5.2 VPC Connectivity — Peering, Transit Gateway, and Direct Connect
Key Takeaways
- VPC peering connects two VPCs privately with no single point of failure, but it is NOT transitive — each pair needs its own peering connection.
- AWS Transit Gateway is a hub-and-spoke network that connects thousands of VPCs, on-premises networks, and other Transit Gateways with centralized routing.
- AWS Direct Connect provides a dedicated private network connection from on-premises to AWS with consistent low latency and high bandwidth.
- AWS Site-to-Site VPN provides encrypted connectivity over the public internet — faster to set up than Direct Connect but with variable performance.
- For many VPCs (>3-4), Transit Gateway is more cost-effective and manageable than full-mesh VPC peering.
Quick Answer: VPC Peering = simple, free data transfer within same AZ, no transitive routing. Transit Gateway = hub connecting thousands of VPCs and on-premises (transitive). Direct Connect = dedicated private link (1-100 Gbps, consistent latency). Site-to-Site VPN = encrypted tunnel over internet (quick setup, variable performance).
VPC Peering
VPC Peering creates a private network connection between two VPCs.
| Feature | Detail |
|---|---|
| Transitive? | NO — each pair needs its own peering connection |
| Cross-Region | Yes (inter-Region peering) |
| Cross-Account | Yes |
| CIDR overlap | Cannot peer VPCs with overlapping CIDR blocks |
| Cost | Free within same AZ; cross-AZ/cross-Region incurs data transfer charges |
| Bandwidth | No bandwidth limit |
VPC Peering Limitations
The main limitation is that peering is NOT transitive:
- If VPC-A peers with VPC-B, and VPC-B peers with VPC-C, VPC-A cannot talk to VPC-C through VPC-B
- For full connectivity, VPC-A must also peer directly with VPC-C
- This becomes unmanageable with many VPCs (n VPCs need n*(n-1)/2 peering connections)
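The following is an added example, not part of the study guide, that models the two peering rules above: overlapping CIDR blocks cannot be peered, and a chain of peerings (A-B, B-C) does not give A a path to C. All VPC names, CIDRs and peering connections are constructed sample data.

```python
import ipaddress

# Constructed sample VPCs (hypothetical IDs and CIDR blocks)
VPCS = {
    "vpc-a": "10.0.0.0/16",
    "vpc-b": "10.1.0.0/16",
    "vpc-c": "10.2.0.0/16",
    "vpc-d": "10.0.128.0/17",  # overlaps with vpc-a, so AWS will never peer them
}

# Constructed peering connections: A<->B and B<->C exist, A<->C does not
PEERINGS = {frozenset({"vpc-a", "vpc-b"}), frozenset({"vpc-b", "vpc-c"})}

def can_peer(vpc1, vpc2, vpcs=VPCS):
    """AWS rejects a peering request when the two VPC CIDR blocks overlap."""
    n1, n2 = ipaddress.ip_network(vpcs[vpc1]), ipaddress.ip_network(vpcs[vpc2])
    return not n1.overlaps(n2)

def reachable(src, dst, peerings=PEERINGS):
    """Peering is not transitive: traffic flows only over a direct peering."""
    return frozenset({src, dst}) in peerings

def missing_peerings(peerings=PEERINGS):
    """Pairs joined by a chain of peerings but lacking a direct one. Their traffic
    is silently unroutable, so these are the links a full mesh still needs."""
    neighbours = {}
    for pair in peerings:
        a, b = tuple(pair)
        neighbours.setdefault(a, set()).add(b)
        neighbours.setdefault(b, set()).add(a)
    missing = set()
    for start in neighbours:  # breadth-first walk over the peering graph
        seen, queue = {start}, [start]
        while queue:
            node = queue.pop(0)
            for nxt in neighbours[node]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        for other in seen - {start}:
            if not reachable(start, other, peerings):
                missing.add(frozenset({start, other}))
    return missing

if __name__ == "__main__":
    print("A->C through B:", reachable("vpc-a", "vpc-c"))        # False
    print("missing:", [sorted(p) for p in missing_peerings()])   # [['vpc-a', 'vpc-c']]
    print("A can peer D:", can_peer("vpc-a", "vpc-d"))           # False
```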
AWS Transit Gateway
Transit Gateway is a network transit hub that connects VPCs, on-premises networks, VPN connections, and other Transit Gateways.
| Feature | Detail |
|---|---|
| Connectivity | Hub-and-spoke model — all VPCs connect to Transit Gateway |
| Transitive | YES — all attached networks can communicate through Transit Gateway |
| Scale | Thousands of VPCs per Transit Gateway |
| Cross-Region | Transit Gateway peering between Regions |
| Cross-Account | Share via AWS RAM (Resource Access Manager) |
| Bandwidth | Up to 50 Gbps per attachment |
| Route tables | Multiple route tables for segmentation |
| Cost | Per hour per attachment + per GB data processed |
When to Use Transit Gateway vs. VPC Peering
| Scenario | Best Option |
|---|---|
| 2-3 VPCs that need to communicate | VPC Peering (simpler, cheaper) |
| 10+ VPCs needing communication | Transit Gateway (hub-and-spoke) |
| VPCs + on-premises connectivity | Transit Gateway + VPN/Direct Connect |
| Simple point-to-point connection | VPC Peering |
| Complex routing, segmentation | Transit Gateway with route tables |
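The following is an added example, not part of the study guide, that models how multiple Transit Gateway route tables give segmentation: each attachment is associated with one route table, and prod and dev both reach a shared-services VPC without being able to reach each other. Attachment names, CIDRs and the route-table contents (written out as the propagations would populate them) are constructed assumptions.

```python
import ipaddress

# Constructed attachments: name -> CIDR that attachment advertises
ATTACHMENTS = {
    "prod-vpc": "10.10.0.0/16",
    "dev-vpc": "10.20.0.0/16",
    "shared-vpc": "10.30.0.0/16",
    "onprem-vpn": "192.168.0.0/16",
}

# TGW route tables: name -> {CIDR: target attachment}. Prod and dev tables only
# learn shared services (and, for prod, on-prem); the shared table learns everything.
ROUTE_TABLES = {
    "prod-rt": {"10.30.0.0/16": "shared-vpc", "192.168.0.0/16": "onprem-vpn"},
    "dev-rt": {"10.30.0.0/16": "shared-vpc"},
    "shared-rt": {cidr: att for att, cidr in ATTACHMENTS.items()},
}

# Association: every attachment is associated with exactly one TGW route table
ASSOCIATION = {
    "prod-vpc": "prod-rt", "dev-vpc": "dev-rt",
    "shared-vpc": "shared-rt", "onprem-vpn": "shared-rt",
}

def lookup(route_table, dst_ip):
    """Longest-prefix match; None means the TGW has no route and drops the packet."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in ROUTE_TABLES[route_table].items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def forwards_to(src_attachment, dst_ip):
    """A packet entering from an attachment is looked up in that attachment's table."""
    return lookup(ASSOCIATION[src_attachment], dst_ip)

def can_reach(src, dst):
    """Two-way check: both the forward path and the return path need a route."""
    src_ip = str(next(ipaddress.ip_network(ATTACHMENTS[src]).hosts()))
    dst_ip = str(next(ipaddress.ip_network(ATTACHMENTS[dst]).hosts()))
    return forwards_to(src, dst_ip) == dst and forwards_to(dst, src_ip) == src

if __name__ == "__main__":
    print("prod -> shared:", can_reach("prod-vpc", "shared-vpc"))  # True
    print("prod -> dev:", can_reach("prod-vpc", "dev-vpc"))        # False
    print("onprem -> dev:", can_reach("onprem-vpn", "dev-vpc"))    # False (no return route)
```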
AWS Direct Connect
Direct Connect provides a dedicated, private network connection from your premises to AWS.
| Feature | Detail |
|---|---|
| Bandwidth | 1 Gbps, 10 Gbps, or 100 Gbps (dedicated connections) |
| Hosted connections | Through partners at 50 Mbps - 10 Gbps, including sub-1 Gbps capacities |
| Latency | Consistent, lower than internet |
| Encryption | NOT encrypted by default (add VPN on top for encryption) |
| Setup time | Weeks to months (physical connection) |
| Redundancy | Single connection = single point of failure; use 2 connections for HA |
| Virtual Interfaces | Public VIF (AWS public services), Private VIF (VPC), Transit VIF (Transit Gateway) |
Direct Connect + VPN for Encryption
Direct Connect traffic is private but NOT encrypted. For encryption:
- Establish Direct Connect connection
- Create a VPN connection over the Direct Connect link
- This provides both the bandwidth/consistency of Direct Connect AND encryption
AWS Site-to-Site VPN
| Feature | Detail |
|---|---|
| Encryption | IPsec encrypted tunnel |
| Over | Public internet |
| Setup time | Minutes (software configuration) |
| Bandwidth | Up to 1.25 Gbps per tunnel (2 tunnels per connection) |
| Latency | Variable (internet routing) |
| Cost | $0.05/hour per VPN connection + data transfer |
| HA | Two tunnels to different AZs |
Connectivity Comparison
| Feature | VPC Peering | Transit Gateway | Direct Connect | Site-to-Site VPN |
|---|---|---|---|---|
| Type | VPC-to-VPC | Hub-and-spoke | Dedicated link | IPsec over internet |
| Transitive | No | Yes | N/A | N/A |
| Bandwidth | Unlimited | 50 Gbps/attachment | 1-100 Gbps | 1.25 Gbps/tunnel |
| Setup | Minutes | Minutes | Weeks-months | Minutes |
| Encrypted | Yes (in-transit) | Yes (in-transit) | No (add VPN) | Yes (IPsec) |
| Cost | Data transfer only | Per attachment + data | Port fee + data | Per hour + data |
On the Exam: "Connect 50 VPCs and on-premises with centralized routing" → Transit Gateway. "Dedicated private connection with consistent latency" → Direct Connect. "Quick encrypted connection to AWS" → Site-to-Site VPN.
A company has 20 VPCs that all need to communicate with each other and with an on-premises data center. Which networking solution provides the SIMPLEST architecture?
A company needs a dedicated, private network connection from their data center to AWS with consistent low latency. What should they use?
AWS Direct Connect does NOT provide encryption by default. How can you add encryption to a Direct Connect connection?