AWS Hybrid Networking - keshavbaweja-git/guides GitHub Wiki

AWS Virtual Private Gateway (VGW)

AWS VGW is a highly available, regional service. It consists of multiple redundant components distributed across AZs in a VPC, and it provides distributed IP routing and forwarding at the VPC level. It acts as the gateway through which your VPC communicates with your remote networks. A VGW can terminate both AWS Site-to-Site VPN connections and AWS Direct Connect private virtual interfaces.

AWS Transit Gateway (TGW)

AWS Transit Gateway is a highly available and scalable regional service that lets you connect multiple VPCs and on-premises networks through a central hub, over Site-to-Site VPN and/or Direct Connect. Conceptually, a Transit Gateway acts like a virtual cloud router. It is built on AWS Hyperplane, the Network Function Virtualization platform that underpins many other AWS services such as Network Load Balancer and NAT Gateway.

What can be attached to a TGW: a VPC, a VGW, Direct Connect, another TGW, or an SD-WAN / third-party appliance.

TGWs support both inter-region and intra-region peering.

AWS Direct Connect Gateway (DXGW)

DXGW is a global service: you can create a DXGW in any AWS region and access it from any other AWS region. A Direct Connect connection is linked to a DXGW through a private or transit VIF. A DXGW can be associated with a VGW (which is itself attached directly to a VPC) or with an AWS Transit Gateway.

Hybrid network connection

Site-to-Site VPN

A site-to-site IPsec VPN enables two different sites (networks) to communicate securely over an untrusted transport such as the Internet. The VPN connection is established between the on-premises site and an Amazon VPC. An S2S VPN connection consists of two IPsec tunnels for HA. The available options are:

  • AWS Managed Site-to-Site VPN
  • AWS Managed Site-to-Site VPN with Accelerated Site-to-Site VPN connections
  • Software Site-to-Site VPN

Direct Connect Connection

Direct Connect establishes a dedicated, private network connection from on-premises to AWS. A Direct Connect connection can be Dedicated or Hosted (provisioned by an AWS partner).

A Direct Connect Virtual Interface (VIF) is a logical interface built on top of the physical connection. There are three types of VIFs: public, private and transit.

Hybrid Connectivity Type considerations

Provisioning time

| Connectivity type | Provisioning time |
|---|---|
| Internet | Hours to days |
| DX Dedicated Connection (when you already have equipment at the DX location) | Days |
| DX Hosted Connection | Few weeks |
| DX Dedicated Connection | Several weeks to months |

Security

| Connectivity type | Encrypted |
|---|---|
| Site-to-Site VPN | Yes |
| Direct Connect | No |
| S2S VPN over Direct Connect | Yes |
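The Security table above has a practical consequence for auditing: a Direct Connect VIF is an unencrypted path unless an S2S VPN is run over it, and an S2S VPN only delivers the HA it promises while both of its IPsec tunnels are up. The script below is an added example, not part of this wiki page, that checks both conditions over a constructed inventory. It assumes the field names of `ec2 describe-vpn-connections` (`VgwTelemetry[].Status`) and `directconnect describe-virtual-interfaces` (`virtualInterfaceType`, `virtualInterfaceState`), and a hypothetical `Transport` tag of the form `dx:<vif-id>` that records which VIF a VPN is carried over.

```python
"""Audit a hybrid-connectivity inventory for unencrypted DX paths and
degraded S2S VPN tunnel redundancy (added example; constructed data)."""

# Constructed sample records, shaped like the AWS API responses named in
# the lead-in (field names are an assumption, values are made up).
VPN_CONNECTIONS = [
    {"VpnConnectionId": "vpn-0a1", "State": "available",
     "VgwTelemetry": [{"Status": "UP"}, {"Status": "UP"}],
     "Tags": [{"Key": "Transport", "Value": "internet"}]},
    {"VpnConnectionId": "vpn-0b2", "State": "available",
     "VgwTelemetry": [{"Status": "UP"}, {"Status": "DOWN"}],
     "Tags": [{"Key": "Transport", "Value": "dx:dxvif-ccc"}]},
]
VIRTUAL_INTERFACES = [
    {"virtualInterfaceId": "dxvif-aaa", "virtualInterfaceType": "private",
     "virtualInterfaceState": "available"},
    {"virtualInterfaceId": "dxvif-bbb", "virtualInterfaceType": "private",
     "virtualInterfaceState": "available"},
    {"virtualInterfaceId": "dxvif-ccc", "virtualInterfaceType": "public",
     "virtualInterfaceState": "available"},
]

def vpn_over_vif(vpn):
    """Return the VIF id a VPN runs over, from the hypothetical Transport tag."""
    for tag in vpn.get("Tags", []):
        if tag["Key"] == "Transport" and tag["Value"].startswith("dx:"):
            return tag["Value"][len("dx:"):]
    return None

def audit(vpns, vifs):
    """Return (resource id, finding, detail) tuples for the two risks."""
    findings, covered = [], set()
    for vpn in vpns:
        if vpn.get("State") != "available":
            continue
        up = sum(1 for t in vpn.get("VgwTelemetry", []) if t.get("Status") == "UP")
        if up < 2:  # an S2S VPN is only HA while both IPsec tunnels are UP
            findings.append((vpn["VpnConnectionId"], "vpn-ha-degraded", f"{up}/2 tunnels UP"))
        vif = vpn_over_vif(vpn)
        if vif:
            covered.add(vif)  # traffic through this VPN is encrypted over that VIF
    for vif in vifs:
        if vif.get("virtualInterfaceState") != "available":
            continue
        if vif["virtualInterfaceId"] not in covered:  # Direct Connect alone is not encrypted
            findings.append((vif["virtualInterfaceId"], "dx-unencrypted",
                             f"{vif['virtualInterfaceType']} VIF has no S2S VPN over it"))
    return findings

if __name__ == "__main__":
    for resource, finding, detail in audit(VPN_CONNECTIONS, VIRTUAL_INTERFACES):
        print(f"{resource}: {finding} ({detail})")
```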

SLAs

| Connectivity type | SLA |
|---|---|
| Direct Connect with Maximum Resiliency | 99.99% |
| Direct Connect with High Resiliency | 99.9% |
| Any other connection type | No SLA |

Performance

| Connectivity type | Bandwidth |
|---|---|
| Direct Connect Dedicated/Hosted with LAG or ECMP | > 10 Gbps |
| Direct Connect Dedicated/Hosted | > 1.2 Gbps |
| AWS Accelerated S2S VPN with ECMP | > 1.2 Gbps |
| AWS S2S VPN | <= 1.2 Gbps |

https://docs.aws.amazon.com/whitepapers/latest/hybrid-connectivity/hybrid-connectivity.pdf