Hybrid Connectivity: Direct Connect and VPN
Learn how to connect on-premises data centers to AWS using Site-to-Site VPN and AWS Direct Connect — and when to choose each.
Learning outcomes
By the end of this lesson, you will be able to:
- Explain what hybrid connectivity means.
- Describe how AWS Site-to-Site VPN works.
- Describe how AWS Direct Connect works.
- Compare VPN and Direct Connect across key dimensions.
- Choose the right service based on common exam scenarios.
- Recognize AWS Transit Gateway as a way to connect multiple VPCs.
What is hybrid connectivity?
Hybrid connectivity means linking your on-premises data center (or corporate office) to your AWS VPC so resources in both environments can communicate as if they were on the same private network.
Common reasons:
- Migrating workloads gradually (not all at once).
- Keeping sensitive data on-premises while running applications in AWS.
- Extending an existing corporate network into the cloud.
AWS offers two primary services for this: Site-to-Site VPN and Direct Connect.
AWS Site-to-Site VPN
A Site-to-Site VPN creates an encrypted tunnel between your on-premises network and your AWS VPC over the public internet.
How it works
- You set up a Virtual Private Gateway on the AWS side (attached to your VPC).
- You configure a Customer Gateway on your side (your on-premises router/firewall).
- AWS creates two VPN tunnels (for redundancy) between them.
- All traffic is encrypted using IPsec.
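The four steps above written out as Terraform, as an added example that is not part of the original lesson and is not AWS's or the course's own code. It assumes an existing VPC `aws_vpc.main` and private route table `aws_route_table.private`, and uses constructed placeholder values for the on-premises router's public IP, BGP ASN and LAN prefix; the `tunnelN_*` settings are included because, left unset, the service accepts its default proposal list, which still includes IKEv1, AES-128, SHA-1 and DH group 2.

```hcl
# Added example (not from the lesson). Assumes aws_vpc.main and
# aws_route_table.private exist; IP, ASN and CIDR below are placeholders.

# Step 2: the Customer Gateway describes your on-premises router/firewall.
resource "aws_customer_gateway" "onprem" {
  bgp_asn    = 65000           # placeholder private ASN of the office router
  ip_address = "203.0.113.10"  # placeholder public IP of the on-prem device
  type       = "ipsec.1"
}

# Step 1: the Virtual Private Gateway is the AWS-side endpoint on the VPC.
resource "aws_vpn_gateway" "vgw" {
  vpc_id = aws_vpc.main.id
}

# Steps 3 and 4: one VPN connection creates both IPsec tunnels. The
# tunnelN_* options restrict which IKE/IPsec proposals AWS will negotiate.
resource "aws_vpn_connection" "onprem" {
  vpn_gateway_id      = aws_vpn_gateway.vgw.id
  customer_gateway_id = aws_customer_gateway.onprem.id
  type                = "ipsec.1"
  static_routes_only  = true   # no BGP inside the tunnels in this example

  tunnel1_ike_versions                 = ["ikev2"]
  tunnel1_phase1_encryption_algorithms = ["AES256-GCM-16"]
  tunnel1_phase1_integrity_algorithms  = ["SHA2-256"]
  tunnel1_phase1_dh_group_numbers      = [14, 19, 20, 21]
  tunnel1_phase2_encryption_algorithms = ["AES256-GCM-16"]
  tunnel1_phase2_integrity_algorithms  = ["SHA2-256"]
  tunnel1_phase2_dh_group_numbers      = [14, 19, 20, 21]

  tunnel2_ike_versions                 = ["ikev2"]
  tunnel2_phase1_encryption_algorithms = ["AES256-GCM-16"]
  tunnel2_phase1_integrity_algorithms  = ["SHA2-256"]
  tunnel2_phase1_dh_group_numbers      = [14, 19, 20, 21]
  tunnel2_phase2_encryption_algorithms = ["AES256-GCM-16"]
  tunnel2_phase2_integrity_algorithms  = ["SHA2-256"]
  tunnel2_phase2_dh_group_numbers      = [14, 19, 20, 21]
}

# Which on-premises prefix is reachable through the tunnels.
resource "aws_vpn_connection_route" "office_lan" {
  destination_cidr_block = "10.0.0.0/16"   # placeholder on-prem LAN
  vpn_connection_id      = aws_vpn_connection.onprem.id
}

# Propagate the VGW's routes into the VPC route table so instances can reply.
resource "aws_vpn_gateway_route_propagation" "private" {
  vpn_gateway_id = aws_vpn_gateway.vgw.id
  route_table_id = aws_route_table.private.id
}
```

The on-premises device must be configured with matching proposals; AWS generates a per-vendor configuration file for the connection that you download after it is created.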
Key characteristics
| Feature | Detail |
|---|---|
| Connection type | Encrypted tunnel over the public internet |
| Setup time | Minutes to hours |
| Bandwidth | Up to ~1.25 Gbps per tunnel |
| Encryption | Yes (IPsec) |
| Cost | Low — hourly charge + data transfer |
| Reliability | Subject to internet variability (jitter, latency spikes) |
Tip
Exam pattern: "Need a private connection quickly" or "encrypted connection over the internet" → Site-to-Site VPN.
AWS Direct Connect
AWS Direct Connect establishes a dedicated, private physical connection between your data center and AWS — bypassing the public internet entirely.
How it works
- You work with a Direct Connect partner (or go to an AWS Direct Connect location) to provision a physical cross-connect.
- A dedicated fiber connection links your network to AWS.
- Traffic flows over this private link — not through the internet.
Key characteristics
| Feature | Detail |
|---|---|
| Connection type | Dedicated private physical link |
| Setup time | Weeks to months |
| Bandwidth | 1 Gbps, 10 Gbps, or 100 Gbps (dedicated); 50 Mbps–10 Gbps (hosted) |
| Encryption | Not encrypted by default (add VPN on top for encryption) |
| Cost | Higher — port charges + data transfer |
| Reliability | Consistent latency and throughput (no internet variability) |
Note
Direct Connect does not encrypt traffic by default. If you need encryption over a Direct Connect link, you can run a VPN tunnel on top of it.
Tip
Exam pattern: "Need consistent, high-throughput, low-latency connectivity" or "dedicated private connection" → Direct Connect.
Side-by-side comparison
| Dimension | Site-to-Site VPN | Direct Connect |
|---|---|---|
| Travels over | Public internet | Dedicated private link |
| Setup time | Minutes to hours | Weeks to months |
| Bandwidth | Up to ~1.25 Gbps/tunnel | Up to 100 Gbps |
| Latency | Variable (internet-dependent) | Consistent and low |
| Encrypted | Yes (IPsec) | No (add VPN for encryption) |
| Cost | Lower | Higher |
| Best for | Quick setup, backup connectivity, lower bandwidth needs | High throughput, consistent performance, large data transfers |
AWS Transit Gateway — connecting multiple VPCs
As your AWS environment grows, you may have dozens of VPCs across accounts and Regions. AWS Transit Gateway acts as a central hub that connects:
- Multiple VPCs
- On-premises networks (via VPN or Direct Connect)
- Other Transit Gateways (across Regions)
Think of it as a network router in the cloud — instead of creating individual peering connections between every pair of VPCs, everything connects through the Transit Gateway.
Note
For the CCP exam, you only need to know that Transit Gateway exists and that it simplifies connecting multiple VPCs and on-premises networks. You won't be asked about configuration details.
Summary
| Service | What it does | Speed to set up | Best for |
|---|---|---|---|
| Site-to-Site VPN | Encrypted tunnel over the internet | Minutes to hours | Quick, encrypted, lower-bandwidth connections |
| Direct Connect | Dedicated private physical link | Weeks to months | High-throughput, consistent-latency workloads |
| Transit Gateway | Central hub connecting multiple VPCs and on-prem networks | Hours to days | Large multi-VPC environments |