AWS · SAP-C02

Hybrid Network Connectivity — AWS Solutions Architect Pro (SAP-C02)

5%of exam questions (10 of 200)

Direct Connect vs Site-to-Site VPN: Bandwidth Guarantee Decides

Site-to-Site VPN runs over the public internet and shares bandwidth with other traffic, so latency and throughput are not guaranteed. Direct Connect provides a dedicated private connection with consistent throughput and no public internet routing. The question between them is whether the scenario specifies a throughput floor, a latency SLA, or a compliance rule that prohibits public internet traversal. When none of those constraints appear, VPN is faster to provision and less expensive. When any one of them appears, Direct Connect is the only option that satisfies the stated requirement. Multi-path redundancy uses both: Direct Connect as primary, VPN as failover.

What This Pattern Tests

The exam describes hybrid connectivity and tests VPN vs. dedicated link. Site-to-Site VPN runs encrypted over the public internet — 1.25 Gbps per tunnel, variable latency, deployable in minutes. Direct Connect provides a dedicated physical connection — 1 Gbps or 10 Gbps, consistent latency, takes weeks to provision. Direct Connect + VPN gives encrypted dedicated connectivity. The trap is recommending Direct Connect for a "need connectivity by tomorrow" requirement (VPN is immediate) or VPN for a "consistent sub-10ms latency for database replication" requirement (internet routing adds variable latency).

Decision Axis

Bandwidth requirement, latency consistency, and deployment timeline determine VPN (fast, variable) vs. Direct Connect (slow to deploy, consistent).

Associated Traps

Near-Right Architecture (5)CloudFront + ALB or Global Accelerator + NLB? Both cut latency — only one preserves client IPs over TCP.Operational Complexity Underestimation (5)Self-managed Kubernetes on EC2 — a full-time job disguised as a deployment strategy.

More Top Traps on This Exam

Cost Blind Spot · 17%Spot Instances cut that ECS cluster by 70% — but you built Multi-AZ with On-Demand because it felt safer.

Decision Rules

Whether to use Transit Gateway with a Direct Connect gateway (hub-and-spoke, transitive routing, fixed VIF count) versus flat VPC peering or per-VPC Direct Connect VIFs (non-transitive, O(N) operational surface)—the VPC fan-out count and private-traffic requirement disqualify all flat approaches.

AWS Direct ConnectAWS Transit GatewayAmazon Virtual Private Cloud (Amazon VPC)

Whether to centralize multi-VPC-to-on-premises connectivity through a Transit Gateway attached to a Direct Connect gateway—providing transitive routing and a single control plane—or to provision individual Direct Connect private VIFs per VPC (even when automated), which creates linear management burden and does not support transitive routing at scale.

AWS Direct ConnectAWS Transit GatewayAmazon Virtual Private Cloud (Amazon VPC)

Domain Coverage

Design Solutions for Organizational Complexity

Difficulty Breakdown

Medium: 5Expert: 5

Build recognition speed →

See all SAP-C02 patterns →