Transcription
Amazon Virtual Private CloudConnectivity OptionsJanuary 2018
2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.NoticesThis document is provided for informational purposes only. It represents AWS’scurrent product offerings and practices as of the date of issue of this document,which are subject to change without notice. Customers are responsible formaking their own independent assessment of the information in this documentand any use of AWS’s products or services, each of which is provided “as is”without warranty of any kind, whether express or implied. This document doesnot create any warranties, representations, contractual commitments,conditions or assurances from AWS, its affiliates, suppliers or licensors. Theresponsibilities and liabilities of AWS to its customers are controlled by AWSagreements, and this document is not part of, nor does it modify, any agreementbetween AWS and its customers.
ContentsIntroduction1Network-to-Amazon VPC Connectivity Options2AWS Managed VPN4AWS Direct Connect6AWS Direct Connect VPN8AWS VPN CloudHub10Software VPN11Transit VPC13Amazon VPC-to-Amazon VPC Connectivity Options14VPC Peering16Software VPN17Software-to-AWS Managed VPN19AWS Managed VPN20AWS Direct Connect22AWS PrivateLink25Internal User-to-Amazon VPC Connectivity OptionsSoftware Remote-Access VPN2627Conclusion29Appendix A: High-Level HA Architecture for Software VPN Instances30VPN Monitoring31Contributors31Document Revisions32
AbstractAmazon Virtual Private Cloud (Amazon VPC) lets customers provision a private,isolated section of the Amazon Web Services (AWS) Cloud where they canlaunch AWS resources in a virtual network using customer-defined IP addressranges. Amazon VPC provides customers with several options for connectingtheir AWS virtual networks with other remote networks. This documentdescribes several common network connectivity options available to ourcustomers. These include connectivity options for integrating remote customernetworks with Amazon VPC and connecting multiple Amazon VPCs into acontiguous virtual network.This whitepaper is intended for corporate network architects and engineers orAmazon VPC administrators who would like to review the available connectivityoptions. It provides an overview of the various options to facilitate networkconnectivity discussions as well as pointers to additional documentation andresources with more detailed information or examples.
Amazon Web Services – Amazon VPC Connectivity OptionsIntroductionAmazon VPC provides multiple network connectivity options for you to leveragedepending on your current network designs and requirements. Theseconnectivity options include leveraging either the internet or an AWS DirectConnect connection as the network backbone and terminating the connectioninto either AWS or user-managed network endpoints. Additionally, with AWS,you can choose how network routing is delivered between Amazon VPC andyour networks, leveraging either AWS or user-managed network equipment androutes. This whitepaper considers the following options with an overview and ahigh-level comparison of each:User Network–to–Amazon VPC Connectivity Options AWS Managed VPN – Describes establishing a VPN connection fromyour network equipment on a remote network to AWS managed networkequipment attached to your Amazon VPC. AWS Direct Connect – Describes establishing a private, logicalconnection from your remote network to Amazon VPC, leveraging AWSDirect Connect. AWS Direct Connect VPN – Describes establishing a private,encrypted connection from your remote network to Amazon VPC,leveraging AWS Direct Connect. AWS VPN CloudHub – Describes establishing a hub-and-spoke modelfor connecting remote branch offices. Software VPN – Describes establishing a VPN connection from yourequipment on a remote network to a user-managed software VPNappliance running inside an Amazon VPC. Transit VPC – Describes establishing a global transit network on AWSusing Software VPN in conjunction with AWS managed VPN.Amazon VPC–to–Amazon VPC Connectivity Options Page 1VPC Peering – Describes the AWS-recommended approach forconnecting multiple Amazon VPCs within and across regions using theAmazon VPC peering feature.
