Amazon Virtual Private Cloud Connectivity Options
AWS Whitepaper

Network-to-Amazon VPC Connectivity Options

This section provides design patterns for you to connect remote networks with your Amazon VPC environment. These options are useful for integrating AWS resources with your existing on-site services (for example, monitoring, authentication, security, data or other systems) by extending your internal networks into the AWS Cloud. This network extension also allows your internal users to seamlessly connect to resources hosted on AWS just like any other internally facing resource.

VPC connectivity to remote customer networks is best achieved when using non-overlapping IP ranges for each network being connected. For example, if you’d like to connect one or more VPCs to your home network, make sure they are configured with unique Classless Inter-Domain Routing (CIDR) ranges. We advise allocating a single, contiguous, non-overlapping CIDR block to be used by each VPC. For additional information about Amazon VPC routing and constraints, see the Amazon VPC Frequently Asked Questions.
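The overlap check described above, as an added example that is not part of the whitepaper: it flags any pair of networks whose CIDR blocks overlap and picks the next free block for a new VPC. The network names and ranges are constructed sample values, not taken from the document.

```python
from ipaddress import ip_network
from itertools import combinations

# Constructed sample: one on-premises network plus three VPC CIDRs.
# Names and ranges are assumptions for this example, not from the whitepaper.
NETWORKS = {
    "on-prem": "10.0.0.0/16",
    "vpc-prod": "10.1.0.0/16",
    "vpc-dev": "10.2.0.0/16",
    "vpc-legacy": "10.0.128.0/17",  # deliberately overlaps on-prem
}


def find_overlaps(networks):
    """Return a sorted list of (name_a, name_b) pairs whose CIDR blocks overlap.

    Any overlap between a VPC and the remote network (or between VPCs reached
    through the same gateway) makes routing ambiguous, so every connectivity
    option in this section assumes this list is empty.
    """
    parsed = {name: ip_network(cidr, strict=True) for name, cidr in networks.items()}
    overlaps = []
    for (a, net_a), (b, net_b) in combinations(sorted(parsed.items()), 2):
        if net_a.overlaps(net_b):
            overlaps.append((a, b))
    return overlaps


def next_free_block(networks, prefixlen=16, supernet="10.0.0.0/8"):
    """Return the first /prefixlen block inside supernet that overlaps nothing.

    Used to allocate a single, contiguous, non-overlapping CIDR for a new VPC.
    Returns None when the supernet is exhausted.
    """
    used = [ip_network(cidr) for cidr in networks.values()]
    for candidate in ip_network(supernet).subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(u) for u in used):
            return str(candidate)
    return None


if __name__ == "__main__":
    for a, b in find_overlaps(NETWORKS):
        print(f"overlap: {a} ({NETWORKS[a]}) and {b} ({NETWORKS[b]})")
    print("next free /16 for a new VPC:", next_free_block(NETWORKS))
```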

| Option | Use case | Advantages | Limitations |
|---|---|---|---|
| AWS Managed VPN | AWS managed IPsec VPN connection over the internet | Reuse existing VPN equipment and processes; reuse existing internet connections; AWS managed endpoint includes multi-data center redundancy and automated failover; supports static routes or dynamic Border Gateway Protocol (BGP) peering and routing policies | Network latency, variability, and availability are dependent on internet conditions; customer managed endpoint is responsible for implementing redundancy and failover (if required); customer device must support single-hop BGP (when leveraging BGP for dynamic routing) |
| AWS Direct Connect | Dedicated network connection over private lines | More predictable network performance; reduced bandwidth costs; 1 or 10 Gbps provisioned connections; supports BGP peering and routing policies | May require additional telecom and hosting provider relationships or new network circuits to be provisioned |
| AWS Direct Connect Plus VPN | IPsec VPN connection over private lines | Same as the previous option, with the addition of a secure IPsec VPN connection | Same as the previous option, with a little additional VPN complexity |
| AWS VPN CloudHub | Connect remote branch offices in a hub-and-spoke model for primary or backup connectivity | Reuse existing internet connections and AWS VPN connections (for example, use AWS VPN CloudHub as backup connectivity to a third-party MPLS network); AWS managed virtual private gateway includes multi-data center redundancy and automated failover; supports BGP for exchanging routes and routing priorities (for example, prefer MPLS connections over backup AWS VPN connections) | Network latency, variability, and availability are dependent on the internet; user managed branch office endpoints are responsible for implementing redundancy and failover (if required) |
| Software VPN | Software appliance-based VPN connection over the internet | Supports a wider array of VPN vendors, products, and protocols; fully customer-managed solution | Customer is responsible for implementing HA (high availability) solutions for all VPN endpoints (if required) |
| Transit VPC | Software appliance-based VPN connection with hub VPC; AWS managed IPsec VPN connection for spoke VPC connection | Same as the previous option, with the addition of an AWS managed VPN connection between hub and spoke VPCs | Same as the previous option |