There are several options to connect to a virtual private cloud (VPC) in Amazon Virtual Private Cloud (Amazon VPC). How do I decide which option to use?
You can connect to your VPC through a virtual private network (VPN), AWS Direct Connect (DX), a VPC peering connection, a VPC endpoint, ClassicLink, an internet gateway, a network address translation (NAT) gateway, or a NAT instance.
The best option depends on your specific use case and preferences.
Review the following options for connecting to your VPC and choose the best one for your use case.
VPN connection
You can use an AWS managed VPN connection or a third-party VPN solution. Use a third-party solution if you require full access to and management of the AWS side of the VPN connection.
After creating your VPN connection, you can download the Internet Protocol Security (IPsec) VPN configuration from the Amazon VPC console to configure the firewall or device in your local network that connects to the VPN.
AWS Direct Connect
An AWS Direct Connect (DX) connection links your internal network to a DX location over a standard 1-Gbps or 10-Gbps Ethernet fiber-optic cable.
DX usage is charged per port-hour with additional data transfer rates that vary by AWS Region. For more information, see AWS Direct Connect pricing.
VPC peering connection
A VPC peering connection connects two VPCs and routes traffic between them using private IP addresses, so the VPCs function as if they were on the same network. These connections aren't subject to common issues such as a single point of failure or network bandwidth bottlenecks, because they don't rely on physical hardware.
VPC peering is supported between VPCs in any AWS Regions, in the same or different AWS accounts. For more information, see VPC Peering Limitations.
VPC endpoint
A VPC endpoint is a private connection between your VPC and another AWS service that doesn't require internet access. The two types of VPC endpoints are interface VPC endpoints (for AWS PrivateLink services) and gateway VPC endpoints. After you configure a VPC endpoint, instances in your VPC can use private IP addresses to communicate with:
- Resources in other AWS services
- VPC endpoint services hosted by other AWS accounts
- Supported AWS Marketplace partner services
ClassicLink (only for EC2-Classic instances)
ClassicLink enables you to link an EC2-Classic instance to a VPC in your account within the same AWS Region without requiring public IP addresses or Elastic IP addresses for communication between instances.
Note: This option is available to users with accounts that support the EC2-Classic platform. You can use ClassicLink with any EC2-Classic instance.
Internet gateway
An internet gateway enables communication between instances in your VPC and the internet. You can scope the route to all destinations not explicitly known to the route table or to a narrower range of IP addresses.
NAT gateway
A NAT gateway is a managed service that enables instances in a private subnet of a VPC to connect to the internet or other AWS services without allowing connections to those instances from the internet.
Note: Be sure to create the NAT gateway in a public subnet. For more information, see NAT Gateway Rules and Limitations.
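A NAT gateway only works as described above if its own subnet is public, that is, if the subnet's route table sends 0.0.0.0/0 to an internet gateway. The following check is an added example (not code from this article or from AWS): it takes dictionaries shaped like the output of `aws ec2 describe-route-tables` and `aws ec2 describe-nat-gateways`, resolves each subnet's effective route table (explicit association, otherwise the VPC's main table), and reports NAT gateways placed in a subnet with no internet gateway route. The sample data is constructed, and the resource IDs in it are placeholders.

```python
# Constructed sample in the shape of the EC2 API responses: subnet-public has an
# explicit route table with a route to an internet gateway; subnet-private has no
# explicit association and therefore falls back to the VPC's main route table.
ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-main", "VpcId": "vpc-1",
     "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-good"}]},
    {"RouteTableId": "rtb-public", "VpcId": "vpc-1",
     "Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1"}]},
]}
NAT_GATEWAYS = {"NatGateways": [
    {"NatGatewayId": "nat-good", "VpcId": "vpc-1", "SubnetId": "subnet-public"},
    {"NatGatewayId": "nat-bad", "VpcId": "vpc-1", "SubnetId": "subnet-private"},
]}


def route_table_for(subnet_id, vpc_id, route_tables):
    """Return the route table a subnet uses: its explicit association, else the VPC's main table."""
    main = None
    for rtb in route_tables["RouteTables"]:
        if rtb.get("VpcId") != vpc_id:
            continue
        for assoc in rtb.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rtb
            if assoc.get("Main"):
                main = rtb
    return main


def default_route_target(rtb):
    """Return the target of the 0.0.0.0/0 route (gateway or NAT gateway ID), or None."""
    for route in (rtb or {}).get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route.get("GatewayId") or route.get("NatGatewayId")
    return None


def is_public(subnet_id, vpc_id, route_tables):
    """A subnet is public when its effective default route points at an internet gateway."""
    target = default_route_target(route_table_for(subnet_id, vpc_id, route_tables))
    return bool(target) and target.startswith("igw-")


def misplaced_nat_gateways(nat_gateways, route_tables):
    """Return the IDs of NAT gateways whose subnet has no internet gateway route."""
    return [ngw["NatGatewayId"] for ngw in nat_gateways["NatGateways"]
            if not is_public(ngw["SubnetId"], ngw["VpcId"], route_tables)]


if __name__ == "__main__":
    print(misplaced_nat_gateways(NAT_GATEWAYS, ROUTE_TABLES))  # ['nat-bad']
```

On a real account, replace the two constants with the parsed JSON of the corresponding CLI or boto3 (`describe_route_tables`, `describe_nat_gateways`) calls; the functions only read the fields shown.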
NAT instance
A NAT instance in the public subnet of a VPC enables instances in the private subnet to initiate outbound IPv4 traffic to the internet or other AWS services, while preventing those instances from receiving inbound traffic initiated from the internet.
Note: A NAT gateway is recommended for common use cases. For more information, see Comparison of NAT Instances and NAT Gateways.