

# Network-to-Amazon VPC connectivity options
<a name="network-to-amazon-vpc-connectivity-options"></a>

 This section provides design patterns for connecting remote networks with your Amazon VPC environment. These options are useful for integrating AWS resources with your existing on-site services (for example, monitoring, authentication, security, data or other systems) by extending your internal networks into the AWS Cloud. This network extension also allows your internal users to seamlessly connect to resources hosted on AWS just like any other internally facing resource. 

 VPC connectivity to remote customer networks is best achieved when using non-overlapping IP ranges for each network being connected. For example, if you’d like to connect one or more VPCs to your corporate network, make sure they are configured with unique Classless Inter-Domain Routing (CIDR) ranges. We recommend allocating a single, contiguous, non-overlapping CIDR block to be used by each VPC. For additional information about Amazon VPC routing and constraints, see the [Amazon VPC Frequently Asked Questions](https://aws.amazon.com/vpc/faqs/). 
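As an added example (not part of the AWS whitepaper), the following Python script performs the two planning checks this recommendation implies: it flags every pair of overlapping prefixes among a set of named networks, and it carves the next free block of a given size out of a reserved pool so each new VPC gets one contiguous, non-colliding CIDR. The network names and CIDRs are constructed for illustration.

```python
"""Check that VPC and remote-network CIDR blocks do not overlap, and find
the next free block in an address pool.

Added example, not from the AWS whitepaper. Network names and CIDRs are
constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from itertools import combinations

# Constructed sample: one on-premises range, two IPv4 VPCs, one IPv6 VPC.
# "vpc-dev" deliberately overlaps "corp-dc" so the check has something to find.
SAMPLE_NETWORKS = {
    "corp-dc": "10.0.0.0/16",
    "vpc-prod": "10.1.0.0/16",
    "vpc-dev": "10.0.128.0/17",
    "vpc-ipv6": "2001:db8:1::/56",
}


def find_overlaps(networks: dict[str, str]) -> list[tuple[str, str]]:
    """Return every pair of network names whose prefixes overlap.

    ip_network() is strict by default, so a CIDR with host bits set
    (for example "10.0.1.0/16") raises ValueError instead of being silently
    rounded down, which is the behaviour you want in a planning check.
    Prefixes of different address families never overlap.
    """
    parsed = {name: ipaddress.ip_network(cidr) for name, cidr in networks.items()}
    return [
        (a, b)
        for (a, net_a), (b, net_b) in combinations(parsed.items(), 2)
        if net_a.version == net_b.version and net_a.overlaps(net_b)
    ]


def next_free_block(existing: list[str], pool: str, prefixlen: int) -> str | None:
    """Return the first /prefixlen subnet of pool that overlaps nothing in existing.

    Hand each new VPC a single contiguous block carved from a reserved pool
    so it can never collide with a range already in use. Returns None when
    the pool is exhausted.
    """
    pool_net = ipaddress.ip_network(pool)
    used = [ipaddress.ip_network(c) for c in existing]
    used = [u for u in used if u.version == pool_net.version]
    for candidate in pool_net.subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(u) for u in used):
            return str(candidate)
    return None


if __name__ == "__main__":
    for a, b in find_overlaps(SAMPLE_NETWORKS):
        print(f"overlap: {a} ({SAMPLE_NETWORKS[a]}) and {b} ({SAMPLE_NETWORKS[b]})")
    print("next free /16 in 10.0.0.0/8:",
          next_free_block(["10.0.0.0/16", "10.1.0.0/16"], "10.0.0.0/8", 16))
```

Run the overlap check against the union of every VPC CIDR and every on-premises range before creating a VPN or Direct Connect attachment; a collision found later means renumbering one side.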


|  Option  |  Use Case  |  Advantages  |  Limitations  | 
| --- | --- | --- | --- | 
| [AWS Site-to-Site VPN](aws-site-to-site-vpn.md) | AWS managed IPsec VPN connection over the internet to an individual VPC | Reuse existing VPN equipment and processes; reuse existing internet connections; AWS managed high availability VPN service; supports static routes or dynamic Border Gateway Protocol (BGP) peering and routing policies | Network latency, variability, and availability depend on internet conditions; you are responsible for implementing redundancy and failover (if required); remote device must support single-hop BGP (when using BGP for dynamic routing) | 
| [AWS Transit Gateway + AWS Site-to-Site VPN](aws-transit-gateway-vpn.md) | AWS managed IPsec VPN connection over the internet to a regional router for multiple VPCs | Same as the previous option; AWS managed high availability and scalability regional network hub for up to 5,000 attachments | Same as the previous option | 
| [AWS Direct Connect](aws-direct-connect.md) | Dedicated network connection over private lines | More predictable network performance; reduced bandwidth costs; supports BGP peering and routing policies | Might require additional telecom and hosting provider relationships or new network circuits to be provisioned | 
| [AWS Direct Connect + AWS Transit Gateway](aws-direct-connect-aws-transit-gateway.md) | Dedicated network connection over private lines to a regional router for multiple VPCs | Same as the previous option; AWS managed high availability and scalability regional network hub for up to 5,000 attachments | Same as the previous option | 
| [AWS Direct Connect + AWS Site-to-Site VPN](aws-direct-connect-site-to-site-vpn.md) | IPsec VPN connection over private lines | More predictable network performance; reduced bandwidth costs; supports BGP peering and routing policies on AWS Direct Connect; reuse existing VPN equipment and processes; AWS managed high availability VPN service; supports static routes or dynamic BGP peering and routing policies on the VPN connection | Might require additional telecom and hosting provider relationships or new network circuits to be provisioned; you are responsible for implementing redundancy and failover (if required); remote device must support single-hop BGP (when using BGP for dynamic routing) | 
| [AWS Direct Connect + AWS Transit Gateway + AWS Site-to-Site VPN](aws-direct-connect-aws-transit-gateway-vpn.md) | IPsec VPN connection over private lines to a regional router for multiple VPCs | Same as the previous option; AWS managed high availability and scalability regional network hub for up to 5,000 attachments | Same as the previous option | 
| [Site-to-Site VPN CloudHub](aws-vpn-cloudhub.md) | Connect remote branch offices in a hub-and-spoke model for primary or backup connectivity | Reuse existing internet connections and Site-to-Site VPN connections; AWS managed high availability VPN service; supports BGP for exchanging routes and routing priorities | Network latency, variability, and availability depend on the internet; user managed branch office endpoints are responsible for implementing redundancy and failover (if required) | 
| [AWS Transit Gateway + SD-WAN solutions](aws-transit-gateway-sd-wan.md) | Connect remote branches and offices with a software-defined wide area network, using the AWS backbone or the internet as a transit network | Supports a wider array of SD-WAN vendors, products, and protocols; some vendor solutions integrate with AWS native services | You are responsible for implementing high availability (HA) of the SD-WAN appliances if they are placed in an Amazon VPC | 
| [Software VPN](software-vpn.md) | Software appliance-based VPN connection over the internet | Supports a wider array of VPN vendors, products, and protocols; fully customer-managed solution | You are responsible for implementing HA for all VPN endpoints (if required) | 

# AWS Site-to-Site VPN
<a name="aws-site-to-site-vpn"></a>

 Amazon VPC provides the option of creating an IPsec VPN connection between your remote networks and Amazon VPC over the internet, as shown in the following figure. 

![\[Diagram showing how to create an IPsec VPN connection between your remote networks and Amazon VPC over the internet.\]](http://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/images/aws-managed-vpn.png)


 Consider taking this approach when you want to take advantage of an AWS-managed VPN endpoint that includes automated redundancy and failover built into the AWS side of the VPN connection. 

 The virtual private gateway also supports and encourages multiple customer gateway connections so that you can implement redundancy and failover on your side of the VPN connection, as shown in the following figure. 

![\[Diagram showing multiple user gateway connections.\]](http://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/images/redundant-aws-site-to-site-vpn-connections.png)


 Both dynamic and static routing options are provided to give you flexibility in your routing configuration. Dynamic routing uses BGP peering to exchange routing information between AWS and the remote endpoints. With dynamic routing, you can also express routing priorities and policies in your BGP advertisements (for example, AS-path prepending or MED values) to influence the network path between your networks and AWS. Note that when you use BGP, both the IPsec and the BGP sessions must terminate on the same customer gateway device, so that device must be capable of terminating both. 

## Additional resources
<a name="additional-resources"></a>
+  [AWS Site-to-Site VPN User Guide](https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html) 
+  [Requirements for customer gateway devices](https://docs.aws.amazon.com/vpc/latest/adminguide/Introduction.html#CGRequirements) 
+  [Customer gateway devices tested with Amazon VPC](https://docs.aws.amazon.com/vpc/latest/adminguide/Introduction.html#DevicesTested) 

# AWS Transit Gateway + AWS Site-to-Site VPN
<a name="aws-transit-gateway-vpn"></a>

  

 [AWS Transit Gateway](https://docs.aws.amazon.com/vpc/latest/tgw/what-is-transit-gateway.html) is an AWS managed high availability and scalability regional network transit hub used to interconnect VPCs and customer networks. AWS Transit Gateway + VPN, using the [Transit Gateway VPN attachment](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-vpn-attachments.html), provides the option of creating an IPsec VPN connection between your remote network and the Transit Gateway over the internet, as shown in the following figure. 

![\[Diagram showing a managed IPsec VPN connection between your remote network and the Transit Gateway.\]](http://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/images/transit-gateway-and-site-to-site-vpn.png)


 Consider using this approach when you want to take advantage of an AWS-managed VPN endpoint for connecting to multiple VPCs in the same region without the additional cost and management of multiple IPsec VPN connections to multiple Amazon VPCs. 

 AWS Transit Gateway also supports and encourages multiple customer gateway connections so that you can implement redundancy and failover on your side of the VPN connection, as shown in the following figure. 

![\[Diagram showing redundancy and failover.\]](http://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/images/transit-gateway-and-redundant-vpn.png)


 Both dynamic and static routing options are provided to give you flexibility in your routing configuration on the Transit Gateway VPN attachment. Dynamic routing uses BGP peering to exchange routing information between AWS and the remote endpoints. With dynamic routing, you can also express routing priorities and policies in your BGP advertisements (for example, AS-path prepending or MED values) to influence the network path between your networks and AWS. Note that when you use BGP, both the IPsec and the BGP sessions must terminate on the same customer gateway device, so that device must be capable of terminating both. 

Each VPN tunnel supports up to 1.25 Gbps of throughput and 140,000 packets per second (every Site-to-Site VPN connection consists of two tunnels). When the VPN connections terminate on a Transit Gateway, you can use Equal Cost Multi-Path (ECMP) routing to aggregate multiple tunnels and obtain higher total VPN bandwidth. ECMP requires dynamic (BGP) routing on the VPN connections; it is not supported with static routing.
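As an added example covering the routing behaviour described here and in the AWS Site-to-Site VPN section above (it is not code from the whitepaper), the following Python script models how the same prefix learned over several tunnels is ranked: longest prefix first, then shortest AS path (which is what AS-path prepending on your customer gateway lengthens), then lowest MED. With ECMP on a Transit Gateway every equal-cost tunnel stays active and the per-tunnel limit adds up; without ECMP only one tunnel carries traffic. Tunnel names, AS paths and MED values are constructed, and the 1.25 Gbps figure is the throughput quota quoted above.

```python
"""Model how AWS ranks the same prefix learned over several Site-to-Site
VPN tunnels, and what ECMP on a transit gateway adds.

Added example, not from the AWS whitepaper. Tunnel names, prefixes, AS paths
and MED values are constructed. The order implemented (longest prefix, then
shortest AS path, then lowest MED) is the one the text describes for
influencing path selection with BGP attributes.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

TUNNEL_GBPS = 1.25  # per-tunnel throughput quota quoted in the text


@dataclass(frozen=True)
class Route:
    tunnel: str               # constructed label such as "vpn-1/tunnel-2"
    prefix: str               # prefix advertised by the customer gateway
    as_path: tuple[int, ...]  # AS_PATH as received; prepending lengthens it
    med: int = 0              # MULTI_EXIT_DISC; lower is preferred


# Constructed: two VPN connections (four tunnels) all advertising 10.0.0.0/16.
# vpn-1/tunnel-2 is demoted with AS-path prepending, vpn-2/tunnel-2 with a
# higher MED, and vpn-1/tunnel-1 also advertises a more specific /24.
SAMPLE_ROUTES = [
    Route("vpn-1/tunnel-1", "10.0.0.0/16", (65000,), med=100),
    Route("vpn-1/tunnel-2", "10.0.0.0/16", (65000, 65000), med=100),
    Route("vpn-2/tunnel-1", "10.0.0.0/16", (65000,), med=100),
    Route("vpn-2/tunnel-2", "10.0.0.0/16", (65000,), med=200),
    Route("vpn-1/tunnel-1", "10.0.5.0/24", (65000, 65000, 65000), med=300),
]


def select_paths(routes: list[Route], destination: str, ecmp: bool) -> list[Route]:
    """Return the tunnel(s) that carry traffic to destination.

    With ecmp=True (transit gateway, dynamic routing) every equal-cost tunnel
    is returned and traffic is spread across them. With ecmp=False (virtual
    private gateway, or static routing) a single tunnel is active; which of
    several equal candidates AWS prefers is outside this example, so the
    first one is returned.
    """
    dst = ipaddress.ip_address(destination)
    matching = [r for r in routes if dst in ipaddress.ip_network(r.prefix)]
    if not matching:
        return []
    # 1. longest prefix match beats every BGP attribute
    longest = max(ipaddress.ip_network(r.prefix).prefixlen for r in matching)
    candidates = [r for r in matching if ipaddress.ip_network(r.prefix).prefixlen == longest]
    # 2. shortest AS path, then 3. lowest MED
    best_key = min((len(r.as_path), r.med) for r in candidates)
    best = [r for r in candidates if (len(r.as_path), r.med) == best_key]
    return best if ecmp else best[:1]


def aggregate_gbps(paths: list[Route]) -> float:
    """Upper bound on throughput across the active tunnels."""
    return TUNNEL_GBPS * len(paths)


if __name__ == "__main__":
    active = select_paths(SAMPLE_ROUTES, "10.0.1.1", ecmp=True)
    print("ECMP tunnels for 10.0.1.1:", [r.tunnel for r in active],
          aggregate_gbps(active), "Gbps")
    specific = select_paths(SAMPLE_ROUTES, "10.0.5.7", ecmp=True)
    print("more specific wins for 10.0.5.7:", [(r.tunnel, r.prefix) for r in specific])
```

The practical consequence: to keep a tunnel as a pure backup, prepend your ASN on that tunnel's advertisements rather than relying on MED alone, and remember that any more specific prefix advertised over a single tunnel pulls that traffic onto it regardless of ECMP.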

 In addition, you can enable acceleration on your AWS Site-to-Site VPN connections. An accelerated VPN connection uses [AWS Global Accelerator](https://docs.aws.amazon.com/global-accelerator/latest/dg/what-is-global-accelerator.html) to route traffic from your network to the AWS edge location closest to your customer gateway device, and from there over the AWS backbone. This reduces the effect of the disruptions and variability that traffic encounters on the public internet. Acceleration is supported only for VPN connections attached to a Transit Gateway, as shown in the following figure: 

![\[Diagram that shows acceleration on VPN connections that are attached to a Transit Gateway.\]](http://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/images/accelerated-site-to-site-vpn.png)


 Last, regarding IP addressing, Site-to-Site VPN connections on an AWS Transit Gateway support both IPv4 and IPv6 traffic. The following rules apply: 
+  IPv6 is supported only for the inside (tunnel) IP addresses. The outside IP addresses of the AWS endpoints are public IPv4 addresses, and the customer gateway IP address must also be a public IPv4 address. 
+  A single Site-to-Site VPN connection cannot carry both IPv4 and IPv6 traffic. If your hybrid connectivity requires dual-stack communication, create separate VPN connections for the IPv4 and the IPv6 traffic. 

## Additional resources
<a name="additional-resources-1"></a>
+  [Transit gateway VPN attachments](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-vpn-attachments.html) 
+  [ Customer gateway](https://docs.aws.amazon.com/vpn/latest/s2svpn/your-cgw.html) 
+  [Working with Site-to-Site VPN](https://docs.aws.amazon.com/vpn/latest/s2svpn/working-with-site-site.html) 
+  [Accelerated Site-to-Site VPN connections](https://docs.aws.amazon.com/vpn/latest/s2svpn/accelerated-vpn.html) 

# AWS Direct Connect
<a name="aws-direct-connect"></a>

  

 [AWS Direct Connect](https://aws.amazon.com/directconnect/) makes it easy to establish a dedicated connection from an on-premises network to one or more VPCs. Direct Connect can reduce network costs, increase bandwidth throughput, and provide a more consistent network experience than internet-based connections. It uses industry-standard 802.1Q VLANs to connect to Amazon VPC using private IP addresses. The VLANs are configured using [virtual interfaces](https://docs.aws.amazon.com/directconnect/latest/UserGuide/WorkingWithVirtualInterfaces.html) (VIFs), and you can configure three different types of VIFs: 
+  **Public virtual interface** - Establish connectivity between AWS public endpoints and your data center, office, or colocation environment. 
+  **Transit virtual interface** - Establish private connectivity between AWS Transit Gateway and your data center, office, or colocation environment. This connectivity option is covered in the section [AWS Direct Connect + AWS Transit Gateway](aws-direct-connect-aws-transit-gateway.md). 
+  **Private virtual interface** - Establish private connectivity between Amazon VPC resources and your data center, office, or colocation environment. The use of private VIFs is shown in the following figure.   
![\[Diagram showing AWS Direct Connect.\]](http://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/images/aws-direct-connect.png)

 You can establish connectivity to the AWS backbone using AWS Direct Connect by establishing a cross-connect to AWS devices in a [Direct Connect location](https://aws.amazon.com/directconnect/locations/). You can access any AWS Region from any of our Direct Connect locations (except China). If you don’t have equipment at a location, you can choose from an ecosystem of [WAN service providers](https://aws.amazon.com/directconnect/partners/) for integrating your AWS Direct Connect endpoint in an AWS Direct Connect location with your remote networks. 

With AWS Direct Connect, you have two types of connection:
+  **Dedicated connections**, where a physical Ethernet port is dedicated to a single customer. You can order port speeds of 1, 10, or 100 Gbps. You might need to work with a partner in the AWS Direct Connect Partner Program to establish the network circuits between the AWS Direct Connect connection and your data center, office, or colocation environment. 
+  **Hosted connections**, where a physical Ethernet connection is provisioned by an AWS Direct Connect Partner and shared with you. You can order port speeds between 50 Mbps and 10 Gbps. You work with the partner both for the Direct Connect connection they established and for the network circuits between the AWS Direct Connect connection and your data center, office, or colocation environment. 

 For dedicated connections, you can also use a link aggregation group (LAG) to aggregate multiple connections at a single AWS Direct Connect endpoint. You treat them as a single, managed connection. You can aggregate up to four 1- or 10-Gbps connections, and up to two 100-Gbps connections. 

 When discussing high availability in AWS Direct Connect, we recommend using additional Direct Connect connections. The [Direct Connect Resiliency Toolkit](https://docs.aws.amazon.com/directconnect/latest/UserGuide/resiliency_toolkit.html) offers guidance in building highly resilient network connections between AWS and your data center, office, or colocation environment. The following figure shows you an example of a high-resiliency connectivity option, with two Direct Connect connections terminated in two different Direct Connect locations. 

![\[A diagram example that shows a high-resiliency connectivity option.\]](http://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/images/redundant-aws-direct-connect.png)


 AWS Direct Connect does not encrypt traffic by default: frames on the circuit are in the clear unless you add encryption yourself. For dedicated connections of 10 or 100 Gbps, you can enable MAC Security (MACsec) to encrypt at the link layer. For connections of 1 Gbps or less, you can run IPsec VPN tunnels over the connection instead; this option is covered in the [AWS Direct Connect + AWS Site-to-Site VPN](aws-direct-connect-site-to-site-vpn.md) and [AWS Direct Connect + AWS Transit Gateway + AWS Site-to-Site VPN](aws-direct-connect-aws-transit-gateway-vpn.md) sections. 
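As an added example (not from the whitepaper), the following Python function audits a list of Direct Connect connections for encryption coverage: MACsec enforced, or an IPsec VPN overlay, or neither. The records are constructed but use the field names returned by the Direct Connect DescribeConnections API (connectionId, bandwidth, macSecCapable, encryptionMode, portEncryptionStatus). Which connections already carry an IPsec VPN overlay is passed in as a set; that is assumed to come from your own inventory or tagging, because Direct Connect itself does not track it.

```python
"""Audit AWS Direct Connect connections for encryption coverage.

Added example, not from the AWS whitepaper. SAMPLE_CONNECTIONS is constructed
but mirrors the "connections" list of the DescribeConnections API response.
The set of connections covered by an IPsec VPN overlay is an input, assumed
to come from your own inventory.
"""
from __future__ import annotations

# Constructed sample shaped like DescribeConnections output.
SAMPLE_CONNECTIONS = [
    {"connectionId": "dxcon-aaaa0001", "bandwidth": "10Gbps",
     "macSecCapable": True, "encryptionMode": "must_encrypt",
     "portEncryptionStatus": "Encryption Up"},
    {"connectionId": "dxcon-aaaa0002", "bandwidth": "10Gbps",
     "macSecCapable": True, "encryptionMode": "should_encrypt",
     "portEncryptionStatus": "Encryption Down"},
    {"connectionId": "dxcon-aaaa0003", "bandwidth": "1Gbps",
     "macSecCapable": False, "encryptionMode": "no_encrypt"},
    {"connectionId": "dxcon-aaaa0004", "bandwidth": "500Mbps",
     "macSecCapable": False, "encryptionMode": "no_encrypt"},
]

OK_MACSEC = "ok: MACsec enforced and up"
OK_OVERLAY = "ok: IPsec VPN overlay"
FINDING_MACSEC = ("finding: MACsec-capable port without enforced encryption "
                  "(set encryptionMode to must_encrypt and verify the port is Encryption Up)")
FINDING_PLAINTEXT = ("finding: traffic crosses the circuit unencrypted; "
                     "run a Site-to-Site VPN over the connection")


def audit_connections(connections: list[dict], vpn_overlay_ids: set[str]) -> dict[str, str]:
    """Return connectionId -> verdict for every connection.

    MACsec only counts when it is mandatory (must_encrypt) and the port
    actually reports encryption up; should_encrypt falls back to plaintext
    when no key is available, so it is treated as not enforced.
    """
    verdicts: dict[str, str] = {}
    for conn in connections:
        cid = conn["connectionId"]
        macsec_enforced = (
            conn.get("macSecCapable", False)
            and conn.get("encryptionMode") == "must_encrypt"
            and conn.get("portEncryptionStatus") == "Encryption Up"
        )
        if macsec_enforced:
            verdicts[cid] = OK_MACSEC
        elif cid in vpn_overlay_ids:
            verdicts[cid] = OK_OVERLAY
        elif conn.get("macSecCapable", False):
            verdicts[cid] = FINDING_MACSEC
        else:
            verdicts[cid] = FINDING_PLAINTEXT
    return verdicts


def findings(verdicts: dict[str, str]) -> list[str]:
    """Connection IDs that need action, in audit order."""
    return [cid for cid, verdict in verdicts.items() if verdict.startswith("finding")]


if __name__ == "__main__":
    # dxcon-aaaa0003 is assumed to carry an IPsec VPN over a public VIF.
    result = audit_connections(SAMPLE_CONNECTIONS, {"dxcon-aaaa0003"})
    for cid, verdict in result.items():
        print(f"{cid}: {verdict}")
```

In practice, feed it the `connections` list from `aws directconnect describe-connections` and treat every finding as a circuit on which anyone with access to the cross-connect or the partner's infrastructure can read your traffic.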

 One important resource in AWS Direct Connect is the Direct Connect gateway, which is a globally available resource to enable connections to multiple Amazon VPCs or Transit Gateways across different Regions or AWS accounts. This resource also allows you to connect to any participating VPC or Transit Gateway from one private VIF or transit VIF, reducing AWS Direct Connect management, as shown in the following figure. 

![\[Diagram that shows connecting to any participating VPC or Transit Gateway from one private VIF or transit VIF.\]](http://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/images/aws-direct-connect-gateway.png)


Regarding IP addressing, AWS Direct Connect virtual interfaces support both IPv4 and IPv6 BGP sessions, so a VIF can operate dual-stack.
+  For the IPv4 BGP peering on private and transit VIFs, you can use either AWS-generated IPv4 addresses or addresses that you configure. For the IPv4 BGP peering on a public VIF, you must specify a unique public /31 IPv4 CIDR that you own (or submit a request to have a CIDR block assigned). 
+  For the IPv6 BGP peering on all VIF types, AWS assigns a /125 CIDR, which is not configurable. 

## Additional resources
<a name="additional-resources-2"></a>
+  [AWS Direct Connect User Guide](https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html) 
+  [AWS Direct Connect virtual interfaces](https://docs.aws.amazon.com/directconnect/latest/UserGuide/WorkingWithVirtualInterfaces.html) 
+  [AWS Direct Connect gateways](https://docs.aws.amazon.com/directconnect/latest/UserGuide/direct-connect-gateways-intro.html) 
+  [AWS Direct Connect Resiliency Toolkit](https://docs.aws.amazon.com/directconnect/latest/UserGuide/resiliency_toolkit.html) 
+  [AWS Direct Connect MAC Security](https://docs.aws.amazon.com/directconnect/latest/UserGuide/MACsec.html) 
+  [AWS Direct Connect locations](https://aws.amazon.com/directconnect/locations/) 
+  [AWS Direct Connect Delivery Partners](https://aws.amazon.com/directconnect/partners/) 

# AWS Direct Connect + AWS Transit Gateway
<a name="aws-direct-connect-aws-transit-gateway"></a>

 [AWS Direct Connect](https://aws.amazon.com/directconnect/) + [AWS Transit Gateway](https://docs.aws.amazon.com/vpc/latest/tgw/what-is-transit-gateway.html), using a [transit VIF attachment to a Direct Connect gateway](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-dcg-attachments.html), enables your network to reach several regional centralized routers over a private dedicated connection. The following diagram shows connecting to two routers. 

![\[Diagram that shows connecting to three routers.\]](http://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/images/aws-direct-connect-and-aws-transit-gateway.png)


 Each AWS Transit Gateway is a network transit hub to interconnect VPCs in the same region, consolidating Amazon VPC routing configuration in one place. This solution simplifies management of connections between an Amazon VPC and your networks over a private connection that can reduce network costs, increase bandwidth throughput, and provide a more consistent network experience than internet-based connections. 

## Additional resources
<a name="additional-resources-3"></a>
+  [AWS Direct Connect User Guide](https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html) 
+  [Link aggregation groups in AWS Direct Connect](https://docs.aws.amazon.com/directconnect/latest/UserGuide/lags.html) 
+  Blog post: [Integrating sub-1 Gbps hosted connections with AWS Transit Gateway](https://aws.amazon.com/blogs/networking-and-content-delivery/integrating-sub-1-gbps-hosted-connections-with-aws-transit-gateway/) 

# AWS Direct Connect + AWS Site-to-Site VPN
<a name="aws-direct-connect-site-to-site-vpn"></a>

 With [AWS Direct Connect](https://aws.amazon.com/directconnect/) + [AWS Site-to-Site VPN](https://aws.amazon.com/vpn/site-to-site-vpn/), you combine an AWS Direct Connect connection with the AWS-managed VPN service. An AWS Direct Connect public VIF establishes a dedicated network path between your network and public AWS resources, including the AWS Site-to-Site VPN endpoints. Once the public VIF is up, you create IPsec VPN connections over it to the corresponding Amazon VPC virtual private gateways. The following figure illustrates this option.

![\[Diagram that shows establishing a connection to the service, then creating IPsec connections.\]](http://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/images/aws-direct-connect-and-aws-site-to-site-vpn.png)


This solution combines the end-to-end protection of an IPsec connection with the low latency and higher bandwidth of AWS Direct Connect, for a more consistent network experience than internet-based VPN connections. One BGP session runs between AWS Direct Connect and your router on the public VIF, which is how your router learns the AWS public endpoint prefixes; a second BGP session, or a static route, runs between the virtual private gateway and your router inside the IPsec VPN tunnels.

## Additional resources
<a name="additional-resources-4"></a>
+  [AWS Direct Connect](https://aws.amazon.com/directconnect/) 
+  [AWS Direct Connect virtual interfaces](https://docs.aws.amazon.com/directconnect/latest/UserGuide/WorkingWithVirtualInterfaces.html) 
+  [AWS Site-to-Site VPN User Guide](https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html) 

# AWS Direct Connect + AWS Transit Gateway + AWS Site-to-Site VPN
<a name="aws-direct-connect-aws-transit-gateway-vpn"></a>

 With [AWS Direct Connect](https://aws.amazon.com/directconnect/) + [AWS Transit Gateway](https://docs.aws.amazon.com/vpc/latest/tgw/what-is-transit-gateway.html) + [AWS Site-to-Site VPN](https://aws.amazon.com/vpn/site-to-site-vpn/), you get end-to-end IPsec-encrypted connections between your networks and a regional centralized router for your Amazon VPCs over a private dedicated connection.

You use an AWS Direct Connect public VIF to first establish a dedicated network path between your network and public AWS resources, such as the AWS Site-to-Site VPN endpoints. Once that connection is established, you create an IPsec connection to AWS Transit Gateway over it. The following figure illustrates this option.

![\[A diagram showing creating an IPsec connection.\]](http://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/images/aws-direct-connect-transit-gateway-site-to-site-vpn-public-vif.png)


![\[A diagram showing Direct Connect, Transit Gateway, and Site-to-Site VPN.\]](http://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/images/aws-direct-connect-and-aws-transit-gateway-and-vpn-with-transit-vif.png)


Consider taking this approach when you want to simplify management and minimize the cost of IPsec VPN connections to multiple Amazon VPCs in the same region, while keeping the low latency and consistent network experience of a private dedicated connection rather than an internet-based VPN. A BGP session is established between AWS Direct Connect and your router on either the public VIF or, for a private IP VPN, the transit VIF. Another BGP session or a static route is established between AWS Transit Gateway and your router inside the IPsec VPN tunnel.

## Additional resources
<a name="additional-resources-5"></a>
+  [AWS Direct Connect virtual interfaces](https://docs.aws.amazon.com/directconnect/latest/UserGuide/WorkingWithVirtualInterfaces.html) 
+  [Transit gateway VPN attachments](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-vpn-attachments.html) 
+  [Requirements for customer gateway devices](https://docs.aws.amazon.com/vpc/latest/adminguide/Introduction.html#CGRequirements) 
+  [Customer gateway devices tested with Amazon VPC](https://docs.aws.amazon.com/vpc/latest/adminguide/Introduction.html#DevicesTested) 
+  [AWS Site-to-Site VPN – Private IP VPN with AWS Direct Connect](https://docs.aws.amazon.com/vpn/latest/s2svpn/private-ip-dx.html) 

# Site-to-Site VPN CloudHub
<a name="aws-vpn-cloudhub"></a>

 Building on the AWS managed VPN options described previously, you can securely communicate from one site to another using the Site-to-Site VPN CloudHub. The Site-to-Site VPN CloudHub operates on a simple hub-and-spoke model that you can use with or without a VPC. Use this approach if you have multiple branch offices and existing internet connections and would like to implement a convenient, potentially low-cost hub-and-spoke model for primary or backup connectivity between these remote offices. 

 The following figure shows the Site-to-Site VPN CloudHub architecture, with lines indicating network traffic between remote sites being routed over their Site-to-Site VPN connections. 

![\[Site-to-Site VPN CloudHub architecture showing connections between AWS Cloud and multiple customer networks via IPsec VPN.\]](http://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/images/aws-vpn-cloudhub.png)


*Site-to-Site VPN CloudHub*

 Site-to-Site VPN CloudHub uses an Amazon VPC virtual private gateway with multiple customer gateways, each using unique BGP autonomous system numbers (ASNs). The remote sites must not have overlapping IP ranges. Your gateways advertise the appropriate routes (BGP prefixes) over their VPN connections. These routing advertisements are received and re-advertised to each BGP peer so that each site can send data to and receive data from the other sites. 
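As an added example (not from the whitepaper), the following Python script models the CloudHub route exchange: it checks the two preconditions just stated (a unique ASN per customer gateway and no overlapping ranges) and then builds the routes each site receives from the hub, tagged with the AS path the spoke's router would see. Site names, ASNs and prefixes are constructed; HUB_ASN is assumed to be 64512, the default Amazon-side ASN for a virtual private gateway, which is configurable.

```python
"""Model the route exchange in Site-to-Site VPN CloudHub: each customer
gateway advertises its prefixes to the virtual private gateway, which
re-advertises them to every other site and advertises the VPC CIDR to all.

Added example, not from the AWS whitepaper. Site names, ASNs and prefixes
are constructed. HUB_ASN is the Amazon-side ASN; 64512 is the default for a
virtual private gateway but it is configurable, so treat it as an assumption.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from itertools import combinations

HUB_ASN = 64512  # assumed: default Amazon-side ASN of a virtual private gateway


@dataclass(frozen=True)
class Site:
    name: str
    asn: int                    # must be unique per customer gateway
    prefixes: tuple[str, ...]   # ranges the site advertises over BGP


SAMPLE_SITES = [
    Site("branch-a", 65001, ("10.10.0.0/16",)),
    Site("branch-b", 65002, ("10.20.0.0/16",)),
    Site("branch-c", 65003, ("10.30.0.0/16",)),
]
# Constructed misconfiguration: reuses branch-a's ASN and overlaps its range.
BAD_SITE = Site("branch-d", 65001, ("10.10.128.0/17",))


def validate_sites(sites: list[Site], vpc_cidr: str | None) -> list[str]:
    """Return the CloudHub preconditions that fail: duplicate ASNs and
    overlapping prefixes between sites (or between a site and the VPC)."""
    problems: list[str] = []
    seen: dict[int, str] = {}
    for site in sites:
        if site.asn in seen:
            problems.append(f"{site.name} reuses ASN {site.asn} of {seen[site.asn]}")
        else:
            seen[site.asn] = site.name
    owned = [(s.name, ipaddress.ip_network(p)) for s in sites for p in s.prefixes]
    if vpc_cidr:
        owned.append(("vpc", ipaddress.ip_network(vpc_cidr)))
    for (a, net_a), (b, net_b) in combinations(owned, 2):
        if a != b and net_a.version == net_b.version and net_a.overlaps(net_b):
            problems.append(f"{a} {net_a} overlaps {b} {net_b}")
    return problems


def cloudhub_routes(sites: list[Site], vpc_cidr: str | None) -> dict[str, list[tuple[str, tuple[int, ...]]]]:
    """Return, per site, the sorted (prefix, AS_PATH) entries the hub advertises to it.

    A site never receives its own prefixes back; every other site's prefixes
    arrive with the hub ASN prepended, so a spoke's router can tell which
    remote site originated each route.
    """
    problems = validate_sites(sites, vpc_cidr)
    if problems:
        raise ValueError("; ".join(problems))
    table: dict[str, list[tuple[str, tuple[int, ...]]]] = {}
    for receiver in sites:
        routes: list[tuple[str, tuple[int, ...]]] = []
        if vpc_cidr:
            routes.append((vpc_cidr, (HUB_ASN,)))
        for other in sites:
            if other.name == receiver.name:
                continue
            for prefix in other.prefixes:
                routes.append((prefix, (HUB_ASN, other.asn)))
        table[receiver.name] = sorted(routes)
    return table


if __name__ == "__main__":
    for site, routes in cloudhub_routes(SAMPLE_SITES, "10.0.0.0/16").items():
        print(site, routes)
    print("problems with BAD_SITE:", validate_sites(SAMPLE_SITES + [BAD_SITE], "10.0.0.0/16"))
```

Because the hub re-advertises whatever a spoke announces, a compromised or misconfigured branch router can attract the other sites' traffic by announcing a more specific prefix; apply inbound prefix filters on the customer gateways, or limit each site's advertisements, rather than trusting the hub to arbitrate.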

## Additional resources
<a name="additional-resources-6"></a>
+  [Providing secure communication between sites using VPN CloudHub](https://docs.aws.amazon.com/vpn/latest/s2svpn/VPN_CloudHub.html) 
+  [AWS Site-to-Site VPN User Guide](https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html) 
+  [Requirements for customer gateway devices](https://docs.aws.amazon.com/vpc/latest/adminguide/Introduction.html#CGRequirements) 
+  [Customer gateway devices tested with Amazon VPC](https://docs.aws.amazon.com/vpc/latest/adminguide/Introduction.html#DevicesTested) 

# AWS Transit Gateway + SD-WAN solutions
<a name="aws-transit-gateway-sd-wan"></a>

 Software Defined Wide Area Networks (SD-WANs) are used to connect your data centers, offices, or colocation environments over different transit networks (such as the public internet, MPLS networks, or the AWS backbone using AWS Direct Connect), managing the traffic automatically and dynamically across the most appropriate and efficient path based on network conditions, application type or quality of service (QoS) requirements. 

 Use this approach if you have a complex network topology, with several data centers, offices, or colocation environments that need to communicate between themselves and with AWS. SD-WAN solutions can help you to efficiently manage this type of network. 

 To connect an SD-WAN network to AWS, AWS Transit Gateway provides a managed, highly available and scalable regional network transit hub that interconnects your VPCs and your SD-WAN network. [Transit Gateway Connect attachments](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-connect.html) provide a native way to connect your SD-WAN infrastructure and appliances with AWS, so you can extend your SD-WAN into AWS without setting up IPsec VPNs. 

 Transit Gateway Connect attachments use Generic Routing Encapsulation (GRE) tunnels, which deliver higher bandwidth than a VPN connection, and Border Gateway Protocol (BGP) for dynamic routing, which removes the need to configure static routes. This simplifies network design and reduces the associated operational cost. GRE provides encapsulation only, not encryption, so traffic in the tunnel is protected only as far as the underlying transport is. In addition, integration with [Transit Gateway Network Manager](https://docs.aws.amazon.com/vpc/latest/tgwnm/what-is-network-manager.html) provides visibility through a global network topology, attachment-level performance metrics, and telemetry data. 

 When integrating your SD-WAN network with Transit Gateway using Connect attachments, there are two common patterns. The first places the SD-WAN virtual appliances in a VPC within AWS and uses a VPC attachment as the underlying transport for the Transit Gateway Connect attachment between the virtual appliances and the Transit Gateway, as shown in the following figure. 

![\[A diagram that shows using a VPC attachment as underlying transport.\]](http://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/images/sd-wan-connectivity-with-transit-gateway.png)


 Alternatively, you can extend and segment your SD-WAN traffic into AWS without adding infrastructure in a VPC: create the Transit Gateway Connect attachment with an AWS Direct Connect connection (a Direct Connect gateway attachment) as the underlying transport, as shown in the following figure. 

![\[A diagram that shows using an AWS Direct Connect connection as underlying transport.\]](http://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/images/sd-wan-connectivity-with-transit-gateway-2.png)


 There are some considerations to be aware of when using Transit Gateway Connect attachments: 
+  You can create Connect attachments on existing Transit Gateways. 
+  Third-party appliances must be configured with a GRE tunnel to send and receive traffic from the Transit Gateway through the Connect attachment, and with BGP for dynamic route updates and health checks. 
+  Connect attachments do not support static routes. 
+  Each GRE tunnel (Connect peer) supports a maximum bandwidth of 5 Gbps. To go above 5 Gbps, advertise the same prefixes over multiple Connect peers (GRE tunnels) on the same Connect attachment so that traffic is spread across them. 
+  A maximum of four Connect peers is supported per Connect attachment. 
+  Transit Gateway Connect attachments support IPv6 and dynamic route advertisements through Multiprotocol Extensions for BGP (MP-BGP). 

## Additional resources
<a name="additional-resources-7"></a>
+  [Transit gateway Connect attachments and Connect peers](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-connect.html) 
+  [Transit gateway peering attachments](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-peering.html) 
+  [Blog post: Simplify SD-WAN connectivity with AWS Transit Gateway Connect](https://aws.amazon.com/blogs/networking-and-content-delivery/simplify-sd-wan-connectivity-with-aws-transit-gateway-connect/) 

# Software VPN
<a name="software-vpn"></a>

 Amazon VPC offers you the flexibility to fully manage both sides of your Amazon VPC connectivity by creating a VPN connection between your remote network and a software VPN appliance running in your Amazon VPC network. This option is recommended if you must manage both ends of the VPN connection, either for compliance purposes or for leveraging gateway devices that are not currently supported by Amazon VPC’s VPN solution. The following figure shows this option. 

![\[AWS Cloud VPC with public and private subnets connecting to customer network via VPN.\]](http://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/images/software-site-to-site-vpn.png)


*Software Site-to-Site VPN*

 You can choose from an ecosystem of multiple partners and open-source communities that have produced software VPN appliances that run on Amazon EC2. Along with this choice comes the responsibility that you must manage the software appliance, including configuration, patches, and upgrades. 

 Note that this design introduces a potential single point of failure, because the software VPN appliance runs on a single Amazon EC2 instance. For additional information, see [Appendix A: High-level HA architecture for software VPN instances](appendix-a-high-level-ha-architecture-for-software-vpn-instances.md). 

## Additional resources
<a name="additional-resources-8"></a>
+  [VPN appliances available in the AWS Marketplace](https://aws.amazon.com/marketplace/search/results/ref%3Dbrs_navgno_search_box?searchTerms=vpn) 
+  [Tech Brief - Connecting Cisco ASA to VPC EC2 Instance (IPsec)](https://aws.amazon.com/articles/8800869755706543) 
+  [Tech Brief - Connecting Multiple VPCs with EC2 Instances (IPsec)](https://aws.amazon.com/articles/5472675506466066) 
+  [Tech Brief - Connecting Multiple VPCs with EC2 Instances (SSL)](https://aws.amazon.com/articles/0639686206802544) 