# Chapter 12: AWS Direct Connect & VPN

## Hybrid Network Connectivity

## 12.1 Overview

AWS provides multiple options for connecting your on-premises infrastructure to the AWS cloud.
**Hybrid Connectivity Options**

| Option | Mechanism | Description |
|---|---|---|
| Site-to-Site VPN | IPSec tunnel | Encrypted tunnel over the internet |
| Direct Connect | Dedicated connection | Dedicated private connection |
| Client VPN | SSL-based user VPN | Managed OpenVPN-based user access |
## 12.2 AWS Site-to-Site VPN

### Architecture
**Site-to-Site VPN Architecture**

- On-premises: a Customer Gateway (router) in front of the private network
- AWS Cloud: a Virtual Private Gateway (VGW) attached to the VPC (10.0.0.0/16)
- Two IPSec tunnels between the Customer Gateway and the VGW

Features:

- Two tunnels for redundancy
- IPSec encryption
- Static routes or BGP
- Quick setup (minutes)
### VPN Components

1. Customer Gateway (CGW)
   - Physical router on-premises
   - Public IP address
   - BGP ASN (if using BGP)
2. Virtual Private Gateway (VGW)
   - AWS-managed VPN concentrator
   - Attached to VPC
   - Supports BGP
3. Transit Gateway (TGW)
   - Alternative to VGW
   - Hub for multiple VPCs
   - Better scalability
4. VPN Connection
   - Two IPSec tunnels
   - Different endpoints for HA
   - Each tunnel has 2 IPs (pair)
### Routing Options

**Static Routing**

Configuration:

- Manually specify routes
- Add routes to the route table

Route Table:

| Destination | Target |
|---|---|
| 10.0.0.0/16 | local |
| 192.168.1.0/24 | vpn-xxxxxx |

Pros: Simple, predictable
Cons: Manual updates, no failover

**Dynamic Routing (BGP)**

Configuration:

- BGP ASN on both sides
- Routes exchanged automatically

BGP Peering:

- AWS side: ASN 64512 (default) or custom; IPs 169.254.x.x (link-local)
- Customer side: your ASN (e.g., 65000); IPs 169.254.x.x (link-local)

Pros: Automatic failover, route propagation
Cons: More complex setup
## 12.3 AWS Direct Connect
### Architecture

**Direct Connect Architecture**

- Your data center: customer router
- A dedicated circuit from the customer router to the Direct Connect endpoint at the Direct Connect location
- The Direct Connect endpoint connects over the AWS backbone network to the VPC (10.0.0.0/16)

Features:

- Dedicated private connection
- No internet exposure
- Consistent network performance
- Reduced data transfer costs
### Direct Connect Components

1. Direct Connect Location
   - Colocation facility
   - AWS equipment installed
   - Multiple locations worldwide
2. Direct Connect Gateway
   - Global resource
   - Connects to multiple VPCs
   - Same or different regions
   - Works with Transit Gateway
3. Virtual Interface (VIF) types
   - a) Private VIF: access VPC resources; connects to a VGW or Direct Connect Gateway; uses private IP addresses
   - b) Public VIF: access AWS public services (S3, DynamoDB, etc.); uses public IP addresses
   - c) Transit VIF: connects to a Transit Gateway; hub for multiple VPCs
### Direct Connect Speeds

**Dedicated Connections**

| Speed | Use Case |
|---|---|
| 1 Gbps | Small workloads |
| 10 Gbps | Medium to large workloads |
| 100 Gbps | High-bandwidth requirements |

**Hosted Connections (Partner)**

| Speed | Use Case |
|---|---|
| 50 Mbps | Small workloads |
| 100 Mbps | Small to medium |
| 200 Mbps | Medium workloads |
| 300 Mbps | Medium workloads |
| 400 Mbps | Medium workloads |
| 500 Mbps | Medium workloads |

Port speeds: 1, 10, 100 Gbps
MACsec encryption available on 10/100 Gbps
## 12.4 Direct Connect + VPN (Hybrid)

**Why Combine?**

1. Encryption for Direct Connect
   - Direct Connect: no encryption by default
   - VPN over Direct Connect: IPSec encryption
2. Backup for Direct Connect
   - Primary: Direct Connect (high bandwidth)
   - Backup: Site-to-Site VPN (failover)

**Architecture**

The on-premises Customer Gateway reaches the Virtual Private Gateway over two paths: Direct Connect (primary) and Site-to-Site VPN (backup).

**BGP Configuration for Failover**

- Direct Connect: Local Preference 100 (preferred), shorter AS_PATH
- VPN backup: Local Preference 50 (backup), longer AS_PATH
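To make the failover decision concrete, the following is an added example (not code from the chapter or from AWS) that models BGP best-path selection with the two attributes the chapter names, LOCAL_PREF and AS_PATH, and shows the VPN path carrying traffic only while the Direct Connect path is withdrawn. The prefix, link names, ASNs and attribute values are constructed for the illustration; real routers apply further tie-breakers after these two.

```python
"""BGP best-path selection for the Direct Connect + VPN failover pattern.

Added example, not code from the chapter or from AWS. It applies the two
attributes the chapter names, LOCAL_PREF and AS_PATH, in standard BGP order
and shows the VPN path carrying traffic only while the Direct Connect path
is withdrawn. All prefixes, ASNs and attribute values are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BgpPath:
    prefix: str          # destination advertised by the peer
    learned_via: str     # which link the advertisement arrived on
    local_pref: int      # LOCAL_PREF assigned by the receiving router's policy
    as_path: tuple       # AS_PATH as received (leftmost = nearest AS)


def prepend(path: BgpPath, times: int) -> BgpPath:
    """Return a copy with the first ASN prepended `times` more times.

    AS_PATH prepending is how the advertising side makes one path less
    attractive than another without touching the receiver's policy.
    """
    return BgpPath(path.prefix, path.learned_via, path.local_pref,
                   (path.as_path[0],) * times + path.as_path)


def select_best(paths):
    """Pick the best path for one prefix.

    Tie-break order (the chapter's two attributes, in standard BGP order):
      1. highest LOCAL_PREF wins,
      2. shortest AS_PATH wins.
    Remaining ties fall back to the link name so the choice is deterministic;
    real routers continue with ORIGIN, MED and further tie-breakers.
    """
    if not paths:
        return None
    return min(paths, key=lambda p: (-p.local_pref, len(p.as_path), p.learned_via))


def build_rib(paths):
    """Group received paths per prefix and select the best for each."""
    by_prefix = {}
    for p in paths:
        by_prefix.setdefault(p.prefix, []).append(p)
    return {prefix: select_best(ps) for prefix, ps in by_prefix.items()}


# Constructed sample: the same VPC prefix advertised over both links.
VPC_PREFIX = "10.0.0.0/16"
AWS_ASN = 64512
DX_PATH = BgpPath(VPC_PREFIX, "direct-connect", local_pref=100, as_path=(AWS_ASN,))
# Backup path: lower LOCAL_PREF on the customer router and a prepended AS_PATH.
VPN_PATH = prepend(BgpPath(VPC_PREFIX, "site-to-site-vpn", local_pref=50,
                           as_path=(AWS_ASN,)), times=2)


def active_link(dx_up: bool) -> str:
    """Which link carries VPC traffic, given whether the DX path is present."""
    received = [VPN_PATH] + ([DX_PATH] if dx_up else [])
    return build_rib(received)[VPC_PREFIX].learned_via


if __name__ == "__main__":
    print("DX up:  ", active_link(True))    # direct-connect
    print("DX down:", active_link(False))   # site-to-site-vpn
```

The point to take from the model is that LOCAL_PREF is evaluated before AS_PATH length: a prepended VPN advertisement with the same LOCAL_PREF as the Direct Connect one still loses, but prepending alone is not a substitute for setting LOCAL_PREF on the router you control, because the remote side can change what it advertises.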
## 12.5 AWS Client VPN

**Architecture**

Remote users (laptops and mobile devices) connect to a Client VPN Endpoint, which gives them access to VPC resources.

Features:

- Managed OpenVPN-based service
- SSL/TLS authentication
- Certificate-based or SAML-based auth
- Access to VPC resources
- Split tunnel support
### Client VPN Authentication

**1. Certificate-based Authentication**

Setup:

1. Create Certificate Authority (ACM)
2. Import server certificate
3. Import client certificates
4. Configure VPN endpoint

Pros: Simple, AWS-native
Cons: Manual certificate management

**2. SAML-based Authentication**

Setup:

1. Create IAM Identity Provider
2. Configure SAML with IdP (Okta, Azure AD, etc.)
3. Create IAM role for VPN access
4. Configure VPN endpoint

Pros: SSO integration, centralized management
Cons: More complex setup

**3. Active Directory Authentication**

Setup:

1. AWS Managed AD or AD Connector
2. Associate directory with VPN endpoint
3. Users authenticate with AD credentials

Pros: Existing AD integration
Cons: Requires AD infrastructure
## 12.6 Transit Gateway

**Transit Gateway Architecture**

The Transit Gateway is the hub, with attachments to VPC A, VPC B, VPC C, a VPN connection, Direct Connect (DX) and VPC D.

Benefits:

- Central hub for network connectivity
- Simplifies network topology
- Transitive routing support
- Cross-region connectivity
- Scalable (thousands of attachments)
### Transit Gateway Route Tables

**Isolated Routing Pattern**

- Shared Services Route Table: routes to all VPCs; associated with the Shared Services VPC
- Production Route Table: routes to the Shared Services VPC only; associated with the Production VPCs
- Development Route Table: routes to the Shared Services VPC only; associated with the Development VPCs

Result:

- Production cannot reach Development
- Both can reach Shared Services
- Shared Services can reach all
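The isolation pattern is easy to get subtly wrong (a route table that is associated but never propagated, or a forward route without a return route), so here is an added example (not code from the chapter or from AWS) that models TGW attachments, route tables, associations and route propagation and then computes which VPCs can reach which. VPC names and CIDRs are constructed for the illustration.

```python
"""Transit Gateway route-table isolation check.

Added example, not code from the chapter or from AWS. It models TGW
attachments, route tables, associations and route propagation, then
evaluates which VPCs can reach which, reproducing the shared-services /
production / development pattern the chapter describes. VPC names and
CIDRs are constructed for the illustration.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class RouteTable:
    name: str
    routes: dict = field(default_factory=dict)  # ip_network -> attachment name

    def add_route(self, cidr: str, attachment: str) -> None:
        self.routes[ipaddress.ip_network(cidr)] = attachment

    def lookup(self, dst_ip: str):
        """Longest-prefix match; None means the TGW has no route and drops."""
        ip = ipaddress.ip_address(dst_ip)
        matches = [(net, att) for net, att in self.routes.items() if ip in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


class TransitGateway:
    def __init__(self):
        self.attachments = {}   # attachment name -> ip_network of the VPC
        self.route_tables = {}  # route table name -> RouteTable
        self.associations = {}  # attachment name -> table used for its ingress lookups

    def attach_vpc(self, name: str, cidr: str) -> None:
        self.attachments[name] = ipaddress.ip_network(cidr)

    def create_route_table(self, name: str) -> None:
        self.route_tables[name] = RouteTable(name)

    def associate(self, attachment: str, table: str) -> None:
        """Traffic entering the TGW from `attachment` is looked up in `table`."""
        self.associations[attachment] = table

    def propagate(self, attachment: str, table: str) -> None:
        """Install the attachment's CIDR into `table`, as TGW route propagation does."""
        self.route_tables[table].add_route(str(self.attachments[attachment]), attachment)

    def next_hop(self, src_attachment: str, dst_ip: str):
        table = self.associations.get(src_attachment)
        return None if table is None else self.route_tables[table].lookup(dst_ip)

    def can_reach(self, src: str, dst: str) -> bool:
        """True only if both the forward path and the return path exist."""
        src_ip = str(self.attachments[src][1])   # first host of each VPC CIDR
        dst_ip = str(self.attachments[dst][1])
        return self.next_hop(src, dst_ip) == dst and self.next_hop(dst, src_ip) == src


def build_isolated_tgw() -> TransitGateway:
    """The chapter's isolated routing pattern, with constructed VPCs."""
    tgw = TransitGateway()
    vpcs = {"shared": "10.0.0.0/16", "prod-a": "10.1.0.0/16",
            "prod-b": "10.2.0.0/16", "dev-a": "10.3.0.0/16"}
    for name, cidr in vpcs.items():
        tgw.attach_vpc(name, cidr)
    for table in ("shared-services", "production", "development"):
        tgw.create_route_table(table)
    tgw.associate("shared", "shared-services")
    tgw.associate("prod-a", "production")
    tgw.associate("prod-b", "production")
    tgw.associate("dev-a", "development")
    for name in vpcs:                          # shared services sees every VPC
        tgw.propagate(name, "shared-services")
    tgw.propagate("shared", "production")      # prod and dev see shared only
    tgw.propagate("shared", "development")
    return tgw


def reachability_matrix(tgw: TransitGateway) -> dict:
    names = sorted(tgw.attachments)
    return {(s, d): tgw.can_reach(s, d) for s in names for d in names if s != d}


if __name__ == "__main__":
    for (src, dst), ok in reachability_matrix(build_isolated_tgw()).items():
        print(f"{src:8} -> {dst:8} {'allowed' if ok else 'blocked'}")
```

Note that the model also isolates the two production VPCs from each other, because the production table only ever learns the shared-services prefix. In Terraform this pattern needs `default_route_table_association = "disable"` and `default_route_table_propagation = "disable"` on the `aws_ec2_transit_gateway`, plus one `aws_ec2_transit_gateway_route_table_association` and the required `aws_ec2_transit_gateway_route_table_propagation` resources per attachment; with the `"enable"` defaults shown in 12.7, every attachment shares one table and no isolation exists.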
## 12.7 Practical Configuration
### Site-to-Site VPN with Terraform

```hcl
# ============================================================
# Customer Gateway
# ============================================================
resource "aws_customer_gateway" "main" {
  bgp_asn    = 65000
  ip_address = "203.0.113.1" # On-premises router public IP
  type       = "ipsec.1"

  tags = {
    Name = "customer-gateway"
  }
}

# ============================================================
# Virtual Private Gateway
# ============================================================
resource "aws_vpn_gateway" "main" {
  vpc_id = aws_vpc.main.id

  tags = {
    Name = "vpn-gateway"
  }
}

# ============================================================
# VPN Connection
# ============================================================
resource "aws_vpn_connection" "main" {
  customer_gateway_id = aws_customer_gateway.main.id
  vpn_gateway_id      = aws_vpn_gateway.main.id
  type                = "ipsec.1"

  # Optional: set to true for static routes only; false uses BGP
  static_routes_only = false

  tags = {
    Name = "vpn-connection"
  }
}

# ============================================================
# VPN Gateway Route Propagation
# ============================================================
resource "aws_vpn_gateway_route_propagation" "private" {
  vpn_gateway_id = aws_vpn_gateway.main.id
  route_table_id = aws_route_table.private.id
}

# ============================================================
# Output VPN Configuration
# ============================================================
output "vpn_connection_configuration" {
  value = aws_vpn_connection.main.customer_gateway_configuration
  # The configuration contains the tunnel pre-shared keys; marking the
  # output sensitive keeps them out of plan/apply output.
  sensitive = true
}
```
### Direct Connect with Terraform

```hcl
# ============================================================
# Direct Connect Gateway
# ============================================================
resource "aws_dx_gateway" "main" {
  name            = "direct-connect-gateway"
  amazon_side_asn = 64512
}

# ============================================================
# Direct Connect Gateway Association
# ============================================================
# A Direct Connect Gateway is associated with a Virtual Private Gateway
# (or a Transit Gateway), not directly with a VPC. For the transit VIF
# below, the association must be with a Transit Gateway instead.
resource "aws_dx_gateway_association" "main" {
  dx_gateway_id         = aws_dx_gateway.main.id
  associated_gateway_id = aws_vpn_gateway.main.id
  allowed_prefixes      = [aws_vpc.main.cidr_block]
}

# ============================================================
# Direct Connect Connection (requires physical provisioning)
# ============================================================
# Note: Direct Connect connections are typically provisioned
# through the AWS console or AWS support, not Terraform.

# ============================================================
# Transit VIF for Transit Gateway
# ============================================================
variable "bgp_auth_key" {
  description = "BGP MD5 authentication key; pass via TF_VAR_bgp_auth_key or a secrets store, never hardcode it"
  type        = string
  sensitive   = true
}

resource "aws_dx_transit_virtual_interface" "main" {
  connection_id = "dxcon-xxxxxx" # Provisioned connection ID
  dx_gateway_id = aws_dx_gateway.main.id

  name           = "transit-vif"
  vlan           = 100
  address_family = "ipv4"

  bgp_asn      = 65000 # Customer-side ASN
  bgp_auth_key = var.bgp_auth_key

  # Link-local /30 for the BGP session: customer side and AWS side
  customer_address = "169.254.1.1/30"
  amazon_address   = "169.254.1.2/30"

  tags = {
    Name = "transit-vif"
  }
}
```
### Transit Gateway with Terraform

```hcl
# ============================================================
# Transit Gateway
# ============================================================
resource "aws_ec2_transit_gateway" "main" {
  description = "Main Transit Gateway"

  # Route table options (every attachment joins the default table;
  # the isolated pattern in 12.6 needs these set to "disable")
  default_route_table_association = "enable"
  default_route_table_propagation = "enable"

  tags = {
    Name = "main-tgw"
  }
}

# ============================================================
# Transit Gateway VPC Attachment
# ============================================================
resource "aws_ec2_transit_gateway_vpc_attachment" "main" {
  subnet_ids         = aws_subnet.private[*].id
  transit_gateway_id = aws_ec2_transit_gateway.main.id
  vpc_id             = aws_vpc.main.id

  tags = {
    Name = "vpc-attachment"
  }
}

# ============================================================
# Transit Gateway Route Table
# ============================================================
resource "aws_ec2_transit_gateway_route_table" "main" {
  transit_gateway_id = aws_ec2_transit_gateway.main.id

  tags = {
    Name = "main-rt"
  }
}

# ============================================================
# Transit Gateway Route
# ============================================================
resource "aws_ec2_transit_gateway_route" "default" {
  destination_cidr_block         = "0.0.0.0/0"
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.main.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.main.id
}

# ============================================================
# VPN Attachment to Transit Gateway
# ============================================================
# Named "to_tgw" so it does not collide with the VGW-based
# aws_vpn_connection.main defined earlier in this chapter.
resource "aws_vpn_connection" "to_tgw" {
  transit_gateway_id  = aws_ec2_transit_gateway.main.id
  customer_gateway_id = aws_customer_gateway.main.id
  type                = "ipsec.1"

  tags = {
    Name = "vpn-to-tgw"
  }
}
```
## 12.8 Comparison Table

**Connectivity Options Comparison**

| Feature | Site-to-Site VPN | Direct Connect |
|---|---|---|
| Setup Time | Minutes | Weeks |
| Bandwidth | Up to 1.25 Gbps | Up to 100 Gbps |
| Latency | Variable | Consistent, low |
| Encryption | IPSec (built-in) | Optional (MACsec/VPN) |
| Cost | Hourly + data | Port + data |
| Reliability | Internet-based | Dedicated |
| Use Case | All traffic | High bandwidth, steady |
## 12.9 Exam Tips

- Site-to-Site VPN: Two tunnels for HA, IPSec encryption
- VGW vs TGW: TGW for multiple VPCs, VGW for single VPC
- Direct Connect: No encryption by default, use VPN over DX for encryption
- Direct Connect Gateway: Connect multiple VPCs across regions
- Virtual Interfaces: Private (VPC), Public (AWS services), Transit (TGW)
- BGP: Preferred for dynamic routing and failover
- Client VPN: Managed OpenVPN for remote users
- Transit Gateway: Hub for VPCs, VPN, Direct Connect
- Failover: Use BGP attributes (Local Preference, AS_PATH)
- MACsec: Layer 2 encryption for Direct Connect (10/100 Gbps)
## Next Chapter

Chapter 13: Amazon Route 53 - DNS Service
Last Updated: February 2026