Published on

Introduction to Hybrid Networking


Image description

  • Hybrid Networking refers to a network that spans AWS and an on-premises data center. Hybrid networking architectures help organizations integrate their on-premises data center and AWS operations to support a broad spectrum of use cases, by using a common set of cloud services, tools, and APIs across on-premises and cloud environments.

  • To establish a hybrid networking environment, there are specific services that connect your on-premises and AWS resources through a common network. For example, you can use Amazon Virtual Private Cloud (Amazon VPC) to gain control over your virtual networking environment in AWS, AWS Site-to-Site VPN to provide secure encrypted remote office to AWS connectivity over the internet in minutes, and AWS Direct Connect to establish a dedicated private network connection between AWS and your on-premises environment.

  • The AWS Well-Architected Framework is based on five pillars—operational excellence, security, reliability, performance efficiency, and cost optimization.

  • When architecting technology solutions, you must make informed tradeoffs between pillars based upon your business context.

  • AWS provides multiple core components that enable you to design robust architectures for your hybrid networking workload applications.

  • This article presents an overview of the AWS components that are used throughout this document to architect hybrid networking workloads. There are three specific areas to consider when designing hybrid network connectivity for your workload:

  • Data layer

  • Monitoring and config management

  • Security

Data layer

  • The data layer of your hybrid networking environment is important because it provides a data path for network traffic between applications hosted on AWS and an on-premises data center.

  • As part of your hybrid deployment, it’s important to carefully consider the hybrid connectivity options between AWS and an on-premises data for the forwarding of your network traffic.

  • The Hybrid Networking Lens recommends using AWS Virtual Private Network (AWS VPN), AWS Direct Connect, and Amazon VPC to support your application team’s agility and speed to market by using AWS as a data center extension. AWS VPN and Direct Connect are used as network paths for providing connectivity for these hybrid networking workloads.

  • AWS Virtual Private Network (AWS VPN) establishes a secure and private tunnel from your network or device to the AWS Cloud. AWS Site-to-Site VPN allows you to securely connect your on-premises network or branch office site to your Amazon VPC.

  • AWS Direct Connect (DX) makes it easy to establish a dedicated network connection from your on-premises environment to AWS. Using Direct Connect, you can establish private connectivity between AWS and your data center, office, or colocation environment. In many cases, this can reduce your network costs, increase bandwidth throughput, and provide a more consistent network experience than internet-based connections.

  • A virtual private gateway (VGW) is part of a VPC that provides edge routing for AWS managed VPN connections and Direct Connect connections. You associate a Direct Connect gateway with the virtual private gateway for the VPC.

  • AWS Transit Gateway (TGW) connects VPCs and on-premises networks through a central hub. It is a fully managed AWS gateway that acts as a cloud router and enables rich routing scenarios. With AWS Transit Gateway, you can quickly add Amazon VPCs, AWS accounts, VPN capacity, or AWS Direct Connect gateways to meet unexpected demand, without having to wrestle with complex connections or massive routing tables.

Monitoring and config management

  • Monitoring and config management is an important way to gain insights and improve the performance of your hybrid networking environment. AWS provides the following monitoring and config management services that enable you to monitor your AWS services and resolve the root causes of performance issues based on your business needs.

  • Amazon CloudWatch enables you to access system metrics on the AWS services that are being used, consolidate system and application level logs, and create business KPIs as custom metrics for your specific needs. CloudWatch provides dashboards and alerts that can trigger automated actions on the platform.

  • AWS Personal Health Dashboard provides alerts and remediation guidance when AWS is experiencing events that may impact you and The Service Health Dashboard provides public information about the regional availability of a service. While the Service Health Dashboard displays the general status of AWS services, AWS Personal Health Dashboard gives you a personalized view into the performance and availability of the AWS services underlying your AWS resources.

  • VPC Reachability Analyzer is a configuration analysis tool that enables you to perform connectivity testing between a source resource and a destination resource in your virtual private clouds (VPCs). When the destination is reachable, reachability analyzer produces hop-by-hop details of the virtual network path between the source and the destination. When the destination is not reachable, reachability analyzer identifies the blocking component. While VPC reachability analyzer doesn’t test end to end hybrid connectivity, it can analyze connectivity between VPN gateways (VGW or TGW) and a target within a VPC.

  • Transit Gateway Network Manager (Network Manager) enables you to centrally manage your networks that are built around transit gateways. You can visualize and monitor your global network across AWS Regions and on-premises locations.

  • Route Analyzer is a part of Transit Gateway Network Manager that allows you to perform an analysis of the routes in your transit gateway route tables. The Route Analyzer analyzes the routing path between a specified source and destination, and returns information about the connectivity between components. You can use the Route Analyzer to perform the following actions:

  • Verify that the transit gateway route table configuration will work as expected before you start sending traffic

  • Validate your existing route configuration

  • Diagnose route-related issues that are causing traffic disruption in your global network

  • AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.

  • With Config, you can review changes in configurations and relationships between AWS resources, dive into detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines. This enables you to simplify compliance auditing, security analysis, change management, and operational troubleshooting.


  • The security of your hybrid networking environment is crucial and should span protection across your on-premises and cloud environments. It is recommended to implement security controls for traffic within your cloud environment, and particularly, traffic flowing from the Internet and from your on-premises network to AWS. The following services can help secure your hybrid networking environment on AWS.

  • A security group (SG) acts as a virtual firewall for your network interfaces in a VPC and allows you to control inbound and outbound traffic including hybrid traffic.

  • A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC.

  • AWS Network Firewall is a managed service that makes it easy to deploy essential network protections such as URL and domain names, IP addresses, and content-based traffic filtering to secure traffic traversing to and from your VPCs.

  • AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting. In addition, you can use CloudTrail to detect unusual activity in your AWS accounts. These capabilities also help simplify operational analysis and troubleshooting.

  • Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads. With the cloud, the collection and aggregation of account and network activities is simplified, but it can be time consuming for security teams to continuously analyze event log data for potential threats. With GuardDuty, you now have an intelligent and cost-effective option for continuous threat detection in AWS. GuardDuty analyzes tens of billions of events across multiple AWS data sources, such as AWS CloudTrail event logs, Amazon VPC Flow Logs, and DNS logs.

Hope this guide gives you an Introduction to Hybrid Networking.

Let me know your thoughts in the comment section 👇 And if you haven't yet, make sure to follow me on below handles:

👋 connect with me on LinkedIn 🤓 connect with me on Twitter 🐱‍💻 follow me on github ✍️ Do Checkout my blogs

Like, share and follow me 🚀 for more content.