This fifth post in the seven-part AWS SAP-C02 revision series shifts focus to the layers that sit between identity and applications: hybrid connectivity, VPC networking, and inspection services. These topics appear relentlessly in the exam, often embedded inside long scenarios where the challenge is understanding traffic flow, trust boundaries, and service limitations rather than individual features. The goal here is simple: reinforce how AWS networking and security components fit together in real architectures so that you can recognise the correct design quickly under exam pressure.
Section 1: Identity & Access Management (Getting In)
Memory Hook: “Federation lets you use your own key; Active Directory options come in three.”
Identity is always the starting point. Before traffic flows or workloads scale, users must authenticate, authorise, and assume roles safely.
Federation Options
Web Identity Federation
- Let’s users access AWS using public identity providers such as Facebook or Google.
- Flow:
- The application calls the identity broker
- The broker talks to the identity store
- STS (Security Token Service) issues temporary credentials
- Used for external users and consumer-facing apps.
SAML Federation
- Designed for corporate identities
- Flow:
- The Identity Provider (IdP) authenticates the user
- Returns a SAML assertion
- Assertion is sent to AWS IAM Identity Center endpoint (or STS)
- User is validated and redirected to the AWS Console
Active Directory Options (Three Types)
Active Directory Connector
- Acts as a gateway to on-premises AD
- Requests are redirected to on-prem
- No caching in AWS
Simple AD
- Standalone Samba 4 directory
- Limitations:
- No MFA
- No Trust relationships
- No PowerShell
- No RDS for SQL Server
AWS Managed Microsoft AD
- Full Microsoft AD feature set
- Standard / Enterprise editions:
- Users access AWS resources with existing credentials
- Hybrid Edition:
- Connects to self-managed AD
Active Directory Migration
- Use ADMT (Active Directory Migration Toolkit)
- Combine with Password Export Service (PES)
- Migrates:
- Users
- Encrypted passwords
- Target: AWS Managed Microsoft AD
Section 2: Hybrid Connectivity (The Pipes)
Memory Hook:
VPN for a tunnel, DX for a street;
combine them with CloudHub so branches can meet.
Once identities are sorted, the next concern is how data moves between on-premises and AWS.
AWS Direct Connect (DX)
Requirements
- Customer network device must support: BGP and BGP MD5 authentication is needed to establish a Direct Connect link from your data centre to your VP
Data Transfer Maths
- 1 Gbps at full utilisation ≈ 10 TB per day
- 10 Gbps ≈ 86 TB per day
Gateway Types
Direct Connect Gateway
- Connects to VPCs across multiple regions
- China regions excluded
- Prefix rules:
- Advertised prefixes must be equal to or broader than the VPC CIDR
Public Virtual Interface (VIF)
- To connect to AWS resources that are reachable by a public IP address (such as an Amazon Simple Storage Service bucket) or AWS public endpoints, use a public virtual interface.
- Required for S3
- Constraint: Private VIF canNOT be used for S3
- Create public virtual interfaces in any DX location to receive Amazon’s global IP routes.
VPN CloudHub
- Operates in a hub-and-spoke model
- Multiple sites with:
- VPN connections
- Direct Connect connections
- Sites communicate through the Virtual Private Gateway (VGW)
Section 3: VPC Networking Architecture
Memory Hook: “Peering is local, GWLB inspects the view; DHCP options set the DNS for you.”
This section defines the shape and limits of your private AWS network.
VPC Constraints
- IPv6
- You cannot bring your own IPv6 CIDR
- Must be assigned by Amazon
- Limits
- Five VPCs per Region by default
Gateway Load Balancer (GWLB)
- Used to deploy third-party virtual appliances
- Firewalls
- IPS
- Works transparently
- Creates a Gateway Load Balancer Endpoint (GWLBE) in the consumer VPC
- Traffic routing:
- Uses GENEVE encapsulation
- Routes traffic to the appliance fleet
- Diagram showing the Gateway Load Balancer endpoint in a VPC subnet routing traffic to appliances
credit: Tutorials Dojo
DHCP Option Sets
- Define network configuration values
- To use Amazon DNS:
- Set domain-name-servers = AmazonProvidedDNS
VPC Sharing
- An Owner account shares subnets
- The VPC itself is not shared
- Benefits:
- Better subnet density
- Avoids the 50 VIF limit on Direct Connect
- Centralises networking
VPC Lattice
- Managed service for application-to-application connectivity
- Handles:
- Service discovery
- Security
- Works across accounts and VPCs
- Operates at a logical boundary
Section 4: Security & Inspection
Memory Hook:
WAF watches the web, ACM locks the door;
EC2Rescue fixes the core.
