AWS Direct Connect and VPNs - Amazon EC2 Overview and Networking Introduction for Telecom Companies

AWS Direct Connect and VPNs

AWS Direct Connect (DX) provides a dedicated connection from your on-premises network to one or more Amazon VPCs. It’s possible to create a single sub-1 Gbps connection or use a link aggregation group (LAG) to aggregate multiple 1-Gbps or 10-Gbps connections into a single managed connection. DX uses VLANs to access Amazon EC2 instances running within the VPC. DX supports both static and dynamic routing through BGP. One of the following virtual interfaces (VIFs) must be created in order to use a DX connection:

  • Private virtual interface – used to access VPC resources using private IP addresses

  • Public virtual interface – used to access all AWS public services using public IP addresses

  • Transit virtual interface – used to access one or more AWS Transit Gateways associated with DX gateways.

Figure 13 – AWS Direct Connect

Typically, DX is used for critical, latency-sensitive workloads given the dedicated nature of the connectivity. AWS also offers a Service Level Agreement for AWS Direct Connect as per the following policy: https://aws.amazon.com/directconnect/sla/.

If the workload does not require the dedicated nature of DX, an AWS managed VPN provides the option of creating an IPsec VPN connection over the internet between your on-premises environment and Amazon VPC. With an AWS managed VPN, you can take advantage of automated multi-data center redundancy and failover, which is built into the AWS side of the VPN: a virtual private gateway terminates two distinct VPN endpoints in two separate data centers. The redundancy can be further improved by also implementing redundancy on your side of the connection and terminating VPN endpoints on two separate customer gateways in the on-premises environment. Finally, both dynamic and static routing options are supported to give you flexibility in setting your routing configuration. Dynamic routing uses BGP peering to exchange routing information between AWS and your on-premises environment. With dynamic routing, you can also specify routing priorities, policies, and weights (metrics) in your BGP advertisements and influence the network path taken between your networks and AWS.
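The redundancy model described above (two AWS-side tunnel endpoints per VPN connection, ideally landing on two separate on-premises customer gateways) is something a practitioner should monitor rather than assume. The following is an added example, not code from the whitepaper or from AWS; it assumes input shaped like the boto3 `ec2.describe_vpn_connections()` response (`VpnGatewayId`, `CustomerGatewayId`, `Options.StaticRoutesOnly`, and one `VgwTelemetry` entry per tunnel with `Status` and `AcceptedRouteCount`). The sample connection records are constructed for illustration, and the gateway and tunnel identifiers in them are placeholders.

```python
"""Assess AWS Site-to-Site VPN redundancy from describe_vpn_connections-style data.

Added example (not from the AWS whitepaper). It assumes input shaped like the
boto3 ec2.describe_vpn_connections() response. The sample data below is
constructed; all IDs and addresses are placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: two VPN connections to the same virtual private gateway,
# each terminating on a different on-premises customer gateway, as the text
# recommends. Each connection carries two AWS-side tunnel endpoints.
SAMPLE_VPN_CONNECTIONS = [
    {
        "VpnConnectionId": "vpn-0aaaaaaaaaaaaaaa1",   # placeholder id
        "VpnGatewayId": "vgw-0bbbbbbbbbbbbbbb1",      # placeholder id
        "CustomerGatewayId": "cgw-0ccccccccccccccc1", # placeholder id
        "State": "available",
        "Options": {"StaticRoutesOnly": False},       # BGP (dynamic) routing
        "VgwTelemetry": [
            {"OutsideIpAddress": "203.0.113.10", "Status": "UP", "AcceptedRouteCount": 12},
            {"OutsideIpAddress": "203.0.113.11", "Status": "UP", "AcceptedRouteCount": 12},
        ],
    },
    {
        "VpnConnectionId": "vpn-0aaaaaaaaaaaaaaa2",   # placeholder id
        "VpnGatewayId": "vgw-0bbbbbbbbbbbbbbb1",
        "CustomerGatewayId": "cgw-0ccccccccccccccc2", # second on-prem gateway
        "State": "available",
        "Options": {"StaticRoutesOnly": False},
        "VgwTelemetry": [
            {"OutsideIpAddress": "203.0.113.20", "Status": "UP", "AcceptedRouteCount": 12},
            {"OutsideIpAddress": "203.0.113.21", "Status": "DOWN", "AcceptedRouteCount": 0},
        ],
    },
]


@dataclass
class VpnFinding:
    vpn_id: str
    tunnels_up: int
    tunnels_total: int
    issues: List[str] = field(default_factory=list)


def assess_connection(conn: Dict) -> VpnFinding:
    """Check one VPN connection: both tunnels up, and BGP actually carrying routes."""
    telemetry = conn.get("VgwTelemetry", [])
    up = [t for t in telemetry if t.get("Status") == "UP"]
    finding = VpnFinding(conn["VpnConnectionId"], len(up), len(telemetry))
    if conn.get("State") != "available":
        finding.issues.append(f"connection state is {conn.get('State')}")
    if len(up) == 0:
        finding.issues.append("no tunnel is UP: connectivity lost")
    elif len(up) < len(telemetry):
        finding.issues.append("only one tunnel is UP: AWS-side redundancy degraded")
    # With dynamic routing, a tunnel that is UP but has accepted no BGP routes
    # cannot actually forward traffic, so flag it as well.
    if not conn.get("Options", {}).get("StaticRoutesOnly", True):
        for t in up:
            if t.get("AcceptedRouteCount", 0) == 0:
                finding.issues.append(
                    f"tunnel {t['OutsideIpAddress']} is UP but BGP accepted 0 routes")
    return finding


def assess_vpn_redundancy(connections: List[Dict]) -> Dict:
    """Return per-connection findings plus a site-level redundancy verdict.

    On-premises redundancy requires at least two distinct customer gateways
    attached to the same virtual private gateway.
    """
    findings = [assess_connection(c) for c in connections]
    per_vgw: Dict[str, set] = {}
    for c in connections:
        per_vgw.setdefault(c["VpnGatewayId"], set()).add(c["CustomerGatewayId"])
    site_issues = []
    for vgw, cgws in per_vgw.items():
        if len(cgws) < 2:
            site_issues.append(
                f"{vgw}: only {len(cgws)} customer gateway; no on-premises redundancy")
    return {
        "connections": findings,
        "site_issues": site_issues,
        "redundant": not site_issues and all(not f.issues for f in findings),
    }


if __name__ == "__main__":
    report = assess_vpn_redundancy(SAMPLE_VPN_CONNECTIONS)
    for f in report["connections"]:
        print(f"{f.vpn_id}: {f.tunnels_up}/{f.tunnels_total} tunnels up; {f.issues or 'ok'}")
    print("site issues:", report["site_issues"] or "none")
    print("fully redundant:", report["redundant"])
```

Run against live data by replacing `SAMPLE_VPN_CONNECTIONS` with the `VpnConnections` list from `describe_vpn_connections()`; the verdict is only `redundant` when every tunnel is up, every BGP session is accepting routes, and each virtual private gateway is reached from at least two customer gateways.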

The potential drawbacks of using an AWS managed VPN are that availability depends on internet conditions, and the VPN adds complexity to implementing redundancy and failover (if necessary) at your end. DX, on the other hand, provides dedicated connectivity and minimal latency. However, it does require new network circuits to be provisioned through your hosting provider, unless you are the hosting provider.

Figure 14 – VPN Connectivity