Can someone help me understand the basic difference between AWS direct connect and VPC peering.
AWS VPC Peering is a connection between two AWS VPC networks (even between accounts). Easy as that. https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html
AWS Direct Connect is used to connect an on-premises datacenter through a dedicated line (you can imagine it as a private internet). As far as I understood, AWS has separate connections to a number of partner providers around their datacenters.
https://aws.amazon.com/directconnect/partners/
I have VPC with couple of subnets containing EC2 instances.
The EC2 instances have code that invokes various AWS services like DynamoDB.
Is the connection from EC2 to AWS Service (like dynamodb) happening within the AWS Network, or via public internet?
Is there any way to control this?
Is the connection from EC2 to AWS Service (like dynamodb) happening within the AWS Network, or via public internet?
Technically the process on EC2 would be hitting the AWS DynamoDB public API which is on the Internet. The traffic would be routed through the Internet Gateway you have attached to the VPC. I think if it is all in the same region it may not actually leave the AWS data center, and you could try testing that via tools like traceroute, but I don't think there are any guarantees of that.
Is there any way to control this?
Yes, add a VPC Endpoint to your VPC for the service you want to connect to. Then the DNS server in your VPC will route all traffic to that service over the VPC Endpoint, instead of routing it to your VPC's Internet Gateway. The traffic will then be guaranteed to stay within the AWS network.
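A way to verify the answer above from the routing side, as an added example that is not part of the original answer: for DynamoDB and S3 the endpoint is a gateway endpoint, which shows up in the VPC's route tables as a route whose destination is the service's managed prefix list (`pl-...`) and whose target is the endpoint (`vpce-...`). A subnet whose route table lacks that route keeps sending DynamoDB traffic through its default route (Internet Gateway or NAT gateway). The script below takes data in the shape of the EC2 `DescribeRouteTables` response and classifies each route table; the route tables, subnet IDs and the prefix-list ID are constructed placeholders, not values from any real account.

```python
"""
Audit which route tables in a VPC send DynamoDB traffic over a gateway VPC
endpoint and which still send it via the default route (IGW / NAT).

Input shape mirrors the AWS EC2 DescribeRouteTables response, e.g. the JSON
printed by `aws ec2 describe-route-tables --filters Name=vpc-id,Values=<vpc-id>`.
All IDs below are constructed placeholders for this example.
"""
import json
import sys
from typing import Dict, List, Optional, Tuple

# Constructed sample: two route tables in one VPC. The first has a gateway
# endpoint route for DynamoDB (prefix list -> vpce-...), the second only has
# the default route to the Internet Gateway.
SAMPLE_ROUTE_TABLES: List[Dict] = [
    {
        "RouteTableId": "rtb-0000000000000aaaa",
        "VpcId": "vpc-00000000000000000",
        "Associations": [{"SubnetId": "subnet-0000000000000aaa1"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-00000000000000000", "State": "active"},
            {"DestinationPrefixListId": "pl-0000000000000ddb0", "GatewayId": "vpce-000000000000ddb0", "State": "active"},
        ],
    },
    {
        "RouteTableId": "rtb-0000000000000bbbb",
        "VpcId": "vpc-00000000000000000",
        "Associations": [{"SubnetId": "subnet-0000000000000bbb1"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-00000000000000000", "State": "active"},
        ],
    },
]

# Placeholder. Prefix-list IDs are per region; in a real account look the
# DynamoDB one up via DescribeManagedPrefixLists (name com.amazonaws.<region>.dynamodb).
DYNAMODB_PREFIX_LIST = "pl-0000000000000ddb0"


def endpoint_route(route_table: Dict, prefix_list_id: str) -> Optional[str]:
    """Return the vpce- ID if an active route for prefix_list_id targets a gateway endpoint."""
    for route in route_table.get("Routes", []):
        if (route.get("DestinationPrefixListId") == prefix_list_id
                and route.get("State") == "active"
                and str(route.get("GatewayId", "")).startswith("vpce-")):
            return route["GatewayId"]
    return None


def default_route_target(route_table: Dict) -> Optional[str]:
    """Return the target of the 0.0.0.0/0 route (igw-/nat-/...), or None if there is none."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0" and route.get("State") == "active":
            return route.get("GatewayId") or route.get("NatGatewayId")
    return None


def audit(route_tables: List[Dict], prefix_list_id: str) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map each RouteTableId to ('endpoint', vpce-id), ('internet', igw/nat-id) or ('no-path', None)."""
    result: Dict[str, Tuple[str, Optional[str]]] = {}
    for rt in route_tables:
        vpce = endpoint_route(rt, prefix_list_id)
        if vpce:
            result[rt["RouteTableId"]] = ("endpoint", vpce)
            continue
        default = default_route_target(rt)
        if default and (default.startswith("igw-") or default.startswith("nat-")):
            result[rt["RouteTableId"]] = ("internet", default)
        else:
            # No endpoint and no public path: DynamoDB is simply unreachable from here.
            result[rt["RouteTableId"]] = ("no-path", None)
    return result


def subnets_without_endpoint(route_tables: List[Dict], prefix_list_id: str) -> List[str]:
    """Subnet IDs whose associated route table has no gateway endpoint route for the service."""
    missing: List[str] = []
    for rt in route_tables:
        if endpoint_route(rt, prefix_list_id) is None:
            missing.extend(a["SubnetId"] for a in rt.get("Associations", []) if "SubnetId" in a)
    return missing


if __name__ == "__main__":
    # Read real DescribeRouteTables JSON from stdin, or fall back to the constructed sample.
    data = json.load(sys.stdin) if not sys.stdin.isatty() else {"RouteTables": SAMPLE_ROUTE_TABLES}
    prefix_list = sys.argv[1] if len(sys.argv) > 1 else DYNAMODB_PREFIX_LIST
    for rtb_id, (path, target) in audit(data["RouteTables"], prefix_list).items():
        print(f"{rtb_id}: {path} via {target}")
    print("subnets without endpoint route:", subnets_without_endpoint(data["RouteTables"], prefix_list))
```

Pipe the real `describe-route-tables` output into the script with the region's DynamoDB prefix-list ID as the first argument; any subnet listed as "internet" still reaches DynamoDB through the IGW or a NAT gateway rather than the endpoint, which is exactly the case the answer says you are guarding against. Checking the route tables directly is more reliable than a traceroute, because the decision is made by the VPC router, not by DNS.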
I understand VPC Peering is used to establish connection between 2 VPCs. And to connect to another Application/Service in another VPC, VPC Endpoint Service is used. But can't a VPC Endpoint Service be connected via VPC peering?
A use-case/scenario will help
You can find a lot of info on VPC peering here:
https://docs.aws.amazon.com/de_de/vpc/latest/peering/what-is-vpc-peering.html
It is, like you already said, a (network) connection of two VPCs.
A VPC Endpoint gives you some more options; you could say it is built on top of the VPC peering idea.
Here is a short article about it:
https://catalog.workshops.aws/networking/en-US/intermediate/5-vpc-endpoint-services/10-vpc-endpoint-services-overview
It also mentions some use cases, like:
Application in a VPC that has no VPN or TGW access to other VPCs.
Application in a VPC which has overlapping IP addresses with the VPC you want to share it with.
Sharing an application with external consumers in other AWS accounts (even via Marketplace).
Limit the firewall rules for access to an on-premises application by using PrivateLink as a single point of access for all VPCs in a region.
I have two VPCs connected via VPC Network Peering. How can I connect another VPC that is not within GCP? I reckon I have to use Cloud VPN to connect the three?
Do I have to disable the existing VPC Network Peering before I can set up Cloud VPN? Is there a better way to connect the three?
To connect to an on-premises network, you have to use Interconnect or Cloud VPN.
These services are totally compatible with the VPC Peering that you've already created, and if you define the routing correctly, you'll be able to reach the two VPCs from on-premises and vice versa.
I have done a clean sweep of the AWS docs but couldn't find an answer to my scenario. I'm looking for a solution wherein I will have private connectivity (no data flows through the Internet, only within the AWS network) between my two VPCs, and VPC to on-premises connectivity. I'm aware of AWS PrivateLink and Direct Connect, but they have some limitations, e.g. an RDS instance cannot be exposed as an Endpoint Service to be consumed, and things like that.
Is there any way I can achieve the above ?
AWS Transit Gateway allows you to set up direct networking between VPCs and your on-premises environment. It supports both VPN and Direct Connect for the on-premises leg of the connection.
https://aws.amazon.com/transit-gateway/
Let's say I wanted to connect my IBM Cloud to an AWS VPC so that you could talk to machines on both ends via private IPs. I know you'd have to deal with routing and whatnot, but how would one do that? Would you have to use a virtual private gateway or something?
Use a software VPN appliance to join the two networks.
This will involve running VPN software, such as Openswan, in publicly-accessible subnets of both networks.
Alternatively, you could use an Amazon VPC virtual gateway on one end and a software appliance on the other end.
See the Software VPN section of this whitepaper for some examples: Amazon VPC Connectivity Options