Understanding AWS Direct Connect vs Internet VPN

We recently held a webinar with Adam Blackington from Amazon Web Services on increasing the value of data in motion. The point of the webinar was to illustrate that the connectivity you choose between your cloud providers, colocation data centers, and enterprise SaaS makes a difference in how much value you can derive from application and data workflows. As part of this webinar, we covered the different ways to connect to your Amazon VPCs and AWS services. We looked at the benefits of partner-hosted AWS Direct Connect connections. And our Director of Technical Marketing, Keith Burns, demonstrated a huge difference in Kafka throughput when using PacketFabric private connectivity vs VPN tunnels.

So, in this blog post, besides recapping details of what we covered during the webinar, it’s a good opportunity to compare two common ways to get private network connections to and between virtual private clouds: Direct Connect vs public Internet VPNs.

The Value of Data in Motion

The webinar kicked off looking at how enterprise application and data workflows are now flowing across a hybrid and multi-cloud core that consists of on-premises colocation-based data centers, public cloud service providers like Amazon, Azure, GCP, IBM, and Oracle, and enterprise SaaS like Salesforce and Webex.

PacketFabric CMO Alex Henthorn-Iwane discussed various use cases that illustrate this cloud core concept. These fall into two major categories. The first is application workflows. One example is payment processing, which often runs on a hybrid or multi-cloud basis, with issuer versus merchant payments processed in different providers to avoid concentration risk. More broadly, many applications and transactional systems require services to communicate with low latency across data centers, cloud and SaaS providers, and even geographically disparate regions within a single provider.

The other major category of use cases involves data transfers. Examples include content replication, database synchronization, backup and disaster recovery, and origin server to CDN content pulls.

In all of these cases, the demands to move higher volumes with lower latency and faster throughput are only growing. As Alex quipped, “Nobody in IT is being asked to make things run slower!”

Hybrid Cloud: VPN Connections vs Direct Connect

During the webinar, Adam discussed options for connecting to AWS. Let’s spell out the hybrid cloud scenario. You have an on-premises data center hosted in a colocation facility. You want to set up private network connectivity from there, in a secure fashion, to your AWS cloud services, such as EC2 instances in an AWS region.

The first option is to set up a virtual private gateway (VGW) as the endpoint for site-to-site VPN connectivity over the Internet between your AWS VPCs and your on-premises network (we’ll skip over AWS CloudHub and VPC peering topics, but you can read more about them here). You configure an IPsec VPN tunnel from the VGW to a virtual interface (VIF) IP address on your on-premises router, then set up BGP peering.

The second option is to configure either a Direct Connect Gateway (DGW) or Transit Gateway (TGW) and use a private virtual interface to connect your VGWs to the dedicated network connection port in a Direct Connect location. That port in turn either cross-connects directly to your colocation-based data center, or reaches it via a WAN service. Choosing between topologies built with DGW or TGW hinges on your routing requirements, such as the size of your BGP route table and the need for overlapping CIDR/private IP blocks.
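To make the two topologies concrete, here is an added Terraform sketch of option 1 (VGW-terminated IPsec VPN with BGP) and option 2 (Direct Connect Gateway with a private virtual interface). It is not from the webinar, PacketFabric or AWS; every identifier in it is an assumption: the VPC, route table and Direct Connect connection IDs are placeholders, the ASNs are private-range values chosen for illustration, and the on-premises router address comes from the TEST-NET documentation range.

```hcl
# Added illustrative Terraform; not code from the post, PacketFabric or AWS.
# All IDs, ASNs and addresses below are placeholders; replace before use.

# --- Option 1: site-to-site IPsec VPN over the Internet, terminated on a VGW ---

resource "aws_vpn_gateway" "vgw" {
  vpc_id          = "vpc-0123456789abcdef0" # placeholder VPC id
  amazon_side_asn = 64512                    # private ASN on the AWS side
}

# The "customer gateway" is the on-premises router the tunnel lands on.
resource "aws_customer_gateway" "onprem" {
  bgp_asn    = 65000          # placeholder ASN of the on-premises router
  ip_address = "203.0.113.10" # placeholder public IP (TEST-NET-3 range)
  type       = "ipsec.1"
}

resource "aws_vpn_connection" "s2s" {
  vpn_gateway_id      = aws_vpn_gateway.vgw.id
  customer_gateway_id = aws_customer_gateway.onprem.id
  type                = "ipsec.1"
  static_routes_only  = false # exchange routes over BGP instead of static routes
}

# Let routes learned over the tunnels propagate into the VPC route table.
resource "aws_vpn_gateway_route_propagation" "vpn" {
  vpn_gateway_id = aws_vpn_gateway.vgw.id
  route_table_id = "rtb-0123456789abcdef0" # placeholder route table id
}

# --- Option 2: Direct Connect private VIF through a Direct Connect Gateway ---

resource "aws_dx_gateway" "dxgw" {
  name            = "hybrid-dxgw"
  amazon_side_asn = "64513" # private ASN, distinct from the VGW's
}

# The private VIF rides on a Direct Connect connection ("dxcon-...") whose
# port is cross-connected to the colocation data center or a WAN service.
resource "aws_dx_private_virtual_interface" "onprem" {
  connection_id  = "dxcon-placeholder0" # placeholder Direct Connect connection id
  name           = "onprem-private-vif"
  vlan           = 101                  # placeholder VLAN tag on the DX port
  address_family = "ipv4"
  bgp_asn        = 65000                # placeholder on-premises ASN
  dx_gateway_id  = aws_dx_gateway.dxgw.id
}

# Associate the VGW (and hence its VPC) with the Direct Connect Gateway.
resource "aws_dx_gateway_association" "vgw" {
  dx_gateway_id         = aws_dx_gateway.dxgw.id
  associated_gateway_id = aws_vpn_gateway.vgw.id
}
```

For a partner-hosted connection the provider creates the VIF on your behalf and you accept it in your account (`aws_dx_hosted_private_virtual_interface_accepter`) instead of declaring `aws_dx_private_virtual_interface` yourself; the Direct Connect Gateway and association resources stay the same. A private VIF reaches resources inside the associated VPCs only; public AWS service endpoints need a public VIF.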

Direct Connect Advantages Over VPN

AWS Managed VPNs offer private connectivity, but what they don’t offer is low latency or a consistent network experience, since the Internet is a shared network, and unpredictable as a transport underlay. And Internet VPN connectivity isn’t very scalable, since VPN tunnels are limited to a maximum bandwidth of 1.25 Gbps.

Direct Connect helps on these fronts. You can get highly scalable connections, up to 100 Gbps. Since the connections are private, you get higher and more consistent network performance and greater inherent security in accessing your AWS resources. Furthermore, Direct Connect is an SLA-backed service thanks to its higher redundancy, so you get greater reliability, plus privacy for compliance or security purposes.

There’s an additional economic benefit. With site-to-site VPN, as you scale bandwidth consumption, you’re exposed to higher and more unpredictable egress charges. By comparison, Direct Connect offers lower and more predictable egress charges. So moving to Direct Connect can lead to significant savings.

Why Use Partner-Hosted Direct Connect

Adam also covered why partner-hosted Direct Connect is a great option. First of all, what is a Hosted Direct Connect? Essentially, it’s where a provider like PacketFabric has pre-configured ports on AWS edge devices, and where you can automatically create virtual circuit connections through that port.

There are a number of reasons to utilize partner-hosted Direct Connect. The first is that you get more granular bandwidth options. The minimum bandwidth for the AWS Direct Connect service is 10 Gbps. With partner-hosted Direct Connect, you can start at sub-10G speeds, which means that you can also take advantage of more flexible pricing options for varying bandwidth levels.

A second reason to use partner-hosted Direct Connect is that you can get your connectivity established much faster. With PacketFabric, if you’ve already got a port in one of our PoPs, you can provision in around ten minutes.

But there’s another really good reason, which is reach. What if your data center is in a colocation facility that isn’t a Direct Connect location? The good news is that if you’ve already got an Ethernet port in a PacketFabric PoP, you can simply set up a VLAN from your data center and map it to a private Ethernet Virtual Private Line (EVPL) across our carrier-class, low-latency, failover-protected network and get to one of our AWS Direct Connect on-ramps close to the AWS regional data center where your VPCs are hosted. Easy!

The Dedicated AWS Direct Connect Option

While partner-hosted Direct Connect is super easy and fast, sometimes 10G just isn’t enough. With PacketFabric, you can also get dedicated AWS Direct Connect (and GCP) ports with link aggregation group support, up to 100G. Learn more about hosted versus dedicated cloud connections. Even though you can get a Direct Connect connection directly from AWS, many PacketFabric customers choose to connect via our network because it allows them to manage many different types of connectivity, including multi-cloud connections and data center interconnection, from a single portal and vendor. In addition, with PacketFabric, you can contract on a monthly basis for all these services, giving you tremendous flexibility to change your network as requirements shift over time.

Bandwidth is Good. Throughput is Better.

During the webinar, our Technical Marketing Director Keith Burns illustrated the performance benefits of using PacketFabric hosted Direct Connect versus the Internet by running a comparison of Kafka streaming throughput over an Internet VPN and over PacketFabric hosted cloud connectivity (via our Cloud Router) between AWS and Azure. The difference is eye-opening: the PacketFabric connectivity delivered 225% throughput versus the Internet VPN. Check out the webinar or this shorter demo video to see more details.

Learn More, and Get Started

If you’d like to understand how PacketFabric cloud connectivity works, check out our knowledge base. If you’re ready to get started, request a demo or just register a self-service account.