Chapter 94: Hybrid Cloud Setup
Overview
Hybrid cloud combines on-premises infrastructure with public cloud services, letting an organization keep using its existing investments while taking advantage of cloud scalability. This chapter covers hybrid cloud architectures, connectivity options, the AWS building blocks (Site-to-Site VPN, Direct Connect, Transit Gateway), DNS integration, and best practices for designing and managing hybrid environments.
94.1 Cloud Connectivity Options
Connectivity Types Comparison
VPN (IPsec)
- Quick deployment (hours)
- Runs over the public internet
- Bandwidth: up to 1.25 Gbps per tunnel
- Encryption: IPsec, so the traffic is protected end to end between the customer gateway and AWS
- Latency: variable, internet-dependent
- Cost: hourly connection charge plus data transfer
- Best for: dev/test, low-traffic or interim connections, and as a backup path for Direct Connect

Direct Connect
- Dedicated physical connection (1G/10G/100G dedicated ports; hosted connections at lower speeds through partners)
- Terminates at an AWS Direct Connect location or colocation partner
- Bandwidth: up to 100 Gbps per port
- Latency: consistent; the absolute value depends on the distance to the Direct Connect location, not on the internet
- Encryption: none by default. The circuit is private but not encrypted; use MACsec (available on some dedicated connections) or run an IPsec VPN over the connection when the data requires encryption in transit
- Cost: monthly port fee plus data transfer
- Best for: production, high-volume workloads

Transit Gateway
- Central hub for VPC, VPN and Direct Connect gateway attachments
- Regional and scalable
- Routes between VPCs and to on-premises through its own route tables
- Simplifies network architecture (hub-and-spoke instead of a mesh of VPC peerings)
- Best for: multiple VPCs, hub-and-spoke topologies

Hybrid Architecture Patterns
Classic Hybrid: an on-premises data center connected to a cloud VPC over a VPN.

Extended VPC: an on-premises database tier serving a cloud-hosted application tier over Direct Connect.

Multi-Cloud + On-Prem: on-premises connected to AWS, and AWS connected to Azure, so that workloads can span all three environments.

94.2 AWS VPN Configuration
Site-to-Site VPN Setup
# ============================================================
# AWS SITE-TO-SITE VPN CONFIGURATION
# ============================================================

# 1. Create Customer Gateway (the on-premises VPN device; 203.0.113.1 is a placeholder public IP)
aws ec2 create-customer-gateway \
  --bgp-asn 65000 \
  --ip-address 203.0.113.1 \
  --type ipsec.1

# 2. Create VPN Gateway
aws ec2 create-vpn-gateway --type ipsec.1

# 3. Attach to VPC
aws ec2 attach-vpn-gateway \
  --vpn-gateway-id vgw-12345678 \
  --vpc-id vpc-12345678

# 4. Create Site-to-Site VPN Connection with static routing
#    (there is no --static-routes-only flag; the setting lives in --options)
aws ec2 create-vpn-connection \
  --customer-gateway-id cgw-12345678 \
  --vpn-gateway-id vgw-12345678 \
  --type ipsec.1 \
  --options StaticRoutesOnly=true

#    With static routing, tell AWS which on-premises prefix sits behind the tunnel
#    (192.168.0.0/16 is a placeholder on-premises range)
aws ec2 create-vpn-connection-route \
  --vpn-connection-id vpn-12345678 \
  --destination-cidr-block 192.168.0.0/16

# 5. Download Configuration (the CustomerGatewayConfiguration field; it contains the
#    pre-shared keys for both tunnels, so handle the output as a secret)
aws ec2 describe-vpn-connections \
  --vpn-connection-ids vpn-12345678

# 6. Configure the customer gateway device
# The generic downloadable configuration still defaults to IKEv1, AES-128, SHA-1 and
# DH group 2. Do not deploy those on a production tunnel; AWS also supports, and you
# should configure:
# - IKE version: v2
# - Encryption: AES-256 (or AES-256-GCM-16)
# - Integrity: SHA2-256 or stronger
# - DH group: 14 or higher
# - Lifetime: 28800 seconds (phase 1), 3600 seconds (phase 2)
# Restricting the tunnel options on the AWS side (step 7) makes AWS refuse the weak
# proposals instead of merely not preferring them.

# 7. Create the connection with BGP (dynamic routing: omit StaticRoutesOnly) and
#    restricted tunnel options. 169.254.0.0/30 is reserved by AWS and is rejected;
#    use another /30 inside 169.254.0.0/16 for the tunnel inside addresses.
aws ec2 create-vpn-connection \
  --customer-gateway-id cgw-12345678 \
  --vpn-gateway-id vgw-12345678 \
  --type ipsec.1 \
  --options "TunnelOptions=[{TunnelInsideCidr=169.254.10.0/30,IKEVersions=[{Value=ikev2}],Phase1EncryptionAlgorithms=[{Value=AES256}],Phase1IntegrityAlgorithms=[{Value=SHA2-256}],Phase1DHGroupNumbers=[{Value=14}],Phase2EncryptionAlgorithms=[{Value=AES256}],Phase2IntegrityAlgorithms=[{Value=SHA2-256}],Phase2DHGroupNumbers=[{Value=14}]}]"
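The audit a practitioner runs after the connection exists, as an added example that is not part of the original chapter and not AWS tooling: a Python script that walks a describe-vpn-connections document and flags every proposal AWS would still accept that should not be negotiable (IKEv1, AES-128, SHA-1, DH groups below 14), a tunnel inside CIDR that AWS reserves, a missing second tunnel, and a BGP session that is up but has accepted no routes. SAMPLE is constructed in the shape of the CLI output; the VPN ID, addresses and telemetry values are made up, and tunnel 1 is deliberately weak so the checks fire. To run it against a real account, replace SAMPLE with the parsed output of `aws ec2 describe-vpn-connections --output json`.

```python
"""Audit an AWS Site-to-Site VPN for weak IKE/IPsec proposals, a reserved
inside CIDR and tunnel health. Added example for this chapter, not AWS
tooling. SAMPLE is constructed in the shape of `aws ec2
describe-vpn-connections` output; all values are made up and tunnel 1 is
deliberately weak so that the checks fire."""
import ipaddress

# Proposals AWS still accepts but that must not be negotiable in production.
WEAK_IKE = {"ikev1"}
WEAK_ENCRYPTION = {"AES128"}
WEAK_INTEGRITY = {"SHA1"}
MIN_DH_GROUP = 14
# Inside CIDRs reserved by AWS; create-vpn-connection rejects them.
RESERVED_INSIDE = [ipaddress.ip_network(c) for c in (
    "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
    "169.254.4.0/30", "169.254.5.0/30", "169.254.169.252/30")]

def _alg(*values):
    """Build the [{"Value": ...}] lists the API uses for algorithm sets."""
    return [{"Value": v} for v in values]

SAMPLE = {"VpnConnections": [{          # constructed sample document
    "VpnConnectionId": "vpn-0abc1234",
    "Options": {
        "StaticRoutesOnly": False,
        "TunnelOptions": [
            {   # tunnel 1: weak proposals permitted and a reserved inside CIDR
                "OutsideIpAddress": "203.0.113.10",
                "TunnelInsideCidr": "169.254.0.0/30",
                "IkeVersions": _alg("ikev1", "ikev2"),
                "Phase1EncryptionAlgorithms": _alg("AES128", "AES256"),
                "Phase1IntegrityAlgorithms": _alg("SHA1", "SHA2-256"),
                "Phase1DHGroupNumbers": _alg(2, 14),
                "Phase2EncryptionAlgorithms": _alg("AES256"),
                "Phase2IntegrityAlgorithms": _alg("SHA2-256"),
                "Phase2DHGroupNumbers": _alg(14),
            },
            {   # tunnel 2: hardened
                "OutsideIpAddress": "203.0.113.11",
                "TunnelInsideCidr": "169.254.11.0/30",
                "IkeVersions": _alg("ikev2"),
                "Phase1EncryptionAlgorithms": _alg("AES256"),
                "Phase1IntegrityAlgorithms": _alg("SHA2-256"),
                "Phase1DHGroupNumbers": _alg(14),
                "Phase2EncryptionAlgorithms": _alg("AES256"),
                "Phase2IntegrityAlgorithms": _alg("SHA2-256"),
                "Phase2DHGroupNumbers": _alg(14),
            },
        ],
    },
    "VgwTelemetry": [
        {"OutsideIpAddress": "203.0.113.10", "Status": "UP", "AcceptedRouteCount": 3},
        {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN", "AcceptedRouteCount": 0},
    ],
}]}

def _values(tunnel, key):
    return [entry["Value"] for entry in tunnel.get(key, [])]

def audit_tunnel(tunnel):
    """Findings for one TunnelOptions entry. Every listed proposal is one the
    customer gateway may pick, so a weak entry counts even beside a strong one."""
    findings = []
    ip = tunnel.get("OutsideIpAddress", "?")
    for v in _values(tunnel, "IkeVersions"):
        if v in WEAK_IKE:
            findings.append(f"{ip}: {v} negotiable")
    for key in ("Phase1EncryptionAlgorithms", "Phase2EncryptionAlgorithms"):
        findings += [f"{ip}: {key} allows {v}" for v in _values(tunnel, key) if v in WEAK_ENCRYPTION]
    for key in ("Phase1IntegrityAlgorithms", "Phase2IntegrityAlgorithms"):
        findings += [f"{ip}: {key} allows {v}" for v in _values(tunnel, key) if v in WEAK_INTEGRITY]
    for key in ("Phase1DHGroupNumbers", "Phase2DHGroupNumbers"):
        findings += [f"{ip}: {key} allows group {v}" for v in _values(tunnel, key) if v < MIN_DH_GROUP]
    cidr = tunnel.get("TunnelInsideCidr")
    if cidr and any(ipaddress.ip_network(cidr).overlaps(r) for r in RESERVED_INSIDE):
        findings.append(f"{ip}: inside CIDR {cidr} is reserved by AWS")
    return findings

def audit_connection(conn):
    """Crypto findings for both tunnels, then redundancy and BGP health."""
    findings = []
    for tunnel in conn.get("Options", {}).get("TunnelOptions", []):
        findings += audit_tunnel(tunnel)
    up = [t for t in conn.get("VgwTelemetry", []) if t.get("Status") == "UP"]
    if len(up) < 2:
        findings.append(f"only {len(up)} of 2 tunnels UP: no redundancy")
    if not conn.get("Options", {}).get("StaticRoutesOnly", False):
        findings += [f"{t['OutsideIpAddress']}: UP but BGP accepted 0 routes"
                     for t in up if t.get("AcceptedRouteCount", 0) == 0]
    return findings

def audit(doc):
    """Map VpnConnectionId -> findings for a describe-vpn-connections document."""
    return {c["VpnConnectionId"]: audit_connection(c) for c in doc["VpnConnections"]}

if __name__ == "__main__":
    for vpn_id, findings in audit(SAMPLE).items():
        print(vpn_id, "clean" if not findings else f"{len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

AWS lists every algorithm a tunnel may negotiate, so a strong entry beside a weak one does not help: the customer gateway, or whoever can steer its proposals, chooses. Restricting the tunnel options at creation time is what removes the weak entries from that list, and this audit is how you confirm it was done on every tunnel.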
Transit Gateway Configuration
# ============================================================
# AWS TRANSIT GATEWAY
# ============================================================

# Create Transit Gateway
# - AutoAcceptSharedAttachments=disable: accounts the TGW is shared with (via AWS RAM)
#   must have each attachment explicitly accepted, so nobody can join the hub silently.
# - DefaultRouteTableAssociation/Propagation=enable would put every attachment into one
#   route table and make the network flat (every VPC reaches every other VPC and
#   on-premises). Disable both and build per-segment route tables, as below, when
#   spokes must not reach each other.
aws ec2 create-transit-gateway \
  --description "Hybrid Cloud TGW" \
  --amazon-asn 64512 \
  --options "AutoAcceptSharedAttachments=disable,DefaultRouteTableAssociation=disable,DefaultRouteTablePropagation=disable"

# Attach VPC (one subnet per Availability Zone; the TGW places an ENI in each)
aws ec2 create-transit-gateway-vpc-attachment \
  --transit-gateway-id tgw-12345678 \
  --vpc-id vpc-12345678 \
  --subnet-ids subnet-12345678 subnet-23456789

# Attach VPN: a VPN is attached by creating the VPN connection against the TGW
# (there is no create-transit-gateway-attachment --vpn-attachment command);
# the same --options tunnel restrictions as for a VPN gateway apply
aws ec2 create-vpn-connection \
  --customer-gateway-id cgw-12345678 \
  --transit-gateway-id tgw-12345678 \
  --type ipsec.1

# Create Route Table
aws ec2 create-transit-gateway-route-table \
  --transit-gateway-id tgw-12345678

# Associate an attachment with the table (the table consulted for traffic arriving from it)
aws ec2 associate-transit-gateway-route-table \
  --transit-gateway-route-table-id tgw-rtb-12345678 \
  --transit-gateway-attachment-id tgw-attach-12345678

# Add Route (static; alternatively enable-transit-gateway-route-table-propagation lets
# the table learn an attachment's CIDRs automatically)
aws ec2 create-transit-gateway-route \
  --transit-gateway-route-table-id tgw-rtb-12345678 \
  --destination-cidr-block 10.0.0.0/16 \
  --transit-gateway-attachment-id tgw-attach-12345678
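To see what the route-table options actually decide, here is an added example (not AWS tooling, and not from the original chapter) that computes attachment-to-attachment reachability from Transit Gateway route tables and associations the way the TGW does it: longest-prefix match in the table associated with the source attachment. The attachment IDs, CIDRs and table names are constructed. The flat layout mirrors what DefaultRouteTableAssociation/Propagation=enable produces; the hub-and-spoke layout is what an explicit route table per segment is for.

```python
"""One-way reachability between Transit Gateway attachments, derived from
route tables and associations only. Added example for this chapter, not
AWS tooling; the topology is constructed: one VPN attachment for
on-premises and two VPC attachments."""
import ipaddress

# Attachment -> CIDRs behind it (constructed sample).
ATTACHMENTS = {
    "tgw-attach-onprem": ["192.168.0.0/16"],
    "tgw-attach-vpc-a": ["10.0.0.0/16"],
    "tgw-attach-vpc-b": ["10.1.0.0/16"],
}

def flat_layout():
    """One default table; every attachment associated with and propagated
    into it, which is what the enable/enable options give you."""
    routes = {cidr: att for att, cidrs in ATTACHMENTS.items() for cidr in cidrs}
    tables = {"tgw-rtb-default": routes}
    associations = {att: "tgw-rtb-default" for att in ATTACHMENTS}
    return tables, associations

def hub_and_spoke_layout():
    """The hub table (used for traffic arriving from on-prem) knows every
    spoke; the spoke table knows only the on-prem prefix, so spoke-to-spoke
    traffic has no route and is dropped."""
    tables = {
        "tgw-rtb-hub": {"10.0.0.0/16": "tgw-attach-vpc-a",
                        "10.1.0.0/16": "tgw-attach-vpc-b"},
        "tgw-rtb-spoke": {"192.168.0.0/16": "tgw-attach-onprem"},
    }
    associations = {
        "tgw-attach-onprem": "tgw-rtb-hub",
        "tgw-attach-vpc-a": "tgw-rtb-spoke",
        "tgw-attach-vpc-b": "tgw-rtb-spoke",
    }
    return tables, associations

def next_hop(tables, associations, src_attachment, dst_ip):
    """Attachment the TGW forwards to for a packet entering from
    src_attachment: longest-prefix match in the table associated with it.
    None means no route (blackhole)."""
    table = tables[associations[src_attachment]]
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, att in table.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, att)
    return best[1] if best else None

def reachability(tables, associations):
    """{src: {dst: bool}} one-way reachability, probing the first host of each
    destination attachment. A working flow also needs the reverse direction,
    so check matrix[dst][src] too before calling two segments connected."""
    matrix = {}
    for src in ATTACHMENTS:
        matrix[src] = {}
        for dst, cidrs in ATTACHMENTS.items():
            if dst == src:
                continue
            probe = str(next(ipaddress.ip_network(cidrs[0]).hosts()))
            matrix[src][dst] = next_hop(tables, associations, src, probe) == dst
    return matrix

def spoke_isolation_ok(tables, associations, spokes):
    """True when no spoke can reach any other spoke in either direction."""
    m = reachability(tables, associations)
    return not any(m[a][b] for a in spokes for b in spokes if a != b)

if __name__ == "__main__":
    spokes = ["tgw-attach-vpc-a", "tgw-attach-vpc-b"]
    for name, layout in (("flat", flat_layout()), ("hub-and-spoke", hub_and_spoke_layout())):
        print(f"{name}: spokes isolated = {spoke_isolation_ok(*layout, spokes)}")
```

The point of the two layouts is that isolation is a property of which table each attachment is associated with, not of which routes exist somewhere on the TGW: the hub table can know every spoke while the spokes still cannot see each other.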
94.3 Direct Connect Configuration
Direct Connect Setup
AWS Direct Connect workflow:

Step 1: Request Connection
- Choose an AWS Direct Connect location
- Select port speed (1G, 10G, 100G for dedicated connections)
- Choose a dedicated connection or a hosted connection through a partner

Step 2: Create Virtual Interface
- Private VIF: connect to a VPC (through a virtual private gateway or a Direct Connect gateway)
- Public VIF: reach AWS public service endpoints (S3, etc.) over the circuit
- Transit VIF: connect to a Transit Gateway through a Direct Connect gateway

Step 3: Configure Router
- BGP peering (ASN, peer IP addresses, 802.1Q VLAN tag)
- BGP authentication (MD5 key; AWS generates one if you do not supply it)
- Advertise prefixes (only the on-premises prefixes you own; AWS accepts at most 100 prefixes on a private VIF)

Step 4: Verify Connection
- AWS console shows "Available"
- Confirm BGP is up
- Test connectivity

# ============================================================
# DIRECT CONNECT CONFIGURATION
# ============================================================

# Create Private VIF. create-private-virtual-interface takes no --owner-account or
# --bgp-peers option; the peering fields are part of the VIF structure, and the VIF
# must name the virtual private gateway (or Direct Connect gateway) it terminates on.
# <bgp-md5-key> is a placeholder for the BGP MD5 password you share with your router.
aws directconnect create-private-virtual-interface \
  --connection-id dxcon-fh1xoj2p \
  --new-private-virtual-interface \
  "virtualInterfaceName=Private,vlan=100,asn=65001,amazonAddress=169.254.0.1/30,customerAddress=169.254.0.2/30,virtualGatewayId=vgw-12345678,authKey=<bgp-md5-key>"

# Create Public VIF. Public VIFs need publicly routable peer addresses that you own
# (or that AWS allocates for you) plus the public prefixes you will advertise;
# the 203.0.113.x / 198.51.100.0/24 values below are documentation placeholders.
aws directconnect create-public-virtual-interface \
  --connection-id dxcon-fh1xoj2p \
  --new-public-virtual-interface \
  "virtualInterfaceName=Public,vlan=200,asn=65001,amazonAddress=203.0.113.1/30,customerAddress=203.0.113.2/30,authKey=<bgp-md5-key>,routeFilterPrefixes=[{cidr=198.51.100.0/24}]"

# Router Configuration (Cisco IOS). Direct Connect requires 802.1Q tagging, so the
# peering lives on a VLAN subinterface; the BGP password must match authKey above.
# Advertise only on-premises prefixes you own (192.168.0.0/16 is a placeholder range).
interface TenGigabitEthernet0/0
 description AWS Direct Connect
 no shutdown
!
interface TenGigabitEthernet0/0.100
 description AWS Direct Connect - Private VIF (VLAN 100)
 encapsulation dot1Q 100
 ip address 169.254.0.2 255.255.255.252
!
router bgp 65001
 neighbor 169.254.0.1 remote-as 7224
 neighbor 169.254.0.1 description AWS Direct Connect
 neighbor 169.254.0.1 password <bgp-md5-key>
 address-family ipv4
  network 192.168.0.0 mask 255.255.0.0
  neighbor 169.254.0.1 activate
 exit-address-family

94.4 Hybrid DNS Architecture
DNS Resolution Patterns
# ============================================================
# HYBRID DNS CONFIGURATION
# ============================================================

# Route 53 Resolver endpoints
# - Inbound endpoint: on-premises resolvers forward queries for cloud-hosted zones
#   (private hosted zones, VPC hostnames) to these VPC IP addresses
# - Outbound endpoint: Route 53 Resolver forwards queries for on-premises zones
#   through these VPC IP addresses to your on-premises DNS servers
# The CLI service name is route53resolver, not route53, and both create commands
# require a --creator-request-id (any unique string) to make them idempotent.

# 1. Create Inbound Endpoint (at least two IP addresses, in different AZs). The security
#    group must allow TCP and UDP 53 only from the on-premises resolver addresses,
#    never from 0.0.0.0/0.
aws route53resolver create-resolver-endpoint \
  --name "Hybrid-Inbound" \
  --creator-request-id hybrid-inbound-1 \
  --direction INBOUND \
  --security-group-ids sg-12345678 \
  --ip-addresses SubnetId=subnet-12345678,Ip=10.0.1.10 \
                 SubnetId=subnet-23456789,Ip=10.0.2.10

# 2. Create Outbound Endpoint (security group egress to the on-premises DNS servers on 53)
aws route53resolver create-resolver-endpoint \
  --name "Hybrid-Outbound" \
  --creator-request-id hybrid-outbound-1 \
  --direction OUTBOUND \
  --security-group-ids sg-12345678 \
  --ip-addresses SubnetId=subnet-12345678,Ip=10.0.1.20 \
                 SubnetId=subnet-23456789,Ip=10.0.2.20

# 3. Create Forwarding Rule. A FORWARD rule must reference the OUTBOUND endpoint, and its
#    target must be the on-premises DNS server (192.168.10.53 is a placeholder), never the
#    VPC's own Amazon-provided resolver at VPC-CIDR+2 (10.0.0.2 in a 10.0.0.0/16 VPC),
#    which would forward the query back to itself.
aws route53resolver create-resolver-rule \
  --name "OnPrem-Forward" \
  --creator-request-id onprem-forward-1 \
  --rule-type FORWARD \
  --domain-name "internal.company.com" \
  --target-ips "Ip=192.168.10.53,Port=53" \
  --resolver-endpoint-id rslvr-out-12345678

# 4. Associate the rule with the VPC; a rule does nothing until it is associated
#    (rslvr-rr-12345678 is a placeholder rule ID)
aws route53resolver associate-resolver-rule \
  --resolver-rule-id rslvr-rr-12345678 \
  --vpc-id vpc-12345678

# VPC DNS Settings
# Both attributes must be enabled: DNS support for the Resolver to answer at all,
# DNS hostnames for private hosted zone names to resolve
aws ec2 modify-vpc-attribute \
  --vpc-id vpc-12345678 \
  --enable-dns-hostnames "{\"Value\":true}"
aws ec2 modify-vpc-attribute \
  --vpc-id vpc-12345678 \
  --enable-dns-support "{\"Value\":true}"
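A pre-flight check for this configuration, added here as an example (not AWS tooling, and not from the original chapter). It catches the four mistakes that most often leave hybrid resolution broken or exposed: a FORWARD rule bound to the inbound endpoint, a rule whose target is the VPC's own Amazon-provided resolver at VPC-CIDR+2 (a forwarding loop), an inbound endpoint security group that accepts port 53 from outside the on-premises range, and VPC DNS attributes left disabled. The records are constructed in the shape of the describe-resolver-endpoints, list-resolver-rules, describe-security-groups and describe-vpc-attribute responses; 192.168.0.0/16 is an assumed on-premises range and 192.168.10.53 an assumed on-premises DNS server, and the first rule and the UDP security group entry are deliberately wrong.

```python
"""Pre-flight checks for a hybrid Route 53 Resolver setup. Added example
for this chapter, not AWS tooling. All records below are constructed;
192.168.0.0/16 is an assumed on-premises range and 192.168.10.53 an
assumed on-premises DNS server."""
import ipaddress

ONPREM_CIDR = ipaddress.ip_network("192.168.0.0/16")   # assumption

VPC = {"VpcId": "vpc-12345678", "CidrBlock": "10.0.0.0/16",
       "EnableDnsSupport": True, "EnableDnsHostnames": False}   # hostnames left off

ENDPOINTS = {
    "rslvr-in-12345678": {"Direction": "INBOUND", "SecurityGroupIds": ["sg-12345678"]},
    "rslvr-out-12345678": {"Direction": "OUTBOUND", "SecurityGroupIds": ["sg-12345678"]},
}

SECURITY_GROUPS = {   # ingress rules, as in describe-security-groups IpPermissions
    "sg-12345678": {"IpPermissions": [
        {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 53, "ToPort": 53, "IpRanges": [{"CidrIp": "192.168.0.0/16"}]},
    ]},
}

RULES = [
    {   # wrong on both counts: inbound endpoint, and the target is the VPC's own resolver
        "Id": "rslvr-rr-bad", "DomainName": "internal.company.com.", "RuleType": "FORWARD",
        "TargetIps": [{"Ip": "10.0.0.2", "Port": 53}], "ResolverEndpointId": "rslvr-in-12345678"},
    {   # correct: outbound endpoint, on-premises target
        "Id": "rslvr-rr-good", "DomainName": "internal.company.com.", "RuleType": "FORWARD",
        "TargetIps": [{"Ip": "192.168.10.53", "Port": 53}], "ResolverEndpointId": "rslvr-out-12345678"},
]

def amazon_resolver_ip(vpc_cidr):
    """The Amazon-provided DNS server sits at the VPC network address plus 2."""
    return ipaddress.ip_network(vpc_cidr)[2]

def check_rule(rule, vpc, endpoints):
    """Findings for one resolver rule: endpoint direction and target sanity."""
    findings = []
    if rule["RuleType"] != "FORWARD":
        return findings
    ep = endpoints.get(rule.get("ResolverEndpointId"))
    if ep is None or ep["Direction"] != "OUTBOUND":
        findings.append(f"{rule['Id']}: FORWARD rule must reference an OUTBOUND endpoint")
    for target in rule["TargetIps"]:
        ip = ipaddress.ip_address(target["Ip"])
        if ip == amazon_resolver_ip(vpc["CidrBlock"]):
            findings.append(f"{rule['Id']}: target {ip} is the VPC's Amazon-provided resolver (loop)")
        elif ip not in ONPREM_CIDR:
            findings.append(f"{rule['Id']}: target {ip} is outside the on-premises range {ONPREM_CIDR}")
    return findings

def check_inbound_sg(endpoints, groups):
    """Inbound endpoints should accept DNS only from on-premises resolvers."""
    findings = []
    for ep_id, ep in endpoints.items():
        if ep["Direction"] != "INBOUND":
            continue
        for sg_id in ep["SecurityGroupIds"]:
            for perm in groups[sg_id]["IpPermissions"]:
                if not (perm.get("FromPort", 0) <= 53 <= perm.get("ToPort", 65535)):
                    continue
                for rng in perm.get("IpRanges", []):
                    src = ipaddress.ip_network(rng["CidrIp"])
                    if not src.subnet_of(ONPREM_CIDR):
                        findings.append(f"{ep_id}/{sg_id}: {perm['IpProtocol']}/53 open to {src}")
    return findings

def check_vpc(vpc):
    """Both DNS attributes must be on for hybrid resolution to work."""
    return [f"{vpc['VpcId']}: {attr} must be enabled"
            for attr in ("EnableDnsSupport", "EnableDnsHostnames") if not vpc.get(attr)]

def run_checks(vpc=VPC, endpoints=ENDPOINTS, groups=SECURITY_GROUPS, rules=RULES):
    """All findings for one VPC's hybrid DNS setup."""
    findings = []
    for rule in rules:
        findings += check_rule(rule, vpc, endpoints)
    findings += check_inbound_sg(endpoints, groups)
    findings += check_vpc(vpc)
    return findings

if __name__ == "__main__":
    for f in run_checks():
        print("-", f)
```

The loop check matters because the Amazon-provided resolver address looks like any other host in the VPC; forwarding to it from a rule is syntactically valid and fails only at query time, with timeouts rather than an error. Feeding the functions the real describe and list outputs turns this into a check you can run in CI for every VPC that has Resolver rules associated.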
94.5 Interview Questions

Q1: What are the benefits of hybrid cloud?
A1:
- Leverage existing on-premises investments
- Scalability for burst workloads
- Data sovereignty (keep sensitive data on-prem)
- Regulatory compliance
- Disaster recovery capabilities
- Gradual migration to cloud

Q2: Compare VPN vs Direct Connect.
A2:
VPN: quick setup, lower cost, internet-dependent, lower bandwidth, encrypted with IPsec.
Direct Connect: dedicated, higher bandwidth, consistent latency, higher cost, requires a physical connection, and is not encrypted unless MACsec or a VPN over the circuit is used.

Q3: How do you connect on-premises DNS to cloud?
A3:
- Route 53 Resolver endpoints
- Conditional forwarders on the on-premises DNS servers for cloud-hosted domains
- Inbound endpoint: on-prem queries resolve cloud domains
- Outbound endpoint plus forwarding rules: cloud queries forward to on-prem DNS
- VPC DNS settings (DNS support and DNS hostnames) must be enabled

Q4: What is Transit Gateway and when would you use it?
A4:
- Central hub for connecting VPCs, VPN connections and Direct Connect gateways
- Simplifies network architecture
- Scalable: supports thousands of attachments
- Use for: multiple VPCs, hub-and-spoke topology, connecting to on-premises

Q5: How do you secure hybrid cloud connectivity?
A5:
- Use IPsec VPN with strong settings (IKEv2, AES-256, SHA-2 integrity, DH group 14 or higher), enforced through the VPN tunnel options rather than left to whatever the customer gateway proposes
- Encrypt Direct Connect traffic where required (MACsec or IPsec over the circuit); the circuit itself is not encrypted
- Implement network ACLs and security groups; limit Resolver endpoint and VPN traffic to the on-premises CIDRs
- Enable VPC Flow Logs
- Use private subnets for sensitive workloads
- Implement proper IAM roles and policies; treat the downloaded VPN configuration as a secret, since it contains the pre-shared keys
- Enable CloudTrail for audit logging

Q6: What are the challenges of hybrid cloud?
A6:
- Network latency between cloud and on-prem
- Data transfer costs
- Complex networking configuration
- Security and compliance management
- Data synchronization challenges
- Skill requirements for both environments

Q7: How does BGP work with Direct Connect?
A7:
- BGP (Border Gateway Protocol) establishes a peering session between your router and AWS over the virtual interface
- The AWS side uses ASN 7224 by default; when the VIF terminates on a Direct Connect gateway you can choose a private ASN (64512-65534) for the Amazon side
- Customer advertises on-premises prefixes
- AWS advertises VPC prefixes (private VIF) or AWS public prefixes (public VIF)
- Provides dynamic routing with automatic failover

Q8: What is a Virtual Interface in Direct Connect?
A8:
- Private VIF: connects to a VPC, for private IP communication
- Public VIF: connects to AWS public services (S3, DynamoDB, etc.)
- Transit VIF: connects to a Transit Gateway through a Direct Connect gateway

Q9: How do you troubleshoot hybrid connectivity issues?
A9:
- Check VPN status: AWS console, customer gateway
- Verify BGP status and prefixes advertised
- Check routing tables and security groups
- Test DNS resolution in both directions
- Verify IPsec tunnel status
- Check network ACLs and firewall rules

Q10: When would you use AWS Outposts?
A10:
- Run AWS services on-premises
- Low-latency requirements
- Data residency needs
- Same API/management as AWS cloud
- Ideal for edge locations, factories, remote sites

Quick Reference
# VPN
aws ec2 create-vpn-connection --customer-gateway-id X --vpn-gateway-id Y --type ipsec.1

# Direct Connect
aws directconnect create-private-virtual-interface

# Transit Gateway
aws ec2 create-transit-gateway

# DNS
aws route53resolver create-resolver-endpoint --direction INBOUND

Summary
- VPN: Quick setup, lower bandwidth, over the internet
- Direct Connect: Dedicated, high bandwidth, consistent latency
- Transit Gateway: Central hub for multiple VPCs/VPNs
- DNS: Route 53 Resolver for hybrid resolution
Last Updated: February 2026