How can I connect to my Amazon VPC?

4 minute read

I want to decide which option to use to provide connectivity to and from a virtual private cloud (VPC) in Amazon Virtual Private Cloud (Amazon VPC).


Review the following options for connecting to your VPC and choose the best one for your use case.

AWS VPN connection

AWS Site-to-Site VPN Connection provides secure connectivity from a remote network location to your VPC. Establish a VPN connection to an AWS managed virtual private gateway. The virtual private gateway is the VPN device on the AWS side of the connection. After you create your connection, download the Internet Protocol Security (IPsec) VPN configuration from the VPC console. Use the IPsec VPN configuration to configure the firewall or device in your local network that connects to the VPN.

You can also choose to use a third-party VPN solution. Use a third-party solution if you require full access and management of the AWS side of the VPN connection.

AWS Client VPN

AWS Client VPN is a managed client-based VPN service. It allows you to securely access your resources and other connected networks using an Open-VPN based VPN client.

Direct Connect connection

An AWS Direct Connect links your on-premises internal network to a Direct Connect location over a standard 1-Gbps, 10-Gbps or 100-Gbps Ethernet fiber-optic cable. This direct connection to the Direct Connect location provides connectivity to your VPCs and other resources within the AWS Regions.

Direct Connect usage is charged per port-hour with additional data transfer rates that vary by AWS Region. For more information, see AWS Direct Connect pricing.

VPC peering connection

A VPC peering connection connects two VPCs and routes traffic between them through private IP addresses. This allows the VPCs to function like they are on the same network. Because they don't rely on physical hardware, these connections aren't subject to common issues such as a single point of failure or network bandwidth bottlenecks.

VPC peering is supported for VPCs across all AWS Regions in both the same or different AWS accounts. For more information, see VPC peering limitations.

VPC endpoints

A VPC endpoint is a private connection between your VPC and another AWS service that doesn't require internet access. The two types of VPC endpoints are interface VPC endpoints (for AWS PrivateLink services) and gateway VPC endpoints. After you configure a VPC endpoint, instances in your VPC can use private IP addresses to communicate with:

Internet gateway

An internet gateway enables communication between instances in your VPC and the internet. You can scope the route to all destinations not explicitly known to the route table or to a narrower range of IP addresses.

NAT gateway

A NAT gateway is a managed service that allows resources in a private subnet of a VPC to connect to the internet. It can also connect to other AWS services. It doesn't allow connections to those instances from the internet

Note: Be sure to create the NAT gateway in a public subnet. For more information, see NAT gateways.

NAT instance

A NAT instance in the public subnet of a VPC allows resources in the private subnet to initiate outbound IPv4 traffic. This traffic can be to the internet or other AWS services. It prevents those instances from receiving inbound traffic initiated by internet connections.

Note: Using a NAT gateway is best practice for common use cases. For more information, see Compare NAT gateways and NAT instances.

Transit gateway

A transit gateway acts as a central hub for connecting your VPCs and your on-premises networks. 

Related information

What is Amazon VPC?

Amazon VPC quotas

Configure route tables

AWS OFFICIALUpdated 8 months ago