
Choose the right AWS network path — performance, security, cost, and compliance decoded
Private dedicated fiber vs encrypted tunnel vs public internet — know exactly when each wins
| Feature | Exam note | Direct Connect (dedicated private fiber to AWS) | VPN (encrypted IPsec tunnel over internet) | Internet (standard public internet access) |
|---|---|---|---|---|
| Connection Type | DX never touches the public internet — this is its defining characteristic. | Dedicated private physical connection via colocation or partner | Encrypted IPsec/IKE tunnel over the public internet | Standard public internet routing via IGW or NAT Gateway |
| Encryption In Transit | CRITICAL TRAP: DX is private but NOT encrypted. For compliance requiring encryption in transit, you must layer VPN over DX or use MACsec. | NOT encrypted by default — must add MACsec or IPsec VPN over DX for encryption | Always encrypted — AES-128 or AES-256 IPsec by default | Not encrypted by default — application-layer TLS required (HTTPS) |
| Bandwidth / Throughput | DX wins on raw, consistent bandwidth. VPN is capped per tunnel but ECMP can aggregate. Internet is unpredictable. | Dedicated connections: 1 Gbps, 10 Gbps, 100 Gbps. Hosted connections: 50 Mbps–10 Gbps (partner-provisioned) | Up to 1.25 Gbps per tunnel; ECMP across multiple tunnels for higher aggregate throughput | Variable — no guaranteed bandwidth; subject to ISP congestion |
| Latency | Exam scenario: 'consistent low latency' = Direct Connect. 'variable latency acceptable' = VPN or Internet. | Low and consistent — dedicated path bypasses public internet hops | Higher and variable — traverses public internet; adds IPsec overhead | Variable — dependent on routing, congestion, and geography |
| Reliability / SLA | A single DX connection has NO SLA — you need two connections to different DX locations for an SLA-backed HA architecture. | High — dedicated physical link; use redundant connections across locations for HA. AWS recommends two DX connections. | High availability with dual tunnels per VPN connection (active/passive or active/active with ECMP) | No SLA — best-effort delivery; subject to ISP outages |
| Setup Time | Exam scenario: 'need connectivity TODAY' or 'temporary' = VPN. 'long-term, dedicated, consistent' = DX. | Weeks to months — requires physical cross-connect at colocation facility or partner provisioning | Minutes — fully software-defined, deployed via console or CLI | Immediate — IGW attached to VPC, route table updated |
| Cost Model | For HIGH data egress volumes, DX has lower data transfer rates than internet. VPN is cheapest for low-volume or temporary use. | Port-hour charges + data transfer out (lower egress rate than internet). Dedicated: $0.30/hr (1G) to $2.25/hr (100G) typical. Hosted: varies by partner. | VPN connection-hour charge (~$0.05/hr per connection) + standard data transfer out rates | No connection charge — pay standard data transfer out rates (highest egress cost) |
| Data Transfer Pricing | VPN does NOT get reduced data transfer rates — only DX does. This is a common exam cost-optimization trap. | Reduced data transfer out rates compared to internet — tiered by region and volume | Standard AWS data transfer out rates apply (same as internet egress) | Standard AWS data transfer out rates — highest cost for large volumes |
| BGP Routing | DX always uses BGP. VPN can use static OR dynamic BGP. Know the difference for architecture questions. | Required — BGP session mandatory between customer router and DX router. Supports private and public VIFs. | Optional — supports static routes or dynamic BGP routing with Virtual Private Gateway | Not applicable — public internet routing is managed by ISPs |
| Virtual Interfaces (VIFs) | Private VIF = access to VPC resources. Public VIF = access to S3, DynamoDB public endpoints, etc. over DX without traversing the internet. | Private VIF (VPC access), Public VIF (AWS public services), Transit VIF (Transit Gateway). Each DX connection can host multiple VIFs. | Not applicable — connects to Virtual Private Gateway or Transit Gateway directly | Not applicable |
| Transit Gateway Integration | Direct Connect Gateway (DXGW) allows one DX connection to reach VPCs in multiple AWS regions — critical for multi-region architectures. | Yes — via Transit VIF + Direct Connect Gateway. Enables hub-and-spoke to multiple VPCs/regions. | Yes — attach VPN to Transit Gateway for centralized connectivity | Not applicable |
| Direct Connect Gateway | DXGW is NOT a router — it does not route between VPCs. It only connects DX to VGWs/TGWs. | Supported — DXGW allows a single DX to connect to VPCs across multiple regions and accounts | Not applicable (VPN uses VGW or TGW) | Not applicable |
| Compliance & Regulatory | Exam scenario: 'compliance', 'regulated', 'financial', 'healthcare' data = Direct Connect (with encryption layer). | Preferred for regulated workloads (PCI-DSS, HIPAA) — private path, no internet exposure. Add encryption for full compliance. | Acceptable for many compliance frameworks — encrypted in transit | Generally not acceptable for sensitive regulated workloads without additional controls |
| Failover / Redundancy Pattern | The DX + VPN backup pattern is extremely common on SAA-C03 and SAP-C02. Know this architecture cold. | Primary DX + backup VPN is the AWS recommended HA pattern for cost-effective resilience | Used as backup to DX, or standalone with dual tunnels for HA | Last-resort fallback; not recommended for production hybrid connectivity |
| Speed Options | Hosted connections give sub-1 Gbps options — useful when you need DX but don't require a full 1G/10G dedicated port. | Dedicated: 1 Gbps, 10 Gbps, 100 Gbps. Hosted: 50 Mbps, 100 Mbps, 200 Mbps, 300 Mbps, 400 Mbps, 500 Mbps, 1 Gbps, 2 Gbps, 5 Gbps, 10 Gbps | Up to 1.25 Gbps per tunnel; use multiple tunnels with ECMP for higher throughput | No defined speed — depends on customer ISP and AWS region capacity |
| MACsec Support | MACsec = Layer 2 encryption for DX. IPsec VPN = Layer 3 encryption. MACsec is the modern way to encrypt DX without VPN overhead. | Supported on dedicated connections (10 Gbps and 100 Gbps) — provides Layer 2 encryption on the wire | Not applicable — VPN uses IPsec (Layer 3/4 encryption) | Not applicable |
| Use Case: Large Data Migration | Petabyte-scale ongoing replication = DX. One-time petabyte migration = consider the AWS Snow family instead. | Best — high throughput, consistent speed, lower egress cost for sustained large transfers | Acceptable for moderate volumes but slower and more expensive per GB than DX | Avoid for large migrations — highest cost, variable speed |
| Use Case: Backup / DR | For aggressive RPO/RTO with large data volumes, DX is preferred. VPN works for cost-sensitive DR scenarios. | Ideal for ongoing replication to AWS — consistent bandwidth for RPO targets | Good for DR with moderate data volumes — quick setup, lower cost | Viable for small DR workloads with application-layer encryption (HTTPS) |
| IPv6 Support | All three support IPv6 — this is rarely a differentiator on exams. | Supported — IPv6 BGP peering available on private and public VIFs | Supported — IPv6 inside tunnels and for tunnel endpoints | Supported — dual-stack VPC with IPv6 IGW |
Summary
Use Direct Connect when you need consistent high bandwidth, low latency, regulatory compliance, or cost-effective high-volume data transfer — it is the premium, long-term enterprise connectivity choice. Use Site-to-Site VPN when you need encrypted connectivity quickly, at low cost, or as a backup to Direct Connect — it is ideal for temporary, lower-volume, or budget-constrained scenarios. Use the public internet only for non-sensitive workloads, development environments, or as a last-resort failover path.
🎯 Decision Tree
- Need a private path (no internet exposure)? → Direct Connect or VPN.
- Need encryption in transit? → VPN (or DX + MACsec/IPsec overlay).
- Need it TODAY or temporarily? → VPN.
- Need consistent sub-millisecond latency? → Direct Connect.
- Need >1.25 Gbps sustained? → Direct Connect.
- Regulated/compliance workload (HIPAA, PCI)? → Direct Connect + encryption.
- Cost-sensitive with low traffic? → VPN.
- High egress volume long-term? → Direct Connect (lower data transfer rates).
- Need multi-region VPC access from one connection? → Direct Connect + Direct Connect Gateway.
- Primary DX down, need automatic failover? → VPN as backup with BGP.
Direct Connect is PRIVATE but NOT ENCRYPTED by default. If an exam question mentions 'compliance', 'encryption in transit', 'HIPAA', or 'PCI-DSS' alongside Direct Connect, you must add either MACsec (Layer 2) or an IPsec VPN tunnel over the DX link. Choosing DX alone for an encrypted-in-transit requirement is WRONG.
The canonical AWS hybrid connectivity HA pattern is: Direct Connect as primary + Site-to-Site VPN as backup. This appears constantly on SAA-C03 and SAP-C02. The VPN backup activates automatically via BGP route failover when DX goes down. Know this architecture and why it is preferred over two DX connections when cost is a constraint.
VPN throughput is capped at 1.25 Gbps per tunnel. To exceed this with VPN, you need multiple VPN connections with ECMP enabled on a Transit Gateway (NOT a Virtual Private Gateway — VGW does not support ECMP). If the scenario requires >1.25 Gbps guaranteed bandwidth, Direct Connect is the correct answer.
Direct Connect Gateway (DXGW) enables one DX connection to reach VPCs in MULTIPLE AWS regions — but it does NOT route traffic between those VPCs. It is a connectivity hub to VGWs/TGWs only. For VPC-to-VPC routing, you still need Transit Gateway or VPC Peering.
For high-volume data egress (e.g., ongoing replication, analytics data export), Direct Connect has LOWER data transfer out rates than internet or VPN. On cost-optimization questions with large sustained data volumes, DX often becomes more cost-effective than VPN despite higher port-hour charges.
Hosted DX connections (via AWS Partner Network partners) support sub-1Gbps speeds (as low as 50 Mbps) — useful when a customer needs DX benefits but cannot justify a full 1G/10G dedicated port. Dedicated connections only come in 1G, 10G, and 100G.
Setup time is a valid exam discriminator: VPN can be provisioned in minutes; Direct Connect takes weeks to months due to physical cross-connect provisioning. Any scenario mentioning 'immediate', 'temporary', 'proof of concept', or 'urgent' connectivity points to VPN.
Common mistake: assuming Direct Connect provides encryption in transit because it is a 'private' connection. On exam questions requiring both private connectivity AND encryption in transit (HIPAA, PCI-DSS, financial data), the correct answer is Direct Connect PLUS an IPsec VPN overlay or MACsec — not Direct Connect alone. Candidates who conflate 'private' with 'encrypted' will choose DX-only and get the question wrong.
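As an added example (not part of the CertAI Tutor page), the decision tree and the traps above encoded as a design-review check in Python: given the stated requirements and a proposed hybrid design, it returns one finding code for each cheat-sheet rule the design violates. The `Requirements`/`Design` fields and the finding codes are my own naming; the 1.25 Gbps per-tunnel cap and the 10/100 Gbps MACsec port speeds come from the table.

```python
from dataclasses import dataclass
from typing import List, Optional

VPN_TUNNEL_GBPS = 1.25             # per-tunnel cap from the comparison table
MACSEC_DEDICATED_GBPS = {10, 100}  # dedicated port speeds the table lists for MACsec

@dataclass
class Requirements:
    private_path: bool            # traffic must never traverse the public internet
    encryption_in_transit: bool
    sustained_gbps: float
    high_availability: bool

@dataclass
class Design:                     # field names are this example's own, not AWS API names
    paths: frozenset              # subset of {"dx", "vpn", "internet"}
    dx_connections: int = 0
    dx_speed_gbps: float = 0.0
    dx_encryption: Optional[str] = None   # None, "macsec" or "ipsec" (IPsec VPN over DX)
    vpn_tunnels: int = 0
    vpn_ecmp: bool = False
    vpn_gateway: str = "vgw"      # "vgw" (Virtual Private Gateway) or "tgw" (Transit Gateway)

def review(req: Requirements, d: Design) -> List[str]:
    """Return a code for every cheat-sheet rule the proposed design violates."""
    findings = []
    if req.private_path and "internet" in d.paths:
        findings.append("INTERNET_NOT_PRIVATE")
    if req.encryption_in_transit and "internet" in d.paths:
        findings.append("INTERNET_NEEDS_TLS")        # internet is not encrypted by default
    if req.encryption_in_transit and "dx" in d.paths and d.dx_encryption is None:
        # The classic trap: a backup VPN does not encrypt traffic while it rides DX.
        findings.append("DX_UNENCRYPTED")
    if d.dx_encryption == "macsec" and d.dx_speed_gbps not in MACSEC_DEDICATED_GBPS:
        findings.append("MACSEC_UNSUPPORTED_SPEED")
    if req.high_availability and "dx" in d.paths and d.dx_connections < 2 and "vpn" not in d.paths:
        findings.append("SINGLE_DX_NO_SLA")           # one DX link carries no SLA
    vpn_only = d.paths == frozenset({"vpn"})
    if req.high_availability and vpn_only and d.vpn_tunnels < 2:
        findings.append("VPN_SINGLE_TUNNEL")          # HA needs both tunnels of a connection
    if vpn_only and req.sustained_gbps > VPN_TUNNEL_GBPS:
        if d.vpn_ecmp and d.vpn_gateway == "vgw":
            findings.append("ECMP_ON_VGW")            # only Transit Gateway aggregates tunnels
        ecmp_ok = d.vpn_ecmp and d.vpn_gateway == "tgw"
        aggregate = d.vpn_tunnels * VPN_TUNNEL_GBPS if ecmp_ok else VPN_TUNNEL_GBPS
        if aggregate < req.sustained_gbps:
            findings.append("VPN_BANDWIDTH_EXCEEDED")
    return findings
```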
CertAI Tutor · CLF-C02, SAA-C03, SCS-C02, SAP-C02, DOP-C02 · 2026-02-22