AWS Hybrid Networking - keshavbaweja-git/guides GitHub Wiki
AWS Virtual Private Gateway (VGW)
AWS VGW is a highly available, regional service. It contains multiple redundant components distributed across AZs in a VPC. It offers distributed IP routing and forwarding at VPC level. It acts as the gateway for your VPC to communicate with your remote networks. VGW is capable of terminating AWS Site-to-Site VPN connections and also AWS Direct Connect private virtual interfaces.
AWS Transit Gateway (TGW)
AWS Transit Gateway is a highly available and scalable regional service that enables you to connect multiple VPCs and on-premises networks through a central hub over Site-to-Site VPN and/or Direct Connect. Conceptually, an AWS Transit Gateway acts like a virtual cloud router. It is built on AWS Hyperplane, the Network Function Virtualization platform that underpins many other AWS services, like Network Load Balancer and NAT Gateway.
What can be attached to TGW: VPC, VGW, DX, TGW, SD/WAN or 3rd party appliance
TGWs support inter-region and intra-region peering
AWS Direct Connect Gateway (DXGW)
DXGW is a global service. You can create DXGW in any AWS region and access it from any other AWS region. A Direct Connect connection can be linked to a DXGW via private or transit VIF. A DXGW can be associated with a VGW (associated directly with a VPC) or AWS Transit Gateway.
Hybrid network connection
Site-to-Site VPN
A site to site IPSec VPN enables two different sites (networks) to communicate securely over an untrusted transport like Internet. A VPN connection is established between On-Premises site and Amazon VPC. A S2S VPN connection is comprised of two IPSec tunnels for HA.
- AWS Managed Site-to-Site VPN
- AWS Managed Site-to-Site VPN with Accelerated Site-to-Site VPN connections
- Software Site-to-Site VPN
Direct Connect Connection
Establish a dedicated and private network connection from on-premises to AWS. A Direct Connect connection can be Dedicated or Hosted (provisioned by an AWS partner).
Direct Connect Virtual Interface is a logical interface built on top of the physical connection. There are three types of VIFs - public, private and transit.
Hybrid Connectivity Type considerations
Provisioning time
| Connectivity type | Provisioning type |
|---|---|
| Internet | Hours to days |
| DX Dedicated Connection | Days |
| when you already have equipment at DX location | |
| DX Hosted Connection | Few weeks |
| DX Dedicated Connection | Several weeks to months |
Security
| Connectivity type | Encrypted |
|---|---|
| Site-to-Site VPN | Yes |
| Direct Connect | No |
| S2S VPN over Direct Connect | Yes |
SLAs
| Connectivity type | SLA |
|---|---|
| Direct Connect with Maximum Resiliency | 99.99% |
| Direct Connect with High Resiliency | 99.9% |
| Any other connection type | No SLA |
Performance
| Connectivity type | Bandwidth |
|---|---|
| Direct Connect Dedicated/Hosted with LAG or ECMP | > 10 Gbps |
| Direct Connect Dedicated/Hosted | > 1.2 Gbps |
| AWS Accelerated S2S VPN with ECMP | > 1.2 Gbps |
| AWS S2S VPN | <= 1.2 Gbps |
https://docs.aws.amazon.com/whitepapers/latest/hybrid-connectivity/hybrid-connectivity.pdf