Network to AWS VPC Connectivity Options


I was studying for an AWS certification and was stumped by a question regarding establishing a secure yet low latency connectivity option between an on-premises network and an AWS VPC. 

Spoiler - Direct Connect + VPN. 

This made me realize that I had gaps in my understanding of the various connectivity options. Thus, I read the whitepaper on AWS - Network to AWS VPC Connectivity Options. The following post describes what I learned. You can skip the rest of this post and check out the table here for a quick overview. 

At a high level, there are 3 components/concepts. These can be combined together or used individually based on the requirements.

  • VPN
  • Transit Gateway
  • Direct Connect

VPN 

AWS lets you attach a virtual private gateway (VGW) to each VPC. A Site-to-Site VPN between your on-premises network and the VPC terminates on the VGW; the traffic crosses the public Internet inside IPsec tunnels. 

Each VPN connection comes with two IPsec tunnels terminating on separate AWS endpoints, so the AWS side is redundant by default; the customer device has to be configured to use both tunnels for that to help. On the customer side, matching redundancy means more than one customer gateway device, each with its own VPN connection to the VGW. 

Routing over the VPN is either dynamic, with BGP between the customer gateway and the VGW exchanging prefixes and withdrawing them when a tunnel dies, or static, with the on-premises prefixes configured on the VPN connection by hand.
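The redundancy above is only real while both tunnels of a connection are up and, for dynamic routing, while BGP has actually learned prefixes over them. The following checker is an added example written for this post, not code from the post or from AWS. It parses the JSON shape that `aws ec2 describe-vpn-connections` prints (per-tunnel `Status` and `AcceptedRouteCount` under `VgwTelemetry`), but the document it reads is constructed inline with made-up resource ids so it runs offline.

```python
"""Check that Site-to-Site VPN connections still have tunnel redundancy.

Added example for this post, not code from the post or from AWS. It reads
the JSON shape printed by `aws ec2 describe-vpn-connections`
(VpnConnections[].VgwTelemetry[] carries per-tunnel Status and
AcceptedRouteCount); the document below is constructed inline, with
made-up resource ids, so the check runs offline.
"""
import json

# Constructed sample in the shape of `aws ec2 describe-vpn-connections` output.
# AWS provisions two tunnels per connection; the second connection is degraded.
SAMPLE_DESCRIBE_VPN_CONNECTIONS = json.dumps({
    "VpnConnections": [
        {   # healthy: both tunnels up, BGP learned routes on each
            "VpnConnectionId": "vpn-0a1b2c3d4e5f60001",
            "State": "available",
            "VpnGatewayId": "vgw-0123456789abcdef0",
            "CustomerGatewayId": "cgw-0123456789abcdef0",
            "Options": {"StaticRoutesOnly": False},
            "VgwTelemetry": [
                {"OutsideIpAddress": "203.0.113.10", "Status": "UP", "AcceptedRouteCount": 3},
                {"OutsideIpAddress": "203.0.113.11", "Status": "UP", "AcceptedRouteCount": 3},
            ],
        },
        {   # degraded: one tunnel down, the other up but with an empty BGP table
            "VpnConnectionId": "vpn-0a1b2c3d4e5f60002",
            "State": "available",
            "VpnGatewayId": "vgw-0123456789abcdef0",
            "CustomerGatewayId": "cgw-0123456789abcdef1",
            "Options": {"StaticRoutesOnly": False},
            "VgwTelemetry": [
                {"OutsideIpAddress": "203.0.113.20", "Status": "UP", "AcceptedRouteCount": 0},
                {"OutsideIpAddress": "203.0.113.21", "Status": "DOWN", "AcceptedRouteCount": 0},
            ],
        },
    ]
})


def assess_vpn_redundancy(describe_output, min_up_tunnels=2):
    """Return one finding per VPN connection that has lost redundancy.

    A finding lists the connection id and the reasons: fewer than
    min_up_tunnels tunnels in state UP, or (dynamic routing only) a tunnel
    that is UP at the IPsec layer but over which BGP has accepted no routes,
    which means the tunnel carries nothing even though it looks healthy.
    """
    findings = []
    for conn in json.loads(describe_output)["VpnConnections"]:
        telemetry = conn.get("VgwTelemetry", [])
        up = [t for t in telemetry if t.get("Status") == "UP"]
        issues = []
        if len(up) < min_up_tunnels:
            issues.append(f"only {len(up)} of {len(telemetry)} tunnels UP")
        dynamic = not conn.get("Options", {}).get("StaticRoutesOnly", False)
        if dynamic:
            for t in up:
                if t.get("AcceptedRouteCount", 0) == 0:
                    issues.append(
                        f"tunnel {t['OutsideIpAddress']} is UP but BGP has accepted 0 routes"
                    )
        if issues:
            findings.append({"VpnConnectionId": conn["VpnConnectionId"], "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in assess_vpn_redundancy(SAMPLE_DESCRIBE_VPN_CONNECTIONS):
        print(finding["VpnConnectionId"], "; ".join(finding["issues"]))
```

To use it against a real account, pipe the CLI output in place of the constructed sample (`aws ec2 describe-vpn-connections --output json`); the `AcceptedRouteCount` check is the one that catches the quiet failure where IPsec is up but the BGP session behind it has dropped.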

AWS VPN CloudHub

A VGW can also act as a hub between multiple company sites through the VPN CloudHub feature: each branch's customer gateway gets its own VPN connection to the VGW, each using BGP with a distinct ASN, and the VGW re-advertises every site's prefixes to the others, so branches reach each other through AWS as well as reaching the VPC.


Transit Gateway + VPN

Managing a VGW per VPC, plus a VPN connection per VGW, gets tedious once there are many VPCs for different environments and internal clients. A Transit Gateway is a regional hub that VPCs attach to and that holds the routing between them, and a Site-to-Site VPN can terminate on the Transit Gateway directly instead of on a per-VPC VGW.

The Transit Gateway is highly available on the AWS side, and customers can set up multiple customer gateways to get the same on their end.

I hadn't realized until I did some preliminary reading on Transit Gateway that it is more than just a component facilitating connectivity between on-premises data centers and AWS. Transit Gateways in different regions can be peered with each other, and a Transit Gateway holds its own route tables, so it acts as a cloud router and gives you one place to maintain the complete routing picture.

Direct Connect

The VPN options in the previous sections run over the public Internet, so latency and throughput are whatever the Internet path delivers that day. Some workloads need consistently low latency, more bandwidth, lower data-transfer costs or predictable network performance. For those, Direct Connect is the better option.

Direct Connect is a dedicated link between the on-premises data center and an AWS Direct Connect location (a colocation facility housing an AWS router, not an AWS data center itself). Getting from your premises to that location generally means a circuit from a telecom provider or an AWS Direct Connect Partner.

Traffic from the customer router onto the Direct Connect is carried on 802.1Q VLANs, an industry standard, and each VLAN is one virtual interface (VIF). A private VIF reaches a VPC through a VGW or a Direct Connect gateway; a public VIF reaches AWS public endpoints (S3, or the VPN endpoints used below); a transit VIF reaches a Transit Gateway through a Direct Connect gateway.
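Because every VIF is just a VLAN id on the same physical port, the thing that separates your production private VIF from your public VIF is the 16-bit 802.1Q tag in each frame. The parser below is an added example written for this post, not code from the post or from AWS: it builds and parses tagged frames and maps the VLAN id to a VIF. The VLAN ids and VIF names in `VIF_BY_VLAN` are invented, and the frames are constructed in-process so it runs offline.

```python
"""Parse 802.1Q-tagged Ethernet frames and map the VLAN id to a Direct
Connect virtual interface (VIF).

Added example for this post, not code from the post or from AWS. Each VIF
on a Direct Connect connection is its own 802.1Q VLAN; the VLAN ids and VIF
names in VIF_BY_VLAN are invented, and frames are built in-process so this
runs offline.
"""
import struct

TPID_8021Q = 0x8100      # EtherType that announces a VLAN tag follows
ETHERTYPE_IPV4 = 0x0800

# Constructed VIF table for one Direct Connect connection (assumed values).
VIF_BY_VLAN = {
    100: {"name": "private-vif-prod", "type": "private"},   # to a VGW / DX gateway
    200: {"name": "public-vif", "type": "public"},          # to AWS public endpoints
    300: {"name": "transit-vif", "type": "transit"},        # to a Transit Gateway
}


def build_8021q_frame(dst_mac, src_mac, vlan, ethertype, payload, pcp=0):
    """Build dst | src | TPID | TCI | EtherType | payload with one 802.1Q tag."""
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN id must be 1..4094")
    tci = (pcp << 13) | vlan          # PCP (3 bits) | DEI (1 bit, 0 here) | VID (12 bits)
    header = struct.pack(
        "!6s6sHHH",
        bytes.fromhex(dst_mac.replace(":", "")),
        bytes.fromhex(src_mac.replace(":", "")),
        TPID_8021Q, tci, ethertype,
    )
    return header + payload


def parse_8021q(frame):
    """Return the tag fields of a tagged frame; reject untagged or truncated frames."""
    if len(frame) < 18:
        raise ValueError("frame too short for an 802.1Q header")
    dst, src, tpid, tci, ethertype = struct.unpack("!6s6sHHH", frame[:18])
    if tpid != TPID_8021Q:
        raise ValueError(
            f"untagged frame (EtherType 0x{tpid:04x}): Direct Connect requires 802.1Q tags"
        )
    vlan = tci & 0x0FFF
    if vlan in (0, 0x0FFF):           # 0 = priority-only tag, 4095 = reserved
        raise ValueError(f"reserved VLAN id {vlan}")
    return {
        "dst": dst.hex(":"), "src": src.hex(":"),
        "pcp": tci >> 13, "dei": (tci >> 12) & 1,
        "vlan": vlan, "ethertype": ethertype, "payload": frame[18:],
    }


def classify_frame(frame):
    """Name the VIF a frame belongs to, or explain why it would be dropped."""
    tag = parse_8021q(frame)
    vif = VIF_BY_VLAN.get(tag["vlan"])
    if vif is None:
        return f"drop: VLAN {tag['vlan']} is not configured as a VIF"
    return f"{vif['name']} ({vif['type']})"


if __name__ == "__main__":
    frame = build_8021q_frame("02:00:00:00:00:01", "02:00:00:00:00:02",
                              100, ETHERTYPE_IPV4, bytes(20))
    print(parse_8021q(frame)["vlan"], classify_frame(frame))
```

The practical point for a security review: the customer-side router decides which tag goes on each frame, so whoever controls that router's VLAN configuration controls which VIF, and therefore which VPC or public endpoint, a given on-premises segment can reach. Keep that configuration under the same change control as your firewall rules.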

It is possible to set up multiple Direct Connect connections for redundancy and more bandwidth; for real resilience they should land at different Direct Connect locations, since a single location or circuit is a single point of failure.

Direct Connect Gateway

A private VIF attaches to a single VGW, and therefore a single VPC. With many VPCs, a Direct Connect gateway is the recommended way to manage this centrally: one private VIF attaches to the Direct Connect gateway, which is then associated with the VGWs of multiple VPCs, including VPCs in other regions.

Direct Connect + VPN

Direct Connect is a private circuit, but it is not encrypted. To encrypt it, run the VPC's Site-to-Site VPN over the Direct Connect: the VGW's VPN endpoints are reached over a public VIF, and the IPsec tunnels then ride the dedicated link instead of the Internet, giving Direct Connect's latency with the VPN's encryption. This is the combination behind the spoiler at the top.
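The other common reason to pair the two is failover: Direct Connect as the primary path and the VPN as the backup, both advertising the same on-premises prefixes to the same VGW. That only works because of how a VPC route table breaks ties. The model below is an added example written for this post, not code from the post or from AWS; it encodes the route-priority rules from the Amazon VPC user guide (longest prefix first; for an identical destination a static route in the VPC route table beats Direct Connect BGP, which beats VPN static, which beats VPN BGP, with the shortest AS PATH as the final tiebreak; the VPC's local route beats everything). The route entries and gateway id are constructed.

```python
"""Model of VPC route-table selection between Direct Connect and VPN routes.

Added example for this post, not code from the post or from AWS. It encodes
the route priority documented in the Amazon VPC user guide: longest prefix
wins; for an identical destination the order is static route in the VPC
route table, then Direct Connect BGP, then VPN static, then VPN BGP, with
the shortest AS PATH breaking ties between BGP routes. The local VPC route
always wins, even against a more specific propagated route. Route entries
and the gateway id below are constructed for illustration.
"""
import ipaddress

# Preference among routes with an identical destination, most preferred first.
SOURCE_RANK = {"static": 0, "dx_bgp": 1, "vpn_static": 2, "vpn_bgp": 3}


def select_route(routes, dest_ip):
    """Return the route entry a VPC would use for dest_ip, or None if nothing matches."""
    dest = ipaddress.ip_address(dest_ip)
    matching = [r for r in routes if dest in ipaddress.ip_network(r["prefix"])]
    if not matching:
        return None
    # The VPC's own CIDR (local route) is preferred over anything propagated,
    # regardless of prefix length.
    for r in matching:
        if r["source"] == "local":
            return r
    return min(
        matching,
        key=lambda r: (
            -ipaddress.ip_network(r["prefix"]).prefixlen,   # longest prefix first
            SOURCE_RANK[r["source"]],                        # then source preference
            r.get("as_path_len", 0),                         # then shortest AS PATH
        ),
    )


def path_for(routes, dest_ip):
    """Convenience wrapper: which source (dx_bgp, vpn_bgp, ...) carries dest_ip."""
    r = select_route(routes, dest_ip)
    return None if r is None else r["source"]


def without(routes, source):
    """Simulate a withdrawal, e.g. the Direct Connect BGP session dropping."""
    return [r for r in routes if r["source"] != source]


# Constructed route table: Direct Connect primary, VPN backup, both via one VGW.
ROUTE_TABLE = [
    {"prefix": "172.31.0.0/16", "target": "local", "source": "local"},
    {"prefix": "10.0.0.0/16", "target": "vgw-0123456789abcdef0", "source": "dx_bgp", "as_path_len": 1},
    {"prefix": "10.0.0.0/16", "target": "vgw-0123456789abcdef0", "source": "vpn_bgp", "as_path_len": 1},
]


if __name__ == "__main__":
    print("normal:   ", path_for(ROUTE_TABLE, "10.0.5.5"))
    print("dx down:  ", path_for(without(ROUTE_TABLE, "dx_bgp"), "10.0.5.5"))
```

The caveat this makes visible: preference by source only applies when prefix lengths are equal. If the on-premises side ever advertises a more specific prefix over the VPN than over Direct Connect (say 10.0.5.0/24 over the tunnel while the circuit carries 10.0.0.0/16), that /24 silently moves onto the Internet path. Prefix-list filters on the customer gateway are the control.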

Direct Connect + Transit Gateway

With a Transit Gateway, the Direct Connect can deliver traffic to it through a Direct Connect gateway and a transit VIF, so one connection serves every VPC attached to the Transit Gateway, including those in other regions, and routing is managed in one place.

Direct Connect + Transit Gateway + VPN

The connection can be encrypted by terminating a VPN attachment on the Transit Gateway over the Direct Connect, so traffic is encrypted end to end while still using the dedicated link.