5.2 VPC Connectivity — Peering, Transit Gateway, and Direct Connect

Key Takeaways

  • VPC peering is private and has no bandwidth limit, but it is NOT transitive — n VPCs needing full mesh require n*(n-1)/2 connections.
  • Transit Gateway is a transitive hub-and-spoke router connecting thousands of VPCs and on-premises networks, shared cross-account via AWS Resource Access Manager.
  • Direct Connect is a dedicated physical link (1/10/100 Gbps) with consistent latency but is NOT encrypted by default — layer a VPN on top for encryption.
  • Site-to-Site VPN is an IPsec tunnel over the public internet, set up in minutes, with two tunnels per connection and up to 1.25 Gbps per tunnel.
  • Direct Connect provisioning takes weeks to months because it requires a physical cross-connect at an AWS Direct Connect location.
Last updated: June 2026

Quick Answer: VPC peering = simple, private, unlimited-bandwidth VPC-to-VPC link, but not transitive. Transit Gateway = transitive hub connecting thousands of VPCs and on-premises, with segmented route tables. Direct Connect = dedicated physical link (1/10/100 Gbps), consistent latency, not encrypted by default. Site-to-Site VPN = IPsec over the internet, minutes to set up, variable latency.

VPC Peering

VPC peering creates a private connection between two VPCs (same or cross-Region, same or cross-account). Traffic stays on the AWS backbone and there is no bandwidth bottleneck.

The defining limitation is that peering is non-transitive: if A↔B and B↔C are peered, A still cannot reach C through B. CIDR blocks must not overlap. Full mesh scales quadratically — the formula n(n-1)/2 is worth memorizing:

VPCs   Peering connections for full mesh
3      3
5      10
10     45
20     190

That explosion is exactly why the exam steers larger topologies toward Transit Gateway.

Transit Gateway, Direct Connect, and Site-to-Site VPN

AWS Transit Gateway (TGW) is a regional hub-and-spoke router. Every VPC, VPN, and Direct Connect gateway attaches once, and TGW provides transitive routing among them. Multiple TGW route tables let you segment environments (for example, isolate dev from prod). Share a TGW across accounts with AWS Resource Access Manager (RAM); connect Regions with TGW peering. Each attachment supports up to ~50 Gbps.

AWS Direct Connect (DX) is a dedicated, private fiber link from your data center into an AWS Direct Connect location, available at 1, 10, or 100 Gbps (sub-1 Gbps via hosted-connection partners). It delivers consistent, predictable latency but is not encrypted — wrap a Site-to-Site VPN over the DX link when encryption is required. Provisioning takes weeks to months (physical cross-connect), and a single link is a single point of failure, so resilient designs use two links.

AWS Site-to-Site VPN establishes an IPsec tunnel over the public internet in minutes. Each connection provides two tunnels (for HA) at up to 1.25 Gbps each, with variable latency tied to internet routing.

Feature       VPC Peering          Transit Gateway        Direct Connect    Site-to-Site VPN
Topology      1:1                  Hub-and-spoke          Dedicated link    IPsec over internet
Transitive    No                   Yes                    N/A               N/A
Bandwidth     Unlimited            ~50 Gbps/attachment    1–100 Gbps        1.25 Gbps/tunnel
Setup time    Minutes              Minutes                Weeks–months      Minutes
Encrypted     Private (backbone)   Private (backbone)     No (add VPN)      Yes (IPsec)

On the Exam: "50 VPCs plus on-premises with centralized routing" → Transit Gateway. "Dedicated link, consistent low latency, hybrid analytics" → Direct Connect. "Encrypted connection to AWS today" → Site-to-Site VPN. "Lowest-latency hybrid link that is also encrypted" → Direct Connect with a VPN on top.

Hybrid Resilience and Failover Patterns

The exam frequently layers connectivity options for high availability, so know the standard combinations.

  • DX primary, VPN backup: run Direct Connect for steady-state performance and configure a Site-to-Site VPN as a failover path. If the DX link drops, BGP reconverges to the VPN. This is the canonical "cost-effective resilience" answer.
  • Dual Direct Connect: for the highest resilience, provision two DX links at two different Direct Connect locations. AWS's highest-resilience model uses connections terminating on separate devices in separate locations.
  • Transit Gateway as the hybrid hub: attach a Direct Connect Gateway and VPN to a Transit Gateway so every spoke VPC reaches on-premises without per-VPC links.
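The "DX primary, VPN backup" pattern above is easiest to reason about as a route-selection problem. The following is an added illustration written for this page, not AWS code and not something the exam expects you to run: a small Python model in which on-premises advertises the same prefixes over both a Direct Connect path and a Site-to-Site VPN path. The model assumes (these are modelling assumptions, stated in the comments) that the longest matching prefix wins, that a Direct Connect route beats a VPN route of the same length, and that a BGP session loss withdraws everything learned over that link. The prefixes are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Simplified model of hybrid route selection for "DX primary, VPN backup".
# Added illustration, not AWS code. Modelling assumptions:
#   1. the longest matching prefix wins, whichever path learned it;
#   2. among equal-length prefixes, a Direct Connect path beats a VPN path;
#   3. when a link's BGP session drops, every prefix learned over it is withdrawn.
PATH_PREFERENCE = {"direct-connect": 0, "vpn": 1}  # lower number is preferred


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    path: str            # "direct-connect" or "vpn"
    available: bool = True


class HybridRouteTable:
    """Prefixes learned via BGP from on-premises over one or more hybrid paths."""

    def __init__(self) -> None:
        self.routes: List[Route] = []

    def advertise(self, prefix: str, path: str) -> None:
        """Record a prefix that on-premises advertises over the given path."""
        if path not in PATH_PREFERENCE:
            raise ValueError(f"unknown path {path!r}")
        self.routes.append(Route(ipaddress.ip_network(prefix, strict=True), path))

    def set_link(self, path: str, up: bool) -> None:
        """Model a BGP session dropping (routes withdrawn) or returning."""
        for route in self.routes:
            if route.path == path:
                route.available = up

    def select(self, destination: str) -> Optional[str]:
        """Return the path that carries traffic to destination, or None if unreachable."""
        addr = ipaddress.ip_address(destination)
        candidates = [r for r in self.routes if r.available and addr in r.prefix]
        if not candidates:
            return None
        best = min(candidates,
                   key=lambda r: (-r.prefix.prefixlen, PATH_PREFERENCE[r.path]))
        return best.path


def failover_demo() -> List[Tuple[str, Optional[str]]]:
    """Walk the DX-primary/VPN-backup lifecycle with constructed sample prefixes."""
    table = HybridRouteTable()
    # Constructed sample: on-premises advertises the same /16 over both paths,
    # which is what makes the failover automatic.
    table.advertise("10.50.0.0/16", "direct-connect")
    table.advertise("10.50.0.0/16", "vpn")
    events = []
    events.append(("steady state", table.select("10.50.1.10")))      # direct-connect
    table.set_link("direct-connect", False)                           # DX link drops
    events.append(("DX down", table.select("10.50.1.10")))           # vpn
    table.set_link("direct-connect", True)                            # DX restored
    events.append(("DX restored", table.select("10.50.1.10")))       # direct-connect
    # Planning pitfall: a more specific prefix advertised only over the VPN
    # pulls that subnet onto the VPN even while DX is healthy (longest prefix first).
    table.advertise("10.50.7.0/24", "vpn")
    events.append(("more-specific over VPN", table.select("10.50.7.20")))  # vpn
    events.append(("rest of the /16", table.select("10.50.1.10")))         # direct-connect
    return events


if __name__ == "__main__":
    for event, path in failover_demo():
        print(f"{event:24s} -> {path}")
```

The last two events are the part worth checking in a real design: when both paths advertise identical prefixes the backup only carries traffic after the primary withdraws, but an accidental more-specific advertisement on the backup silently diverts part of the range onto the slower, variable-latency path.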

Migration and Bandwidth Decision Aids

When a question asks how to move large data volumes, distinguish the connection from the transfer tool. For ongoing low-latency access, choose DX. For a one-time bulk migration of terabytes-to-petabytes, AWS Snowball/Snow Family is often cheaper and faster than saturating a network link for weeks.

Requirement signal                          Correct choice
"Consistent latency, hybrid, ongoing"       Direct Connect
"Encrypted, set up in minutes"              Site-to-Site VPN
"Connect dozens of VPCs + on-prem"          Transit Gateway
"Two VPCs, simplest possible"               VPC peering
"Petabytes once, link too slow"             Snow Family (offline)
"DX but must be encrypted"                  VPN over Direct Connect

A recurring trap: candidates pick Direct Connect for a "connect today / urgent" scenario. Direct Connect requires a physical cross-connect and takes weeks to months to provision — so an urgent encrypted link is always Site-to-Site VPN, even if DX is the long-term goal. Another trap is assuming peering or DX is encrypted; only VPN provides encryption out of the box, while peering and DX keep traffic private on the AWS backbone but unencrypted.

Routing Glue and Gateways

Two gateway objects tie hybrid routing together and are easy to confuse. A Virtual Private Gateway (VGW) is the VPC-side endpoint for a single VPC's VPN or DX connection — fine for one or two VPCs. A Direct Connect Gateway is a global object that lets one Direct Connect connection reach VPCs in multiple Regions and attach to Transit Gateways, which is why large hybrid designs pair Direct Connect Gateway with Transit Gateway rather than a per-VPC VGW. Routing across all of these is exchanged dynamically with BGP, so failover between a DX primary and VPN backup is automatic once both advertise the same prefixes.

Remember that Transit Gateway, like a VPC, cannot route between attachments whose CIDRs overlap, so non-overlapping address planning remains mandatory even with a transitive hub.
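Both the full-mesh peering arithmetic from the VPC Peering section and the overlap rule just stated come down to address planning that can be checked before anything is attached. The following Python planner is an added example written for this page, not AWS tooling: it counts the peering connections a full mesh would need and uses the standard library's ipaddress module to flag any pair of CIDRs that peering or Transit Gateway would refuse to route between. The VPC names and CIDRs are a constructed sample; "shared-services" is deliberately placed inside prod-a's /16 to show what an overlap report looks like.

```python
import ipaddress
from itertools import combinations
from typing import Dict, List, Tuple

# Constructed sample address plan (not from the page). "shared-services"
# deliberately sits inside prod-a's /16 so the overlap check has something to find.
VPC_CIDRS = {
    "prod-a": "10.0.0.0/16",
    "prod-b": "10.1.0.0/16",
    "dev": "10.2.0.0/16",
    "shared-services": "10.0.128.0/17",
}
ON_PREM_CIDR = "192.168.0.0/16"


def full_mesh_peering_count(vpc_count: int) -> int:
    """Peering connections needed for a full mesh of vpc_count VPCs: n(n-1)/2."""
    return vpc_count * (vpc_count - 1) // 2


def find_overlaps(networks: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return every pair of names whose CIDR blocks overlap.

    Neither VPC peering nor Transit Gateway routes between overlapping CIDRs,
    so each pair reported here must be re-addressed before it is attached.
    strict=True also rejects CIDRs with host bits set (e.g. 10.0.1.0/16).
    """
    parsed = {name: ipaddress.ip_network(cidr, strict=True)
              for name, cidr in networks.items()}
    return [(a, b)
            for (a, net_a), (b, net_b) in combinations(parsed.items(), 2)
            if net_a.overlaps(net_b)]


def plan_summary(vpcs: Dict[str, str], on_prem: str) -> dict:
    """Summarise a plan: VPC count, full-mesh peering count, and any overlaps.

    The on-premises range is included in the overlap check because a hybrid
    hub (Transit Gateway with a DX gateway or VPN attached) must be able to
    route between it and every spoke VPC as well.
    """
    all_networks = dict(vpcs)
    all_networks["on-prem"] = on_prem
    overlaps = find_overlaps(all_networks)
    n = len(vpcs)
    return {
        "vpc_count": n,
        "full_mesh_peerings": full_mesh_peering_count(n),
        "overlaps": overlaps,
        "routable": not overlaps,
    }


if __name__ == "__main__":
    summary = plan_summary(VPC_CIDRS, ON_PREM_CIDR)
    print(f"{summary['vpc_count']} VPCs need {summary['full_mesh_peerings']} "
          f"peering connections for a full mesh")
    for a, b in summary["overlaps"]:
        print(f"overlap: {a} and {b} must be re-addressed before attaching")
```

Running the planner against the sample reports the prod-a / shared-services overlap; swapping shared-services to an unused /16 makes the plan routable. The same check applies whether the VPCs end up peered or attached to a Transit Gateway, since a transitive hub removes the n(n-1)/2 connection count but not the non-overlap requirement.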

Test Your Knowledge

A company has 20 VPCs that all must communicate with each other and with an on-premises data center, with centralized route management. Which design is simplest?

A bank needs a hybrid link to AWS with consistent low latency for a high-volume data feed, and the data must be encrypted in transit. Which combination meets both requirements?

Which statement about VPC peering is correct?
