Xoxoftware - XOXO Creative Studio | Web & Mobile App Development | Fred Cheung | Hong Kong

AWS Direct Connect and Site-to-Site VPN

Hybrid connectivity — dedicated private connections vs encrypted tunnels, covering VGW, Transit Gateway, DX Gateway, and failover patterns.

Overview

AWS Direct Connect (DX) and Site-to-Site VPN are the two primary options for connecting on-premises networks to AWS — Direct Connect provides a dedicated private connection with consistent performance, while Site-to-Site VPN establishes encrypted tunnels over the public internet.

| Aspect | Direct Connect | Site-to-Site VPN |
|---|---|---|
| Connection type | Dedicated fibre via a DX location (colocation facility) | Encrypted IPsec tunnels over the public internet |
| Bandwidth | 1 Gbps, 10 Gbps, 100 Gbps dedicated (hosted connections: 50 Mbps to 10 Gbps) | Up to 1.25 Gbps per tunnel |
| Latency | Consistent, low (private path) | Variable (internet-dependent) |
| Setup time | Weeks to months (physical cross-connect) | Minutes to hours |
| Encryption | Not encrypted by default (add an IPsec VPN over DX, or MACsec on supported ports) | Encrypted (IPsec) |
| Cost | Port-hour fee + data transfer out (lower than internet egress rates) | Per-hour connection fee + data transfer out |

Core Concepts

| Concept | Description |
|---|---|
| Direct Connect (DX) | A dedicated network connection from on-premises to AWS, terminated at a DX location |
| DX Location | A colocation facility housing AWS DX routers; the physical meeting point where the cross-connect lands |
| Virtual Interface (VIF) | A logical connection (802.1Q VLAN plus a BGP session) over a DX port: Private VIF (to a VGW or DX Gateway), Public VIF (AWS public service endpoints) or Transit VIF (to a Transit Gateway via a DX Gateway) |
| DX Gateway | A globally available gateway that lets one DX connection reach VGWs or Transit Gateways in multiple regions and accounts |
| Site-to-Site VPN | Encrypted IPsec tunnels between on-premises and AWS over the internet |
| Virtual Private Gateway (VGW) | VPN (and Private VIF) endpoint on the AWS side, attached to a single VPC |
| Customer Gateway (CGW) | The AWS-side record of the on-premises VPN device: its public IP (or certificate) and BGP ASN |
| Transit Gateway (TGW) | Regional hub that connects multiple VPCs, VPN connections and DX (via Transit VIF) with transitive routing |
| Link Aggregation Group (LAG) | Bundles several dedicated DX connections of the same speed, terminating on the same AWS DX endpoint, into one logical connection for throughput; it does not protect against a DX location outage |

Direct Connect Architecture

On-Premises          DX Location              AWS Region
┌───────────┐      ┌───────────────┐      ┌────────────────────────┐
│ Customer  │      │  Customer     │      │                        │
│ Router    │──────│  Router/Cage  │      │   VPC A (10.0.0.0/16)  │
│           │      │       │       │      │          ▲             │
└───────────┘      │       │ DX    │      │   Private VIF          │
                   │       │ Port  │──────│──→ VGW or TGW          │
                   │       │       │      │          ▼             │
                   │       │       │      │   VPC B (10.1.0.0/16)  │
                   └───────────────┘      │                        │
                                          └────────────────────────┘

Virtual Interface Types

| VIF Type | Connects To | Use Case |
|---|---|---|
| Private VIF | VGW (single VPC) or DX Gateway | Reach VPC resources on their private IPs |
| Public VIF | AWS public service endpoints | Reach S3, DynamoDB and other public AWS endpoints over the DX link instead of the internet (public IPs, not VPC-private addressing) |
| Transit VIF | Transit Gateway (via DX Gateway) | Reach multiple VPCs across regions through TGWs |

SAA/SAP Tip: To connect a single DX to VPCs in multiple regions, use a DX Gateway with a Transit VIF (to TGWs) or Private VIFs (to VGWs). A DX Gateway is globally available and does not require multiple physical connections. Note that a DX Gateway only routes between on-premises and the VPCs associated with it; VPCs sharing the same DX Gateway cannot talk to each other through it, which is one reason to put a TGW behind it.


Site-to-Site VPN Architecture

On-Premises              Internet                AWS
┌──────────────┐      ┌──────────┐      ┌──────────────────────┐
│ CGW Device   │══════│ IPsec    │══════│  VGW or TGW          │
│ (VPN Router) │      │ Tunnel 1 │      │      │               │
└──────────────┘      └──────────┘      │      ▼               │
       ║                                │  VPC (10.0.0.0/16)   │
       ║              ┌──────────┐      │                      │
       ╚══════════════│ IPsec    │══════│  (2 tunnels for HA)  │
                      │ Tunnel 2 │      │                      │
                      └──────────┘      └──────────────────────┘
  • Each VPN connection provides two tunnels for redundancy (across different AWS endpoints)
  • Max throughput: 1.25 Gbps per tunnel; ECMP (Equal Cost Multi-Path) over TGW enables higher aggregate throughput
  • Supports BGP for dynamic routing or static routes
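The two-tunnel layout above is what you get in the customer gateway configuration file AWS generates for a VPN connection. The script below is an added example (not part of the original page or of any AWS tooling): it parses a constructed sample laid out like that file, confirms the two tunnels terminate on distinct AWS endpoints with proper 169.254.0.0/16 /30 inside links, and flags the legacy SHA-1 and DH group 2 parameters that an IPsec tunnel will happily negotiate unless you restrict them via the connection's tunnel options. The element names, IP addresses and pre-shared keys are assumptions for illustration; tunnel 1 is deliberately left on weak settings so the audit has something to report.

```python
"""Check a Site-to-Site VPN connection's two tunnels for redundancy and crypto strength."""
import xml.etree.ElementTree as ET
from ipaddress import ip_address, ip_network

# Constructed sample (not a real download): tunnel 1 keeps legacy SHA-1 / DH group 2,
# tunnel 2 is hardened (SHA-2, AES-256, DH group 14). Element names are assumptions.
SAMPLE_CONFIG = """<vpn_connection id="vpn-0123456789abcdef0">
  <vpn_connection_type>ipsec.1</vpn_connection_type>
  <ipsec_tunnel>
    <customer_gateway>
      <tunnel_inside_address><ip_address>169.254.10.2</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
      <bgp><asn>65000</asn></bgp>
    </customer_gateway>
    <vpn_gateway>
      <tunnel_outside_address><ip_address>198.51.100.21</ip_address></tunnel_outside_address>
      <tunnel_inside_address><ip_address>169.254.10.1</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
      <bgp><asn>64512</asn></bgp>
    </vpn_gateway>
    <ike><authentication_protocol>sha1</authentication_protocol><encryption_protocol>aes-128-cbc</encryption_protocol>
      <perfect_forward_secrecy>group2</perfect_forward_secrecy><pre_shared_key>constructed-psk-1</pre_shared_key></ike>
    <ipsec><authentication_protocol>hmac-sha1-96</authentication_protocol><encryption_protocol>aes-128-cbc</encryption_protocol>
      <perfect_forward_secrecy>group2</perfect_forward_secrecy></ipsec>
  </ipsec_tunnel>
  <ipsec_tunnel>
    <customer_gateway>
      <tunnel_inside_address><ip_address>169.254.11.2</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
      <bgp><asn>65000</asn></bgp>
    </customer_gateway>
    <vpn_gateway>
      <tunnel_outside_address><ip_address>198.51.100.22</ip_address></tunnel_outside_address>
      <tunnel_inside_address><ip_address>169.254.11.1</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
      <bgp><asn>64512</asn></bgp>
    </vpn_gateway>
    <ike><authentication_protocol>sha2-256</authentication_protocol><encryption_protocol>aes-256-cbc</encryption_protocol>
      <perfect_forward_secrecy>group14</perfect_forward_secrecy><pre_shared_key>constructed-psk-2</pre_shared_key></ike>
    <ipsec><authentication_protocol>hmac-sha256-128</authentication_protocol><encryption_protocol>aes-256-cbc</encryption_protocol>
      <perfect_forward_secrecy>group14</perfect_forward_secrecy></ipsec>
  </ipsec_tunnel>
</vpn_connection>"""

WEAK_DH = {"group1", "group2", "group5"}     # MODP groups below 2048 bits
LINK_LOCAL = ip_network("169.254.0.0/16")    # tunnel inside /30s are allocated from here


def parse_tunnels(xml_text):
    """Pull the fields the audit needs out of each <ipsec_tunnel> element."""
    root = ET.fromstring(xml_text)
    tunnels = []
    for idx, t in enumerate(root.findall("ipsec_tunnel"), start=1):
        tunnels.append({
            "index": idx,
            "aws_outside": t.findtext("vpn_gateway/tunnel_outside_address/ip_address"),
            "aws_inside": t.findtext("vpn_gateway/tunnel_inside_address/ip_address"),
            "cgw_inside": t.findtext("customer_gateway/tunnel_inside_address/ip_address"),
            "ike_auth": t.findtext("ike/authentication_protocol"),
            "ike_dh": t.findtext("ike/perfect_forward_secrecy"),
            "ipsec_auth": t.findtext("ipsec/authentication_protocol"),
            "ipsec_dh": t.findtext("ipsec/perfect_forward_secrecy"),
        })
    return tunnels


def audit(xml_text):
    """Return a list of findings; an empty list means both tunnels look sound."""
    tunnels = parse_tunnels(xml_text)
    findings = []
    # Redundancy: two tunnels, each on a different AWS-side outside address.
    if len(tunnels) != 2:
        findings.append(f"expected 2 tunnels for HA, found {len(tunnels)}")
    if len({t["aws_outside"] for t in tunnels}) != len(tunnels):
        findings.append("tunnels share an AWS outside address: no endpoint redundancy")
    for t in tunnels:
        tag = f"tunnel {t['index']}"
        link = ip_network(f"{t['aws_inside']}/30", strict=False)
        if not link.subnet_of(LINK_LOCAL) or ip_address(t["cgw_inside"]) not in link:
            findings.append(f"{tag}: inside addresses are not a shared 169.254.0.0/16 /30")
        # Crypto: SHA-1 integrity and small DH groups are negotiable by default; pin them down.
        if t["ike_auth"] == "sha1":
            findings.append(f"{tag}: IKE integrity is SHA-1; restrict Phase 1 to SHA-2")
        if t["ike_dh"] in WEAK_DH:
            findings.append(f"{tag}: IKE DH {t['ike_dh']} is weak; use group14 or higher")
        if "sha1" in t["ipsec_auth"]:
            findings.append(f"{tag}: ESP integrity is SHA-1; restrict Phase 2 to SHA-2")
        if t["ipsec_dh"] in WEAK_DH:
            findings.append(f"{tag}: PFS DH {t['ipsec_dh']} is weak; use group14 or higher")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(line)
```

Run it against a real configuration download after confirming the element paths match; the fix for the crypto findings is to set the connection's Phase 1 and Phase 2 tunnel options (IKEv2, SHA-2 integrity, DH group 14 or higher) so that the weak algorithms are never offered, and to mirror that restriction on the customer gateway device.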

Redundancy and Failover Patterns

| Pattern | Description | Resilience Level |
|---|---|---|
| Single DX | One DX connection; the cross-connect, port and location are all single points of failure | Low |
| DX + VPN backup | DX as primary, Site-to-Site VPN as failover over the internet (plan for lower bandwidth and variable latency while failed over) | Medium |
| Dual DX (same location) | Two connections at one DX location; survives a port or device failure, not a site outage | Medium–High |
| Dual DX (different locations) | Two connections at geographically separate DX locations | High |
| Dual DX + VPN | Two DX connections at different locations plus VPN failover | Highest |

Exam Trap: A single Direct Connect connection is a single point of failure. For production workloads, always deploy a second DX or a VPN backup. The exam tests this pattern frequently. For a VPN backup to actually take over, advertise the same prefixes over both paths: the VGW prefers DX-learned BGP routes over VPN routes for an equal prefix, but a more specific prefix on either path wins regardless of which link it came from.
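The DX-primary / VPN-backup pattern works because of how the VGW ranks routes: longest prefix first, then BGP routes learned over Direct Connect, then static VPN routes, then BGP routes learned over the VPN (shortest AS_PATH breaking ties). The simulation below is an added example, not code from the page or from AWS; it models that documented ordering with constructed prefixes and hypothetical path names, shows traffic moving to the VPN when the DX VIF's BGP session drops, and shows the trap from the note above: a more specific static route pinned to the VPN steals that /24 from DX even while DX is healthy.

```python
"""Simulate VGW route selection for the DX-primary / VPN-backup pattern."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Source priority among routes with the same prefix length (lower wins), following
# the documented VGW order: DX BGP > static VPN > BGP VPN.
SOURCE_RANK = {"dx-bgp": 0, "vpn-static": 1, "vpn-bgp": 2}


@dataclass(frozen=True)
class Route:
    prefix: str           # destination CIDR, e.g. "192.168.0.0/16"
    source: str           # "dx-bgp", "vpn-static" or "vpn-bgp"
    via: str              # hypothetical path name: the VIF or VPN tunnel used
    as_path_len: int = 0  # only meaningful for BGP-learned routes

    @property
    def network(self):
        return ip_network(self.prefix)


class VgwRouteTable:
    """Routes a VGW propagates into a VPC route table."""

    def __init__(self):
        self.routes = set()

    def learn(self, *routes):
        self.routes.update(routes)

    def withdraw(self, via):
        """Drop every route reachable through `via` (DX VIF or VPN tunnel down)."""
        self.routes = {r for r in self.routes if r.via != via}

    def lookup(self, dst):
        """Longest prefix first, then source rank, then shortest AS_PATH."""
        addr = ip_address(dst)
        candidates = [r for r in self.routes if addr in r.network]
        if not candidates:
            return None
        return min(candidates, key=lambda r: (-r.network.prefixlen,
                                              SOURCE_RANK[r.source],
                                              r.as_path_len, r.via))


def build_table():
    """Constructed topology: on-prem 192.168.0.0/16 advertised over DX and VPN."""
    t = VgwRouteTable()
    t.learn(
        Route("192.168.0.0/16", "dx-bgp", "dxvif-private-1"),
        Route("192.168.0.0/16", "vpn-bgp", "vpn-tunnel-1", as_path_len=1),
        # A more specific static VPN route: wins over DX for 192.168.10.0/24
        # because prefix length is evaluated before source priority.
        Route("192.168.10.0/24", "vpn-static", "vpn-tunnel-1"),
    )
    return t


def failover_demo():
    """Map (phase, destination) -> (route source, path) before and after DX fails."""
    t = build_table()
    result = {}
    for phase in ("dx-up", "dx-down"):
        if phase == "dx-down":
            t.withdraw("dxvif-private-1")  # BGP session over the private VIF is gone
        for dst in ("192.168.5.5", "192.168.10.7"):
            r = t.lookup(dst)
            result[(phase, dst)] = (r.source, r.via)
    return result


if __name__ == "__main__":
    for key, val in failover_demo().items():
        print(key, "->", val)
```

Because failover here depends on the DX BGP session going down, a DX link that stays up while the far side blackholes traffic will not fail over on its own; Bidirectional Forwarding Detection on the DX BGP session is what makes that withdrawal fast enough to matter.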


Encryption Options

| Scenario | Encryption Method |
|---|---|
| DX alone | None: traffic is isolated on a private path but not encrypted in transit |
| VPN alone | IPsec (built in) |
| DX + VPN overlay | IPsec tunnel to a VGW or TGW running over the DX link (normally via a Public VIF, since the VPN endpoints have public IPs); the 1.25 Gbps per-tunnel limit still applies |
| DX + MACsec | Layer 2 link encryption on 10 Gbps and 100 Gbps dedicated connections at DX locations that support it; it protects only the hop between your router and the AWS DX device, not the path end to end |

SAA/SAP Tip: For "encrypted connectivity with consistent latency," the answer is VPN over Direct Connect (an IPsec tunnel running on top of the DX link) or MACsec for supported DX speeds. DX alone does not encrypt traffic. Remember that the IPsec overlay caps throughput at 1.25 Gbps per tunnel, so MACsec is the option that keeps full port speed.


VPN over Transit Gateway

When VPN connections terminate on a Transit Gateway, they support ECMP (Equal Cost Multi-Path) routing:

  • Multiple VPN connections aggregate bandwidth (e.g., 2 connections × 2 tunnels × 1.25 Gbps = 5 Gbps)
  • Requires BGP, a TGW with VPN ECMP support enabled, and the same prefixes advertised with an equal AS_PATH over every tunnel (a VGW does not support ECMP)
  • Useful when DX is not available but higher throughput is needed

Common Use Cases

  • Hybrid cloud — Extend on-premises data centre into AWS VPCs with predictable, low-latency connectivity via DX.
  • Data migration — Transfer large datasets over DX with consistent bandwidth (avoids internet congestion).
  • Disaster recovery — Replicate on-premises workloads to AWS; VPN as an immediate, low-cost DR link.
  • Compliance — Private connectivity that does not traverse the public internet (DX with MACsec).
  • Multi-region networking — DX Gateway + Transit VIF to connect on-premises to VPCs across multiple regions.
  • Quick-start hybrid — Site-to-Site VPN for immediate connectivity while waiting for DX provisioning.

SAA/SAP Exam Tips

SAA/SAP Tip: When a question asks for "private connectivity that does not go over the internet," the answer is Direct Connect. When it adds "encrypted," pair DX with a VPN overlay or MACsec.

Exam Trap: Direct Connect takes weeks to months to provision because it requires a physical cross-connect at a DX location. If the question needs connectivity "immediately" or "quickly," Site-to-Site VPN is the answer (optionally as a bridge until DX is ready).

SAA/SAP Tip: For "most resilient hybrid connectivity," the answer is two DX connections at different DX locations plus a VPN backup. The exam often tests understanding of DX redundancy levels; AWS's own Direct Connect Resiliency Toolkit labels two connections at one location "Development and Test," one connection at each of two locations "High Resiliency," and two connections at each of two locations "Maximum Resiliency."


Cross-Cloud Equivalents

| Provider | Service / Solution | Notes |
|---|---|---|
| AWS | AWS Direct Connect + Site-to-Site VPN | Baseline |
| Azure | Azure ExpressRoute + Azure VPN Gateway | ExpressRoute = DX equivalent; similar model |
| GCP | Cloud Interconnect (Dedicated / Partner) + Cloud VPN | Dedicated Interconnect = dedicated DX; Partner Interconnect = hosted DX |
| On-Premises | MPLS circuits, IPsec VPN appliances (Cisco, Palo Alto, Fortinet) | Traditional WAN connectivity |

Pricing Model

Direct Connect

| Dimension | Unit | Notes |
|---|---|---|
| Port hours | Per hour | Varies by speed (1G, 10G, 100G) and location; billed whether or not the port carries traffic |
| Data transfer out | Per GB | Lower than internet egress; varies by region and DX location |
| Data transfer in | Free | No charge for inbound data over DX |

Site-to-Site VPN

| Dimension | Unit | Notes |
|---|---|---|
| VPN connection hours | Per hour | ~$0.05/hr per connection (both tunnels included); varies by region |
| Data transfer out | Per GB | Standard internet egress rates |
| Accelerated VPN (Global Accelerator) | Per hour + per GB | Optional, Transit Gateway attachments only; carries the tunnels over the AWS global network instead of the open internet |

Built by Fred Cheung @CookedRicer · Powered by Fumadocs & Github Copilot
