The integrations between AWS and on-premise networks

Deep dive in how to implement on-premises to AWS Cloud via Site-to-Site VPN, Direct Connect, and Transit Gateway.

Published Dec 27, 2023
The technology world is evolving, and so is the networking world. But where do we stand as network developers contributing to this environment? As already mentioned, this world is changing, and it is becoming more digitalized because of the cloud. Some say the cloud is replacing entire telco networks; I disagree. The cloud is not aiming to eliminate today's legacy networks. On the contrary, it plays a crucial role for enterprises and carriers by giving them an easy, alternative way to connect to their other network branches. So in this post I will cover the future of legacy networks and their potential integrations with the cloud, also called hybrid cloud in this context. A real-life use case built with AWS Networking products will be discussed as well.

What is this hybrid cloud?

I assume that everyone reading this knows what the cloud is. If not, please look at the detailed explanations in the AWS documentation. Hybrid cloud is basically the concept of connecting your own network components and cloud services together. In a hybrid cloud you get the advantages of the cloud, such as scalability, redundancy, and high performance, and you do not need to operate the cloud-side infrastructure yourself.
Hybrid cloud has other perks as well. On the one hand, assume that you have a small company and want to reach your clients across the continent with low latency. With AWS Networking products such as Transit Gateway, Direct Connect, or Site-to-Site VPN, you can achieve this with minimal effort: you only need to configure and maintain the right routes between the tenants. On the other hand, hybrid cloud lets you scale up with lower operational expenses (OPEX), because the architecture is easily managed and flexible. The cloud itself follows a pay-per-use model, so as long as you have predictable plans for your AWS usage, you pay only for what you use. In that case the bills will probably be much lower, since there is no hardware to buy, commission, or maintain. Keep the AWS Shared Responsibility Model in mind, though: AWS secures the underlying infrastructure, but the routing, firewall rules, and VPN configuration you deploy on top of it remain your responsibility.

The importance of cloud migration

Cloud migration and the adoption of cloud-native functions are more important than ever for telecommunications companies. Integrating legacy networks with cloud services like AWS Transit Gateway or Direct Connect provides seamless connectivity across corporate branches, enabling low-latency client reach and scalability. This approach aligns with cost-efficient payment models while keeping the network adaptable to diverse consumer demands. For more on this topic, I have written about CNFs and the cloud migration concept in a previous blog post.
Let's dive into the related AWS Networking products.
AWS offers many services in various fields, from serverless computing to storage and from databases to machine learning. But in my humble opinion, the core products will always be the networking-related ones listed below:
- AWS Site-to-Site VPN
- AWS Direct Connect
- AWS Transit Gateway

How do you implement your legacy network to the cloud?

First and foremost, it depends on your scenario. The first two products listed above, Site-to-Site VPN and Direct Connect, are the alternative AWS solutions for interconnecting your on-premises network with the cloud; Transit Gateway is the hub that either of them can be attached to.
AWS Site-to-Site VPN
AWS Site-to-Site VPN establishes an encrypted communication channel, in the form of IPsec tunnels, between your on-premises data center or branch network and your virtual private cloud (VPC). Each VPN connection consists of two IPsec tunnels that terminate on separate AWS endpoints. It is similar to a private, virtual highway over the public internet: the packets still cross the internet, but they are authenticated and encrypted between your customer gateway device and AWS, so data can flow between your local infrastructure and AWS resources over a resilient and protected connection.
Figure 1 shows a simple implementation of AWS Site-to-Site VPN with a customer edge (CE) router in a local data center. This form is mostly used to connect an individual VPC, through its virtual private gateway, to another network.
Figure 2 shows a more redundant version of the basic architecture above. With the backup links between the VPC and the Site-to-Site VPN connection, high availability is set up on the AWS side. On the customer side of this diagram, more than one IPsec tunnel provides redundancy for the cluster.
Who said that AWS Site-to-Site VPN is only used for individual VPCs? Figure 3 shows a Transit Gateway attached to a simple Site-to-Site VPN – CE connection.
Here, AWS Transit Gateway functions as a scalable, centralized hub that consolidates connectivity between multiple VPCs and the on-premises network. It operates as a high-performance router, efficiently managing traffic between the various VPCs and the local infrastructure. Each attachment can be associated with its own TGW route table, so on-premises traffic can be limited to the VPCs it is meant to reach. This makes it an agile solution for interconnecting different networks, providing a unified and manageable way to handle data flow within and across the cloud and on-premises environments.
Even though Site-to-Site VPN offers critical features such as high availability, advanced routing policies, and support for both static routes and dynamic BGP peering, it also has some limits. Because the tunnels ride over the public internet, latency and jitter are not guaranteed, and each tunnel is capped in throughput, so larger transfers need several tunnels (for example with Transit Gateway ECMP). Dynamic routing also requires BGP routing policies on the on-premises device. From a security standpoint, you should restrict the tunnel options (IKE version, DH groups, encryption and integrity algorithms) rather than accept the defaults, which still permit IKEv1, DH group 2, and SHA-1.
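The tunnel-option check mentioned above, as an added example that is not part of the original post: a small audit over the JSON shape that `aws ec2 describe-vpn-connections` (or boto3 `describe_vpn_connections`) returns. The response embedded here is constructed so that the script runs offline, and the VPN ID, outside IP addresses and the "documented defaults" table are assumptions made for the example; one tunnel is left at permissive settings, the other is hardened, and the telemetry shows only one of the two tunnels up.

```python
"""Audit AWS Site-to-Site VPN tunnel options for weak IKE/IPsec settings.

Added example, not code from the original post. Input follows the
describe-vpn-connections response shape; the SAMPLE below is CONSTRUCTED.
"""
from __future__ import annotations

# Values a tunnel may negotiate when no option is specified (assumed to match the
# AWS documentation at the time of writing). Absent keys are treated as these.
AWS_DEFAULTS: dict[str, set] = {
    "IkeVersions": {"ikev1", "ikev2"},
    "Phase1DHGroupNumbers": {2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24},
    "Phase2DHGroupNumbers": {2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24},
    "Phase1IntegrityAlgorithms": {"SHA1", "SHA2-256", "SHA2-384", "SHA2-512"},
    "Phase2IntegrityAlgorithms": {"SHA1", "SHA2-256", "SHA2-384", "SHA2-512"},
}
WEAK_IKE_VERSIONS = {"ikev1"}
WEAK_INTEGRITY = {"SHA1"}
MIN_DH_GROUP = 14  # anything below is a 1024/1536-bit MODP group

# Constructed response: tunnel .10 is permissive, tunnel .11 is hardened.
SAMPLE = {
    "VpnConnections": [{
        "VpnConnectionId": "vpn-0123456789abcdef0",  # assumed ID
        "Options": {"TunnelOptions": [
            {"OutsideIpAddress": "203.0.113.10",
             "IkeVersions": [{"Value": "ikev1"}, {"Value": "ikev2"}],
             "Phase1DHGroupNumbers": [{"Value": 2}, {"Value": 14}, {"Value": 20}],
             "Phase1IntegrityAlgorithms": [{"Value": "SHA1"}, {"Value": "SHA2-256"}],
             "Phase2DHGroupNumbers": [{"Value": 2}, {"Value": 14}],
             "Phase2IntegrityAlgorithms": [{"Value": "SHA1"}, {"Value": "SHA2-256"}]},
            {"OutsideIpAddress": "203.0.113.11",
             "IkeVersions": [{"Value": "ikev2"}],
             "Phase1DHGroupNumbers": [{"Value": 20}],
             "Phase1IntegrityAlgorithms": [{"Value": "SHA2-384"}],
             "Phase2DHGroupNumbers": [{"Value": 20}],
             "Phase2IntegrityAlgorithms": [{"Value": "SHA2-384"}]},
        ]},
        "VgwTelemetry": [
            {"OutsideIpAddress": "203.0.113.10", "Status": "UP", "StatusMessage": ""},
            {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN", "StatusMessage": "IPSEC IS DOWN"},
        ],
    }]
}


def _values(tunnel: dict, key: str) -> set:
    """Negotiable values for one option; missing key means AWS defaults apply."""
    if key not in tunnel:
        return set(AWS_DEFAULTS[key])
    return {item["Value"] for item in tunnel[key]}


def audit_tunnel(tunnel: dict) -> list[str]:
    """Return one finding per weak option still permitted on a single tunnel."""
    ip = tunnel["OutsideIpAddress"]
    findings = []
    if WEAK_IKE_VERSIONS & _values(tunnel, "IkeVersions"):
        findings.append(f"{ip}: IKEv1 still permitted; restrict IkeVersions to ikev2")
    for phase in ("Phase1", "Phase2"):
        weak_dh = {g for g in _values(tunnel, f"{phase}DHGroupNumbers") if g < MIN_DH_GROUP}
        if weak_dh:
            findings.append(f"{ip}: {phase} allows DH group(s) {sorted(weak_dh)}")
        if WEAK_INTEGRITY & _values(tunnel, f"{phase}IntegrityAlgorithms"):
            findings.append(f"{ip}: {phase} allows SHA1 integrity")
    return findings


def audit_connection(conn: dict) -> list[str]:
    """Audit both tunnels of a connection and check that both are actually up."""
    findings = []
    for tunnel in conn["Options"]["TunnelOptions"]:
        findings.extend(audit_tunnel(tunnel))
    up = {t["OutsideIpAddress"] for t in conn.get("VgwTelemetry", []) if t["Status"] == "UP"}
    if len(up) < 2:  # a Site-to-Site VPN connection always has two tunnels
        findings.append(f"{conn['VpnConnectionId']}: only {len(up)} of 2 tunnels UP; no redundancy")
    return findings


def audit(response: dict) -> dict[str, list[str]]:
    """Map every VPN connection ID in a describe-vpn-connections response to its findings."""
    return {c["VpnConnectionId"]: audit_connection(c) for c in response["VpnConnections"]}


if __name__ == "__main__":
    for vpn_id, findings in audit(SAMPLE).items():
        print(vpn_id, "OK" if not findings else "")
        for line in findings:
            print("  -", line)
```

Run it against real output by replacing `SAMPLE` with `json.load(...)` of `aws ec2 describe-vpn-connections`; an empty findings list means every negotiable option on both tunnels is restricted to IKEv2, DH group 14 or higher, and SHA-2, and both tunnels are up.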
AWS Direct Connect
AWS Direct Connect establishes a dedicated, high-speed link between your on-premises data center and the AWS infrastructure. It operates as a private connection that bypasses the public internet, providing consistent, low-latency access to AWS resources. Note that a Direct Connect link is private but not encrypted by default: if you need encryption in transit, either enable MACsec on a supported dedicated connection or run a Site-to-Site VPN over the Direct Connect link. This direct physical link ensures reliable and efficient data transmission, ideal for large-scale data transfer and critical workloads.
Figure 4 shows a simple implementation of AWS Direct Connect with a customer edge router. The most important part of this interconnection is the private, dedicated, high-speed link between multiple VPCs and the customer edge infrastructure. A private virtual interface (VIF) and a matching 802.1Q VLAN tag need to be configured on both sides.
Figure 5 shows a redundant version of Direct Connect usage. Multiple private VIFs and a link aggregation group (LAG) with multiple links are used to build this solution. As seen in the diagram below, a Direct Connect gateway (DXGW) acts as a central point for managing these connections, providing a simpler and more efficient way to handle failover. Keep in mind that all links in a LAG terminate at the same Direct Connect location, so resilience against a location failure requires connections at more than one location.
As already mentioned in the previous section, AWS Transit Gateway manages the flow of traffic between different locations within AWS and the local infrastructure. Combined with Direct Connect, Transit Gateway extends these interconnections globally, between AWS Regions and on-premises. In this architecture you need to associate the TGW with the Direct Connect gateway, set the allowed prefixes for that association, and create a transit VIF so that traffic is forwarded through DX. The rest is the same as before.
Direct Connect has many advantages, such as low latency, high throughput, and LAG support. It is the best option for large-scale enterprise and carrier-grade networks. On the other hand, it is more expensive than the AWS VPN solution and takes longer to provision, since a physical cross-connect has to be ordered.

Use case

In this example, a simple data collector solution is demonstrated. Let's say you need to collect particular telemetry from network gear installed in your data centers and branches, and use that data for training in multiple AWS Regions. Then you need a solution like the one in Figure 7 below. The important part of this diagram is the use of Direct Connect between the AWS and ISP networks. For a dedicated private line, I prefer Direct Connect here instead of Site-to-Site VPN; with a lower budget, the VPN solution may be the better choice. On the AWS side, two Transit Gateways carry the data arriving through DX to the VPCs, and the communication between these TGWs is handled via TGW peering. Since a peering attachment does not propagate routes, the prefixes reachable through the peer must be added as static routes on each TGW. If another VPC is needed in an existing Region, that Region's TGW can be reused for it too.
Please note that the services inside the VPCs can change according to the requirements. Here, several EC2 instances and S3 buckets are shown as an example.
Figure 7 – AWS VPC & ISP Network integration via TGW and DX
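The routing side of the Direct Connect plus Transit Gateway design above (the TGW association, its allowed prefixes, and the static routes across the TGW peering), as an added example that is not part of the original post. The topology is constructed for illustration: the site names, VPC names, CIDRs and Region names are assumptions, as is the choice of which Region's TGW is associated with the Direct Connect gateway. The script checks the address plan for overlaps before anything is deployed, derives the route table each TGW needs, and summarizes the VPC CIDRs into the allowed-prefix list advertised to on-premises.

```python
"""Plan hybrid routing for a Direct Connect + Transit Gateway peering design.

Added example, not code from the original post. The topology below is
CONSTRUCTED; replace it with your own prefixes and attachment names.
"""
from __future__ import annotations

from ipaddress import IPv4Network, collapse_addresses
from itertools import combinations

# Constructed address plan. On-prem sites come in through Direct Connect;
# each Region's VPCs hang off that Region's Transit Gateway.
ON_PREM = {"dc-1": "10.10.0.0/16", "branch-a": "10.20.0.0/24", "branch-b": "10.20.1.0/24"}
VPCS = {
    "eu-central-1": {"vpc-collector": "172.16.0.0/20", "vpc-training": "172.16.16.0/20"},
    "us-east-1": {"vpc-training-us": "172.16.32.0/20"},
}
DX_REGION = "eu-central-1"  # assumed: the TGW associated with the DX gateway lives here


def find_overlaps(named: dict[str, str]) -> list[tuple[str, str]]:
    """Pairs of names whose prefixes overlap; any hit makes routing ambiguous."""
    nets = {name: IPv4Network(cidr) for name, cidr in named.items()}
    return sorted((a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b]))


def all_prefixes() -> dict[str, str]:
    """Every prefix in the plan, on-prem and cloud, keyed by its name."""
    out = dict(ON_PREM)
    for vpcs in VPCS.values():
        out.update(vpcs)
    return out


def tgw_routes(region: str) -> dict[str, str]:
    """Static route table for the TGW in `region`: destination prefix -> attachment.

    Local VPCs point at their VPC attachment, the other Region's VPCs at the
    peering attachment, and on-prem prefixes at the DX gateway attachment in the
    DX Region or at the peering attachment everywhere else. Peering attachments
    never propagate routes, so every one of these entries has to be added explicitly.
    """
    routes: dict[str, str] = {}
    for name, cidr in VPCS[region].items():
        routes[cidr] = f"vpc-attachment:{name}"
    for other, vpcs in VPCS.items():
        if other == region:
            continue
        for cidr in vpcs.values():
            routes[cidr] = f"peering-attachment:{other}"
    for cidr in ON_PREM.values():
        routes[cidr] = "dx-gateway-attachment" if region == DX_REGION else f"peering-attachment:{DX_REGION}"
    return routes


def dx_allowed_prefixes() -> list[str]:
    """Prefixes the TGW-to-DX-gateway association advertises towards on-prem.

    All VPC CIDRs from both Regions, collapsed into the fewest summary routes,
    because the allowed-prefix list of an association is subject to a quota and
    every prefix listed here is what the on-prem BGP speaker will learn.
    """
    nets = [IPv4Network(cidr) for vpcs in VPCS.values() for cidr in vpcs.values()]
    return [str(net) for net in collapse_addresses(nets)]


if __name__ == "__main__":
    overlaps = find_overlaps(all_prefixes())
    print("overlaps:", overlaps or "none")
    for region in VPCS:
        print(f"\nTGW route table ({region}):")
        for prefix, target in sorted(tgw_routes(region).items()):
            print(f"  {prefix:<18} -> {target}")
    print("\nDX gateway allowed prefixes:", dx_allowed_prefixes())
```

A non-empty result from `find_overlaps` is the thing to fix first; the TGW will happily install the longest-prefix match, but on-prem BGP policy and VPC route tables will not necessarily agree with it. The summarized allowed-prefix list is also the place to check what you are exposing: anything advertised here becomes reachable from every on-prem site behind the Direct Connect link unless the TGW route tables or security groups say otherwise.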


To sum everything up, AWS has very powerful cloud networking products for building stable communication between on-prem networks and the cloud. Up to this point, hybrid cloud, cloud migration, and several products that help build these future networks have been explained.
Since you are here, thank you for reading! If you have questions, please reach out in the comments section below.