Network-to-Amazon VPC connectivity options - Amazon Virtual Private Cloud Connectivity Options

Network-to-Amazon VPC connectivity options

This section provides design patterns for connecting remote networks with your Amazon VPC environment. These options are useful for integrating AWS resources with your existing on-site services (for example, monitoring, authentication, security, data or other systems) by extending your internal networks into the AWS Cloud. This network extension also allows your internal users to seamlessly connect to resources hosted on AWS just like any other internally facing resource.

VPC connectivity to remote customer networks is best achieved when using non-overlapping IP ranges for each network being connected. For example, if you’d like to connect one or more VPCs to your home network, make sure they are configured with unique Classless Inter-Domain Routing (CIDR) ranges. We recommend allocating a single, contiguous, non-overlapping CIDR block to be used by each VPC. For additional information about Amazon VPC routing and constraints, see the Amazon VPC Frequently Asked Questions.
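The non-overlapping CIDR requirement above is easy to get wrong once several VPCs and on-premises ranges are involved, so here is an added example (not part of the AWS whitepaper) of a small address-plan check written with Python's standard ipaddress module. The network names and CIDR blocks are constructed sample data; the /16 to /28 size limit applied to VPC blocks is an AWS VPC constraint that the page itself does not state.

```python
from ipaddress import ip_network
from itertools import combinations

# Constructed sample address plan (illustrative values, not from the whitepaper).
ON_PREM = {
    "on-prem-datacenter": "10.0.0.0/16",
    "on-prem-branch": "192.168.10.0/24",
}
VPCS = {
    "vpc-prod": "10.1.0.0/16",
    "vpc-dev": "10.0.128.0/20",     # collides with on-prem-datacenter
    "vpc-shared": "172.16.0.0/16",
    "vpc-legacy": "10.240.0.0/12",  # larger than AWS allows for a VPC
}

# AWS VPC primary CIDR blocks must be between /16 and /28 (known AWS limit,
# not stated on the page).
VPC_MIN_PREFIX, VPC_MAX_PREFIX = 16, 28


def parse_plan(plan):
    """Map names to IPv4Network objects; strict=True rejects CIDRs with host bits set."""
    parsed = {}
    for name, cidr in plan.items():
        try:
            parsed[name] = ip_network(cidr, strict=True)
        except ValueError as exc:
            raise ValueError(f"{name}: invalid CIDR {cidr!r}: {exc}") from exc
    return parsed


def find_overlaps(networks):
    """Return sorted (name_a, name_b) pairs whose ranges overlap.

    Overlapping ranges cannot be routed unambiguously across a VPN or Direct
    Connect link, so every pair in the plan has to be disjoint."""
    nets = parse_plan(networks)
    return [
        (a, b)
        for (a, na), (b, nb) in combinations(sorted(nets.items()), 2)
        if na.overlaps(nb)
    ]


def oversized_or_undersized_vpcs(vpcs):
    """Return VPC names whose block falls outside the /16 to /28 range."""
    nets = parse_plan(vpcs)
    return sorted(
        name for name, net in nets.items()
        if not VPC_MIN_PREFIX <= net.prefixlen <= VPC_MAX_PREFIX
    )


def next_free_block(networks, new_prefix, candidate_supernet="10.0.0.0/8"):
    """Return the first /new_prefix block inside candidate_supernet that overlaps
    nothing already in the plan, or None if the supernet is exhausted."""
    nets = parse_plan(networks).values()
    for candidate in ip_network(candidate_supernet).subnets(new_prefix=new_prefix):
        if not any(candidate.overlaps(existing) for existing in nets):
            return str(candidate)
    return None


def report(on_prem, vpcs):
    """Combine both sides of the connection and summarise every problem found."""
    everything = {**on_prem, **vpcs}
    return {
        "overlaps": find_overlaps(everything),
        "bad_vpc_sizes": oversized_or_undersized_vpcs(vpcs),
        "next_free_16": next_free_block(everything, 16),
    }


if __name__ == "__main__":
    for key, value in report(ON_PREM, VPCS).items():
        print(f"{key}: {value}")
```

Run the plan check before creating the VPN or Direct Connect attachment; any pair in `overlaps` must be renumbered first, and `next_free_16` gives a candidate block for the next VPC that keeps the plan disjoint.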

The following comparison lists each connectivity option with its use case, advantages, and limitations.

Option: AWS Managed VPN
  Use case: AWS managed IPsec VPN connection over the internet to an individual VPC
  Advantages:
    - Reuse existing VPN equipment and processes
    - Reuse existing internet connections
    - AWS managed high availability VPN service
    - Supports static routes or dynamic Border Gateway Protocol (BGP) peering and routing policies
  Limitations:
    - Network latency, variability, and availability are dependent on internet conditions
    - Customer managed endpoint is responsible for implementing redundancy and failover (if required)
    - Customer device must support single-hop BGP (when leveraging BGP for dynamic routing)

Option: AWS Transit Gateway + VPN
  Use case: AWS managed IPsec VPN connection over the internet to a regional router for multiple VPCs
  Advantages:
    - Same as the previous option
    - AWS managed high availability and scalability regional network hub for up to 5,000 attachments
  Limitations:
    - Same as the previous option

Option: AWS Direct Connect
  Use case: Dedicated network connection over private lines
  Advantages:
    - More predictable network performance
    - Reduced bandwidth costs
    - Supports BGP peering and routing policies
  Limitations:
    - May require additional telecom and hosting provider relationships or new network circuits to be provisioned

Option: AWS Direct Connect + AWS Transit Gateway
  Use case: Dedicated network connection over private lines to a regional router for multiple VPCs
  Advantages:
    - Same as the previous option
    - AWS managed high availability and scalability regional network hub for up to 5,000 attachments
  Limitations:
    - Same as the previous option

Option: AWS Direct Connect + VPN
  Use case: IPsec VPN connection over private lines
  Advantages:
    - More predictable network performance
    - Reduced bandwidth costs
    - Supports BGP peering and routing policies on AWS Direct Connect
    - Reuse existing VPN equipment and processes
    - AWS managed high availability VPN service
    - Supports static routes or dynamic Border Gateway Protocol (BGP) peering and routing policies on the VPN connection
  Limitations:
    - May require additional telecom and hosting provider relationships or new network circuits to be provisioned
    - Customer managed endpoint is responsible for implementing redundancy and failover (if required)
    - Customer device must support single-hop BGP (when leveraging BGP for dynamic routing)

Option: AWS Direct Connect + AWS Transit Gateway + VPN
  Use case: IPsec VPN connection over private lines to a regional router for multiple VPCs
  Advantages:
    - Same as the previous option
    - AWS managed high availability and scalability regional network hub for up to 5,000 attachments
  Limitations:
    - Same as the previous option

Option: AWS VPN CloudHub
  Use case: Connect remote branch offices in a hub-and-spoke model for primary or backup connectivity
  Advantages:
    - Reuse existing internet connections and AWS VPN connections
    - AWS managed high availability VPN service
    - Supports BGP for exchanging routes and routing priorities
  Limitations:
    - Network latency, variability, and availability are dependent on the internet
    - User managed branch office endpoints are responsible for implementing redundancy and failover (if required)

Option: Software Site-to-Site VPN
  Use case: Software appliance-based VPN connection over the internet
  Advantages:
    - Supports a wider array of VPN vendors, products, and protocols
    - Fully customer-managed solution
  Limitations:
    - Customer is responsible for implementing HA (high availability) solutions for all VPN endpoints (if required)