AWS · SOA-C03

Hybrid Network Connectivity — AWS SysOps Administrator (SOA-C03)

5%of exam questions (9 of 200)

Connectivity Language Steers the Answer Before You Choose

SOA-C03 hybrid connectivity questions embed the answer in the scenario's wording. "Consistent bandwidth," "low latency," and "dedicated connection" point to Direct Connect. "Quickly establish," "cost-effective," and "encrypted over the internet" point to Site-to-Site VPN. When both requirements appear — consistent primary path plus encrypted backup — the scenario is testing whether you select Direct Connect as primary and VPN as failover, not as equivalent alternatives.

What This Pattern Tests

The exam describes hybrid connectivity and tests VPN vs. dedicated link. Site-to-Site VPN runs encrypted over the public internet — 1.25 Gbps per tunnel, variable latency, deployable in minutes. Direct Connect provides a dedicated physical connection — 1 Gbps or 10 Gbps, consistent latency, takes weeks to provision. Direct Connect + VPN gives encrypted dedicated connectivity. The trap is recommending Direct Connect for a "need connectivity by tomorrow" requirement (VPN is immediate) or VPN for a "consistent sub-10ms latency for database replication" requirement (internet routing adds variable latency).

Decision Axis

Bandwidth requirement, latency consistency, and deployment timeline determine VPN (fast, variable) vs. Direct Connect (slow to deploy, consistent).

Associated Traps

Over-Provisioning (3)Multi-AZ RDS with provisioned IOPS for a new microservice doing 100 reads per second. DynamoDB on-demand costs 90% less.Service Confusion (3)Kinesis Data Streams vs. Kinesis Data Firehose — one word apart, completely different delivery models.Operational Complexity Underestimation (3)Self-managed Kubernetes on EC2 — a full-time job disguised as a deployment strategy.

Decision Rules

Whether the deployment timeline constraint (72 hours) acts as a hard filter that disqualifies Direct Connect before bandwidth optimization is considered, making Site-to-Site VPN the only viable option when throughput is below the VPN ceiling and time-to-live connectivity is the dominant constraint.

AWS Site-to-Site VPNAWS Direct ConnectAmazon Virtual Private Cloud

Whether to enable Virtual Private Gateway route propagation on the existing VPC route table versus provisioning AWS Direct Connect to replace the VPN — where tunnel-state evidence and route-table evidence together disqualify the DX path and confirm that the route propagation toggle is the correct immediate fix.

AWS Site-to-Site VPNAmazon Virtual Private CloudAWS Direct Connect

Speed-of-deployment is a hard filter that must be applied before bandwidth or latency optimization: Direct Connect provisioning lead time (weeks) disqualifies it regardless of its performance advantages, making Site-to-Site VPN the only option that satisfies all three constraints simultaneously.

AWS Site-to-Site VPNAWS Direct ConnectAWS Transit Gateway

Domain Coverage

Networking and Content Delivery

Difficulty Breakdown

Medium: 6Hard: 3

Build recognition speed →

See all SOA-C03 patterns →