Hybrid network connection - Hybrid Connectivity

Hybrid network connection

Site-to-Site Virtual Private Network (VPN)

A site-to-site IPsec VPN enables two different networks (sites) to communicate securely over an untrusted transport such as the internet. From a hybrid connectivity point of view, the VPN connection is established between an on-premises site and Amazon Virtual Private Cloud (Amazon VPC). There are two options to establish a Site-to-Site VPN with AWS:

  • AWS Managed Site-to-Site VPN (S2S VPN): A fully managed and highly available VPN service. See AWS Managed VPN for more information. You can optionally enable acceleration for your Site-to-Site VPN connection; see Accelerated Site-to-Site VPN connections.

  • Software Site-to-Site VPN (Customer-managed VPN): Unlike the AWS Managed VPN, with this VPN connectivity option the customer is responsible for provisioning and managing (configuration, patching, upgrading, licensing) the entire VPN solution. This typically involves running VPN software (open source or commercial) on an EC2 instance, or a VPN virtual appliance from AWS Marketplace, including SD-WAN solutions. For more information, see Software Site-to-Site VPN.

AWS Direct Connect

AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated and private network connection from your premises to AWS. See AWS Direct Connect.

There are two types of Direct Connect connections: dedicated and hosted. See AWS Direct Connect connections for more information.

  • AWS Direct Connect Virtual Interface (VIF): A virtual interface is a logical interface built on top of the physical connection. There are three primary types of VIFs: Private VIF, Public VIF and Transit VIF. See AWS Direct Connect virtual interfaces for more information. Figure 1 illustrates a hybrid connectivity model that uses Private and Public VIFs. A Public VIF, in particular, is used to access all AWS public services, such as S3 and DynamoDB, as well as public EC2 IP ranges. A Public VIF provides the ability to reach any AWS public IP, including AWS S2S VPN endpoints. VPN over a public VIF is a common connectivity option for scenarios that require encryption in transit for the Direct Connect (DX) connection.


Hosted Virtual Interface (Hosted VIF) is another option that technically offers connectivity to AWS resources. It can refer either to a VIF assigned to an AWS account other than the account that owns the AWS Direct Connect connection, or to a VIF provided by an AWS Direct Connect partner. AWS no longer allows new partners to offer this model; for more information, see Hosted Virtual Interfaces (Hosted VIF).

Hybrid connectivity model that uses Private and Public VIFs

Figure 1 – AWS Direct Connect Private and Public VIFs