AWS VPN vs Direct Connect: How to Choose On-Premises Connectivity
Compare AWS Site-to-Site VPN and Direct Connect differences, costs, and performance. Learn selection criteria for each scenario.
Related Exam Domains
- Domain 1: Design Secure Architectures
Key Takeaway
Choose Site-to-Site VPN for quick setup and low cost, Direct Connect for stable bandwidth and consistent performance. Using VPN as a backup for Direct Connect is a best practice.
Exam Tip
Exam Essential: "Fast and cheap = VPN", "Stable bandwidth + consistent performance = Direct Connect", "DX backup = VPN"
On-Premises to AWS Connection Options
| Option | Path | Encryption | Setup Time |
|---|---|---|---|
| Site-to-Site VPN | Internet | ✅ IPsec | Minutes |
| Direct Connect | Dedicated line | ❌ (default) | Weeks to months |
| Direct Connect + VPN | Dedicated line | ✅ IPsec | Weeks to months |
| Client VPN | Internet | ✅ TLS | Minutes |
Site-to-Site VPN
Components
[On-Premises] [AWS]
┌──────────────┐ ┌──────────────────┐
│ │ IPsec Tunnel 1 │ │
│ Customer │ ═════════════════│ Virtual Private │
│ Gateway │ IPsec Tunnel 2 │ Gateway (VGW) │
│ (CGW) │ ═════════════════│ or │
│ │ Internet │ Transit Gateway │
└──────────────┘ └──────────────────┘
| Component | Description |
|---|---|
| Customer Gateway (CGW) | VPN device (or software) on-premises side |
| Virtual Private Gateway (VGW) | AWS-side VPN endpoint (attached to VPC) |
| Transit Gateway (TGW) | Used when connecting to multiple VPCs |
VPN Characteristics
| Item | Details |
|---|---|
| Bandwidth | Up to 1.25 Gbps per tunnel |
| Tunnels | 2 per connection (high availability) |
| Encryption | IPsec (automatic) |
| Cost | $0.05/connection-hour + data transfer |
| Setup Time | Minutes |
Accelerated VPN
Routes VPN traffic onto the AWS Global Accelerator network, so packets leave the public internet at the nearest AWS edge location instead of traversing it all the way to the region.
Regular VPN: [On-Premises] → Internet → [AWS VGW]
Accelerated: [On-Premises] → Internet → [Nearest Edge] → AWS Backbone → [VGW]
Direct Connect (DX)
Connection Types
| Type | Bandwidth | Connection Method |
|---|---|---|
| Dedicated Connection | 1, 10, 100 Gbps | Dedicated port at AWS Direct Connect location |
| Hosted Connection | 50Mbps - 10Gbps | Connection through a partner |
Components
[On-Premises] [DX Location] [AWS]
┌──────────┐ ┌──────────────┐ ┌──────────┐
│ Data │ │ │ │ │
│ Center │──────│ Cross- │──────│ VGW │
│ │Dedic.│ Connect │ AWS │ or │
│ │Line │ │Network│ DX GW │
└──────────┘ └──────────────┘ └──────────┘
Virtual Interface (VIF)
| VIF Type | Purpose | Connects To |
|---|---|---|
| Private VIF | Access VPC resources | VGW or Direct Connect Gateway |
| Public VIF | Access AWS public services | S3, DynamoDB, etc. (public endpoints) |
| Transit VIF | Connect to Transit Gateway | TGW (multiple VPCs) |
Exam Tip
Private VIF vs Public VIF: Use a Private VIF for VPC-internal resources (EC2, RDS) and a Public VIF for dedicated-line access to public services such as S3.
Direct Connect Gateway
Enables access to VPCs in multiple regions with a single DX connection.
┌─── VGW (ap-northeast-2) → VPC A
[DX Connection] → [DX Gateway] ─── VGW (us-east-1) → VPC B
└─── VGW (eu-west-1) → VPC C
VPN vs Direct Connect Detailed Comparison
| Comparison | Site-to-Site VPN | Direct Connect |
|---|---|---|
| Path | Internet | Dedicated network |
| Bandwidth | Up to 1.25 Gbps/tunnel | Up to 100 Gbps |
| Latency | Variable (via internet) | Consistent (dedicated line) |
| Encryption | ✅ IPsec automatic | ❌ Unencrypted by default |
| Setup Time | Minutes | Weeks to months |
| Cost | Low | High |
| Availability | 2 tunnels | 99.99% SLA (when redundant) |
| Large Data | Not suitable | Suitable |
Selection Guide
On-Premises to AWS Connection Selection:
│
▼
Large data transfer or consistent performance needed?
│
Yes → [Direct Connect]
│ └── Encryption needed? → DX + VPN combination
No
│
▼
Quick setup or cost savings?
│
Yes → [Site-to-Site VPN]
│
No
│
▼
Individual user remote access?
│
Yes → [Client VPN]
High Availability Configuration
VPN Redundancy
[On-Premises] [AWS]
CGW 1 ════ 2 tunnels ════ VGW (AZ-a)
CGW 2 ════ 2 tunnels ════ VGW (AZ-b)
→ Total 4 tunnels, fully redundant
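An operational check for the four-tunnel design above, added here as an example (not code from the page or from AWS): it summarises tunnel status per customer gateway from a DescribeVpnConnections-shaped response and classifies whether redundancy is intact, reduced, or lost. The response below is constructed sample data, and the three state names are this example's own.

```python
"""Summarise Site-to-Site VPN tunnel health per customer gateway.

The input follows the shape of the EC2 DescribeVpnConnections response
(VpnConnections[].CustomerGatewayId, VgwTelemetry[].Status); the sample
below is constructed, not captured from a real account.
"""
from collections import defaultdict

# Constructed sample: two connections (one per CGW), two tunnels each.
SAMPLE_RESPONSE = {
    "VpnConnections": [
        {"VpnConnectionId": "vpn-0aaa", "CustomerGatewayId": "cgw-0001",
         "VgwTelemetry": [{"OutsideIpAddress": "203.0.113.10", "Status": "UP"},
                          {"OutsideIpAddress": "203.0.113.11", "Status": "UP"}]},
        {"VpnConnectionId": "vpn-0bbb", "CustomerGatewayId": "cgw-0002",
         "VgwTelemetry": [{"OutsideIpAddress": "203.0.113.20", "Status": "DOWN"},
                          {"OutsideIpAddress": "203.0.113.21", "Status": "UP"}]},
    ]
}


def tunnel_summary(response):
    """Return {customer_gateway_id: (tunnels_up, tunnels_total)}."""
    counts = defaultdict(lambda: [0, 0])
    for conn in response.get("VpnConnections", []):
        cgw = conn["CustomerGatewayId"]
        for tunnel in conn.get("VgwTelemetry", []):
            counts[cgw][1] += 1
            if tunnel.get("Status") == "UP":
                counts[cgw][0] += 1
    return {cgw: tuple(c) for cgw, c in counts.items()}


def redundancy_state(response):
    """'redundant': at least two CGWs and every tunnel UP (the 4-tunnel design
    intact); 'degraded': some path to AWS remains but redundancy is reduced;
    'down': no tunnel UP anywhere, i.e. the site has lost connectivity."""
    summary = tunnel_summary(response)
    if sum(up for up, _ in summary.values()) == 0:
        return "down"
    if len(summary) >= 2 and all(up == total for up, total in summary.values()):
        return "redundant"
    return "degraded"
```

A single CGW with both tunnels UP is reported as degraded on purpose: it works, but it is not the fully redundant design shown above.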
Direct Connect Redundancy
Maximum Resiliency (AWS Recommended):
[On-Premises] ─── DX Connection 1 ─── [DX Location A] ─── [AWS]
[On-Premises] ─── DX Connection 2 ─── [DX Location B] ─── [AWS]
→ 2 locations, 2 connections each = 99.99% SLA
DX + VPN Backup
Primary: [On-Premises] ═══ Direct Connect ═══ [AWS VPC]
Backup: [On-Premises] ─── Site-to-Site VPN ── [AWS VPC]
DX failure → Automatic failover to VPN
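Why that failover needs no manual action: the virtual private gateway prefers a prefix learned over Direct Connect to the same prefix learned over VPN, so when the DX route is withdrawn the VPN route simply becomes the best one. The model below is an added example (not AWS code or code from the page); the ordering it encodes is the documented priority for matching prefixes (longest prefix first, then DX BGP, then static VPN, then VPN BGP, shortest AS_PATH as the tie-breaker), and the route entries and `via` labels are constructed.

```python
"""Model of virtual-private-gateway route selection between a Direct Connect
primary and a Site-to-Site VPN backup carrying the same on-premises prefix.

Added example; RANK follows the documented AWS priority for matching
prefixes. Longest prefix match is applied before RANK.
"""
from ipaddress import ip_address, ip_network

RANK = {"dx_bgp": 0, "vpn_static": 1, "vpn_bgp": 2}


def best_route(routes, destination):
    """routes: dicts with 'prefix', 'source' (a RANK key), optional 'as_path'.
    Returns the winning route dict for destination, or None if nothing matches."""
    dst = ip_address(destination)
    candidates = [r for r in routes if dst in ip_network(r["prefix"])]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (
        -ip_network(r["prefix"]).prefixlen,   # longest prefix match first
        RANK[r["source"]],                     # DX > static VPN > BGP VPN
        len(r.get("as_path", [])),             # shortest AS_PATH among VPN BGP
    ))


# Constructed routes: one on-premises prefix advertised over the DX private
# VIF (primary) and over the backup VPN tunnel, as in the DX + VPN design.
ROUTES = [
    {"prefix": "10.0.0.0/16", "source": "dx_bgp", "via": "dx-private-vif"},
    {"prefix": "10.0.0.0/16", "source": "vpn_bgp", "via": "vpn-tunnel-1",
     "as_path": [65000]},
]


def path_after_dx_failure(routes, destination):
    """Withdraw every DX-learned route (what a dropped DX BGP session does)
    and return the route that takes over for destination."""
    surviving = [r for r in routes if r["source"] != "dx_bgp"]
    return best_route(surviving, destination)
```

The switch only happens once the DX BGP session actually goes down, so a link that stays up while silently dropping traffic will not fail over; enabling BFD on the Direct Connect BGP session is what makes that detection fast.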
Exam Tip
Best Practice: Configuring Site-to-Site VPN as a backup for Direct Connect is a cost-effective redundancy method.
Client VPN
A service for individual users to remotely access AWS VPC from laptops/PCs.
| Item | Site-to-Site VPN | Client VPN |
|---|---|---|
| Connection Entity | Network to Network | User to Network |
| Use Case | Data center ↔ VPC | Remote worker → VPC |
| Protocol | IPsec | TLS (OpenVPN) |
| Authentication | PSK or Certificate | AD, SAML, Certificate |
SAA-C03 Exam Focus Points
- ✅ VPN Selection: "Quick setup, low cost, encryption = VPN"
- ✅ DX Selection: "Stable bandwidth, consistent latency, large data = Direct Connect"
- ✅ DX Encryption: "DX is unencrypted by default, use DX + VPN for encryption"
- ✅ Redundancy: "Configure VPN as DX backup"
- ✅ DX Gateway: "Connect multiple region VPCs with single DX"
Exam Tip
Sample Exam Question: "You need to transfer several TB of data daily from an on-premises data center to AWS with consistent performance. What is the appropriate solution?" → Answer: AWS Direct Connect (large data + consistent performance)
Frequently Asked Questions
Q: Is Direct Connect encrypted?
Not encrypted by default. If encryption in transit is required, configure Site-to-Site VPN over Direct Connect, or use MACsec (MAC Security).
Q: Why does Direct Connect setup take so long?
Because a physical dedicated line must be provisioned: the cross-connect at the DX location, the carrier contract for the last mile, and related steps typically take weeks to months.
Q: What if VPN bandwidth is insufficient?
Using Transit Gateway with ECMP (Equal-Cost Multi-Path) support allows aggregating bandwidth from multiple VPN tunnels. For long-term bandwidth needs, consider Direct Connect.
Q: Does using Direct Connect and VPN together double the cost?
Yes, both connections are billed. However, the VPN carries traffic only while Direct Connect is down, so in normal operation it adds only its connection charge ($0.05/hour); data transfer is billed on actual usage.
Q: What's the difference between Client VPN and Site-to-Site VPN?
Site-to-Site VPN is a network-to-network connection (data center ↔ VPC), while Client VPN provides remote access for individual users (laptop → VPC). They serve different purposes.