AWS Network Connectivity Options: VPN, Direct Connect, and PrivateLink
Network connection options (for example, AWS VPN, AWS Direct Connect, AWS PrivateLink)
Learning Objectives
After studying this guide, you should be able to:
- Differentiate between AWS Site-to-Site VPN and AWS Direct Connect based on bandwidth and setup time.
- Explain the architecture and benefits of AWS PrivateLink for secure service consumption.
- Design a hub-and-spoke network topology using AWS Transit Gateway.
- Identify the appropriate use cases for Dedicated vs. Hosted Direct Connect connections.
- Configure route propagation for automated network updates.
Key Terms & Glossary
- Virtual Private Gateway (VPG): The VPN endpoint on the Amazon side of a Site-to-Site VPN connection.
- Customer Gateway (CGW): A physical device or software application on your side (on-premises) of a Site-to-Site VPN connection.
- BGP (Border Gateway Protocol): The standard routing protocol used to exchange routing information between your network and AWS.
- Interface VPC Endpoint: Powered by AWS PrivateLink, it provides private connectivity to services by using a private IP address from your VPC subnet.
- Transitive Routing: The ability for traffic to pass through one VPC to reach another; AWS VPC Peering does not support this, while Transit Gateway does.
The "Big Idea"
Connecting on-premises environments to the AWS Cloud is not a "one size fits all" task. Organizations must balance speed, security, cost, and reliability. While the public internet provides a quick path via VPN, enterprises requiring consistent, high-throughput performance rely on Direct Connect to bypass the internet entirely. Services like PrivateLink and Transit Gateway then refine this connectivity by ensuring traffic remains private and architectures stay scalable.
Formula / Concept Box
| Feature | AWS Site-to-Site VPN | AWS Direct Connect | AWS PrivateLink |
|---|---|---|---|
| Transport | Public Internet (Encrypted) | Dedicated Private Fiber | AWS Internal Backbone |
| Setup Time | Minutes | Weeks/Months | Minutes |
| Bandwidth | Up to 1.25 Gbps per tunnel | 1, 10, or 100 Gbps | Scalable (Gbps) |
| Cost | Low (Hourly + Data) | High (Port + Data + Circuit) | Low (Per hour + Per GB) |
| Use Case | Quick setup, low cost | Consistent performance | Secure service sharing |
Hierarchical Outline
- Hybrid Cloud Connectivity
- AWS Site-to-Site VPN
- Components: Virtual Private Gateway (AWS side) and Customer Gateway (On-prem side).
- Reliability: Uses two tunnels for failover.
- Route Propagation: Automatically updates VPC route tables with on-prem routes.
- AWS Direct Connect (DX)
- Dedicated Connections: Physical 1/10/100 Gbps ports for single tenants.
- Hosted Connections: 50 Mbps to 10 Gbps capacity provided by partners.
- Virtual Interfaces (VIF): Private VIF (for VPC) vs. Public VIF (for S3/DynamoDB).
- Scaling and Security
- AWS Transit Gateway
- Hub-and-Spoke: Connects thousands of VPCs and on-prem networks.
- Simplification: Replaces complex peering meshes.
- AWS PrivateLink
- Security: Traffic never leaves the AWS network; no IGW or NAT required.
- Unidirectionality: Connections can only be initiated by the service consumer toward the provider; the provider cannot initiate traffic into the consumer's VPC, and neither side's VPC address space is exposed to the other beyond the endpoint.
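The Site-to-Site VPN components and route propagation listed in the outline, expressed as Terraform. This is an added example, not configuration from the original guide: the region, the VPC CIDR, the customer gateway's public IP (203.0.113.10, taken from the documentation address range) and both BGP ASNs are placeholder assumptions to be replaced with real values.

```hcl
terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
  }
}

provider "aws" {
  region = "us-east-1" # assumption; pick the Region that hosts the VPC
}

# Placeholder on-premises values (assumptions, not from the guide).
locals {
  on_prem_public_ip = "203.0.113.10" # public IP of the customer gateway device
  on_prem_asn       = 65000          # private ASN used by the on-prem router
}

resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16" # assumption
}

# Route table for private subnets; on-prem prefixes will be propagated into it.
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.main.id
}

# AWS side of the connection: the Virtual Private Gateway attached to the VPC.
resource "aws_vpn_gateway" "vgw" {
  vpc_id          = aws_vpc.main.id
  amazon_side_asn = 64512
}

# On-premises side: describes the customer's device (public IP + BGP ASN).
resource "aws_customer_gateway" "cgw" {
  bgp_asn    = local.on_prem_asn
  ip_address = local.on_prem_public_ip
  type       = "ipsec.1"
}

# The VPN connection. AWS always provisions two IPsec tunnels for failover;
# static_routes_only = false means routes are exchanged dynamically over BGP.
resource "aws_vpn_connection" "site_to_site" {
  vpn_gateway_id      = aws_vpn_gateway.vgw.id
  customer_gateway_id = aws_customer_gateway.cgw.id
  type                = "ipsec.1"
  static_routes_only  = false

  # Pin both tunnels to IKEv2 and AES-GCM rather than accepting every
  # algorithm AWS would otherwise negotiate (a hardening choice).
  tunnel1_ike_versions                 = ["ikev2"]
  tunnel2_ike_versions                 = ["ikev2"]
  tunnel1_phase1_encryption_algorithms = ["AES256-GCM-16"]
  tunnel2_phase1_encryption_algorithms = ["AES256-GCM-16"]
  tunnel1_phase2_encryption_algorithms = ["AES256-GCM-16"]
  tunnel2_phase2_encryption_algorithms = ["AES256-GCM-16"]
}

# Route propagation: prefixes learned from the customer gateway over BGP are
# written into the private route table automatically, so no static routes
# to on-prem networks have to be maintained by hand.
resource "aws_vpn_gateway_route_propagation" "private" {
  vpn_gateway_id = aws_vpn_gateway.vgw.id
  route_table_id = aws_route_table.private.id
}

# Public tunnel endpoints the on-prem device must be configured against.
output "tunnel_outside_addresses" {
  value = [
    aws_vpn_connection.site_to_site.tunnel1_address,
    aws_vpn_connection.site_to_site.tunnel2_address,
  ]
}
```

After `terraform apply`, the two tunnel addresses in the output are what the customer gateway device peers with; configuring only one of them discards the failover the second tunnel exists for. Because propagation is enabled on the private route table, a prefix the on-prem router stops advertising disappears from that table as well, which is the behaviour the "automated network updates" learning objective refers to.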
Visual Anchors
Connection Decision Tree
Site-to-Site VPN Architecture
Definition-Example Pairs
- Dedicated Connection: A physical ethernet port dedicated to a single customer.
- Example: A financial institution needs a 10 Gbps line to sync high-frequency trading data between their data center and AWS without internet jitter.
- Hosted Connection: A logical connection over a shared physical link managed by an AWS Partner.
- Example: A small startup needs 200 Mbps of private bandwidth and uses a partner like Equinix to provision the link quickly.
- AWS PrivateLink: Securely connects a service provider VPC to a consumer VPC.
- Example: Using an Interface Endpoint to allow an EC2 instance in a private subnet to download files from S3 without using a NAT Gateway or Public IP.
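The PrivateLink example above (an EC2 instance in a private subnet reaching S3 through an Interface Endpoint) as Terraform. This is an added example, not configuration from the original guide; the Region, the VPC and subnet CIDRs and the bucket name `EXAMPLE-BUCKET` are placeholder assumptions.

```hcl
terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
  }
}

variable "region" {
  type    = string
  default = "us-east-1" # assumption
}

provider "aws" {
  region = var.region
}

resource "aws_vpc" "app" {
  cidr_block           = "10.1.0.0/16" # assumption
  enable_dns_support   = true
  enable_dns_hostnames = true
}

# Private subnet: no Internet Gateway route and no NAT Gateway anywhere.
resource "aws_subnet" "private" {
  vpc_id     = aws_vpc.app.id
  cidr_block = "10.1.1.0/24" # assumption
}

# The endpoint is an ENI with a private IP in this subnet; its security group
# only admits HTTPS from inside the VPC.
resource "aws_security_group" "s3_endpoint" {
  name   = "s3-interface-endpoint"
  vpc_id = aws_vpc.app.id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.app.cidr_block]
  }
}

# Interface VPC Endpoint for S3, powered by PrivateLink. Traffic to it never
# leaves the AWS network.
resource "aws_vpc_endpoint" "s3" {
  vpc_id              = aws_vpc.app.id
  service_name        = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = [aws_subnet.private.id]
  security_group_ids  = [aws_security_group.s3_endpoint.id]
  private_dns_enabled = false # clients use the endpoint-specific DNS name

  # Endpoint policy: the private path can only be used for one approved
  # bucket, so the endpoint cannot become a quiet exfiltration channel to
  # arbitrary buckets. Bucket name is a placeholder.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "OnlyApprovedBucket"
      Effect    = "Allow"
      Principal = "*"
      Action    = ["s3:GetObject", "s3:ListBucket"]
      Resource = [
        "arn:aws:s3:::EXAMPLE-BUCKET",
        "arn:aws:s3:::EXAMPLE-BUCKET/*",
      ]
    }]
  })
}

# DNS name the instance in the private subnet points its S3 client at.
output "s3_endpoint_dns_name" {
  value = aws_vpc_endpoint.s3.dns_entry[0].dns_name
}
```

Nothing in this VPC has a route to the internet, yet the instance can download objects: its HTTPS connection terminates on the endpoint's private IP and rides the AWS backbone to S3. The endpoint policy is the part worth remembering from a security standpoint; without it, the endpoint allows access to any bucket in the Region, and the IAM policy on the caller becomes the only control.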
Worked Examples
Scenario 1: The Urgent Data Migration
Problem: A company needs to move 50TB of data to AWS within 48 hours for a critical deadline. They currently have no hybrid connectivity.
Solution:
- Direct Connect? No. Setup time takes weeks.
- VPN? Potentially. 1.25 Gbps = ~13.5 TB per day. With multiple VPN tunnels, they could theoretically meet the goal, but internet congestion is a risk.
- Recommendation: Use AWS Site-to-Site VPN for immediate secure access, but supplement with AWS Snowball for the bulk data transfer if the network cannot handle the load.
Scenario 2: Overcoming VPC Peering Limits
Problem: A company has 20 VPCs that all need to share a central security services VPC. They are struggling with the "mesh" of 190 peering connections required.
Solution:
- Deploy an AWS Transit Gateway.
- Attach all 20 VPCs to the Transit Gateway.
- Configure the Transit Gateway Route Table to allow all spokes to talk to the central hub.
- Benefit: This reduces the management overhead from 190 peering connections to just 20 Transit Gateway attachments.
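The three steps of Scenario 2 as Terraform, added here as an example and not taken from the original guide. It goes slightly beyond the scenario text: the Transit Gateway's default route table is disabled and two route tables are used, so every spoke can reach the hub but spokes have no route to each other through the gateway. The hub and spoke VPC IDs, subnet IDs, route table IDs and CIDRs are supplied as variables and are assumptions.

```hcl
terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
  }
}

provider "aws" {
  region = "us-east-1" # assumption
}

# Central security services VPC (assumed to already exist).
variable "hub_vpc_id" { type = string }
variable "hub_subnet_ids" { type = list(string) }
variable "hub_route_table_id" { type = string }
variable "hub_cidr" { type = string }

# The 20 spoke VPCs, keyed by name (assumed to already exist).
variable "spokes" {
  type = map(object({
    vpc_id         = string
    subnet_ids     = list(string)
    route_table_id = string
    cidr           = string
  }))
}

# Step 1: the hub. Default association/propagation are disabled so that
# attachments only get the routes we deliberately give them.
resource "aws_ec2_transit_gateway" "hub" {
  description                     = "central security services hub"
  amazon_side_asn                 = 64512
  default_route_table_association = "disable"
  default_route_table_propagation = "disable"
}

# Step 2: attachments, one for the hub and one per spoke.
resource "aws_ec2_transit_gateway_vpc_attachment" "hub" {
  transit_gateway_id                              = aws_ec2_transit_gateway.hub.id
  vpc_id                                          = var.hub_vpc_id
  subnet_ids                                      = var.hub_subnet_ids
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
}

resource "aws_ec2_transit_gateway_vpc_attachment" "spoke" {
  for_each                                        = var.spokes
  transit_gateway_id                              = aws_ec2_transit_gateway.hub.id
  vpc_id                                          = each.value.vpc_id
  subnet_ids                                      = each.value.subnet_ids
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
}

# Step 3: route tables. The hub table learns every spoke CIDR by propagation.
resource "aws_ec2_transit_gateway_route_table" "hub" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
}

resource "aws_ec2_transit_gateway_route_table_association" "hub" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.hub.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.hub.id
}

resource "aws_ec2_transit_gateway_route_table_propagation" "spokes_into_hub" {
  for_each                       = aws_ec2_transit_gateway_vpc_attachment.spoke
  transit_gateway_attachment_id  = each.value.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.hub.id
}

# The spoke table only ever learns the hub. Because no spoke attachment
# propagates into it, spoke-to-spoke traffic has no route at the gateway.
resource "aws_ec2_transit_gateway_route_table" "spoke" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
}

resource "aws_ec2_transit_gateway_route_table_association" "spoke" {
  for_each                       = aws_ec2_transit_gateway_vpc_attachment.spoke
  transit_gateway_attachment_id  = each.value.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spoke.id
}

resource "aws_ec2_transit_gateway_route_table_propagation" "hub_into_spoke" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.hub.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spoke.id
}

# VPC-side routes: each spoke sends hub-bound traffic to the gateway, and the
# hub has a return route for every spoke CIDR.
resource "aws_route" "spoke_to_hub" {
  for_each               = var.spokes
  route_table_id         = each.value.route_table_id
  destination_cidr_block = var.hub_cidr
  transit_gateway_id     = aws_ec2_transit_gateway.hub.id
  depends_on             = [aws_ec2_transit_gateway_vpc_attachment.spoke]
}

resource "aws_route" "hub_to_spoke" {
  for_each               = var.spokes
  route_table_id         = var.hub_route_table_id
  destination_cidr_block = each.value.cidr
  transit_gateway_id     = aws_ec2_transit_gateway.hub.id
  depends_on             = [aws_ec2_transit_gateway_vpc_attachment.hub]
}
```

Adding a 21st spoke is one more entry in `var.spokes`, not a new batch of peering connections, which is the scaling benefit the scenario describes. The split into two Transit Gateway route tables is what keeps transitive reachability under control: the gateway could forward spoke to spoke, but the spoke table never receives those prefixes, so a compromised workload in one spoke gains no network path to the others without passing through the security services hub.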
Checkpoint Questions
- What is the main difference between a Private VIF and a Public VIF in Direct Connect?
- Why does an AWS Site-to-Site VPN provide two tunnels by default?
- If you have a 100 Gbps requirement, which Direct Connect connection type must you use?
- True or False: VPC Peering supports transitive routing.
- Which service allows you to access AWS services privately without an Internet Gateway?
Answers
- Private VIF connects to a VPC (Private IPs); Public VIF connects to public AWS services like S3 or DynamoDB.
- For High Availability (failover) on the AWS side.
- Dedicated Connection (Hosted connections max out at 10 Gbps).
- False. Transit Gateway is required for transitive routing.
- AWS PrivateLink (Interface VPC Endpoints).