Network-to-Amazon VPC connectivity options - Amazon Virtual Private Cloud Connectivity Options

Network-to-Amazon VPC connectivity options

This section provides design patterns for connecting remote networks with your Amazon VPC environment. These options are useful for integrating AWS resources with your existing on-site services (for example, monitoring, authentication, security, data or other systems) by extending your internal networks into the AWS Cloud. This network extension also allows your internal users to seamlessly connect to resources hosted on AWS just like any other internally facing resource.

VPC connectivity to remote customer networks is best achieved when using non-overlapping IP ranges for each network being connected. For example, if you’d like to connect one or more VPCs to your corporate network, make sure they are configured with unique Classless Inter-Domain Routing (CIDR) ranges. We recommend allocating a single, contiguous, non-overlapping CIDR block to be used by each VPC. For additional information about Amazon VPC routing and constraints, see the Amazon VPC Frequently Asked Questions.
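The non-overlapping CIDR requirement above is easy to violate once several VPCs and on-premises ranges exist, and an overlap is only discovered when routes silently stop matching. The following script is an added example (not part of the AWS page) that checks an inventory of named networks for pairwise overlap, validates that a candidate VPC CIDR is within the /16 to /28 prefix range that VPC allows for IPv4, and picks the next free contiguous block from a pool. The network names, ranges and the `10.0.0.0/8` pool are constructed sample data, not values from the page.

```python
"""Check VPC and on-premises CIDR blocks for overlap and allocate the next
free contiguous block. Added example using only the standard library; the
inventory below is constructed sample data."""
from ipaddress import IPv4Network, ip_network
from itertools import combinations

# Constructed sample inventory: corporate ranges plus existing VPCs.
# "vpc-dev" deliberately overlaps "corp-datacenter" to show the failure.
NETWORKS = {
    "corp-datacenter": "10.0.0.0/16",
    "corp-branch": "10.1.0.0/20",
    "vpc-prod": "10.2.0.0/16",
    "vpc-dev": "10.0.128.0/17",
}

# A VPC's IPv4 CIDR must be between /16 and /28 (documented VPC limit).
VPC_MIN_PREFIX, VPC_MAX_PREFIX = 16, 28


def find_overlaps(networks):
    """Return sorted (name_a, name_b) pairs whose CIDR ranges overlap.

    strict=True rejects CIDRs with host bits set (e.g. 10.0.0.1/24), which
    usually indicates a typo in an inventory.
    """
    parsed = {name: ip_network(cidr, strict=True) for name, cidr in networks.items()}
    return sorted(
        (a, b)
        for a, b in combinations(sorted(parsed), 2)
        if parsed[a].overlaps(parsed[b])
    )


def valid_vpc_cidr(cidr):
    """True if cidr is an IPv4 block a VPC can actually be created with."""
    net = ip_network(cidr, strict=True)
    return isinstance(net, IPv4Network) and VPC_MIN_PREFIX <= net.prefixlen <= VPC_MAX_PREFIX


def next_free_block(networks, prefixlen, pool="10.0.0.0/8"):
    """Return the first /prefixlen subnet of pool that overlaps nothing in
    use, or None if the pool is exhausted. Walking the pool in order keeps
    allocations contiguous, which keeps on-premises route tables short."""
    in_use = [ip_network(cidr) for cidr in networks.values()]
    for candidate in ip_network(pool).subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(used) for used in in_use):
            return str(candidate)
    return None


if __name__ == "__main__":
    for a, b in find_overlaps(NETWORKS):
        print(f"OVERLAP: {a} ({NETWORKS[a]}) and {b} ({NETWORKS[b]})")
    block = next_free_block(NETWORKS, 16)
    print(f"next free /16: {block}, valid VPC CIDR: {valid_vpc_cidr(block)}")
```

Run it before attaching a new VPC to a VPN or Direct Connect gateway; any pair reported by `find_overlaps` must be renumbered on one side, since neither the VPC route table nor BGP can disambiguate two identical prefixes.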

| Option | Use case | Advantages | Limitations |
|---|---|---|---|
| AWS Site-to-Site VPN | AWS managed IPsec VPN connection over the internet to individual VPC | Reuse existing VPN equipment and processes; reuse existing internet connections; AWS managed high availability VPN service; supports static routes or dynamic Border Gateway Protocol (BGP) peering and routing policies | Network latency, variability, and availability are dependent on internet conditions; you are responsible for implementing redundancy and failover (if required); remote device must support single-hop BGP (when leveraging BGP for dynamic routing) |
| AWS Transit Gateway + AWS Site-to-Site VPN | AWS managed IPsec VPN connection over the internet to regional router for multiple VPCs | Same as the previous option; AWS managed high availability and scalability regional network hub for up to 5,000 attachments | Same as the previous option |
| AWS Direct Connect | Dedicated network connection over private lines | More predictable network performance; reduced bandwidth costs; supports BGP peering and routing policies | Might require additional telecom and hosting provider relationships or new network circuits to be provisioned |
| AWS Direct Connect + AWS Transit Gateway | Dedicated network connection over private lines to regional router for multiple VPCs | Same as the previous option; AWS managed high availability and scalability regional network hub for up to 5,000 attachments | Same as the previous option |
| AWS Direct Connect + AWS Site-to-Site VPN | IPsec VPN connection over private lines | More predictable network performance; reduced bandwidth costs; supports BGP peering and routing policies on AWS Direct Connect; reuse existing VPN equipment and processes; AWS managed high availability VPN service; supports static routes or dynamic Border Gateway Protocol (BGP) peering and routing policies on VPN connection | May require additional telecom and hosting provider relationships or new network circuits to be provisioned; you are responsible for implementing redundancy and failover (if required); remote device must support single-hop BGP (when leveraging BGP for dynamic routing) |
| AWS Direct Connect + AWS Transit Gateway + AWS Site-to-Site VPN | IPsec VPN connection over private lines to regional router for multiple VPCs | Same as the previous option; AWS managed high availability and scalability regional network hub for up to 5,000 attachments | Same as the previous option |
| AWS VPN CloudHub | Connect remote branch offices in a hub-and-spoke model for primary or backup connectivity | Reuse existing internet connections and AWS VPN connections; AWS managed high availability VPN service; supports BGP for exchanging routes and routing priorities | Network latency, variability, and availability are dependent on the internet; user managed branch office endpoints are responsible for implementing redundancy and failover (if required) |
| AWS Transit Gateway + SD-WAN solutions | Connect remote branches and offices with a software-defined wide area network by using the AWS backbone or the internet as a transit network | Supports a wider array of SD-WAN vendors, products, and protocols; some vendor solutions have integration with AWS native services | You are responsible for implementing HA (high availability) of the SD-WAN appliances if they are placed in an Amazon VPC |
| Software VPN | Software appliance-based VPN connection over the internet | Supports a wider array of VPN vendors, products, and protocols; fully customer-managed solution | You are responsible for implementing HA (high availability) solutions for all VPN endpoints (if required) |