizations start with.
The primary advantage of VPN is speed of deployment. You can establish connectivity in minutes to hours, requiring only configuration changes on your existing network equipment and the AWS console. There’s no physical infrastructure to provision, no contracts to negotiate with colocation providers, and no waiting for circuit installation.
VPN provides native encryption through IPsec, meaning your traffic is protected in transit without any additional configuration. This satisfies many compliance requirements around data protection.
However, VPN has inherent limitations. Because traffic traverses the public internet, you cannot guarantee bandwidth or latency. Network performance varies based on internet conditions, time of day, and the specific path your traffic takes. The maximum throughput per tunnel is approximately 1.25 Gbps with acceleration enabled, which may be insufficient for large-scale data transfers.
AWS Direct Connect (Dedicated Connectivity) #
Direct Connect provides dedicated, private network connections from your premises to AWS through AWS Direct Connect locations. This is a fundamentally different approach from VPN.
With Direct Connect, your traffic never touches the public internet. Instead, it flows through dedicated fiber connections from your data center (or a colocation facility) to an AWS Direct Connect location, then across AWS’s private backbone to your VPCs. This dedicated path provides consistent bandwidth and predictable latency that VPN cannot match.
Direct Connect supports much higher throughput, ranging from 50 Mbps hosted connections up to 100 Gbps dedicated connections. For organizations moving large amounts of data, this capacity is essential.
The trade-off is complexity and time. Establishing Direct Connect requires physical infrastructure: cross-connects at a DX location, potentially new circuits from your data center, and coordination with AWS partners or colocation providers. This process typically takes weeks to months, not hours.
It’s also important to understand that Direct Connect does not encrypt traffic by default. The connection is private, but not encrypted. If you need both privacy and encryption, you must add MACsec at layer 2 or run a VPN tunnel over the Direct Connect connection.
Decision Dimensions That Matter in SAP-C02 #
SAP-C02 never directly asks “which is better?” The exam only asks: given specific constraints, which option is more appropriate? Understanding the dimensions the exam tests helps you parse scenarios quickly.
Latency & Network Predictability #
Network predictability is often the deciding factor for latency-sensitive applications. VPN traffic takes whatever path the internet provides at that moment, which can change based on routing decisions made by intermediate providers. This results in variable latency and jitter that applications cannot predict or control.
Direct Connect eliminates this variability. Your traffic follows a dedicated path with consistent characteristics. If your application requires sub-10ms latency with minimal jitter—such as real-time trading systems, video conferencing infrastructure, or industrial control systems—Direct Connect is typically the only viable option.
When exam scenarios mention “consistent latency,” “predictable network performance,” or “low jitter requirements,” these are signals pointing toward Direct Connect.
Bandwidth & Throughput #
The bandwidth ceiling differs dramatically between options. VPN tunnels max out at approximately 1.25 Gbps with acceleration, and scaling requires adding multiple tunnels with increasing complexity. Direct Connect scales from 50 Mbps to 100 Gbps, with straightforward upgrades by changing port speeds or adding connections.
For large data transfers—database replication, backup synchronization, media file distribution—the bandwidth difference is decisive. A nightly 50 TB sync that would take over 100 hours on a saturated VPN tunnel could complete in under 2 hours on a 100 Gbps Direct Connect.
Exam scenarios mentioning “large data volumes,” “nightly synchronization of terabytes,” or “high-bandwidth requirements” signal Direct Connect.
Availability & Redundancy #
Both options can achieve high availability, but the failure modes differ. VPN depends on internet connectivity, which is generally reliable but outside your control. Direct Connect depends on physical infrastructure—fiber, ports, and the DX location itself—which you can design for redundancy but which fails differently than internet outages.
A single Direct Connect connection has multiple single points of failure: the physical port, the cross-connect, the fiber path, and the DX location. This is why AWS strongly recommends redundant connections at different locations for production workloads.
The combination of DX and VPN provides diverse failure domains: if your Direct Connect fails due to a fiber cut, your VPN backup uses an entirely different path through the internet.
Security & Compliance #
Security requirements often determine connectivity choice, but you must understand what each option actually provides.
VPN always encrypts traffic using IPsec. This satisfies requirements for encryption in transit regardless of the underlying network path.
Direct Connect provides private connectivity—traffic never traverses the public internet—but does not encrypt by default. “Private” and “encrypted” are different security properties. Some compliance frameworks require traffic to stay off the public internet (favoring DX), while others require encryption (favoring VPN or DX with encryption added).
When scenarios state “traffic must not traverse the public internet,” Direct Connect is required. When scenarios state “all traffic must be encrypted,” VPN satisfies this, as does Direct Connect with MACsec or a VPN overlay.
Cost Model & Scaling #
VPN has low fixed costs: approximately $0.05 per hour per connection, plus standard data transfer rates. This makes it economical for low-volume or temporary connectivity needs.
Direct Connect has higher fixed costs: port charges, cross-connect fees, and potentially partner charges. However, data transfer rates are significantly lower—roughly 30-50% less than standard internet egress rates.
The break-even point depends on your data transfer volume. At approximately 1-5 TB per month of egress (varying by region), Direct Connect becomes more cost-effective despite higher fixed costs. For organizations transferring tens or hundreds of terabytes monthly, the savings are substantial.
| Dimension | Site-to-Site VPN | Direct Connect | Exam Signal |
|---|---|---|---|
| Setup time | Minutes to hours | Weeks to months | “Quickly establish” → VPN |
| Bandwidth ceiling | 1.25 Gbps per tunnel | Up to 100 Gbps | “Large data volumes” → DX |
| Latency consistency | Variable | Consistent | “Predictable latency” → DX |
| Native encryption | Yes (IPsec) | No (optional add-on) | “Encryption required” → VPN or DX+VPN |
| Internet dependency | Yes | No | “No public internet” → DX |
| Initial cost | Low | High | “Cost-sensitive startup” → VPN |
| Egress cost per GB | Standard rates | Reduced rates | “Optimize transfer costs” → DX |
| Physical dependency | None | DX location required | “Remote location” → VPN |
| Maximum availability | ~99.95% | ~99.99% with design | “Mission-critical” → DX+VPN |
Availability & Resilience Patterns #
SAP-C02 heavily tests resilience architectures. Understanding the patterns for each option is essential for answering availability-focused questions.
VPN High Availability Patterns #
Dual Tunnels (Default) #
Every Site-to-Site VPN connection automatically includes two tunnels terminating on different AWS endpoints. This provides redundancy against AWS-side failures without any additional configuration. If one tunnel becomes unavailable, traffic automatically fails over to the other.
However, both tunnels originate from the same customer gateway device and traverse the same internet connection. This means your on-premises router and internet circuit remain single points of failure.
Multiple Customer Gateways #
For higher availability, you can deploy redundant customer gateway devices. Two routers at the same location protect against device failure. Two routers at different physical locations protect against site-level failures such as power outages or natural disasters.
Each customer gateway establishes its own VPN connection with dual tunnels, providing four total tunnels and eliminating the customer-side single points of failure.
Direct Connect Resilience Models #
Single DX (NOT Exam-Safe) #
A single Direct Connect connection has multiple failure points: the physical port at the DX location, the cross-connect fiber, your router, and the DX location itself. Any of these failures results in complete connectivity loss.
This is critical for exam purposes: single Direct Connect is almost never the correct answer for production or mission-critical workloads. If a scenario mentions high availability requirements and an answer option suggests single DX without backup, that option is likely wrong.
Dual DX Locations #
AWS recommends connections at two different Direct Connect locations for maximum resilience. This protects against location-level failures such as power outages, natural disasters, or major fiber cuts affecting a single facility.
Two connections at the same DX location provide some redundancy against port or device failures but share location-level risks.
DX + VPN Failover #
The combination of Direct Connect as primary and VPN as backup is a common pattern that appears frequently in SAP-C02. This architecture provides the performance benefits of Direct Connect during normal operations while maintaining connectivity through VPN if Direct Connect fails.
BGP manages the failover automatically. You configure the Direct Connect path with a shorter AS path (making it preferred) and the VPN path with a longer AS path (making it backup). When Direct Connect fails, BGP reconverges within seconds and traffic shifts to VPN. When Direct Connect recovers, traffic returns to the preferred path.
This pattern is cost-effective compared to dual Direct Connect while still providing high availability through diverse failure domains.
Security & Compliance Considerations #
Security requirements often determine connectivity choice. SAP-C02 tests your understanding of what each option actually provides versus what people assume it provides.
Encryption in Transit #
VPN provides encryption natively. Every packet is encrypted using IPsec before leaving your network and decrypted upon arrival at AWS. You don’t need to configure anything additional—encryption is inherent to how VPN works.
Direct Connect does not encrypt traffic by default. Your data travels in clear text across the dedicated connection. This is private—no one on the public internet can intercept it—but it’s not encrypted.
To add encryption to Direct Connect, you have two options. MACsec provides layer 2 encryption on supported connection types, encrypting all traffic on the physical link. Alternatively, you can run a VPN tunnel over the Direct Connect connection, providing layer 3 encryption while still benefiting from the dedicated path’s consistency.
The key insight is that “private” and “encrypted” are different security properties. Direct Connect provides privacy (traffic isolation from public internet). VPN provides encryption (traffic protection through cryptography). Some scenarios require one, some require the other, and some require both.
Regulatory Exam Scenarios #
Compliance requirements in exam scenarios map to specific solutions. Understanding these mappings helps you quickly identify correct answers.
When a scenario states that traffic must not traverse the public internet, Direct Connect is required. VPN cannot satisfy this requirement regardless of its encryption.
When a scenario requires all traffic to be encrypted, VPN satisfies this requirement. Direct Connect alone does not, unless MACsec or VPN overlay is added.
When a scenario requires both private connectivity and encryption, you need Direct Connect with an encryption layer—either MACsec or VPN running over the DX connection.
| Requirement | DX Alone | VPN Alone | DX + VPN Overlay |
|---|---|---|---|
| Traffic must not traverse public internet | Valid | Invalid | Valid |
| All traffic must be encrypted | Invalid | Valid | Valid |
| Private connectivity with encryption | Invalid | Invalid | Valid |
| Consistent latency with encryption | Invalid | Invalid | Valid |
| Quick setup with encryption | Invalid | Valid | Invalid |
Cost & Operational Trade-offs #
Cost optimization questions require understanding the full cost picture, not just headline prices.
VPN Cost Characteristics #
VPN costs are straightforward and predictable. You pay approximately $0.05 per hour per VPN connection, which works out to roughly $36 per month. Data transfer follows standard EC2 egress pricing, typically around $0.09 per GB depending on region.
If you enable VPN acceleration for improved performance, add approximately $0.04 per hour. Your customer gateway hardware or software is your own cost, but most organizations can use existing network equipment.
The cost profile is low fixed cost with variable data transfer cost. This makes VPN economical for low-volume scenarios and predictable for budgeting.
DX Cost Characteristics #
Direct Connect costs have more components. Port charges vary by speed: a 1 Gbps port costs approximately $0.30 per hour. Cross-connect fees at the DX location range from $50 to $500 per month depending on the facility. If you use a partner connection rather than a dedicated port, partner fees add to the cost.
However, data transfer rates are significantly lower than internet egress—approximately $0.02 per GB compared to $0.09 per GB for standard transfer. This difference becomes substantial at scale.
The cost profile is higher fixed cost with lower variable data transfer cost. The break-even point where DX becomes cheaper than VPN depends on your egress volume, typically somewhere between 1 and 5 TB per month.
| Cost Pattern | Best Fit Option | Reasoning |
|---|---|---|
| Low volume, temporary need | VPN | Low fixed cost, no long-term commitment |
| Low volume, permanent need | VPN | Fixed costs don’t justify DX investment |
| High volume (>5TB/month egress) | Direct Connect | Egress savings exceed port costs |
| Variable volume with peaks | Hybrid (DX + VPN) | DX for baseline, VPN for overflow |
| Cost-sensitive startup | VPN | Minimize upfront investment |
| Enterprise steady-state | Direct Connect | Predictable costs, better rates at scale |
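The break-even reasoning above, and the transfer-time comparison from the bandwidth section, written out as a small Python model. This is an added example, not code from the original article: the per-hour and per-GB prices are the approximate figures the article quotes (they vary by region), while the 730-hour month, the decimal 1 TB = 8,000 Gb conversion, the `efficiency` parameter and all function names are this example's own assumptions.

```python
# Added example (not from the original article): cost and transfer-time model
# behind the VPN-versus-Direct-Connect break-even. Prices are the approximate
# figures quoted in the article; everything else is an assumption of this example.

HOURS_PER_MONTH = 730  # assumption: average month used for hourly charges

# Approximate list prices quoted in the article (vary by region).
VPN_CONNECTION_PER_HOUR = 0.05   # $/hour per Site-to-Site VPN connection
INTERNET_EGRESS_PER_GB = 0.09    # $/GB standard data transfer out
DX_1G_PORT_PER_HOUR = 0.30       # $/hour for a 1 Gbps dedicated port
DX_EGRESS_PER_GB = 0.02          # $/GB data transfer out over Direct Connect


def vpn_monthly_cost(egress_gb: float, connections: int = 1) -> float:
    """Low fixed cost, standard egress rate."""
    fixed = connections * VPN_CONNECTION_PER_HOUR * HOURS_PER_MONTH
    return fixed + egress_gb * INTERNET_EGRESS_PER_GB


def dx_monthly_cost(egress_gb: float, cross_connect_per_month: float = 50.0,
                    port_per_hour: float = DX_1G_PORT_PER_HOUR) -> float:
    """Higher fixed cost (port plus cross-connect), reduced egress rate."""
    fixed = port_per_hour * HOURS_PER_MONTH + cross_connect_per_month
    return fixed + egress_gb * DX_EGRESS_PER_GB


def break_even_gb(cross_connect_per_month: float = 50.0) -> float:
    """Egress volume at which DX and VPN cost the same for the month.

    fixed_dx + v * dx_rate == fixed_vpn + v * internet_rate, solved for v.
    """
    fixed_vpn = VPN_CONNECTION_PER_HOUR * HOURS_PER_MONTH
    fixed_dx = DX_1G_PORT_PER_HOUR * HOURS_PER_MONTH + cross_connect_per_month
    return (fixed_dx - fixed_vpn) / (INTERNET_EGRESS_PER_GB - DX_EGRESS_PER_GB)


def cheaper_option(egress_gb: float, cross_connect_per_month: float = 50.0) -> str:
    """Name the cheaper option for a given monthly egress volume."""
    if dx_monthly_cost(egress_gb, cross_connect_per_month) < vpn_monthly_cost(egress_gb):
        return "Direct Connect"
    return "VPN"


def transfer_hours(size_tb: float, link_gbps: float, efficiency: float = 1.0) -> float:
    """Wall-clock hours to move size_tb over a link of link_gbps.

    Decimal units (1 TB = 8,000 Gb); efficiency < 1 models protocol overhead
    and the fact that a tunnel rarely runs at its ceiling.
    """
    gigabits = size_tb * 8_000
    return gigabits / (link_gbps * efficiency) / 3600


if __name__ == "__main__":
    for tb in (0.5, 1, 3, 5, 20):
        gb = tb * 1000
        print(f"{tb:>5} TB/month: VPN ${vpn_monthly_cost(gb):8.2f}  "
              f"DX ${dx_monthly_cost(gb):8.2f}  -> {cheaper_option(gb)}")
    print(f"break-even with a $50 cross-connect:  {break_even_gb(50) / 1000:.2f} TB/month")
    print(f"break-even with a $500 cross-connect: {break_even_gb(500) / 1000:.2f} TB/month")
    print(f"50 TB over a 1.25 Gbps VPN tunnel: {transfer_hours(50, 1.25):.1f} h at line rate")
    print(f"50 TB over a 100 Gbps DX:          {transfer_hours(50, 100):.1f} h at line rate")
```

With the article's numbers and a $50 cross-connect, the crossover lands at roughly 3.3 TB per month, inside the 1 to 5 TB range the article gives. The same model with a $500 cross-connect pushes it to roughly 9.75 TB, which is why the facility fee, not just the port price, belongs in any cost-optimization answer. The 50 TB transfer takes about 89 hours at a tunnel's theoretical ceiling; passing `efficiency=0.8` to `transfer_hours` shows how quickly that becomes the "over 100 hours" of the bandwidth section.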
Migration & Hybrid Workload Scenarios #
SAP-C02 frequently presents migration scenarios where connectivity requirements evolve over time.
Lift-and-Shift Migration #
During the assessment and pilot phases of migration, VPN is typically the right choice. You need connectivity quickly to validate your approach, and data volumes are limited. Spending weeks setting up Direct Connect before you’ve confirmed your migration strategy doesn’t make sense.
As you move into bulk migration—transferring large databases, file systems, and application data—bandwidth becomes critical. This is when Direct Connect pays off. The higher throughput dramatically reduces migration timelines, and the lower egress costs reduce the total migration expense.
After migration completes and you reach steady state, evaluate your ongoing needs. If you’re running a true hybrid architecture with continuous data flow between on-premises and AWS, Direct Connect likely remains the right choice. If AWS becomes your primary environment with only occasional on-premises connectivity, VPN might be sufficient and more cost-effective.
Ongoing Hybrid Operations #
For permanent hybrid architectures, match your connectivity to your workload patterns.
Steady, predictable traffic with consistent bandwidth requirements favors Direct Connect. You’re paying for dedicated capacity, and you’re using it consistently.
Bursty, variable traffic might favor a hybrid approach: Direct Connect sized for your baseline load, with VPN available for overflow during peak periods.
Latency-sensitive applications almost always require Direct Connect. The variability of internet-based VPN is incompatible with real-time requirements.
DR & Backup Connectivity #
Disaster recovery connectivity depends on your DR strategy.
Active-active architectures where both sites handle production traffic need high-quality connectivity to both. This typically means Direct Connect to both locations, potentially at different DX facilities for geographic diversity.
Active-passive architectures can use Direct Connect for the primary site and VPN for the DR site. The DR site only needs connectivity for replication and occasional failover testing, making VPN’s lower cost appropriate.
Pilot light or backup-only scenarios where the DR site is dormant most of the time are well-suited to VPN. You’re not paying for dedicated capacity you rarely use.
Common SAP-C02 Traps & Wrong Assumptions #
The exam includes deliberately misleading options based on common misconceptions. Recognizing these traps helps you eliminate wrong answers.
“DX Is Always More Secure” #
Many people assume Direct Connect is more secure than VPN because it’s “dedicated” or “private.” This conflates privacy with security.
Direct Connect provides network isolation—your traffic doesn’t share infrastructure with public internet traffic. But isolation isn’t encryption. Your data travels in clear text unless you add MACsec or a VPN overlay.
VPN provides encryption—your traffic is cryptographically protected regardless of what network it traverses. The internet path is shared, but the content is unreadable to anyone without the keys.
For scenarios requiring encryption, VPN satisfies the requirement. Direct Connect alone does not.
“DX Replaces VPN Completely” #
Once organizations invest in Direct Connect, there’s a temptation to eliminate VPN entirely. This is often a mistake.
Direct Connect and VPN serve complementary roles. Direct Connect provides performance and cost benefits for primary connectivity. VPN provides a backup path through an entirely different infrastructure.
A fiber cut affecting your Direct Connect doesn’t affect your VPN. A DX location outage doesn’t affect your VPN. Maintaining VPN as a backup provides resilience that dual Direct Connect at the same location cannot match.
Many production architectures correctly use both—DX for primary, VPN for backup.
“VPN Can’t Be Highly Available” #
Some assume VPN is inherently unreliable or unsuitable for production. This underestimates what proper VPN design can achieve.
A single VPN connection includes dual tunnels by default, providing redundancy against AWS-side failures. Multiple customer gateways eliminate on-premises single points of failure. Multiple VPN connections across different internet circuits provide path diversity.
VPN with proper redundancy can achieve high availability suitable for many production workloads. It’s not as resilient as geographically diverse Direct Connect, but it’s far from fragile.
| Wrong Belief | Correct Reasoning |
|---|---|
| DX is always more secure than VPN | DX is private but not encrypted; VPN is encrypted but uses public internet |
| DX replaces VPN completely | They’re complementary; VPN provides valuable backup path |
| VPN can’t be highly available | Proper design with multiple CGWs achieves high availability |
| DX is always faster to deploy | DX takes weeks/months; VPN deploys in minutes/hours |
| VPN is always cheaper | DX has lower egress rates; high-volume scenarios favor DX |
Exam Answering Framework (5-Step Logic) #
Use this decision flow when encountering DX versus VPN questions on the exam.
Step-by-Step Decision Flow #
Start by checking if public internet is explicitly disallowed. Phrases like “traffic must not traverse the public internet” or “private connectivity required” mean Direct Connect is mandatory. VPN cannot satisfy this requirement.
If public internet is acceptable, check bandwidth requirements. Does the scenario mention large data transfers, high throughput needs, or bandwidth exceeding 1 Gbps? These signal Direct Connect.
Next, evaluate latency requirements. Does the scenario mention consistent latency, low jitter, or real-time applications? Variable internet latency makes VPN unsuitable for these use cases.
Check encryption requirements. If encryption is mandatory and Direct Connect is otherwise indicated, you need DX with VPN overlay or MACsec. If encryption is the primary requirement without other DX drivers, VPN alone may suffice.
Finally, consider deployment timeline and duration. “Quickly establish” or “temporary connectivity” favor VPN. Long-term, steady-state operations favor Direct Connect if other requirements support it.
For high availability scenarios, consider whether the answer should be “both.” DX plus VPN provides diverse failure domains that neither option alone can match.
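The five-step flow above, and the keyword table in the Typical Exam Triggers section, condensed into one Python function so that a scenario's stated constraints are always run through the checks in the same order. This is an added example, not code from the original article: the `Scenario` field names, the 1 Gbps bandwidth threshold (a single VPN tunnel's ceiling rounded down) and the option labels are this example's assumptions. The high-availability step follows the article's own caveat that VPN with redundant customer gateways is itself a valid HA design when nothing else calls for Direct Connect.

```python
# Added example (not from the original article): the article's five-step
# DX-versus-VPN decision flow as a function. Field names, the 1 Gbps threshold
# and the option labels are assumptions of this example.
from dataclasses import dataclass


@dataclass
class Scenario:
    no_public_internet: bool = False   # "must not traverse the public internet"
    bandwidth_gbps: float = 0.0        # sustained throughput the workload needs
    consistent_latency: bool = False   # "low jitter", "real-time", "predictable"
    encryption_required: bool = False  # "all traffic must be encrypted"
    quick_setup: bool = False          # "quickly establish", "temporary"
    high_availability: bool = False    # "mission-critical", "failover"


DX = "Direct Connect"
VPN = "Site-to-Site VPN"
DX_ENCRYPTED = "Direct Connect + VPN overlay (or MACsec)"
DX_PLUS_VPN = "Direct Connect primary + VPN backup"
VPN_HA = "Site-to-Site VPN with redundant customer gateways"

SINGLE_TUNNEL_GBPS = 1.0  # assumption: above this a single VPN tunnel is insufficient


def decide(s: Scenario) -> tuple:
    """Return (recommended option, reason) using the article's step order."""
    # Step 1: a hard "no public internet" constraint rules VPN out entirely.
    if s.no_public_internet:
        base, why = DX, "public internet disallowed"
    # Steps 2 and 3: bandwidth or latency predictability make VPN unsuitable.
    elif s.bandwidth_gbps > SINGLE_TUNNEL_GBPS:
        base, why = DX, "bandwidth above a single VPN tunnel"
    elif s.consistent_latency:
        base, why = DX, "variable internet latency unacceptable"
    # Step 5 (timeline) only decides when no DX driver was found.
    elif s.quick_setup:
        base, why = VPN, "deployment speed priority"
    else:
        base, why = VPN, "no requirement that VPN cannot meet"

    # Step 4: "private" is not "encrypted"; a DX answer needs an encryption
    # layer added, while VPN already encrypts with IPsec.
    if base == DX and s.encryption_required:
        base, why = DX_ENCRYPTED, why + "; encryption required on a private link"

    # Availability: diverse failure domains for a DX answer, redundant
    # customer gateways for a VPN answer. The VPN backup of a hybrid design
    # is IPsec-encrypted, so an encryption requirement still holds there.
    if s.high_availability:
        if base == VPN:
            return VPN_HA, why + "; redundant customer gateways for HA"
        return DX_PLUS_VPN, why + "; diverse failure domains for HA"
    return base, why


if __name__ == "__main__":
    # Constructed scenarios mirroring the keyword and requirement tables.
    samples = {
        "must not traverse public internet": Scenario(no_public_internet=True),
        "large nightly data sync (10 Gbps)": Scenario(bandwidth_gbps=10),
        "quick setup with encryption": Scenario(quick_setup=True, encryption_required=True),
        "private connectivity with encryption": Scenario(no_public_internet=True, encryption_required=True),
        "mission-critical, consistent latency, failover": Scenario(consistent_latency=True, high_availability=True),
        "cost-sensitive startup needing HA": Scenario(high_availability=True),
    }
    for label, scenario in samples.items():
        option, reason = decide(scenario)
        print(f"{label:48} -> {option} ({reason})")
```

The ordering is the point: encryption is evaluated after the Direct Connect drivers, so "quick setup with encryption" resolves to VPN while "private connectivity with encryption" resolves to DX with an encryption layer, matching the requirement table in the Regulatory Exam Scenarios section.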
When the Correct Answer Is “DX + VPN” #
Many SAP-C02 questions have hybrid answers. Recognizing when “both” is correct is a key skill.
Exam Pattern Recognition #
Certain scenario patterns strongly indicate that the hybrid DX plus VPN architecture is the correct answer.
When scenarios mention “high availability for hybrid connectivity,” a single connectivity option has single points of failure that the hybrid approach eliminates.
“Mission-critical with failover requirements” signals the need for diverse failure domains. Direct Connect and VPN fail independently—a fiber cut doesn’t affect your internet connection, and an ISP outage doesn’t affect your dedicated circuit.
“Consistent performance with backup connectivity” describes exactly what the hybrid pattern provides: Direct Connect for day-to-day performance, VPN for resilience.
“Private connectivity with encryption” requires both properties. Direct Connect provides privacy; VPN overlay provides encryption.
Architecture Explanation #
The hybrid pattern works because Direct Connect and VPN complement each other’s strengths and weaknesses.
Direct Connect provides the primary path with consistent bandwidth, predictable latency, and lower data transfer costs. This handles your normal operational traffic optimally.
VPN provides the backup path through entirely different infrastructure. When Direct Connect fails—whether due to port failure, fiber cut, or DX location issues—traffic automatically shifts to VPN.
BGP manages the failover. You configure the Direct Connect path with a shorter AS path, making it the preferred route. The VPN path has a longer AS path, making it the backup. BGP’s standard route selection prefers shorter AS paths, so traffic uses Direct Connect when available.
When Direct Connect fails, BGP detects the path loss and reconverges to the VPN path within seconds. When Direct Connect recovers, BGP sees the preferred path return and shifts traffic back.
This automatic failover requires no manual intervention and provides resilience that neither option alone can match.
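The BGP behaviour described in this section and in the DX + VPN Failover section earlier, modelled as a small route-selection simulation. This is an added example, not code from the original article or from AWS: the prefix, the ASN, the `Route` and `Router` classes and the stage names are constructed for illustration. It shows the mechanism the article describes, the VPN advertisement carrying a longer AS path (the usual way to lengthen it is AS path prepending on the VPN session), so the Direct Connect route wins while it exists and the VPN route takes over the moment it is withdrawn.

```python
# Added example (not from the original article): a minimal model of how BGP
# best-path selection keeps Direct Connect as primary and Site-to-Site VPN as
# backup. Prefix, ASN and attribute values are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Route:
    prefix: str            # destination, here the on-premises network
    next_hop: str          # "direct-connect" or "vpn"
    as_path: tuple         # sequence of ASNs; its length is what selection compares
    local_pref: int = 100  # BGP compares LOCAL_PREF before AS_PATH length


@dataclass
class Router:
    """Holds the candidate routes per prefix and picks the best one BGP-style."""
    rib: dict = field(default_factory=dict)  # prefix -> {next_hop: Route}

    def learn(self, route: Route) -> None:
        self.rib.setdefault(route.prefix, {})[route.next_hop] = route

    def withdraw(self, prefix: str, next_hop: str) -> None:
        """A link or session failure withdraws the routes learned over it."""
        self.rib.get(prefix, {}).pop(next_hop, None)

    def best(self, prefix: str):
        candidates = list(self.rib.get(prefix, {}).values())
        if not candidates:
            return None  # no path at all: both links are down
        # Ordering for the attributes modelled here: higher LOCAL_PREF wins,
        # then the shorter AS_PATH wins. Real BGP has further tie-breakers.
        return min(candidates, key=lambda r: (-r.local_pref, len(r.as_path)))


CORP_AS = 65000          # constructed on-premises ASN
PREFIX = "10.10.0.0/16"  # constructed on-premises prefix


def build_router() -> Router:
    r = Router()
    # Over Direct Connect the prefix is advertised with the on-prem ASN once.
    r.learn(Route(PREFIX, "direct-connect", (CORP_AS,)))
    # Over VPN the same prefix is advertised with the ASN prepended, so the
    # path is longer and loses as long as the Direct Connect route exists.
    r.learn(Route(PREFIX, "vpn", (CORP_AS, CORP_AS, CORP_AS)))
    return r


def failover_sequence() -> list:
    """Chosen next hop at each stage: steady state, DX down, DX recovered."""
    r = build_router()
    stages = [r.best(PREFIX).next_hop]
    r.withdraw(PREFIX, "direct-connect")                   # fiber cut or port failure
    stages.append(r.best(PREFIX).next_hop)
    r.learn(Route(PREFIX, "direct-connect", (CORP_AS,)))  # DX session comes back
    stages.append(r.best(PREFIX).next_hop)
    return stages


if __name__ == "__main__":
    print(failover_sequence())
```

Two design points worth noticing. First, nothing "switches" traffic: the preferred route simply disappears from the table when the session drops and the remaining route becomes best, which is why the failover needs no manual step. Second, the comparison order matters in practice: if the VPN route were ever given a higher LOCAL_PREF, it would beat the shorter AS path, so when troubleshooting a design where traffic stays on VPN after Direct Connect recovers, check the attribute that is compared first.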
Key Takeaways for SAP-C02 #
What You Must Remember #
VPN is fast, cheap, encrypted, and variable. You can deploy it in minutes, it costs relatively little, it always encrypts your traffic, but performance varies with internet conditions. Choose VPN when speed of deployment matters, when costs must stay low, when traffic volumes are modest, or when you need backup connectivity.
Direct Connect is stable, predictable, scalable, and private. It takes weeks to deploy, costs more upfront but less per gigabyte transferred, doesn’t encrypt by default, and provides consistent performance. Choose Direct Connect when you need high bandwidth, consistent latency, large data transfers, or when traffic must stay off the public internet.
SAP-C02 loves hybrid answers. The combination of DX plus VPN appears frequently because it’s genuinely good architecture. Don’t assume “both” is a cop-out answer—it’s often the most resilient and appropriate solution.
Match constraints to capabilities. “No public internet” requires Direct Connect. “Encryption required” requires VPN or DX with encryption. “Quick setup” favors VPN. “High bandwidth” favors Direct Connect. “Mission-critical availability” often means both.
Understand the cost crossover. Low data volumes favor VPN’s lower fixed costs. High data volumes favor Direct Connect’s lower per-gigabyte rates. The break-even is typically between 1 and 5 TB monthly egress.
Resilience requires intentional design. Single Direct Connect is not highly available. VPN with multiple customer gateways improves availability. DX plus VPN provides diverse failure domains that maximize resilience.
Related Pillars & Internal Links #
This pillar connects to several related topics in the SAP-C02 curriculum.
For DNS considerations in hybrid environments, see the Hybrid DNS Resolution Logic pillar, which covers how to configure Route 53 Resolver for bidirectional name resolution across your connectivity.
Transit Gateway Routing Patterns explains how to centralize hybrid connectivity across multiple VPCs, including how Transit Gateway integrates with both Direct Connect Gateway and VPN attachments.
The HA/DR Connectivity Design pillar provides deeper coverage of resilience patterns, including multi-region considerations and RPO/RTO implications of different connectivity architectures.
Migration Network Strategy covers how connectivity requirements evolve through migration phases, with detailed guidance on sizing and timing your connectivity investments.