AWS Virtual Private Gateway vs Direct Connect Gateway vs Transit Gateway

AWS Virtual Private Gateway vs Direct Connect Gateway vs Transit Gateway

By Gary Taylor, Solutions Architect

We compare the three AWS network gateways to help you choose the best option for your business.

In November 2018, AWS launched the newest version of its native network routing service: Transit Gateway (TGW). This cloud-based network gateway allows customers to connect Virtual Private Clouds (VPCs) across different accounts in a hub and spoke topology, and is the third evolution in this feature set.

The release was preceded by Direct Connect Gateway (DGW), which was announced in 2017, and prior to that, Virtual Private Gateway (VGW).

Navigating these options and figuring out which fits your use case can be tricky. In this blog post, we’ll demystify each service so you can easily determine which solution is right for your business.

To start, it’s best to consider the requirements of your workloads as each service offers certain features but not others. The table below provides a quick overview.

 VGWDGWTGW
Multiple Regions
Multiple Accounts
S2S VPN
Direct Connect
Transitive Routing
Globally Available
Route Segmentation

Let’s break down the specific benefits of each gateway and explore how they have changed over time.

Virtual Private Gateway (VGW) in AWS

 VGW
Multiple Regions
Multiple Accounts
S2S VPN
Direct Connect
Transitive Routing
Globally Available
Route Segmentation

A Virtual Private Gateway (VGW) provides an efficient way for AWS customers to connect multiple Virtual Private Clouds (VPCs) to on-premises resources via AWS Direct Connect or Site-to-Site VPN. It solves many of the limitations and scalability challenges previously faced when using Direct Connect.

Below, we delve into the advantages and the functionality of VGW:

Key Features of Virtual Private Gateway

  • Cost Efficiency:
    Before VGW, AWS customers needed to create a Direct Connect Private Virtual Interface (VIF) for each VPC, leading to a 1:1 mapping between VPCs and Direct Connect circuits. This setup not only increased costs but also added administrative complexity. VGW enables multiple VPCs in the same region and account to share a single Direct Connect VIF, dramatically reducing the need for multiple circuits.
  • Simplified Network Management:
    VGW minimizes administrative overhead by allowing multiple VPCs to be attached to a single Direct Connect or Site-to-Site VPN connection. This means fewer configurations, easier management of network resources, and a streamlined connection setup for inter-region and cross-account communication.
  • Scalability:
    The introduction of Virtual Private Gateway allows AWS users to scale their Direct Connect or VPN connections by eliminating the need to establish a separate connection for each VPC. As long as the VPCs are in the same region and account, they can utilize the shared connection, making it easier to scale networking resources for growing infrastructure.
  • Support for Hybrid Cloud Architectures:
    VGW is a key component when extending on-premises data centers into AWS, facilitating hybrid cloud architectures. Whether using AWS Direct Connect for a dedicated, high-bandwidth connection or a Site-to-Site VPN for encrypted traffic over the internet, VGW enables seamless communication between on-premises resources and VPCs in AWS.

VGW in Action with Direct Connect and Site-to-Site VPN

  • Direct Connect Integration:
    When using VGW with AWS Direct Connect, it enables private connectivity between AWS and on-premises networks, reducing latency and providing a more stable and reliable connection. By sharing a single Direct Connect connection among multiple VPCs, organizations can avoid the expense and operational complexity of managing separate connections for each VPC.
  • Site-to-Site VPN Integration:
    VGW can also be used with AWS Site-to-Site VPN to connect on-premises environments securely to AWS. This option is beneficial for organizations that may not need the dedicated bandwidth of Direct Connect but still require a secure, encrypted link to AWS resources.