Amazon Web Services – Amazon VPC Connectivity Options Software VPN – Describes connecting multiple Amazon VPCs using VPNconnections established between user-managed software VPNappliances running inside of each Amazon VPC. Software-to-AWS Managed VPN – Describes connecting multipleAmazon VPCs with a VPN connection established between a usermanaged software VPN appliance in one Amazon VPC and AWSmanaged network equipment attached to the other Amazon VPC. AWS Managed VPN – Describes connecting multiple Amazon VPCs,leveraging multiple VPN connections between your remote network andeach of your Amazon VPCs. AWS Direct Connect – Describes connecting multiple Amazon VPCs,leveraging logical connections on customer-managed AWS DirectConnect routers. AWS PrivateLink – Describes connecting multiple Amazon VPCs,leveraging VPC interface endpoints and VPC endpoint services.Internal User-to-Amazon VPC Connectivity Options Software Remote-Access VPN – In addition to customer network–to–Amazon VPC connectivity options for connecting remote users to VPCresources, this section describes leveraging a remote-access solution forproviding end-user VPN access into an Amazon VPC.Network-to-Amazon VPC ConnectivityOptionsThis section provides design patterns for you to connect remote networks withyour Amazon VPC environment. These options are useful for integrating AWSresources with your existing on-site services (for example, monitoring,authentication, security, data or other systems) by extending your internalnetworks into the AWS Cloud. This network extension also allows your internalusers to seamlessly connect to resources hosted on AWS just like any otherinternally facing resource.VPC connectivity to remote customer networks is best achieved when usingnon-overlapping IP ranges for each network being connected. For example, ifPage 2
Amazon Web Services – Amazon VPC Connectivity Optionsyou’d like to connect one or more VPCs to your home network, make sure theyare configured with unique Classless Inter-Domain Routing (CIDR) ranges. Weadvise allocating a single, contiguous, non-overlapping CIDR block to be usedby each VPC. For additional information about Amazon VPC routing andconstraints, see the Amazon VPC Frequently Asked Questions.1OptionUse CaseAdvantagesLimitationsAWSManagedVPNAWS managedIPsec VPNconnection over theinternetReuse existing VPN equipmentand processesReuse existing internetconnectionsNetwork latency, variability,and availability aredependent on internetconditionsAWS managed endpointincludes multi-data centerredundancy and automatedfailoverCustomer managedendpoint is responsible forimplementing redundancyand failover (if required)Supports static routes ordynamic Border GatewayProtocol (BGP) peering androuting policiesCustomer device mustsupport single-hop BGP(when leveraging BGP fordynamic routing)More predictable networkperformance Reducedbandwidth costsMay require additionaltelecom and hostingprovider relationships or newnetwork circuits to beprovisionedAWS DirectConnectDedicated networkconnection overprivate lines1 or 10 Gbps provisionedconnectionsSupports BGP peering androuting policiesAWS DirectConnect VPNPage 3IPsec VPNconnection overprivate linesSame as the previous optionwith the addition of a secureIPsec VPN connectionSame as the previous optionwith a little additional VPNcomplexity
Amazon Web Services – Amazon VPC Connectivity OptionsOptionUse CaseAdvantagesLimitationsAWS VPNCloudHubConnect remotebranch offices in ahub-and-spokemodel for primary orbackup connectivityReuse existing internetconnections and AWS VPNconnections (for example, useAWS VPN CloudHub as backupconnectivity to a third-partyMPLS network)Network latency, variability,and availability aredependent on the internetAWS managed virtual privategateway includes multi-datacenter redundancy andautomated failoverUser managed branch officeendpoints are responsiblefor implementingredundancy and failover (ifrequired)Supports BGP for exchangingroutes and routing priorities (forexample, prefer MPLSconnections over backup AWSVPN connections)SoftwareVPNTransitVPCSoftware appliancebased VPNconnection over theinternetSupports a wider array of VPNvendors, products, andprotocolsSoftware appliancebased VPNconnection with hubVPCSame as the previous optionwith the addition of AWSmanaged VPN connectionbetween