
AWS Advanced Networking Explained for AWS SAA-C03

A VPC gives you a private network inside AWS. But production architectures need more: VPCs connected to each other, private networks connected to on-premises data centers, services reachable without exposing them to the public internet, and traffic inspected by firewalls before it reaches its destination. VPC Peering, Transit Gateway, Direct Connect, VPN, and VPC Endpoints each solve a different connectivity problem. The SAA-C03 exam presents network architecture scenarios that require choosing the right connection type based on requirements like transitive routing, bandwidth, latency, cost, and whether traffic can traverse the public internet.


VPC Peering and Transit Gateway

VPC Peering connects two VPCs so that their instances can communicate using private IP addresses, as if they were on the same network. Peering works within a region or across regions (inter-region peering). The critical constraint: VPC peering is non-transitive. If VPC A is peered with VPC B, and VPC B is peered with VPC C, VPC A cannot reach VPC C through VPC B, even if VPC A's route table carries a route for VPC C's CIDR via the peering connection to B. Each pair of VPCs that needs to communicate requires its own peering connection. With many VPCs, the number of peering connections grows quadratically and becomes unmanageable.

Transit Gateway solves the scaling problem. It acts as a central hub that multiple VPCs, VPN connections, and Direct Connect connections attach to. Traffic between any two attached networks routes through the Transit Gateway, which supports transitive routing. Ten VPCs need ten attachments to Transit Gateway rather than 45 individual VPC peering connections. Transit Gateway also enables shared services VPCs, centralized egress, and centralized network inspection through integration with Gateway Load Balancer.

Transit Gateway Connect extends Transit Gateway to support SD-WAN appliances using GRE tunnels, and Transit Gateway Network Manager provides a global view of the network across multiple regions and on-premises locations.

Direct Connect, VPN, and VPC Endpoints

AWS Direct Connect is a dedicated physical network connection from an on-premises data center to an AWS Direct Connect location. Unlike a VPN that tunnels traffic over the public internet, Direct Connect provides a private, dedicated line with consistent bandwidth and latency. Direct Connect is available in 1 Gbps, 10 Gbps, and 100 Gbps speeds. For organizations that cannot use Direct Connect, a Site-to-Site VPN creates an encrypted IPsec tunnel over the public internet. VPN is faster to provision (minutes versus weeks for Direct Connect) and cheaper, but bandwidth and latency are variable because the traffic traverses the shared public internet.

VPC Endpoints allow resources inside a VPC to access AWS services privately without routing traffic through the public internet. Gateway Endpoints work for S3 and DynamoDB only. They are free and add a route to the VPC route table pointing to the endpoint. Interface Endpoints (powered by AWS PrivateLink) create an Elastic Network Interface in your subnet with a private IP address. Services accessed through Interface Endpoints include Secrets Manager, Systems Manager, Kinesis, SQS, and hundreds of other AWS and third-party services. Interface Endpoints incur an hourly charge per AZ.

PrivateLink is the underlying technology for Interface Endpoints and also lets you expose your own services to other VPCs without peering. You deploy your service behind an NLB, create a VPC Endpoint Service, and grant consumers permission to create Interface Endpoints into your service. Traffic stays on the AWS network and never crosses the public internet.
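To make the routing rules from the two sections above concrete, here is an added Python model (not code from the original page or from any AWS tooling) that resolves routes by longest-prefix match: it shows why a route from VPC A towards VPC C via a peering connection to VPC B is dropped, how a Transit Gateway's own route table makes the same path work, why ten VPCs need 45 peerings but only ten attachments, and how a Gateway Endpoint route wins over the default internet route. The VPC names, CIDRs and the S3 range used as a stand-in for the managed prefix list are all constructed.

```python
import ipaddress
# Constructed lab: three VPCs; no value below is a real AWS identifier.
VPC_CIDR = {"A": "10.0.0.0/16", "B": "10.1.0.0/16", "C": "10.2.0.0/16"}
# Route tables are lists of (destination, (kind, next hop)); kind "pcx" = peering
# connection, "tgw" = route into the transit gateway, "att" = TGW route to a VPC
# attachment, "igw"/"vpce" = internet gateway / gateway endpoint.
PEERED = {  # A<->B and B<->C peered; A also (uselessly) routes VPC C via B
    "A": [("10.1.0.0/16", ("pcx", "B")), ("10.2.0.0/16", ("pcx", "B"))],
    "B": [("10.0.0.0/16", ("pcx", "A")), ("10.2.0.0/16", ("pcx", "C"))],
    "C": [("10.1.0.0/16", ("pcx", "B"))],
}
HUB = {vpc: [("10.0.0.0/8", ("tgw", "TGW"))] for vpc in VPC_CIDR}  # spokes -> TGW
HUB["TGW"] = [(cidr, ("att", vpc)) for vpc, cidr in VPC_CIDR.items()]  # hub table
# Gateway Endpoint: 52.216.0.0/15 stands in for the managed S3 prefix list and
# is more specific than 0.0.0.0/0, so S3 traffic never reaches the IGW.
EGRESS = [("0.0.0.0/0", ("igw", "internet")), ("52.216.0.0/15", ("vpce", "s3"))]

def lookup(routes, dst):
    """Longest-prefix match, the way a VPC or TGW route table is evaluated."""
    best = None
    for prefix, target in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def reachable(tables, src, dst_ip):
    """Walk a packet from VPC src. A peering link delivers only traffic addressed
    to the peer's own CIDR (non-transitive); a TGW consults its own table."""
    dst, node = ipaddress.ip_address(dst_ip), src
    for _ in range(4):  # bound the walk; no path in this lab is longer
        if node in VPC_CIDR and dst in ipaddress.ip_network(VPC_CIDR[node]):
            return True  # delivered locally inside the destination VPC
        target = lookup(tables[node], dst)
        if target is None:
            return False  # no matching route: the packet is dropped
        kind, nxt = target
        if kind == "pcx":
            return dst in ipaddress.ip_network(VPC_CIDR[nxt])
        node = nxt  # "tgw" enters the hub, "att" hands off to a VPC
    return False

def egress_kind(dst_ip):
    """Egress path for a packet leaving the VPC: 'vpce' (endpoint) or 'igw'."""
    return lookup(EGRESS, ipaddress.ip_address(dst_ip))[0]

def full_mesh_peerings(n):
    """Peering connections for n VPCs to all talk directly (10 VPCs -> 45)."""
    return n * (n - 1) // 2
```

Running `reachable(PEERED, "A", "10.2.0.5")` returns False while `reachable(HUB, "A", "10.2.0.5")` returns True, which is the exam's transitive-routing distinction in one call each.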

How to choose the correct answer

VPC Peering: two VPCs, direct connection, non-transitive. Simple, free data transfer within the same region.

Transit Gateway: many VPCs, hub-and-spoke, transitive routing, centralized connectivity. Use when managing multiple VPCs.

Direct Connect: dedicated physical line, consistent bandwidth and latency, private network. Use for high-bandwidth or latency-sensitive hybrid workloads.

Site-to-Site VPN: encrypted tunnel over public internet, fast to set up, variable performance. Use when Direct Connect is not available or needed.

Gateway Endpoint: free, S3 and DynamoDB only, route table entry. Use to keep S3 traffic off the internet.

Interface Endpoint (PrivateLink): private IP in subnet, supports most AWS services, per-AZ cost. Use for private access to services beyond S3 and DynamoDB.

VPN CloudHub: connect multiple on-premises sites to each other through a single Virtual Private Gateway.

AWS connectivity options

Option             | Connection type                 | Transitive?   | Best for
-------------------+---------------------------------+---------------+----------------------------------------------------
VPC Peering        | VPC to VPC, private             | No            | Simple two-VPC connections, low cost
Transit Gateway    | Hub-and-spoke, private          | Yes           | Many VPCs, centralized routing, hybrid networks
Direct Connect     | Dedicated physical line         | N/A (hybrid)  | High-bandwidth, low-latency on-premises to AWS
Site-to-Site VPN   | IPsec over internet             | N/A (hybrid)  | Encrypted on-premises connectivity, quick setup
Gateway Endpoint   | Private AWS service access      | N/A (service) | S3 and DynamoDB without internet routing
Interface Endpoint | Private IP in VPC (PrivateLink) | N/A (service) | Private access to most AWS and third-party services

Key exam facts — AWS SAA-C03

  • VPC Peering: non-transitive, no overlapping CIDR blocks, works across regions and accounts.
  • Transit Gateway: transitive routing, scales to thousands of VPCs, supports VPN and Direct Connect attachments.
  • Direct Connect: dedicated private line, consistent bandwidth, does not traverse public internet.
  • Gateway Endpoints: S3 and DynamoDB only, free, route table entry in VPC.
  • Interface Endpoints: PrivateLink, Elastic Network Interface in subnet, per-AZ hourly charge.
  • VPC Flow Logs: capture IP traffic metadata for VPC, subnet, or ENI. Stored in CloudWatch Logs or S3.
  • Egress-only Internet Gateway: allows IPv6 instances to initiate outbound internet connections, blocks inbound.

Common exam traps

VPC Peering allows connected VPCs to route traffic transitively through intermediate VPCs.

VPC Peering is strictly non-transitive. If VPC A peers with VPC B, and VPC B peers with VPC C, traffic from VPC A cannot reach VPC C through VPC B. Each pair that needs to communicate requires its own direct peering connection. For transitive routing between many VPCs, use Transit Gateway.

Direct Connect is always faster and more reliable than VPN.

Direct Connect provides consistent, dedicated bandwidth and lower latency than VPN, but it is not inherently more reliable out of the box. Direct Connect connections can fail. High-availability Direct Connect architectures use two connections to different Direct Connect locations, often combined with a Site-to-Site VPN as a backup path. Direct Connect alone with no redundancy can be a single point of failure.

VPC Endpoints are only useful for accessing S3.

Gateway Endpoints cover S3 and DynamoDB. Interface Endpoints (PrivateLink) cover hundreds of AWS services including Secrets Manager, Systems Manager, Kinesis, SQS, SNS, CloudWatch, and many third-party services available in AWS Marketplace. VPC Endpoints enable private connectivity to all these services without routing traffic through the public internet.
