PERF04-BP03 Choose appropriate dedicated connectivity or VPN for your workload - Performance Efficiency Pillar


When hybrid connectivity is required to connect on-premises and cloud resources, provision adequate bandwidth to meet your performance requirements. Estimate the bandwidth and latency requirements for your hybrid workload. These numbers will drive your sizing requirements.

Common anti-patterns:

  • You only evaluate VPN solutions for your network encryption requirements.

  • You do not evaluate backup or redundant connectivity options.

  • You do not identify all workload requirements (encryption, protocol, bandwidth, and traffic needs).

Benefits of establishing this best practice: Selecting and configuring appropriate connectivity solutions will increase the reliability of your workload and maximize performance. By identifying workload requirements, planning ahead, and evaluating hybrid solutions, you can minimize expensive physical network changes and operational overhead while increasing your time-to-value.

Level of risk exposed if this best practice is not established: High

Implementation guidance

Develop a hybrid networking architecture based on your bandwidth requirements. AWS Direct Connect allows you to connect your on-premises network privately with AWS. It is suitable when you need high bandwidth and low latency with consistent performance. A VPN connection establishes a secure connection over the internet. It is used when only a temporary connection is required, when cost is a factor, or as a contingency while waiting for resilient physical network connectivity to be established when using AWS Direct Connect.

If your bandwidth requirements are high, you might consider multiple AWS Direct Connect connections or VPN connections. Traffic can be load balanced across connections of the same type, although we don't recommend load balancing between AWS Direct Connect and VPN because of the latency and bandwidth differences.

Implementation steps

  1. Estimate the bandwidth and latency requirements of your existing applications.

    1. For existing workloads that are moving to AWS, use the data from your internal network monitoring systems.

    2. For new or existing workloads for which you don't have monitoring data, consult with the product owners to determine the performance metrics needed to provide a good user experience.

  2. Select a dedicated connection or a VPN as your connectivity option. Based on all workload requirements (encryption, bandwidth, and traffic needs), you can choose AWS Direct Connect, AWS VPN, or both. The deterministic performance flowchart below can help you choose the appropriate connection type.

    1. AWS Direct Connect provides dedicated connectivity to the AWS environment, from 50 Mbps up to 100 Gbps, using either dedicated connections or hosted connections. This gives you managed and controlled latency and provisioned bandwidth so your workload can connect efficiently to other environments. Using AWS Direct Connect partners, you can have end-to-end connectivity from multiple environments, providing an extended network with consistent performance. AWS offers three ways to scale Direct Connect bandwidth: native 100 Gbps connections, link aggregation groups (LAG), or BGP equal-cost multipath (ECMP).

    2. AWS Site-to-Site VPN provides a managed VPN service supporting Internet Protocol Security (IPsec). Each Site-to-Site VPN connection includes two tunnels for high availability.

  3. Follow AWS documentation to choose an appropriate connectivity option:

    1. If you decide to use AWS Direct Connect, select the appropriate bandwidth for your connectivity.

    2. If you are using an AWS Site-to-Site VPN across multiple locations to connect to an AWS Region, use an accelerated Site-to-Site VPN connection for the opportunity to improve network performance.

    3. If your network design consists of an IPsec VPN connection over AWS Direct Connect, consider using Private IP VPN to improve security and achieve segmentation. AWS Site-to-Site Private IP VPN is deployed on top of a transit virtual interface (VIF).

    4. AWS Direct Connect SiteLink lets you create low-latency, redundant connections between your data centers worldwide by sending data over the fastest path between AWS Direct Connect locations, bypassing AWS Regions.

  4. Validate your connectivity setup before deploying to production. Perform security and performance testing to confirm that it meets your bandwidth, reliability, latency, and compliance requirements.

  5. Regularly monitor your connectivity performance and usage, and optimize when required.
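To make step 1 and the redundancy anti-pattern concrete, here is an added sizing example (not AWS tooling or code from this page): it takes constructed 5-minute throughput samples from an on-premises link, derives a design bandwidth from the 95th percentile with growth and headroom factors, and picks the smallest Direct Connect tier per link such that losing one connection in a LAG or ECMP group still carries the load. The port-speed tiers, the growth factor, and the headroom factor are assumptions to adjust for your environment.

```python
"""Hybrid link sizing from monitoring samples (constructed example, not AWS tooling)."""
import math

# Direct Connect port speeds in Mbps. Assumed tiers; verify against current AWS docs.
HOSTED_MBPS = [50, 100, 200, 300, 400, 500, 1_000, 2_000, 5_000, 10_000]
DEDICATED_MBPS = [1_000, 10_000, 100_000]

# Constructed 5-minute throughput samples (Mbps), 40 intervals: a steady daytime
# band, an evening batch window, and two short spikes.
SAMPLES_MBPS = (
    [210, 230, 250, 270, 280, 300, 310, 320, 330, 340,
     350, 360, 370, 380, 390, 400, 240, 260, 290, 315,
     335, 355, 375, 395, 220, 245, 265, 285, 305, 325]
    + [610, 640, 660, 700, 720, 750, 780, 820]   # batch window
    + [1500, 1900]                                # spikes, excluded by p95 on purpose
)

def p95(samples):
    """Nearest-rank 95th percentile: the burst level to design for, not the rare spike."""
    ordered = sorted(samples)
    rank = math.ceil(0.95 * len(ordered))        # 1-based rank
    return ordered[rank - 1]

def required_mbps(samples, growth=1.3, headroom=1.25):
    """Design bandwidth = p95 x planned growth x headroom for unmeasured bursts."""
    return p95(samples) * growth * headroom

def size_links(need_mbps, links, tiers):
    """Smallest tier such that, with ONE of `links` connections down (N+1 over
    LAG/ECMP), the survivors still carry need_mbps. None: no tier fits, add links."""
    survivors = max(links - 1, 1)
    for tier in tiers:
        if tier * survivors >= need_mbps:
            return tier
    return None

def recommend(samples, links=2):
    """Per-link tier for hosted and dedicated connections, given the link count."""
    need = required_mbps(samples)
    return {
        "need_mbps": math.ceil(need),
        "links": links,
        "hosted_mbps_per_link": size_links(need, links, HOSTED_MBPS),
        "dedicated_mbps_per_link": size_links(need, links, DEDICATED_MBPS),
    }

if __name__ == "__main__":
    for n in (2, 3):
        print(recommend(SAMPLES_MBPS, links=n))
```

With two links the sample data needs 2 Gbps hosted connections (or a jump to 10 Gbps dedicated), while three 1 Gbps links also satisfy N+1; comparing such layouts is where the cost and redundancy trade-off is made.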

[Figure: Deterministic performance flowchart. A flowchart that describes the options to consider when determining whether your networking needs deterministic performance.]