hub and spoke VPCsFully customer-managedsolutionCustomer is responsible forimplementing HA (highavailability) solutions for allVPN endpoints (if required)Same as the previoussectionAWS managedIPsec VPNconnection for spokeVPC connectionAWS Managed VPNAmazon VPC provides the option of creating an IPsec VPN connection betweenremote customer networks and their Amazon VPC over the internet, as shownin the following figure. Consider taking this approach when you want to takeadvantage of an AWS managed VPN endpoint that includes automated multi–data center redundancy and failover built into the AWS side of the VPNconnection. Although not shown, the Amazon virtual private gateway representstwo distinct VPN endpoints, physically located in separate data centers toincrease the availability of your VPN connection.Page 4
Amazon Web Services – Amazon VPC Connectivity OptionsAWS managed VPNThe virtual private gateway also supports and encourages multiple user gatewayconnections so you can implement redundancy and failover on your side of theVPN connection as shown in the following figure. Both dynamic and staticrouting options are provided to give you flexibility in your routing configuration.Dynamic routing uses BGP peering to exchange routing information betweenAWS and these remote endpoints. With dynamic routing, you can also specifyrouting priorities, policies, and weights (metrics) in your BGP advertisementsand influence the network path between your networks and AWS.It is important to note that when you use BGP, both the IPSec and the BGPconnections must be terminated on the same user gateway device, so it must becapable of terminating both IPSec and BGP connections.Page 5
Amazon Web Services – Amazon VPC Connectivity OptionsRedundant AWS managed VPN connectionsAdditional Resources Adding a Virtual Private Gateway to Your VPC2 Customer Gateway device minimum requirements3 Customer Gateway devices known to work with Amazon VPC4AWS Direct ConnectAWS Direct Connect makes it easy to establish a dedicated connection from anon-premises network to Amazon VPC. Using AWS Direct Connect, you canestablish private connectivity between AWS and your data center, office, orcolocation environment. This private connection can reduce network costs,increase bandwidth throughput, and provide a more consistent networkexperience than internet-based connections.AWS Direct Connect lets you establish 1 Gbps or 10 Gbps dedicated networkconnections (or multiple connections) between AWS networks and one of theAWS Direct Connect locations. It uses industry-standard VLANs to accessPage 6
Amazon Web Services – Amazon VPC Connectivity OptionsAmazon Elastic Compute Cloud (Amazon EC2) instances running within anAmazon VPC using private IP addresses. You can choose from an ecosystem ofWAN service providers for integrating your AWS Direct Connect endpoint in anAWS Direct Connect location with your remote networks. The following figureillustrates this pattern. You can also work with your provider to create sub-1Gconnection or use link aggregation group (LAG) to aggregate multiple 1 gigabitor 10 gigabit connections at a single AWS Direct Connect endpoint, allowing youto treat them as a single, managed connection.AWS Direct ConnectAWS Direct Connect allows you to connect your AWS Direct Connectconnection to one or more VPCs in your account that are located in the same ordifferent regions. You can use Direct Connect gateway to achieve this. A DirectConnect gateway is a globally available resource. You can create the DirectConnect gateway in any public region and access it from all other public regions.This feature also allows you to connect to any of the participating VPCs fromany Direct Connect location, further reducing your costs for using AWS serviceson a cross-region basis. The following figure illustrates this pattern.Page 7
