[AWS Architect] (17) VPN and DX

A hybrid cloud architecture combines cloud resources with on-premises resources and uses them as if they were all in the same environment.

VPN (Virtual Private Network)

AWS Site-to-Site VPN provides an encrypted IPsec connection between a VPC and an on-premises network over the public internet.

  • Resources in the VPC are reached by their private IP addresses; they need neither public IP addresses nor an Internet gateway.
  • The IPsec tunnels encrypt traffic in transit, which is the extra layer of protection a plain internet path lacks. The tunnel endpoints themselves still sit on public IPs, so the strength of the negotiated IKE/IPsec suite matters.

VPC VPN components

  • Virtual Private Gateway (VGW) is the AWS-side endpoint and is attached to a VPC. A VPC can have only one VGW attached at a time.
  • Customer Gateway (CGW) is the AWS resource that describes the on-premises router (its public IP address and BGP ASN); the router itself is configured separately.
  • VPN connection – each connection consists of two IPsec tunnels terminating on two different AWS endpoints for redundancy; configure both on the on-premises router, not just one.

Best Practices

  • Use dynamic routing with the Border Gateway Protocol (BGP) rather than static routes: the VGW learns on-premises prefixes automatically and failover between the two tunnels happens without manual route changes.
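The components and the best practice above can be checked mechanically. The following audit is an added example, not code from the original post: it takes one entry of the `VpnConnections` list returned by `aws ec2 describe-vpn-connections`, flags static routing, a tunnel that is not UP (which silently removes the redundancy the second tunnel exists for), and any IKE/IPsec options outside a hardened baseline. The baseline (IKEv2 only, AES-256, SHA-2, DH group 14 or stronger) is this author's policy, not an AWS default, and the two sample connections are constructed.

```python
"""Audit AWS Site-to-Site VPN connections: routing mode, tunnel health, IKE/IPsec suite.

Added example, not from the original post. Input is the shape returned by
`aws ec2 describe-vpn-connections` (one entry of `VpnConnections`); the
sample data below is constructed, and the STRONG baseline is this author's
policy, not an AWS default.
"""
from typing import Dict, List, Set

# Policy (assumption): IKEv2 only, AES-256, SHA-2 integrity, DH group 14 or stronger.
STRONG = {
    "IkeVersions": {"ikev2"},
    "Phase1EncryptionAlgorithms": {"AES256", "AES256-GCM-16"},
    "Phase2EncryptionAlgorithms": {"AES256", "AES256-GCM-16"},
    "Phase1IntegrityAlgorithms": {"SHA2-256", "SHA2-384", "SHA2-512"},
    "Phase2IntegrityAlgorithms": {"SHA2-256", "SHA2-384", "SHA2-512"},
    "Phase1DHGroupNumbers": set(range(14, 25)),
    "Phase2DHGroupNumbers": set(range(14, 25)),
}


def _weak_values(tunnel: Dict, key: str) -> Set:
    """Return the values of `key` that fall outside the baseline.

    Assumption: an empty list means the option was never restricted, so the
    AWS default set (which includes IKEv1, SHA1 and DH group 2) applies; that
    is reported as a finding rather than silently passed.
    """
    present = {item["Value"] for item in tunnel.get(key, [])}
    if not present:
        return {"<unrestricted>"}
    return present - STRONG[key]


def audit_vpn_connection(conn: Dict) -> List[str]:
    """Return human-readable findings for one VPN connection; an empty list means clean."""
    vpn_id = conn["VpnConnectionId"]
    findings: List[str] = []
    options = conn.get("Options", {})

    # Best practice: dynamic (BGP) routing, not static routes.
    if options.get("StaticRoutesOnly"):
        findings.append(f"{vpn_id}: static routing; use BGP so tunnel failover is automatic")

    # The two IPsec tunnels are the redundancy; a DOWN tunnel is a silent loss of it.
    up = [t for t in conn.get("VgwTelemetry", []) if t.get("Status") == "UP"]
    if len(up) < 2:
        findings.append(f"{vpn_id}: {len(up)} of 2 IPsec tunnels UP; redundancy lost")

    # Encryption only adds security if the negotiated suite is strong.
    for tunnel in options.get("TunnelOptions", []):
        weak = {k: sorted(map(str, _weak_values(tunnel, k))) for k in STRONG}
        weak = {k: v for k, v in weak.items() if v}
        if weak:
            ip = tunnel.get("OutsideIpAddress", "?")
            findings.append(f"{vpn_id} tunnel {ip}: weak IKE/IPsec options {weak}")
    return findings


def _tunnel(ip: str, ike, enc, integ, dh) -> Dict:
    """Build one constructed TunnelOptions entry (same suite for phase 1 and phase 2)."""
    def wrap(values):
        return [{"Value": v} for v in values]
    return {
        "OutsideIpAddress": ip,
        "IkeVersions": wrap(ike),
        "Phase1EncryptionAlgorithms": wrap(enc), "Phase2EncryptionAlgorithms": wrap(enc),
        "Phase1IntegrityAlgorithms": wrap(integ), "Phase2IntegrityAlgorithms": wrap(integ),
        "Phase1DHGroupNumbers": wrap(dh), "Phase2DHGroupNumbers": wrap(dh),
    }


# Constructed samples: a legacy connection (static routes, one tunnel down,
# unrestricted algorithm sets on tunnel 1) and a hardened one.
LEGACY_VPN = {
    "VpnConnectionId": "vpn-0a1b2c3d4e5f67890",
    "Options": {
        "StaticRoutesOnly": True,
        "TunnelOptions": [
            _tunnel("203.0.113.10", ["ikev1", "ikev2"], ["AES128", "AES256"], ["SHA1", "SHA2-256"], [2, 14]),
            _tunnel("203.0.113.11", ["ikev2"], ["AES256"], ["SHA2-256"], [14]),
        ],
    },
    "VgwTelemetry": [
        {"OutsideIpAddress": "203.0.113.10", "Status": "UP"},
        {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN"},
    ],
}
HARDENED_VPN = {
    "VpnConnectionId": "vpn-0f1e2d3c4b5a69870",
    "Options": {
        "StaticRoutesOnly": False,
        "TunnelOptions": [
            _tunnel("198.51.100.10", ["ikev2"], ["AES256-GCM-16"], ["SHA2-384"], [20]),
            _tunnel("198.51.100.11", ["ikev2"], ["AES256-GCM-16"], ["SHA2-384"], [20]),
        ],
    },
    "VgwTelemetry": [
        {"OutsideIpAddress": "198.51.100.10", "Status": "UP"},
        {"OutsideIpAddress": "198.51.100.11", "Status": "UP"},
    ],
}

if __name__ == "__main__":
    for conn in (LEGACY_VPN, HARDENED_VPN):
        print(conn["VpnConnectionId"], audit_vpn_connection(conn) or ["OK"])
```

Run it against real output by loading the JSON from `aws ec2 describe-vpn-connections` and passing each element of `VpnConnections` to `audit_vpn_connection`; the legacy sample produces three findings (static routing, one tunnel down, weak options on the first tunnel) and the hardened sample none.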

AWS VPN CloudHub

VPN CloudHub connects multiple on-premises sites to one VGW in a hub-and-spoke topology, so the sites can reach each other through AWS as well as the VPC. Each site needs its own customer gateway with a unique BGP ASN.

  • It is low cost and easy to manage.
  • It runs over the public internet, but all traffic is IPsec-encrypted.

Direct Connect (DX)

DX is a dedicated physical connection between the on-premises network and AWS, terminating on a customer router at a DX location or provided through a DX partner – 1 Gbps or 10 Gbps dedicated ports (partners also offer smaller hosted connections).

  • Virtual Interfaces (VIFs) run on top of the DX connection. DX traffic is not encrypted; if encryption is required, run a Site-to-Site VPN over a public VIF (or use MACsec where the dedicated port supports it).
    • Public VIFs reach AWS public service endpoints (for example S3 or DynamoDB) by their public IP addresses.
    • Private VIFs connect to a VPC through its VGW using private IP addresses; they cannot reach public IP addresses.
  • Use multiple private VIFs (one per VPC) to connect to multiple VPCs.
  • It takes weeks to provision. If you need access quickly, DX is not an option.
  • DX reduces network cost and gives consistent performance (stable latency, reliable bandwidth), so it is useful for high-throughput workloads.

Steps to create a Direct Connect Connection

  • Order the connection in the DX console (or from a DX partner) and wait for it to be provisioned; for a dedicated connection AWS issues an LOA-CFA to have the cross-connect installed at the DX location.
  • Create a Virtual Private Gateway, attach it to the target VPC and enable route propagation from it on the VPC route tables.
  • Create a PRIVATE virtual interface on the connection, associated with that VGW, giving the VLAN, your BGP ASN and the peer addresses. A public VIF only reaches AWS public endpoints, and no Customer Gateway is involved; that is a VPN component.
  • Download the router configuration and set up the VLAN sub-interface and BGP session on the on-premises router.
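The AWS-side part of that procedure (VGW, attachment, route propagation, then a private VIF bound to the VGW) as an added example, not code from the original post. It drives the boto3 `ec2` and `directconnect` clients in the order the steps must happen; any object exposing the same method names works, so the dry run at the bottom uses a recording fake instead of real AWS calls. Every ID, the VLAN, the ASN, the BGP key and the link addresses are placeholders (assumptions), and the fake's canned responses are constructed.

```python
"""Attach a VPC to an existing Direct Connect connection via a private VIF.

Added example, not from the original post. Pass real boto3 clients
(boto3.client("ec2"), boto3.client("directconnect")) to connect_vpc_over_dx;
dry_run() substitutes recording fakes. All IDs and link parameters are
placeholders (assumptions).
"""
import time
from typing import Any, Dict, List, Tuple


def wait_for_vgw_attachment(ec2: Any, vgw_id: str, vpc_id: str, attempts: int = 30) -> None:
    """Attachment is asynchronous; a VIF bound to an unattached VGW carries no traffic."""
    for _ in range(attempts):
        vgw = ec2.describe_vpn_gateways(VpnGatewayIds=[vgw_id])["VpnGateways"][0]
        states = {a["VpcId"]: a["State"] for a in vgw.get("VpcAttachments", [])}
        if states.get(vpc_id) == "attached":
            return
        time.sleep(5)
    raise TimeoutError(f"{vgw_id} did not attach to {vpc_id}")


def connect_vpc_over_dx(ec2: Any, dx: Any, *, vpc_id: str, route_table_ids: List[str],
                        connection_id: str, vlan: int, customer_asn: int, bgp_auth_key: str,
                        amazon_addr: str, customer_addr: str) -> Dict[str, str]:
    """VGW -> attach to VPC -> propagate routes -> private VIF bound to the VGW."""
    # 1. One virtual private gateway per VPC; it is the AWS end of the private VIF.
    vgw_id = ec2.create_vpn_gateway(Type="ipsec.1")["VpnGateway"]["VpnGatewayId"]
    ec2.attach_vpn_gateway(VpcId=vpc_id, VpnGatewayId=vgw_id)
    wait_for_vgw_attachment(ec2, vgw_id, vpc_id)

    # 2. Without propagation the on-prem prefixes learned over BGP never reach the
    #    VPC route tables: the classic "VIF is up but nothing routes" mistake.
    for rt_id in route_table_ids:
        ec2.enable_vgw_route_propagation(GatewayId=vgw_id, RouteTableId=rt_id)

    # 3. Private VIF: a VLAN-tagged sub-interface on the DX port with a BGP session
    #    over the link addresses, associated with the VGW (not a customer gateway).
    vif = dx.create_private_virtual_interface(
        connectionId=connection_id,
        newPrivateVirtualInterface={
            "virtualInterfaceName": f"{vpc_id}-private",
            "vlan": vlan,
            "asn": customer_asn,
            "authKey": bgp_auth_key,  # BGP MD5 password: the only authentication on this unencrypted link
            "amazonAddress": amazon_addr,
            "customerAddress": customer_addr,
            "addressFamily": "ipv4",
            "virtualGatewayId": vgw_id,
        },
    )
    return {"vgw_id": vgw_id, "vif_id": vif["virtualInterfaceId"]}


class RecordingClient:
    """Stand-in for a boto3 client: records every call and returns canned responses."""

    def __init__(self, responses: Dict[str, Any]) -> None:
        self.responses = responses
        self.calls: List[Tuple[str, Dict[str, Any]]] = []

    def __getattr__(self, name: str):
        def method(**kwargs: Any) -> Any:
            self.calls.append((name, kwargs))
            return self.responses.get(name, {})
        return method


def dry_run() -> Tuple[Dict[str, str], List[str], List[Tuple[str, Dict[str, Any]]]]:
    """Run the procedure against fakes; returns (ids, ec2 call names, dx calls)."""
    vpc_id, vgw_id = "vpc-0123456789abcdef0", "vgw-0123456789abcdef0"  # placeholders
    ec2 = RecordingClient({
        "create_vpn_gateway": {"VpnGateway": {"VpnGatewayId": vgw_id}},
        "describe_vpn_gateways": {"VpnGateways": [
            {"VpnGatewayId": vgw_id, "VpcAttachments": [{"VpcId": vpc_id, "State": "attached"}]}]},
    })
    dx = RecordingClient({"create_private_virtual_interface": {"virtualInterfaceId": "dxvif-0123456789abcdef0"}})
    ids = connect_vpc_over_dx(
        ec2, dx, vpc_id=vpc_id, route_table_ids=["rtb-0aaaaaaaaaaaaaaaa", "rtb-0bbbbbbbbbbbbbbbb"],
        connection_id="dxcon-0123456789abcdef0", vlan=101, customer_asn=65000,
        bgp_auth_key="replace-me", amazon_addr="169.254.255.1/30", customer_addr="169.254.255.2/30")
    return ids, [name for name, _ in ec2.calls], dx.calls


if __name__ == "__main__":
    print(dry_run())
```

The recorded call list is the check worth keeping: the VGW must exist and be attached before the VIF references it, and route propagation must be enabled on every route table that should learn on-premises prefixes, otherwise the VIF comes up with a working BGP session and no reachability.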

VPN vs. DX

  • VPN is used when: the connection is needed urgently, it must be deployed fast and cheaply, encryption is required, sites change often, the built-in two-tunnel redundancy is enough, or the need is short-term.
  • DX is used when: higher throughput, consistent performance and low latency are needed, or large amounts of data move regularly.
  • If you need an urgent connection, you can use VPN first and then move to DX for better throughput; the VPN can stay in place as a backup path.
