I want to decide which option to use to provide connectivity to and from a virtual private cloud (VPC) in Amazon Virtual Private Cloud (Amazon VPC).
Review the following options for connecting to your VPC and choose the best one for your use case.
AWS VPN connection
AWS Site-to-Site VPN Connection provides secure connectivity from a remote network location to your VPC. Establish a VPN connection to an AWS managed virtual private gateway. The virtual private gateway is the VPN device on the AWS side of the connection. After you create your connection, download the Internet Protocol Security (IPsec) VPN configuration from the VPC console. Use the IPsec VPN configuration to configure the firewall or device in your local network that connects to the VPN.
You can also choose to use a third-party VPN solution. Use a third-party solution if you require full access and management of the AWS side of the VPN connection.
AWS Client VPN
AWS Client VPN is a managed, client-based VPN service. It allows you to securely access your AWS resources and other connected networks using an OpenVPN-based VPN client.
Direct Connect connection
AWS Direct Connect links your on-premises network to a Direct Connect location over a standard 1-Gbps, 10-Gbps, or 100-Gbps Ethernet fiber-optic cable. This dedicated connection to the Direct Connect location provides connectivity to your VPCs and other resources in AWS Regions.
Direct Connect usage is charged per port-hour with additional data transfer rates that vary by AWS Region. For more information, see AWS Direct Connect pricing.
VPC peering connection
A VPC peering connection connects two VPCs and routes traffic between them through private IP addresses. This allows the VPCs to function like they are on the same network. Because they don't rely on physical hardware, these connections aren't subject to common issues such as a single point of failure or network bandwidth bottlenecks.
VPC peering is supported for VPCs in any AWS Region, in the same or different AWS accounts. For more information, see VPC peering limitations.
VPC endpoint
A VPC endpoint is a private connection between your VPC and another AWS service that doesn't require internet access. The two types of VPC endpoints are interface VPC endpoints (for AWS PrivateLink services) and gateway VPC endpoints. After you configure a VPC endpoint, instances in your VPC can use private IP addresses to communicate with:
Internet gateway
An internet gateway enables communication between instances in your VPC and the internet. You can scope the route to all destinations not explicitly known to the route table or to a narrower range of IP addresses.
NAT gateway
A NAT gateway is a managed service that allows resources in a private subnet of a VPC to connect to the internet. It can also connect to other AWS services. It doesn't allow connections to those resources to be initiated from the internet.
Note: Be sure to create the NAT gateway in a public subnet. For more information, see NAT gateways.
NAT instance
A NAT instance in the public subnet of a VPC allows resources in the private subnet to initiate outbound IPv4 traffic. This traffic can be to the internet or other AWS services. It prevents those instances from receiving inbound traffic initiated from the internet.
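The public/private distinction above (internet gateway route versus NAT gateway or NAT instance route) and the note that a NAT gateway must be created in a public subnet can be checked mechanically against route tables. The following is an added example, not AWS code; the route tables, NAT gateway placements and resource IDs are constructed, simplified data rather than real API output.

```python
"""Added example (not AWS's own code): classify subnets from their route tables
and check that every NAT gateway was created in a public subnet. Data is constructed."""
from ipaddress import ip_network

# Constructed route tables: subnet id -> list of (destination CIDR, target id).
ROUTE_TABLES = {
    "subnet-public-a":  [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-0abc")],
    "subnet-private-a": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-0123")],
    "subnet-private-b": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-0999")],
    "subnet-private-c": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "eni-0nat")],
    "subnet-isolated":  [("10.0.0.0/16", "local")],
}

# Constructed NAT gateway placement: NAT gateway id -> subnet it was created in.
NAT_GATEWAYS = {
    "nat-0123": "subnet-public-a",   # correct: lives in a public subnet
    "nat-0999": "subnet-private-a",  # misplaced: its own egress depends on another NAT
}

def default_route_target(routes):
    """Target of the catch-all IPv4 route (the 'all destinations not explicitly
    known to the route table' route described above), or None if absent."""
    for dest, target in routes:
        net = ip_network(dest)
        if net.version == 4 and net.prefixlen == 0:
            return target
    return None

def classify(subnet_id):
    """public: default route to an internet gateway; private: default route to a
    NAT gateway or NAT instance ENI (outbound-only); isolated: no default route."""
    target = default_route_target(ROUTE_TABLES[subnet_id])
    if target is None:
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    if target.startswith(("nat-", "eni-", "i-")):
        return "private"
    return "other"

def misplaced_nat_gateways():
    """NAT gateways created in a subnet that is not public."""
    return sorted(n for n, s in NAT_GATEWAYS.items() if classify(s) != "public")

def subnets_with_broken_egress():
    """Private subnets whose default route points at a misplaced NAT gateway."""
    bad = set(misplaced_nat_gateways())
    return sorted(s for s, r in ROUTE_TABLES.items()
                  if default_route_target(r) in bad)
```

The same check applies to real data by populating the two dictionaries from the route-table and NAT-gateway descriptions of the VPC.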