AWS Network Connectivity: VPN, Direct Connect, and Hybrid Architectures

Network connectivity (for example, private lines, dedicated lines, VPNs)

This study guide covers the fundamental methods for connecting on-premises data centers and remote offices to the AWS Cloud. It focuses on the technical trade-offs between speed, security, and cost-effectiveness for Site-to-Site VPNs and AWS Direct Connect.

Learning Objectives

By the end of this guide, you should be able to:

  • Distinguish between AWS Site-to-Site VPN and AWS Direct Connect based on performance and cost.
  • Design a hub-and-spoke network architecture using AWS Transit Gateway.
  • Configure the essential components for a VPN (Virtual Private Gateway and Customer Gateway).
  • Evaluate the differences between Dedicated and Hosted Direct Connect connections.
  • Implement VPC Peering while avoiding common pitfalls like overlapping CIDR blocks.

Key Terms & Glossary

  • VPC (Virtual Private Cloud): A logically isolated section of the AWS Cloud where you can launch AWS resources.
  • VGW (Virtual Private Gateway): The VPN endpoint on the AWS side of a Site-to-Site VPN connection.
  • CGW (Customer Gateway): The AWS resource that describes the on-premises side of the VPN (the device's public IP and, for BGP, its ASN). The physical appliance or software that actually terminates the tunnel is the customer gateway device.
  • Transit Gateway: A network transit hub that can be used to interconnect VPCs and on-premises networks.
  • Direct Connect (DX): A cloud service solution that establishes a dedicated network connection from your premises to AWS.
  • Transitive Routing: The ability to route traffic from one network to another through an intermediate network (e.g., A to C via B). Note: VPC Peering does not support this.

The "Big Idea"

Network connectivity is the "nervous system" of a hybrid cloud strategy. Organizations must choose between the Public Internet (using encrypted VPNs for speed of setup and low entry cost) and Private Lines (using Direct Connect for consistent performance and high throughput). The "Big Idea" is to treat the AWS VPC not as a separate island, but as a seamless, secure extension of the corporate data center.

Formula / Concept Box

| Feature | Site-to-Site VPN | Direct Connect (DX) |
|---|---|---|
| Transport | Public Internet (IPsec-encrypted) | Private fiber (physical cross-connect) |
| Setup time | Minutes to hours | Weeks to months |
| Bandwidth | Up to 1.25 Gbps per tunnel | 1, 10, or 100 Gbps (Dedicated) |
| Consistency | Variable ("internet weather") | High (predictable latency) |
| Encryption | AES-128/256 (native IPsec) | None by default; optional MACsec on dedicated 10/100 Gbps ports, or an IPsec VPN run over DX |
| Cost | Low (hourly connection fee + data transfer) | High (port-hour fee + data transfer out) |

Hierarchical Outline

  • I. AWS Site-to-Site VPN
    • Components: Virtual Private Gateway (VGW) and Customer Gateway (CGW).
    • Performance: Encrypted via IPsec; performance depends on internet stability.
    • Acceleration: Accelerated Site-to-Site VPN uses AWS Global Accelerator to carry the tunnels over the AWS global network instead of the public internet path. Caveat: it is only available for VPNs that terminate on a Transit Gateway, not on a VGW.
  • II. AWS Direct Connect (DX)
    • Dedicated Connections: Single-tenant, physical 1/10/100 Gbps ports.
    • Hosted Connections: Multi-tenant, capacity (50Mbps - 10Gbps) provided by a partner.
    • Virtual Interfaces (VIFs): Private VIF (a VPC, via a VGW or a Direct Connect gateway), Public VIF (AWS public endpoints like S3/DynamoDB), and Transit VIF (a Transit Gateway, via a Direct Connect gateway).
  • III. Inter-VPC Connectivity
    • VPC Peering: Point-to-point; no overlapping CIDRs; no transitive routing.
    • Transit Gateway (TGW): Hub-and-spoke; simplifies management for hundreds of VPCs; supports transitive routing. Caveat: with the single default route table, every attachment can reach every other attachment, so segment spokes with separate TGW route tables (associations and propagations) rather than relying on security groups alone.

Visual Anchors

Site-to-Site VPN Architecture (diagram not reproduced: on-premises customer gateway device, IPsec tunnels over the internet, VGW attached to the VPC)

Network Topology Comparison

\begin{tikzpicture}[scale=0.8]
  % Draw Hub
  \draw[thick, fill=blue!20] (0,0) circle (0.6cm) node (hub) {TGW};
  % Draw VPCs
  \foreach \a in {0,72,144,216,288} {
    \draw[thick, fill=green!10] (\a:2.5) circle (0.5cm) node (vpc\a) {VPC};
    \draw[->, thick] (vpc\a) -- (hub);
  }
  \node at (0,-3.5) {\textbf{Hub-and-Spoke (Transit Gateway)}};
\end{tikzpicture}
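The hub-and-spoke topology above, written out as an added Terraform example (not code from this guide): one Transit Gateway with its default route table disabled and two route domains, so every application spoke can reach a shared-services VPC but spokes cannot reach each other through the hub. The `shared` and `spokes` inputs, the resource names and the 64512 ASN are assumptions; the VPCs, subnets and route tables are taken to already exist.

```hcl
# Assumed inputs (hypothetical shapes): a shared-services VPC and N application VPCs.
variable "shared" {
  type = object({ vpc_id = string, subnet_ids = list(string), route_table_id = string, cidr = string })
}

variable "spokes" {
  type = map(object({ vpc_id = string, subnet_ids = list(string), route_table_id = string, cidr = string }))
}

resource "aws_ec2_transit_gateway" "hub" {
  description     = "hub-and-spoke"
  amazon_side_asn = 64512 # assumption
  # Disable the default table: a new attachment gets no reachability until it is granted below.
  default_route_table_association = "disable"
  default_route_table_propagation = "disable"
  tags = { Name = "tgw-hub" }
}

resource "aws_ec2_transit_gateway_vpc_attachment" "shared" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  vpc_id             = var.shared.vpc_id
  subnet_ids         = var.shared.subnet_ids # one subnet per AZ
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
}

resource "aws_ec2_transit_gateway_vpc_attachment" "spoke" {
  for_each           = var.spokes
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  vpc_id             = each.value.vpc_id
  subnet_ids         = each.value.subnet_ids
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
}

# Route domain 1: what spokes may reach (only shared services).
resource "aws_ec2_transit_gateway_route_table" "spokes" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
}

# Route domain 2: what shared services may reach (every spoke).
resource "aws_ec2_transit_gateway_route_table" "shared" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
}

resource "aws_ec2_transit_gateway_route_table_association" "spoke" {
  for_each                       = aws_ec2_transit_gateway_vpc_attachment.spoke
  transit_gateway_attachment_id  = each.value.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spokes.id
}

resource "aws_ec2_transit_gateway_route_table_association" "shared" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.shared.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.shared.id
}

# Spokes learn only the shared CIDR. Spoke CIDRs are never propagated into the
# "spokes" table, so spoke-to-spoke traffic has no route at the hub and is dropped.
resource "aws_ec2_transit_gateway_route_table_propagation" "shared_to_spokes" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.shared.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spokes.id
}

resource "aws_ec2_transit_gateway_route_table_propagation" "spokes_to_shared" {
  for_each                       = aws_ec2_transit_gateway_vpc_attachment.spoke
  transit_gateway_attachment_id  = each.value.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.shared.id
}

# VPC-side routes: the hub only sees traffic that each VPC's route table sends to it.
resource "aws_route" "spoke_to_shared" {
  for_each               = var.spokes
  route_table_id         = each.value.route_table_id
  destination_cidr_block = var.shared.cidr
  transit_gateway_id     = aws_ec2_transit_gateway.hub.id
  depends_on             = [aws_ec2_transit_gateway_vpc_attachment.spoke]
}

resource "aws_route" "shared_to_spoke" {
  for_each               = var.spokes
  route_table_id         = var.shared.route_table_id
  destination_cidr_block = each.value.cidr
  transit_gateway_id     = aws_ec2_transit_gateway.hub.id
  depends_on             = [aws_ec2_transit_gateway_vpc_attachment.shared]
}
```

After `terraform apply`, the `spokes` route table contains only the shared-services prefix; a later on-premises attachment (VPN or Direct Connect gateway) has to be associated with a table and its propagations chosen explicitly, instead of inheriting any-to-any reachability from the default table.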

Definition-Example Pairs

  • Term: VPC Peering

    • Definition: A networking connection between two VPCs that enables you to route traffic between them using private IPv4/IPv6 addresses.
    • Example: A company has a "Shared Services" VPC containing monitoring tools. They peer it with a "Production" VPC so the monitoring tools can access production servers privately.
  • Term: AWS Direct Connect Hosted Connection

    • Definition: A connection where a network partner carves out a portion of their own Direct Connect capacity for a customer.
    • Example: A small startup needs 200 Mbps of dedicated speed but doesn't want to pay for a full 1 Gbps physical line. They order a hosted connection from a provider like Equinix.
  • Term: Customer Gateway (CGW)

    • Definition: An AWS resource that provides information to AWS about your customer gateway device (its public IP address and, for dynamic routing, its BGP ASN).
    • Example: When setting up a VPN, you create a CGW in the AWS Console and provide the Public IP address of your physical Cisco or Juniper office router.

Worked Examples

Scenario 1: High Latency Sensitivity

Problem: A financial services firm needs to migrate large datasets between on-premises and AWS daily. They find that VPN speeds are inconsistent during business hours.

Solution:

  1. Analyze requirements: High throughput and consistent latency are key.
  2. Recommendation: AWS Direct Connect (Dedicated).
  3. Implementation: Order a 10 Gbps dedicated connection at a Direct Connect location, then create a Private Virtual Interface (VIF) to the target VPC's VGW (or to a Direct Connect gateway if several VPCs need the link). This keeps the traffic off the public internet and provides a predictable 10 Gbps path. Two caveats: a single DX circuit is a single point of failure, so order a second connection (ideally at a second location) or keep a Site-to-Site VPN as a backup path; and DX is a private link, not an encrypted one, so enable MACsec on the port or run IPsec over the private VIF if the data must be encrypted in transit.

Scenario 2: Rapid Disaster Recovery Setup

Problem: An application team needs a backup connection to AWS within 24 hours in case their primary circuit fails.

Solution:

  1. Analyze requirements: Speed of deployment is more critical than high bandwidth.
  2. Recommendation: AWS Site-to-Site VPN.
  3. Implementation: Create a VGW and attach it to the VPC; create a CGW with the office's static public IP; create the Site-to-Site VPN connection between the VGW and the CGW, which provisions two IPsec tunnels; download the vendor-specific configuration file for the on-prem router and apply it; then add the office prefix as a static route (or enable BGP) and propagate VGW routes into the VPC route tables so instances have a return path. Treat the downloaded file as a secret: it embeds the tunnel pre-shared keys. The tunnels come up over the existing internet connection.
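The steps of Scenario 2 as one Terraform configuration, added here as an example rather than taken from the guide: it creates the CGW, the VGW, the Site-to-Site VPN connection with both tunnels pinned to IKEv2 and a single AES-256-GCM / SHA2-384 / DH group 20 suite, a static route for the office prefix, and route propagation into the VPC's private route table. The region, variable names, tags and ASN are assumptions; the VPC, its route table and the office's static public IP are assumed to exist.

```hcl
provider "aws" {
  region = "eu-west-1" # assumption
}

# Assumed inputs: the existing VPC, its private route table, and the office WAN side.
variable "vpc_id"           { type = string }
variable "vpc_cidr"         { type = string } # e.g. 10.20.0.0/16
variable "route_table_id"   { type = string }
variable "office_public_ip" { type = string } # static public IP of the CGW device
variable "office_cidr"      { type = string } # e.g. 192.168.0.0/16

# One PSK per tunnel. Pass via TF_VAR_tunnel_psks or a secrets store; never hard-code.
# AWS accepts 8-64 characters from [A-Za-z0-9._] and rejects a leading zero.
variable "tunnel_psks" {
  type      = list(string)
  sensitive = true
  validation {
    condition = length(var.tunnel_psks) == 2 && alltrue([
      for k in var.tunnel_psks : can(regex("^[A-Za-z1-9._][A-Za-z0-9._]{7,63}$", k))
    ])
    error_message = "Exactly two PSKs, 8-64 chars from [A-Za-z0-9._], not starting with 0."
  }
}

# CGW resource: describes the office router to AWS. bgp_asn is required even with static routes.
resource "aws_customer_gateway" "office" {
  bgp_asn    = 65000 # assumption
  ip_address = var.office_public_ip
  type       = "ipsec.1"
  tags       = { Name = "office-cgw" }
}

# VGW: the AWS-side endpoint, attached to the VPC.
resource "aws_vpn_gateway" "vgw" {
  vpc_id = var.vpc_id
  tags   = { Name = "dr-vgw" }
}

resource "aws_vpn_connection" "office" {
  vpn_gateway_id      = aws_vpn_gateway.vgw.id
  customer_gateway_id = aws_customer_gateway.office.id
  type                = "ipsec.1"
  static_routes_only  = true

  # Narrow the traffic selectors to the two networks that should talk.
  local_ipv4_network_cidr  = var.vpc_cidr
  remote_ipv4_network_cidr = var.office_cidr

  tunnel1_preshared_key = var.tunnel_psks[0]
  tunnel2_preshared_key = var.tunnel_psks[1]

  # Pin IKEv2 and one strong suite on both tunnels. Left unset, AWS negotiates from
  # a default list that still includes IKEv1, SHA1 and DH group 2.
  tunnel1_ike_versions                 = ["ikev2"]
  tunnel1_phase1_encryption_algorithms = ["AES256-GCM-16"]
  tunnel1_phase1_integrity_algorithms  = ["SHA2-384"]
  tunnel1_phase1_dh_group_numbers      = [20]
  tunnel1_phase2_encryption_algorithms = ["AES256-GCM-16"]
  tunnel1_phase2_integrity_algorithms  = ["SHA2-384"]
  tunnel1_phase2_dh_group_numbers      = [20]
  tunnel1_dpd_timeout_action           = "restart"

  tunnel2_ike_versions                 = ["ikev2"]
  tunnel2_phase1_encryption_algorithms = ["AES256-GCM-16"]
  tunnel2_phase1_integrity_algorithms  = ["SHA2-384"]
  tunnel2_phase1_dh_group_numbers      = [20]
  tunnel2_phase2_encryption_algorithms = ["AES256-GCM-16"]
  tunnel2_phase2_integrity_algorithms  = ["SHA2-384"]
  tunnel2_phase2_dh_group_numbers      = [20]
  tunnel2_dpd_timeout_action           = "restart"

  tags = { Name = "office-dr-vpn" }
}

# Static route for the office prefix over the VPN, plus propagation into the VPC
# route table so instances get a return path without hand-written routes.
resource "aws_vpn_connection_route" "office" {
  destination_cidr_block = var.office_cidr
  vpn_connection_id      = aws_vpn_connection.office.id
}

resource "aws_vpn_gateway_route_propagation" "private" {
  vpn_gateway_id = aws_vpn_gateway.vgw.id
  route_table_id = var.route_table_id
}

# AWS-side tunnel endpoints for the router; the full vendor config embeds the PSKs.
output "tunnel_outside_addresses" {
  value = [aws_vpn_connection.office.tunnel1_address, aws_vpn_connection.office.tunnel2_address]
}

output "customer_gateway_configuration" {
  value     = aws_vpn_connection.office.customer_gateway_configuration
  sensitive = true
}
```

`customer_gateway_configuration` is the same file the console offers for download; it is marked sensitive because it contains the pre-shared keys, so fetch it with `terraform output -raw customer_gateway_configuration` only on the host that will configure the router. Dropping the `tunnel*_` options still brings the tunnels up, but the AWS side will then also accept IKEv1, SHA1 and DH group 2 from the peer.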

Checkpoint Questions

  1. Can you peer two VPCs that have the CIDR block 10.0.0.0/16? (Answer: No, CIDR blocks must not overlap).
  2. Which service should you use to connect 50 different VPCs to a single on-premises data center without creating 50 individual VPN tunnels? (Answer: AWS Transit Gateway).
  3. True or False: A Direct Connect Hosted Connection can provide speeds of up to 100 Gbps. (Answer: False; 100 Gbps is typically reserved for Dedicated connections).
  4. What is the main advantage of using AWS Global Accelerator with a Site-to-Site VPN? (Answer: It reduces latency and jitter by routing traffic over the AWS global network rather than the congested public internet).
