Computer Networks
Cloud Connectivity
A company grows: offices in three cities, production in AWS, database in Azure (legacy). How do you connect all of this securely with minimal latency? Cloud connectivity is the bridge between on-premises and the cloud.
- **Goldman Sachs** - Direct Connect to multiple regions for low-latency trading
- **Netflix** - Transit Gateway for hundreds of VPCs with microservices
- **Capital One** - hybrid cloud with VPN backup for Direct Connect
Prerequisites
Site-to-Site VPN
**Site-to-Site VPN** is an encrypted IPsec tunnel between your office (on-premises) and the cloud over the public internet. AWS, GCP, and Azure provide managed VPN endpoints - you only need a compatible customer gateway device (a router or firewall that speaks IKE/IPsec) on your end.
Unlike client VPN (for remote employees), Site-to-Site connects entire networks. All devices in the office get access to cloud resources as if they were on the same local network.
**Two tunnels for high availability:** AWS Site-to-Site VPN always creates two IPsec tunnels, terminating on two different AWS endpoints. If one endpoint is under maintenance or fails, traffic flows through the second. This only helps if your customer gateway actually brings up both tunnels; with BGP the routes of a dead tunnel are withdrawn automatically, with static routing your device has to detect the failure itself.
**Limitations of internet-based VPN:**
- **Latency** - depends on your ISP path, typically 20-100 ms
- **Jitter** - latency varies from packet to packet, a problem for VoIP and video
- **Bandwidth** - limited by your internet uplink and by the tunnel itself, about 1.25 Gbps per AWS tunnel (more only by spreading traffic over several tunnels with ECMP on a Transit Gateway)
- **Reliability** - depends on ISP quality; nobody gives you an SLA for the internet path
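The two-tunnel guarantee is only as good as the state of both tunnels on your side, so an operator's first check after "the VPN is up" is "are both tunnels up, and will failover be automatic?". The following is an added example, not code from the original page: it evaluates the JSON shape returned by `aws ec2 describe-vpn-connections` (the `VgwTelemetry` and `Options.StaticRoutesOnly` fields are real AWS output fields; the sample document, connection IDs and addresses below are constructed, not captured from a real account).

```python
"""Flag Site-to-Site VPN connections that have lost their redundancy.

Added example; not from the original page. Parses the JSON shape of
`aws ec2 describe-vpn-connections`. The sample below is constructed.
"""
import json

# Constructed sample: two VPN connections in a made-up account.
# The first is healthy; the second has one tunnel down and uses static routes.
SAMPLE_DESCRIBE_VPN_CONNECTIONS = json.dumps({
    "VpnConnections": [
        {
            "VpnConnectionId": "vpn-0a1b2c3d4e5f60001",
            "State": "available",
            "Options": {"StaticRoutesOnly": False},
            "VgwTelemetry": [
                {"OutsideIpAddress": "198.51.100.10", "Status": "UP", "StatusMessage": ""},
                {"OutsideIpAddress": "198.51.100.11", "Status": "UP", "StatusMessage": ""},
            ],
        },
        {
            "VpnConnectionId": "vpn-0a1b2c3d4e5f60002",
            "State": "available",
            "Options": {"StaticRoutesOnly": True},
            "VgwTelemetry": [
                {"OutsideIpAddress": "203.0.113.20", "Status": "UP", "StatusMessage": ""},
                {"OutsideIpAddress": "203.0.113.21", "Status": "DOWN",
                 "StatusMessage": "IPSEC IS DOWN"},
            ],
        },
    ]
})


def assess_vpn_connections(describe_output: str) -> dict:
    """Return {vpn_id: [findings]} for every connection; an empty list means healthy.

    Findings:
      - 'single tunnel up': fewer than two tunnels report UP, so the next
                            endpoint maintenance takes the office offline.
      - 'static routing'  : StaticRoutesOnly is set; without BGP the customer
                            gateway must detect the dead tunnel by itself.
    """
    data = json.loads(describe_output)
    report = {}
    for conn in data.get("VpnConnections", []):
        findings = []
        telemetry = conn.get("VgwTelemetry", [])
        up = [t for t in telemetry if t.get("Status") == "UP"]
        if len(up) < 2:
            down = [t["OutsideIpAddress"] for t in telemetry if t.get("Status") != "UP"]
            findings.append(f"single tunnel up (down: {', '.join(down) or 'none listed'})")
        if conn.get("Options", {}).get("StaticRoutesOnly"):
            findings.append("static routing (no BGP failover)")
        report[conn["VpnConnectionId"]] = findings
    return report


def connections_at_risk(describe_output: str) -> list:
    """IDs of connections with at least one finding, sorted for stable output."""
    return sorted(vpn for vpn, f in assess_vpn_connections(describe_output).items() if f)


if __name__ == "__main__":
    for vpn_id, findings in assess_vpn_connections(SAMPLE_DESCRIBE_VPN_CONNECTIONS).items():
        status = "; ".join(findings) if findings else "OK: two tunnels up, BGP"
        print(f"{vpn_id}: {status}")
```

In practice you would feed the real command output into `assess_vpn_connections` on a schedule; a connection that sits at "single tunnel up" for days is a VPN that is one maintenance window away from an outage, even though every dashboard shows it as "available".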
Why does AWS VPN create two IPsec tunnels instead of one?
Direct Connect / ExpressRoute
**Direct Connect** (AWS) / **ExpressRoute** (Azure) / **Cloud Interconnect** (GCP) is a dedicated physical connection between your data center and the cloud, bypassing the public internet. A cable runs from your equipment to the cloud provider's point of presence.
Imagine: instead of driving on a shared road (the internet), you build a personal bridge directly to AWS. Expensive, but guaranteed speed and latency.
**Direct Connect does not encrypt traffic by default!** It is a dedicated circuit, not an encrypted one: anyone with access to the cross-connect or to the partner's network along the path can read the traffic. For sensitive data add encryption on top: MACsec (Layer 2 encryption, offered on 10 and 100 Gbps dedicated connections) or an IPsec VPN running over the Direct Connect connection. Neither replaces TLS at the application layer.
**Direct Connect options:**
- **Dedicated Connection** - a physical 1, 10 or 100 Gbps port dedicated to you
- **Hosted Connection** - an AWS Direct Connect Partner shares part of its port with you (50 Mbps to 10 Gbps)
- **Direct Connect Gateway** - one DX connection to many VPCs in different regions
What is the main advantage of Direct Connect over VPN?
VPC Peering
**VPC Peering** is a connection between two VPCs that lets traffic flow directly over the internal AWS network using private IP addresses. Without peering (or a hub such as a Transit Gateway), traffic between VPCs would have to go over the internet through public endpoints.
Peering acts like a virtual cable between VPCs. Traffic never leaves the AWS network, which gives low latency and removes the internet exposure; security groups and network ACLs still apply on both sides, and in the same region a security group rule can even reference a security group in the peered VPC. VPCs can be in different regions (inter-region peering) or in different AWS accounts.
**Non-transitive:** VPC Peering is not transitive. If A↔B and B↔C, A CANNOT communicate with C through B. You need a separate peering A↔C or a Transit Gateway.
**VPC Peering limitations:**
- VPC CIDR blocks must not overlap
- Not transitive (full mesh required for N VPCs)
- Default quota of 50 active peering connections per VPC, adjustable up to 125
- No edge-to-edge routing: a peer cannot reach your VPN, Direct Connect, internet gateway or NAT gateway through the peering
If VPC-A is peered with VPC-B, and VPC-B is peered with VPC-C, can VPC-A communicate with VPC-C?
Transit Gateway
**Transit Gateway (TGW)** is a regional hub for connecting VPCs, VPNs, and Direct Connect. Instead of full mesh peering (N×(N-1)/2 connections), all VPCs connect to a single TGW.
Imagine: instead of connecting every house to every other house with a cable, all houses connect to a single telephone exchange. Transit Gateway is the central exchange for your cloud network.
**Transit Gateway Routing:** TGW has its own route tables. You can segment traffic - for example, production VPCs can't see development VPCs, even though all are connected to the same TGW.
**When to use what:**
- **VPC Peering** - 2-3 VPCs, simple requirements, minimal cost (no hourly charge, you pay data transfer only)
- **Transit Gateway** - many VPCs, hybrid connectivity, complex segmentation (hourly charge per attachment plus data processing)
- **Transit Gateway + RAM** - multi-account architectures: share one TGW with the accounts of your AWS Organization through AWS Resource Access Manager
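The two rules that trip people up are that peering is not transitive and that Transit Gateway isolation comes from route tables, not from attachments. The model below is an added example, not code from the original page; the VPC names, CIDRs, peering list and route-table layout are constructed for illustration. It computes which VPC pairs can exchange traffic under a peering design and under a TGW design, and rejects a peering between overlapping CIDRs the way AWS would.

```python
"""Which VPC pairs can talk? Peering mesh vs Transit Gateway route tables.

Added example; not from the original page. All names, CIDRs and the
route-table layout are constructed for illustration.
"""
import ipaddress
from itertools import combinations

# Constructed topology: five VPCs, two environments.
VPCS = {
    "prod-web": "10.0.0.0/16",
    "prod-db":  "10.1.0.0/16",
    "shared":   "10.2.0.0/16",
    "dev-web":  "10.3.0.0/16",
    "dev-db":   "10.3.128.0/17",   # overlaps dev-web: peering must refuse this
}

# Peering design: explicit links only. Note that prod-web <-> shared is NOT
# in the list, so it must not come out as reachable (no transit via prod-db).
PEERINGS = [("prod-web", "prod-db"), ("prod-db", "shared"),
            ("shared", "dev-web"), ("dev-web", "dev-db")]


def cidr_overlap_pairs(vpcs):
    """Pairs of VPCs whose CIDRs overlap; AWS rejects a peering between them."""
    nets = {name: ipaddress.ip_network(c) for name, c in vpcs.items()}
    return sorted((a, b) for a, b in combinations(sorted(nets), 2)
                  if nets[a].overlaps(nets[b]))


def peering_reachable(vpcs, peerings):
    """(reachable pairs, rejected peerings) under VPC Peering.

    Peering is not transitive: a pair is reachable only if a peering exists
    between exactly those two VPCs, so no graph traversal is done on purpose.
    """
    overlapping = set(cidr_overlap_pairs(vpcs))
    reach, rejected = set(), []
    for a, b in peerings:
        pair = tuple(sorted((a, b)))
        if pair in overlapping:
            rejected.append(pair)
        else:
            reach.add(pair)
    return reach, rejected


# TGW design: every VPC attaches to the hub. Each attachment is associated
# with exactly one route table and propagates its CIDR into the tables listed.
# dev-db is left out here because its CIDR clashes with dev-web.
TGW_ATTACHMENTS = {
    "prod-web": {"associated": "rt-prod",   "propagate_to": ["rt-prod", "rt-shared"]},
    "prod-db":  {"associated": "rt-prod",   "propagate_to": ["rt-prod", "rt-shared"]},
    "dev-web":  {"associated": "rt-dev",    "propagate_to": ["rt-dev", "rt-shared"]},
    "shared":   {"associated": "rt-shared", "propagate_to": ["rt-prod", "rt-dev", "rt-shared"]},
}


def tgw_reachable(attachments):
    """Reachable pairs under a Transit Gateway.

    Traffic from X is looked up in X's associated route table and reaches Y
    only if Y propagated a route into that table. The reply is looked up in
    Y's table, so both directions must hold. This is how prod and dev stay
    isolated while both can reach 'shared'.
    """
    def can_send(src, dst):
        return attachments[src]["associated"] in attachments[dst]["propagate_to"]

    return {(a, b) for a, b in combinations(sorted(attachments), 2)
            if can_send(a, b) and can_send(b, a)}


if __name__ == "__main__":
    print("Overlapping CIDRs:", cidr_overlap_pairs(VPCS))
    reach, rejected = peering_reachable(VPCS, PEERINGS)
    print("Peering reach:", sorted(reach), "rejected:", rejected)
    print("TGW reach:", sorted(tgw_reachable(TGW_ATTACHMENTS)))
```

Running it shows the two points side by side: under peering, prod-web cannot reach shared even though both are peered with prod-db, and the dev-web/dev-db peering is rejected; under the TGW, prod-web does reach shared through the hub, while every prod/dev pair stays unreachable because neither propagates into the other's route table.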
**Misconception:** VPN over the internet is sufficient for enterprise workloads.
**Reality:** For critical applications you need Direct Connect, with encryption (IPsec over the DX connection or MACsec) on top, because Direct Connect by itself does not encrypt.
VPN over the internet has unpredictable latency and jitter. Direct Connect gives you a dedicated circuit with predictable latency. Financial systems, real-time analytics, and VoIP require a stability that the public internet cannot guarantee.
What problem does Transit Gateway solve compared to VPC Peering?
Key Takeaways
- **Site-to-Site VPN** - fast setup over the internet, but unpredictable latency
- **Direct Connect** - dedicated 1-100 Gbps channel, low latency, but expensive and slow to provision
- **VPC Peering** - direct VPC connection, but non-transitive (full mesh required)
- **Transit Gateway** - hub for VPCs, VPN, DX; O(N) instead of O(N²) connections
- **Hybrid approach** - Direct Connect as primary, VPN as backup
Related Topics
Cloud connectivity builds on VPC concepts and VPN technologies:
- Cloud Networking: VPC — VPC is the foundation for all connectivity types
- VPN Concepts — Site-to-Site VPN uses IPsec tunnels
Questions for Reflection
- What type of connectivity would you choose for connecting an office of 50 people to an AWS VPC?
- When is VPC Peering preferable to Transit Gateway despite its limitations?
- How would you design a backup for a Direct Connect connection?