Hybrid cloud architecture combines resources in the cloud with on-premise resources and uses them as if they were all in the same environment. There are a couple of ways to set up communication between AWS VPCs and on-premise networks.
AWS Managed VPN
VPN (Virtual Private Network) provides a secure connection between a VPC and on-premise networks over the existing internet connection.
- In AWS, a VPN allows communication with all VPC resources without public IP addresses or an Internet gateway.
- It is a quick and simple way to establish a secure tunneled connection to a VPC.
- VPN provides an additional level of security by encrypting traffic.
- It works as a redundant connection option besides Direct Connect (DX).
VPN Components
- Virtual Private Gateway (VPG) is attached to a VPC. Only one VPG can be attached to a VPC.
- Customer Gateway (CGW) is the AWS-side configuration that describes an on-premise router.
- VPN connection – Each connection uses two IPsec tunnels (parallel routes) for redundancy.
Best Practices
- Use dynamic VPN routing: it uses the Border Gateway Protocol (BGP)
AWS VPN CloudHub
VPN CloudHub is a hub that can connect multiple VPNs.
- It is low cost and easy to manage.
- It is over the public internet, but all traffic is encrypted.
Use-cases:
- If you have multiple sites in multiple VPNs, you can use AWS VPN CloudHub to connect these sites together.
- You can use CloudHub to link remote offices so they can access AWS resources and each other.
How:
- Assign multiple Customer Gateways to the Virtual Private Gateway, each with a unique IP range
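As an added example (not part of the original notes), here is a Terraform configuration that assumes the resource types and attributes of the HashiCorp AWS provider and ties together the VPN components and the CloudHub layout above: one VPG on the VPC, one Customer Gateway per on-premise site, one VPN connection per site (each with its two IPsec tunnels and BGP dynamic routing), and route propagation into the VPC route table. With more than one site this is exactly CloudHub: several Customer Gateways on a single VPG. The site IP addresses, ASNs and CIDRs are constructed placeholders, and pinning both tunnels to IKEv2 with AES-256/SHA-256/DH group 14 is a hardening choice added here, not something the notes prescribe.

```terraform
# Added example: VPN hub-and-spoke (one VPC + several on-premise sites).
# Resource types/attributes are those of the HashiCorp AWS provider.
# All IPs, ASNs and CIDRs below are constructed placeholders.

variable "vpc_id"         { type = string }
variable "route_table_id" { type = string }

# One entry per on-premise site. For CloudHub every site needs a unique
# BGP ASN and a non-overlapping IP range; the range is advertised by the
# site's router over BGP and is listed here for documentation only.
variable "sites" {
  type = map(object({ public_ip = string, bgp_asn = number, cidr = string }))
  default = {
    "office-a" = { public_ip = "203.0.113.10",  bgp_asn = 65001, cidr = "10.10.0.0/16" }
    "office-b" = { public_ip = "198.51.100.20", bgp_asn = 65002, cidr = "10.20.0.0/16" }
  }
}

# Exactly one Virtual Private Gateway (the notes' "VPG") is attached to the VPC.
resource "aws_vpn_gateway" "vpg" {
  vpc_id          = var.vpc_id
  amazon_side_asn = 64512   # private ASN used by AWS on every BGP session
  tags            = { Name = "hybrid-vpg" }
}

# Customer Gateway = AWS-side description of each site's router.
resource "aws_customer_gateway" "site" {
  for_each   = var.sites
  bgp_asn    = each.value.bgp_asn
  ip_address = each.value.public_ip
  type       = "ipsec.1"
  tags       = { Name = "cgw-${each.key}" }
}

# One VPN connection per site; AWS provisions two IPsec tunnels for each.
# static_routes_only = false selects dynamic routing over BGP (best practice).
resource "aws_vpn_connection" "site" {
  for_each            = var.sites
  vpn_gateway_id      = aws_vpn_gateway.vpg.id
  customer_gateway_id = aws_customer_gateway.site[each.key].id
  type                = "ipsec.1"
  static_routes_only  = false

  # Hardening added here: restrict both tunnels to IKEv2 with strong
  # phase-1/phase-2 proposals instead of the broad default negotiation set.
  tunnel1_ike_versions                 = ["ikev2"]
  tunnel2_ike_versions                 = ["ikev2"]
  tunnel1_phase1_encryption_algorithms = ["AES256"]
  tunnel2_phase1_encryption_algorithms = ["AES256"]
  tunnel1_phase1_integrity_algorithms  = ["SHA2-256"]
  tunnel2_phase1_integrity_algorithms  = ["SHA2-256"]
  tunnel1_phase1_dh_group_numbers      = [14]
  tunnel2_phase1_dh_group_numbers      = [14]
  tunnel1_phase2_encryption_algorithms = ["AES256"]
  tunnel2_phase2_encryption_algorithms = ["AES256"]
  tunnel1_phase2_integrity_algorithms  = ["SHA2-256"]
  tunnel2_phase2_integrity_algorithms  = ["SHA2-256"]
  tunnel1_phase2_dh_group_numbers      = [14]
  tunnel2_phase2_dh_group_numbers      = [14]

  tags = { Name = "vpn-${each.key}" }
}

# Let BGP-learned on-premise prefixes appear in the VPC route table
# automatically, so no static routes are maintained per site.
resource "aws_vpn_gateway_route_propagation" "vpc" {
  vpn_gateway_id = aws_vpn_gateway.vpg.id
  route_table_id = var.route_table_id
}

# AWS-side tunnel endpoints each site's router must peer with.
output "tunnel_endpoints" {
  value = {
    for k, c in aws_vpn_connection.site : k => [c.tunnel1_address, c.tunnel2_address]
  }
}
```

Running `terraform plan` against the placeholder values shows the four tunnels (two per site) before anything is created. The router configuration AWS generates for each site is exposed through the `customer_gateway_configuration` attribute of each `aws_vpn_connection`; it contains the tunnel pre-shared keys, so treat it as a secret rather than writing it to an output or a shared state backend that is not encrypted.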
Direct Connect (DX)
DX is a physical connection between the on-premise network and AWS, via a customer router at a DX location or via a DX partner, at 1 Gbps or 10 Gbps.
Two Types of DX
- Dedicated Connection: a physical connection dedicated to a single customer. It is managed through the AWS Direct Connect console, the CLI, or the API.
- Hosted Connection: the customer requests hosted connectivity through a contract with an AWS DX Partner, who provisions the connection.
DX Features
- Virtual Interfaces (VIFs) run on top of the DX connection. DX traffic itself is not encrypted.
- Public VIFs can only access AWS public service endpoints.
- Private VIFs are used to connect to VPCs. They use private IP addresses and cannot reach public IP addresses.
- Use multiple private VIFs to connect to multiple VPCs.
- It takes some time to set up. If you need quick access, DX is not an option.
- DX reduces network cost and increases network consistency (stable and reliable), so it is useful for high-throughput workloads.
Steps to create a Direct Connect Connection
- Create a PUBLIC virtual interface in the DX console.
- VPC console -> VPC Connections -> Create a Customer Gateway
- Create a Virtual Private Gateway and attach it to the target VPC
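Added example (not from the notes): the Direct Connect side of the steps above in Terraform, assuming the HashiCorp AWS provider's resource types. The DX connection ID, VLANs, addresses and ASN are constructed placeholders; the connection ID must be that of an existing dedicated or hosted connection. Besides the public VIF the steps mention, it also shows a private VIF bound to the VPG for VPC access, and puts a BGP authentication key on each BGP session since DX carries no encryption of its own.

```terraform
# Added example: Direct Connect virtual interfaces in Terraform.
# Resource types/attributes are those of the HashiCorp AWS provider.
# Connection ID, VLANs, addresses and ASN are constructed placeholders.

variable "vpc_id" { type = string }

# ID of an existing DX connection (dedicated) or hosted connection.
variable "dx_connection_id" {
  type    = string
  default = "dxcon-PLACEHOLDER"
}

# BGP MD5 key shared with the on-premise router; supply it from a secrets
# store rather than a default value so it never lands in version control.
variable "bgp_auth_key" {
  type      = string
  sensitive = true
}

# VPG attached to the target VPC; the private VIF terminates on it.
resource "aws_vpn_gateway" "vpg" {
  vpc_id = var.vpc_id
  tags   = { Name = "dx-vpg" }
}

# Private VIF: private addressing only, reaches the VPC and nothing public.
resource "aws_dx_private_virtual_interface" "vpc" {
  connection_id    = var.dx_connection_id
  name             = "private-vif-vpc"
  vlan             = 100
  address_family   = "ipv4"
  bgp_asn          = 65000                # on-premise (customer) ASN
  vpn_gateway_id   = aws_vpn_gateway.vpg.id
  amazon_address   = "169.254.100.1/30"   # link-local /30 for the BGP session
  customer_address = "169.254.100.2/30"
  bgp_auth_key     = var.bgp_auth_key
  mtu              = 1500
}

# Public VIF: AWS public service endpoints only (S3, DynamoDB, ...).
# AWS verifies that you own the public prefixes you advertise here.
resource "aws_dx_public_virtual_interface" "public" {
  connection_id         = var.dx_connection_id
  name                  = "public-vif"
  vlan                  = 200
  address_family        = "ipv4"
  bgp_asn               = 65000
  customer_address      = "203.0.113.1/30"   # placeholder public /30
  amazon_address        = "203.0.113.2/30"
  bgp_auth_key          = var.bgp_auth_key
  route_filter_prefixes = ["203.0.113.0/24"] # placeholder prefix to advertise
}

output "vif_ids" {
  value = {
    private = aws_dx_private_virtual_interface.vpc.id
    public  = aws_dx_public_virtual_interface.public.id
  }
}
```

The public VIF is also the path to use when traffic over DX must be encrypted despite the link itself not being: an IPsec Site-to-Site VPN can be terminated across it, which gives the consistent throughput of DX together with the encryption the VPN section describes.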
VPN vs. DX
- VPN is used when: the connection is needed urgently, must be deployed fast, must be cheap and economical, requires encryption, needs the flexibility to change locations, must be highly available, or is short-term.
- DX is used when: higher throughput, consistent performance, low latency, or large amounts of data are required.
- If you need an urgent connection, you can use a VPN first and then move to DX for better throughput.