Study SAP-C02 Network Connectivity Strategies: key concepts, common traps, and exam decision cues.

SAP-C02 network questions are rarely about one product name in isolation. They are about whether you understand the shape of the traffic path: VPC-to-VPC, cross-account service exposure, on-premises connectivity, hybrid DNS, or segmented enterprise routing.

| Need | Strongest first fit | Why |
|---|---|---|
| a small number of VPCs with simple direct connectivity | VPC peering | simple point-to-point path |
| many VPCs, many accounts, and transitive routing | Transit Gateway | scalable hub-and-spoke routing |
| global policy-driven connectivity across regions | Cloud WAN | centralized global network segmentation |
| private cross-account service consumption without broad routing | PrivateLink | service exposure without full network sharing |
| dedicated private hybrid link | Direct Connect | predictable private connectivity |
| encrypted hybrid path over internet | Site-to-Site VPN | quicker to set up and cheaper than a dedicated link |
| hybrid name resolution | Route 53 Resolver endpoints and rules | DNS is part of the architecture, not cleanup |

The exam usually rewards the option that satisfies the required path with the least routing sprawl and least operational mess.

| Pair | Exam-safe difference |
|---|---|
| VPC peering vs Transit Gateway | peering is direct and non-transitive; TGW is central and transitive |
| Transit Gateway vs Cloud WAN | TGW is the core hub pattern; Cloud WAN adds global policy and segmentation management |
| PrivateLink vs full network connectivity | PrivateLink exposes a service, not a whole routable network |
| Direct Connect vs VPN | DX is dedicated private connectivity; VPN is encrypted internet-based connectivity |

| Trap | Better rule |
|---|---|
| using VPC peering at enterprise scale because it is familiar | many-VPC designs usually point to TGW or Cloud WAN |
| treating PrivateLink like a general routing answer | PrivateLink is for private service consumption, not broad network reachability |
| forgetting DNS in hybrid designs | Route 53 Resolver design often decides whether the connectivity actually works |
| choosing DX for every hybrid scenario | use DX only when dedicated private performance and predictability are required |

Enterprise networking questions usually start with the scope of connectivity. If the requirement is transitive routing across many VPCs and accounts, think Transit Gateway. If the requirement is private access to one service without broad network sharing, think PrivateLink. If the requirement is hybrid DNS, think Route 53 Resolver. The exam usually rewards the service that matches the exact connectivity boundary instead of the biggest-sounding network option.