VPC Connectivity Options

- networking aws

This post is part of my note taking while studying for the AWS Certified Advanced Networking - Specialty certification.

AWS VPC connectivity falls into one of three categories:

Network to AWS VPC

The following five options connect existing networks to an AWS VPC. The existing network could be an internal corporate network or a network in another cloud provider’s cloud.

Hardware VPN

This solution uses a hardware VPN from your network to AWS-managed VPN hardware. The advantages are that you can reuse your existing VPN equipment and processes, you can reuse your existing Internet connection, it supports BGP, and Amazon manages multi-datacenter redundancy and automated failover. The disadvantages are that the customer has to manage the failover equipment on the customer side, the VPN device must support single-hop BGP, and there is the normal network latency that comes from using IPSec VPN connections.

This is a great option and the right option for most customers starting out on AWS that want to connect their internal network to their VPC.

AWS Direct Connect

Direct Connect is a dedicated network over private lines, provided by an AWS Direct Connect partner. It’s a private, direct 1 Gbps or 10 Gbps link to AWS. It can use 802.1q VLANs to connect to multiple VPCs. The advantages are better bandwidth, more predictable performance, and BGP peering and routing. The disadvantages are cost and the overhead of working with a telco provider to connect to AWS Direct Connect. The connection can be made from a port on an AWS router in an Internet exchange/colo facility or through a partner.

AWS Direct Connect + VPN

This is running a VPN connection through your AWS Direct Connect circuit. This is for those with tin foil hats or compliance requirements to encrypt all of this traffic. It combines the disadvantages of Direct Connect and Hardware VPN with the only advantage of encrypting your traffic over a private link.

AWS VPN CloudHub

This connects multiple branches in a hub-and-spoke model for connectivity to an AWS VPC. This is helpful because a VPC cannot be used for transit traffic. Its advantages are that it reuses existing Internet connections, uses the AWS-managed VPN gateway, and supports BGP for exchanging routes and routing priorities. When connecting to AWS over MPLS, this can be used as a backup link, with routing priorities configured to prefer MPLS first. Its disadvantages are the same as hardware VPN: latency, and the customer endpoints must manage redundancy.
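
The MPLS-primary, CloudHub-backup arrangement described above, modelled as an added example (not from the original post or from AWS): a simplified BGP best-path choice on a branch router. The CIDR, ASNs and LOCAL_PREF values are constructed, and the decision process is reduced to LOCAL_PREF followed by AS_PATH length.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: str       # destination CIDR
    via: str          # link the route was learned over: "mpls" or "vpn"
    local_pref: int   # assigned by the branch router's import policy
    as_path: tuple    # ASNs the advertisement passed through

def best_path(routes):
    """Simplified BGP decision: highest LOCAL_PREF wins, then shortest AS_PATH."""
    return max(routes, key=lambda r: (r.local_pref, -len(r.as_path)), default=None)

class BranchRouter:
    def __init__(self, import_policy):
        self.import_policy = import_policy  # link name -> LOCAL_PREF
        self.rib = {}                       # prefix -> {link name: Route}

    def learn(self, prefix, via, as_path):
        route = Route(prefix, via, self.import_policy[via], tuple(as_path))
        self.rib.setdefault(prefix, {})[via] = route

    def withdraw(self, prefix, via):
        self.rib.get(prefix, {}).pop(via, None)

    def active_link(self, prefix):
        best = best_path(self.rib.get(prefix, {}).values())
        return best.via if best else None

def simulate(import_policy):
    """Return the link used in steady state, after MPLS loss, and after VPN loss."""
    vpc = "10.0.0.0/16"                        # constructed VPC CIDR
    branch = BranchRouter(import_policy)
    branch.learn(vpc, "vpn", [64512])          # via the VPN gateway (constructed ASN)
    branch.learn(vpc, "mpls", [65010, 64512])  # same prefix via the MPLS carrier
    steady = branch.active_link(vpc)
    branch.withdraw(vpc, "mpls")               # MPLS circuit fails, route withdrawn
    failover = branch.active_link(vpc)
    branch.withdraw(vpc, "vpn")                # backup tunnel also lost
    return steady, failover, branch.active_link(vpc)

if __name__ == "__main__":
    print(simulate({"mpls": 200, "vpn": 100}))  # MPLS preferred by policy
    print(simulate({"mpls": 100, "vpn": 100}))  # no policy: AS_PATH decides
```

With a flat policy the shorter AS path over the VPN wins, which is why the preference for MPLS has to be configured explicitly rather than assumed.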

Software VPN

This is running a software VPN appliance (e.g., Checkpoint, Palo Alto, Juniper SRX, etc.) in the EC2 cloud. Its advantages are that it’s fully customer-managed and it supports a wide variety of virtual appliances. The disadvantages are the same: AWS doesn’t manage your redundancy, and you’re required to maintain and license the EC2 instances and construct your own HA. While this option provides the most flexibility, it also requires the most work.


The following five options are ways to connect one VPC to another VPC.

VPC Peering

This option peers two VPCs within a single Region, and its main disadvantage is just that: it’s limited to intra-Region peering. However, it has the lowest overhead and leverages AWS networking infrastructure, doesn’t rely on VPN, doesn’t have a single point of failure and doesn’t have any bandwidth bottleneck.

Software VPN

Software VPN utilizes two EC2 instances running software appliances to form a VPN connection between the two VPCs. It’s managed entirely by the customer but will leverage intra-region and Internet pipes between regions. Additionally, it’s encrypted with whatever encryption you choose. The disadvantages are that the customer must manage all HA and redundancy, and that these instances could easily become a bottleneck and would require downtime to move to a larger instance.

Software to Hardware VPN

This is similar to the Software VPN solution with one end of the connection being the AWS VPN hardware. This alleviates some of the HA and administration overhead on one end of the connection but not the other.

Hardware VPN

These are VPC-to-VPC connections managed by the customer over connections through the customer’s hardware. Its advantages are that it reuses existing VPN connections and that the AWS-managed endpoints include redundancy. This also supports BGP routing. The disadvantages are network latency through the Internet and that the endpoint you manage is responsible for failover and HA. This could also be called AWS VPC to Hardware to AWS VPC: you are inserting your own router/firewall architecture between VPCs, and therefore all traffic between VPCs flows through a customer-managed device.

AWS Direct Connect

This is the same as Hardware VPN, but without the Hardware. It utilizes AWS Direct Connect and 802.1q VLANs to connect multiple VPCs to a customer-managed firewall/router. It has reduced bandwidth costs, consistent network performance, and 1 or 10 Gbps connectivity. It also supports static routes and BGP peering. The disadvantages are that all inter-VPC traffic flows through your hardware, you’re responsible for the HA and failover of that equipment, and it requires additional telecom and hosting provider relationships.

Internal User to AWS VPC

There are two options for connecting a single user to an AWS VPC.

User Network to Amazon VPC

This extends your data center to AWS, using one of the methodologies above. The user connects using existing remote access methods and has access to the AWS VPC through the corporate network.

Software Remote Access VPN

This option is running an EC2 instance that allows SSL or IPSec VPN connections from a client device into that instance.

See this PDF for more details.