This chapter covers hybrid cloud architectures with AWS, a key concept in Domain 1: Cloud Concepts (Objective 1.3, which accounts for approximately 8-10% of the CLF-C02 exam). Hybrid cloud combines on-premises infrastructure with public cloud services, enabling workloads to run in the most appropriate location based on latency, compliance, and cost. For the CLF-C02, you must understand the core AWS services that enable hybrid connectivity, storage, and management, and recognize scenarios where hybrid cloud is preferred over all-cloud or all-on-premises solutions.
Imagine a commuter who lives in a suburban house (on-premises data center) but also has a compact city apartment (AWS cloud). The suburban house has plenty of space for bulky furniture and long-term storage, but getting downtown every day is slow and costly. The city apartment is fast to access, scalable (you can rent the apartment next door for extra space), and you only pay for the days you use it. However, you cannot move all your heirloom furniture there because of size limits and security concerns. The hybrid commuter builds a dedicated two-lane bridge (AWS Direct Connect) between the house and the apartment, so they can quickly move documents, tools, and even furniture back and forth without traffic jams (internet latency). They also install a secure tunnel (VPN) as a backup route. When the commuter needs to run a large workshop (compute-intensive job), they use the apartment's extra rooms (EC2 instances) and keep the results in the apartment's closet (S3) until needed at home (on-premises storage). The bridge ensures consistent, low-latency connectivity, while the tunnel provides encrypted failover. The commuter manages both locations from a single app (AWS Management Console) and uses a unified inventory system (AWS Systems Manager) to track assets across both sites. This hybrid setup gives the commuter the best of both worlds: the security and control of home (on-premises) with the elasticity and innovation of the city (cloud).
What is Hybrid Cloud and Why Does It Matter?
Hybrid cloud is a computing environment that connects an organization's on-premises data center or private cloud with public cloud infrastructure (like AWS), allowing data and applications to be shared between them. The goal is to create a unified, flexible IT estate. On the CLF-C02, you are expected to know that hybrid cloud is not just a single service but a collection of AWS services working together to bridge environments. The problem it solves is the 'all-or-nothing' dilemma: many organizations cannot migrate everything to the cloud due to data residency laws, latency-sensitive applications, or legacy system dependencies. Hybrid cloud offers a gradual, secure path.
How Hybrid Cloud Works – The Mechanism
At its core, hybrid cloud requires three things: connectivity, identity federation, and consistent management. AWS provides these through:
- AWS Direct Connect: A dedicated private network connection from your on-premises data center to AWS. It bypasses the public internet, providing lower latency and higher bandwidth. Speeds range from 50 Mbps to 100 Gbps. You order a cross-connect at a Direct Connect location.
- AWS Site-to-Site VPN: Encrypted tunnels over the internet. It uses IPsec to secure traffic. It's slower and less reliable than Direct Connect but quick to set up.
- AWS Transit Gateway: A hub that connects VPCs and on-premises networks through a single gateway. It simplifies network architecture.
- AWS Storage Gateway: A hybrid storage service that gives you on-premises access to virtually unlimited cloud storage. It offers three types: File Gateway (NFS/SMB), Volume Gateway (iSCSI), and Tape Gateway (VTL).
- AWS Outposts: Fully managed AWS infrastructure and services delivered to your on-premises facility. It's essentially a mini AWS region in your data center.
- AWS Identity and Access Management (IAM): For federated access, you can integrate with your existing Active Directory using IAM Identity Center (formerly AWS SSO) or AD Connector.
Key Configurations and Pricing Models
Direct Connect pricing: You pay per port hour (for the dedicated port) and for data transfer out. There are no data transfer charges for data transferred into AWS. For example, a 1 Gbps port costs around $0.30/hour plus egress charges.
Site-to-Site VPN: No per-connection fee, only standard data transfer charges and hourly VPN connection charges (~$0.05/hour).
Storage Gateway: You pay for the gateway itself (hourly) and the storage used in AWS (S3, EBS snapshots).
Outposts: You pay a monthly service fee for the hardware and software, plus usage of EC2, EBS, etc., on the Outpost.
Comparison to On-Premises or All-Cloud Approaches
All on-premises: Full control but high capital expenditure, limited scalability, and slow innovation.
All cloud (AWS): Elastic, pay-as-you-go, but may face latency or compliance issues for some workloads.
Hybrid: Best of both worlds – you keep sensitive data on-premises while leveraging cloud for burst capacity, disaster recovery, or dev/test. However, it adds complexity in networking, security, and management.
When to Use Hybrid Cloud vs Alternatives
Use hybrid cloud when:
You have latency-sensitive applications that need to be close to on-premises users.
Data residency regulations require certain data to stay within a geographic boundary.
You have legacy applications that cannot be refactored for the cloud.
You need burst capacity for seasonal peaks (e.g., retail during holidays).
You want disaster recovery in the cloud without a full migration.
Avoid hybrid if:
You can fully migrate to the cloud (simpler and often cheaper).
Your on-premises infrastructure is outdated and costly.
You lack the skilled staff to manage hybrid networking.
Establish Private Network Connectivity
First, you decide on the connectivity method. For a dedicated connection, you request an AWS Direct Connect connection via the AWS Management Console. You specify the location (e.g., Equinix NY5) and bandwidth (e.g., 1 Gbps). AWS provides a Letter of Authorization (LOA) which you give to your network provider to complete the cross-connect. Once the physical link is established, you create a Virtual Interface (VLAN) to connect to your VPC. For a VPN, you create a Customer Gateway (representing your on-premises router) and a Virtual Private Gateway (attached to your VPC), then configure the IPsec tunnel. Behind the scenes, AWS uses BGP for routing over Direct Connect. The default route propagation is automatic.
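A check a practitioner would run once the steps above are in place, written here as an added example (not code from the chapter or from AWS): it walks constructed samples shaped like the Direct Connect and VPN API responses and flags a virtual interface whose BGP session is down, whose port has no MACsec enabled, or whose virtual private gateway has no working Site-to-Site VPN as a backup path. Field names follow the AWS API; the sample IDs are made up.

```python
# Added example (not the chapter's or AWS's code): flag Direct Connect virtual
# interfaces with BGP down, an unencrypted port, or no working VPN backup.
# Sample lists are constructed in the shape of the DescribeConnections,
# DescribeVirtualInterfaces and DescribeVpnConnections API responses.
CONNECTIONS = [
    {"connectionId": "dxcon-aaa1", "macSecCapable": True,
     "encryptionMode": "must_encrypt", "portEncryptionStatus": "Encryption Up"},
    {"connectionId": "dxcon-bbb2", "macSecCapable": False,
     "encryptionMode": "no_encrypt"},
]
VIRTUAL_INTERFACES = [
    {"virtualInterfaceId": "dxvif-aaa1", "connectionId": "dxcon-aaa1",
     "virtualInterfaceState": "available", "virtualGatewayId": "vgw-aaa1",
     "bgpPeers": [{"bgpStatus": "up"}]},
    {"virtualInterfaceId": "dxvif-bbb2", "connectionId": "dxcon-bbb2",
     "virtualInterfaceState": "available", "virtualGatewayId": "vgw-bbb2",
     "bgpPeers": [{"bgpStatus": "down"}]},
]
VPN_CONNECTIONS = [
    {"VpnConnectionId": "vpn-aaa1", "State": "available",
     "VpnGatewayId": "vgw-aaa1", "CustomerGatewayId": "cgw-aaa1",
     "VgwTelemetry": [{"Status": "UP"}, {"Status": "DOWN"}]},
]


def vpn_backup_ok(gateway_id, vpns):
    """True if an available VPN on this gateway has at least one tunnel UP."""
    for vpn in vpns:
        if vpn.get("VpnGatewayId") != gateway_id or vpn["State"] != "available":
            continue
        if any(t["Status"] == "UP" for t in vpn["VgwTelemetry"]):
            return True
    return False


def assess(vifs, conns, vpns):
    """Map each VIF id to its list of findings (an empty list means healthy)."""
    by_conn = {c["connectionId"]: c for c in conns}
    findings = {}
    for vif in vifs:
        issues = []
        if vif["virtualInterfaceState"] != "available":
            issues.append("vif-not-available")
        if any(p["bgpStatus"] != "up" for p in vif["bgpPeers"]):
            issues.append("bgp-down")
        # Direct Connect is private but not encrypted unless MACsec is enabled
        # on the port (IPsec over the VIF is the alternative, not checked here).
        conn = by_conn.get(vif["connectionId"], {})
        if conn.get("portEncryptionStatus") != "Encryption Up":
            issues.append("port-not-encrypted")
        # Without a VPN over the internet the DX link is a single point of failure.
        if not vpn_backup_ok(vif.get("virtualGatewayId"), vpns):
            issues.append("no-vpn-backup")
        findings[vif["virtualInterfaceId"]] = issues
    return findings
```

In a real account the three lists would come from boto3's directconnect and ec2 clients; the logic stays the same.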
Integrate Identity and Access Management
To allow on-premises users to access AWS resources, you set up identity federation. You configure IAM Identity Center to connect to your existing Microsoft Active Directory. You create a trust relationship between your corporate IdP (e.g., ADFS) and AWS. Users log in with their corporate credentials, and IAM roles grant them permissions. Alternatively, you can use AD Connector, a directory proxy that forwards authentication requests to your on-premises AD without caching credentials. The exam tests that you understand federation does not create a separate IAM user; it maps existing identities to IAM roles.
Deploy Hybrid Storage with Storage Gateway
You launch a Storage Gateway appliance as a virtual machine in your on-premises hypervisor (VMware, Hyper-V). You activate it in the AWS console. For File Gateway, you configure NFS or SMB shares that sync with S3 buckets. Data is cached locally for low-latency access, while the full dataset resides in S3. Volume Gateway stores data in EBS snapshots. Tape Gateway replaces physical tape libraries with virtual tapes stored in S3 Glacier. Behind the scenes, the gateway uses a cache to store recently accessed data and uploads data asynchronously. The default cache size is 150 GB but can be increased. You are billed for the gateway hours and the S3 storage used.
Use AWS Outposts for Local Compute
You order an Outposts rack (1U or 42U) from AWS. AWS installs the hardware in your data center and connects it to the nearest AWS Region via Direct Connect. You then provision EC2 instances, EBS volumes, and other supported services on the Outpost using the same AWS APIs. The Outpost runs the same AWS software, so you can use CloudFormation, CloudWatch, etc. Behind the scenes, AWS manages the hardware and software updates. You pay a monthly fee for the Outpost plus usage of services. The exam emphasizes that Outposts are ideal for low-latency workloads that must remain on-premises.
Manage Hybrid Environment with AWS Systems Manager
You install the SSM Agent on your on-premises servers (Windows or Linux). You register them as managed instances in AWS Systems Manager. You can then run commands, apply patches, and inventory software across both on-premises and EC2 instances from a single console. Systems Manager uses a service role with permissions to communicate with the instances. It supports Run Command, Patch Manager, and State Manager. The agent communicates over HTTPS to the Systems Manager endpoint. This simplifies hybrid management and is a common exam scenario for 'unified operations'.
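The unified-operations view this step describes, as an added example that is not the chapter's or Systems Manager's own code: it classifies constructed sample nodes shaped like the DescribeInstanceInformation response into EC2 and hybrid-activated (mi-) nodes, flags agents that are offline, stale or outdated, and builds the InstanceIds target list that Run Command accepts. The node ids, names and the fixed clock are made up.

```python
# Added example (not the chapter's or Systems Manager's own code): summarise a
# mixed fleet of EC2 and hybrid-activated nodes and build Run Command targets.
# NODES is a constructed sample shaped like the InstanceInformationList that
# DescribeInstanceInformation returns; NOW is a fixed clock for the sample.
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
NODES = [
    {"InstanceId": "i-0aaa", "ResourceType": "EC2Instance", "PingStatus": "Online",
     "PlatformType": "Linux", "AgentVersion": "3.2.0.0", "IsLatestVersion": True,
     "LastPingDateTime": NOW - timedelta(minutes=2)},
    {"InstanceId": "mi-0bbb", "ResourceType": "ManagedInstance", "PingStatus": "Online",
     "PlatformType": "Windows", "ComputerName": "onprem-db01",
     "AgentVersion": "3.1.0.0", "IsLatestVersion": False,
     "LastPingDateTime": NOW - timedelta(minutes=5)},
    {"InstanceId": "mi-0ccc", "ResourceType": "ManagedInstance",
     "PingStatus": "ConnectionLost", "PlatformType": "Linux",
     "ComputerName": "onprem-web02", "AgentVersion": "3.2.0.0",
     "IsLatestVersion": True, "LastPingDateTime": NOW - timedelta(hours=3)},
]


def is_hybrid(node):
    """Hybrid activations register on-premises servers with mi- instance ids."""
    return node["ResourceType"] == "ManagedInstance" and node["InstanceId"].startswith("mi-")


def summarize(nodes, now=NOW, stale_after=timedelta(hours=1)):
    """Count nodes by origin and list the ones that need attention."""
    s = {"ec2": 0, "hybrid": 0, "offline": [], "stale": [], "outdated_agent": []}
    for n in nodes:
        s["hybrid" if is_hybrid(n) else "ec2"] += 1
        if n["PingStatus"] != "Online":          # agent not reaching the SSM endpoint
            s["offline"].append(n["InstanceId"])
        if now - n["LastPingDateTime"] > stale_after:
            s["stale"].append(n["InstanceId"])
        if not n.get("IsLatestVersion", True):   # old agent: update it before patching
            s["outdated_agent"].append(n["InstanceId"])
    return s


def run_command_targets(nodes, platform=None):
    """Targets parameter for SendCommand, limited to online nodes (optionally one OS)."""
    ids = [n["InstanceId"] for n in nodes
           if n["PingStatus"] == "Online" and (platform is None or n["PlatformType"] == platform)]
    return [{"Key": "InstanceIds", "Values": ids}]
```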
Scenario 1: Healthcare Data Residency
A hospital network must keep patient records on-premises due to HIPAA regulations, but wants to use AWS for analytics. They set up Direct Connect to securely transfer de-identified data to S3 for analysis with Amazon Athena. The on-premises storage uses Storage Gateway File Gateway to cache frequently accessed records locally, while the full archive sits in S3 Glacier. Misconfiguration: If they use VPN instead of Direct Connect, latency spikes during peak hours cause timeouts. Cost: Direct Connect port fees ($300/month for 1 Gbps) plus S3 storage. They save on not having to build a second data center.
Scenario 2: Retail Burst Capacity
A retailer runs its e-commerce platform on-premises but needs extra capacity during Black Friday. They use AWS Outposts for consistent low latency, but also provision EC2 instances in the cloud for burst traffic. They use Application Load Balancer to distribute traffic between on-premises and cloud. Problem: If the hybrid network fails, the cloud instances can't reach the on-premises database. Solution: They cache session data in ElastiCache and use read replicas of the on-premises database in RDS. Misconfiguration: Not setting up a VPN backup for Direct Connect leads to a single point of failure.
Scenario 3: Disaster Recovery
A financial services firm replicates its on-premises VMware environment to AWS using AWS Elastic Disaster Recovery (DRS). They continuously replicate data to staging instances in a different region. During a disaster, they launch full production instances in AWS. They use Storage Gateway Volume Gateway to take EBS snapshots of on-premises volumes. Cost: They pay for the replication infrastructure (staging instances) and storage. Misconfiguration: Not testing failover regularly leads to surprises. The exam tests that DRS supports hybrid DR and that you can fail back to on-premises.
The CLF-C02 exam tests hybrid cloud under Domain 1: Cloud Concepts (Objective 1.3). You will see questions asking you to identify the correct AWS service for a given hybrid scenario. The most common wrong answers are:
1. Choosing AWS VPN over Direct Connect when latency and bandwidth are critical – Candidates often pick VPN because it's cheaper and faster to set up, but the question will specify 'consistent low latency' or 'dedicated connection'. Direct Connect is the answer.
2. Confusing Storage Gateway types – File Gateway (files), Volume Gateway (block/iSCSI), Tape Gateway (backup). A question about 'replacing tape backups' should lead to Tape Gateway, not File Gateway.
3. Selecting AWS Snowball for hybrid connectivity – Snowball is for offline data transfer, not ongoing hybrid connectivity. Candidates may think it's a hybrid service because it moves data between on-premises and cloud, but it's a one-time migration tool.
4. Mixing up Outposts and Local Zones – Outposts bring AWS infrastructure to your data center; Local Zones are extensions of AWS regions closer to users but still in AWS facilities. A question about 'running EC2 in your own data center' points to Outposts.
Key terms that appear verbatim: Direct Connect, Site-to-Site VPN, Transit Gateway, Storage Gateway (File, Volume, Tape), Outposts, Systems Manager, IAM Identity Center, AD Connector, Elastic Disaster Recovery. The exam also tests that hybrid cloud is not a service but an architecture.
Decision rule: If the scenario mentions 'dedicated private connection' → Direct Connect. If 'encrypted over internet' → VPN. If 'low latency on-premises compute' → Outposts. If 'hybrid storage with cache' → Storage Gateway. Eliminate answers that are all-cloud or all-on-premises when the question explicitly says 'hybrid'.
Hybrid cloud combines on-premises infrastructure with AWS using services like Direct Connect, VPN, Storage Gateway, and Outposts.
AWS Direct Connect provides a dedicated private network connection with consistent latency, ideal for large data transfers.
AWS Site-to-Site VPN is a quick, encrypted connection over the internet, suitable for smaller or less critical workloads.
AWS Storage Gateway has three types: File Gateway (files to S3), Volume Gateway (block to EBS snapshots), Tape Gateway (backup to S3 Glacier).
AWS Outposts brings native AWS services to your data center for low-latency workloads that must stay on-premises.
Identity federation (via IAM Identity Center or AD Connector) allows on-premises users to access AWS resources without creating IAM users.
AWS Transit Gateway simplifies hybrid networking by acting as a central hub for VPCs and on-premises networks.
AWS Systems Manager provides unified management of on-premises and EC2 instances using the SSM Agent.
Hybrid cloud is an architectural approach, not a single AWS service; the exam tests your ability to choose the right services for a given scenario.
Common exam traps: confusing Storage Gateway types, picking VPN over Direct Connect when low latency is required, and mistaking Snowball for a hybrid connectivity service.
These come up on the exam all the time. Here's how to tell them apart.
AWS Direct Connect
Dedicated private connection via physical cross-connect
Lower latency and higher bandwidth (up to 100 Gbps)
Not encrypted by default (can add MACsec)
Requires weeks to provision
Higher cost (port hours + data transfer)
AWS Site-to-Site VPN
Encrypted tunnel over the public internet
Variable latency; max bandwidth ~1.25 Gbps per tunnel
Encrypted by default (IPsec)
Can be set up in minutes
Lower cost (hourly VPN connection fee + data transfer)
Mistake
Hybrid cloud means you must use AWS Outposts.
Correct
Hybrid cloud is an architecture, not a single service. Outposts is one component; you can achieve hybrid with Direct Connect, VPN, Storage Gateway, and Systems Manager alone.
Mistake
AWS Direct Connect is faster than Site-to-Site VPN because it's encrypted.
Correct
Direct Connect is not encrypted by default; it's a private connection that bypasses the internet. VPN is encrypted but uses the public internet, so Direct Connect typically has lower latency and higher throughput.
Mistake
Storage Gateway Volume Gateway stores data in S3.
Correct
Volume Gateway stores data as EBS snapshots, not as objects in S3. File Gateway stores files in S3. This distinction is frequently tested.
Mistake
You can use AWS Identity and Access Management (IAM) to directly manage on-premises users.
Correct
IAM manages AWS users and permissions. For on-premises users, you use IAM Identity Center or AD Connector for federation. IAM does not directly authenticate on-premises users.
Mistake
AWS Outposts require an internet connection to work.
Correct
Outposts require a connection to an AWS Region (usually via Direct Connect) for management and updates, but they can operate independently for a limited time if the connection is lost.
Direct Connect is a dedicated physical connection that bypasses the internet, offering lower latency and higher bandwidth (up to 100 Gbps). It is not encrypted by default (but can be with MACsec). VPN is an encrypted IPsec tunnel over the internet, quicker to set up but with variable latency and lower throughput (max ~1.25 Gbps per tunnel). For the exam, choose Direct Connect when the question mentions 'consistent low latency' or 'dedicated bandwidth'; choose VPN when 'encrypted' or 'low cost' is emphasized.
Use File Gateway. It provides NFS and SMB access to files stored in S3, with a local cache for low-latency access. Volume Gateway provides block storage via iSCSI and stores data as EBS snapshots. Tape Gateway replaces physical tape libraries with virtual tapes stored in S3 Glacier. The exam often tests these distinctions.
Yes, using AWS Outposts. Outposts are fully managed racks of AWS hardware installed in your data center, allowing you to run EC2, EBS, and other services locally. They connect to an AWS Region for management. This is different from Local Zones, which are AWS-managed facilities closer to users but not on your premises.
Use AWS Systems Manager. Install the SSM Agent on your on-premises servers (Windows or Linux) and register them as managed instances. You can then run commands, apply patches, and inventory software across all instances from the Systems Manager console. This provides unified operations without needing separate tools.
It can be, due to the cost of dedicated connections (Direct Connect), Outposts hardware, and additional management overhead. However, it can save money if you avoid large data transfer costs or if you have existing on-premises investments. The exam expects you to recognize that hybrid cloud is chosen for latency, compliance, or gradual migration, not necessarily for cost savings.
AWS Transit Gateway is a network transit hub that connects VPCs, VPNs, and Direct Connect virtual interfaces. Instead of peering many VPCs together, you attach them to the Transit Gateway. For hybrid cloud, you attach your on-premises network via Direct Connect or VPN, and then route traffic between VPCs and on-premises. It simplifies network management and is a key part of hybrid architectures.
Use identity federation with IAM Identity Center or AD Connector. You integrate your existing Active Directory with AWS. Users authenticate with their corporate credentials, and AWS maps them to IAM roles for permissions. This is a best practice for hybrid environments and avoids managing separate IAM users.