Difference between VPN and Direct Connect

  • Hardware VPN
  • VPN is associated with Virtual Private Gateway, not with your VPC. What you can do is to detach the VPG and can reattach it to another VPC.

  • VPN Billing
  • Pay for the connection hours
  • Pay for data transfer
  • Depends where is the Customer Gateway. If it is in your DC, data transfer charge is standard Internet data transfer
  • If you are using via Direct Connect public VIF, you are charged by Direct Connect rates
  • Another VPC in the same region via EIP - local region charges
  • Another VPC in another AWS region - remote region data transfer charges
  • Connections over a DX are not encrypted. Workaround is that you would create a public VIF to access endpoints. Another service is VPN endpoints within AWS public zone. You can create a VPN running over the top of DX connection.

  • Virtual Interface (VIF) - VLAN and BGP sessions.

Private VIF

  • Private VIF: connects you to a virtual private cloud (VPC) but not to the VPC+2 DNS server and not the VPC endpoint for AWS S3.
  • They are per region only. They are one to one connection. Single VLAN on your network and VPC. Connects to the VGW.

Public VIF

  • Public VIF connects you to public AWS services and located within the associated region. Anyone else using AWS public IPs and managed VPN public IPs (+VPN endpoints). Not the public internet.

Transit VIF

DirectConnect Gateway

  • Global resource to create private VIFs within different AWS Regions which are associated with the DXGW. The main purpose is to connect to other VPCs outside of the region via DGW. You can associate on premises gateways or AWS private gateways with DirectConnect Gateway. It advertises all the networks with BGP. This reduces the admin overhead. However, it’s not a transitive device.
  • There is a port charge for this connection. Charged for traffic data transfer out, it’s a lot lower than internet connection. There is a significant installation time as well.
  • VPN can serve as a backup for DirectConnect connection.
  • DXGW will not connect to a VPC within a different account. You need to create a different DX Gateway for that purpose. It only creates connectivity between VPCs and On-premises gateways.
  • 10 VGW per DXGW.
  • 1 DX can have many private VIFs == many DX Gateways.

Transit Gateway

  • Instead of directly connecting your DX Gateway to the VGW of specific VPCs, it will connect to the Transit Gateway. It’s a regional resource and you can connect to the remote region’s Transit Gateway as well.
  • Transitive routing service, as known as full mesh.
  • Create a Transit Gateway within a region and connect to different VPCs with VPC attachment and to your onpremises router with VPN attachment. It’s capable of routing in a transitive way.
  • Transit Gateway can be shared within Resource Access as well.
  • You create a transit VIF - 1 per DX Connection and this is associated with the DXGW.
  • 3 TGWs can be attached to the DX Gateway. Also, TGWs can be peered.

1G/10G dedicated connections

  • Let’s say within your account, you created a 1G or 10G Direct Connect connection. On that connection, you are going to create a virtual interface. You will also choose a VLAN. You can create multiple of those for specific VPCs. You can also share these across accounts. There is also an option to enter another AWS account number on that connection. It will become a hosted virtual interface. Within partner hosted connections: VLAN ID is chosen for you by the partner


  • Within each Direct Connect location, AWS has 2 redundant routers. Moving a connection to another account is done by raising a support case
  • You can delete and re-create VIFs if you want to move it to another VGW to connect to your VPC
  • You can connect via 2 different DX locations to achieve full resiliency. Plus, VPN as a backup.
  • There is AWS DX Router and Customer / Provider DX Router within the DX Location connected via a single cross-connect. This links a DX port with a customer or provider router.
  • 7 single points of failure;
    • DX Location, DX Router, Cross Connect, Customer DX Router, Extension, Customer Premises & Router.
  • You can use multiple DX Routers both from AWS and your side. 2 independent DX ports mean the architecture tolerate a failure.

