

# Networking integration
<a name="networking"></a>

Most enterprises require connectivity between accounts in their AWS Control Tower–managed environment, and that requirement often extends to corporate offices and on-premises data centers. AWS Site-to-Site VPN and AWS Direct Connect provide the network paths for that hybrid connectivity.
+ [Site-to-Site VPN](https://aws.amazon.com/vpn/) establishes a secure and private tunnel from your network or device to the AWS Cloud over the internet. It allows you to securely connect your on-premises network or branch office site to your VPC.
+ [AWS Direct Connect](https://aws.amazon.com/directconnect/) makes it easy to establish a dedicated network connection from your on-premises environment to AWS. It provides a more consistent network experience than internet-based connections.
+ [AWS Transit Gateway](https://aws.amazon.com/transit-gateway/) connects VPCs and on-premises networks through a central hub and enables various routing scenarios. It controls how traffic is routed among the connected networks.

The easiest way to get started with hybrid connectivity is to establish a Site-to-Site VPN over the internet. This extends your data center or branch office to the cloud by using IPsec tunnels. You can configure routing dynamically by using Border Gateway Protocol (BGP) or configure static routes. Each AWS Site-to-Site VPN connection consists of two VPN tunnels for redundancy; each tunnel terminates on an endpoint in a different Availability Zone within the AWS global network, for high availability.

AWS Site-to-Site VPN supports terminating IPsec tunnels on both virtual private gateways and AWS Transit Gateway at the AWS end. When you terminate a VPN on a virtual private gateway, you can access only the VPC that the gateway is attached to. If you use Transit Gateway instead, you gain connectivity to thousands of VPCs over a single pair of VPN tunnels. Additionally, Transit Gateway supports equal-cost multipath (ECMP) routing, which enables you to load-balance traffic across multiple VPN tunnels for high availability and bandwidth aggregation. ECMP applies only to BGP-based (dynamic) VPN connections and must be enabled on the transit gateway; static-route VPN connections cannot use it.

In summary, terminating a VPN at a transit gateway is the recommended starting point for hybrid architectures, because it provides more flexibility in the number of VPCs you can connect to and added functionality such as ECMP.
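The following audit script is an added example and is not part of the original guidance or any AWS tool. It reads the data structure returned by the EC2 `DescribeVpnConnections` API (the `VpnConnections[].Options.TunnelOptions` and `VgwTelemetry` fields) and reports, per connection, whether it terminates on a transit gateway or a virtual private gateway, whether both tunnels are up, whether BGP tunnels have actually accepted routes, and whether the tunnel options still permit IKEv1, Diffie-Hellman group 2, AES-128 or SHA1. The "allowed" sets encode an assumed hardening policy chosen for this example, not an AWS default; the sample response, IDs and addresses are constructed so that the script runs offline.

```python
"""Audit AWS Site-to-Site VPN connections from the shape of an EC2
describe-vpn-connections response: AWS-side termination point, tunnel
health, BGP route exchange, and the IKE/IPsec options each tunnel permits."""
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (code, human-readable detail)

# Assumed hardening policy (this example's choice, not an AWS default): only
# IKEv2, DH groups 14 and up, SHA-2 integrity, and AES-256 (CBC or GCM).
ALLOWED_IKE = {"ikev2"}
MIN_DH_GROUP = 14
ALLOWED_INTEGRITY = {"SHA2-256", "SHA2-384", "SHA2-512"}
ALLOWED_ENCRYPTION = {"AES256", "AES256-GCM-16"}


def _values(opt: dict, key: str) -> set:
    """TunnelOptions lists look like [{"Value": "ikev2"}, {"Value": 14}, ...]."""
    return {item["Value"] for item in opt.get(key, [])}


def audit_vpn_connection(conn: dict) -> List[Finding]:
    findings: List[Finding] = []
    vpn_id = conn["VpnConnectionId"]

    # Termination point: a transit gateway reaches many VPCs and supports ECMP;
    # a virtual private gateway reaches only the VPC it is attached to.
    if not conn.get("TransitGatewayId"):
        findings.append(("VGW_TERMINATION",
                         f"{vpn_id} terminates on {conn.get('VpnGatewayId', 'unknown gateway')}: "
                         "single VPC, no ECMP"))

    # Two tunnels are provisioned for redundancy; each should be UP.
    telemetry = conn.get("VgwTelemetry", [])
    if len(telemetry) != 2:
        findings.append(("TUNNEL_COUNT", f"{vpn_id} reports {len(telemetry)} tunnels, expected 2"))
    dynamic = not conn.get("Options", {}).get("StaticRoutesOnly", False)
    for t in telemetry:
        if t.get("Status") != "UP":
            findings.append(("TUNNEL_DOWN", f"{vpn_id} tunnel {t.get('OutsideIpAddress')} is "
                                            f"{t.get('Status')}: {t.get('StatusMessage', '')}"))
        elif dynamic and t.get("AcceptedRouteCount", 0) == 0:
            # BGP tunnel that is UP but learned nothing carries no traffic.
            findings.append(("NO_BGP_ROUTES",
                             f"{vpn_id} tunnel {t.get('OutsideIpAddress')} is UP but accepted no BGP routes"))

    # Negotiation options: AWS accepts any value in the list, so a list that
    # still contains ikev1, DH group 2 or SHA1 lets the peer negotiate down.
    for opt in conn.get("Options", {}).get("TunnelOptions", []):
        ip = opt.get("OutsideIpAddress", "?")
        weak_ike = _values(opt, "IkeVersions") - ALLOWED_IKE
        if weak_ike:
            findings.append(("WEAK_IKE", f"{vpn_id} tunnel {ip} permits {sorted(weak_ike)}"))
        for phase in ("Phase1", "Phase2"):
            weak_dh = {g for g in _values(opt, f"{phase}DHGroupNumbers") if g < MIN_DH_GROUP}
            if weak_dh:
                findings.append(("WEAK_DH", f"{vpn_id} tunnel {ip} {phase} permits DH groups {sorted(weak_dh)}"))
            weak_enc = _values(opt, f"{phase}EncryptionAlgorithms") - ALLOWED_ENCRYPTION
            if weak_enc:
                findings.append(("WEAK_ENCRYPTION", f"{vpn_id} tunnel {ip} {phase} permits {sorted(weak_enc)}"))
            weak_int = _values(opt, f"{phase}IntegrityAlgorithms") - ALLOWED_INTEGRITY
            if weak_int:
                findings.append(("WEAK_INTEGRITY", f"{vpn_id} tunnel {ip} {phase} permits {sorted(weak_int)}"))
    return findings


def audit(response: dict) -> Dict[str, List[Finding]]:
    """Audit every connection in a describe-vpn-connections response."""
    return {c["VpnConnectionId"]: audit_vpn_connection(c) for c in response["VpnConnections"]}


def _tunnel(ip, ike, dh, enc, integ):
    """Build one TunnelOptions entry in the API's {"Value": ...} list shape (same lists for both phases)."""
    return {"OutsideIpAddress": ip,
            "IkeVersions": [{"Value": v} for v in ike],
            "Phase1DHGroupNumbers": [{"Value": g} for g in dh], "Phase2DHGroupNumbers": [{"Value": g} for g in dh],
            "Phase1EncryptionAlgorithms": [{"Value": e} for e in enc], "Phase2EncryptionAlgorithms": [{"Value": e} for e in enc],
            "Phase1IntegrityAlgorithms": [{"Value": i} for i in integ], "Phase2IntegrityAlgorithms": [{"Value": i} for i in integ]}


# Constructed sample response; IDs and addresses are made up for this example.
SAMPLE_RESPONSE = {"VpnConnections": [
    {"VpnConnectionId": "vpn-0a1b2c3d4e5f60001", "TransitGatewayId": "tgw-0123456789abcdef0",  # hardened, on TGW, BGP
     "Options": {"StaticRoutesOnly": False, "TunnelOptions": [
         _tunnel("203.0.113.10", ["ikev2"], [14, 20], ["AES256-GCM-16"], ["SHA2-256"]),
         _tunnel("203.0.113.11", ["ikev2"], [14, 20], ["AES256-GCM-16"], ["SHA2-256"])]},
     "VgwTelemetry": [{"OutsideIpAddress": "203.0.113.10", "Status": "UP", "AcceptedRouteCount": 12},
                      {"OutsideIpAddress": "203.0.113.11", "Status": "UP", "AcceptedRouteCount": 12}]},
    {"VpnConnectionId": "vpn-0a1b2c3d4e5f60002", "VpnGatewayId": "vgw-0fedcba9876543210",  # on VGW, permissive, one tunnel down
     "Options": {"StaticRoutesOnly": False, "TunnelOptions": [
         _tunnel("198.51.100.20", ["ikev1", "ikev2"], [2, 14], ["AES128", "AES256"], ["SHA1", "SHA2-256"]),
         _tunnel("198.51.100.21", ["ikev1", "ikev2"], [2, 14], ["AES128", "AES256"], ["SHA1", "SHA2-256"])]},
     "VgwTelemetry": [{"OutsideIpAddress": "198.51.100.20", "Status": "UP", "AcceptedRouteCount": 3},
                      {"OutsideIpAddress": "198.51.100.21", "Status": "DOWN", "AcceptedRouteCount": 0,
                       "StatusMessage": "IPSEC IS DOWN"}]},
]}

if __name__ == "__main__":
    for vpn_id, findings in audit(SAMPLE_RESPONSE).items():
        print(vpn_id, "PASS" if not findings else f"{len(findings)} finding(s)")
        for code, detail in findings:
            print(f"  [{code}] {detail}")
```

To run it against a live account, replace `SAMPLE_RESPONSE` with the return value of `boto3.client("ec2").describe_vpn_connections()`; the field names used above are the ones that call returns. The second sample connection produces 16 findings: the virtual private gateway termination, the down tunnel, and seven negotiation findings per tunnel, which is what you see when a connection is left with the permissive option lists and nobody pinned IKEv2 and DH group 14 or higher on the AWS side.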

The following diagram shows how you can connect an on-premises environment to your VPCs on AWS by using AWS Site-to-Site VPN.

![\[Connecting on-premises environment to VPCs by using AWS Site-to-Site VPN.\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/designing-control-tower-landing-zone/images/networking-s2s.png)


For end-to-end network performance, you can use Direct Connect to enable consistent, low-latency, high-bandwidth, dedicated fiber connectivity between your on-premises data centers and AWS. Direct Connect provides dedicated connections at bandwidths of 1 Gbps, 10 Gbps, 100 Gbps, and 400 Gbps. Hosted connections provided by Direct Connect Partners use pre-established network links and are available from 50 Mbps up to 25 Gbps.

Direct Connect provides three types of virtual interfaces (VIFs):
+ Public VIFs provide global connectivity to public AWS resources, including AWS public service endpoints, public Amazon EC2 IP addresses, and public Elastic Load Balancing addresses.
+ Private VIFs provide connectivity to the private IP range of your VPC.
+ Transit VIFs enable connectivity to transit gateways.

The following sections provide examples of these connectivity options.

**Topics**
+ [Direct Connect with private VIF over virtual private gateway](private-vif.md)
+ [Direct Connect with AWS Transit Gateway over transit VIF](transit-vif.md)
+ [Inter-VPC connectivity through AWS Transit Gateway](inter-vpc.md)
+ [Direct Connect SiteLink](sitelink.md)
+ [AWS Cloud WAN](cloud-wan.md)

# Direct Connect with private VIF over virtual private gateway
<a name="private-vif"></a>

The following diagram shows how you can connect VPCs and on-premises environments through a virtual private gateway over a private VIF by using Direct Connect.

![\[Connecting VPCs and on-premises through virtual private gateway over private VIF\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/designing-control-tower-landing-zone/images/networking-dc-private-vif.png)


Most large enterprise customers deploy resources within a large number of VPCs across multiple AWS Regions and require connectivity from data centers that are spread across geographies. By using a Direct Connect gateway, which is a global construct, you can use existing Direct Connect connections to connect to resources in VPCs across AWS Regions. You can associate up to 20 virtual private gateways (each attached to a VPC) in different AWS Regions directly with a Direct Connect gateway. Alternatively, you can use Transit Gateway to attach to thousands of VPCs. For more information, see the [next section](transit-vif.md).

# Direct Connect with AWS Transit Gateway over transit VIF
<a name="transit-vif"></a>

The following diagram shows how you can connect VPCs from multiple AWS Regions to an on-premises environment by using Direct Connect and AWS Transit Gateway over a transit VIF.

![\[Connecting VPCs from multiple Regions to on premises.\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/designing-control-tower-landing-zone/images/networking-dc-transit-vif.png)


The transit gateway in each Region attaches to a single, centralized Direct Connect gateway, which carries traffic for all AWS Regions. A transit VIF to that Direct Connect gateway lets your network reach up to six Regional transit gateways over a private, dedicated connection. The allowed prefixes you set on each transit gateway association are what the Direct Connect gateway advertises to your on-premises routers, so they determine which AWS address space is reachable from the data center.
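The following script is an added example, not part of the original guidance or any AWS tool, and it serves both the private-VIF and the transit-VIF designs above. It takes the field names of the `DescribeDirectConnectGatewayAssociations` and `DescribeVirtualInterfaces` API responses, counts associations against the per-gateway limits stated on this page (20 virtual private gateways, 6 transit gateways), flags transit gateway associations that advertise nothing, prefixes broader than an assumed floor of /8 (a `0.0.0.0/0` would draw all on-premises traffic into AWS), prefixes that overlap between associations, VIFs that are not `available`, and private VIFs bound directly to a virtual private gateway (single VPC, single Region). The gateway IDs, Regions and CIDRs are constructed for the example.

```python
"""Audit Direct Connect gateway associations and virtual interfaces using
the field names of describe-direct-connect-gateway-associations and
describe-virtual-interfaces responses."""
import ipaddress
from itertools import combinations
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (code, detail)

# Per-Direct Connect gateway association limits as stated on this page.
MAX_VGW_PER_DXGW = 20
MAX_TGW_PER_DXGW = 6
# Assumed policy for this example: a prefix shorter than /8 is too broad to
# advertise toward on-premises.
MIN_PREFIX_LEN = 8


def audit_associations(associations: List[dict]) -> List[Finding]:
    findings: List[Finding] = []
    by_gateway: Dict[str, List[dict]] = {}
    for assoc in associations:
        by_gateway.setdefault(assoc["directConnectGatewayId"], []).append(assoc)

    for gw_id, assocs in by_gateway.items():
        kinds = [a["associatedGateway"]["type"] for a in assocs]
        if kinds.count("virtualPrivateGateway") > MAX_VGW_PER_DXGW:
            findings.append(("VGW_QUOTA", f"{gw_id}: more than {MAX_VGW_PER_DXGW} virtual private gateways"))
        if kinds.count("transitGateway") > MAX_TGW_PER_DXGW:
            findings.append(("TGW_QUOTA", f"{gw_id}: more than {MAX_TGW_PER_DXGW} transit gateways"))

        # Allowed prefixes are what the Direct Connect gateway advertises to
        # on-premises over the private/transit VIF: keep them explicit and tight.
        advertised: List[Tuple[ipaddress.IPv4Network, str]] = []
        for a in assocs:
            assoc_id, target = a["associationId"], a["associatedGateway"]
            prefixes = a.get("allowedPrefixesToDirectConnectGateway", [])
            if target["type"] == "transitGateway" and not prefixes:
                findings.append(("NO_ALLOWED_PREFIXES",
                                 f"{assoc_id} ({target['id']}, {target['region']}) advertises nothing on-premises"))
            for p in prefixes:
                net = ipaddress.ip_network(p["cidr"], strict=False)
                if net.prefixlen < MIN_PREFIX_LEN:
                    findings.append(("BROAD_PREFIX", f"{assoc_id} advertises {net} toward on-premises"))
                advertised.append((net, assoc_id))
        # Overlapping prefixes across associations make on-premises routing ambiguous.
        for (n1, a1), (n2, a2) in combinations(advertised, 2):
            if a1 != a2 and n1.overlaps(n2):
                findings.append(("OVERLAPPING_PREFIXES", f"{a1} {n1} overlaps {a2} {n2}"))
    return findings


def audit_virtual_interfaces(vifs: List[dict]) -> List[Finding]:
    findings: List[Finding] = []
    for vif in vifs:
        vif_id, vtype = vif["virtualInterfaceId"], vif["virtualInterfaceType"]
        state = vif.get("virtualInterfaceState")
        if state != "available":
            findings.append(("VIF_NOT_AVAILABLE", f"{vif_id} ({vtype}) is {state}"))
        # A private VIF bound straight to a VGW reaches one VPC in one Region;
        # a Direct Connect gateway (or a transit VIF) is needed for more.
        if vtype == "private" and vif.get("virtualGatewayId") and not vif.get("directConnectGatewayId"):
            findings.append(("PRIVATE_VIF_ON_VGW", f"{vif_id} attaches directly to {vif['virtualGatewayId']}"))
    return findings


def _assoc(assoc_id, gw_id, gw_type, region, cidrs):
    return {"associationId": assoc_id, "directConnectGatewayId": "dxgw-0a1b2c3d4e5f6",
            "associationState": "associated",
            "associatedGateway": {"id": gw_id, "type": gw_type, "region": region},
            "allowedPrefixesToDirectConnectGateway": [{"cidr": c} for c in cidrs]}


# Constructed sample data; every identifier below is made up for this example.
SAMPLE_ASSOCIATIONS = [
    _assoc("assoc-0001", "tgw-use1", "transitGateway", "us-east-1", ["10.10.0.0/16"]),
    _assoc("assoc-0002", "tgw-euw1", "transitGateway", "eu-west-1", ["10.20.0.0/16"]),
    _assoc("assoc-0003", "tgw-apse1", "transitGateway", "ap-southeast-1", []),
    _assoc("assoc-0004", "vgw-legacy", "virtualPrivateGateway", "us-east-1", ["10.10.5.0/24", "0.0.0.0/0"]),
]
SAMPLE_VIFS = [
    {"virtualInterfaceId": "dxvif-transit1", "virtualInterfaceType": "transit",
     "virtualInterfaceState": "available", "directConnectGatewayId": "dxgw-0a1b2c3d4e5f6"},
    {"virtualInterfaceId": "dxvif-private1", "virtualInterfaceType": "private",
     "virtualInterfaceState": "down", "virtualGatewayId": "vgw-legacy"},
]

if __name__ == "__main__":
    for code, detail in audit_associations(SAMPLE_ASSOCIATIONS) + audit_virtual_interfaces(SAMPLE_VIFS):
        print(f"[{code}] {detail}")
```

With live data, feed it `boto3.client("directconnect").describe_direct_connect_gateway_associations(directConnectGatewayId=...)["directConnectGatewayAssociations"]` and `describe_virtual_interfaces()["virtualInterfaces"]`. In the sample, the legacy virtual private gateway association is the problem: its `0.0.0.0/0` is flagged as broad and overlaps both transit gateway prefixes, and its `/24` overlaps the us-east-1 transit gateway's `/16`.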

# Inter-VPC connectivity through AWS Transit Gateway
<a name="inter-vpc"></a>

The following diagram shows how you can interconnect VPCs through a transit gateway in the same AWS Region.

![\[Connecting VPCs in the same Region\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/designing-control-tower-landing-zone/images/networking-inter-vpc.png)


A transit gateway is a network transit hub that you can use to connect your VPCs and on-premises networks. As your organization grows, you can peer transit gateways from different AWS Regions to allow connectivity between them.
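A transit gateway only forwards what its route tables allow, and the route table an attachment is associated with decides what that attachment can reach. The following added example (not from the original guidance or any AWS tool) models a hub-and-spoke layout with three transit gateway route tables and computes, with longest-prefix matching and blackhole handling, which attachments can actually talk to each other. It goes a step beyond the text by checking the return path as well, because a one-way route is a common reason a "connected" VPC still cannot communicate. The attachment IDs, route tables and CIDRs are constructed; the dictionary shapes loosely follow the `Associations` and `Routes` structures of the `GetTransitGatewayRouteTableAssociations` and `SearchTransitGatewayRoutes` API responses, and VPC route tables, network ACLs and security groups still apply on top of what this computes.

```python
"""Compute transit gateway reachability from the route table each attachment
is associated with: longest-prefix match, blackhole routes, and return path."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed topology: attachment id -> (label, CIDRs behind the attachment).
ATTACHMENTS = {
    "tgw-attach-shared": ("shared services VPC", ["10.0.0.0/16"]),
    "tgw-attach-prod":   ("prod VPC",            ["10.1.0.0/16"]),
    "tgw-attach-dev":    ("dev VPC",             ["10.2.0.0/16"]),
    "tgw-attach-vpn":    ("on-premises via VPN", ["192.168.0.0/16"]),
}


def _route(cidr: str, attachment: Optional[str] = None) -> dict:
    """One transit gateway route; attachment=None models a blackhole route."""
    return {"DestinationCidrBlock": cidr,
            "State": "blackhole" if attachment is None else "active",
            "TransitGatewayAttachments": [] if attachment is None
            else [{"TransitGatewayAttachmentId": attachment}]}


ROUTE_TABLES = {
    # Hub table: shared services and on-premises can reach every spoke.
    "tgw-rtb-hub": {"Associations": ["tgw-attach-shared", "tgw-attach-vpn"],
                    "Routes": [_route("10.0.0.0/16", "tgw-attach-shared"), _route("10.1.0.0/16", "tgw-attach-prod"),
                               _route("10.2.0.0/16", "tgw-attach-dev"), _route("192.168.0.0/16", "tgw-attach-vpn")]},
    # Prod spoke: shared services and on-premises only; no route toward dev.
    "tgw-rtb-prod": {"Associations": ["tgw-attach-prod"],
                     "Routes": [_route("10.0.0.0/16", "tgw-attach-shared"), _route("192.168.0.0/16", "tgw-attach-vpn")]},
    # Dev spoke: a 10.0.0.0/8 summary toward shared services, with prod
    # blackholed explicitly so the summary cannot leak dev traffic into prod.
    "tgw-rtb-dev": {"Associations": ["tgw-attach-dev"],
                    "Routes": [_route("10.0.0.0/8", "tgw-attach-shared"), _route("10.1.0.0/16")]},
}


def table_for(attachment_id: str) -> Optional[str]:
    """Each attachment is associated with exactly one route table."""
    for rtb_id, rtb in ROUTE_TABLES.items():
        if attachment_id in rtb["Associations"]:
            return rtb_id
    return None


def next_hop(src_attachment: str, dst_ip: str) -> Optional[str]:
    """Longest-prefix match in the source attachment's route table.
    Returns the egress attachment id, or None for no route or a blackhole."""
    rtb_id = table_for(src_attachment)
    if rtb_id is None:
        return None
    addr = ipaddress.ip_address(dst_ip)
    best = None  # (network, route) with the longest matching prefix
    for route in ROUTE_TABLES[rtb_id]["Routes"]:
        net = ipaddress.ip_network(route["DestinationCidrBlock"])
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route)
    if best is None or best[1]["State"] == "blackhole":
        return None
    return best[1]["TransitGatewayAttachments"][0]["TransitGatewayAttachmentId"]


def _first_host(cidr: str) -> str:
    return str(next(ipaddress.ip_network(cidr).hosts()))


def can_communicate(src: str, dst: str) -> bool:
    """True only if src reaches dst AND dst's own route table routes back to src."""
    src_ip, dst_ip = _first_host(ATTACHMENTS[src][1][0]), _first_host(ATTACHMENTS[dst][1][0])
    return next_hop(src, dst_ip) == dst and next_hop(dst, src_ip) == src


def reachability_matrix() -> Dict[Tuple[str, str], bool]:
    ids = list(ATTACHMENTS)
    return {(s, d): can_communicate(s, d) for s in ids for d in ids if s != d}


def asymmetric_pairs() -> List[Tuple[str, str]]:
    """Pairs where the forward path exists but the return path does not."""
    ids = list(ATTACHMENTS)
    return [(s, d) for s in ids for d in ids if s != d
            and next_hop(s, _first_host(ATTACHMENTS[d][1][0])) == d and not can_communicate(s, d)]


if __name__ == "__main__":
    for (s, d), ok in reachability_matrix().items():
        print(f"{ATTACHMENTS[s][0]:>22} -> {ATTACHMENTS[d][0]:<22} {'ok' if ok else 'blocked'}")
    print("one-way only:", asymmetric_pairs())
```

In the sample, prod and dev cannot reach each other (prod has no route to dev, and dev's blackhole overrides its `/8` summary), while on-premises can reach dev but dev has no route back, which `asymmetric_pairs()` reports. A real audit would build `ATTACHMENTS` and `ROUTE_TABLES` from the API calls named in the lead-in and include propagated routes as well as static ones.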

# Direct Connect SiteLink
<a name="sitelink"></a>

If your requirements include sending or routing traffic directly between Direct Connect locations, you can use Direct Connect SiteLink. This feature of Direct Connect sends traffic between different Direct Connect locations over the shortest path on the AWS global network, bypassing AWS Regions.



![\[Connecting different Direct Connect locations.\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/designing-control-tower-landing-zone/images/networking-sitelink.png)


# AWS Cloud WAN
<a name="cloud-wan"></a>

Although you can create your own global network by interconnecting multiple transit gateways across Regions, you can also take advantage of [AWS Cloud WAN](https://aws.amazon.com/cloud-wan/). This service provides built-in automation, segmentation, and configuration management features that are designed specifically for building and operating global networks, based on your core network policy.

Both AWS Transit Gateway and AWS Cloud WAN allow centralized connectivity between VPCs and on-premises locations. Transit Gateway is a Regional network connectivity hub and is optimal if you operate in a few AWS Regions and want to manage your own peering and routing configuration. AWS Cloud WAN is optimal for users who want to define their global network through policy and have the service implement the underlying components automatically.