Amazon Virtual Private Cloud (Amazon VPC) allows you to create a virtual network in the AWS cloud – no VPNs, hardware, or physical data centers are required. You can define your own network space, and control how your network and the Amazon EC2 resources inside your network are exposed to the Internet.
It creates a virtual network in the AWS cloud that closely resembles a traditional on-premises network. There are many use cases for Amazon VPC, such as,
- Isolation: You can use Amazon VPC to create a virtual network that is isolated from the Internet, providing a high level of security for your resources.
- Network customization: Amazon VPC allows you to create a custom network topology that closely matches your on-premises infrastructure. You can create your own IP address ranges, subnets, and network gateways.
- Hybrid cloud architectures: Amazon VPC enables you to create hybrid cloud architectures, allowing you to connect your on-premises data centers to the AWS cloud using VPN or Direct Connect connections.
- Multi-tier applications: You can use Amazon VPC to create multi-tier applications, with separate subnets for each tier (e.g. web, application, and database) for better security and manageability.
- Security: You can control access to your resources in the VPC through security groups and network ACLs. Also, You can also use AWS Services like Security Group, Network ACLs, VPC Flow Logs, and Security Hub to secure your VPC and all resources running inside your VPC
- Compliance and Auditing: you can use Amazon VPC to meet compliance and regulatory requirements by creating isolated networks and controlling access to your resources.
- Cost optimization: with VPC you have the flexibility to create a different network for different applications and resources and configure it according to your need, which can help you in saving costs,
Overall, Amazon VPC provides a flexible and secure way to deploy and run your applications on the AWS cloud and enables you to take advantage of the scalability and reliability of AWS while maintaining control over your network environment.
Now let’s see the several connectivity options available to connect the AWS VPC to other remote networks. Connectivity options in AWS can be broadly categorized into two types.
- Network-to-Amazon VPC connectivity options
- Amazon VPC-to-Amazon VPC connectivity options
In this blog, we will discuss the first type.
1. Network to Amazon VPC connectivity options
By extending your internal networks into the AWS Cloud, these alternatives are helpful for connecting AWS resources with your current on-site services (such as monitoring, authentication, security, data, or other systems). Your internal users can easily connect to resources hosted on AWS using this network extension, just like they would with any other internally facing resource.
It is advisable to use non-overlapping IP ranges for each network being connected when connecting a VPC to a remote customer network. To link one or more VPCs to your home network, for instance, ensure they are set up with distinct Classless Inter-Domain Routing (CIDR) ranges. Each VPC should be given access to a single, contiguous (group of networks that are touching each other)/next or together in sequence, non-overlapping CIDR block.
Following are the various connectivity option to connect your remote network to Amazon VPC
a. AWS Managed VPN
As seen in the following image, Amazon VPC offers the option of setting up an IP Protocol Security (IPsec) VPN connection over the internet between your remote networks and Amazon VPC.
Figure: AWS Managed VPN diagram
Consider this approach if you want to take advantage of AWS-managed VPN endpoints that include automated redundancy and failover built into the AWS side of the VPN connection. In order to establish redundancy and failover on your side of the VPN connection, the virtual private gateway also enables and encourages numerous user gateway connections, as shown in the following image.
Figure: Redundant AWS Managed VPN diagram
b. AWS Transit Gateway + VPN
AWS Transit Gateway is a high availability and scalability regional network transit hub that is managed by AWS and used to connect customer networks and VPCs. As illustrated in the following image, AWS Transit Gateway + VPN offers the option of setting up an IPsec VPN connection between your remote network and the Transit Gateway over the internet using the Transit Gateway VPN attachment.
Figure: AWS Transit Gateway and VPN diagram
c. AWS Direct Connect
Establishing a dedicated connection to one or more VPCs in the same region from an on-premises network is simple with AWS Direct Connect. You can create private connectivity between AWS and your data center, office, or colocation environment using a private virtual interface (VIF) on AWS Direct Connect, as depicted in the following figure.
Figure: AWS Direct Connect diagram
A physical connection is established between your remote network (in this case let’s use a data center as your remote network) and AWS. One end of the cable is connected to the router in the data center while the other end is connected to the AWS Direct Connect router in an AWS Direct Connect location. Such a connection allows us to bypass the internet in our network path. You can find the list of AWS Direct Connect locations available for your region of interest on the AWS website.
It is recommended to choose the AWS Direct Connect location and AWS Region closest to your remote infrastructure to reduce cost, management overhead, and latency. High availability requires several dynamically routed AWS Direct Connect connections, as depicted in the accompanying diagram.
Figure: Redundant AWS Direct Connect diagram
Some of the advantages of AWS direct connect are as follows.
- Increased bandwidth: With Direct Connect, customers can establish a dedicated connection with a maximum bandwidth of 10 Gbps, allowing for faster and more reliable data transfer between on-premises and AWS environments.
