Network-to-Amazon VPC connectivity options
This section provides design patterns for connecting remote networks with your Amazon VPC environment. These options are useful for integrating AWS resources with your existing on-site services (for example, monitoring, authentication, security, data or other systems) by extending your internal networks into the AWS Cloud. This network extension also allows your internal users to seamlessly connect to resources hosted on AWS just like any other internally facing resource.
VPC connectivity to remote customer networks is best achieved when
using non-overlapping IP ranges for each network being connected.
For example, if you’d like to connect one or more VPCs to your home
network, make sure they are configured with unique Classless
Inter-Domain Routing (CIDR) ranges. We recommend allocating a
single, contiguous, non-overlapping CIDR block to be used by each
VPC. For additional information about Amazon VPC routing and
constraints, see the
Amazon VPC
Frequently Asked Questions
| Option | Use Case | Advantages | Limitations |
|---|---|---|---|
| AWS managed IPsec VPN connection over the internet to individual VPC |
Reuse existing VPN equipment and processes Reuse existing internet connections AWS managed high availability VPN service Supports static routes or dynamic Border Gateway Protocol (BGP) peering and routing policies |
Network latency, variability, and availability are dependent on internet conditions Customer managed endpoint is responsible for implementing redundancy and failover (if required) Customer device must support single-hop BGP (when leveraging BGP for dynamic routing) |
|
|
AWS managed IPsec VPN connection over the internet to regional router for multiple VPCs |
Same as the previous option AWS managed high availability and scalability regional network hub for up to 5,000 attachments |
Same as the previous option |
|
|
Dedicated network connection over private lines |
More predictable network performance Reduced bandwidth costs Supports BGP peering and routing policies |
May require additional telecom and hosting provider relationships or new network circuits to be provisioned |
|
|
Dedicated network connection over private lines to regional router for multiple VPCs |
Same as the previous option AWS managed high availability and scalability regional network hub for up to 5,000 attachments |
Same as previous option |
|
|
IPsec VPN connection over private lines |
More predictable network performance Reduced bandwidth costs Supports BGP peering and routing policies on AWS Direct Connect Reuse existing VPN equipment and processes AWS managed high availability VPN service Supports static routes or dynamic Border Gateway Protocol (BGP) peering and routing policies on VPN connection |
May require additional telecom and hosting provider relationships or new network circuits to be provisioned Customer managed endpoint is responsible for implementing redundancy and failover (if required) Customer device must support single-hop BGP (when leveraging BGP for dynamic routing) |
|
| AWS Direct Connect + AWS Transit Gateway + VPN |
IPSec VPN connection over private lines to regional router for multiple VPCs |
Same as previous option AWS managed high availability and scalability regional network hub for up to 5,000 attachments |
Same as previous option |
|
Connect remote branch offices in a hub-and-spoke model for primary or backup connectivity |
Reuse existing internet connections and AWS VPN connections AWS managed high availability VPN service Supports BGP for exchanging routes and routing priorities |
Network latency, variability, and availability are dependent on the internet User managed branch office endpoints are responsible for implementing redundancy and failover (if required) |
|
|
Software appliance-based VPN connection over the internet |
Supports a wider array of VPN vendors, products, and protocols Fully customer-managed solution |
Customer is responsible for implementing HA (high availability) solutions for all VPN endpoints (if required) |
