
Mastering Network Bandwidth Allocation: VPN vs. Direct Connect

Selecting the appropriate bandwidth allocation for a network device (for example, a single VPN compared with multiple VPNs, Direct Connect speed)


Determining the right bandwidth for cloud-to-on-premises connectivity is a critical task for a Solutions Architect. This guide covers the selection criteria for AWS VPN and AWS Direct Connect (DX), focusing on throughput limits, scaling strategies, and performance characteristics.

Learning Objectives

After studying this guide, you should be able to:

  • Identify the maximum throughput limits for a single Site-to-Site VPN tunnel.
  • Differentiate between dedicated and hosted Direct Connect connections.
  • Explain how to scale bandwidth using multiple VPN connections (ECMP).
  • Select the appropriate connectivity method based on data volume, latency requirements, and cost.

Key Terms & Glossary

  • Virtual Private Gateway (VPG): The VPN concentrator on the Amazon side of the Site-to-Site VPN connection.
  • Customer Gateway (CGW): A physical device or software application on your side of the Site-to-Site VPN connection.
  • Direct Connect (DX): A cloud service solution that establishes a dedicated network connection from your premises to AWS, bypassing the public internet.
  • LOA-CFA: Letter of Authorization - Connecting Facility Assignment; the document required to establish a physical cross-connect in a DX location.
  • BGP (Border Gateway Protocol): The routing protocol used to exchange routing information between your network and AWS.

The "Big Idea"

Network connectivity is a trade-off between Consistency and Cost. While a VPN is quick to deploy and utilizes the existing internet, its performance is subject to the "weather" of the public web. Direct Connect provides a "private lane" on the highway, ensuring that latency stays low and throughput stays high, which is essential for heavy data migrations or real-time application synchronization.

Formula / Concept Box

Connection Type      | Bandwidth / Throughput     | Typical Use Case
Single VPN Tunnel    | Up to 1.25 Gbps            | Small workloads, encryption-heavy requirements, backup paths.
Multiple VPNs (ECMP) | n × 1.25 Gbps              | Aggregating bandwidth across multiple tunnels using Transit Gateway.
Hosted DX            | 50 Mbps to 10 Gbps         | Sub-1 Gbps requirements or rapid provisioning through partners.
Dedicated DX         | 1 Gbps, 10 Gbps, 100 Gbps  | Enterprise-grade, massive data transfers, high-frequency trading.

Hierarchical Outline

  1. AWS Site-to-Site VPN
    • Architecture: Connects VPC to On-premises via IPsec tunnels.
    • Bandwidth: Each tunnel supports 1.25 Gbps maximum.
    • AWS VPN CloudHub: Hub-and-spoke model for connecting multiple sites to one VPC.
  2. AWS Direct Connect (DX)
    • Dedicated Connections: Physical 1, 10, or 100 Gbps ports associated with a single customer.
    • Hosted Connections: Provisioned by an AWS Direct Connect Partner; available in sub-1 Gbps increments.
    • Direct Connect Gateway: Allows a single DX connection to access multiple VPCs across different Regions.
  3. Selection Criteria
    • Latency: DX offers consistent, low latency; VPN latency fluctuates with internet traffic.
    • Security: Both offer security, but VPN provides IPsec encryption by default; DX is a private circuit (encryption must be added at the application layer or via VPN-over-DX).

Visual Anchors

Network Path Comparison (diagram not reproduced here)

Direct Connect Provisioning Workflow

\begin{tikzpicture}[node distance=2cm, every node/.style={rectangle, draw, fill=blue!10, text width=3cm, align=center, rounded corners}]
  \node (step1) {1. Request Connection (Port Speed/Loc)};
  \node (step2) [below of=step1] {2. Download LOA-CFA Document};
  \node (step3) [below of=step2] {3. Create Virtual Interfaces (VIF)};
  \node (step4) [below of=step3] {4. Download Router Config};
  \draw [->, thick] (step1) -- (step2);
  \draw [->, thick] (step2) -- (step3);
  \draw [->, thick] (step3) -- (step4);
\end{tikzpicture}

Definition-Example Pairs

  • Transit Gateway (TGW) with ECMP: Using Equal-Cost Multi-Path routing to load balance traffic across multiple VPN tunnels.
    • Example: A company needs 4 Gbps of throughput but cannot wait for a Direct Connect installation. They set up 4 VPN tunnels to a Transit Gateway, achieving aggregate bandwidth exceeding the single-tunnel 1.25 Gbps limit.
  • Hosted Connection: A Direct Connect connection where a partner allocates a portion of their capacity to you.
    • Example: A startup only needs 200 Mbps for their database sync. They contact an APN Partner to provision a 200 Mbps hosted connection rather than paying for a full 1 Gbps dedicated port.

Worked Examples

Scenario: Large-Scale Migration

The Problem: A corporation needs to migrate 500 TB of data to AWS within 30 days. Their current internet connection is 1 Gbps, but it is heavily used for office traffic.

The Calculation:

  1. VPN Approach: $1.25\text{ Gbps (max)} \approx 13.5\text{ TB/day}$ (theoretical maximum). $500 / 13.5 \approx 37\text{ days}$. This is too slow and will fluctuate based on internet usage.
  2. Direct Connect Approach: A 10 Gbps DX connection gives $\approx 108\text{ TB/day}$. $500 / 108 \approx 4.6\text{ days}$.

The Solution: Recommend AWS Direct Connect (10 Gbps) to ensure the migration finishes well within the 30-day window with consistent performance.
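The migration arithmetic above, generalized into a small sizing helper that also applies the page's encryption caveat (DX is private but not encrypted, so IPsec over DX still rides 1.25 Gbps VPN tunnels). This is an added example, not code from the study guide or from AWS; it assumes decimal units (1 TB = 1000 GB) and a link running at line rate with no protocol overhead.

```python
from math import ceil

# Figures from the study guide: a Site-to-Site VPN tunnel tops out at 1.25 Gbps,
# hosted DX is sold from 50 Mbps to 10 Gbps, dedicated DX ports are 1/10/100 Gbps.
VPN_TUNNEL_GBPS = 1.25
HOSTED_DX_MAX_GBPS = 10
DEDICATED_DX_GBPS = (1, 10, 100)
SECONDS_PER_DAY = 86_400


def tb_per_day(gbps):
    """Line-rate volume per day in decimal TB (1 TB = 1000 GB), ignoring overhead."""
    return gbps * SECONDS_PER_DAY / 8 / 1000


def days_to_transfer(tb, gbps):
    """Days needed to move `tb` terabytes at a sustained rate of `gbps`."""
    return tb / tb_per_day(gbps)


def required_gbps(tb, deadline_days):
    """Sustained throughput needed to finish `tb` within `deadline_days`."""
    return tb * 8 * 1000 / (deadline_days * SECONDS_PER_DAY)


def plan(tb, deadline_days, encrypt_in_transit):
    """Sizing options for one migration (assumed helper, not an AWS API).
    If encryption in transit is required, the data rides IPsec tunnels whether
    over the internet or over DX, so usable rate is tunnels x 1.25 Gbps."""
    need = required_gbps(tb, deadline_days)
    tunnels = ceil(need / VPN_TUNNEL_GBPS)          # ECMP tunnels on a Transit Gateway
    dedicated = next((p for p in DEDICATED_DX_GBPS if p >= need), None)
    out = {
        "required_gbps": round(need, 3),
        "vpn_ecmp_tunnels": tunnels,
        "hosted_dx_fits": need <= HOSTED_DX_MAX_GBPS,
        "dedicated_dx_port_gbps": dedicated,         # None: exceeds 100 Gbps, split it
    }
    if encrypt_in_transit and dedicated is not None:
        # A 10 Gbps port with a single VPN-over-DX tunnel still delivers at most
        # 1.25 Gbps; you need the same tunnel count as the internet VPN design.
        out["vpn_over_dx_tunnels"] = tunnels
    return out


if __name__ == "__main__":
    print(round(days_to_transfer(500, 1.25), 1), "days over one VPN tunnel")
    print(round(days_to_transfer(500, 10), 1), "days over 10 Gbps DX")
    print(plan(500, 30, encrypt_in_transit=True))
```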

Checkpoint Questions

  1. What is the maximum throughput of a single AWS Site-to-Site VPN tunnel?
  2. If you require a Direct Connect speed of 500 Mbps, how must you order it?
  3. Which document must you provide to your data center provider to authorize the physical cross-connect for Direct Connect?
  4. True or False: Direct Connect inherently provides IPsec encryption for data in transit.
Answers
  1. 1.25 Gbps.
  2. Through a registered AWS Direct Connect Partner (Hosted Connection).
  3. The Letter of Authorization - Connecting Facility Assignment (LOA-CFA).
  4. False. Direct Connect is a private connection, but it is not encrypted by default. You must use VPN-over-DX (IPsec) or application-level encryption.

Muddy Points & Cross-Refs

  • VPN over Direct Connect: A common source of confusion. This is used when you want the consistency of DX but the encryption of VPN. Note that the throughput will be limited by the VPN overhead (1.25 Gbps per tunnel).
  • BGP ASN: Ensure your on-premises ASN does not conflict with the AWS side. For CloudHub, each site needs a unique BGP ASN.