- Improved security: By establishing a dedicated connection, customers can improve security and reduce the risk of data breaches, as traffic does not traverse the public internet.
- Reduced network costs: By using Direct Connect, customers can reduce the cost of data transfer between on-premises and AWS environments, as data transferred over the dedicated connection is not subject to data transfer charges.
- Enhanced network control: Direct Connect allows customers to use their own network infrastructure and devices, such as firewalls and VPN appliances, in conjunction with their VPC. This gives customers greater control over their network environment and enables them to implement advanced security, compliance, and regulatory requirements.
- Improved availability: Direct Connect can be set up in a redundant way, with two or more connections in different availability zones, improving the availability of the connection.
- Latency reduction: Direct Connect connections generally lower latency than internet-based connections.
d. AWS Direct Connect and AWS Transit Gateway
As illustrated in the following image, AWS Direct Link + AWS Transit Gateway enables your network to connect up to three regional centralized routers over a private dedicated connection by employing transit VIF attachment to the Direct Connect gateway.
Figure: AWS Direct Connect and AWS Transit Gateway diagram
Each AWS Transit Gateway serves as a network transit hub to link VPCs in the same region and centralize the setup of Amazon VPC routing. This solution makes it easier to manage connections between an Amazon VPC and your networks using a private connection, which has several advantages over internet-based connections, including lower network costs, higher bandwidth throughput, and more reliable network performance.
e. AWS Direct Connect + VPN
Let us understand this connectivity option through the following diagram. Amazon VPC has a VPN gateway (also called a virtual interface, VIF) that connects to your remote network (in this case, corporate data center) through AWS Direct Connect.
You can configure an AWS Direct Connect public virtual interface to establish a dedicated network connection between your remote network (in this case, corporate data center) to public AWS resources through a virtual private gateway. You can achieve this setup by setting the routing of the traffic from the VPC destined to your remote network, which travels through a virtual private gateway and AWS Direct Connect connection. It bypasses the internet service providers in your network path.
This approach is demonstrated in the following figure.
Figure: AWS Direct Connect and VPN diagram
This solution offers a more reliable network experience than internet-based VPN connections by combining the advantages of an end-to-end encrypted IP Protocol Security (IPSec) connection with the low latency and higher bandwidth of AWS Direct Connect.
f. AWS Direct Connect + AWS Transit Gateway + VPN
Figure: AWS Direct Connect and AWS Transit Gateway and VPN diagram
Implementing public VIF on AWS Direct Connect enables end-to-end IPSec-encrypted connections between your networks and a regional centralized router for Amazon VPCs over a private dedicated connection using AWS Direct Connect + AWS Transit Gateway + VPN, as demonstrated in the following figure.
If you wish to manage numerous IPSec VPN connections to Amazon VPCs in the same region more easily and affordably while still getting the low latency and reliable network performance advantages of a dedicated private connection over an internet-based VPN, give this strategy some thought. Your router and the AWS Direct Connect establish a BGP connection across the open VIF. The AWS Transit Gateway and your router will establish a new BGP session or a static router across the IPSec VPN channel.
g. AWS VPN CloudHub
Suppose you have the requirement to connect multiple VPCs to multiple remote sites.
Using the AWS VPN CloudHub, you can securely interact between two entities. It runs on a straightforward hub-and-spoke topology. This model allows your multiple remote sites to communicate with the multiple VPCs and also with each other.
Now let us see how to use AWS VPN CloudHub. Refer to the below diagram that has AWS VPC and 3 remote office locations.
- Create a single virtual private gateway on the AWS side with multiple customer gateways.
- Each customer gateway is configured to advertise its Border Gateway Patrol (BGP) routes over its AWS site-to-site VPN connection.
- Each site can now send data to and receive data from the other sites and the VPC.
The AWS VPN CloudHub architecture is depicted in the following picture, where dashed lines illustrate network traffic being forwarded across AWS VPN connections between remote sites.
Figure: AWS VPN Cloudhub diagram
h. Software site-to-site VPN
By establishing a VPN connection between your distant network and a software VPN appliance running on your Amazon VPC network, Amazon VPC gives you the ability to completely manage both sides of your Amazon VPC connectivity. This choice is advised if you need to control both ends of the VPN connection, either for compliance reasons or to use gateway devices that Amazon VPC’s VPN solution does not yet support. This type is displayed in the following figure.
Figure: Software Site-to-Site VPN diagram
When integrating your remote networks with Amazon VPC, AWS offers a number of effective, secure connectivity solutions to help you make the most of the platform. The connectivity options and patterns highlighted in this blog are some of those that customers have used to successfully integrate various Amazon VPC networks or distant networks. Regardless of where your organization is physically located or hosted, you can utilize the information provided here to choose the best method for connecting the infrastructure needed to run it.
Check out these posts to learn about Difference between Public IP and Private IP address?