Amazon Web Services – Amazon VPC Connectivity OptionsAWS Direct Connect GatewayAdditional Resources AWS Direct Connect product page5 AWS Direct Connect locations6 AWS Direct Connect FAQs AWS Direct Connect LAGs AWS Direct Connect Gateways Getting Started with AWS Direct Connect87AWS Direct Connect VPNWith AWS Direct Connect VPN, you can combine one or more AWS DirectConnect dedicated network connections with the Amazon VPC VPN. Thiscombination provides an IPsec-encrypted private connection that also reducesnetwork costs, increases bandwidth throughput, and provides a more consistentnetwork experience than internet-based VPN connections.You can use AWS Direct Connect to establish a dedicated network connectionbetween your network create a logical connection to public AWS resources, suchas an Amazon virtual private gateway IPsec endpoint. This solution combinesthe AWS managed benefits of the VPN solution with low latency, increasedPage 8
Amazon Web Services – Amazon VPC Connectivity Optionsbandwidth, more consistent benefits of the AWS Direct Connect solution, andan end-to-end, secure IPsec connection.The following figure illustrates this option.EC2 InstancesAWS PublicDirect ConnectCustomer WANAvailability ZoneVirtualAWS DirectVPNPrivateEC2 InstancesRemoteVPC Subnet 2ServersAmazon VPCAWS Direct Connect and VPNAdditional Resources AWS Direct Connect product page9 AWS Direct Connect FAQs10 Adding a Virtual Private Gateway to Your VPC11Page 9
Amazon Web Services – Amazon VPC Connectivity OptionsAWS VPN CloudHubBuilding on the AWS managed VPN and AWS Direct Connect options describedpreviously, you can securely communicate from one site to another using theAWS VPN CloudHub. The AWS VPN CloudHub operates on a simple hub-andspoke model that you can use with or without a VPC. Use this design if you havemultiple branch offices and existing internet connections and would like toimplement a convenient, potentially low cost hub-and-spoke model for primaryor backup connectivity between these remote offices.The following figure depicts the AWS VPN CloudHub architecture, with bluedashed lines indicating network traffic between remote sites being routed overtheir AWS VPN connections.CustomerCustomer NetworkEC2 InstancesCustomerAvailability ZoneCustomer NetworkVirtualEC2 InstancesVPC Subnet 2CustomerCustomer NetworkAWS VPN CloudHubAWS VPN CloudHub leverages an Amazon VPC virtual private gateway withmultiple gateways, each using unique BGP autonomous system numbers(ASNs). Your gateways advertise the appropriate routes (BGP prefixes) overtheir VPN connections. These routing advertisements are received andPage 10
Amazon Web Services – Amazon VPC Connectivity Optionsreadvertised to each BGP peer so that each site can send data to and receivedata from the other sites. The remote network prefixes for each spoke must haveunique ASNs, and the sites must not have overlapping IP ranges. Each site canalso send and receive data from the VPC as if they were using a standard VPNconnection.This option can be combined with AWS Direct Connect or other VPN options(for example, multiple gateways per site for redundancy or backbone routingthat you provide) depending on your requirements.Additional Resources AWS VPN CloudHub12 Amazon VPC VPN Guide13 Customer Gateway device minimum requirements14 Customer Gateway devices known to work with Amazon VPC15 AWS Direct Connect product page16Software VPNAmazon VPC offers you the flexibility to fully manage both sides of yourAmazon VPC connectivity by creating a VPN connection between your remotenetwork and a software VPN appliance running in your Amazon VPC network.This option is recommended if you must manage both ends of the VPNconnection either for compliance purposes or for leveraging gateway devicesthat are not currently supported by Amazon VPC’s VPN solution. The followingfigure shows this option.Page 11
Amazon Web Services – Amazon VPC Connectivity OptionsClientsClientsSoftware VPNinternetApplianceAvailability ZoneVPC RouterinternetVPNCustomer VPNEC2 InstancesRemoteVPC Subnet 2ServersSoftware VPNYou can choose from an ecosystem of multiple partners and open sourcecommunities that have produced software VPN appliances that run on AmazonEC2. These include products from well-known security companies like CheckPoint, Astaro, OpenVPN Technologies, and Microsoft, as well as popular opensource tools like OpenVPN, Openswan, and IPsec-Tools. Along with this choicecomes the responsibility for you to manage the software appliance, includingconfiguration, patches, and upgrades.Note that this design introduces a potential single point of failure into thenetwork design because the software VPN appliance runs on a single AmazonEC2 instance. For additional information, see Appendix A: High-Level HAArchitecture for Software VPN Instances.Additional Resources VPN Appliances from the AWS Marketplace17 Tech Brief - Connecting Cisco ASA to VPC EC2 Instance (IPSec)18Page 12
