Security - Hybrid Connectivity



This section covers the security considerations that influence the selection of a hybrid connectivity type. These considerations are:

  • transport type – internet or private network connection

  • encryption in transit

Impact on design decision

Your security requirements and policies might permit use of the internet or require a private network connection between AWS and your company network. They also determine whether encryption in transit must be provided by the network or whether performing encryption at the application layer is acceptable.

Requirement definition

  • Do your security requirements and policies allow the usage of encrypted connections over the internet to connect to AWS or mandate the usage of private network connections?

  • When leveraging private network connections, does the network layer have to provide encryption in transit?

Technical solutions

If you can leverage the internet, then AWS Site-to-Site VPN could be used to create encrypted tunnels between your network and your Amazon VPCs or AWS Transit Gateways over the internet. Extending your SD-WAN solution into AWS over the internet may also be an option if you are leveraging an internet-based connection. The Customer-managed VPN and SD-WAN section later in this whitepaper covers the specific considerations for SD-WAN.

If you require the usage of a private network connection between AWS and your company network, then AWS recommends the usage of AWS Direct Connect Dedicated Connections or Hosted Connections. If encryption in transit is required over the private network connection, then you should establish a Site-to-Site VPN over Direct Connect.

                         Site-to-Site VPN      Direct Connect
Transport                Over the internet     Private network connection
Encryption in transit    Yes                   Requires S2S VPN over Direct Connect.