# Increasing Fault Tolerance for AWS Direct Connect in SecureCart’s Multi-VPC Network

🔹 **Company Setup:**\
SecureCart operates **two VPCs** connected via **VPC Peering**:\
✔ **VPC-1 (Private Subnets)** – Contains databases and internal services.\
✔ **VPC-2 (Public Subnets)** – Hosts internet-facing applications.

🔹 **Current AWS Networking Setup:**\
✔ SecureCart has a **Direct Connect (DX) connection** with a **private virtual interface** linking the on-premises data center to **VPC-1**.\
✔ All **on-premises traffic routes through Direct Connect** to reach AWS resources.

🔹 **Business Requirement:**\
SecureCart wants to **increase the fault tolerance** of its **Direct Connect link to AWS**.

***

### **📌 Recommended Fault Tolerance Solutions**

To ensure **high availability and redundancy**, SecureCart should implement **two strategies**:

#### ✅ **Solution 1: Add Another Direct Connect Connection (Option A)**

✔ **Why?**\
✔ **Multiple DX connections in the same AWS region provide redundancy** in case the primary connection fails.\
✔ AWS **Direct Connect Resiliency Recommendations** suggest **at least two connections** for fault tolerance.

✔ **Implementation Steps:**\
1️⃣ **Order a second Direct Connect connection** in the **same region as VPC-1**.\
2️⃣ **Create a new private virtual interface** linked to SecureCart’s AWS account.\
3️⃣ **Configure BGP routing with Active/Passive or Active/Active failover.**

***

#### ✅ **Solution 2: Establish a Backup VPN (Option B)**

✔ **Why?**\
✔ A **site-to-site VPN** over the internet acts as a **backup path** if Direct Connect **fails**.\
✔ AWS **recommends using VPN tunnels as backup links** for Direct Connect failures.

✔ **Implementation Steps:**\
1️⃣ **Create a VPN connection** between SecureCart’s **on-premises network** and **VPC-1**.\
2️⃣ **Attach the VPN to the Virtual Private Gateway (VGW)** in VPC-1.\
3️⃣ **Update routing tables** to prefer **Direct Connect but fail over to VPN** in case of failure.
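
The route preference in step 3 can be checked with a small model of how the virtual private gateway chooses between Direct Connect and VPN routes. This is an added example, not code from this guide or from AWS; the link names and the `10.50.0.0/16` on-premises prefix are constructed, and the ordering follows AWS's documented VGW route priority (longest prefix first, then Direct Connect BGP over VPN static over VPN BGP).

```python
import ipaddress

# AWS-documented VGW preference among routes to the same prefix (lower wins):
# Direct Connect BGP, then VPN static, then VPN BGP.
SOURCE_RANK = {"dx-bgp": 0, "vpn-static": 1, "vpn-bgp": 2}

def select_path(dest_ip, routes):
    """Return the name of the route used for dest_ip, or None if none is up."""
    ip = ipaddress.ip_address(dest_ip)
    live = [r for r in routes
            if r["up"] and ip in ipaddress.ip_network(r["prefix"])]
    if not live:
        return None
    # Longest prefix match is decided first; source preference only breaks ties.
    # Ties between equal DX routes are left to BGP attributes (not modelled);
    # min() simply returns the first one listed.
    best = min(live, key=lambda r: (-ipaddress.ip_network(r["prefix"]).prefixlen,
                                    SOURCE_RANK[r["source"]]))
    return best["name"]

def with_down(routes, *names):
    """Copy of routes with the named links marked down (simulated outage)."""
    return [dict(r, up=r["up"] and r["name"] not in names) for r in routes]

# Constructed sample: on-premises prefix 10.50.0.0/16 learned over three links.
DX = [
    {"name": "dx-1", "prefix": "10.50.0.0/16", "source": "dx-bgp", "up": True},
    {"name": "dx-2", "prefix": "10.50.0.0/16", "source": "dx-bgp", "up": True},
]
GOOD = DX + [{"name": "vpn-backup", "prefix": "10.50.0.0/16",
              "source": "vpn-bgp", "up": True}]
# Pitfall: the VPN advertises a more specific prefix than Direct Connect.
BAD = DX + [{"name": "vpn-backup", "prefix": "10.50.10.0/24",
             "source": "vpn-bgp", "up": True}]

if __name__ == "__main__":
    print("all links up:      ", select_path("10.50.10.5", GOOD))
    print("dx-1 down:         ", select_path("10.50.10.5", with_down(GOOD, "dx-1")))
    print("both DX down:      ", select_path("10.50.10.5", with_down(GOOD, "dx-1", "dx-2")))
    print("VPN /24 vs DX /16: ", select_path("10.50.10.5", BAD))
```

In the last case the VPN carries traffic for `10.50.10.0/24` even though both Direct Connect links are healthy, so the backup VPN should advertise the same prefixes as Direct Connect rather than more specific ones.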

***

### **📌 Why Are Other Options Incorrect?**

| **Option**                    | **Explanation**                                                                                                                 |
| ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------- |
| ❌ **Option C** (DX to VPC-2)  | Direct Connect should be connected to **VPC-1** where private workloads exist, not to VPC-2, which only has **public subnets**. |
| ❌ **Option D** (VPN to VPC-2) | **VPN traffic would need to traverse VPC Peering** to reach VPC-1, introducing latency and **potential routing issues**.        |
| ❌ **Option E** (VPN CloudHub) | AWS VPN CloudHub is for **multiple remote sites** connecting to AWS, **not a backup strategy for a single VPC**.                |

***

### **📌 Updated SecureCart Architecture for Fault Tolerance**

✅ **Primary Path**: **Direct Connect (DX) - Primary private interface to VPC-1**\
✅ **Secondary Path**: **Backup Site-to-Site VPN over the Internet to VPC-1**

***

### **📌 Best Practices for SecureCart’s Network Resiliency**

✔ Deploy **multiple Direct Connect connections** in different AWS Direct Connect locations.\
✔ Configure **Active/Passive failover** using BGP between DX and VPN.\
✔ Enable **CloudWatch monitoring** for Direct Connect link failures.\
✔ Use **AWS Transit Gateway** for scalable connectivity between VPCs and on-prem.

***

### **📌 Summary**

**🚀 SecureCart’s improved fault-tolerant network includes:**\
✔ **Two Direct Connect links** for redundancy.\
✔ **A site-to-site VPN backup** for automatic failover.\
✔ **Optimized BGP routing for automatic failover between DX & VPN.**