Amazon Web Services – Amazon VPC Connectivity Options Tech Brief - Connecting Multiple VPCs with EC2 Instances (IPSec)19 Tech Brief - Connecting Multiple VPCs with EC2 Instances (SSL)20Transit VPCBuilding on the Software VPN design mentioned above, you can create a globaltransit network on AWS. A transit VPC is a common strategy for connectingmultiple, geographically disperse VPCs and remote networks in order to create aglobal network transit center. A transit VPC simplifies network managementand minimizes the number of connections required to connect multiple VPCsand remote networks. The following figure illustrates this design.Software VPN and Transit VPCPage 13
Amazon Web Services – Amazon VPC Connectivity OptionsAlong with providing direct network routing between VPCs and on-premisesnetworks, this design also enables the transit VPC to implement more complexrouting rules, such as network address translation between overlapping networkranges, or to add additional network-level packet filtering or inspection. Thetransit VPC design can be used to support important use cases like, privatenetworking, shared connectivity and cross account AWS usage.Additional Resources Tech Brief - Global Transit Network Solution - Transit VPCAmazon VPC-to-Amazon VPC ConnectivityOptionsUse these design patterns when you want to integrate multiple Amazon VPCsinto a larger virtual network. This is useful if you require multiple VPCs due tosecurity, billing, presence in multiple regions, or internal charge-backrequirements to more easily integrate AWS resources between Amazon VPCs.You can also combine these patterns with the Network–to–Amazon VPCConnectivity Options for creating a corporate network that spans remotenetworks and multiple VPCs.VPC connectivity between VPCs is best achieved when using non-overlapping IPranges for each VPC being connected. For example, if you’d like to connectmultiple VPCs, make sure each VPC is configured with unique Classless InterDomain Routing (CIDR) ranges. Therefore, we advise you to allocate a single,contiguous, non-overlapping CIDR block to be used by each VPC. For additionalinformation about Amazon VPC routing and constraints, see the Amazon VPCFrequently Asked Questions.21Page 14
Amazon Web Services – Amazon VPC Connectivity OptionsOptionUse CaseAdvantagesLimitationsVPC PeeringAWS-provided networkconnectivity betweentwo VPCs.Leverages AWSnetworking infrastructureVPC peering does notsupport transitive peeringrelationships.Does not rely on VPNinstances or a separatepiece of physical hardwareNo single point of failureNo bandwidth bottleneckSoftware VPNSoftware appliancebased VPN connectionsbetween VPCsLeverages AWSnetworking equipment inregion and internet pipesbetween regionsYou are responsible forimplementing HAsolutions for all VPNendpoints (if required)Supports a wider array ofVPN vendors, products,and protocolsVPN instances couldbecome a networkbottleneckManaged entirely by youSoftware-toAWSmanaged VPNSoftware appliance toVPN connectionbetween VPCsLeverages AWSnetworking equipment inregion and internet pipesbetween regionsAWS managed endpointincludes multi-data centerredundancy andautomated failoverAWSmanagedVPNVPC-to-VPC routingmanaged by you overIPsec VPN connectionsusing your equipmentand the internetReuse existing AmazonVPC VPN connectionsAWS managed endpointincludes multi-data centerredundancy andautomated failoverSupports static routes anddynamic BGP peering androuting policiesAWS DirectConnectVPC-to-VPC routingmanaged by you usingyour equipment in anAWS Direct Connectlocation and privatelinesConsistent networkperformanceReduced bandwidth costs1 or 10 Gbps provisionedconnectionsSupports static routes andBGP peering and routingpoliciesPage 15You are responsible forimplementing HAsolutions for the softwareappliance VPN endpoints(if required)VPN instances couldbecome a networkbottleneckNetwork latency,variability, and availabilitydepend on internetconditionsThe endpoint you manageis responsible forimplementing redundancyand failover (if required)May require additionaltelecom and hostingprovider relationships