Security is layered: certificates, inspection, automation, and filtering.
AWS Certificate Manager (ACM)
Regional Constraints
- CloudFront
- Certificate must be requested in us-east-1 (N. Virginia)
- Application Load Balancers
- Certificate must be in the same region as the ALB
SNI Support
- Both CloudFront and ALBs support Server Name Indication
- Allows multiple HTTPS domains on a single IP
Network Firewall
Rule Types
- Stateless rules
- Processed by priority
- Inspect packets in isolation
- Stateful rules
- Inspect the entire traffic flow
Deployment Model
- Uses a dedicated firewall endpoint (vpce-id)
- Centralised inspection:
- Transit Gateway routes traffic
- Traffic flows into an Inspection VPC
- Diagram of Centralised Egress with Inspection VPC and Transit Gateway
Automation Tools
AWSSupport-EC2Rescue
- Automation tool for EC2 remediation
- Uses:
- Lambda
- IAM
- Safely attempts to fix common instance issues
AWS WAF
- Logging destinations:
- CloudWatch Logs
- S3
- Kinesis Data Firehose
- Supports:
- Geo-match blocking
- IP sets (e.g. allow developer access)
Section 5: DNS & Domains (Route 53)
Memory Hook: “DNSSEC signs it so spoofers get caught; 18% healthy is the consensus sought.”
DNS underpins everything — availability and trust both matter.
Health Checks
- Endpoint is considered healthy when:
- More than 18% of health checkers report being healthy
- Intervals:
- Standard: 30 seconds
- Fast: 10 seconds
DNS Security
DNSSEC
- Cryptographically signs DNS records
- Prevents spoofing and tampering
- Enable validation on Route 53 Resolver
Route 53 Resolver Endpoints
Inbound Endpoint
- Resolves AWS resources for on-premises networks
Outbound Endpoint
- Forwards DNS queries:
- From AWS
- To on-premises
- Uses forwarding rules
Section 6: Application Services & Scaling
Memory Hook: “SFTP stays private inside the VPC; Auto Scale triggers on count or CPU.”
This final layer focuses on service exposure and elasticity.
AWS Transfer Family
- Supported protocols:
- SFTP
- FTPS
- FTP
- Backend storage:
- S3
- EFS
Security Best Practice
- Do not expose unrestricted public endpoints
- Host inside a VPC
- Restrict access using Security Groups
- Allow only partner IP ranges
Auto Scaling
Simple Scaling Policies
- Trigger based on:
- CPU utilisation (e.g. >70%)
- Request Count per target (e.g. >1200)
Instance Tenancy Rules
- VPC Tenancy = Default
- Launch Configuration = Dedicated
→ Dedicated Instance
- Launch Configuration = Dedicated
- VPC Tenancy = Dedicated
- Launch Configuration = Default
→ Dedicated Instance
- Launch Configuration = Default
What’s Next?
At this point in the series, the fundamentals are no longer optional. Identity controls who gets in, hybrid connectivity defines how traffic moves, and the network perimeter now securely wraps the Data Storage and Database Solutions from the previous post. These are the layers the exam assumes you already understand. With that groundwork complete, we can move away from infrastructure mechanics and into service behaviour. Post 6 will shift focus to Serverless architectures and the key miscellaneous services that appear frequently in scenario-based questions—where scaling, permissions, and event-driven design matter more than managing instances or networks.
Catch up on the series:
- Last-Minute Revision for the Solutions Architect – Professional exam – Introduction
- AWS Organisations
- Policies and Encryptions
- Data Storage
- Networking – this post
- Serverless
- Final