Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

4.3.2. Hybrid and Multi-Cloud Connectivity Security

First Principle: Extending your network to on-premises or other clouds introduces new trust boundaries. Every hybrid connection is a potential attack path between environments — secure connectivity ensures that cross-environment traffic is encrypted, authenticated, and access-controlled.

AWS Site-to-Site VPN:
  • IPsec encrypted tunnels between on-premises and an AWS VPC (or Transit Gateway), normally carried over the public internet
  • Two tunnels per connection, terminating on separate AWS endpoints, for high availability; keep both up and route over both, or a single failure silently removes your redundancy
  • Supports BGP for dynamic routing (with automatic failover between tunnels) or static routes
  • Customer Gateway device required on-premises; tunnels are authenticated with a pre-shared key per tunnel or, optionally, with private certificates issued by ACM Private CA
  • Use case: encrypted connectivity for moderate bandwidth requirements (each tunnel carries roughly 1.25 Gbps; going beyond that means ECMP across several tunnels on a Transit Gateway)
AWS Direct Connect:
  • Dedicated physical connection between on-premises (typically your router, or a partner's, in a Direct Connect location) and AWS
  • Higher bandwidth, lower latency, more consistent than VPN
  • NOT encrypted by default: traffic traverses a private connection but is not encrypted, so confidentiality rests entirely on the physical and colocation controls along the path
  • MACsec (IEEE 802.1AE MAC Security), new in C03: Layer 2 encryption for Direct Connect, encrypting frames between your router and the AWS Direct Connect endpoint. It is offered only on dedicated connections at supported speeds (10 Gbps and above) and locations, it protects that single hop rather than a partner-provided last-mile circuit in front of it, and a CKN/CAK key pair must be associated with the connection before the port will pass traffic in must_encrypt mode
Direct Connect + MACsec Security:
                      Without MACsec                           With MACsec
  Confidentiality     Private but unencrypted                  Private AND encrypted at Layer 2
  Trust assumption    Relies on colocation facility security   Cryptographic protection of the link regardless of its physical path
  Typical use         Sufficient for most workloads            Required for highly sensitive data (financial, government)

For maximum security: Run a Site-to-Site VPN over Direct Connect (over a public VIF to the VPN service's public endpoints, or as a private IP VPN over a transit VIF), combining the private, consistent path of Direct Connect with end-to-end IPsec encryption. One caveat: the IPsec tunnels, not the Direct Connect port, then set the throughput ceiling at roughly 1.25 Gbps per tunnel, so if you need encryption at 10 Gbps line rate MACsec is the tool, with VPN layered on top only where end-to-end IPsec is itself the requirement.

⚠️ Exam Trap: Direct Connect alone is NOT encrypted. If a question requires encrypted hybrid connectivity, the answer is either VPN, MACsec on Direct Connect, or VPN over Direct Connect — not Direct Connect alone.
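The exam trap above is also an operational one: a connection can look "available" while carrying plaintext. The audit below is an added example, not code from the page or from AWS; it runs the two checks a practitioner would script against the DescribeConnections and DescribeVpnConnections responses (is each Direct Connect port actually enforcing MACsec, and is each VPN restricted to IKEv2, strong DH groups and AES-256 with both tunnels up). The sample responses are constructed and the policy thresholds are assumptions to tune to your own baseline; the resource IDs are placeholders.

```python
"""Hybrid-link audit: flags Direct Connect connections with no link-layer
encryption and Site-to-Site VPNs with a weak IPsec policy or lost tunnel
redundancy. Sample data is constructed; field names follow the AWS
DescribeConnections and DescribeVpnConnections response shapes."""

# Policy thresholds: assumptions for this example, not AWS requirements.
MIN_DH_GROUP = 14                       # 2048-bit MODP; groups 2 and 5 are legacy
STRONG_CIPHERS = {"AES256-GCM-16", "AES256"}
REQUIRED_IKE = {"ikev2"}

# Constructed sample of directconnect.describe_connections() output.
DX_SAMPLE = {"connections": [
    {"connectionId": "dxcon-aaaa1111", "connectionName": "dc1-primary",     # placeholder IDs
     "connectionState": "available", "bandwidth": "10Gbps",
     "macSecCapable": True, "encryptionMode": "must_encrypt",
     "portEncryptionStatus": "Encryption Up",
     "macSecKeys": [{"ckn": "0123abcd", "state": "associated"}]},
    {"connectionId": "dxcon-bbbb2222", "connectionName": "dc2-secondary",
     "connectionState": "available", "bandwidth": "1Gbps",               # 1G: MACsec unavailable
     "macSecCapable": False, "encryptionMode": "no_encrypt",
     "portEncryptionStatus": "Encryption Down", "macSecKeys": []},
]}

def _tunnel(outside_ip, ike, dh, p1, p2):
    """Build one TunnelOptions entry in the API's {"Value": ...} list shape."""
    return {"OutsideIpAddress": outside_ip,
            "IkeVersions": [{"Value": v} for v in ike],
            "Phase1DHGroupNumbers": [{"Value": g} for g in dh],
            "Phase1EncryptionAlgorithms": [{"Value": a} for a in p1],
            "Phase2EncryptionAlgorithms": [{"Value": a} for a in p2]}

# Constructed sample of ec2.describe_vpn_connections() output.
VPN_SAMPLE = {"VpnConnections": [
    {"VpnConnectionId": "vpn-cccc3333", "State": "available",             # private IP VPN over DX
     "Options": {"TransportTransitGatewayAttachmentId": "tgw-attach-dddd4444",
                 "TunnelOptions": [_tunnel("10.250.0.1", ["ikev2"], [20], ["AES256-GCM-16"], ["AES256-GCM-16"]),
                                   _tunnel("10.250.0.5", ["ikev2"], [20], ["AES256-GCM-16"], ["AES256-GCM-16"])]},
     "VgwTelemetry": [{"Status": "UP"}, {"Status": "UP"}]},
    {"VpnConnectionId": "vpn-eeee5555", "State": "available",             # internet VPN, loose policy
     "Options": {"TunnelOptions": [_tunnel("203.0.113.10", ["ikev1", "ikev2"], [2, 14], ["AES128", "AES256"], ["AES128"]),
                                   _tunnel("203.0.113.20", ["ikev2"], [14], ["AES256"], ["AES256"])]},
     "VgwTelemetry": [{"Status": "UP"}, {"Status": "DOWN"}]},
]}

def audit_dx(conn):
    """Findings (severity, message) for one Direct Connect connection."""
    findings, cid = [], conn["connectionId"]
    mode = conn.get("encryptionMode", "no_encrypt")
    if mode != "must_encrypt":
        findings.append(("FAIL", f"{cid}: encryptionMode={mode}; frames cross the DX "
                                 "location in the clear unless carried inside a VPN"))
    if conn.get("macSecCapable") and conn.get("portEncryptionStatus") != "Encryption Up":
        findings.append(("FAIL", f"{cid}: MACsec capable but session is not up "
                                 f"({conn.get('portEncryptionStatus')})"))
    if mode == "must_encrypt" and not conn.get("macSecKeys"):
        findings.append(("WARN", f"{cid}: must_encrypt with no CKN/CAK associated; port stays down"))
    return findings

def _values(tunnel, key):
    return [o["Value"] for o in tunnel.get(key, [])]

def audit_vpn(vpn):
    """Findings for one Site-to-Site VPN. An empty option list means the
    tunnel was left on AWS defaults, which still admit IKEv1 and DH group 2."""
    findings, vid = [], vpn["VpnConnectionId"]
    opts = vpn.get("Options", {})
    if opts.get("TransportTransitGatewayAttachmentId"):
        findings.append(("INFO", f"{vid}: private IP VPN over Direct Connect (IPsec on the DX path)"))
    for t in opts.get("TunnelOptions", []):
        ip = t.get("OutsideIpAddress", "?")
        ike = set(_values(t, "IkeVersions"))
        if not ike or ike - REQUIRED_IKE:
            findings.append(("FAIL", f"{vid} tunnel {ip}: IKE {sorted(ike) or 'AWS defaults'}; restrict to ikev2"))
        dh = _values(t, "Phase1DHGroupNumbers")
        weak = [g for g in dh if g < MIN_DH_GROUP]
        if not dh or weak:
            findings.append(("FAIL", f"{vid} tunnel {ip}: phase-1 DH {weak or 'AWS defaults'} below group {MIN_DH_GROUP}"))
        for phase in ("Phase1EncryptionAlgorithms", "Phase2EncryptionAlgorithms"):
            algs = set(_values(t, phase))
            if not algs or algs - STRONG_CIPHERS:
                findings.append(("FAIL", f"{vid} tunnel {ip}: {phase} allows {sorted(algs - STRONG_CIPHERS) or 'AWS defaults'}"))
    telemetry = vpn.get("VgwTelemetry", [])
    down = [i for i, tm in enumerate(telemetry) if tm.get("Status") != "UP"]
    if len(telemetry) < 2 or down:
        findings.append(("WARN", f"{vid}: tunnel redundancy degraded (tunnels down: {down})"))
    return findings

def audit_hybrid(dx_resp, vpn_resp):
    """Map every DX connection and VPN ID to its list of findings (empty = clean)."""
    out = {c["connectionId"]: audit_dx(c) for c in dx_resp.get("connections", [])}
    out.update({v["VpnConnectionId"]: audit_vpn(v) for v in vpn_resp.get("VpnConnections", [])})
    return out

def fetch_live(region):
    """Pull the real responses with boto3 (needs credentials; not called here)."""
    import boto3
    return (boto3.client("directconnect", region_name=region).describe_connections(),
            boto3.client("ec2", region_name=region).describe_vpn_connections())

if __name__ == "__main__":
    for rid, findings in audit_hybrid(DX_SAMPLE, VPN_SAMPLE).items():
        print(rid, "OK" if not findings else "")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

Against the sample, the MACsec-enforced 10G port is clean, the 1G port is a FAIL because nothing on the wire is encrypted, the VPN riding Direct Connect is merely noted as such, and the internet VPN collects four policy failures on its first tunnel plus a redundancy warning for the tunnel that is down. Swap `DX_SAMPLE, VPN_SAMPLE` for `fetch_live("us-east-1")` to run it for real; the finding on the 1G port is exactly the "Direct Connect alone is not encrypted" trap showing up in an account.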

Scenario: A government agency needs to connect their classified network to AWS with guaranteed encryption and dedicated bandwidth. They deploy Direct Connect with MACsec for Layer 2 encryption of the physical link into AWS, and run a Site-to-Site VPN through the Direct Connect connection so that IPsec also protects the traffic end to end between their customer gateway and the AWS VPN endpoint, achieving dual-layer encryption: MACsec covers the hop the agency does not physically control, and IPsec covers the whole path in case the Layer 2 session ever drops to an unencrypted state.

Reflection Question: Why does the exam consistently test whether candidates know that Direct Connect is not encrypted by default, and what does this reveal about common architectural mistakes?

Written by Alvin Varughese, Founder (15 professional certifications)