Hybrid cloud architecture combines resources in the cloud with on-premise resources and use them just like all resources are in the same environment. There are a couple of ways to setup communication between AWS VPCs and on-premise networks.
AWS Managed VPN
VPN (Virtual Private Network) provides a secure connection between a VPC and on-premise networks over the existing internet connection.
- In AWS, VPN allows communication with all resources without public IP addresses and an Internet gateway.
- It is a quick and simple way to establish a secure tunneled connection to a VPC.
- VPN provides an additional level of security by encrypting traffic.
- It works as a redundant connection option besides Direct Connect (DX).
- Virtual Private Gateway (VPG) is attached to a VPC. Only one VPG is attached to VPC.
- Customer Gateway (CGW) is the configuration for an on-premise router.
- VPN connection – Each connection uses two IPsec tunnels (parallel routes) for redundancy.
- Use dynamic VPN: It uses the Border Gateway Protocol (BPG)
AWS VPN CloudHub
VPN CloudHub is a hub that can connect multiple VPNs.
- It is low cost and easy to manage.
- It is over the public internet, but all traffic is encrypted.
- If you have multiple sites in multiple VPNs, you can use AWS VPN CloudHub to connect these sites together.
- You can use CloudHub to link remote offices to access AWS resources each other.
- Assign multiple Customer Gateways to Virtual Private Gateway, each with unique IP ranges
Direct Connect (DX)
DX is a physical connection between the on-premise network and AWS via customer router at a DX location or via a DX partner – 1 Gbps or 10 Gbps.
Two Types of DX
- Dedicated Connection: Physical connection to a single customer. Communication can be done through the AWS Direct Connect console, the CLI, or the API.
- Hosted Connection: A customer requests a hosted connectivity through the contract with AWS DX Partner, who provisions the connection.
- Virtual Interfaces (VIFs) run on top of the DX. DX is not encrypted.
- Public VIFs can only access AWS public service endpoints.
- Private VIFs are used to connect to VPCs. It uses the internal IP addresses and cannot access public IP addresses.
- Use multiple private VIF to connect to multiple VPCs.
- It requires some time to setup. If you need quick access, DX is not an option.
- DX reduces the network cost and increases the network consistency (stable and reliable). So it is useful for high throughput workloads.
Steps to create a Direct Connect Connection
- Create a PUBLIC virtual interface in the DX console.
- VPC console -> VPC Connections -> Create a Customer Gateway
- Create a Virtual Private Gateway and attach it to the target VPC
VPN vs. DX
- VPN is used when: urgent connection need, deployed fast, cheap and economical, encryption is required, flexible to change locations, highly available, short-term connection
- DX is used when: higher throughput, consistent performance, low latency, large amount of data.
- If you need an urgent connection, you can use VPN first and then move on to the DX for better throughput.