Amazon Virtual Private Cloud Connectivity Options

Sections

Overview

This summary is based on the January 2018 revision of the Amazon Virtual Private Cloud Connectivity Options whitepaper. The whitepaper describes the network connectivity options available for Amazon Virtual Private Cloud (VPC) on AWS, including integrating remote customer networks with VPCs and joining multiple VPCs into one connected virtual network.

An important theme for every option in this whitepaper is that the networks being connected, whether remote-to-remote, remote-to-VPC, or VPC-to-VPC, must not have overlapping IP ranges. Some options will fail outright if the two networks being connected overlap, and the rest will silently produce ambiguous routing, so check CIDRs before building any of them.

Network-to-Amazon VPC Connectivity Options

These options are useful for integrating AWS resources with existing on-premises services, applications, and servers. They also allow internal users to connect to AWS-hosted resources just as they would to any other on-premises resource.

Option Comparison

Below is a comparison chart summarizing each option, including their advantages and disadvantages. Each option is explained in greater detail in subsequent sections.

| Option | Description | Advantages | Disadvantages |
| --- | --- | --- | --- |
| AWS Managed VPN | AWS-managed IPsec VPN connection over the Internet | Easy to set up; reuse existing VPN equipment; multi-site redundancy and failover (AWS side) | Latency and availability depend on Internet conditions |
| AWS Direct Connect | Dedicated, private connection to AWS | Consistent network experience of up to 10 Gbps | Complicated, lengthy process to set up |
| Direct Connect + VPN | Dedicated, private, IPsec VPN connection to AWS | Same as above + secure IPsec VPN connection | Same as above + VPN setup complexity |
| AWS VPN CloudHub | Connect remote networks in a hub-and-spoke model | Same as AWS Managed VPN | Same as AWS Managed VPN |
| Software VPN | Software appliance-based VPN connection over the Internet | Customer has full control of both sides of the VPN connection; wide selection of VPN vendors, products, and protocols | Customer has full responsibility for the VPN connection: implementing high availability, appliance setup and configuration, EC2 instance patching and security |
| Transit VPC | Software appliance-based VPN connection with a hub VPC | Same as above; simplified network management of multiple VPCs and remote networks | Same as above |

AWS Managed VPN

This option is used to establish an IPsec VPN connection between on-premises networks and a VPC over the Internet. The diagram below shows what this architecture looks like.

AWSVPN

How It Works

1. Virtual Private Gateway

  • The virtual private gateway is the VPN concentrator on the AWS side of the VPN connection and is created by the customer
  • It is attached to the VPC that is to be connected to by on-premises networks

2. Customer Gateway

  • The customer gateway is an AWS resource representing the VPN device on the on-premises side of the VPN connection
  • When creating it, the customer provides AWS with information about that device, such as its Internet-routable IP address and, for dynamic routing, its BGP ASN

3. Start Connection

  • To bring up the tunnel for the VPN connection, the customer needs to generate some traffic and initiate the Internet Key Exchange (IKE) negotiation process
    • By default, the customer starts the IKE negotiation process, but this setting can be changed to allow AWS to initiate it instead

The virtual private gateway has built-in multi-data center redundancy and failover to ensure availability of the VPN connection: each VPN connection terminates on two AWS endpoints, so it consists of two tunnels. It is recommended that the customer create multiple customer gateways (and therefore multiple VPN connections) to get the same availability on their side of the connection.

Both dynamic (BGP peering) and static routing options are provided, giving the customer flexibility in their routing configuration. With static routing the customer must list the remote prefixes explicitly; with BGP the customer gateway advertises them, and failover between tunnels happens automatically.

AWS Direct Connect

Direct Connect establishes a dedicated, private connection from an on-premises network to a VPC (and other AWS services) with speeds of up to 10 Gbps. This connection can reduce network costs, increase bandwidth throughput, and provide an overall more consistent network experience than Internet-based connections. The diagram below shows what this architecture can look like.

DirectConnect

The customer chooses from a selection of Direct Connect locations; the Direct Connect endpoint at that location is then linked to the customer's on-premises network. This can be done by the customer directly at the Direct Connect location, or the customer can partner with a WAN service provider to carry the connection from on-premises to the Direct Connect location.

How It Works

1. Connections

  • A connection is created at a Direct Connect location to establish a network connection from on-premises to an AWS region

2. Virtual Interfaces

  • Virtual interfaces are created on the connection to enable access to AWS services from on-premises networks; there are two types, described next

3. Private Virtual Interfaces

  • Access an Amazon VPC using private IP addresses

4. Public Virtual Interfaces

  • Access AWS services from on-premises networks using their public IP addresses, without traversing the public Internet

A Direct Connect Gateway can be used to enable an on-premises network to connect to multiple VPCs across different regions through Direct Connect. The image below displays an example of what that looks like.

DirectConnectGateway

AWS Direct Connect + VPN

This option combines the previous two options: an IPsec VPN is run over the Direct Connect connection so that traffic is encrypted end-to-end from the on-premises network to AWS. Direct Connect on its own is a private but unencrypted link, so the VPN is what provides confidentiality and integrity; the VPN tunnels run over a public virtual interface, since the virtual private gateway endpoints have public IP addresses.

DirectConnectVPN

AWS VPN CloudHub

VPN CloudHub is used for secure VPN connections between different on-premises sites in a hub-and-spoke model. It uses one virtual private gateway with multiple customer gateways, at least one per site. The diagram below displays a CloudHub architecture.

VPNCloudHub

Each customer gateway uses a unique BGP ASN and advertises its BGP prefixes over its VPN connection; the virtual private gateway re-advertises them to the other sites so that each site can send and receive data from every other site. This option can be combined with Direct Connect and other VPN options (such as multiple gateways per site for redundancy).
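As an added worked example (not code from the whitepaper or this summary), the following Python models the two preconditions a practitioner should verify before building a CloudHub: that every customer gateway has a unique BGP ASN, and that the VPC CIDR and every site prefix are non-overlapping, which is the requirement stated in the overview. It then lists the routes each spoke learns through the hub. The site names, ASNs and prefixes are constructed sample data, not values from the whitepaper.

```python
import ipaddress

# Constructed sample topology: one VPC whose virtual private gateway is the hub,
# and three customer gateways, one per on-premises site.
VPC_CIDR = "10.0.0.0/16"
SITES = {
    "nyc": {"asn": 65001, "prefixes": ["192.168.10.0/24"]},
    "lon": {"asn": 65002, "prefixes": ["192.168.20.0/24", "172.16.0.0/20"]},
    "syd": {"asn": 65003, "prefixes": ["192.168.30.0/24"]},
}


def find_overlaps(named_cidrs):
    """Return every overlapping pair as (name_a, cidr_a, name_b, cidr_b).

    strict=True makes ip_network raise on a prefix with host bits set
    (e.g. 10.0.1.5/24), which is itself a configuration error worth surfacing.
    """
    nets = [(name, ipaddress.ip_network(cidr, strict=True)) for name, cidr in named_cidrs]
    overlaps = []
    for i in range(len(nets)):
        for j in range(i + 1, len(nets)):
            (name_a, net_a), (name_b, net_b) = nets[i], nets[j]
            if net_a.overlaps(net_b):
                overlaps.append((name_a, str(net_a), name_b, str(net_b)))
    return overlaps


def validate_cloudhub(vpc_cidr, sites):
    """Return a list of error strings; an empty list means the topology is valid."""
    errors = []
    asn_owner = {}
    for name, site in sites.items():
        asn = site["asn"]
        if asn in asn_owner:
            errors.append(f"ASN {asn} reused by {asn_owner[asn]} and {name}")
        asn_owner.setdefault(asn, name)
    named = [("vpc", vpc_cidr)]
    named += [(name, prefix) for name, site in sites.items() for prefix in site["prefixes"]]
    for name_a, cidr_a, name_b, cidr_b in find_overlaps(named):
        errors.append(f"{name_a} {cidr_a} overlaps {name_b} {cidr_b}")
    return errors


def learned_routes(vpc_cidr, sites):
    """Routes each site learns from the hub: the VPC CIDR plus every other
    site's advertised prefixes, since the hub re-advertises spokes to each other."""
    table = {}
    for name in sites:
        routes = [vpc_cidr]
        for other, site in sites.items():
            if other != name:
                routes.extend(site["prefixes"])
        table[name] = sorted(routes)
    return table


if __name__ == "__main__":
    problems = validate_cloudhub(VPC_CIDR, SITES)
    print("errors:", problems or "none")
    for site, routes in learned_routes(VPC_CIDR, SITES).items():
        print(f"{site} learns {routes}")
```

Run the validation against the real inventory of prefixes before ordering customer gateways; an overlap between a site prefix and the VPC CIDR, or between two sites, is the failure the overview warns about and is much cheaper to fix on paper.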

Software VPN

This option allows the customer to fully manage both sides of VPC connectivity by creating a VPN connection between the on-premises network and a software VPN appliance running in the customer's VPC network. The image below shows this architecture.

SoftwareVPN

AWS partners, the AWS Marketplace, and open source communities all produce software VPN appliances that run on EC2. Note that this choice carries the most responsibility of all the options, including configuring, patching, and upgrading the EC2 instance. The EC2 instance is also a single point of failure in the network design.

Transit VPC

A transit VPC is a global network transit center on AWS that allows the customer to connect multiple, geographically dispersed VPCs and remote networks together. It builds on the Software VPN option. The image below shows an example of this architecture.

TransitVPC

This option greatly simplifies network management and minimizes the number of connections required to connect multiple VPCs and remote networks.

Amazon VPC-to-Amazon VPC Connectivity Options

These options are for integrating multiple VPCs into a larger network. This is useful for connecting AWS resources between VPCs or consolidating a global network of VPCs. These can be combined with the Network-to-Amazon VPC Connectivity Options to integrate remote networks with multiple VPCs.

Option Comparison

Below is a comparison chart summarizing each option, including their advantages and disadvantages. Each option is explained in greater detail in subsequent sections.

| Option | Description | Advantages | Disadvantages |
| --- | --- | --- | --- |
| VPC Peering | AWS-provided connectivity between two VPCs | Leverages AWS networking infrastructure; easy to set up; no reliance on VPN configuration or separate hardware | Does not support transitive peering |
| Software VPN | Software appliance-based VPN connections between VPCs | Same as its Network-to-VPC variant; leverages AWS networking equipment in-region and Internet links between regions | Same as its Network-to-VPC variant |
| Software-to-AWS Managed VPN | Same as above | Same as above + AWS managed endpoint benefits | Same as above |
| AWS Managed VPN | VPC-to-VPC routing using the customer's equipment over the Internet | Same as its Network-to-VPC variant | Same as its Network-to-VPC variant |
| AWS Direct Connect | VPC-to-VPC routing using the customer's equipment over a dedicated connection to AWS | Same as its Network-to-VPC variant | Same as its Network-to-VPC variant |
| AWS PrivateLink | AWS-provided connectivity between VPCs using interface endpoints | Leverages AWS networking infrastructure; no single point of failure | Endpoint services are only available in the region where they are created |

VPC Peering

A VPC Peering connection joins two VPCs so that they can route traffic to each other over private IP addresses as if they were in the same network. It is AWS' recommended method for connecting VPCs.

VPCPeering

AWS uses its existing VPC infrastructure to create the connection, so it introduces no new points of failure. Route tables, security groups, and network access control lists can all be used to control which subnets and instances are able to use the peering connection. Peering is not transitive: a VPC peered with two others does not relay traffic between them, so each pair of VPCs that must talk needs its own peering connection and its own routes in both directions.
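As an added example (not part of the whitepaper or this summary), the following Python simulates VPC route-table lookups across three peered VPCs to show the two things that most often go wrong with peering: expecting traffic to transit a middle VPC, and forgetting the return route on the far side. VPC names, CIDRs, peering IDs and route tables are constructed sample data.

```python
import ipaddress

# Constructed sample topology: peering A<->B and B<->C only; no A<->C peering.
VPCS = {"A": "10.1.0.0/16", "B": "10.2.0.0/16", "C": "10.3.0.0/16"}
PEERINGS = {"pcx-ab": ("A", "B"), "pcx-bc": ("B", "C")}

# One route table per VPC: destination CIDR -> target. The route in A for
# 10.3.0.0/16 via pcx-ab is the classic mistake of trying to reach C through B.
ROUTE_TABLES = {
    "A": {"10.1.0.0/16": "local", "10.2.0.0/16": "pcx-ab", "10.3.0.0/16": "pcx-ab"},
    "B": {"10.2.0.0/16": "local", "10.1.0.0/16": "pcx-ab", "10.3.0.0/16": "pcx-bc"},
    "C": {"10.3.0.0/16": "local", "10.2.0.0/16": "pcx-bc"},
}


def vpc_of(ip, vpcs=VPCS):
    """Name of the VPC whose CIDR contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in vpcs.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return None


def lookup(route_table, ip):
    """Longest-prefix-match route lookup, as a VPC route table performs it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, target in route_table.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def forward_hop(src_vpc, dst_ip, route_tables=ROUTE_TABLES, peerings=PEERINGS, vpcs=VPCS):
    """Return (delivered, reason) for one packet leaving src_vpc toward dst_ip."""
    target = lookup(route_tables[src_vpc], dst_ip)
    if target is None:
        return False, f"{src_vpc} has no route to {dst_ip}"
    if target == "local":
        return vpc_of(dst_ip, vpcs) == src_vpc, "local"
    a, b = peerings[target]
    peer = b if a == src_vpc else a if b == src_vpc else None
    if peer is None:
        return False, f"{target} is not attached to {src_vpc}"
    # A peering connection carries only traffic addressed to the peer VPC's own
    # CIDR; it never forwards on to a third VPC (no transitive peering).
    if vpc_of(dst_ip, vpcs) != peer:
        return False, f"{target} is not transitive: {dst_ip} is not in {peer}"
    return True, peer


def can_reach(src_ip, dst_ip, route_tables=ROUTE_TABLES, peerings=PEERINGS, vpcs=VPCS):
    """True only if the packet gets there and a reply can get back."""
    src, dst = vpc_of(src_ip, vpcs), vpc_of(dst_ip, vpcs)
    if src is None or dst is None:
        return False, "address outside every VPC"
    ok, why = forward_hop(src, dst_ip, route_tables, peerings, vpcs)
    if not ok:
        return False, f"forward: {why}"
    ok, why = forward_hop(dst, src_ip, route_tables, peerings, vpcs)
    if not ok:
        return False, f"return: {why}"
    return True, "ok"


if __name__ == "__main__":
    for s, d in (("10.1.0.10", "10.2.0.10"), ("10.1.0.10", "10.3.0.10"), ("10.3.0.10", "10.1.0.10")):
        print(s, "->", d, can_reach(s, d))
```

Security groups and network ACLs sit on top of this routing layer: even when `can_reach` says a path exists, a security group on the destination that does not allow the peer CIDR still blocks the flow, which is the intended way to keep a peering connection from exposing every subnet in a VPC.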

Software VPN

Similar to its network-to-VPC counterpart mentioned earlier, the customer can fully manage the VPN endpoints between VPCs using a software appliance. The only new addition is an Internet Gateway attached to each VPC to facilitate communication between them.

SoftwareVPN2

Software-to-AWS Managed VPN

This option is recommended when a customer wants to connect VPCs across multiple regions and take advantage of the AWS managed VPN endpoint. Its benefits include multi-data center redundancy and failover on the virtual private gateway side of the connection.

SoftwareVPN_AWSVPN

Note that while the virtual private gateway side is highly available, there is still a single point of failure on the software appliance.

AWS Managed VPN

It's possible to take advantage of multiple VPN connections to route traffic between multiple VPCs, as the diagram below displays.

AWSVPN2

This approach may be suboptimal, as traffic between VPCs must traverse the Internet and hairpin through the customer's on-premises VPN equipment. In exchange, the customer gets the availability of the AWS Managed VPN on both sides and flexibility in managing routing for their remote networks.

AWS Direct Connect

A customer can divide their physical Direct Connect connection into multiple logical connections (virtual interfaces), one for each VPC. The customer's on-premises router then routes between these logical connections, and therefore between VPCs, as shown in the diagram below.

DirectConnect2

This approach is recommended for customers already using Direct Connect, as they can reuse their existing connection to achieve reduced network costs, increased bandwidth throughput, and a consistent network experience across all of their VPCs.

AWS PrivateLink (VPC Endpoints)

An interface VPC endpoint enables connection to services powered by AWS PrivateLink. These include AWS services, hosted services by other AWS accounts, and AWS Marketplace partner services. All of the traffic through PrivateLink is kept within the AWS network. The diagram below shows an AWS account consuming services provided by another AWS account using a VPC endpoint.

PrivateLink

How It Works

1. VPC Endpoint

  • This is the entry point into the consumer's VPC that enables private connectivity to a service.

2. Endpoint Services

  • The applications and services in the provider's VPC
  • Other AWS principals create a VPC endpoint to connect to the service, but only within the same region

3. Endpoint Interface

  • An endpoint network interface is created in each subnet from which applications want to connect to the endpoint service
  • The interface is given a private IP address from the subnet's IP address range
  • Can be associated with security groups to control traffic flow to the interfaces

4. Network Load Balancer

  • The load balancer receives requests from consumers and routes them to endpoint services

This approach is recommended when a customer wants to securely consume services offered from another VPC. Connections are only ever initiated from the consumer side toward the provider's load balancer, so the provider gains no path into the consumer's VPC and the two VPCs do not need non-overlapping CIDRs or shared routes. Interface endpoints can also be reached from the customer's on-premises network via Direct Connect.

  • A list of all AWS services that integrate with PrivateLink is provided in the AWS PrivateLink Documentation
  • Note that endpoint services are only available to consumer VPCs if they are in the same region

Conclusion

There are a wide variety of ways to extend on-premises networks into AWS, join multiple VPC networks, or integrate both into a larger hybrid network. The options in this whitepaper should help any individual or organization determine the most appropriate method to run their business regardless of its physical location.

References