AWS Direct Connect + AWS Transit Gateway + AWS Site-to-Site VPN - Amazon Virtual Private Cloud Connectivity Options

AWS Direct Connect + AWS Transit Gateway + AWS Site-to-Site VPN

With AWS Direct Connect + AWS Transit Gateway + AWS Site-to-Site VPN, you can run end-to-end IPsec-encrypted connections between your networks and a regional, centralized router for your Amazon VPCs (the transit gateway) over a private dedicated connection. Note the division of labor: Direct Connect supplies the private, predictable path but does not encrypt traffic on its own; the IPsec tunnels supply the encryption.

You can use an AWS Direct Connect public VIF to first establish a dedicated network connection between your network and public AWS resources, including the public endpoints of AWS Site-to-Site VPN. Once that connection is established, you create an IPsec VPN connection whose target is your AWS Transit Gateway, so the tunnels are carried over Direct Connect rather than the internet. With a transit VIF, the VPN endpoints instead use private IP addresses reachable through a Direct Connect gateway associated with the transit gateway. The following figures illustrate the public VIF and transit VIF variants of this option.

Figure: AWS Direct Connect, AWS Transit Gateway, and AWS Site-to-Site VPN (public VIF)

Figure: AWS Direct Connect, AWS Transit Gateway, and AWS Site-to-Site VPN (transit VIF)

Consider this approach when you want to simplify management and minimize the cost of IPsec VPN connections to multiple Amazon VPCs in the same Region, while keeping the low-latency, consistent network experience of a private dedicated connection instead of an internet-based VPN. Two routing sessions are involved. A BGP session is established between AWS Direct Connect and your router over the public or transit VIF; over a public VIF this is how your router learns the routes to the VPN endpoint addresses, so confirm that those addresses are actually reached via the Direct Connect path and not via your default internet route, otherwise the IPsec traffic will silently take the internet path. A second BGP session, or a static route, is then established between AWS Transit Gateway and your router inside the IPsec VPN tunnel; it carries the VPC prefixes reachable through the transit gateway.
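The two checks a practitioner wants before trusting this design are (1) that each VPN tunnel's outside endpoint is forwarded over the Direct Connect VIF rather than the internet, and (2) that each tunnel's inside CIDR is a usable link-local /30 that avoids the AWS-reserved ranges. The following is an added example, not AWS code or part of the original page; the routing table, interface names (`dx-public-vif`, `isp-uplink`), endpoint addresses and inside CIDRs are constructed sample data, and real values would come from the customer router's BGP/RIB output and the downloaded VPN configuration.

```python
"""Pre-flight checks for AWS Site-to-Site VPN tunnels carried over a Direct
Connect public VIF into a Transit Gateway.

Added example, not AWS's code. All routes, interface names and tunnel
addresses below are constructed sample data for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Link-local /30s that AWS reserves; they cannot be used as tunnel inside CIDRs.
RESERVED_INSIDE = [ipaddress.ip_network(c) for c in (
    "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
    "169.254.4.0/30", "169.254.5.0/30", "169.254.169.252/30")]
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    egress: str  # egress interface on the customer router (hypothetical names)


def best_route(rib, dst):
    """Longest-prefix match, mirroring the router's forwarding lookup."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in rib if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def tunnel_uses_direct_connect(rib, outside_ip, dx_interfaces):
    """True only if the VPN endpoint is reached via a Direct Connect VIF."""
    r = best_route(rib, outside_ip)
    return r is not None and r.egress in dx_interfaces


def inside_cidr_is_valid(cidr):
    """Tunnel inside CIDR must be a /30 in 169.254.0.0/16 outside the reserved set."""
    net = ipaddress.ip_network(cidr, strict=True)
    return (net.prefixlen == 30
            and net.subnet_of(LINK_LOCAL)
            and not any(net.overlaps(x) for x in RESERVED_INSIDE))


def check_tunnels(rib, tunnels, dx_interfaces):
    """Return {tunnel_name: [problems]}; an empty list means the tunnel passes."""
    report = {}
    for name, (outside_ip, inside_cidr) in tunnels.items():
        problems = []
        if not tunnel_uses_direct_connect(rib, outside_ip, dx_interfaces):
            r = best_route(rib, outside_ip)
            via = r.egress if r else "no route"
            problems.append(
                f"endpoint {outside_ip} is forwarded via {via}, not Direct Connect")
        if not inside_cidr_is_valid(inside_cidr):
            problems.append(
                f"inside CIDR {inside_cidr} is not a usable 169.254.0.0/16 /30")
        report[name] = problems
    return report


# Constructed sample: a default route to the ISP, one AWS prefix learned over
# the public VIF (documentation address space), and two tunnels. tunnel1 is
# correct; tunnel2's endpoint falls to the default route and its inside CIDR
# collides with a reserved range.
SAMPLE_RIB = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "isp-uplink"),
    Route(ipaddress.ip_network("198.51.100.0/24"), "dx-public-vif"),
]
SAMPLE_TUNNELS = {
    "tunnel1": ("198.51.100.7", "169.254.10.0/30"),
    "tunnel2": ("203.0.113.10", "169.254.0.0/30"),
}
DX_INTERFACES = {"dx-public-vif"}

if __name__ == "__main__":
    for tunnel, problems in check_tunnels(SAMPLE_RIB, SAMPLE_TUNNELS, DX_INTERFACES).items():
        print(tunnel, "OK" if not problems else problems)
```

Run it against your own RIB export and the tunnel values from the VPN connection's configuration download; a tunnel reported as forwarded via the internet uplink means the public VIF is not advertising (or your router is not preferring) the prefix that contains the VPN endpoint, so the "private path" of this design is not actually in effect for that tunnel.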

Additional resources