The customer has a hybrid deployment, and they require a consistent connection between their data center and AWS. You should consider multiple architecture choices for this solution. However, I ultimately chose AWS Direct Connect because the customer needed consistent, dedicated throughput for the high volume of data that flows between the data center and AWS.
For more information about common networking setups with AWS, see Network-to-Amazon VPC connectivity options.
AWS Direct Connect
The AWS Direct Connect cloud service is the shortest path to your AWS resources. While your network traffic is in transit, it remains on the AWS global network and never touches the public internet. This isolation reduces the chance of encountering bottlenecks or unexpected increases in latency.
When you create a new connection, you can choose a hosted connection that’s provided by an AWS Direct Connect Delivery Partner, or choose a dedicated connection from AWS — and deploy at over 100 AWS Direct Connect locations around the globe. With AWS Direct Connect SiteLink, you can send data between AWS Direct Connect locations to create private network connections between the offices and data centers in your global network.
Each dedicated AWS Direct Connect connection consists of a single dedicated connection between ports on your router and an AWS Direct Connect device. We recommend establishing a second connection for redundancy.
When you request multiple ports at the same AWS Direct Connect location, they will be provisioned on redundant AWS equipment.
If you have configured a backup Internet Protocol security (IPsec) virtual private network (VPN) connection instead, all virtual private cloud (VPC) traffic will fail over to the VPN connection automatically. Traffic to or from public resources, such as Amazon Simple Storage Service (Amazon S3), will be routed over the internet. If you don’t have a backup AWS Direct Connect link or an IPsec VPN link, then Amazon VPC traffic will be dropped if a failure occurs. Traffic to or from public resources will be routed over the internet.
For more general information about AWS Direct Connect, see What is AWS Direct Connect? and AWS Direct Connect FAQs.
AWS Managed VPN
AWS Site-to-Site VPN
By default, instances that you launch into a VPC can’t communicate with your own (remote) network. You can enable access to your remote network from your VPC by creating an AWS Site-to-Site VPN connection, and configuring routing to pass traffic through the connection.VPN connection is a general term, but in AWS, a VPN connection refers to the connection between your VPC and your own on-premises network. Site-to-Site VPN supports IPsec VPN connections.
Virtual private gateway
A virtual private gateway is the VPN concentrator on the Amazon side of the Site-to-Site VPN connection. You create a virtual private gateway and attach it to the VPC where you want to create the Site-to-Site VPN connection.
Consider taking this approach when you want to take advantage of an AWS managed VPN endpoint that includes automated redundancy and failover built into the AWS side of the VPN connection.
The virtual private gateway also supports and encourages multiple user gateway connections so that you can implement redundancy and failover on your side of the VPN connection, as shown in the following figure.
The previous diagram also shows a customer gateway on the customer-network side. A customer gateway device is a physical or software appliance that you own or manage in your on-premises network (that is, on your side of a Site-to-Site VPN connection). You or your network administrator must configure the device to work with the Site-to-Site VPN connection.
AWS Client VPN
AWS Client VPN is a fully managed, remote-access VPN solution that your remote workforce can use to securely access resources within both AWS and your on-premises network. It’s fully elastic, so it automatically scales up or down, based on demand. When you migrate applications to AWS, your users access the applications in the same way before, during, and after the move. AWS Client VPN, including the software client, supports the OpenVPN protocol.The following scenarios are examples of how you could use AWS Client VPN.
Scenario 1
The configuration for this scenario includes a single target VPC. We recommend this configuration if you need to give clients access to the resources inside only a single VPC.
Scenario 2
The configuration for this scenario includes access to only an on-premises network. We recommend this configuration if you need to give clients access to the resources inside only an on-premises network.
Scenario 3
In the configuration for the scenario shown in the following diagram, clients can access a single VPC, and clients can also route traffic to each other. We recommend this configuration if the clients that connect to the same client VPN endpoint also need to communicate with each other. Clients can communicate with each other by using the unique IP address that’s assigned to them from the client Classless Inter-Domain Routing (CIDR) range when they connect to the client VPN endpoint.
- For more information about AWS Site-to-Site VPN, see What is Amazon Site-to-Site VPN?
For more resources about AWS VPN services, see the following:
- For more information about AWS Client VPN, see What is AWS Client VPN?
AWS Transit Gateway
Morgan mentioned that if multiple Regions or AWS accounts were all connected to a remote data center by using AWS Direct Connect, then she might recommend using AWS Transit Gateway.
AWS Transit Gateway connects your VPCs and on-premises networks through a central hub. This arrangement simplifies your network and minimizes complex peering relationships. Transit Gateway acts as a cloud router — each new connection is made only once.
As you expand globally, inter-Region peering connects transit gateways together through the AWS global network. Your data is automatically encrypted and never travels over the public internet.
Without AWS Transit Gateway
The following diagram shows what a network solution might look like without the use of AWS Transit Gateway. Notice that there are many different connection points between the different components. This network configuration is complex, and it can be difficult to manage.
With AWS Transit Gateway
In contrast, the following diagram shows what a network solution might look like with the use of AWS Transit Gateway. Transit Gateway is the hub for the connections between the different networks. Using a transit gateway can make the network easier to manage. You can apply route tables so that the transit gateway can connect networks to each other in a more centralized manner.
The following example shows what using AWS Transit Gateway with AWS Direct Connect could look like for a solution that has a remote network and three AWS Regions. Each Region has multiple VPCs.
For more information about AWS Transit Gateway, see What is a transit gateway?
