hard · SAP · ANS · Network

Hybrid — Connect On-Prem DC to AWS

A bank needs to connect its on-prem datacenter (Mumbai) to AWS ap-south-1 with dedicated bandwidth, low predictable latency, encrypted traffic, and HA across two physical paths. They have multiple VPCs that need to reach on-prem.

Key Constraints

Dedicated bandwidth (1 Gbps minimum)
Low, predictable latency
HA — no single point of failure
Encryption in transit
Multiple VPCs need on-prem reachability

Reference Architecture (interactive 3D)


Dual Direct Connect + VPN Backup via Transit Gateway

  1. Two Direct Connect 1 Gbps dedicated circuits terminating at two different DX locations, so that no single circuit, router or facility is a single point of failure.
  2. Site-to-Site VPN over the public internet as the last-resort path, attached to the Transit Gateway with dynamic (BGP) routing so that failover needs no manual route change.
  3. Transit Gateway as the hub: it receives both DX paths through a Direct Connect Gateway, terminates the VPN, and attaches every VPC.
  4. Multiple VPCs (App, Data, Shared) attach to the TGW once each; the TGW route tables give a full mesh without VPC peering sprawl.
  5. BGP for dynamic routing on every path. Enable BFD on the customer routers (AWS enables it on its side of each virtual interface by default, but it only takes effect once the customer side is configured) so that a dead circuit is detected in about a second; without BFD, detection waits for the BGP hold timer, which defaults to 90 seconds on Direct Connect.
  6. Encryption in transit on the DX paths (banks require this): MACsec is offered only on 10 Gbps and faster dedicated ports, so with 1 Gbps circuits run an IPsec Site-to-Site VPN over Direct Connect (Private IP VPN on a transit VIF, or a VPN over a public VIF).
  7. Direct Connect Gateway between the transit virtual interfaces and the TGW: a TGW cannot attach to a DX connection directly, and the same gateway can also associate TGWs in other regions when they need the same circuits.

Common Traps (Wrong Answers)

  • Single DX circuit (not HA: a circuit cut or a device failure at that location is a full outage)
  • Only VPN, no DX (bandwidth and latency over the internet are not predictable enough for a bank's clearing systems)
  • DX terminating on a virtual private gateway per VPC instead of a Transit Gateway (peering is not transitive, so each VPC needs its own VIF and route set; this does not scale to many VPCs)
  • Forgetting MACsec/IPsec (DX is private but not encrypted by default, and MACsec is not available on 1 Gbps ports)
  • Inconsistent BGP path preference (the backup path advertising more specific prefixes, or local-preference and AS-path settings that differ by direction, so traffic sits on the VPN or flows asymmetrically while the primary is healthy)
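The checks behind the reference architecture and the traps above, as an added example that is not part of the scenario page or of any AWS tooling. It reads the JSON shapes returned by `aws directconnect describe-connections`, `aws directconnect describe-virtual-interfaces`, `aws ec2 describe-vpn-connections` and `aws ec2 describe-transit-gateway-attachments` and reports each trap it finds. Field names follow the real responses; every ID, location and the sample data are constructed, and `failover_detection_seconds` only models the two detection mechanisms, it does not query anything.

```python
"""Checker for the dual Direct Connect + VPN backup + Transit Gateway design.

Added example, not code from the scenario page or from AWS. Input dictionaries
use the field names of the AWS CLI responses; IDs, locations and the whole
sample design are constructed for the example.
"""

# Bandwidth strings exactly as describe-connections reports them.
GBPS = {"1Gbps": 1, "10Gbps": 10, "100Gbps": 100}


def sample_design():
    """Constructed API output for a design that satisfies the scenario."""
    connections = [
        {"connectionId": "dxcon-aaaa1111", "connectionState": "available",
         "location": "LOC-MUM-1", "bandwidth": "1Gbps", "macSecCapable": False},
        {"connectionId": "dxcon-bbbb2222", "connectionState": "available",
         "location": "LOC-MUM-2", "bandwidth": "1Gbps", "macSecCapable": False},
    ]
    vifs = [
        {"virtualInterfaceId": "dxvif-1", "virtualInterfaceType": "transit",
         "connectionId": "dxcon-aaaa1111", "directConnectGatewayId": "dxgw-1",
         "bgpPeers": [{"addressFamily": "ipv4", "bgpStatus": "up"}]},
        {"virtualInterfaceId": "dxvif-2", "virtualInterfaceType": "transit",
         "connectionId": "dxcon-bbbb2222", "directConnectGatewayId": "dxgw-1",
         "bgpPeers": [{"addressFamily": "ipv4", "bgpStatus": "up"}]},
    ]
    vpns = [
        # IPsec carried over Direct Connect (Private IP VPN): encryption on 1 Gbps
        # ports, where MACsec is not offered.
        {"VpnConnectionId": "vpn-dx", "State": "available", "TransitGatewayId": "tgw-1",
         "Options": {"StaticRoutesOnly": False, "OutsideIpAddressType": "PrivateIpv4"}},
        # Internet VPN: the last-resort path, dynamic (BGP) so failover is automatic.
        {"VpnConnectionId": "vpn-inet", "State": "available", "TransitGatewayId": "tgw-1",
         "Options": {"StaticRoutesOnly": False, "OutsideIpAddressType": "PublicIpv4"}},
    ]
    attachments = [
        {"ResourceType": "vpc", "ResourceId": v, "State": "available"}
        for v in ("vpc-app", "vpc-data", "vpc-shared")
    ] + [{"ResourceType": "direct-connect-gateway", "ResourceId": "dxgw-1", "State": "available"}]
    return connections, vifs, vpns, attachments


def check_design(connections, vifs, vpns, attachments, required_vpcs, min_gbps=1):
    """Return a list of (trap, detail) tuples; an empty list means the design passes."""
    findings = []
    live = [c for c in connections if c["connectionState"] == "available"]
    if len(live) < 2:
        findings.append(("single-circuit", f"{len(live)} available DX connection(s), need two"))
    elif len({c["location"] for c in live}) < 2:
        findings.append(("single-location", "both circuits land in one DX location"))
    for c in live:
        if GBPS.get(c["bandwidth"], 0) < min_gbps:
            findings.append(("bandwidth", f"{c['connectionId']} is only {c['bandwidth']}"))

    # A TGW only consumes transit VIFs, and a transit VIF must land on a DX Gateway.
    for v in vifs:
        if v["virtualInterfaceType"] != "transit":
            findings.append(("no-transit-gateway",
                             f"{v['virtualInterfaceId']} is a {v['virtualInterfaceType']} VIF"))
        elif not v.get("directConnectGatewayId"):
            findings.append(("no-dx-gateway", f"{v['virtualInterfaceId']} has no DX Gateway"))
        if any(p["bgpStatus"] != "up" for p in v["bgpPeers"]):
            findings.append(("bgp-down", f"{v['virtualInterfaceId']} BGP session not up"))

    tgw_vpns = [p for p in vpns if p["State"] == "available" and p.get("TransitGatewayId")]
    dynamic = [p for p in tgw_vpns if not p["Options"].get("StaticRoutesOnly", True)]
    # DX is private but not encrypted: accept MACsec (port must support it) or IPsec over DX.
    macsec = bool(live) and all(c.get("macSecCapable") and c.get("encryptionMode") == "must_encrypt"
                                for c in live)
    ipsec_over_dx = any(p["Options"].get("OutsideIpAddressType") == "PrivateIpv4" for p in tgw_vpns)
    if not (macsec or ipsec_over_dx):
        findings.append(("unencrypted", "no MACsec (10 Gbps+ ports only) and no IPsec VPN over DX"))
    # Internet VPN as the backup path, and it must run BGP so failover needs no hands.
    if not any(p["Options"].get("OutsideIpAddressType", "PublicIpv4") == "PublicIpv4" for p in dynamic):
        findings.append(("no-vpn-backup", "no dynamic (BGP) internet Site-to-Site VPN on the TGW"))

    attached = {a["ResourceId"] for a in attachments
                if a["ResourceType"] == "vpc" and a["State"] == "available"}
    for vpc in sorted(set(required_vpcs) - attached):
        findings.append(("vpc-not-attached", f"{vpc} has no TGW attachment"))
    return findings


def failover_detection_seconds(bfd=True, interval_ms=300, multiplier=3, hold_timer_s=90):
    """Worst-case time to notice a dead path: BFD (interval x multiplier) or the BGP hold timer.

    300 ms x 3 are the Direct Connect BFD minimums; 90 s is the DX BGP hold-timer default.
    """
    return interval_ms * multiplier / 1000 if bfd else hold_timer_s


if __name__ == "__main__":
    conns, vifs, vpns, atts = sample_design()
    print(check_design(conns, vifs, vpns, atts, ["vpc-app", "vpc-data", "vpc-shared"]))
    # Drop the second circuit and the checker reports the single-circuit trap.
    print(check_design(conns[:1], vifs[:1], vpns, atts, ["vpc-app"]))
    print(failover_detection_seconds(bfd=True), failover_detection_seconds(bfd=False))
```

Feed it the real CLI output (`describe-connections` returns a `connections` list, the EC2 calls return `VpnConnections` and `TransitGatewayAttachments`) and a list of the VPC IDs that must reach on-prem. The BGP preference trap is deliberately not checked here: it lives in the router and Transit Gateway route tables, not in these four API responses.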
