VPN and AWS Direct Connect

Most organisations do not run everything in the cloud. They have on-premises data centres, branch offices, or co-location facilities that need to communicate securely with their AWS VPCs. AWS provides two primary connectivity options: Site-to-Site VPN for encrypted tunnels over the public internet, and AWS Direct Connect for dedicated private network links. This lesson compares both and explains when to use each.

---

AWS Site-to-Site VPN

A Site-to-Site VPN creates an encrypted IPsec tunnel between your on-premises network and your AWS VPC over the public internet.

Components

Component	Where	Purpose
Virtual Private Gateway (VGW)	AWS side	VPN endpoint attached to a VPC
Customer Gateway (CGW)	On-premises side	Represents your on-premises router/firewall
VPN Connection	Between VGW and CGW	The encrypted tunnel(s)

Architecture

On-Premises Network
  ┌──────────────────┐
  │ Customer Gateway  │  (your router)
  │  Public IP: x.x.x.x │
  └────────┬─────────┘
           │  IPsec tunnel (encrypted)
           │  over the public internet
           ▼
  ┌──────────────────┐
  │ Virtual Private   │  (AWS-managed)
  │ Gateway (VGW)     │
  └────────┬─────────┘
           │
           ▼
  ┌──────────────────┐
  │     VPC          │
  │  10.0.0.0/16     │
  └──────────────────┘

Key Properties

Property	Detail
Encryption	IPsec (AES-256)
Tunnels	Two tunnels per connection for redundancy
Bandwidth	Up to 1.25 Gbps per tunnel
Latency	Variable — depends on internet path
Setup time	Minutes to hours
Cost	~$0.05/hour per VPN connection + data transfer
Availability	Each tunnel terminates in a different AZ

Accelerated VPN

AWS Global Accelerator can be used with Site-to-Site VPN to route traffic through the AWS global backbone instead of the public internet, improving latency and consistency.

When to Use Site-to-Site VPN

• You need connectivity quickly (can be set up in under an hour)
• Your bandwidth requirements are under 1.25 Gbps per tunnel
• You want an encrypted connection
• You want a backup for Direct Connect
• Your budget is limited

---

AWS Direct Connect

AWS Direct Connect provides a dedicated, private network connection between your on-premises data centre and AWS. Traffic does not traverse the public internet.

How It Works

1. You establish a physical connection from your data centre (or co-location) to an AWS Direct Connect location (a partner facility).
2. AWS provisions a cross-connect between your router and the AWS router at that location.
3. You create virtual interfaces (VIFs) over the physical connection:
   • Private VIF — access your VPC via private IPs
   • Public VIF — access AWS public services (S3, DynamoDB, etc.) without going through the internet
   • Transit VIF — connect to a Transit Gateway

Architecture

On-Premises Data Centre
  ┌──────────────────┐
  │  Your Router      │
  └────────┬─────────┘
           │  Dedicated fibre / cross-connect
           ▼
  ┌──────────────────────────────┐
  │  AWS Direct Connect Location │
  │  (partner co-location)       │
  │  ┌──────────────────┐       │
  │  │ AWS Router        │       │
  │  └────────┬─────────┘       │
  └───────────┼─────────────────┘
              │  AWS backbone
              ▼
  ┌──────────────────┐
  │  VPC / Transit GW │
  └──────────────────┘

Key Properties

Property	Detail
Connection speeds	1 Gbps, 10 Gbps, 100 Gbps (dedicated); 50 Mbps – 10 Gbps (hosted)
Latency	Consistent, lower than VPN (private path)
Encryption	Not encrypted by default — use MACsec (layer 2) or VPN over Direct Connect for encryption
Setup time	Days to weeks (physical provisioning required)
Cost	Port-hour charge + data transfer out (varies by speed and location)
Availability	Single connection is a single point of failure

Dedicated vs Hosted Connections

Type	Speed	Port	Provisioned by
Dedicated	1 / 10 / 100 Gbps	Physical port allocated to you	AWS
Hosted	50 Mbps – 10 Gbps	Sub-port via an AWS partner	AWS Direct Connect Partner