VPC Connectivity — Concept
How to connect VPCs to each other, to other accounts, and to specific services privately.
VPC Peering
- 1:1 connection between two VPCs (same or different accounts/regions).
- Non-transitive — A↔B and B↔C do NOT give A↔C.
- CIDR ranges must not overlap.
- Update route tables in both VPCs to reach the peer.
- Cheap, point-to-point. Becomes a mess at scale.
Transit Gateway (TGW)
- Regional hub that connects many VPCs, VPNs, Direct Connect Gateways, and even peer TGWs in other regions.
- Transitive routing — every attachment can reach others via TGW route tables.
- Use when you have 10+ VPCs or a hub-and-spoke topology.
- A TGW route table per attachment lets you segment traffic (e.g. prod / dev / shared services).
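Added example (not AWS code, and not from the original notes): a small route-table simulation with constructed CIDRs and IDs that shows both rules above, peering delivering only into the directly peered VPC's CIDR, and TGW route tables per attachment giving transitive reach while keeping dev and prod apart.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (hypothetical CIDRs, IDs and names; not from any real account).
VPC_CIDR = {"A": "10.0.0.0/16", "B": "10.1.0.0/16", "C": "10.2.0.0/16",
            "prod": "10.10.0.0/16", "dev": "10.20.0.0/16", "shared": "10.30.0.0/16"}

# VPC route tables: destination CIDR -> target (peering connection or the TGW).
VPC_ROUTES = {
    "A": {"10.1.0.0/16": "pcx-ab"},
    "B": {"10.0.0.0/16": "pcx-ab", "10.2.0.0/16": "pcx-bc"},
    "C": {"10.1.0.0/16": "pcx-bc"},
    "prod": {"10.0.0.0/8": "tgw"}, "dev": {"10.0.0.0/8": "tgw"}, "shared": {"10.0.0.0/8": "tgw"},
}
PEERINGS = {"pcx-ab": ("A", "B"), "pcx-bc": ("B", "C")}

# TGW segmentation: one TGW route table per attachment. prod and dev each see only
# themselves plus shared services; shared sees everyone.
TGW_ASSOC = {"prod": "rt-prod", "dev": "rt-dev", "shared": "rt-shared"}
TGW_ROUTES = {
    "rt-prod": {"10.10.0.0/16": "prod", "10.30.0.0/16": "shared"},
    "rt-dev": {"10.20.0.0/16": "dev", "10.30.0.0/16": "shared"},
    "rt-shared": {"10.10.0.0/16": "prod", "10.20.0.0/16": "dev", "10.30.0.0/16": "shared"},
}

def lookup(table, dst):
    """Longest-prefix match, the way a VPC or TGW route table is evaluated."""
    matches = [(ip_network(c), t) for c, t in table.items() if dst in ip_network(c)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def reachable(src, dst_ip):
    dst = ip_address(dst_ip)
    if dst in ip_network(VPC_CIDR[src]):
        return True                                  # implicit "local" route
    target = lookup(VPC_ROUTES[src], dst)
    if target is None:
        return False                                 # no route in the VPC route table
    if target.startswith("pcx-"):
        a, b = PEERINGS[target]
        peer = b if a == src else a
        # A peering only delivers into the peer VPC's own CIDR; never forwarded onward.
        return dst in ip_network(VPC_CIDR[peer])
    if target == "tgw":
        hop = lookup(TGW_ROUTES[TGW_ASSOC[src]], dst)  # table bound to src attachment
        return hop is not None and dst in ip_network(VPC_CIDR[hop])
    return False
```

Adding a route for C's CIDR to A's table pointing at pcx-ab still fails, which is exactly the non-transitivity that pushes large estates toward a TGW.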
PrivateLink (Interface VPC Endpoint)
- Exposes a service (yours or AWS's) as an ENI with private IP in your VPC.
- Traffic stays on AWS backbone (no internet).
- Producer side: NLB-backed VPC Endpoint Service.
- Consumer side: Interface Endpoint that connects to the service.
- Used by SaaS vendors to expose services to customer VPCs without VPC peering / IP-overlap pain.
Gateway Endpoint
- Free, route-table-based.
- Only for S3 and DynamoDB.
- Lets private subnets reach those services without NAT.
Comparison (very common exam question)
| Need | Choice |
|---|---|
| 2 VPCs talking, simple | VPC Peering |
| Many VPCs + on-prem in a region | Transit Gateway |
| Cross-region many-VPC mesh | TGW peering (or Cloud WAN) |
| One service consumed from many VPCs | PrivateLink (Interface Endpoint) |
| Private access to S3 / DynamoDB | Gateway Endpoint |
| Private access to most AWS APIs | Interface Endpoint (PrivateLink) |
VPN (Site-to-Site VPN)
- IPsec tunnel from on-prem Customer Gateway (CGW) → AWS Virtual Private Gateway (VGW) or TGW.
- Two tunnels per connection (HA).
- Encrypted over public internet. Throughput ~1.25 Gbps per tunnel.
- Quick to set up, but limited bandwidth and unpredictable internet latency.
AWS Direct Connect (DX)
- Dedicated physical link (1/10/100 Gbps) from your DC/colo to an AWS DX location.
- Private connectivity, predictable latency, often cheaper at scale.
- Sub-types:
  - Dedicated = your own physical port.
  - Hosted = partner-provided slice.
- Takes weeks to provision (cable install).
- VIF types:
  - Private VIF → reach VPCs (via VGW or DX Gateway).
  - Public VIF → reach AWS public services (S3, DynamoDB) over the DX link instead of the internet.
  - Transit VIF → connect to a TGW via DX Gateway (reach many VPCs / regions).
- Add an IPsec VPN over DX for encryption.
DX Gateway
- Lets one Direct Connect reach multiple VPCs in multiple regions through their VGWs or a TGW.
Hybrid pattern (memorize)
DX as primary for bandwidth + predictability, VPN as failover over the internet.
Common exam scenarios
- "15 VPCs across 3 accounts must communicate" → Transit Gateway.
- "On-prem app needs 10 Gbps consistent link to AWS" → Direct Connect.
- "Set up hybrid in 1 hour while DX is being provisioned" → Site-to-Site VPN as interim.
- "DX is not encrypted by default — meet compliance" → run IPsec VPN over DX.
- "SaaS vendor wants to expose API into customer VPCs without IP overlap concerns" → PrivateLink.
- "Avoid NAT data charges for S3 traffic from private subnet" → Gateway Endpoint for S3.
- "Two VPCs in same region, simple low-cost connection" → VPC Peering.
Exam tip
- Transitive routing = TGW (peering is not transitive).
- Encrypted hybrid by default = VPN (DX is not encrypted unless you add VPN on top).
- Private access to AWS service from a VPC → first try Gateway Endpoint (S3/DDB), else Interface Endpoint (PrivateLink).