AWS Government, Education, & Nonprofits Blog

AWS networking capabilities gives you choices for hybrid cloud connectivity, but which service works best for your use case?

A post by Wesley Joyce, Senior Solutions Architect, AWS


Public sector customers have been using Amazon Web Services (AWS) within their hybrid cloud environments since AWS was born in 2006. Most customers have resources on-premises, engaging in multi-year journeys of cloud adoption. Often they are seeking to improve connectivity for migration, cloud bursting, backup and disaster recovery, or leveraging cloud-native technologies from on-premises.

With so many services and features available around networking, customers sometimes choose ones that aren’t properly tailored to their needs. Picking a bad fit can waste time and money, forcing you to initiate a redesign or implement complicated workarounds.

To help you find your perfect fit, let’s investigate the building blocks available for on-premises connectivity with AWS GovCloud (US). We’ll review factors to consider when designing your hybrid network and common design patterns and service quotas that may affect your final architecture, sharing insights that are applicable to any region.

Learn about the building blocks and apply AWS Well Architected (WA) with a network lens to assess your architecture for best practices for security, cost, reliability, performance, and operational excellence – based on years of field experience.

The building blocks

Amazon Virtual Private Cloud (Amazon VPC) is a logically isolated, private section of the AWS Cloud to launch resources in a virtual data center in the cloud. Amazon VPC allows you to leverage multiple Availability Zones (AZ) within a region so that you can build greater fault tolerance within your workloads. You have complete control.

WA – Security: Do you need IPSec VPN for network-level encryption in transit?

With AWS VPN, you can create IPsec Site-to-Site VPN tunnels from an Amazon VPC to on-premises customer gateway enabling a hybrid environment.

The following diagram depicts an Amazon VPC leveraging two AZs and AWS VPN.

Figure 1 – Amazon VPC with AWS VPN

WA – Performance: Is your internet connection sufficient, saturated, or unreliable? Would a dedicated connection help from a performance perspective? AWS Direct Connect helps move large volumes of data into or out of the cloud, with more effective throughput compared to shared Internet connections.

AWS Direct Connect (DX) allows you to establish dedicated connections from on-premises to AWS. With DX, you can bypass the Internet, which often reduces network costs, improves bandwidth throughput, and provides a more consistent network experience. You can request 1 or 10Gbps connections directly from AWS, which currently supports three types of virtual interfaces (VIF) enabling additional building blocks. You can also work with a DX partner for sub 1Gbps connectivity, but they might support different VIF types.

The following diagram depicts a design pattern using DX to connect to an Amazon VPC in the local region and public AWS services globally.

Figure 2 – AWS Direct Connect

WA – Cost optimization: Would DX help from a cost perspective? Do you require traffic between each VPC to flow on-premises, or can you minimize egress by leveraging services that support east/west traffic? Data ingress – not data egress – is always free with AWS. DX provides cost reduction in cost per GB compared to standard Internet data out charges. Designing multi-VPC/region architectures to minimize data egress increases cost-efficiency.

WA – Multi-Account: How many accounts, regions, and Amazon VPCs do you need to support your workloads? Did you factor in isolation, compliance, and DR?

AWS Direct Connect Gateway (DXG) allows customers to access Amazon VPCs deployed in any unclassified AWS Regions (except China) with DX connections. Use a single private VIF to connect to DXG, which links to up to 10 Amazon VPCs simultaneously across multiple regions, for north-south traffic.

The following diagram depicts a design pattern using DXG to connect to multiple VPCs across regions.

Figure 3 – DXG

AWS Transit Gateway enables you to connect thousands of Amazon VPCs in a region and your on-premises networks with a single gateway. It provides control over connectivity policies, scale, and monitoring your networks. It’s a managed IP router where you can create multiple route tables and attach VPCs, VPNs, and DXG (via transit VIF) for centralized control of routing for both east-west and north-south traffic.

The following diagram depicts a design pattern using AWS VPNs to connect to AWS Transit Gateway over the Internet or DX, which can connect to thousands of Amazon VPCs in each region.

Figure 4 – AWS Transit Gateway

The following diagram depicts a design pattern using DXG to connect to AWS Transit Gateway, which in turn can connect to thousands of VPCs in the local region.

Figure 5 – AWS Transit Gateway with Direct Connect Gateway

Additional best practices and probing questions include:

  • WA – Service Availability: All of the building blocks are available within the unclassified North America regions including AWS GovCloud (US) and other regions globally. Did you refer to the Region table to check availability?
  • WA – Reliability: AWS services have quotas for each account to help guarantee availability of resources and minimize billing risks. Some service quotas can be raised, others are hard quotas. Did you check quotas for each building block?
  • WA – Scale: As customers deploy multiple Amazon VPCs across one or more regions, in addition to quotas, some services currently only work within a single consolidated billing family. Do you have a single or multiple master payer accounts?
  • WA – Operational Excellence: Customers with a network presence at DX locations can terminate connection(s) on their devices. Then, they’re responsible for managing additional connections and peering relationships. Some customers may not have a presence at DX locations or prefer not to manage additional network infrastructure. Did you consider a DX partner to reduce network management challenges?

Visit our hybrid cloud digital hub to download our eBook or watch on-demand webinars to learn more as you consider your approach to connecting on-premises workloads to AWS. Check out part two to dive deeper into common design considerations and decision flow charts to help you narrow down the building blocks.