[AWS] VPN and DX

Hybrid cloud architecture combines resources in the cloud with on-premise resources and use them just like all resources are in the same environment. There are a couple of ways to setup communication between AWS VPCs and on-premise networks.

AWS Managed VPN

VPN (Virtual Private Network) provides a secure connection between a VPC and on-premise networks over the existing internet connection.

  • In AWS, VPN allows communication with all resources without public IP addresses and an Internet gateway.
    • It is a quick and simple way to establish a secure tunneled connection to a VPC.
  • VPN provides an additional level of security by encrypting traffic.
  • It works as a redundant connection option besides Direct Connect (DX).

VPN Components

  • Virtual Private Gateway (VPG) is attached to a VPC. Only one VPG is attached to VPC.
  • Customer Gateway (CGW) is the configuration for an on-premise router.
  • VPN connection – Each connection uses two IPsec tunnels (parallel routes) for redundancy.

Best Practices

  • Use dynamic VPN: It uses the Border Gateway Protocol (BPG)

AWS VPN CloudHub

VPN CloudHub is a hub that can connect multiple VPNs.

  • It is low cost and easy to manage.
  • It is over the public internet, but all traffic is encrypted.


  • If you have multiple sites in multiple VPNs, you can use AWS VPN CloudHub to connect these sites together.
    • You can use CloudHub to link remote offices to access AWS resources each other.


  • Assign multiple Customer Gateways to Virtual Private Gateway, each with unique IP ranges

Direct Connect (DX)

DX is a physical connection between the on-premise network and AWS via customer router at a DX location or via a DX partner – 1 Gbps or 10 Gbps.

Two Types of DX

  • Dedicated Connection: Physical connection to a single customer. Communication can be done through the AWS Direct Connect console, the CLI, or the API.
  • Hosted Connection: A customer requests a hosted connectivity through the contract with AWS DX Partner, who provisions the connection.

DX Features

  • Virtual Interfaces (VIFs) run on top of the DX. DX is not encrypted.
    • Public VIFs can only access AWS public service endpoints.
    • Private VIFs are used to connect to VPCs. It uses the internal IP addresses and cannot access public IP addresses.
  • Use multiple private VIF to connect to multiple VPCs.
  • It requires some time to setup. If you need quick access, DX is not an option.
  • DX reduces the network cost and increases the network consistency (stable and reliable). So it is useful for high throughput workloads.

Steps to create a Direct Connect Connection

  • Create a PUBLIC virtual interface in the DX console.
  • VPC console -> VPC Connections -> Create a Customer Gateway
  • Create a Virtual Private Gateway and attach it to the target VPC

VPN vs. DX

  • VPN is used when: urgent connection need, deployed fast, cheap and economical, encryption is required, flexible to change locations, highly available, short-term connection
  • DX is used when: higher throughput, consistent performance, low latency, large amount of data.
  • If you need an urgent connection, you can use VPN first and then move on to the DX for better throughput.

Leave a Comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s