Amazon Web Services – Amazon VPC Connectivity OptionsOptionUse d networkconnectivity betweentwo VPCs usinginterface endpoints.Leverages AWSnetworking infrastructureVPC Endpoint servicesonly available in AWSregion in which they arecreated.No single point of failureVPC PeeringA VPC peering connection is a networking connection between two VPCs thatenables routing using each VPC’s private IP addresses as if they were in thesame network. This is the AWS recommended method for connecting VPCs.VPC peering connections can be created between your own VPCs or with a VPCin another AWS account. VPC peering also supports inter-region peering.Traffic using inter-region VPC Peering always stays on the global AWSbackbone and never traverses the public internet, thereby reducing threatvectors, such as common exploits and DDoS attacks.VPC-to-VPC peeringPage 16
Amazon Web Services – Amazon VPC Connectivity OptionsAWS uses the existing infrastructure of a VPC to create VPC peeringconnections. These connections are neither a gateway nor a VPN connectionand do not rely on a separate piece of physical hardware. Therefore, they do notintroduce a potential single point of failure or network bandwidth bottleneckbetween VPCs. Additionally, VPC routing tables, security groups, and networkaccess control lists can be leveraged to control which subnets or instances areable to utilize the VPC peering connection.A VPC peering connection can help you to facilitate the transfer of data betweenVPCs. You can use them to connect VPCs when you have more than one AWSaccount, to connect a management or shared services VPC to application- orcustomer-specific VPCs, or to connect seamlessly with a partner’s VPC. Formore examples of scenarios in which you can use a VPC peering connection, seethe Amazon VPC Peering Guide.22Additional Resources Amazon VPC User Guide23 Amazon VPC Peering Guide24Software VPNAmazon VPC provides network routing flexibility. This includes the ability tocreate secure VPN tunnels between two or more software VPN appliances toconnect multiple VPCs into a larger virtual private network so that instances ineach VPC can seamlessly connect to each other using private IP addresses. Thisoption is recommended when you want to connect VPCs across multiple AWSRegions and manage both ends of the VPN connection using your preferredVPN software provider. This option uses an internet gateway attached to eachVPC to facilitate communication between the software VPN appliances.Page 17
Amazon Web Services – Amazon VPC Connectivity OptionsInter-region VPC-to-VPC routingYou can choose from an ecosystem of multiple partners and open sourcecommunities that have produced software VPN appliances that run on AmazonEC2. These include products from well-known security companies like CheckPoint, Sophos, OpenVPN Technologies, and Microsoft, as well as popular opensource tools like OpenVPN, Openswan, and IPsec-Tools. Along with this choicecomes the responsibility for you to manage the software appliance includingconfiguration, patches, and upgrades.Note that this design introduces a potential single point of failure into thenetwork design as the software VPN appliance runs on a single Amazon EC2instance. For additional information, see Appendix A: High-Level HAArchitecture for Software VPN Instances.Additional Resources VPN Appliances from the AWS Marketplace25 Tech Brief - Connecting Multiple VPCs with EC2 Instances (IPSec)26 Tech Brief - Connecting Multiple VPCs with EC2 Instances (SSL)27Page 18
Amazon Web Services – Amazon VPC Connectivity OptionsSoftware-to-AWS Managed VPNAmazon VPC provides the flexibility to combine the AWS managed VPN andsoftware VPN options to connect multiple VPCs. With this design, you cancreate secure VPN tunnels between a software VPN appliance and a virtualprivate gateway to connect multiple VPCs into a larger virtual private network,allowing instances in each VPC to seamlessly connect to each other usingprivate IP addresses. This option is recommended when you want to connectVPCs across multiple AWS regions and would like to take advantage of the AWSmanaged VPN endpoint including automated multi-data center redundancy andfailover built into the virtual private gateway side of the VPN connection. Thisoption uses a virtual private gateway in one Amazon VPC and a combination ofan internet gateway and software VPN appliance in another Amazon VPC asshown in the following figure.Intra-region VPC-to-VPC routingPage 19
