8.3 Hybrid Architecture — DNS, Storage, and Compute
Key Takeaways
- AWS Outposts puts AWS-managed racks (EC2, EBS, S3 on Outposts, RDS) in YOUR data center for low latency to local systems and data residency, billed as a capacity reservation.
- Route 53 Resolver INBOUND endpoints let on-premises resolve VPC private zones; OUTBOUND endpoints plus forwarding rules let VPC resources resolve on-premises domains.
- Storage Gateway provides hybrid storage with a local cache: S3 File Gateway (NFS/SMB→S3), FSx File Gateway (SMB→FSx Windows), Volume Gateway (iSCSI block, cached or stored), and Tape Gateway (VTL→Glacier).
- AWS Local Zones place compute near a metro for single-digit-millisecond latency; AWS Wavelength embeds compute in 5G carrier networks for mobile-edge latency.
- Connectivity choices: Site-to-Site VPN is quick to set up and encrypted with IPsec, but it rides the public internet; Direct Connect is a dedicated private link with consistent throughput and lower latency, but the circuit itself is not encrypted. To get both, run an IPsec VPN over a Direct Connect public VIF (or MACsec on supported dedicated connections) and keep an internet VPN as the failover path.
Quick Answer: Outposts = AWS-managed racks in your data center. Route 53 Resolver: inbound = on-prem resolves VPC names; outbound = VPC resolves on-prem names. Storage Gateway = hybrid storage with a local cache (File/FSx/Volume/Tape). Local Zones = AWS compute near a metro; Wavelength = compute inside 5G carrier networks. Link on-prem to AWS with Site-to-Site VPN (fast, encrypted, over the internet) or Direct Connect (dedicated, consistent, private, but not encrypted unless you add IPsec or MACsec).
AWS Outposts
AWS Outposts ships physical, AWS-managed infrastructure into your own facility so you can run select AWS services locally with the same APIs and console.
| Feature | Detail |
|---|---|
| Services | EC2, EBS, S3 on Outposts, RDS, ECS, EKS, EMR (subset) |
| Management | AWS owns hardware, patching, and updates |
| Connectivity | Requires a service link back to its parent Region |
| Pricing | Capacity reservation (you pay for the rack, 3-year terms) |
| Use cases | Low latency to on-prem systems, data residency / sovereignty, local processing |
Common Trap: Outposts needs connectivity to its parent Region for the control plane. If a question says the site must keep running fully disconnected for long periods, that is a Snowball Edge compute scenario, not Outposts.
Route 53 Resolver (Hybrid DNS)
| Component | Direction | What it enables |
|---|---|---|
| Inbound endpoint | On-prem → VPC | On-prem DNS resolves Route 53 private hosted-zone names; the on-prem server needs a conditional forwarder for those zones pointing at the endpoint's IPs |
| Outbound endpoint | VPC → On-prem | VPC resources resolve on-prem domains (e.g., corp.local); matching queries leave through the endpoint's ENIs |
| Forwarding rule | Attached to an outbound endpoint, associated with VPCs | Conditional forwarding: a domain (and its subdomains) is sent to the listed on-prem DNS IPs; the most specific matching rule wins, and a system rule can exempt a subdomain so the VPC resolver answers it |
Memory hook: Inbound = traffic coming into AWS to resolve AWS names; Outbound = queries leaving the VPC to reach on-prem DNS. If both directions are required, deploy both endpoints. Each endpoint is a set of ENIs with a security group: allow only DNS (53/udp and 53/tcp) between the endpoint and the on-prem resolvers, never from 0.0.0.0/0.
On the Exam: 'VPC apps must resolve app.corp.local' → outbound endpoint + forwarding rule. 'On-prem servers must resolve a private VPC record' → inbound endpoint.
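The rule-selection and forwarding behaviour described above, as an added offline model (this is illustration written for this page, not AWS code or API calls). It models outbound rule matching (longest label-aligned suffix wins, a SYSTEM rule carves a subdomain back out of a broader FORWARD rule, unmatched names go to the VPC resolver), the inbound side (on-prem DNS reaches a private zone only through a conditional forwarder aimed at the inbound endpoint IPs), and the security-group review a practitioner would run on either endpoint. All rule domains, endpoint IDs, IPs and CIDRs are constructed; tie-breaking between equally specific rules is not modelled.

```python
"""Route 53 Resolver behaviour as a small offline model (added illustration,
not AWS code). All domains, endpoint IDs, IPs and CIDRs are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ResolverRule:
    domain: str               # rule domain, e.g. "corp.local"
    rule_type: str            # "FORWARD" or "SYSTEM"
    targets: tuple = ()       # on-prem DNS IPs (FORWARD rules only)
    endpoint_id: str = ""     # outbound endpoint the query leaves through


def labels(name: str) -> list:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return [lab for lab in name.lower().rstrip(".").split(".") if lab]


def domain_matches(rule_domain: str, qname: str) -> bool:
    """True when qname is rule_domain or a subdomain of it. Matching is
    label-aligned: "corp.local" matches "app.corp.local", not "xcorp.local"."""
    r, q = labels(rule_domain), labels(qname)
    return len(r) <= len(q) and q[len(q) - len(r):] == r


def select_rule(rules, qname):
    """Most specific matching rule (longest domain), or None when nothing
    matches. Ties between equally long domains are not modelled."""
    matches = [r for r in rules if domain_matches(r.domain, qname)]
    return max(matches, key=lambda r: len(labels(r.domain)), default=None)


def resolve_path(rules, qname):
    """Where a VPC query for qname goes: forwarded out an outbound endpoint,
    or answered by the VPC resolver (private zones first, then public DNS)."""
    rule = select_rule(rules, qname)
    if rule is None or rule.rule_type == "SYSTEM":
        return {"action": "vpc-resolver", "rule": rule.domain if rule else None}
    return {"action": "forward", "rule": rule.domain,
            "endpoint": rule.endpoint_id, "targets": list(rule.targets)}


def onprem_forward_target(conditional_forwarders, inbound_ips, qname):
    """Inbound direction: on-prem DNS reaches a private hosted zone only if it
    has a conditional forwarder for that zone pointing at the inbound endpoint
    IPs. Returns those IPs, or None when the name is resolved locally/upstream."""
    for zone in conditional_forwarders:
        if domain_matches(zone, qname):
            return list(inbound_ips)
    return None


def endpoint_sg_findings(ingress, peer_cidrs):
    """Review the security group on a Resolver endpoint.

    ingress: iterable of (protocol, from_port, to_port, cidr) tuples.
    peer_cidrs: the on-prem resolver CIDRs (inbound endpoints need ingress from
    them; outbound endpoints need egress to them, return traffic is stateful).
    Anything beyond 53/udp and 53/tcp from those peers is reported.
    """
    findings = []
    for proto, lo, hi, cidr in ingress:
        if cidr == "0.0.0.0/0":
            findings.append(f"{proto} {lo}-{hi} open to the internet")
        elif cidr not in peer_cidrs:
            findings.append(f"{proto} {lo}-{hi} from unexpected {cidr}")
        elif proto not in ("udp", "tcp") or (lo, hi) != (53, 53):
            findings.append(f"{proto} {lo}-{hi} from {cidr} is broader than DNS")
    return findings


# Constructed sample: one outbound endpoint, two FORWARD rules, one SYSTEM rule
# that keeps aws.corp.local inside the VPC even though corp.local is forwarded.
SAMPLE_RULES = (
    ResolverRule("corp.local", "FORWARD", ("10.10.0.53", "10.10.1.53"), "rslvr-out-example1"),
    ResolverRule("aws.corp.local", "SYSTEM"),
    ResolverRule("partner.example", "FORWARD", ("192.168.5.5",), "rslvr-out-example1"),
)

if __name__ == "__main__":
    for name in ("app.corp.local", "db.aws.corp.local", "s3.amazonaws.com"):
        print(name, "->", resolve_path(SAMPLE_RULES, name))
```

Running the sample sends app.corp.local to the two on-prem resolvers, keeps db.aws.corp.local on the VPC resolver because the SYSTEM rule is more specific, and leaves public names untouched; the security-group check is the part worth lifting into a real review, since an inbound endpoint open on 0.0.0.0/0 is an internet-reachable DNS service.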
AWS Storage Gateway
All gateway types keep frequently accessed data in a local cache while the durable copy lives in AWS, giving on-prem latency for hot data and cloud durability for the rest. The one exception is a stored volume, which keeps the entire dataset on-prem and ships asynchronous snapshots to AWS.
| Gateway type | Protocol | AWS backend | Use case |
|---|---|---|---|
| S3 File Gateway | NFS / SMB | S3 (objects) | File shares backed by S3, lifecycle to Glacier |
| FSx File Gateway | SMB | FSx for Windows File Server | Windows shares with local caching |
| Volume Gateway | iSCSI | S3 + EBS snapshots | Block storage: cached (primary in S3) or stored (primary on-prem, async backup) |
| Tape Gateway | iSCSI VTL | S3 Glacier / Deep Archive | Drop-in replacement for physical tape backups |
On the Exam: 'Replace a physical tape library / existing backup software' → Tape Gateway. 'On-prem app needs an SMB/NFS share durably stored in S3' → S3 File Gateway. 'Back up on-prem block volumes to AWS with local low-latency reads' → Volume Gateway (cached mode).
Edge Compute
AWS Local Zones
| Feature | Detail |
|---|---|
| Purpose | Latency-sensitive apps near a specific metro |
| Services | EC2, EBS, VPC, ECS, EKS, some load balancing |
| Latency | Single-digit milliseconds to nearby users |
| Use cases | Media/VFX rendering, real-time gaming, AR/VR |
AWS Wavelength
| Feature | Detail |
|---|---|
| Purpose | Compute embedded in 5G carrier networks |
| Latency | Ultra-low for mobile devices (traffic never leaves the carrier network) |
| Use cases | Connected vehicles, live interactive video, edge ML inference |
Hybrid Connectivity: VPN vs Direct Connect
| Dimension | Site-to-Site VPN | Direct Connect (DX) |
|---|---|---|
| Medium | Encrypted tunnel over the public internet | Dedicated private physical link |
| Setup time | Minutes–hours | Weeks–months (provider provisioning) |
| Throughput / latency | Variable (internet-dependent) | Consistent, predictable, lower latency |
| Encryption | Built-in (IPsec) | Not encrypted on its own; run an IPsec VPN over a DX public VIF, or MACsec on supported dedicated connections |
| Cost | Low | Higher (port + data) |
On the Exam: 'Consistent, high-throughput, private connection' → Direct Connect. 'Need a connection quickly / as DX backup / must be encrypted' → Site-to-Site VPN. 'Resilient AND encrypted private link' → Direct Connect carrying an IPsec VPN over a public VIF, with an internet Site-to-Site VPN as the failover tunnel. Connecting many VPCs and on-prem links together at scale → Transit Gateway.
Snow Family for Data Transfer
Hybrid questions sometimes hinge on moving bulk data, not steady connectivity. Pushing 100 TB over a 1 Gbps link takes about nine days even at full line rate, and longer in practice; the Snow Family ships physical, encrypted appliances instead.
| Device | Capacity / role | Use case |
|---|---|---|
| Snowcone | ~8–14 TB, small/rugged | Edge collection, light transfer |
| Snowball Edge Storage Optimized | ~80 TB usable | Bulk one-time migration |
| Snowball Edge Compute Optimized | Storage + EC2/Lambda | Disconnected edge processing |
| Snowmobile | Exabyte-scale truck (no longer offered) | Historical: massive datacenter evacuation |
On the Exam: 'Transfer 80 TB to AWS where bandwidth is limited and a one-time migration is acceptable' → Snowball Edge. 'Continuous, ongoing transfer of files to S3 over the network' → DataSync (not Snow). 'Run compute at a disconnected remote site' → Snowball Edge Compute Optimized.
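The sizing arithmetic behind the "well over a week" rule of thumb, as an added example written for this page (not an AWS tool). Assumptions, all constructed: decimal units (1 TB = 10^12 bytes), an achievable-utilisation fraction because real transfers never run at line rate, the ~80 TB usable figure for Snowball Edge Storage Optimized from the table above, and a one-week cut-off as the point where shipping devices beats waiting on the network. It also encodes the DataSync distinction: an ongoing sync is a network problem regardless of size.

```python
"""Network-vs-Snow planning for a bulk transfer (added illustration, not an
AWS tool). Units are decimal (1 TB = 10^12 bytes); defaults are constructed."""
import math

SECONDS_PER_DAY = 86_400


def transfer_days(size_tb: float, link_gbps: float, utilisation: float = 1.0) -> float:
    """Days to push size_tb over a link_gbps line at the given utilisation."""
    if link_gbps <= 0 or not 0 < utilisation <= 1:
        raise ValueError("link speed must be positive and utilisation in (0, 1]")
    bits = size_tb * 1e12 * 8
    bits_per_second = link_gbps * 1e9 * utilisation
    return bits / bits_per_second / SECONDS_PER_DAY


def plan_transfer(size_tb, link_gbps, utilisation=0.7, ongoing=False,
                  device_tb=80, max_days=7):
    """Pick the network (DataSync) or Snowball Edge for a data move.

    ongoing=True means a continuous sync, which the Snow Family does not
    address, so the network path is returned regardless of size. Otherwise the
    one-time move goes to Snowball Edge once the network estimate exceeds
    max_days, with device count rounded up to the assumed usable capacity.
    """
    days = transfer_days(size_tb, link_gbps, utilisation)
    if ongoing or days <= max_days:
        return {"method": "DataSync over the network", "days": round(days, 2)}
    return {"method": "Snowball Edge Storage Optimized",
            "devices": math.ceil(size_tb / device_tb),
            "network_days_avoided": round(days, 2)}


if __name__ == "__main__":
    print("100 TB at 1 Gbps, full line rate:", round(transfer_days(100, 1), 1), "days")
    print(plan_transfer(80, 1))      # one device instead of ~10 days on the wire
    print(plan_transfer(500, 1))     # several devices
    print(plan_transfer(2, 10))      # small enough to send over the network
```

The 70% default utilisation is the part to replace with a measured number; on a shared 1 Gbps link the 100 TB case stretches from nine days to two weeks before anything goes wrong.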
Putting Hybrid Together
A typical hybrid design layers these: Direct Connect (or VPN) for the network path, Route 53 Resolver endpoints for cross-environment name resolution, Storage Gateway for file/backup integration, and optionally Outposts for workloads that must stay on-prem yet use AWS APIs. Transit Gateway becomes the hub once multiple VPCs and on-prem sites must interconnect, replacing a tangle of VPC peering connections with a single hub-and-spoke router that also attaches Direct Connect gateways and VPNs.
A manufacturer must run EC2 and RDS in its own factory to meet data-residency rules and keep single-digit-millisecond latency to local equipment, while using the same AWS APIs. Which service fits?
An enterprise is retiring its physical tape library and wants its existing backup software to write to AWS for long-term, low-cost archival. Which option requires the least change?