VPN vs Direct Connect

Diagram that shows differences in VPN and Direct Connect connectivity.
AWS
EXPERT
updated 4 months ago | 5.4K views

This diagram shows the differences between VPN and Direct Connect. Choosing between them is a common question for smaller companies that are determining their needs and trying to understand the responsibilities that come with each type of connectivity.

[Diagram: differences between VPN and Direct Connect connectivity]

Details of all Amazon Virtual Private Cloud (VPC) connectivity options can be found in "Network-to-Amazon VPC connectivity options".

4 Comments

The Direct Connect part of the diagram appears to be missing a Direct Connect Gateway (DXGW). It's advisable always to use a DXGW between Direct Connect connections and TGWs/VGWs. While a DXGW has no meaningful physical existence, it effectively tells the AWS backbone network that potential multiple routes that exist between a source and a destination are related. The backbone network then uses this knowledge to minimise or avoid, if possible, single points of failure between all related components.

For example, if in your diagram, a second DX would be added with a route for some or all of the same on-premises networks, the VGW would allow it to be associated as a second link and used for redundancy with BGP. However, the AWS backbone network may not be able to recognise that these connections serve as backups for one another and might therefore share parts of physical infrastructure and fibre routes between the two links. By placing a DXGW in between, the AWS backbone network will avoid that as much as possible.

The DXGW will also allow sharing a single VIF with VGWs in up to 10 VPCs via VGWs or a single transit VIF with up to 6 TGWs. There's no additional cost, reduction in availability, anything additional to monitor, increase in administrative overhead, or other downside to using a DXGW, so it's recommended always simply to implement DX connectivity with a DXGW, even when starting with a non-redundant connection and no particular scaling needs.

EXPERT
replied 4 months ago
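As an added example (not part of the comment above and not AWS tooling), this check flags private or transit VIFs that are attached without a DXGW and DXGWs whose association counts exceed the figures quoted in the comment. It assumes input dicts shaped like the boto3 `describe_virtual_interfaces` and `describe_direct_connect_gateway_associations` responses; the sample data and the `audit_dx` name are constructed for illustration.

```python
from collections import Counter

# Figures quoted in the comment above; confirm against current AWS quotas.
MAX_VGW_PER_DXGW = 10
MAX_TGW_PER_DXGW = 6
LIMITS = {"virtualPrivateGateway": MAX_VGW_PER_DXGW,
          "transitGateway": MAX_TGW_PER_DXGW}

def audit_dx(vifs, associations):
    """vifs: 'virtualInterfaces' list; associations:
    'directConnectGatewayAssociations' list (boto3 response shapes)."""
    findings = []
    for vif in vifs:
        if vif.get("virtualInterfaceType") == "public":
            continue  # public VIFs attach to neither a VGW nor a DXGW
        if vif.get("virtualInterfaceState") in ("deleting", "deleted"):
            continue
        if not vif.get("directConnectGatewayId"):
            target = vif.get("virtualGatewayId") or "no gateway"
            findings.append(f"{vif['virtualInterfaceId']}: attached directly "
                            f"to {target}, not to a DXGW")
    counts = Counter()
    for assoc in associations:
        # Count only associations that are live or becoming live.
        if assoc.get("associationState") in ("associated", "associating", "updating"):
            key = (assoc["directConnectGatewayId"],
                   assoc["associatedGateway"]["type"])
            counts[key] += 1
    for (dxgw, gw_type), n in sorted(counts.items()):
        if gw_type in LIMITS and n > LIMITS[gw_type]:
            findings.append(f"{dxgw}: {n} {gw_type} associations "
                            f"exceed {LIMITS[gw_type]}")
    return findings

# Constructed sample data (not from a real account).
SAMPLE_VIFS = [
    {"virtualInterfaceId": "dxvif-aaaa1111", "virtualInterfaceType": "private",
     "virtualInterfaceState": "available", "virtualGatewayId": "vgw-0example1",
     "directConnectGatewayId": ""},
    {"virtualInterfaceId": "dxvif-bbbb2222", "virtualInterfaceType": "transit",
     "virtualInterfaceState": "available", "virtualGatewayId": "",
     "directConnectGatewayId": "dxgw-example"},
]
SAMPLE_ASSOCS = [
    {"directConnectGatewayId": "dxgw-example", "associationState": "associated",
     "associatedGateway": {"id": f"tgw-example{i}", "type": "transitGateway"}}
    for i in range(7)
]

if __name__ == "__main__":
    for line in audit_dx(SAMPLE_VIFS, SAMPLE_ASSOCS):
        print(line)
```

Against a live account, the two lists would come from a `boto3.client("directconnect")` client instead of the constructed samples.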

Great points Leo! Added the DxGW to the diagram.

AWS
EXPERT
replied 4 months ago

This is a great diagram, iBehr. I suggest also mentioning the option of using S2S VPN over transit VIF (like in the second diagram described here).

AWS
EXPERT
replied 4 months ago

Thanks Yaniv! Added the option for S2S over Transit VIF.

AWS
EXPERT
replied 4 months ago