BGP (Border Gateway Protocol)

  • BGP neighbors exchange routing information - prefixes. More specific prefixes are preferred
  • BGP uses Autonomous System Numbers - ASNs. iBGP - between peers in the same AS. eBGP - between peers in different AS (when in the case you have a connection between AWS and your DC)
  • AS_PATH - measure of network distance: not the same as traceroute. This represents the whole network
  • ASN numbers can change per public/private VIFs for particular connections within BGP
  • Suppose you have 3 different regions us-west-1, us-east-1 and eu-west-1 with ASNs 7224, 7224 and 9800 with a Corporate Backbone Network with ASN = 65000. When you try to connect from us-west-1 to us-east-1, the announcement will be rejected because it will understand as if it was coming from the same region with same ASN. You can use the functionality of AS overwrite facing the region you want to connect from. If you want to connect from eu-west-1 to us-west-2, it is ok, ASN will be announced and since the number is different, it’s accepted. However, the other way around, when us-west-2 announces from ASN 7224, in to eu-west-1… You will find it’s rejected because 7224 is used internally for Direct Connect. You can actually put a specific CIDR address route in your VPC inside your IGW route table to tell if I have traffic for that specific CIDR block, send it to the VGW!
  • BGP Redundancy: Logical level redundancy where over a single DX connection, AWS gives you two physical devices in the backend as BGP peers. It automatically fails over to the second peer.
  • From two different on-premises locations, you can tag low, medium or high preferences to your routes (BGP communities) to prioritise traffic flow.

Accessing your resources over Direct Connect

  • First, you create a DX Gateway
  • Second, you create a private VIF to the gateway. You need to create the VLAN ID as the packets will go through tagged, now AWS end is auto-configured
  • Associate the VPC and VIF to the DX Gateway. You can also associate remote regions to the Gateway as well

Routing Preference 1) Local routes to the VPC
2) Longest prefix match first (/24 is more specific to /16)
3) Static route table entries preferred over dynamic
4) Dynamic routes
5) Prefer Direct Connect BGP routes
6) Shorter AS path
7) Considered equivalent, and will balance traffic per flow
8) VPN static routes
9) BGP routes from VPN
10) Shorter AS path

AWS VPN CloudHub

  • Way to connect multiple remote networks all into the same VGW. Exchanging routes via VGW. It gives you access to the VPC. You can also use same AS numbers but custom config required. Instead of connecting multiple remote offices, you can also connect another VPC in another region together with other locations. You can achieve this building software VPN instances. You can also connect a private DX VIF as well

Transit VPC

  • Moving 2 software VPN instances to a hub environment. Creating a VPC and putting these 2 instance in it acting as a Customer Gateway. VPN over Public VIF on Direct Connect is done with Virtual Routing and Forwarding!!!

Virtual Private Gateway

  • If you wanna connect your on-premises to AWS, you need to create a virtual private gateway. It’s a logical, fully redundant distributed router that sits at the edge of your VPC. VGW can terminate IPSec VPN. AWS is partnered with 3rd party colocation companies such as Equinix etc. for a Direct Connect location (physical DC). The customer picks the Direct Connect site and then the connection link; 1Gbps or 10Gbps which will generate the quote. Once the physical connection is done, you need to configure the logical/sub interfaces. In AWS, there are 2 different types, virtual interfaces, VIFs. Private VIF and Public VIF are both configured as separate .1q VLAN tag across Direct Connect.
  • You can set up only one Virtual Private Gateway per VPC.

Direct Connect Gateway

  • You can connect your on prem with this gateway to the other regions of your AWS services. You can think of this as a redundant peering point, distributed VRF. It’s only used for VPC attachment, no public connectivity.

Direct Connect Billing

  • Physical Connection: $0.30/port hour for 1G and $2.25/port hour for 10G. Data Transfer Out: per GB regardless of the service type, depends on the region etc. No charge for ingress data. Source/Destination of the data is important.

  • When you set up an IPSec tunnel over VPN Gateways and AWS supported customer gateways;

    • You obtain data integrity protection across the Internet
    • You obtain peer identity authentication between VPN gateway and customer gateway
    • Your data in transit is protected over the Internet
    • Your data is encrpyted across the Internet