AWS · ANS-C01

Network Connectivity Design — AWS Advanced Networking (ANS-C01)

60% of exam questions (120 of 200)

Bandwidth and compliance determine the right link

Requirement: consistent sub-10 ms latency, 1 Gbps sustained throughput, private connectivity. Competing choices: Site-to-Site VPN over the internet, Direct Connect public VIF, Direct Connect private VIF. Deciding constraint: whether traffic must avoid the public internet entirely. A private VIF terminates in a VPC (through a virtual private gateway or a Direct Connect gateway) and never touches the internet; a public VIF rides the AWS backbone but only reaches AWS public endpoints, not private VPC addresses; a VPN traverses the internet however well it is encrypted, so neither its latency nor its throughput is guaranteed (a Site-to-Site VPN tunnel tops out at about 1.25 Gbps). Guaranteed bandwidth comes only from Direct Connect capacity: a Dedicated Connection owns its port outright, a Hosted Connection is a partner-allocated slice of a shared port at a fixed rate, and VPN carries no bandwidth commitment at all. A private VIF is unencrypted, so if encryption in transit is also mandated the answer adds MACsec or an IPsec overlay on top of it (see the MACsec and VPN-over-Direct-Connect rules below).

What This Pattern Tests

The exam describes a multi-VPC or hybrid network and tests connectivity model selection. VPC Peering has no hourly charge (you pay only standard inter-AZ or inter-Region data transfer), is point-to-point and non-transitive, and suits 2-3 VPCs. Transit Gateway is a hub-and-spoke router that accepts VPC, VPN, Direct Connect gateway and peering attachments by the thousands; in us-east-1 it costs $0.05 per attachment-hour plus $0.02 per GB processed. Direct Connect provides dedicated ports of 1, 10 or 100 Gbps (higher speeds at selected locations; hosted connections start at 50 Mbps) with consistent latency; cost varies by port speed, location and partner. The trap is using Transit Gateway for 2 VPCs (peering is simpler and cheaper) or VPC Peering for 15 VPCs: peering is non-transitive, so a full mesh needs N*(N-1)/2 connections, 105 for 15 VPCs against 15 Transit Gateway attachments, and every VPC route table must carry a separate route for each peer.

Decision Axis

Network topology scale (few VPCs = peering, many = Transit Gateway) and connectivity type (internet VPN vs. dedicated link) determine the approach.

Associated Traps

Decision Rules

Whether VPC Flow Logs plus Transit Gateway Flow Logs queried via CloudWatch Logs Insights satisfy a connection-metadata monitoring requirement, or whether VPC Traffic Mirroring is necessary — the decision turns on whether the stated requirement is for metadata-level visibility or payload-level inspection.

Amazon VPC · AWS Transit Gateway · Amazon CloudWatch

Whether to use a Transit Gateway shared across accounts via AWS RAM, with isolated route tables (spokes associated with a table that only knows the logging VPC, the logging VPC associated with a table that knows every spoke), or a VPC peering mesh, to give every business-unit VPC hub-and-spoke access to the shared logging VPC without creating lateral east-west paths between business units. RAM shares the Transit Gateway itself; route table association and propagation stay under the owning account's control, which is what enforces the segmentation.

AWS Transit Gateway · Amazon VPC · AWS Resource Access Manager (AWS RAM)

Whether connection-level metadata visibility (VPC Flow Logs and Transit Gateway Flow Logs surfaced through CloudWatch metric filters) is sufficient to diagnose intermittent hybrid connectivity drops, or whether payload-capture infrastructure (VPC Traffic Mirroring with a dedicated mirror target) is necessary — with the correct answer being that flow-level metadata fully satisfies the stated diagnostic requirement at materially lower cost and operational burden.

Amazon VPC · AWS Transit Gateway · Amazon CloudWatch

Whether to establish Transit Gateway hub-and-spoke routing or to expose the service through AWS PrivateLink when consumer VPCs carry overlapping CIDRs and only single-service access, not arbitrary VPC-to-VPC traffic, is required. Transit Gateway, like peering, cannot route between overlapping prefixes; PrivateLink sidesteps the problem because each consumer reaches the provider's Network Load Balancer through an interface endpoint that lives in the consumer's own address space.

AWS Transit Gateway · AWS PrivateLink · AWS Resource Access Manager (AWS RAM)

Whether redundancy achieved by two circuits at the same Direct Connect location satisfies a single-facility-failure availability requirement, or whether a geographically independent backup path (a second Direct Connect location, or at minimum a Site-to-Site VPN terminating on the Transit Gateway) is required. Two connections in one facility protect against a failed port or router, not against losing the facility or its last-mile fibre; the second path has to leave from a different location.

AWS Direct Connect · AWS Site-to-Site VPN · AWS Transit Gateway

Whether to deploy Transit Gateway with a single shared route table or with per-spoke isolated route tables to satisfy the network segmentation boundary that the compliance mandate architecturally requires.

AWS Transit Gateway · AWS RAM · Amazon VPC
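The segmentation rule above (and the RAM-shared logging-hub rule earlier in this list) comes down to which route table each attachment is associated with. The script below is an added example, not material from the exam page or from AWS: it models a Transit Gateway's route tables as plain data, implements the lookup the gateway performs (consult the table associated with the source attachment, most specific prefix wins), and compares a single shared table against the isolated spokes-plus-hub layout. Attachment names and CIDRs are constructed; the same functions can be pointed at output exported from describe-transit-gateway-route-tables.

```python
"""Model Transit Gateway route tables and check which spokes can reach which.

Added example (not from the exam page). Attachment names and CIDRs are
constructed to mirror the business-unit / shared-logging scenario. The
lookup follows TGW semantics: the table associated with the *source*
attachment is consulted and the longest matching prefix wins; no match is
a blackhole. No AWS calls are made.
"""
from ipaddress import ip_address, ip_network

# Constructed topology: three business-unit VPCs and one shared logging VPC.
ATTACHMENTS = {
    "bu-a": "10.1.0.0/16",
    "bu-b": "10.2.0.0/16",
    "bu-c": "10.3.0.0/16",
    "logging": "10.100.0.0/16",
}


def shared_table_design():
    """One route table; every attachment associates with and propagates into it."""
    tables = {"shared": [(cidr, att) for att, cidr in ATTACHMENTS.items()]}
    association = {att: "shared" for att in ATTACHMENTS}
    return tables, association


def isolated_table_design():
    """Spokes share a table that only knows the logging VPC; the logging VPC
    uses a hub table that knows every spoke, so return traffic still routes."""
    tables = {
        "spokes": [(ATTACHMENTS["logging"], "logging")],
        "hub": [(cidr, att) for att, cidr in ATTACHMENTS.items() if att != "logging"],
    }
    association = {att: ("hub" if att == "logging" else "spokes") for att in ATTACHMENTS}
    return tables, association


def next_hop(tables, association, src_attachment, dst_ip):
    """Longest-prefix-match lookup in the table associated with the source."""
    table = tables[association[src_attachment]]
    addr = ip_address(dst_ip)
    best = None
    for cidr, target in table:
        net = ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None  # None: no route, packet is dropped


def reachability(tables, association):
    """Set of (src, dst) attachment pairs with a forwarding path src -> dst."""
    pairs = set()
    for src in ATTACHMENTS:
        for dst, cidr in ATTACHMENTS.items():
            if src == dst:
                continue
            probe = str(ip_network(cidr)[10])  # any host inside the dst VPC
            if next_hop(tables, association, src, probe) == dst:
                pairs.add((src, dst))
    return pairs


def east_west_leaks(tables, association):
    """Spoke-to-spoke pairs the design permits; a compliant design returns none."""
    return {(s, d) for s, d in reachability(tables, association)
            if s != "logging" and d != "logging"}


if __name__ == "__main__":
    for name, design in (("shared", shared_table_design()),
                         ("isolated", isolated_table_design())):
        leaks = east_west_leaks(*design)
        print(f"{name}: {len(leaks)} east-west paths {sorted(leaks)}")
```

The shared design yields six spoke-to-spoke paths (every ordered pair of business units); the isolated design yields none while keeping both directions to the logging VPC. In a real deployment two further controls matter that this model leaves out: each VPC's own route table still has to point the hub CIDR at the Transit Gateway attachment, and route propagation must be disabled on the spokes table so a new attachment cannot quietly add itself.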

Whether a dedicated private Direct Connect connection alone satisfies FedRAMP High encryption-in-transit requirements, or whether a FIPS-validated encrypted overlay (VPN over Direct Connect) is mandatory in addition to redundant physical paths.

AWS Direct Connect · AWS Site-to-Site VPN · AWS Transit Gateway

Whether transitive routing with centralized inspection at scale is better satisfied by a Transit Gateway shared via AWS RAM (hub-and-spoke with a single inspection attachment) or a full-mesh of VPC peering connections (which cannot route transitively through a third VPC and require n*(n-1)/2 individual constructs).

AWS Transit Gateway · Amazon VPC · AWS RAM

Whether a Link Aggregation Group at a single Direct Connect location satisfies a 99.99% SLA that explicitly requires surviving a facility-level failure, versus two Direct Connect connections terminating at geographically separate locations attached to a Transit Gateway with a VPN backup path. A LAG bundles ports on one device pair in one facility: it adds capacity and survives a member-link failure, but it remains a single failure domain. AWS's own Direct Connect SLA only reaches 99.99% for the maximum-resiliency pattern of redundant connections at each of two locations.

AWS Direct Connect · AWS Transit Gateway · AWS Site-to-Site VPN

Whether VPC peering or a Transit Gateway shared via AWS RAM satisfies the transitive-routing and zero-reconfiguration-on-account-addition constraints for any-to-any connectivity across 30+ VPCs in 8 accounts. With peering, every new VPC means a peering request to each existing VPC plus route-table edits on both sides; with a shared Transit Gateway, the new account creates one attachment and, with route propagation enabled, the hub learns its CIDR automatically.

AWS Transit Gateway · AWS RAM · Amazon VPC

Whether to centralize hybrid routing through a Transit Gateway associated with a Direct Connect gateway versus provisioning individual Site-to-Site VPN connections per VPC, given that route-propagation limits and transitive-routing requirements become binding constraints at large VPC counts.

AWS Transit Gateway · AWS Direct Connect · AWS Site-to-Site VPN

When packet-loss symptoms require packet-header or payload-level analysis, specifically path-MTU discovery and fragmentation diagnosis, VPC Traffic Mirroring must be selected over VPC Flow Logs. Flow Logs record per-flow metadata (the five-tuple, aggregate packet and byte counts over the capture window, and the accept/reject outcome); they cannot expose individual packet sizes, DSCP markings, the DF bit or the IP fragmentation fields.

Amazon VPC · AWS Transit Gateway · Amazon CloudWatch

Choose VPC peering over Transit Gateway when the VPC count is small enough that the N*(N-1)/2 peering connections and per-VPC route-table entries are operationally manageable and the TGW per-GB processing fee would breach the stated cost constraint.

AWS Transit Gateway · Amazon VPC

Whether the architecture routes hybrid traffic over the public internet (even when encrypted via VPN) or over a dedicated private path (Direct Connect), and whether transitive routing at 20-VPC scale requires Transit Gateway with a Direct Connect gateway rather than per-VPC virtual interfaces or peering meshes.

AWS Direct Connect · AWS Transit Gateway · AWS Site-to-Site VPN

Choose VPC Traffic Mirroring over VPC Flow Logs when the scenario combines an MTU-level symptom (fragmentation, silent drop) with a compliance mandate requiring packet-header forensic capture, because Flow Logs record only connection-level metadata (source, destination, ports, aggregate counts, accept/reject) and cannot expose the IP total-length, DF or fragment-offset header fields, nor satisfy a packet-capture audit trail requirement.

AWS Transit Gateway · Amazon VPC

Choose VPC peering over Transit Gateway when the VPC count is small (≤ ~10), an explicit cost-per-GB budget constraint is stated, and the stated compliance requirement (GDPR data residency) is already satisfied by keeping traffic within a single Region — TGW adds per-attachment and per-GB processing fees without providing incremental data-residency assurance.

AWS Transit Gateway · Amazon VPC · Amazon Route 53

Whether to terminate individual Direct Connect private virtual interfaces per VPC or to consolidate hybrid routing through a Transit Gateway associated with a Direct Connect gateway over a single transit virtual interface, which stays within route-propagation limits and absorbs VPC growth behind one on-premises BGP session. The Direct Connect gateway advertises only the prefixes on its allowed-prefixes list for the Transit Gateway association, so that list has to be maintained as VPCs are added.

AWS Direct Connect · AWS Transit Gateway · AWS Site-to-Site VPN

Whether VPC Flow Logs (connection metadata, SOC 2-approved) or VPC Traffic Mirroring (packet-header inspection) is the correct observability tool when the symptom is intermittent loss attributed to jumbo-frame MTU fragmentation across a Transit Gateway attachment. Transit Gateway forwards packets up to 8500 bytes on VPC, Direct Connect and peering attachments but only 1500 bytes on VPN attachments, so the first thing to confirm from mirrored packets is the size and DF bit of the frames that disappear.

AWS Transit Gateway · Amazon VPC · Amazon CloudWatch

Whether to deploy a Transit Gateway attachment mesh (per-attachment-hour plus per-GB processing fee) or a VPC full-mesh peering topology (no per-GB processing surcharge) when the VPC count is low enough that peering route-table complexity remains manageable.

AWS Transit Gateway · Amazon VPC

Whether to attach each VPC individually to Direct Connect private virtual interfaces (which multiplies BGP prefix advertisements and breaches per-VIF route limits at this scale) or consolidate all VPCs through a Transit Gateway paired with a Direct Connect gateway (which aggregates CIDR advertisements into a single BGP session and enables transitive routing within service limits).

AWS Direct Connect · AWS Transit Gateway · Amazon VPC

Select VPC Traffic Mirroring over VPC Flow Logs when the diagnostic symptom requires inspection of actual packet headers (e.g., DF-bit set, observed MTU ceiling) to confirm jumbo-frame fragmentation, because Flow Logs capture only connection-level accept/reject metadata and cannot expose packet-size or IP-header fields.

Amazon VPC · AWS Transit Gateway · Amazon CloudWatch

Whether to replace Transit Gateway with full-mesh VPC peering when VPC count is small enough that the combinatorial peering connection count (n*(n-1)/2) is operationally manageable and TGW's combined hourly-attachment plus per-GB data-processing charges demonstrably exceed the stated monthly budget.

AWS Transit Gateway · Amazon VPC
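The peering-versus-Transit-Gateway rules above (and the N*(N-1)/2 arithmetic in "What This Pattern Tests") all turn on three inputs: how many VPCs, how much traffic, and whether transitive routing is needed. The following is an added example, not part of the exam page or any AWS tool: a small decision function that applies those rules in order (hard constraints, then budget, then the size heuristic) and shows the cost break-even. The unit prices are the us-east-1 list prices quoted on the page plus an assumed $0.01 per GB each way for peered traffic that crosses Availability Zones; the per-VPC peering quota values (50 default, 125 adjustable) are the published limits. Treat all of them as assumptions to re-check against the current pricing and quota pages.

```python
"""Peering mesh versus Transit Gateway: connection count, quotas and cost.

Added example, not part of the exam page. Prices are the us-east-1 list
prices quoted in the pattern summary plus an assumed inter-AZ rate for
peered traffic; the peering quota is the published per-VPC service limit.
Verify all four numbers before quoting them in a design review.
"""
HOURS_PER_MONTH = 730
TGW_ATTACHMENT_HOURLY = 0.05      # USD, assumption: us-east-1 list price
TGW_PER_GB = 0.02                 # USD, assumption: us-east-1 list price
PEERING_CROSS_AZ_PER_GB = 0.02    # USD, assumption: 0.01 in + 0.01 out
PEERING_DEFAULT_LIMIT = 50        # active peerings per VPC, default quota
PEERING_HARD_LIMIT = 125          # active peerings per VPC, max adjustable


def peering_connections(n_vpcs):
    """A non-transitive full mesh needs N*(N-1)/2 point-to-point peerings."""
    return n_vpcs * (n_vpcs - 1) // 2


def tgw_monthly_cost(n_vpcs, gb_per_month):
    """One attachment per VPC billed hourly, plus a fee on every GB processed."""
    return n_vpcs * TGW_ATTACHMENT_HOURLY * HOURS_PER_MONTH + gb_per_month * TGW_PER_GB


def peering_monthly_cost(gb_per_month, cross_az_fraction):
    """Peering has no hourly fee; only traffic that crosses AZs is billed."""
    return gb_per_month * cross_az_fraction * PEERING_CROSS_AZ_PER_GB


def recommend(n_vpcs, gb_per_month, needs_transitive=False,
              cross_az_fraction=0.5, budget=None, small_mesh_max_vpcs=10):
    """Return (choice, reasons) following the decision rules on this page.

    Hard constraints (transitive routing, per-VPC peering quota) win first;
    then an explicit monthly budget; then the operational size heuristic.
    """
    reasons = []
    peers = peering_connections(n_vpcs)
    if needs_transitive:
        reasons.append("hub-and-spoke or transitive routing: peering cannot forward through a third VPC")
        return "transit-gateway", reasons
    if n_vpcs - 1 > PEERING_HARD_LIMIT:
        reasons.append(f"each VPC would need {n_vpcs - 1} peerings, above the {PEERING_HARD_LIMIT} per-VPC quota")
        return "transit-gateway", reasons
    tgw = tgw_monthly_cost(n_vpcs, gb_per_month)
    peer = peering_monthly_cost(gb_per_month, cross_az_fraction)
    reasons.append(f"{peers} peering connections vs {n_vpcs} TGW attachments")
    reasons.append(f"estimated monthly: peering {peer:.2f} USD, TGW {tgw:.2f} USD")
    if budget is not None and tgw > budget >= peer:
        reasons.append(f"TGW breaches the {budget:.2f} USD budget; peering fits")
        return "vpc-peering", reasons
    if n_vpcs - 1 > PEERING_DEFAULT_LIMIT:
        reasons.append("mesh needs a peering quota increase on every VPC")
        return "transit-gateway", reasons
    if n_vpcs <= small_mesh_max_vpcs:
        reasons.append("small mesh: peering route tables stay manageable")
        return "vpc-peering", reasons
    reasons.append("large mesh: per-VPC route-table churn outweighs TGW fees")
    return "transit-gateway", reasons


if __name__ == "__main__":
    for args in ((2, 500), (3, 1000), (15, 1000), (12, 10000, False, 0.5, 500.0)):
        choice, why = recommend(*args)
        print(args, "->", choice, ";", " / ".join(why))
```

For 3 VPCs moving 1 TB a month the model gives roughly $10 for peering against $129.50 for Transit Gateway, which is the "TGW for 2-3 VPCs" trap in numbers; at 15 VPCs the 105 peerings push the recommendation to Transit Gateway regardless of cost, and any transitive requirement ends the comparison immediately.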

Whether VPC Flow Logs (connection metadata only) or VPC Traffic Mirroring (full packet payload delivery to an inspection target) satisfies a compliance mandate that explicitly requires payload-level content inspection, not just connection-level visibility.

Amazon VPC · Amazon CloudWatch

Whether to rely on Direct Connect's dedicated physical isolation as the confidentiality control or enable MACsec on the dedicated connection to supply the hardware-level cryptographic encryption layer that PCI-DSS v4.0 Requirement 4.2.1 explicitly requires.

AWS Direct Connect · AWS Site-to-Site VPN

Whether VPC Flow Logs (connection metadata only) or VPC Traffic Mirroring (full packet capture to an out-of-band target) satisfies a compliance mandate that explicitly requires demonstration that packet payloads were inspected for sensitive data patterns.

Amazon VPC · Amazon CloudWatch · AWS CloudTrail

Whether to enable MACsec on the dedicated Direct Connect connection (Layer 2 encryption on the port itself, no tunnel overhead, keyed by a Connectivity Association Key and key name pair) versus overlaying a Site-to-Site VPN tunnel (IPsec at Layer 3; satisfies the encryption mandate but introduces tunnel overhead and certificate or PSK rotation that the scenario explicitly prohibits). Two caveats the exam rarely spells out: MACsec is offered only on Dedicated Connections of 10 Gbps and above at MACsec-capable locations, and an IPsec overlay is capped at about 1.25 Gbps per tunnel, so encrypting a 10 Gbps connection that way means many tunnels spread across the Transit Gateway with ECMP.

AWS Direct Connect · AWS Site-to-Site VPN · AWS Transit Gateway

Whether to deploy VPC Traffic Mirroring scoped to cardholder-data-environment subnet ENIs with session-level traffic filters (payload inspection at controlled cost) versus enabling Traffic Mirroring broadly across all ENIs without filters (audit-complete but cost-blind) or substituting VPC Flow Logs (cost-efficient but payload-blind and audit-insufficient).

Amazon VPC · Amazon CloudWatch

Whether to overlay Site-to-Site VPN tunnels on the existing Direct Connect path for IPsec encryption (satisfies mandate but adds per-VPN-connection-hour and TGW-attachment charges at sustained scale) or enable MACsec on the Dedicated Direct Connect connection (satisfies the Layer 2 cryptographic mandate with no additive per-tunnel recurring cost).

AWS Direct Connect · AWS Site-to-Site VPN · AWS Transit Gateway

Whether VPC Flow Logs (connection metadata only: source/destination IP, port, protocol, byte count) or VPC Traffic Mirroring (full raw packet payload copy to a monitoring target) satisfies the compliance mandate requiring payload-level inspection and pattern matching within live traffic.

Amazon VPC · Amazon CloudWatch
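Every Flow Logs versus Traffic Mirroring rule on this page (the MTU-diagnosis variants as well as the payload-inspection ones) rests on what a flow record actually contains. The script below is an added example, not from the exam page or from AWS: it parses four constructed records in the default version 2 format, then derives the only evidence that format supports, namely accept/reject counts, capture gaps, and the bytes-per-packet average that hints at jumbo frames. The field list is the documented default format; the log lines, account ID, ENI and addresses are invented.

```python
"""What VPC Flow Logs can and cannot tell you, shown on constructed records.

Added example, not from the exam page. The four records below are invented
but follow the default (version 2) flow log format:
  version account-id interface-id srcaddr dstaddr srcport dstport protocol
  packets bytes start end action log-status
Everything derived here is the ceiling of what flow metadata supports; a
packet's DF bit, fragment offset, DSCP value or payload is not in the record.
"""
from collections import Counter
from dataclasses import dataclass

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# Constructed sample: a syslog flow to the logging VPC, a jumbo-frame SMB
# flow across a Transit Gateway attachment, a rejected SSH probe from the
# internet, and a capture interval the service could not record.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.1.0.5 10.100.0.9 49152 514 6 200 46000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.1.0.7 10.2.0.20 38000 445 6 1200 10620000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.23 10.1.0.5 51000 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000060 1700000120 - SKIPDATA
"""


@dataclass
class Flow:
    srcaddr: str
    dstaddr: str
    dstport: int
    protocol: int
    packet_count: int
    byte_count: int
    action: str
    log_status: str

    @property
    def avg_packet_bytes(self):
        """bytes / packets: the only size signal a flow record offers."""
        return self.byte_count / self.packet_count if self.packet_count else 0.0


def parse_flow_logs(text):
    """Parse default-format records; non-OK intervals become gap markers."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed or custom-format line, skip
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            # NODATA/SKIPDATA carry no tuple; keep the gap so a quiet window
            # is not mistaken for an absence of traffic
            flows.append(Flow("-", "-", 0, 0, 0, 0, "-", rec["log_status"]))
            continue
        flows.append(Flow(rec["srcaddr"], rec["dstaddr"], int(rec["dstport"]),
                          int(rec["protocol"]), int(rec["packets"]),
                          int(rec["bytes"]), rec["action"], rec["log_status"]))
    return flows


def summarize(flows, jumbo_threshold=1500):
    """Aggregate the evidence flow metadata can actually support."""
    ok = [f for f in flows if f.log_status == "OK"]
    actions = Counter(f.action for f in ok)
    return {
        "accepts": actions["ACCEPT"],
        "rejects": actions["REJECT"],
        "skipped_intervals": len(flows) - len(ok),
        # an average above the 1500-byte Ethernet MTU shows jumbo frames are in
        # use on the path; it cannot show whether any were fragmented or dropped
        # for exceeding the 8500-byte Transit Gateway limit
        "jumbo_flows": [(f.srcaddr, f.dstaddr) for f in ok
                        if f.avg_packet_bytes > jumbo_threshold],
    }


if __name__ == "__main__":
    print(summarize(parse_flow_logs(SAMPLE_LOG)))
```

The SMB flow averages 8850 bytes per packet, which is enough to say jumbo frames are crossing that attachment and to justify a Traffic Mirroring session on that ENI; it is not enough to prove fragmentation, read a DF bit, or satisfy a payload-inspection mandate, because none of those fields exist in the record.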

Whether to layer a Site-to-Site VPN IPsec tunnel over the existing Direct Connect connection to deliver mandatory cryptographic encryption, rather than treating Direct Connect's dedicated private circuit as a compliant substitute for encryption.

AWS Direct Connect · AWS Site-to-Site VPN · AWS Transit Gateway

Domain Coverage

Network Design · Network Implementation · Network Management and Operation · Network Security, Compliance, and Governance

Difficulty Breakdown

Medium: 28 · Hard: 56 · Expert: 36