1. Hybrid Connectivity Overview

Many organizations operate in a hybrid model: some workloads in AWS, some on-premises. AWS provides two main approaches to connect on-premises networks to AWS: VPN (over the internet, encrypted) and Direct Connect (dedicated private line). This lesson covers VPN.

VPN vs Direct Connect at a Glance

VPN = encrypted tunnel over the public internet. Quick to set up (minutes–hours). Lower cost. Variable performance (depends on internet).
Direct Connect = dedicated physical fiber connection. Weeks–months to set up. Higher cost. Consistent performance, lower latency.
Both can be used together for redundancy.

2. AWS Site-to-Site VPN

Site-to-Site VPN creates an encrypted IPSec tunnel between your on-premises network and your AWS VPC. It connects two networks (site-to-site), not individual users.


Key Components

Architecture

Site-to-Site VPN Architecture:

  On-Premises            Internet               AWS
 ┌───────────┐                              ┌──────────┐
 │ Servers   │        ┌────────────┐        │ VPC      │
 │    |      │        │ Encrypted  │        │   |      │
 │ Customer  │────────│ IPSec      │────────│ VGW or   │
 │ Gateway   │        │ Tunnels    │        │ TGW      │
 │ (Router)  │        │ (2 per     │        │   |      │
 └───────────┘        │ connection)│        │ Subnets  │
                      └────────────┘        └──────────┘

Key Facts

  1. Each VPN connection provides 2 IPSec tunnels for redundancy (active/passive or active/active)
  2. Each tunnel supports up to 1.25 Gbps throughput
  3. Encrypted with IPSec (AES-256)
  4. Supports dynamic routing (BGP) or static routing
  5. VPN goes over the PUBLIC internet — latency varies, not guaranteed
  6. Quick to set up: minutes to hours (vs weeks for Direct Connect)
  7. Monthly cost: ~$0.05/hour per VPN connection (~$36/month)


VGW vs TGW for VPN

3. Accelerated Site-to-Site VPN

  1. Uses AWS Global Accelerator to route VPN traffic through the AWS global network instead of the public internet
  2. Traffic enters the closest AWS Edge Location and travels on AWS’s private backbone
  3. Reduces latency and jitter. More consistent performance.
  4. Must use Transit Gateway (not VGW) for accelerated VPN
  5. Additional cost: Global Accelerator charges + data transfer premium

Accelerated VPN

Standard VPN = traffic goes over the public internet the entire way. Accelerated VPN = traffic enters the nearest AWS Edge Location and uses AWS’s private backbone for the majority of the journey. Better for long-distance or latency-sensitive VPN connections.
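The Key Facts above say every Site-to-Site VPN connection has two IPSec tunnels for redundancy and may terminate on a VGW or a TGW, with or without acceleration. The following added example (not part of the lesson) audits exactly those properties from the dict shape that boto3's ec2.describe_vpn_connections() returns; SAMPLE_RESPONSE is a constructed stand-in for the live call, and all IDs and addresses in it are made up.

```python
# Added example (not from the lesson): audit Site-to-Site VPN tunnel redundancy from
# the dict shape boto3's ec2.describe_vpn_connections() returns. SAMPLE_RESPONSE is a
# constructed stand-in for the live API call; its IDs and IP addresses are made up.
EXPECTED_TUNNELS = 2  # every Site-to-Site VPN connection has exactly two tunnels
SAMPLE_RESPONSE = {
    "VpnConnections": [
        {   # healthy: BGP routing, terminates on a VGW, both tunnels UP
            "VpnConnectionId": "vpn-0a1b2c3d4e5f60001",
            "VpnGatewayId": "vgw-0a1b2c3d4e5f60001",
            "Options": {"StaticRoutesOnly": False, "EnableAcceleration": False},
            "VgwTelemetry": [
                {"OutsideIpAddress": "203.0.113.10", "Status": "UP"},
                {"OutsideIpAddress": "203.0.113.11", "Status": "UP"},
            ],
        },
        {   # degraded: accelerated VPN on a TGW (required for acceleration), one tunnel DOWN
            "VpnConnectionId": "vpn-0a1b2c3d4e5f60002",
            "TransitGatewayId": "tgw-0a1b2c3d4e5f60001",
            "Options": {"StaticRoutesOnly": True, "EnableAcceleration": True},
            "VgwTelemetry": [
                {"OutsideIpAddress": "198.51.100.20", "Status": "UP"},
                {"OutsideIpAddress": "198.51.100.21", "Status": "DOWN"},
            ],
        },
    ]
}


def audit_vpn_connections(response):
    """Return one finding per connection: gateway type, routing mode and tunnel health."""
    findings = []
    for conn in response["VpnConnections"]:
        telemetry = conn.get("VgwTelemetry", [])
        up = [t for t in telemetry if t["Status"] == "UP"]
        opts = conn.get("Options", {})
        findings.append({
            "id": conn["VpnConnectionId"],
            # A connection terminates on a VGW (one VPC) or a TGW (many VPCs).
            "target": conn.get("TransitGatewayId") or conn.get("VpnGatewayId"),
            "routing": "static" if opts.get("StaticRoutesOnly") else "bgp",
            "accelerated": bool(opts.get("EnableAcceleration")),
            "tunnels_up": len(up),
            # Two tunnels UP = redundant; one = single point of failure; zero = outage.
            "redundant": len(up) == EXPECTED_TUNNELS,
            "down_endpoints": [t["OutsideIpAddress"] for t in telemetry if t["Status"] != "UP"],
        })
    return findings


for f in audit_vpn_connections(SAMPLE_RESPONSE):
    print(f"{f['id']} -> {f['target']} [{f['routing']}]: {f['tunnels_up']}/{EXPECTED_TUNNELS} tunnels up")
```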

4. VPN CloudHub

  1. Connect multiple on-premises sites to a single VGW
  2. Sites can communicate with each other through the VGW (hub-and-spoke between on-prem sites)
  3. Uses BGP for dynamic routing
  4. Low cost: just VPN connection charges
  5. Traffic between sites goes through AWS (over the internet, encrypted)
  6. Use for: connecting multiple branch offices that need to talk to each other and to AWS

VPN CloudHub:

  Office A (CGW-A) ───┐
                      │
  Office B (CGW-B) ───┼──── VGW ──── VPC
                      │
  Office C (CGW-C) ───┘

A can talk to B, B can talk to C, all via VGW. All traffic encrypted. Goes over public internet.

5. AWS Client VPN

AWS Client VPN provides secure TLS-based VPN connections from individual user devices (laptops, phones) to your AWS VPC. It is for remote user access, not site-to-site.


Key Characteristics

  1. OpenVPN-based protocol (TLS)
  2. Users install an OpenVPN client on their device
  3. Connects individual users to your VPC (not networks to networks)
  4. Managed by AWS: scales automatically, highly available
  5. Supports: Active Directory authentication, SAML 2.0 (SSO), mutual TLS (certificate-based)
  6. Can access: VPC resources, on-premises resources (if VPN/DX connected), and the internet (via VPC)
  7. Billed per active client connection per hour


Site-to-Site VPN vs Client VPN

Exam Tip

VPN questions:

  1. "Connect on-premises data center to AWS quickly" = Site-to-Site VPN
  2. "Remote employees access VPC" = Client VPN
  3. "Multiple VPCs from one VPN" = VPN to TGW
  4. "Increase VPN bandwidth" = ECMP with TGW (multiple connections)
  5. "Reduce VPN latency" = Accelerated VPN (Global Accelerator)
  6. "Connect multiple offices through AWS" = VPN CloudHub
  7. Each VPN connection = 2 tunnels × 1.25 Gbps each