Hybrid network connection - Hybrid Connectivity

Hybrid network connection

Site-to-Site Virtual Private Network (VPN)

A site to site IPsec VPN enables two different networks (sites) to communicate in a secure manner over an untrusted transport such as the internet. From a hybrid connectivity point of view the VPN connection is established between an on-premises site and Amazon Virtual Private Cloud (Amazon VPC). There are two options to establish a Site-to-Site VPN with AWS:

  • AWS Managed Site-to-Site VPN (AWS S2S VPN): Is a fully managed and highly available VPN service. See AWS Managed VPN for more information. Also, you can optionally enable acceleration for your Site-to-Site VPN connection. See Accelerated Site-to-Site VPN connections

  • Software Site-to-Site VPN (Customer-managed VPN): Unlike the AWS Managed VPN, with this VPN connectivity option, the customer is responsible for provisioning and managing the entire VPN solution, typically running a VPN software on an EC2 instance, or it could be a VPN virtual appliance from AWS Marketplace, including SD-WAN solutions. See Software Site-to-Site VPN for more information.

AWS Direct Connect

AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS. See AWS Direct Connect

There are two types of AWS Direct Connect connections: dedicated connection and hosted connection. See AWS Direct Connect connections for more information.

  • AWS Direct Connect Virtual Interface (VIF): Virtual interface is logical interface built on top of the physical connection. There are three primary types of VIFs: Private VIF, Public VIF and Transit VIF. See AWS Direct Connect virtual interfaces for more information. Figure 1 illustrates hybrid connectivity model that uses Private and Public VIFs. Public VIF in particular, is used to access all AWS public services, such S3, DynamoDB, as well as public EC2 IP ranges. Public VIF provides the ability to reach any AWS public IP, including AWS S2S VPN endpoints. VPN over public VIF is a common connectivity option for scenarios that require encryption in transit for the Direct Connect (DX) connection.

Note

Hosted Virtual Interface (Hosted VIF) is another option that technically offers connectivity to AWS resources. It can refer to either a VIF assigned to a different AWS account than the AWS account which owns the AWS Direct Connect connection. Also, it can refer to a VIF provided by an AWS Direct Connect partner. AWS no longer allows new partners to offer this model, for more information see Hosted Virtual Interfaces (Hosted VIF).

Figure 1 – AWS Direct Connect Private and Public VIFs