Direct connect is mainly used to establish a dedicated private connection between an on-premises network and AWS network. This could provide a higher bandwidth than your standard ISP. Storage Gateway on the other hand is for hybrid cloud storage. This service can help you in situations where you want to save on storage costs by moving some/most of your data to AWS Cloud with low-latency access (just as though you’re accessing them within the same disk).
AWS Direct Connect
- AWS Direct Connect is a networking service that provides an alternative to using the internet to connect to AWS.
- Using AWS Direct Connect, data that would have previously been transported over the internet is delivered through a private network connection between your facilities and AWS
- AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS. Using AWS Direct Connect, you create a private connection between AWS and your datacenter, office, or colocation environment. This can increase bandwidth throughput and provide a more consistent network experience than internet-based connections.
AWS Direct Connect is compatible with all AWS services accessible over the Internet, and is available in speeds starting at 50 Mbps and scaling up to 100 Gbps.
- Supports only 802.1Q VLAN encapsulation
- Direct connect collocation
- Contract with Direct connect partner (LOA-CFA): that will help you connect a router from your data center, office, or colocation environment to an AWS Direct Connect location.
- Connect directly at an AWS Direct Connect Location : using 1 Gbps, 10 Gbps,100 Gbps
- Supports IPV4 & IPV6
- Actual physical set up required
- Pricing : Port hours and data transfer
AWS Storage Gateway
AWS Storage Gateway is a set of hybrid cloud services that gives you on-premises access to virtually unlimited cloud storage. AWS Storage Gateway connects an on-premises software appliance with cloud-based storage to provide seamless integration with data security features between your on-premises IT environment and the AWS storage infrastructure
AWS Storage Gateway offers following
- File-based file gateways (Amazon S3 File and Amazon FSx File),
- Amazon S3 File Gateway supports a file interface into Amazon S3. You can store and retrieve objects in Amazon S3 using industry-standard file protocols such as Network File System (NFS) and Server Message Block (SMB).
- Amazon FSx File Gateway (FSx File) is a new file gateway type that provides low latency, and efficient access to in-cloud Amazon FSx for Windows File Server file shares from your on-premises facility
- Volume-based (Cached and Stored)
- Volume Gateway – A volume gateway provides cloud-backed storage volumes that you can mount as Internet Small Computer System Interface (iSCSI) devices from your on-premises application servers.
- The volume gateway is deployed into your on-premises environment as a VM running on VMware ESXi, KVM, or Microsoft Hyper-V hypervisor
- Cached volumes – You store your data in Amazon Simple Storage Service (Amazon S3) and retain a copy of frequently accessed data subsets locally.
- Stored volumes – If you need low-latency access to your entire dataset, first configure your on-premises gateway to store all your data locally. Then asynchronously back up point-in-time snapshots of this data to Amazon S3.
- Tape-based storage solutions
- Tape Gateway – A tape gateway provides cloud-backed virtual tape storage. The tape gateway is deployed into your on-premises environment as a VM running on VMware ESXi, KVM, or Microsoft Hyper-V hypervisor
AWS Site-to-Site VPN
Although the term VPN connection is a general term, in AWS terms, a VPN connection refers to the connection between your VPC and your own on-premises network. Site-to-Site VPN supports Internet Protocol security (IPsec) VPN connections.
- VPN connection: A secure connection between your on-premises equipment and your VPCs.
- VPN tunnel: An encrypted link where data can pass from the customer network to or from AWS. Each VPN connection includes two VPN tunnels which you can simultaneously use for high availability.
- Customer gateway: An AWS resource which provides information to AWS about your customer gateway device.
- Customer gateway device: A physical device or software application on your side of the Site-to-Site VPN connection.
- Virtual private gateway: The VPN concentrator on the Amazon side of the Site-to-Site VPN connection. You use a virtual private gateway or a transit gateway as the gateway for the Amazon side of the Site-to-Site VPN connection.
- Transit gateway: A transit hub that can be used to interconnect your VPCs and on-premises networks. You use a transit gateway or virtual private gateway as the gateway for the Amazon side of the Site-to-Site VPN connection.
Your Site-to-Site VPN connection is either an AWS Classic VPN or an AWS VPN.
- Each Site-to-Site VPN connection has two tunnels, with each tunnel using a unique virtual private gateway public IP address. It is important to configure both tunnels for redundancy. When one tunnel becomes unavailable (for example, down for maintenance), network traffic is automatically routed to the available tunnel for that specific Site-to-Site VPN connection.
How it works
A Site-to-Site VPN connection offers two VPN tunnels between a virtual private gateway or a transit gateway on the AWS side, and a customer gateway (which represents a VPN device) on the remote (on-premises) side.
A transit gateway is a transit hub that you can use to interconnect your virtual private clouds (VPC) and on-premises networks.
Multiple Site-to-Site VPN connections with a transit gateway The VPC has an attached transit gateway, and you have multiple Site-to-Site VPN connections to multiple on-premises locations.
- Your Site-to-Site VPN connection on a transit gateway can support either IPv4 traffic or IPv6 traffic inside the VPN tunnels.
- AWS-managed VPN is a hardware IPsec VPN that enables you to create an encrypted connection over the public Internet between your Amazon VPC and your private IT infrastructure. The VPN connection lets you extend your existing security and management policies to your VPC as if they were running within your own infrastructure.
VPN is a great connectivity option for businesses that are just getting started with AWS. It is quick and easy to setup. Keep in mind, however, that VPN connectivity utilizes the public Internet, which can have unpredictable performance and despite being encrypted, can present security concerns.
- You can monitor VPN tunnels using CloudWatch, which collects and processes raw data from the VPN service into readable, near real-time metrics.
AWS Direct Connect Gateway
- AWS Direct Connect gateway is a relatively new service from AWS. Connecting from a single Direct Connect location to multiple AWS VPCs wasn’t so straight forward. AWS Direct Connect gateway is aimed at making it easier to connect from a single Direct Connect location to multiple AWS regions or VPCs
- An AWS Direct Connect gateway is a grouping of virtual private gateways and private virtual interfaces that belong to the same AWS account.
- A Direct Connect gateway is a grouping of virtual private gateways (VGWs) and private virtual interfaces (VIFs). A Direct Connect gateway is a globally available resource. You can create the Direct Connect gateway in any Region and access it from all other Regions.
- AWS Direct Connect Gateway is a service built on top of the AWS Direct Connect. It allows AWS Direct Connect users to connect multiple VPCs in the same or different AWS regions to their Direct Connect connection.
Virtual private gateway associations In the following diagram, the Direct Connect gateway enables you to use your AWS Direct Connect connection in the US East (N. Virginia) Region to access VPCs in your account in both the US East (N. Virginia) and US West (N. California) Regions.
Each VPC has a virtual private gateway that connects to the Direct Connect gateway using a virtual private gateway association. The Direct Connect gateway uses a private virtual interface for the connection to the AWS Direct Connect location. There is an AWS Direct Connect connection from the location to the customer data center.
Consider this scenario of a Direct Connect gateway owner (Account Z) who owns the Direct Connect gateway. Account A and Account B want to use the Direct Connect gateway. Account A and Account B each send an association proposal to Account Z. Account Z accepts the association proposals and can optionally update the prefixes that are allowed from Account A’s virtual private gateway or Account B’s virtual private gateway. After Account Z accepts the proposals, Account A and Account B can route traffic from their virtual private gateway to the Direct Connect gateway. Account Z also owns the routing to the customers because Account Z owns the gateway.