Quick Overview of the Network Connectivity Options in AWS
AWS offers a variety of network connectivity options tailored to different use cases—whether it’s enabling internet access, private communication within the cloud, hybrid setups, or secure remote access. Choosing the right option depends on factors like security, cost, performance, and scalability.
The diagram below summarizes the key network connectivity options available in AWS Cloud.
Here is a brief description of each of the connectivity options depicted in the diagram above. In every case it is the VPC route tables that decide which traffic goes to a given gateway or endpoint: an option only carries the traffic that a route table entry directs to it.
1. Connectivity to the Internet
1.1 Internet Gateway (IGW)
An IGW allows both inbound and outbound access to the internet. It is used by resources (e.g. EC2 instances) in a public subnet that need to be reachable from the internet: the subnet's route table must have a default route (0.0.0.0/0) to the IGW, and the instance needs a public IPv4 or Elastic IP address, between which and the instance's private address the IGW performs 1:1 NAT. Security groups and network ACLs still apply, so being in a public subnet does not by itself expose an instance.
- One Gateway Per VPC: Only one IGW can be attached to a VPC, and an IGW can be attached to only one VPC. Subnets in all AZs of the VPC share the same IGW.
- Supports both IPv4 and IPv6: The IGW supports both IPv4 and IPv6 communications.
- Usage is Free: There is no hourly charge for an internet gateway; the usual data transfer out charges still apply.
1.2 NAT Gateway
A NAT gateway allows only outbound access to the internet. It enables resources in a private subnet to initiate connections to the internet (and receive the replies) while blocking connections initiated from the internet to those resources.
- A Zonal Resource: A public NAT gateway is deployed in a specific AZ, in a public subnet that routes to the IGW. Subnets in other AZs can route to it, but a failure of that AZ then takes their egress down as well; for high availability, create a NAT gateway in each AZ and point each private subnet at the NAT gateway in its own AZ.
- Only Outbound Access: Typical use is a database or application server in a private subnet fetching patches or package updates from the internet. It is not an egress control: anything in the subnet can reach any internet destination unless network ACLs, security group egress rules or a firewall in the path restrict it.
- Usage is Charged: It is a managed service, highly available within its AZ, billed per hour and per GB processed.
- Not a PrivateLink Building Block: A NAT gateway does not create PrivateLinks; a PrivateLink endpoint service is fronted by a Network Load Balancer (or Gateway Load Balancer) in the provider's VPC (see PrivateLink below). A private NAT gateway, one without an Elastic IP placed in a private subnet, does exist and is used to route traffic to other VPCs or on-premises networks, for example when address ranges overlap.
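Because the IGW and NAT gateway only carry traffic that a subnet route table sends to them, the quickest way to see which subnets are actually exposed is to resolve each subnet's effective default route. The Python script below is an added example, not code from the original page: it runs over constructed sample data shaped like `aws ec2 describe-route-tables` / `describe-subnets` / `describe-nat-gateways` output (all identifiers are made up), classifies each subnet as public, private or isolated, flags a subnet that merely inherits an IGW route from the VPC main route table, and flags a private subnet whose NAT gateway sits in another AZ.

```python
"""Classify subnets of a VPC by their effective IPv4 default route.

Sample data below is constructed; it follows the shape of describe-route-tables,
describe-subnets and describe-nat-gateways output, with made-up identifiers.
"""

SUBNETS = {
    "subnet-pub-1a": {"AvailabilityZone": "us-east-1a"},
    "subnet-app-1a": {"AvailabilityZone": "us-east-1a"},
    "subnet-app-1b": {"AvailabilityZone": "us-east-1b"},
    "subnet-db-1a": {"AvailabilityZone": "us-east-1a"},
}
NAT_GATEWAYS = {"nat-1a": {"SubnetId": "subnet-pub-1a"}}  # AZ follows its subnet
ROUTE_TABLES = [
    {   # main table: no default route, so subnets left on it are isolated
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}],
    },
    {
        "RouteTableId": "rtb-public",
        "Associations": [{"Main": False, "SubnetId": "subnet-pub-1a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1b2c3d", "State": "active"},
        ],
    },
    {   # both app subnets share the single NAT gateway that lives in us-east-1a
        "RouteTableId": "rtb-app",
        "Associations": [
            {"Main": False, "SubnetId": "subnet-app-1a"},
            {"Main": False, "SubnetId": "subnet-app-1b"},
        ],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-1a", "State": "active"},
        ],
    },
]

# Keys under which a route names its target in describe-route-tables output.
TARGET_KEYS = ("GatewayId", "NatGatewayId", "TransitGatewayId",
               "VpcPeeringConnectionId", "NetworkInterfaceId", "InstanceId")


def effective_route_table(subnet_id, route_tables):
    """An explicit subnet association wins; otherwise the VPC main table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_route_target(rt):
    """Return the target of the active 0.0.0.0/0 route, or None if there is none."""
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State", "active") != "active":   # blackhole routes carry nothing
            continue
        for key in TARGET_KEYS:
            if key in route:
                return route[key]
    return None


def classify_subnets(route_tables, subnets, nat_gateways):
    """Map subnet id -> {'kind': public|private|isolated, 'via': target, 'warnings': [...]}."""
    result = {}
    for subnet_id, subnet in subnets.items():
        rt = effective_route_table(subnet_id, route_tables)
        target = default_route_target(rt) if rt else None
        warnings = []
        if target is None:
            kind = "isolated"
        elif target.startswith("igw-"):
            kind = "public"
            explicit = any(a.get("SubnetId") == subnet_id for a in rt.get("Associations", []))
            if not explicit:   # a public main table makes every new subnet public by default
                warnings.append("inherits an internet gateway default route from the main route table")
        elif target.startswith("nat-"):
            kind = "private"
            nat_az = subnets[nat_gateways[target]["SubnetId"]]["AvailabilityZone"]
            if nat_az != subnet["AvailabilityZone"]:
                warnings.append(f"egress depends on {target} in {nat_az}; an outage there cuts this subnet off")
        else:
            kind = "private"   # egress via tgw-, pcx-, vgw-, eni- etc.: no direct internet path
        result[subnet_id] = {"kind": kind, "via": target, "warnings": warnings}
    return result


if __name__ == "__main__":
    for sid, info in classify_subnets(ROUTE_TABLES, SUBNETS, NAT_GATEWAYS).items():
        print(f"{sid}: {info['kind']} via {info['via']} {info['warnings']}")
```

Feeding real `describe-*` JSON into `classify_subnets` works unchanged; the warning for `subnet-app-1b` is the cross-AZ dependency described above, and the main-table warning catches the common mistake of attaching the IGW default route to the main table.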
2. Connectivity Within Cloud
2.1 VPC Gateway Endpoint
Gateway endpoints allow access to S3 and DynamoDB from inside a VPC without the traffic leaving the AWS network: a route table entry for the service's prefix list points at the endpoint instead of at an IGW or NAT gateway.
- No Data Transfer Cost: There is no hourly or data transfer charge for a gateway endpoint. It only reaches the service in the same region as the VPC.
- Limited Services: Only S3 and DynamoDB are supported, and only from within the VPC itself (not from peered VPCs, a Transit Gateway, VPN or Direct Connect). An endpoint policy can restrict which buckets or tables are reachable through the endpoint, and a bucket policy can require that requests arrive through it.
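The two policies that usually go together with a gateway endpoint are the endpoint policy (what the endpoint may be used for) and the bucket policy (which endpoint a bucket accepts requests from). The script below is an added example, not code from the original page: it carries a deliberately small model of IAM policy evaluation (explicit Deny wins, an Allow is required, Action/Resource wildcards and StringEquals/StringNotEquals conditions only; Principal matching is left out and every request is assumed to come from the bucket-owning account) and uses it to show that the endpoint cannot be used to push data to an unapproved bucket and that the bucket refuses requests that did not come through the endpoint. The bucket name, endpoint ID and account ID are constructed sample values.

```python
"""Evaluate S3 requests against a VPC endpoint policy and a bucket policy.

Small model of IAM evaluation: explicit Deny wins, an Allow is needed, only
Action/Resource wildcards and StringEquals/StringNotEquals are supported, and
Principal matching is out of scope. Names and IDs are constructed samples.
"""
import fnmatch

# Endpoint policy: the endpoint may only be used to reach one approved bucket,
# which blocks exfiltration to an attacker-controlled bucket via the endpoint.
ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::corp-data-bucket", "arn:aws:s3:::corp-data-bucket/*"],
    }],
}

# Bucket policy: explicitly deny every request that did not arrive through our
# endpoint, so a leaked credential used from the internet still gets a Deny.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::corp-data-bucket", "arn:aws:s3:::corp-data-bucket/*"],
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::corp-data-bucket", "arn:aws:s3:::corp-data-bucket/*"],
            "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-0f1e2d3c4b5a69788"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM '*' and '?' wildcards behave like fnmatch for actions and ARNs."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """A key missing from the request context fails StringEquals and
    satisfies StringNotEquals, matching IAM's treatment of absent keys."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in _as_list(expected):
                    return False
            else:
                raise ValueError(f"unsupported condition operator {operator}")
    return True


def evaluate(policy, action, resource, context):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request against one policy."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action) or not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # explicit deny always wins
        decision = "Allow"
    return decision


def s3_request_allowed(action, resource, context):
    """A request via the endpoint must pass the endpoint policy; every request
    must then pass the bucket policy. Returns (allowed, reason)."""
    if "aws:SourceVpce" in context and evaluate(ENDPOINT_POLICY, action, resource, context) != "Allow":
        return False, "blocked by endpoint policy"
    verdict = evaluate(BUCKET_POLICY, action, resource, context)
    return verdict == "Allow", f"bucket policy: {verdict}"


if __name__ == "__main__":
    via_ours = {"aws:SourceVpce": "vpce-0f1e2d3c4b5a69788"}
    print(s3_request_allowed("s3:GetObject", "arn:aws:s3:::corp-data-bucket/report.csv", via_ours))
    print(s3_request_allowed("s3:PutObject", "arn:aws:s3:::attacker-bucket/loot", via_ours))
    print(s3_request_allowed("s3:GetObject", "arn:aws:s3:::corp-data-bucket/report.csv", {}))
```

The same endpoint-policy idea applies to interface endpoints; the bucket-side `aws:SourceVpce` condition is what turns the endpoint from a cost and latency optimisation into a data-exfiltration control.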
2.2 VPC Interface Endpoint
Interface endpoints use AWS PrivateLink to reach AWS services, endpoint services in other accounts, and AWS Marketplace partner services privately from inside the VPC.
- Secure, Private Access: The endpoint is one or more Elastic Network Interfaces (ENIs) with private IP addresses in your subnets. Security groups on those ENIs and an endpoint policy control who may use it, and private DNS makes the service's normal hostname resolve to the endpoint so clients need no code changes.
- Supports Many Services: Most AWS services can be reached through an interface endpoint (PrivateLink).
- Usage is Charged: Billed per hour for each endpoint ENI (one per AZ you deploy it in) and per GB processed.
2.3 PrivateLink
AWS PrivateLink provides private connectivity from VPCs or on-premises networks to AWS services, to your own services in another VPC or account, or to third-party services, without VPC peering, an IGW or a NAT gateway.
- Secure, Private Access: The service appears in the consumer VPC as a private IP address (an interface endpoint). Connections can only be initiated from consumer to provider, the provider exposes the service through a Network Load Balancer or Gateway Load Balancer, and the two VPCs' CIDR blocks may overlap because no routes are exchanged.
- Usage is Charged: The service consumer pays for endpoint hours and data transfer; the provider pays for its load balancer.
2.4 VPC Peering
VPC peering allows you to connect two VPCs in the same or different AWS Regions, and in the same or different accounts; their CIDR blocks must not overlap.
- Simple and Cost-Effective: It is simple and cost-effective for one-to-one VPC connections; there is no hourly charge, only data transfer.
- Non Transitive: Peering is not transitive. If VPC B is peered with VPC A and with VPC C, VPC A and VPC C cannot reach each other through B; they need their own peering connection. Each VPC also needs a route table entry for the peer's CIDR pointing at the peering connection.
- Active Connection Quota 50: The default quota is 50 active VPC peering connections per VPC, adjustable up to 125 on request.
2.5 Transit Gateway
Transit Gateway enables you to connect multiple VPCs and on-premises networks using a hub-and-spoke model.
- Simplifies Complex Networks: The hub-and-spoke architecture supports transitive routing, so it is the recommended option over VPC peering when a larger number of VPCs need to reach each other. Transit Gateway route tables also let you segment traffic, for example letting every spoke reach a shared-services VPC while spokes cannot reach each other.
- Costs More than VPC Peering: Transit Gateway charges per attachment per hour and per GB processed, so it costs more than VPC peering.
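The difference between the non-transitive peering described in 2.4 and Transit Gateway routing in 2.5 is easiest to see on a small topology. The script below is an added example, not code from the original page: it models four VPCs with constructed CIDRs, a peering layout where B is peered with A and C, and a Transit Gateway with a "spoke" route table that only routes to a shared-services VPC and a "shared" route table that routes to every spoke. VPC-side route tables and security groups are assumed to already permit the traffic, so only the inter-VPC topology is modelled.

```python
"""Reachability under VPC peering (non-transitive) versus a Transit Gateway
whose route tables segment spokes from each other.

VPC CIDRs, peering connections and Transit Gateway route tables are constructed
sample data; VPC-side route tables and security groups are assumed to allow
the traffic, so only the inter-VPC topology is modelled.
"""
import ipaddress

VPC_CIDRS = {
    "vpc-a": "10.1.0.0/16",
    "vpc-b": "10.2.0.0/16",
    "vpc-c": "10.3.0.0/16",
    "vpc-shared": "10.0.0.0/16",
}

# Peering: B is peered with both A and C, but A and C have no peering of their own.
PEERINGS = [("vpc-a", "vpc-b"), ("vpc-b", "vpc-c")]

# Transit Gateway: each VPC attachment is associated with exactly one TGW route
# table, and a route table maps destination CIDRs to the attachment to forward to.
TGW_ASSOCIATIONS = {
    "vpc-a": "tgw-rtb-spoke",
    "vpc-b": "tgw-rtb-spoke",
    "vpc-c": "tgw-rtb-spoke",
    "vpc-shared": "tgw-rtb-shared",
}
TGW_ROUTE_TABLES = {
    # spokes only know the shared-services VPC, so spoke-to-spoke traffic is dropped
    "tgw-rtb-spoke": {"10.0.0.0/16": "vpc-shared"},
    # shared services can reach every spoke
    "tgw-rtb-shared": {"10.1.0.0/16": "vpc-a", "10.2.0.0/16": "vpc-b", "10.3.0.0/16": "vpc-c"},
}


def reachable_via_peering(src, dst, peerings):
    """A peering connection carries traffic only between its own two VPCs."""
    return (src, dst) in peerings or (dst, src) in peerings


def tgw_next_hop(route_table, dst_ip):
    """Longest-prefix match over one TGW route table; returns the attachment or None."""
    best = None
    for cidr, attachment in route_table.items():
        net = ipaddress.ip_network(cidr)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, attachment)
    return best[1] if best else None


def reachable_via_tgw(src, dst, associations, route_tables, cidrs):
    """One direction: does src's associated TGW route table forward dst's CIDR to dst?"""
    dst_ip = ipaddress.ip_network(cidrs[dst]).network_address + 10   # any host in dst
    table = route_tables[associations[src]]
    return tgw_next_hop(table, dst_ip) == dst


def tgw_can_connect(src, dst, associations, route_tables, cidrs):
    """A TCP session needs both a forward route and a return route through the TGW."""
    return (reachable_via_tgw(src, dst, associations, route_tables, cidrs)
            and reachable_via_tgw(dst, src, associations, route_tables, cidrs))


if __name__ == "__main__":
    print("peering a->b:", reachable_via_peering("vpc-a", "vpc-b", PEERINGS))
    print("peering a->c:", reachable_via_peering("vpc-a", "vpc-c", PEERINGS))
    for pair in [("vpc-a", "vpc-shared"), ("vpc-a", "vpc-c")]:
        print("tgw", pair, tgw_can_connect(*pair, TGW_ASSOCIATIONS, TGW_ROUTE_TABLES, VPC_CIDRS))
```

The `tgw_can_connect` check is two-directional on purpose: a route in the spoke table towards the shared VPC is useless for a TCP session unless the shared table also has a route back, and forgetting the return route is the usual cause of "it pings one way" problems after a Transit Gateway migration.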
3. Hybrid Network Connectivity
3.1 Site-to-Site VPN
Site-to-Site VPN establishes an encrypted connection between an on-premises network and an AWS VPC (or a Transit Gateway) over the public internet.
- Uses IPsec Protocol: Data crosses the public internet but is encrypted with IPsec. Each VPN connection provides two tunnels terminating on different AWS endpoints; use both (ideally with BGP) rather than relying on one, since AWS may take a tunnel down for maintenance.
- Latency Depends on Internet: Latency and performance depend on internet quality, and each tunnel is limited to about 1.25 Gbps, so it may not be suitable for high-throughput use cases.
3.2 Direct Connect
AWS Direct Connect provides a dedicated, private connection between an on-premises network and AWS Cloud.
- Secure Connection: Avoids the public internet for greater reliability and consistent latency. Note that a Direct Connect link is not encrypted by default: enable MACsec (supported on dedicated 10 Gbps and 100 Gbps connections) or run an IPsec Site-to-Site VPN over the connection if the data must be encrypted in transit.
- High Bandwidth: High-speed, low-latency connections (up to 100 Gbps).
- Dedicated Connection: Requires additional setup time (a physical cross-connect at a Direct Connect location) and a port-hour plus data transfer cost.
4. Remote Client Connectivity
4.1 Client VPN
AWS Client VPN is a managed client-based VPN service that enables you to securely access your AWS resources and resources in your on-premises network.
- Based on OpenVPN: Provides secure access over the internet using the OpenVPN protocol, so any OpenVPN-compatible client works. Clients authenticate with mutual TLS certificates, Active Directory or a SAML identity provider, and authorization rules decide which network CIDRs each user group may reach.
- Performance: Performance depends on user location and internet connectivity.