Lesson 24

Hybrid Connectivity

AWS Site-to-Site VPN and AWS Direct Connect

1. Connecting VPC to On-Premises

By default, instances in a VPC cannot communicate with a remote on-premises network. AWS provides two primary options to establish this connectivity: AWS Site-to-Site VPN (over the public internet) and AWS Direct Connect (dedicated private connection).

2. AWS Site-to-Site VPN

AWS Site-to-Site VPN creates a secure, encrypted connection between your VPC and your on-premises data center over the public internet.

Components

Component	Description
Virtual Private Gateway	The AWS-side VPN concentrator attached to your VPC. It is the target for VPN-bound traffic in your route table.
Customer Gateway	An AWS resource that provides information to AWS about your on-premises VPN device (IP address, routing). It is not a physical device.
VPN Connection	The secure encrypted tunnel between the virtual private gateway and the customer gateway.

Setup Steps

Create a virtual private gateway and attach it to your VPC.
Define the customer gateway resource with your on-premises VPN device information.
Establish the Site-to-Site VPN connection between the two gateways.
Update route tables to point on-premises-bound traffic to the virtual private gateway.
Update security group rules to allow traffic from the on-premises network.

Exam tip: Site-to-Site VPN runs over the public internet. It is encrypted and secure, but performance depends on internet conditions and bandwidth.

3. AWS Direct Connect

AWS Direct Connect (DX) enables you to establish a dedicated, private network connection between your on-premises data center and AWS. It uses open standard 802.1q VLANs.

Benefits over VPN

Reduces network costs (for high-volume data transfer)
Increases bandwidth throughput
Provides a more consistent network experience than internet-based connections
Bypasses the public internet entirely

Core idea: VPN = encrypted over the public internet (quick to set up, variable performance). Direct Connect = dedicated private fiber connection (takes longer to provision, consistent high performance).

4. Comparison

Feature	AWS Site-to-Site VPN	AWS Direct Connect
Network path	Public internet (encrypted)	Dedicated private connection
Setup time	Minutes to hours	Weeks (requires physical cabling)
Bandwidth	Up to ~1.25 Gbps	1 Gbps, 10 Gbps, or higher
Performance	Variable (internet-dependent)	Consistent, lower latency
Cost	Lower initial cost	Higher upfront but lower per-GB cost at scale
Encryption	IPsec encrypted	Not encrypted by default; can add IPsec on top

When to Choose Which

Need quick, low-cost connectivity for a proof of concept or low-volume traffic? → Site-to-Site VPN.

Need consistent high bandwidth, low latency, and reduced data transfer costs at scale? → AWS Direct Connect.

Need the highest reliability with a backup option? → Use DX as primary and Site-to-Site VPN as backup.

5. Quick Quiz

Primary Source: AWS Academy Module 5: Networking and Content Delivery (module-5.txt), Section 3: VPC Networking.

Ask your teacher: If you need to distinguish when to choose Site-to-Site VPN vs. Direct Connect, the key differentiators are setup speed (VPN = fast) vs. consistent performance (DX = dedicated). The exam may present a scenario that emphasizes one over the other.