Options
Option | Use Case | Advantages | Limitations |
---|---|---|---|
AWS Site-to-Site VPN | AWS managed IPsec VPN connection over the internet to an individual VPC | Reuse existing VPN equipment and processes; reuse existing internet connections; AWS managed high availability VPN service; supports static routes or dynamic Border Gateway Protocol (BGP) peering and routing policies | Network latency, variability, and availability depend on internet conditions; you are responsible for implementing redundancy and failover (if required); remote device must support single-hop BGP (when using BGP for dynamic routing) |
AWS Transit Gateway + AWS Site-to-Site VPN | AWS managed IPsec VPN connection over the internet to a regional router for multiple VPCs | Same as the previous option; AWS managed high availability and scalability regional network hub for up to 5,000 attachments | Same as the previous option |
AWS Direct Connect | Dedicated network connection over private lines | More predictable network performance; reduced bandwidth costs; supports BGP peering and routing policies | Might require additional telecom and hosting provider relationships or new network circuits to be provisioned |
AWS Direct Connect + AWS Transit Gateway | Dedicated network connection over private lines to a regional router for multiple VPCs | Same as the previous option; AWS managed high availability and scalability regional network hub for up to 5,000 attachments | Same as the previous option |
AWS Direct Connect + AWS Site-to-Site VPN | IPsec VPN connection over private lines | More predictable network performance; reduced bandwidth costs; supports BGP peering and routing policies on AWS Direct Connect; reuse existing VPN equipment and processes; AWS managed high availability VPN service; supports static routes or dynamic Border Gateway Protocol (BGP) peering and routing policies on the VPN connection | Might require additional telecom and hosting provider relationships or new network circuits to be provisioned; you are responsible for implementing redundancy and failover (if required); remote device must support single-hop BGP (when using BGP for dynamic routing) |
AWS Direct Connect + AWS Transit Gateway + AWS Site-to-Site VPN | IPsec VPN connection over private lines to a regional router for multiple VPCs | Same as the previous option; AWS managed high availability and scalability regional network hub for up to 5,000 attachments | Same as the previous option |
AWS VPN CloudHub | Connect remote branch offices in a hub-and-spoke model for primary or backup connectivity | Reuse existing internet connections and AWS VPN connections; AWS managed high availability VPN service; supports BGP for exchanging routes and routing priorities | Network latency, variability, and availability depend on the internet; user-managed branch office endpoints are responsible for implementing redundancy and failover (if required) |
AWS Transit Gateway + SD-WAN solutions | Connect remote branches and offices with a software-defined wide area network, using the AWS backbone or the internet as the transit network | Supports a wider array of SD-WAN vendors, products, and protocols; some vendor solutions integrate with AWS native services | You are responsible for implementing high availability (HA) of the SD-WAN appliances if they are placed in an Amazon VPC |
Software VPN | Software appliance-based VPN connection over the internet | Supports a wider array of VPN vendors, products, and protocols; fully customer-managed solution | You are responsible for implementing HA solutions for all VPN endpoints (if required) |
AWS Site-to-Site VPN
Amazon VPC provides the option of creating an IPsec VPN connection between your remote networks and Amazon VPC over the internet, as shown in the following figure.

Consider taking this approach when you want to take advantage of an AWS-managed VPN endpoint that includes automated redundancy and failover built into the AWS side of the VPN connection.
The virtual private gateway also supports and encourages multiple customer gateway connections so that you can implement redundancy and failover on your side of the VPN connection, as shown in the following figure.

AWS Transit Gateway + AWS Site-to-Site VPN
AWS Transit Gateway is an AWS managed high availability and scalability regional network transit hub used to interconnect VPCs and customer networks. AWS Transit Gateway + VPN, using the Transit Gateway VPN attachment, provides the option of creating an IPsec VPN connection between your remote network and the Transit Gateway over the internet.

Consider using this approach when you want to take advantage of an AWS-managed VPN endpoint for connecting to multiple VPCs in the same region without the additional cost and management of multiple IPsec VPN connections to multiple Amazon VPCs.
AWS Transit Gateway also supports and encourages multiple customer gateway connections so that you can implement redundancy and failover on your side of the VPN connection, as shown in the following figure.

AWS Direct Connect
AWS Direct Connect makes it easy to establish a dedicated connection from an on-premises network to one or more VPCs. AWS Direct Connect can reduce network costs, increase bandwidth throughput, and provide a more consistent network experience than internet-based connections. A Direct Connect connection carries one or more virtual interfaces (VIFs), of three types:
- Public virtual interface – Establish connectivity between AWS public endpoints and your data center, office, or colocation environment.
- Transit virtual interface – Establish private connectivity between AWS Transit Gateway and your data center, office, or colocation environment. This connectivity option is covered in the section AWS Direct Connect + AWS Transit Gateway.
- Private virtual interface – Establish private connectivity between Amazon VPC resources and your data center, office, or colocation environment. The use of private VIFs is shown in the following figure.

With AWS Direct Connect, you have two types of connection:
- Dedicated connections, where a physical Ethernet connection is associated with a single customer. You can order port speeds of 1, 10, or 100 Gbps. You might need to work with a partner in the AWS Direct Connect Partner Program to help you establish network circuits between an AWS Direct Connect connection and your data center, office, or colocation environment.
- Hosted connections, where a physical Ethernet connection is provisioned by an AWS Direct Connect Partner and shared with you. You can order port speeds between 50 Mbps and 10 Gbps. You work with the partner on both the AWS Direct Connect connection they established and the network circuits between that AWS Direct Connect connection and your data center, office, or colocation environment.
AWS Direct Connect + AWS Transit Gateway
AWS Direct Connect + AWS Transit Gateway, using a transit VIF attached to a Direct Connect gateway, enables your network to connect to several regional centralized routers over a private dedicated connection. The following figure shows a connection to two such routers.

AWS Direct Connect + AWS Site-to-Site VPN
With AWS Direct Connect + AWS Site-to-Site VPN, you can combine AWS Direct Connect connections with an AWS-managed VPN solution. AWS Direct Connect public VIFs establish a dedicated network connection between your network and public AWS resources such as an AWS Site-to-Site VPN endpoint. Once you establish the connection to the service, you can create IPsec connections to the corresponding Amazon VPC virtual private gateways.

AWS Direct Connect + AWS Transit Gateway + AWS Site-to-Site VPN
With AWS Direct Connect + AWS Transit Gateway + AWS Site-to-Site VPN, you can enable end-to-end IPsec-encrypted connections between your networks and a regional centralized router for Amazon VPCs over a private dedicated connection.
You can use AWS Direct Connect public VIFs to first establish a dedicated network connection between your network and public AWS resources, such as AWS Site-to-Site VPN endpoints. Once this connection is established, you can create an IPsec connection to AWS Transit Gateway.
Consider taking this approach when you want to simplify management and minimize the cost of IPsec VPN connections to multiple Amazon VPCs in the same region, with the low latency and consistent network experience benefits of a private dedicated connection over an internet-based VPN. A BGP session is established between AWS Direct Connect and your router using either the public or the transit VIF. Another BGP session or a static route will be established between AWS Transit Gateway and your router on the IPsec VPN tunnel.
AWS VPN CloudHub
The AWS VPN CloudHub operates on a simple hub-and-spoke model that you can use with or without a VPC. Use this approach if you have multiple branch offices and existing internet connections and would like to implement a convenient, potentially low-cost hub-and-spoke model for primary or backup connectivity between these remote offices.

AWS VPN CloudHub uses an Amazon VPC virtual private gateway with multiple customer gateways, each using a unique BGP autonomous system number (ASN). The remote sites must not have overlapping IP ranges. Your gateways advertise the appropriate routes (BGP prefixes) over their VPN connections. These routing advertisements are received and re-advertised to each BGP peer so that each site can send data to and receive data from the other sites.
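The two CloudHub planning rules above (unique ASN per customer gateway, no overlapping prefixes between sites or the VPC) can be checked before any VPN connection is ordered. The following is an added example, not part of the whitepaper or any AWS tool, that validates a constructed set of spoke sites and models which prefixes the hub re-advertises to each of them:

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Site:
    name: str
    asn: int          # BGP ASN configured on this site's customer gateway
    prefixes: list    # CIDRs the site advertises over its VPN connection


# Constructed sample data: three branches behind one virtual private gateway.
VPC_CIDR = "10.0.0.0/16"
GOOD_SITES = [
    Site("branch-a", 65001, ["10.1.0.0/16"]),
    Site("branch-b", 65002, ["10.2.0.0/16"]),
    Site("branch-c", 65003, ["10.3.0.0/16"]),
]
# Same plan with two mistakes: branch-c reuses branch-a's ASN and overlaps its range.
BAD_SITES = [
    Site("branch-a", 65001, ["10.1.0.0/16"]),
    Site("branch-b", 65002, ["10.2.0.0/16"]),
    Site("branch-c", 65001, ["10.1.128.0/17"]),
]


def validate_hub(sites, vpc_cidr=None):
    """Return the list of CloudHub rule violations for a plan (empty means OK)."""
    errors, seen_asn = [], {}
    for s in sites:
        if s.asn in seen_asn:
            errors.append(f"{s.name} reuses ASN {s.asn} already used by {seen_asn[s.asn]}")
        seen_asn.setdefault(s.asn, s.name)
    nets = [(s.name, ipaddress.ip_network(p)) for s in sites for p in s.prefixes]
    if vpc_cidr:
        nets.append(("VPC", ipaddress.ip_network(vpc_cidr)))
    for i, (a_name, a) in enumerate(nets):
        for b_name, b in nets[i + 1:]:
            if a_name != b_name and a.overlaps(b):
                errors.append(f"{a_name} {a} overlaps {b_name} {b}")
    return errors


def learned_routes(sites, vpc_cidr=None):
    """Prefixes each spoke learns: the hub re-advertises every other spoke's routes."""
    table = {}
    for s in sites:
        routes = sorted(p for other in sites if other is not s for p in other.prefixes)
        if vpc_cidr:
            routes.append(vpc_cidr)   # the VPC itself is reachable from every spoke
        table[s.name] = routes
    return table
```

Run `validate_hub` on the plan first; only a plan with no errors has a meaningful `learned_routes` table.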