AWS Network Connectivity: Direct Connect, VPN, and Internet
Configuring appropriate network connections (for example, AWS Direct Connect compared with VPN compared with internet)
This study guide explores the various methods of connecting on-premises data centers to the AWS Cloud, focusing on the trade-offs between speed, security, cost, and implementation time.
Learning Objectives
After studying this guide, you should be able to:
- Differentiate between AWS Site-to-Site VPN and AWS Direct Connect.
- Select the appropriate connection type based on bandwidth, latency, and security requirements.
- Understand the components of hybrid connectivity, including Virtual Private Gateways and Customer Gateways.
- Identify use cases for Dedicated vs. Hosted Direct Connect connections.
- Prevent common configuration errors, such as IP address overlap.
Key Terms & Glossary
- Virtual Private Gateway (VGW): The gateway on the AWS side, attached to a VPC, that terminates Site-to-Site VPN tunnels (and can also terminate a Direct Connect private VIF).
- Customer Gateway (CGW): A physical device or software application on the on-premises side of a VPN connection.
- Direct Connect (DX): A cloud service solution that establishes a dedicated network connection from on-premises to AWS, bypassing the public internet.
- Virtual Interface (VIF): A logical configuration on a Direct Connect connection. Private VIFs connect to a VPC; Public VIFs connect to public AWS service endpoints (like S3); Transit VIFs connect to a Transit Gateway via a Direct Connect gateway.
- Transit Gateway: A network transit hub used to interconnect VPCs and on-premises networks at scale.
The "Big Idea"
In a hybrid cloud strategy, the network is the "circulatory system" of the architecture. If the connection is slow or unreliable, the entire application is effectively unavailable. Choosing between the public internet (unpredictable), VPN (secure but variable), and Direct Connect (private and consistent) is a fundamental decision that balances performance requirements against cost and setup complexity.
Formula / Concept Box
| Feature | Site-to-Site VPN | Direct Connect (DX) | Internet (HTTPS) |
|---|---|---|---|
| Transport | Public Internet | Private Fiber | Public Internet |
| Encryption | IPsec (Encrypted) | None by default (MACsec on supported dedicated ports, or run IPsec VPN over the link) | TLS/SSL |
| Speed | Up to 1.25 Gbps per tunnel | 1, 10, or 100 Gbps | Variable |
| Latency | Inconsistent | Consistent / Low | Inconsistent |
| Setup Time | Minutes/Hours | Weeks/Months | Instant |
| Primary Use | Quick setup, low volume | High volume, mission-critical | Public web apps |
Hierarchical Outline
- I. AWS Site-to-Site VPN
- Encryption: Uses IPsec to secure data over the public internet.
- Components: Requires a Virtual Private Gateway (VGW) on AWS and a Customer Gateway (CGW) on-premises.
- Limitations: Bandwidth is capped at 1.25 Gbps per tunnel, and throughput and latency vary with public internet congestion.
- II. AWS Direct Connect (DX)
- Physical Link: A dedicated physical connection between a data center and an AWS Direct Connect location.
- Connection Types:
- Dedicated: Physical port (1/10/100 Gbps).
- Hosted: Provided by partners (50 Mbps up to 10 Gbps).
- Virtual Interfaces: Private VIF (for VPC), Public VIF (for S3/DynamoDB), Transit VIF (for Transit Gateway).
- III. Hybrid Design Considerations
- IP Overlap: VPC CIDR blocks must not overlap with on-premises address ranges.
- Redundancy: Using VPN as a low-cost backup for a Direct Connect primary link. When both paths advertise the same prefixes over BGP, AWS prefers the Direct Connect route, so traffic fails over to the VPN automatically if the DX link drops.
- Transit Gateway: Simplifies the hub-and-spoke connectivity for multiple VPCs and on-prem sites.
Visual Anchors
Connection Decision Flow
Hybrid Architecture Overview
\begin{tikzpicture}[node distance=2cm, every node/.style={rectangle, draw, rounded corners, align=center, minimum height=1cm}]
  \node (onprem) [fill=gray!20] {On-Premises\\Data Center\\(Customer Gateway)};
  \node (aws) [right=4cm of onprem, fill=blue!10] {AWS Cloud\\(VPC / VGW)};
  % Connections
  \draw [<->, thick, dashed] (onprem) -- node[above, draw=none, font=\scriptsize] {IPsec VPN (Public Internet)} (aws);
  \coordinate (dx1) at ([yshift=-1.2cm]onprem.south);
  \coordinate (dx2) at (aws.south |- dx1);
  \draw [<->, ultra thick] (onprem.south) -- (dx1) -- node[below, draw=none, font=\scriptsize] {Direct Connect (Private Fiber)} (dx2) -- (aws.south);
  % Markers
  \node at ([xshift=1cm, yshift=-0.3cm]onprem.east) [draw=none] {\tiny Over Internet};
  \node at ([xshift=1cm, yshift=0.25cm]dx1) [draw=none] {\tiny Bypasses Internet};
\end{tikzpicture}
Definition-Example Pairs
- Dedicated Connection
- Definition: A physical Ethernet port dedicated to a single customer.
- Example: A financial institution moving tens of terabytes of sensitive trading data daily (a 10 Gbps port carries roughly 100 TB per day at full rate) requires a dedicated 10 Gbps port to ensure the line is never shared with other tenants.
- Hosted Connection
- Definition: A connection provided by an AWS Direct Connect Partner where the physical link is shared but your traffic is logically separated.
- Example: A small software company needs 200 Mbps of consistent speed for their dev environment but cannot justify the cost of a full physical fiber installation.
- Non-Overlapping IP Space
- Definition: The requirement that network addresses in two connected networks remain unique to allow routing.
- Example: If on-premises uses 10.0.0.0/16, the AWS VPC should use a disjoint range such as 172.16.0.0/16 to avoid routing conflicts.
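The overlap check from the Hybrid Design Considerations outline and the pair above, as an added example that is not part of the original study guide. It goes beyond the single on-prem/VPC pair in the text: with a Transit Gateway hub, every spoke VPC must also be disjoint from every other spoke, so the script checks all cross-owner pairs and then proposes a free RFC 1918 block for a new VPC. The inventory, names and ranges are constructed for the example.

```python
"""Hybrid CIDR overlap check (added example, not from the study guide).

Every prefix exchanged over a Site-to-Site VPN or a Direct Connect
private/transit VIF must be disjoint from every VPC it is routed to.
Behind a Transit Gateway the spoke VPCs must also be disjoint from each
other, otherwise the TGW route table cannot tell them apart.
"""
from ipaddress import ip_network
from itertools import combinations

# Constructed sample inventory (hypothetical site and VPC names/ranges).
ON_PREM = {
    "hq-datacenter": ["10.0.0.0/16", "10.1.0.0/16"],
    "branch-office": ["192.168.10.0/24"],
}
VPCS = {
    "prod-vpc": ["172.16.0.0/16"],
    "dev-vpc": ["10.1.128.0/20"],           # carved out of hq 10.1.0.0/16
    "shared-services": ["172.16.32.0/20"],  # carved out of prod-vpc
}

RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def _flatten(inventory):
    """Return [(owner, network)]; strict parsing rejects CIDRs with host bits set."""
    return [(owner, ip_network(cidr, strict=True))
            for owner, cidrs in inventory.items()
            for cidr in cidrs]


def find_overlaps(on_prem, vpcs):
    """Sorted (owner_a, cidr_a, owner_b, cidr_b) for every pair of prefixes,
    belonging to different owners, that overlap. overlaps() is symmetric and
    covers equal, subnet and supernet cases, so a /20 inside someone else's
    /16 is reported too. Same-owner pairs are skipped: a site may
    legitimately advertise a summary route alongside its subnets.
    """
    prefixes = _flatten(on_prem) + _flatten(vpcs)
    hits = []
    for (owner_a, net_a), (owner_b, net_b) in combinations(prefixes, 2):
        if owner_a != owner_b and net_a.overlaps(net_b):
            hits.append((owner_a, str(net_a), owner_b, str(net_b)))
    return sorted(hits)


def suggest_free_block(on_prem, vpcs, prefixlen=16):
    """First RFC 1918 block of the requested size that overlaps nothing
    already in use, or None when no candidate space of that size is free.
    """
    in_use = [net for _, net in _flatten(on_prem) + _flatten(vpcs)]
    for space in RFC1918:
        root = ip_network(space)
        if prefixlen < root.prefixlen:   # requested block larger than this space
            continue
        for candidate in root.subnets(new_prefix=prefixlen):
            if not any(candidate.overlaps(net) for net in in_use):
                return str(candidate)
    return None


if __name__ == "__main__":
    for owner_a, cidr_a, owner_b, cidr_b in find_overlaps(ON_PREM, VPCS):
        print(f"OVERLAP: {owner_a} {cidr_a} <-> {owner_b} {cidr_b}")
    print("free /16 for a new VPC:", suggest_free_block(ON_PREM, VPCS))
```

Run this against the real advertised prefixes before the first BGP session comes up: once an overlapping route is learned, the VPC route table silently prefers the local VPC CIDR and on-prem hosts in the overlapping range become unreachable.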
Worked Examples
Scenario 1: The Urgent Migration
Problem: A company needs to migrate 500 GB of data to AWS within 48 hours to meet a contract deadline. They currently have no hybrid connectivity.
Solution: Configure an AWS Site-to-Site VPN.
- Why: While Direct Connect offers better speeds, it takes weeks to provision. A VPN can be established in minutes over existing internet connections, making it the only viable choice for an immediate deadline. The volume is also modest: 500 GB in 48 hours is only about 23 Mbps sustained, far below a single tunnel's 1.25 Gbps ceiling, so even a congested internet path will finish in time.
Scenario 2: High Volume Consistency
Problem: A media company streams live video and needs to upload raw 4K footage from their studio to AWS. They find that internet-based uploads are "jittery" and often fail during peak hours.
Solution: Provision AWS Direct Connect.
- Why: The issue is "jitter" (variable latency) and congestion on the public internet. Direct Connect provides a private path with consistent latency and a dedicated port capacity (1, 10, or 100 Gbps), ensuring high-quality video ingestion. Note that the link itself is unencrypted: if the footage is confidential, enable MACsec on a supported dedicated port or run an IPsec VPN over the connection.
Checkpoint Questions
- Which connectivity option provides the fastest setup time but remains subject to public internet congestion?
- True or False: Direct Connect traffic is automatically encrypted by default.
- What component must be configured on the on-premises side of a VPN tunnel?
- If you have 20 VPCs and want to connect them all to one on-premises location, what service should you use to simplify management?
- Why is it important to check CIDR blocks before establishing a VPN or DX connection?
▶Click to see answers
- AWS Site-to-Site VPN.
- False. DX provides a private link, but not encryption. To encrypt DX, you must run a VPN over it or use MACsec (on supported ports).
- Customer Gateway (CGW).
- AWS Transit Gateway.
- To avoid IP Address Overlap, which prevents traffic from being routed correctly between the two networks.