Amazon Web Services – Amazon VPC Connectivity OptionsNote that this design introduces a potential single point of failure into thenetwork design as the software VPN appliance runs on a single Amazon EC2instance. For additional information, see Appendix A: High-Level HAArchitecture for Software VPN Instances.Additional Resources Tech Brief - Connecting Multiple VPCs with Sophos Security Gateway28 Configuring Windows Server 2008 R2 as a Customer Gateway forAmazon Virtual Private Cloud29AWS Managed VPNAmazon VPC provides the option of creating an IPsec VPN to connect yourremote networks with your Amazon VPCs over the internet. You can takeadvantage of multiple VPN connections to route traffic between your AmazonVPCs as shown in the following figure.Page 20
Amazon Web Services – Amazon VPC Connectivity OptionsRouting traffic between VPCsPage 21
Amazon Web Services – Amazon VPC Connectivity OptionsWe recommend this approach when you want to take advantage of AWSmanaged VPN endpoints including the automated multi-data centerredundancy and failover built into the AWS side of each VPN connection.Although not shown, the Amazon virtual private gateway represents two distinctVPN endpoints, physically located in separate data centers to increase theavailability of each VPN connection.Amazon virtual private gateway also supports multiple customer gatewayconnections (as described in the Customer Network–to–Amazon VPC Optionsand AWS managed VPN sections and shown in the figure Redundant AWSmanaged VPN connections), allowing you to implement redundancy andfailover on your side of the VPN connection. This solution can also leverage BGPpeering to exchange routing information between AWS and these remoteendpoints. You can specify routing priorities, policies, and weights (metrics) inyour BGP advertisements to influence the network path traffic will take to andfrom your networks and AWS.This approach is suboptimal from a routing perspective since the traffic musttraverse the internet to get to and from your network, but it gives you a lot offlexibility for controlling and managing routing on your local and remotenetworks, and the potential ability to reuse VPN connections.Additional Resources Amazon VPC Users Guide30 Customer Gateway device minimum requirements31 Customer Gateway devices known to work with Amazon VPC32 Tech Brief - Connecting a Single Router to Multiple VPCs33AWS Direct ConnectAWS Direct Connect makes it easy to establish a dedicated network connectionfrom your premises to your Amazon VPC or among Amazon VPCs. This optioncan potentially reduce network costs, increase bandwidth throughput, andprovide a more consistent network experience than the other VPC-to-VPCconnectivity options.Page 22
Amazon Web Services – Amazon VPC Connectivity OptionsYou can divide a physical AWS Direct Connect connection into multiple logicalconnections, one for each VPC. You can then use these logical connections forrouting traffic between VPCs, as shown in the following figure. In addition tointra-region routing, you can connect AWS Direct Connect locations in otherregions using your existing WAN providers and leverage AWS Direct Connect toroute traffic between regions over your WAN backbone network.Page 23
Amazon Web Services – Amazon VPC Connectivity OptionsIntra-region VPC-to-VPC routing with AWS Direct ConnectPage 24
Amazon Web Services – Amazon VPC Connectivity OptionsWe recommend this approach if you’re already an AWS Direct Connectcustomer or would like to take advantage of AWS Direct Connect’s reducednetwork costs, increased bandwidth throughput, and more consistent networkexperience. AWS Direct Connect can provide very efficient routing since trafficcan take advantage of 1 Gbps or 10 Gbps fiber connections physically attachedto the AWS network in each region. Additionally, this service gives you the
Amazon Web Services - Amazon VPC Connectivity Options Page 5 AWS managed VPN The virtual private gateway also supports and encourages multiple user gateway connections so you can implement redundancy and failover on your side of the VPN connection as shown in the following figure. Both dynamic and static
![Index [beckassets.blob.core.windows ]](/img/66/30639857-1119689333-14.jpg)
