

# Connectivity options for Local Zones
<a name="local-zones-connectivity"></a>

There are many ways to connect users and applications to resources running in a Local Zone.

You build Local Zones into your network architecture in the same way you use an Availability Zone. Your workloads use the same application programming interfaces (APIs), security models, and toolsets. After opting in to the Local Zone's zone group, you extend any VPC from a parent Region into the Local Zone by creating a subnet and specifying the Local Zone as its Availability Zone. When you create a subnet in a Local Zone, we extend your VPC to that Local Zone; your VPC treats the subnet the same as a subnet in any other Availability Zone and automatically adjusts the relevant gateways and route tables. Security groups, network ACLs and IAM policies apply to the new subnet exactly as they do in the Region, so the controls you already have for the VPC carry over.

The following diagram shows a network with resources running in two Availability Zones and in a Local Zone within an AWS Region. The Local Zone network can have public or private subnets, internet gateways, and Direct Connect gateways (DXGW). Workloads running in the Local Zone can directly access workloads or AWS services that live in any AWS Region.

![\[An AWS Region with a VPC. The VPC contains two Availability Zones and a Local Zone. Each zone has a public subnet and a private subnet. The VPC also has an internet gateway and an AWS Direct Connect gateway.\]](http://docs.aws.amazon.com/local-zones/latest/ug/images/local-zones-direct-connect-internet-gateway.png)


The following sections explain the different ways to connect to resources in a Local Zone.

**Topics**
+ [Internet gateway](local-zones-connectivity-igw.md)
+ [NAT gateway](local-zones-connectivity-nat.md)
+ [VPN](local-zones-connectivity-ec2-vpn.md)
+ [Direct Connect](local-zones-connectivity-direct-connect.md)
+ [Transit gateway between Local Zones](local-zones-connectivity-transit-gateway-lzs.md)
+ [Transit gateway to data center](local-zones-connectivity-transit-gateway-dc.md)

# Internet gateway connection in Local Zones
<a name="local-zones-connectivity-igw"></a>

Internet gateways provide two-way public connectivity to applications running in AWS Regions or in Local Zones. For more information, see [Internet gateways](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html) in the *Amazon VPC User Guide*.

In the following diagram, end users access a public-facing application in Local Zone 1. Traffic goes directly to the internet gateway in Local Zone 1 without passing through the parent AWS Region. Use this type of connectivity for low-latency use cases where you want your public-facing applications closer to end users than an AWS Region can provide. The exposure is the same as for a public subnet in a Region: any resource in the Local Zone public subnet with a public IP address is reachable from the internet, so keep its security groups and network ACLs as tight as you would in the parent Region.

![\[An AWS Region with a VPC. The VPC contains two Availability Zones and a Local Zone. Each zone has a public subnet and a private subnet. The VPC also has an internet gateway through which traffic passes between an application in the public subnet of the Local Zone and the end user.\]](http://docs.aws.amazon.com/local-zones/latest/ug/images/local-zones-internet-gateway.png)


For private applications that require outbound-only connectivity to the internet, use a NAT gateway.

# NAT gateway connection in Local Zones
<a name="local-zones-connectivity-nat"></a>

A NAT gateway is a managed Network Address Translation (NAT) service. It lets resources in your private subnets initiate connections to services outside the subnet, including the internet, while keeping those resources unreachable by unsolicited inbound traffic. Not every Local Zone supports NAT gateways; for the list of Local Zones that do, see [AWS Local Zones features](https://aws.amazon.com/about-aws/global-infrastructure/localzones/features/).

To use a NAT gateway to reach the internet from private resources, create the NAT gateway in a public subnet in the same Local Zone, associate an Elastic IP address (EIP) with it, and route internet-bound traffic (`0.0.0.0/0` or `::/0`) from the private subnet's route table to the NAT gateway. The NAT gateway rewrites the source address of traffic from your private subnet to its EIP, so your private resources can reach the internet without exposing their private addresses.

The NAT gateway accepts only return traffic for connections that your resources initiated and drops unsolicited inbound connections, which keeps your private resources unreachable from the internet. Note that a NAT gateway has no security group of its own and does not filter what your instances send out; restrict egress with the instances' security groups and with network ACLs on the subnets. Keep the NAT gateway in the same Local Zone as the private subnet, otherwise egress traffic leaves through the zone that hosts the NAT gateway rather than directly from the Local Zone.
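The following Python script is an added example for this page, not code from the AWS documentation. It checks, from JSON in the shape that `aws ec2 describe-subnets`, `describe-route-tables` and `describe-nat-gateways` return, that a private subnet in a Local Zone has the egress path described above: an active `0.0.0.0/0` route to a NAT gateway that is available, sits in the same Local Zone, and whose own subnet routes `0.0.0.0/0` to an internet gateway. The sample data is constructed inline and every resource ID is made up; in a real account you would feed it the CLI output instead.

```python
"""Check the NAT gateway egress path of a private subnet in a Local Zone.

Added example for this page, not code from the AWS documentation. The data
below is constructed in the shape returned by `aws ec2 describe-subnets`,
`describe-route-tables` and `describe-nat-gateways`; every ID is made up.
"""
import copy

# Constructed sample: a VPC extended into us-west-2-lax-1a with a public and a
# private subnet there, plus a public subnet in the parent Region.
SUBNETS = {"Subnets": [
    {"SubnetId": "subnet-lzpub", "AvailabilityZone": "us-west-2-lax-1a", "CidrBlock": "10.0.10.0/24"},
    {"SubnetId": "subnet-lzpriv", "AvailabilityZone": "us-west-2-lax-1a", "CidrBlock": "10.0.11.0/24"},
    {"SubnetId": "subnet-regpub", "AvailabilityZone": "us-west-2a", "CidrBlock": "10.0.0.0/24"},
]}
ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-lzpub", "Associations": [{"SubnetId": "subnet-lzpub"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1b2c", "State": "active"}]},
    {"RouteTableId": "rtb-lzpriv", "Associations": [{"SubnetId": "subnet-lzpriv"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-lz", "State": "active"}]},
    {"RouteTableId": "rtb-regpub", "Associations": [{"SubnetId": "subnet-regpub"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1b2c", "State": "active"}]},
]}
NAT_GATEWAYS = {"NatGateways": [
    {"NatGatewayId": "nat-lz", "SubnetId": "subnet-lzpub", "State": "available", "ConnectivityType": "public"},
    {"NatGatewayId": "nat-reg", "SubnetId": "subnet-regpub", "State": "available", "ConnectivityType": "public"},
]}


def route_table_for(subnet_id, route_tables):
    """Route table explicitly associated with the subnet, or None."""
    for rt in route_tables["RouteTables"]:
        if any(a.get("SubnetId") == subnet_id for a in rt.get("Associations", [])):
            return rt
    return None


def default_route(rt):
    """Active IPv4 default route of a route table, or None."""
    for r in rt.get("Routes", []):
        if r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("State") == "active":
            return r
    return None


def check_nat_egress(private_subnet_id, subnets, route_tables, nat_gateways):
    """Return findings; an empty list means the design on this page is in place."""
    zone = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets["Subnets"]}
    rt = route_table_for(private_subnet_id, route_tables)
    if rt is None:
        # Real accounts fall back to the VPC main table; treat the implicit case as a finding.
        return [f"{private_subnet_id}: no explicit route table association"]
    dr = default_route(rt)
    if dr is None:
        return [f"{private_subnet_id}: no active 0.0.0.0/0 route, so no internet egress"]
    if dr.get("GatewayId", "").startswith("igw-"):
        return [f"{private_subnet_id}: 0.0.0.0/0 points at {dr['GatewayId']}; the subnet is public, not private"]
    nat_id = dr.get("NatGatewayId")
    if not nat_id:
        return [f"{private_subnet_id}: 0.0.0.0/0 target {dr} is not a NAT gateway"]
    nat = next((n for n in nat_gateways["NatGateways"] if n["NatGatewayId"] == nat_id), None)
    if nat is None or nat["State"] != "available":
        return [f"{nat_id}: NAT gateway missing or not available"]
    findings = []
    if zone[nat["SubnetId"]] != zone[private_subnet_id]:
        # Egress would leave through another zone instead of directly from the Local Zone.
        findings.append(f"{nat_id}: NAT gateway is in {zone[nat['SubnetId']]}, "
                        f"not in {zone[private_subnet_id]}")
    pub_rt = route_table_for(nat["SubnetId"], route_tables)
    pub_dr = default_route(pub_rt) if pub_rt else None
    if pub_dr is None or not pub_dr.get("GatewayId", "").startswith("igw-"):
        findings.append(f"{nat['SubnetId']}: NAT gateway subnet has no 0.0.0.0/0 route to an internet gateway")
    return findings


def retarget_default(route_tables, rt_id, target):
    """Copy of the route tables with one table's 0.0.0.0/0 route replaced, to try misconfigurations."""
    out = copy.deepcopy(route_tables)
    for rt in out["RouteTables"]:
        if rt["RouteTableId"] == rt_id:
            rt["Routes"] = [r for r in rt["Routes"] if r.get("DestinationCidrBlock") != "0.0.0.0/0"]
            rt["Routes"].append({"DestinationCidrBlock": "0.0.0.0/0", "State": "active", **target})
    return out


if __name__ == "__main__":
    print("as designed:", check_nat_egress("subnet-lzpriv", SUBNETS, ROUTE_TABLES, NAT_GATEWAYS))
    via_region = retarget_default(ROUTE_TABLES, "rtb-lzpriv", {"NatGatewayId": "nat-reg"})
    print("NAT in parent Region:", check_nat_egress("subnet-lzpriv", SUBNETS, via_region, NAT_GATEWAYS))
    exposed = retarget_default(ROUTE_TABLES, "rtb-lzpriv", {"GatewayId": "igw-0a1b2c"})
    print("default route to IGW:", check_nat_egress("subnet-lzpriv", SUBNETS, exposed, NAT_GATEWAYS))
```

The two misconfigurations that `retarget_default` produces are the ones that matter in practice: pointing the private subnet at a NAT gateway in the parent Region silently turns every outbound connection into a trip through the Region, and pointing it at the internet gateway makes the "private" subnet public as soon as an instance gets a public address.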

For more information, see [NAT gateways](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html) in the *Amazon VPC User Guide*.

The following image shows the traffic flow from a private subnet in a Local Zone to a NAT gateway in a public subnet in the same Local Zone, then to an internet gateway, and to the internet.

![\[An AWS Region with a VPC. The VPC contains two Availability Zones and a Local Zone. Each zone has a public subnet and a private subnet. The public subnet in the Local Zone shows a NAT gateway. Traffic flows from the private subnet in the Local Zone to the NAT gateway, then internet gateway, and to the internet.\]](http://docs.aws.amazon.com/local-zones/latest/ug/images/nat-gateway.png)


# VPN connection in Local Zones
<a name="local-zones-connectivity-ec2-vpn"></a>

A VPN connection provides encrypted, two-way communication between workloads in an on-premises data center and a Local Zone. Managed Site-to-Site VPN endpoints are not available in Local Zones, so you must deploy a software-based VPN solution on an Amazon EC2 instance in the Local Zone; the [AWS Marketplace](https://aws.amazon.com/marketplace/search/results/ref=brs_navgno_search_box?searchTerms=vpn) lists VPN solutions that are ready to run on Amazon EC2. The instance needs a public subnet with an internet gateway and an Elastic IP address so that your customer gateway can reach it. Because the instance forwards traffic on behalf of other hosts, disable its source/destination check, route your on-premises prefixes to its network interface from the private subnets, and restrict its security group to the IKE and IPsec ports (UDP 500, UDP 4500 and, without NAT traversal, ESP) from the customer gateway's address only. The instance is also a host you patch yourself and a single point of failure for the tunnel, so plan its maintenance and redundancy accordingly.
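The following Python script is an added example for this page, not code from the AWS documentation or from any Marketplace VPN product. It reviews an EC2 instance that is meant to run the software VPN for a Local Zone, checking the points listed above: the instance sits in a subnet whose default route is an internet gateway, has a public address, has source/destination checking disabled, admits only IKE and IPsec from the customer gateway's address, and is the next hop for the on-premises prefix in the private subnet's route table. The data is constructed in the shape of `aws ec2 describe-instances`, `describe-security-groups` and `describe-route-tables` output; all IDs are made up and the addresses come from the documentation ranges.

```python
"""Sanity-check an EC2 instance that runs a software VPN for a Local Zone.

Added example for this page, not code from the AWS documentation. All IDs
and addresses below are constructed (203.0.113.0/24 and 198.51.100.0/24 are
documentation ranges).
"""

CUSTOMER_GATEWAY_IP = "203.0.113.10"      # constructed on-premises VPN peer
ON_PREM_CIDR = "192.168.0.0/16"           # constructed on-premises prefix

INSTANCE = {  # one entry from Reservations[].Instances[] of describe-instances
    "InstanceId": "i-vpn", "SubnetId": "subnet-lzpub", "SourceDestCheck": False,
    "SecurityGroups": [{"GroupId": "sg-vpn"}],
    "NetworkInterfaces": [{"NetworkInterfaceId": "eni-vpn",
                           "Association": {"PublicIp": "198.51.100.7"}}],
}
SECURITY_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-vpn", "IpPermissions": [   # tight: IKE and NAT-T from the peer only
        {"IpProtocol": "udp", "FromPort": 500, "ToPort": 500, "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
        {"IpProtocol": "udp", "FromPort": 4500, "ToPort": 4500, "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
    ]},
    {"GroupId": "sg-open", "IpPermissions": [  # loose: whole port range and SSH from anywhere
        {"IpProtocol": "udp", "FromPort": 500, "ToPort": 4500, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
]}
ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-lzpub", "Associations": [{"SubnetId": "subnet-lzpub"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1", "State": "active"}]},
    {"RouteTableId": "rtb-lzpriv", "Associations": [{"SubnetId": "subnet-lzpriv"}],
     "Routes": [{"DestinationCidrBlock": "192.168.0.0/16", "NetworkInterfaceId": "eni-vpn",
                 "InstanceId": "i-vpn", "State": "active"}]},
]}

# Inbound rules a VPN endpoint legitimately needs: IKE, NAT-T and ESP (protocol 50, no ports).
# Anything else on this instance is treated as a finding; adjust for your own management path.
ALLOWED_INBOUND = {("udp", 500, 500), ("udp", 4500, 4500), ("50", -1, -1)}


def routes_of(subnet_id, route_tables):
    """Routes of the table explicitly associated with the subnet (empty if none)."""
    for rt in route_tables["RouteTables"]:
        if any(a.get("SubnetId") == subnet_id for a in rt.get("Associations", [])):
            return rt["Routes"]
    return []


def check_vpn_instance(instance, sg_ids, security_groups, route_tables, private_subnet_id,
                       peer_ip, on_prem_cidr):
    """Return findings; an empty list means the instance is set up as this page describes."""
    findings = []
    if instance.get("SourceDestCheck", True):
        findings.append("source/destination check is enabled; the instance cannot forward traffic")
    if not any("Association" in eni for eni in instance["NetworkInterfaces"]):
        findings.append("no public (Elastic IP) address; the on-premises peer cannot reach it")
    if not any(r.get("DestinationCidrBlock") == "0.0.0.0/0" and str(r.get("GatewayId", "")).startswith("igw-")
               for r in routes_of(instance["SubnetId"], route_tables)):
        findings.append("instance subnet has no default route to an internet gateway")
    sgs = {g["GroupId"]: g for g in security_groups["SecurityGroups"]}
    for gid in sg_ids:
        for perm in sgs[gid]["IpPermissions"]:
            key = (perm["IpProtocol"], perm.get("FromPort", -1), perm.get("ToPort", -1))
            srcs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            if key not in ALLOWED_INBOUND:
                findings.append(f"{gid}: unexpected inbound rule {key} from {srcs}")
            elif srcs != [f"{peer_ip}/32"]:
                findings.append(f"{gid}: IKE/IPsec rule {key} open to {srcs}, expected {peer_ip}/32")
    eni_ids = {eni["NetworkInterfaceId"] for eni in instance["NetworkInterfaces"]}
    if not any(r.get("DestinationCidrBlock") == on_prem_cidr and r.get("NetworkInterfaceId") in eni_ids
               for r in routes_of(private_subnet_id, route_tables)):
        findings.append(f"{private_subnet_id}: no route for {on_prem_cidr} via the VPN instance")
    return findings


if __name__ == "__main__":
    for sg in ("sg-vpn", "sg-open"):
        print(sg, check_vpn_instance(INSTANCE, [sg], SECURITY_GROUPS, ROUTE_TABLES,
                                     "subnet-lzpriv", CUSTOMER_GATEWAY_IP, ON_PREM_CIDR))
```

`ALLOWED_INBOUND` is deliberately an explicit allow-list: on a tunnel endpoint that is reachable from the internet, every inbound rule that is not part of the VPN protocol is a finding until someone justifies it.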

The following diagram shows a data center connected to Local Zone 1 by a software-based VPN solution running on an Amazon EC2 instance in Local Zone 1. This allows for encrypted connectivity from the data center directly into the Local Zone without traffic going through the parent Region.

![\[An AWS Region with a VPC. The VPC contains two Availability Zones and a Local Zone. Each zone has a public subnet and a private subnet. The diagram also shows an on-premise data center with a customer gateway outside the AWS Region. The public subnet in the Local Zone includes a software-based VPN solution. The VPC has an internet gateway through which traffic flows between the public subnet in the Local Zone to a customer data center.\]](http://docs.aws.amazon.com/local-zones/latest/ug/images/local-zone-on-premise-vpn.png)


# Direct Connect in Local Zones
<a name="local-zones-connectivity-direct-connect"></a>

With Direct Connect, you transfer data privately and directly between your data center and a Local Zone using a public virtual interface (VIF) or a private VIF. Direct Connect provides benefits similar to a software-based VPN on Amazon EC2, but bypasses the public internet and reduces the overhead of managing the connection to the Local Zone. Note that Direct Connect keeps your traffic off the internet but does not encrypt it by default; if the data needs confidentiality in transit, encrypt it at the application layer or run an IPsec tunnel over the connection.

For more information, see the [Direct Connect User Guide](https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html).

The following diagram shows a Direct Connect connection between a Local Zone and a data center.

![\[An AWS Region with a VPC. The VPC contains an Availability Zone and a Local Zone. Each zone has a private subnet. The diagram also shows an on-premise data center with a customer gateway outside the AWS Region. A Direct Connect connection facilitates traffic between the Local Zone and the data center.\]](http://docs.aws.amazon.com/local-zones/latest/ug/images/local-zones-direct-connect.png)


During a hybrid cloud migration, you can migrate your applications to Local Zones while using Direct Connect to communicate back to other parts of your applications in the data center. An example is migrating the front end of an application to Amazon EC2, Amazon ECS, or Amazon EKS in a Local Zone and having the back-end database remain in the data center. Eventually, you can migrate the database to the Local Zone and the entire application to an AWS Region.

# Transit gateway connection between Local Zones
<a name="local-zones-connectivity-transit-gateway-lzs"></a>

A transit gateway can be used to connect one Local Zone to another within the same parent Region. For more information about transit gateways, see [Connect your VPC to other VPCs and networks using a transit gateway](https://docs.aws.amazon.com/vpc/latest/userguide/extend-tgw.html) in the *Amazon VPC User Guide*.

A transit gateway connection between Local Zones is useful when you have workloads in different Local Zones that require network connectivity with each other.

The following diagram shows the transit gateway connection between two Local Zones in the same Region.

![\[An AWS Region with two VPCs. Each VPC contains an Availability Zone and a Local Zone. Each zone has a private subnet. A transit gateway connection facilitates traffic between the two Local Zones.\]](http://docs.aws.amazon.com/local-zones/latest/ug/images/local-zones-same-region.png)


**Considerations**
+ You must create the transit gateway VPC attachment using a subnet in the parent Availability Zone of the Local Zone. Transit gateways cannot attach to subnets in a Local Zone directly, so traffic between Local Zones always passes through the parent Region.
+ You can't use a transit gateway to connect a Local Zone to another Local Zone or to an Outpost within the same VPC.

**Parent zone**  
You can use the AWS Global View console or the AWS CLI to get the parent zone details for a Local Zone.

------
#### [ AWS Global View console ]

**To get the parent zone details for a Local Zone**

1. Sign in to the [AWS Global View console](https://console.aws.amazon.com/ec2globalview/home#RegionsAndZones).

1. From the navigation pane, choose **Regions and Zones**.

1. Choose the **Local Zones** tab.

1. Find the Local Zone.

1. Scroll to see the **Parent Zone name** and **Parent Zone ID** for the Local Zone.

------
#### [ AWS CLI ]

**To get the parent zone details for a Local Zone**  
Use the [describe-availability-zones](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-availability-zones.html) command. The following example uses a Local Zone in Los Angeles.

```
aws ec2 describe-availability-zones \
  --zone-names us-west-2-lax-1a \
  --query 'AvailabilityZones[0].ParentZoneName' \
  --region us-west-2 \
  --output text
```

------
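As an added example (not code from the AWS documentation), the following Python resolves a Local Zone's parent zone from `describe-availability-zones` output, which is what the CLI command above queries, and then checks that a transit gateway VPC attachment uses a subnet in that parent zone, the first consideration listed above. All zone, subnet and attachment data is constructed inline with made-up IDs; the Los Angeles zone name is the one used in the CLI example, its parent zone value here is an assumption for the sample.

```python
"""Resolve a Local Zone's parent zone and check that a transit gateway VPC
attachment uses a subnet in it.

Added example for this page, not code from the AWS documentation. The data is
constructed in the shape returned by `aws ec2 describe-availability-zones`,
`describe-subnets` and `describe-transit-gateway-vpc-attachments`; zone IDs,
parent zone values, subnet IDs and attachment IDs are made up.
"""

ZONES = {"AvailabilityZones": [
    {"ZoneName": "us-west-2a", "ZoneId": "usw2-az1", "ZoneType": "availability-zone",
     "OptInStatus": "opt-in-not-required"},
    {"ZoneName": "us-west-2b", "ZoneId": "usw2-az2", "ZoneType": "availability-zone",
     "OptInStatus": "opt-in-not-required"},
    {"ZoneName": "us-west-2-lax-1a", "ZoneId": "usw2-lax1-az1", "ZoneType": "local-zone",
     "GroupName": "us-west-2-lax-1", "OptInStatus": "opted-in",
     "ParentZoneName": "us-west-2a", "ParentZoneId": "usw2-az1"},
]}
SUBNETS = {"Subnets": [
    {"SubnetId": "subnet-lz", "AvailabilityZone": "us-west-2-lax-1a", "VpcId": "vpc-a"},
    {"SubnetId": "subnet-parent", "AvailabilityZone": "us-west-2a", "VpcId": "vpc-a"},
    {"SubnetId": "subnet-other-az", "AvailabilityZone": "us-west-2b", "VpcId": "vpc-a"},
]}
ATTACHMENTS = {"TransitGatewayVpcAttachments": [
    {"TransitGatewayAttachmentId": "tgw-attach-good", "TransitGatewayId": "tgw-1",
     "VpcId": "vpc-a", "State": "available", "SubnetIds": ["subnet-parent"]},
    {"TransitGatewayAttachmentId": "tgw-attach-wrong-az", "TransitGatewayId": "tgw-1",
     "VpcId": "vpc-a", "State": "available", "SubnetIds": ["subnet-other-az"]},
]}


def parent_zone(zone_name, zones):
    """ParentZoneName of an opted-in Local Zone; raises for anything else."""
    for z in zones["AvailabilityZones"]:
        if z["ZoneName"] == zone_name:
            if z.get("ZoneType") != "local-zone":
                raise ValueError(f"{zone_name} is a {z.get('ZoneType')}, not a local-zone")
            if z.get("OptInStatus") != "opted-in":
                raise ValueError(f"{zone_name} is not opted in")
            return z["ParentZoneName"]
    raise ValueError(f"unknown zone {zone_name}")


def check_attachment(attachment_id, local_zone_subnet_id, attachments, subnets, zones):
    """Findings for an attachment that is meant to carry the Local Zone subnet's traffic."""
    az_of = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets["Subnets"]}
    vpc_of = {s["SubnetId"]: s["VpcId"] for s in subnets["Subnets"]}
    att = next(a for a in attachments["TransitGatewayVpcAttachments"]
               if a["TransitGatewayAttachmentId"] == attachment_id)
    expected = parent_zone(az_of[local_zone_subnet_id], zones)
    findings = []
    if att["VpcId"] != vpc_of[local_zone_subnet_id]:
        findings.append(f"{attachment_id}: attached to {att['VpcId']}, not the Local Zone subnet's VPC")
    if att["State"] != "available":
        findings.append(f"{attachment_id}: state is {att['State']}")
    for sid in att["SubnetIds"]:
        # Any attachment subnet outside the parent zone adds a cross-zone hop in the Region.
        if az_of[sid] != expected:
            findings.append(f"{attachment_id}: subnet {sid} is in {az_of[sid]}, "
                            f"expected parent zone {expected}")
    return findings


if __name__ == "__main__":
    print("parent zone:", parent_zone("us-west-2-lax-1a", ZONES))
    for att_id in ("tgw-attach-good", "tgw-attach-wrong-az"):
        print(att_id, check_attachment(att_id, "subnet-lz", ATTACHMENTS, SUBNETS, ZONES))
```

`parent_zone` refuses to answer for a zone that is not an opted-in Local Zone, because a missing `ParentZoneName` is the usual symptom of querying a zone group you have not opted in to, not of a zone that has no parent.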

# Transit gateway connection in Local Zones
<a name="local-zones-connectivity-transit-gateway-dc"></a>

A transit gateway connects your VPCs and on-premises networks through a central hub. Transit gateways live in AWS Regions, not in Local Zones, so although you can use a transit gateway to connect data centers to a Local Zone, the connection is not direct.

For more information about transit gateways, see [Connect your VPC to other VPCs and networks using a transit gateway](https://docs.aws.amazon.com/vpc/latest/userguide/extend-tgw.html) in the *Amazon VPC User Guide*.

The following diagram shows the connection from the customer gateway over Direct Connect into the transit gateway in the AWS Region using a transit VIF. From there, it connects to the VPC to enable traffic to the Local Zone.

![\[An AWS Region with a VPC. The VPC contains an Availability Zone and a Local Zone. Each zone has a private subnet. The diagram also shows an on-premise data center with a customer gateway outside the AWS Region. Traffic between the private subnet in the Local Zone and the customer gateway traverses through a transit gateway in the AWS Region, a Transit VIF, the Direct Connect connection.\]](http://docs.aws.amazon.com/local-zones/latest/ug/images/local-zones-internet-gateway2.png)


When you use this connectivity option for Local Zones, all traffic from the data center to the Local Zone first goes to the parent Region of the destination Local Zone and only then on to the Local Zone; this detour is known as hairpinning. Connecting to a Local Zone from your premises through a transit gateway is therefore not an ideal path: your data must travel to the Region first, which increases latency.