Hybrid Connectivity Strategies: On-Premises to AWS Integration

Learning Objectives

After studying this guide, you should be able to:

• Compare and Contrast AWS Site-to-Site VPN and AWS Direct Connect (DX) based on cost, performance, and reliability.
• Design Architectures for maximum resiliency using multiple DX locations and redundant regions.
• Evaluate Routing Strategies including BGP propagation and static routing through Transit Gateway (TGW).
• Analyze Cost Factors including port hours, connection hours, and Data Transfer Out (DTO) variables.
• Implement Private Access to AWS services from on-premises using VPC Interface Endpoints.

Key Terms & Glossary

• CGW (Customer Gateway): A physical or software appliance on the customer side of a VPN connection.
• VGW (Virtual Private Gateway): The VPN concentrator on the AWS side of a Site-to-Site VPN connection.
• DX (Direct Connect): A dedicated network connection from on-premises to AWS that bypasses the public internet.
• TGW (Transit Gateway): A network transit hub used to interconnect VPCs and on-premises networks.
• BGP (Border Gateway Protocol): The standard routing protocol used to exchange routing information over the internet and hybrid connections.
• DTO (Data Transfer Out): Charges for data moving from AWS to the internet or on-premises environments.

The "Big Idea"

Connecting an on-premises data center to the cloud is not a "one size fits all" task. It requires a strategic balance between speed of implementation (VPN), consistent performance (Direct Connect), and business continuity (Redundancy). The ultimate goal for a Solutions Architect is to minimize latency and cost while maximizing the resilience of the data path against physical and logical failures.

Formula / Concept Box

[!NOTE] DTO Cost Advantage: Data Transfer Out (DTO) over Direct Connect is significantly cheaper than over VPN/Internet, making DX the preferred choice for high-volume data migrations.

Hierarchical Outline

• I. Connectivity Modalities
  • A. AWS Managed VPN
    • Quickest to deploy over existing internet.
    • Supports IPsec tunnels.
    • Recommended: 2 CGWs for redundancy on-premises.
  • B. AWS Direct Connect (DX)
    • Dedicated Connections: Physical 1Gbps, 10Gbps, or 100Gbps ports.
    • Hosted Connections: Sub-1Gbps speeds provided by AWS Partners.
• II. High Availability & Resiliency
  • A. Resilience Levels
    • Standard: One DX connection, VPN backup.
    • High: Two DX connections in two different locations.
    • Maximum: Four connections (2 per region, 2 regions, distinct devices).
• III. Routing & Traffic Flow
  • A. BGP Propagation
    • Dynamic routing between TGW/VGW and on-premises.
  • B. Static Routing
    • Manual entries in VPC route tables; often required for VPC-to-TGW traffic.
  • C. VPC Endpoints
    • Interface Endpoints (ENIs): Privately access services (S3, DynamoDB) from on-prem without a NAT gateway.

Visual Anchors

Connectivity Decision Flow

Maximum Resiliency Architecture

Definition-Example Pairs

• Transitive Routing: The ability for traffic to pass through one network to get to another.
  • Example: Using a Transit Gateway so that an on-premises network can reach VPC B by passing through the connection to VPC A.
• Hybrid DNS Resolver: A service that allows on-premises systems to resolve AWS resource names and vice versa.
  • Example: An on-prem server querying database.aws.internal via Route 53 Resolver Endpoints.
• LAG (Link Aggregation Group): Treating multiple physical DX connections as a single logical connection.
  • Example: Bundling two 10Gbps DX ports to achieve 20Gbps of aggregate bandwidth.

Worked Examples

Example 1: The Cost-Conscious Startup

• Scenario: A startup needs to sync 50GB of logs weekly to S3 from their office. Setup speed is critical.
• Solution: Implement AWS Managed Site-to-Site VPN.
• Reasoning: Since the volume is low (50GB), the higher DTO cost of VPN is offset by the lack of a DX port fee. The public internet provides sufficient performance for non-real-time log syncing.

Example 2: The High-Compliance Financial Firm

• Scenario: A bank requires a sub-10ms latency for database replication between their co-location facility and AWS US-East-1.
• Solution: AWS Direct Connect with a dedicated 10Gbps port and a VPN backup.
• Reasoning: DX provides the sub-10ms consistency required for synchronous replication. The VPN acts as a cost-effective failover if the DX fiber is cut.

Checkpoint Questions

1. What is the primary cost benefit of using Direct Connect over a VPN for large-scale data transfers?
2. In a maximum resiliency setup, how many DX locations and regions should be used?
3. Why would a company use VPC Interface Endpoints for on-premises connectivity?
4. Does AWS charge for data sent into AWS from on-premises over Direct Connect?
5. What protocol is used to automatically advertise routes between a Transit Gateway and an on-premises router?

Muddy Points & Cross-Refs

• Overlapping IPs: Transit Gateway cannot route between VPCs with overlapping CIDR blocks.
  • Study Pointer: Look up Private NAT Gateway or IPv6 transition strategies to solve this.
• Bilateral Propagation: Remember that while routes propagate from VPCs to the TGW automatically, you must manually add a static route in your VPC route table to point return traffic to the TGW.
• DX Location vs. AWS Region: A DX location is a third-party data center (like Equinix). It is physical infrastructure outside of the AWS Region itself.

Comparison Tables

Resiliency Tiers for Direct Connect