Connect on-premises network securely to the AWS Cloud

Securely connect on-premises network with AWS Cloud

By default, the instances that we launch into a virtual private cloud (VPC) on AWS cannot communicate with our on-premises network.

We can use AWS Site-to-Site VPN, AWS Direct Connect or AWS Transit Gateway to connect our on-premises network or branch office site to an AWS VPC.

AWS Site-to-Site Virtual Private Network

AWS Site-to-Site VPN is a highly available solution that enables us to securely connect our on-premises network or any local site to our VPC.

AWS Site-to-Site VPN provides two VPN tunnels terminating in different Availability Zones that we can use simultaneously for high availability. We can send primary traffic through the first tunnel and keep the second tunnel for redundancy; if one tunnel goes down, traffic is still delivered to our VPC. If we create a Site-to-Site VPN connection to our VPC, we are charged for each hour that the VPN connection is provisioned and available.

When we create a Site-to-Site VPN connection, we must specify the type of routing that we plan to use and we must update the route table for our subnet.

AWS Site-to-Site VPN supports two types of routing: static and dynamic.

If our VPN device supports Border Gateway Protocol (BGP), we have to specify dynamic routing when we configure our Site-to-Site VPN connection. Dynamic routing uses BGP to advertise routes to the virtual private gateway. Dynamic routing supports a maximum of 100 propagated routes per route table.

If our VPN device does not support BGP, we have to specify static routing. Static routing requires that we specify the routes (IP prefixes) for our network that should be communicated to the virtual private gateway. Static routing supports 50 non-propagated routes per route table by default, up to a maximum of 1,000 non-propagated routes.

BGP offers robust liveness detection that can trigger failover to the second VPN tunnel if the first tunnel goes down. Devices that don't support BGP may also perform their own health checks to drive failover to the second tunnel when needed.
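To turn the two-tunnel and routing points above into something we can monitor, here is an added example (not code from the original post) that audits one VPN connection in the shape returned by `aws ec2 describe-vpn-connections` (`VgwTelemetry`, `Options.StaticRoutesOnly`, `Routes`). The connection data is constructed for illustration; the `DEFAULT_STATIC_ROUTE_LIMIT` of 50 is the default quota quoted above.

```python
# Audit a Site-to-Site VPN connection for the two-tunnel redundancy described above.
# Input follows the shape of `aws ec2 describe-vpn-connections` output
# (VgwTelemetry / Options / Routes). The sample below is constructed, not real data.
from typing import Any

DEFAULT_STATIC_ROUTE_LIMIT = 50  # default non-propagated routes per route table

# Constructed sample: static routing, first tunnel UP, second tunnel DOWN.
SAMPLE_CONNECTION: dict[str, Any] = {
    "VpnConnectionId": "vpn-0example",
    "Options": {"StaticRoutesOnly": True},
    "VgwTelemetry": [
        {"OutsideIpAddress": "203.0.113.10", "Status": "UP",
         "StatusMessage": "", "AcceptedRouteCount": 0},
        {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN",
         "StatusMessage": "IPSEC IS DOWN", "AcceptedRouteCount": 0},
    ],
    "Routes": [{"DestinationCidrBlock": "10.20.0.0/16", "State": "available"}],
}


def assess_vpn_connection(conn: dict[str, Any]) -> dict[str, Any]:
    """Count UP tunnels and list findings; one DOWN tunnel is lost redundancy, not an outage."""
    findings: list[str] = []
    telemetry = conn.get("VgwTelemetry", [])
    up = [t for t in telemetry if t.get("Status") == "UP"]
    for t in telemetry:
        if t.get("Status") != "UP":
            findings.append(f"tunnel {t.get('OutsideIpAddress')} is {t.get('Status')}: "
                            f"{t.get('StatusMessage') or 'no status message'}")
    if not up:
        findings.append("no tunnel is UP: on-premises connectivity is lost")
    elif len(up) == 1:
        findings.append("only one tunnel is UP: no failover path")

    static = bool(conn.get("Options", {}).get("StaticRoutesOnly", False))
    routes = conn.get("Routes", [])
    if static:
        # Static routing: prefixes are entered by hand, so check they exist and fit the default limit.
        if not routes:
            findings.append("static routing selected but no static routes configured")
        if len(routes) > DEFAULT_STATIC_ROUTE_LIMIT:
            findings.append(f"{len(routes)} static routes exceed the default limit of {DEFAULT_STATIC_ROUTE_LIMIT}")
    else:
        # Dynamic (BGP) routing: an UP tunnel that accepted no routes carries no traffic.
        for t in up:
            if t.get("AcceptedRouteCount", 0) == 0:
                findings.append(f"tunnel {t.get('OutsideIpAddress')} is UP but has accepted no BGP routes")
    return {"vpn_connection_id": conn.get("VpnConnectionId"), "tunnels_up": len(up),
            "routing": "static" if static else "dynamic", "findings": findings}
```

In practice the dictionary would come from `boto3`'s `describe_vpn_connections()` on a schedule, and a finding of "only one tunnel is UP" is worth alerting on before the remaining tunnel fails too.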

AWS Direct Connect

AWS Direct Connect (or DX) is another solution for connecting our on-premises network to the AWS global network.

AWS Direct Connect uses open standard 802.1q virtual local area networks (VLANs). We can establish a dedicated, private network connection from our on-premises network to AWS. This private connection can reduce network costs, increase bandwidth throughput, and provide a more consistent network experience than internet-based connections. Dedicated connections are available with 1-Gbps and 10-Gbps capacity.

AWS Direct Connect does not traverse the Internet; instead, it uses dedicated, private network connections between our intranet and Amazon VPC. The link is private but the service does not encrypt the traffic itself, so customers can implement additional security controls by encrypting the traffic that rides the connection with protocols such as TLS/SSL, HTTPS and SSH.

AWS Direct Connect use cases

• Hybrid environments
• Transferring large datasets
• Network performance predictability
• Security and compliance

We can implement highly available connectivity between our data centers and our VPC by coupling one or more DX connections that we use for primary connectivity with a lower-cost backup VPN connection.

AWS Transit Gateway

AWS Transit Gateway is a service that enables us to connect our VPCs and on-premises networks to a single gateway (called a transit gateway).

With AWS Transit Gateway, we only need to manage a single connection from the central gateway into each VPC, on-premises data center, or remote office across our network.

AWS Transit Gateway uses a hub-and-spoke model. This model significantly simplifies management and reduces operational costs because each network only needs to connect to the transit gateway and not to every other network.

Any new VPC is attached to the transit gateway and is then automatically reachable from every other network that is attached to it. This ease of connectivity makes it easier to scale our network as we grow.

We can use AWS Transit Gateway to connect up to 5,000 VPCs and on-premises networks.

Hopefully this gives you a basic idea of how to securely connect an on-premises network with AWS.

Happy Learning 📚

Thank you!
