

 This whitepaper is for historical reference only. Some content might be outdated and some links might not be available.

# Connectivity models
<a name="connectivity-models"></a>

## Definition
<a name="definition-con"></a>

 The connectivity model refers to the communication pattern between the on-premises network(s) and your resources in AWS. Those resources can be deployed in a single Amazon VPC in one AWS Region or in multiple VPCs across multiple Regions, and can include AWS services that expose a public endpoint in one or more Regions, such as Amazon S3 and DynamoDB. 

## Key questions
<a name="key-questions-con"></a>
+  Is there a requirement for inter-VPC communication within a Region and across Regions? 
+  Is there any requirement to access AWS public endpoints directly from on-premises? 
+  Is there a requirement to access AWS services using VPC endpoints from on-premises? 

## Capabilities to consider
<a name="capabilities-to-consider-con"></a>

 The following are some of the most common connectivity model scenarios. Each connectivity model covers requirements, attributes, and considerations. 

 Note: as highlighted earlier, this whitepaper is focused on the hybrid connectivity between on-premises networks and AWS. For further details on the design to interconnect VPCs, refer to the [Building a Scalable and Secure Multi-VPC AWS Network Infrastructure](https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/welcome.html) whitepaper. 

**Topics**
+ [Definition](#definition-con)
+ [Key questions](#key-questions-con)
+ [Capabilities to consider](#capabilities-to-consider-con)
+ [AWS Accelerated Site-to-Site VPN – AWS Transit Gateway, Single AWS Region](aws-accelerated-site-to-site-vpn-aws-transit-gateway-single-aws-region.md)
+ [AWS DX – DXGW with VGW, Single Region](aws-dx-dxgw-with-vgw-single-region.md)
+ [AWS DX – DXGW with VGW, Multi-Regions, and AWS Public Peering](aws-dx-dxgw-with-vgw-multi-regions-and-aws-public-peering.md)
+ [AWS DX – DXGW with AWS Transit Gateway, Multi-Regions, and AWS Public Peering](aws-dx-dxgw-with-aws-transit-gateway-multi-regions-and-aws-public-peering.md)
+ [AWS DX – DXGW with AWS Transit Gateway, Multi-Regions (more than 3)](aws-dx-dxgw-with-aws-transit-gateway-multi-regions-more-than-3.md)

# AWS Accelerated Site-to-Site VPN – AWS Transit Gateway, Single AWS Region
<a name="aws-accelerated-site-to-site-vpn-aws-transit-gateway-single-aws-region"></a>

 **This model is constructed of:** 
+  Single AWS Region. 
+  AWS managed Site-to-Site VPN connection terminated on AWS Transit Gateway. 
+  Accelerated VPN enabled. 

![\[Diagram showing AWS Managed VPN – AWS Transit Gateway, Single AWS Region\]](http://docs.aws.amazon.com/whitepapers/latest/hybrid-connectivity/images/managed-vpn-tg-single-region.png)


 **Connectivity model attributes:** 
+  Provides optimized VPN connections over the public internet by using [AWS Accelerated Site-to-Site VPN connections](https://docs.aws.amazon.com/vpn/latest/s2svpn/accelerated-vpn.html). 
+  Provides higher aggregate VPN bandwidth by configuring multiple VPN tunnels with ECMP. 
+  Can be used to connect multiple remote sites. 
+  Offers automated failover with dynamic routing (BGP). 
+  With AWS Transit Gateway connected to the VPCs, all of the connected VPCs share the same VPN connections. You can also control the desired communication model among the VPCs; for more information, refer to [How Transit Gateways Work](https://docs.aws.amazon.com/vpc/latest/tgw/how-transit-gateways-work.html). 
+  Offers flexible design options to integrate third-party security and SD-WAN virtual appliances with AWS Transit Gateway. See [Centralized network security for VPC-to-VPC and on-premises to VPC traffic](https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/centralized-network-security-for-vpc-to-vpc-and-on-premises-to-vpc-traffic.html). 

 **Scale considerations:** 
+  Up to 50 Gbps of aggregate bandwidth with multiple IPsec tunnels and ECMP configured. ECMP spreads distinct flows across tunnels, so each individual traffic flow is still limited to the maximum bandwidth of a single VPN tunnel; a single large flow (for example, one bulk replication stream) gains nothing from the additional tunnels. 
+  [Thousands](https://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-quotas.html) of VPCs can be connected per AWS Transit Gateway. 
+  Refer to the [Site-to-Site VPN quotas](https://docs.aws.amazon.com/vpn/latest/s2svpn/vpn-limits.html) for other scale limits, such as the number of routes. 
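
The per-flow ceiling above is easiest to appreciate numerically. The following is an added example for this page, not code from the whitepaper or from AWS: it hashes each 5-tuple onto one of the ECMP tunnels and shares each tunnel's capacity among the flows that land on it. The per-tunnel ceiling `TUNNEL_GBPS`, the SHA-256 hash standing in for the real (unspecified) ECMP hash, the max-min fair-share model and the sample flows are all assumptions of the example.

```python
"""Per-flow versus aggregate throughput over ECMP VPN tunnels.

Added illustration for this page; not AWS code.  Assumed, not from the page:
the per-tunnel ceiling TUNNEL_GBPS, a SHA-256 hash of the 5-tuple standing in
for the real ECMP hash, max-min fair sharing within a tunnel, and the sample flows.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

TUNNEL_GBPS = 1.25   # assumed ceiling of one IPsec tunnel (check the S2S VPN quotas)
N_TUNNELS = 4        # e.g. two Site-to-Site VPN connections x two tunnels, all ECMP members


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    demand_gbps: float   # what the application would push if unconstrained


def pick_tunnel(flow: Flow, n_tunnels: int = N_TUNNELS) -> int:
    """Stand-in ECMP hash: a given 5-tuple always lands on the same tunnel."""
    key = f"{flow.src}|{flow.dst}|{flow.proto}|{flow.sport}|{flow.dport}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big") % n_tunnels


def fair_share(demands: Sequence[float], capacity: float) -> List[float]:
    """Max-min fair split of capacity: small flows get all they ask for,
    the remainder is divided evenly among the flows that still want more."""
    alloc = [0.0] * len(demands)
    remaining, left = capacity, len(demands)
    for i in sorted(range(len(demands)), key=lambda k: demands[k]):
        alloc[i] = min(demands[i], remaining / left)
        remaining -= alloc[i]
        left -= 1
    return alloc


def ecmp_throughput(flows: Sequence[Flow], n_tunnels: int = N_TUNNELS,
                    tunnel_gbps: float = TUNNEL_GBPS) -> Tuple[List[float], float]:
    """Return (achieved Gbps per flow, aligned with `flows`; aggregate Gbps)."""
    buckets: Dict[int, List[int]] = {}
    for idx, flow in enumerate(flows):
        buckets.setdefault(pick_tunnel(flow, n_tunnels), []).append(idx)
    achieved = [0.0] * len(flows)
    for idxs in buckets.values():            # a tunnel is shared only by the flows hashed to it
        shares = fair_share([flows[i].demand_gbps for i in idxs], tunnel_gbps)
        for idx, got in zip(idxs, shares):
            achieved[idx] = got
    return achieved, sum(achieved)


# Constructed sample traffic: one 10 Gbps bulk copy versus forty 0.2 Gbps client sessions.
ELEPHANT = [Flow("10.1.1.10", "172.16.5.20", 6, 40000, 5432, 10.0)]
MICE = [Flow(f"10.1.2.{i}", "172.16.5.20", 6, 40000 + i, 443, 0.2) for i in range(40)]


def demo() -> Dict[str, float]:
    """Aggregate Gbps achieved by each sample population over N_TUNNELS tunnels."""
    return {"elephant": ecmp_throughput(ELEPHANT)[1], "mice": ecmp_throughput(MICE)[1]}


if __name__ == "__main__":
    for name, gbps in demo().items():
        print(f"{name:9s} achieves {gbps:.2f} Gbps over {N_TUNNELS} tunnels "
              f"(ceiling {N_TUNNELS * TUNNEL_GBPS:.2f} Gbps)")
```

The bulk copy is pinned to one tunnel no matter how many tunnels exist, while the forty sessions approach the aggregate figure because they are spread across all of them. When sizing, count concurrent distinct flows rather than total demand, and keep in mind that the on-premises device hashes the return direction independently, so the two directions of a flow can use different tunnels.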

 **Other considerations:** 
+  Incurs additional AWS Transit Gateway data processing charges for traffic between the on-premises data center and AWS. 
+  Security groups of a remote VPC cannot be referenced across AWS Transit Gateway; VPC peering does support this. (This reflects the capabilities at the time of writing; AWS has since added security group referencing for VPCs attached to the same Transit Gateway in the same Region, so check the current Transit Gateway documentation.) 

# AWS DX – DXGW with VGW, Single Region
<a name="aws-dx-dxgw-with-vgw-single-region"></a>

 **This model is constructed of:** 
+  Single AWS Region. 
+  Dual AWS Direct Connect connections to independent DX locations. 
+  AWS DXGW attached directly to the VPCs through their VGWs. 
+  Optional use of AWS Transit Gateway for inter-VPC communication. 

![\[Diagram showing AWS DX – DXGW with VGW, Single AWS Region\]](http://docs.aws.amazon.com/whitepapers/latest/hybrid-connectivity/images/dxgw-with-vgw-single-region.png)


 **Connectivity model attributes:** 
+  Provides the ability to connect to VPCs and DX connections in other Regions in the future. 
+  Offers automated failover with dynamic routing (BGP). 
+  With AWS Transit Gateway you can control the desired communication model among the VPCs. For more information, refer to [How transit gateways work](https://docs.aws.amazon.com/vpc/latest/tgw/how-transit-gateways-work.html). 

 **Scale considerations:** 

 Reference [AWS Direct Connect quotas](https://docs.aws.amazon.com/directconnect/latest/UserGuide/limits.html) for more information about other scale limits, such as the number of supported prefixes and the number of VIFs per DX connection type (dedicated, hosted). Some key considerations: 
+  The BGP session for a private VIF can advertise up to 100 routes each for IPv4 and IPv6. 
+  Up to 20 VPCs (VGWs) can be connected per DXGW over a single BGP session. If more than 20 VPCs are needed, add DXGWs to facilitate the connectivity at scale, or consider Transit Gateway integration. 
+  Additional AWS Direct Connect connections can be added as desired. 

 **Other considerations:** 
+  Does not incur AWS Transit Gateway data processing charges for traffic between AWS and on-premises networks. 
+  Security groups of a remote VPC cannot be referenced across AWS Transit Gateway (VPC peering is needed for that). 
+  VPC peering can be used instead of AWS Transit Gateway to facilitate communication between the VPCs; however, this adds operational complexity to build and manage a large number of point-to-point VPC peerings at scale. 
+  If inter-VPC communication is not required, neither AWS Transit Gateway nor VPC peering is required in this connectivity model. 

# AWS DX – DXGW with VGW, Multi-Regions, and AWS Public Peering
<a name="aws-dx-dxgw-with-vgw-multi-regions-and-aws-public-peering"></a>

**This model is constructed of:**
+  Multiple on-premises data centers, each with dual connections to AWS. 
+  Dual AWS Direct Connect connections to independent DX locations. 
+  AWS DXGW attached directly to between 10 and 20 VPCs through their VGWs. 
+  Optional use of AWS Transit Gateway for inter-VPC and inter-Region communication. 

![\[Diagram showing AWS DX – DXGW with VGW, Multi-Regions, and Public VIF\]](http://docs.aws.amazon.com/whitepapers/latest/hybrid-connectivity/images/dxgw-with-vgw-multi-region-public-vif.png)


 **Connectivity model attributes:** 
+  AWS DX public VIF is used to access AWS public services, such as Amazon S3, directly over the AWS DX connections. 
+  Provides the ability to connect to VPCs and DX connections in other Regions in the future. 
+  Inter-VPC and inter-Region VPC communication facilitated by AWS Transit Gateway and Transit Gateway peering. 

 **Scale considerations:** 

 Reference [AWS Direct Connect quotas](https://docs.aws.amazon.com/directconnect/latest/UserGuide/limits.html) for more information about other scale limits, such as the number of supported prefixes and the number of VIFs per DX connection type (dedicated, hosted). Some key considerations: 
+  The BGP session for a private VIF can advertise up to 100 routes each for IPv4 and IPv6. 
+  Up to 20 VPCs (VGWs) can be connected per DXGW over a single BGP session on each private VIF, with up to 30 private VIFs per DXGW. 
+  Additional AWS Direct Connect connections can be added as desired. 

 **Other considerations:** 
+  Does not incur AWS Transit Gateway data processing charges for traffic between AWS and on-premises networks. 
+  Security groups of a remote VPC cannot be referenced across AWS Transit Gateway (VPC peering is needed for that). 
+  VPC peering can be used instead of AWS Transit Gateway to facilitate communication between the VPCs; however, this adds operational complexity to build and manage a large number of point-to-point VPC peerings at scale. 
+  If inter-VPC communication is not required, neither AWS Transit Gateway nor VPC peering is required in this connectivity model. 

# AWS DX – DXGW with AWS Transit Gateway, Multi-Regions, and AWS Public Peering
<a name="aws-dx-dxgw-with-aws-transit-gateway-multi-regions-and-aws-public-peering"></a>

**This model is constructed of:**
+  Multiple AWS Regions. 
+  Dual AWS Direct Connect Connections to independent DX locations. 
+  Single on-premises data center with dual connections to AWS. 
+  AWS DXGW with AWS Transit Gateway. 
+  High scale of VPCs per Region. 

![\[Diagram showing AWS DX – DXGW with AWS Transit Gateway, Multi-Regions, and AWS Public VIF\]](http://docs.aws.amazon.com/whitepapers/latest/hybrid-connectivity/images/dxgw-with-tg-multi-region-public-peering.png)


 **Connectivity model attributes:** 
+  AWS DX public VIF is used to access AWS public services, such as Amazon S3, directly over the AWS DX connections. 
+  Provides the ability to connect to VPCs and/or DX connections in other Regions in the future. 
+  With AWS Transit Gateway connected to the VPCs, full or partial mesh connectivity can be achieved between the VPCs. 
+  Inter-VPC and inter-Region VPC communication facilitated by AWS Transit Gateway peering. 
+  Offers flexible design options to integrate third-party security and SD-WAN virtual appliances with AWS Transit Gateway. See [Centralized network security for VPC-to-VPC and on-premises to VPC traffic](https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/centralized-network-security-for-vpc-to-vpc-and-on-premises-to-vpc-traffic.html). 

 **Scale considerations:** 
+  The number of routes to and from AWS Transit Gateway is limited to the maximum supported number of routes over a transit VIF (inbound and outbound limits differ). Refer to the [AWS Direct Connect quotas](https://docs.aws.amazon.com/directconnect/latest/UserGuide/limits.html) for more information about the scale limits and the supported number of routes and VIFs. 
+  Scales up to thousands of VPCs per AWS Transit Gateway over a single BGP session. 
+  A single transit VIF per AWS DX connection. 
+  Additional AWS DX connections can be added as desired. 

 **Other considerations:** 
+  Incurs additional AWS Transit Gateway data processing charges for traffic between AWS and the on-premises site. 
+  Security groups of a remote VPC cannot be referenced across AWS Transit Gateway (VPC peering is needed for that). 
+  VPC peering can be used instead of AWS Transit Gateway to facilitate communication between the VPCs; however, this adds operational complexity to build and manage a large number of point-to-point VPC peerings at scale. 

# AWS DX – DXGW with AWS Transit Gateway, Multi-Regions (more than 3)
<a name="aws-dx-dxgw-with-aws-transit-gateway-multi-regions-more-than-3"></a>

 **This model is constructed of:** 
+  Multiple AWS Regions (more than 3). 
+  Dual on-premises data centers. 
+  Dual AWS Direct Connect connections to independent DX locations per Region. 
+  AWS DXGW with AWS Transit Gateway. 
+  High scale of VPCs per Region. 
+  Full mesh of peering between AWS Transit Gateways. 

![\[Diagram showing AWS DX – DXGW with AWS Transit Gateway, Multi-Regions (more than three)\]](http://docs.aws.amazon.com/whitepapers/latest/hybrid-connectivity/images/dxgw-with-tg-multi-region.png)

 **Connectivity model attributes:** 
+  Lowest operational overhead. 
+  AWS DX public VIF is used to access AWS public services, such as Amazon S3, directly over the AWS DX connections. 
+  Provides the ability to connect to VPCs and DX connections in other Regions in the future. 
+  With AWS Transit Gateway connected to the VPCs, full or partial mesh connectivity can be achieved between the VPCs. 
+  Inter-Region VPC communication is facilitated by AWS Transit Gateway peering. 
+  Offers flexible design options to integrate third-party security and SD-WAN virtual appliances with AWS Transit Gateway. See [Centralized network security for VPC-to-VPC and on-premises to VPC traffic](https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/centralized-network-security-for-vpc-to-vpc-and-on-premises-to-vpc-traffic.html). 

 **Scale considerations:** 
+  The number of routes to and from AWS Transit Gateway is limited to the maximum supported number of routes over a transit VIF (inbound and outbound limits differ). Refer to the [AWS Direct Connect quotas](https://docs.aws.amazon.com/directconnect/latest/UserGuide/limits.html) for more information about the scale limits. Consider route summarization to reduce the number of advertised routes if needed, but summarize only address space you actually own; an over-broad summary attracts traffic for ranges that are not allocated anywhere. 
+  Scales up to thousands of VPCs per AWS Transit Gateway over a single BGP session per DXGW (assuming the provisioned AWS DX bandwidth is sufficient). 
+  Up to six AWS Transit Gateways can be attached per DXGW (this quota has been raised over time; check the current AWS Direct Connect quotas). 
+  If more Regions need to be connected through AWS Transit Gateway than a single DXGW can attach, additional DXGWs are required. 
+  A single transit VIF per AWS DX connection. 
+  Additional AWS DX connections can be added as desired. 
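
The route budgets quoted in this and the earlier DXGW models (100 routes per address family on a private VIF, and the transit VIF limits) make route summarization a design step rather than an afterthought, and summarization has a security side: any prefix advertised that is not actually allocated pulls traffic for that space toward the Direct Connect path. The following is an added example for this page, not code from the whitepaper or from AWS, using only the Python standard library. It collapses a set of VPC CIDRs per address family, greedily summarizes them down to a route budget while preferring the merges that add the least unallocated space, and reports exactly which ranges would be advertised without being allocated. The budget constant (taken from the private VIF figure on this page), the greedy merge strategy and the sample CIDRs are assumptions of the example.

```python
"""Plan on-premises <-> AWS route advertisements against a per-VIF route budget.

Added illustration for this page; not AWS code.  The 100-routes-per-family
budget is the private VIF figure this page quotes; the sample VPC CIDRs are
constructed.  Standard library only.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List

PRIVATE_VIF_ROUTE_BUDGET = 100   # per address family, per the page; assumed unchanged


def collapse_by_family(cidrs: Iterable[str]) -> Dict[int, List]:
    """Parse CIDRs and merge contiguous or nested ones, one list per IP version
    (the budget applies per family, and ipaddress refuses to mix families)."""
    fams = defaultdict(list)
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)   # reject CIDRs with host bits set
        fams[net.version].append(net)
    return {v: list(ipaddress.collapse_addresses(nets)) for v, nets in fams.items()}


def common_supernet(a, b):
    """Smallest single prefix containing both a and b (same IP version)."""
    sup = a
    while not b.subnet_of(sup):
        sup = sup.supernet()
    return sup


def summarize_to_budget(nets: List, budget: int) -> List:
    """Greedily merge the pair whose common supernet adds the fewest unallocated
    addresses until the list fits the budget.  `nets` must be one IP version and
    already collapsed (pairwise disjoint)."""
    nets = list(nets)
    while len(nets) > budget and len(nets) > 1:
        best = None
        for i in range(len(nets)):
            for j in range(i + 1, len(nets)):
                sup = common_supernet(nets[i], nets[j])
                extra = sup.num_addresses - nets[i].num_addresses - nets[j].num_addresses
                if best is None or extra < best[0]:
                    best = (extra, sup)
        nets.append(best[1])
        nets = list(ipaddress.collapse_addresses(nets))   # drops members now inside sup
    return nets


def unallocated_in(summaries: List, owned: List) -> List:
    """Address space that would be advertised without being allocated to any VPC."""
    leftovers = []
    for summary in summaries:
        parts = [summary]
        for net in owned:
            if not net.subnet_of(summary):
                continue
            nxt = []
            for part in parts:
                if net.subnet_of(part):
                    nxt.extend(part.address_exclude(net))   # carve the owned block out
                elif not part.subnet_of(net):
                    nxt.append(part)                        # untouched by this block
            parts = nxt
        leftovers.extend(parts)
    return list(ipaddress.collapse_addresses(leftovers))


def plan_advertisement(cidrs: Iterable[str],
                       budget: int = PRIVATE_VIF_ROUTE_BUDGET) -> Dict[int, Dict[str, List]]:
    """For each IP family: the prefixes to advertise and the unallocated space they drag in."""
    plan = {}
    for version, owned in collapse_by_family(cidrs).items():
        advertise = summarize_to_budget(owned, budget)
        plan[version] = {"advertise": advertise,
                         "unallocated": unallocated_in(advertise, owned)}
    return plan


# Constructed sample: eight contiguous /16s, a ninth /16 with a gap before it,
# two adjacent /20s, and two adjacent IPv6 /48s from the documentation range.
SAMPLE_VPCS = ([f"10.{i}.0.0/16" for i in range(8)]
               + ["10.9.0.0/16", "172.16.0.0/20", "172.16.16.0/20",
                  "2001:db8:0::/48", "2001:db8:1::/48"])


if __name__ == "__main__":
    for budget in (PRIVATE_VIF_ROUTE_BUDGET, 2):       # a budget of 2 forces over-summarization
        print(f"budget {budget} routes per family:")
        for version, p in plan_advertisement(SAMPLE_VPCS, budget).items():
            print(f"  IPv{version} advertise   : {[str(n) for n in p['advertise']]}")
            print(f"  IPv{version} unallocated : {[str(n) for n in p['unallocated']]}")
```

With the full budget, plain collapsing already turns the thirteen sample CIDRs into four routes with nothing over-announced. Forcing the IPv4 budget down to two merges `10.0.0.0/13` and `10.9.0.0/16` into `10.0.0.0/12`, which quietly advertises `10.8.0.0/16`, `10.10.0.0/15` and `10.12.0.0/14` as well; the `unallocated` list is what to review before accepting a summary, and the same check applies to the transit VIF limits in the Transit Gateway models.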

 **Other considerations:** 
+  Incurs additional AWS Transit Gateway data processing charges for traffic between the on-premises site and AWS. 
+  Security groups of a remote VPC cannot be referenced across AWS Transit Gateway (VPC peering is needed for that). 
+  VPC peering can be used instead of AWS Transit Gateway to facilitate communication between the VPCs; however, this adds operational complexity to build and manage a large number of point-to-point VPC peerings at scale. 

 The following decision tree covers the scalability and communication model considerations: 

![\[Diagram showing scalability and communication model decision tree\]](http://docs.aws.amazon.com/whitepapers/latest/hybrid-connectivity/images/scalability-communication-model-decision-tree.png)


**Note**  
If the selected connection type is VPN, the choice of VPN termination point (an AWS VGW or an AWS Site-to-Site VPN attachment on AWS Transit Gateway) is typically made during the performance considerations. If it has not been made yet, consider the required communication model between the VPCs together with the number of VPCs that need to share the VPN connection(s) to guide the decision. 