# Hybrid connectivity checklist (DX + VPN + Transit Gateway)

Use when workloads span **on-premises / Outposts / Local Zone / Region**. Assumes
a multi-account landing zone with a dedicated networking account.

## Design

- [ ] **Primary path:** AWS Direct Connect (DX) to networking account Transit Gateway
- [ ] **Backup path:** Site-to-Site VPN on a separate virtual private gateway or TGW
      attachment — not the same physical circuit
- [ ] **Bandwidth:** recommended **≥500 Mbps–1 Gbps** redundant connectivity for the
      Outposts service link to the parent Region — model in worksheet before rack order
- [ ] **DNS:** split-horizon Route 53 Resolver rules for internal API names
- [ ] **Routing:** no overlapping CIDR between on-prem, Outposts VPC, and Regional VPC

## Outposts-specific

- [ ] **Service link** subnets sized for management + workload traffic
- [ ] **Local gateway** routes advertised to on-prem for Outposts subnet CIDRs
- [ ] Failover runbook when DX circuit drops — VPN must carry service link traffic

## Local Zone-specific

- [ ] Workloads in Local Zone subnet use **parent Region** for services not available
      in the Local Zone (accept cross-AZ latency for control-plane calls)
- [ ] **Internet egress** from Local Zone — confirm whether traffic hairpins through
      Region or exits locally (affects latency and cost)

## Wavelength-specific

- [ ] **Carrier partnership** signed — Wavelength without 5G core integration is idle metal
- [ ] Handset routing validated end-to-end with carrier NOC contact on speed dial

## Validation commands

Context: AWS CLI 2.x, networking account profile.

```bash
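# DX virtual interface state plus BGP session status (bgpStatus is reported per BGP peer)
aws directconnect describe-virtual-interfaces --query 'virtualInterfaces[*].[virtualInterfaceState,bgpPeers[*].bgpStatus]'
# Transit Gateway attachments currently in the "available" state
aws ec2 describe-transit-gateway-attachments --filters Name=state,Values=available
# Route 53 Resolver rules backing the split-horizon DNS design
aws route53resolver list-resolver-rules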
```
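
The **Routing** item under Design (no overlapping CIDR between on-prem, Outposts VPC, and Regional VPC) can be checked offline before any route is advertised. The script below is an added example, not part of the original checklist; the function names, the `label=cidr` argument format, and the sample CIDRs are assumptions constructed for illustration.

```bash
#!/bin/sh
# Added example: pairwise CIDR overlap check for the "Routing" checklist item.
# POSIX sh, IPv4 only; assumes 64-bit shell arithmetic (dash, bash).

# ip_to_int A.B.C.D -> prints the address as an integer
ip_to_int() {
  old_ifs=$IFS; IFS=.
  set -- $1            # split the dotted quad into $1..$4
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_range A.B.C.D/len -> prints "first last" of the block as integers
cidr_range() {
  len=${1#*/}
  n=$(ip_to_int "${1%/*}")
  size=$(( 1 << (32 - len) ))
  first=$(( n / size * size ))   # clear the host bits
  echo "$first $(( first + size - 1 ))"
}

# cidrs_overlap CIDR_A CIDR_B -> exit 0 if the two blocks share any address
cidrs_overlap() {
  set -- $(cidr_range "$1") $(cidr_range "$2")   # $1 $2 = A range, $3 $4 = B range
  [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# find_overlaps label=cidr ... -> prints each conflicting pair; exit 0 only if none
find_overlaps() {
  conflicts=0
  while [ $# -gt 1 ]; do
    a=$1; shift
    for b in "$@"; do
      if cidrs_overlap "${a#*=}" "${b#*=}"; then
        echo "OVERLAP ${a%%=*} (${a#*=}) <-> ${b%%=*} (${b#*=})"
        conflicts=$(( conflicts + 1 ))
      fi
    done
  done
  [ "$conflicts" -eq 0 ]
}

# Constructed sample plan: the on-prem supernet swallows the Outposts VPC range.
find_overlaps onprem=10.0.0.0/8 outposts-vpc=10.20.0.0/16 region-vpc=172.31.0.0/16 \
  || echo "Resolve overlaps before advertising routes over DX/VPN"
```

Containment counts as overlap here, so a broad on-prem summary route that covers a VPC range is flagged as well as partial intersections.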

## Related

- [Placement decision matrix](./placement-decision-matrix.md)
- [Cross-account patterns](/blog/aws-cross-account-patterns-beyond-landing-zone-2026/)