Use Cases for VGW

  • Enterprise Cloud Migrations:
    VGW is ideal for enterprises migrating workloads to AWS, as it simplifies the process of connecting multiple VPCs to on-premises environments without the need for redundant Direct Connect or VPN setups.
  • Hybrid Cloud Environments:
    For companies running hybrid cloud setups, VGW provides a cost-effective way to interconnect multiple AWS VPCs with on-premises resources through a single Direct Connect or VPN connection.
  • Cost-Conscious Networking:
    Organizations looking to optimize costs can take advantage of VGW to reduce the number of connections required for multi-VPC environments, minimizing expenses associated with Direct Connect circuits.
This construct can be used with either Direct Connect or the Site-to-Site VPN
Use case: multiple VPCs in the same region sharing the same Direct Connect

Direct Connect Gateway (DGW) in AWS

 DGW
Multiple Regions
Multiple Accounts
S2S VPN
Direct Connect
Transitive Routing
Globally Available
Route Segmentation

AWS Direct Connect Gateway (DGW) expands upon the capabilities of the Virtual Private Gateway (VGW), offering greater flexibility by enabling connectivity across different AWS regions. With DGW, you can connect Virtual Private Clouds (VPCs) in one AWS region to a Direct Connect connection that terminates in a different region. This helps simplify cross-region networking while keeping costs and complexity in check.

Key Features of DGW

  • Cross-Region Connectivity:
    DGW allows VPCs located in multiple AWS regions to share the same Direct Connect connection. This is a significant advancement over VGW, which restricts connectivity to VPCs within the same region. With DGW, enterprises can interconnect their AWS workloads spread across various regions using a single Direct Connect connection, improving efficiency and reducing operational overhead.

  • Non-Overlapping CIDR Blocks:
    One crucial requirement when using DGW is that the CIDR blocks of the connected VPCs must not overlap. If CIDR blocks overlap, routing conflicts can occur, leading to network communication issues. Ensuring unique address spaces across VPCs is essential for DGW to work properly.

  • Hub-and-Spoke Routing Model:
    Unlike traditional routing where traffic can flow directly between VPCs, DGW enforces a hub-and-spoke model. Traffic from one VPC (VPC-A) will not route directly to another VPC (VPC-B) via the DGW. Instead, the traffic follows this path:

    VPC-A > Direct Connect > Data Center Router > Direct Connect > VPC-B.

    This model ensures that inter-VPC communication via Direct Connect is controlled through your data center, providing an extra layer of security and routing control.

Benefits of Using DGW

  • Simplified Cross-Region Networking:
    DGW eliminates the need for setting up and managing multiple Direct Connect connections in each AWS region where you have VPCs. Instead, a single Direct Connect connection can serve VPCs across various regions, simplifying the architecture while lowering costs.
  • Centralized Network Control:
    By routing traffic through your on-premises data center, DGW allows you to maintain centralized control over the routing and security of your network. This enables more granular control over traffic flows and security policies for workloads distributed across multiple AWS regions.
  • Cost Savings:
    The ability to connect multiple VPCs across regions to a single Direct Connect connection reduces the need for redundant networking infrastructure. This leads to significant cost savings, especially for organizations with a global AWS footprint.

DGW Use Cases

  • Multi-Region Architectures:
    DGW is ideal for organizations that run workloads in multiple AWS regions and want to streamline their network infrastructure. With DGW, you can create a unified, cost-efficient network architecture where all your VPCs across regions are connected to a single Direct Connect connection.
  • Hybrid Cloud Environments:
    For hybrid cloud setups, DGW allows businesses to extend their on-premises data center into multiple AWS regions using a single connection. This ensures consistent performance and security, while minimizing the complexity of managing connections in each region.
  • Disaster Recovery and Failover:
    DGW is also useful for disaster recovery architectures. With VPCs in different regions, you can easily failover workloads between regions while maintaining a reliable connection to your on-premises infrastructure through DGW.

How Traffic Flows with DGW

In a DGW setup, traffic follows a specific route when connecting VPCs across regions:

  • Step 1: Traffic from VPC-A travels over Direct Connect to your on-premises Data Center Router.
  • Step 2: The data center routes the traffic back through Direct Connect to VPC-B in the target region.

This hub-and-spoke design provides centralized control over inter-VPC communication and ensures traffic routing is managed securely through your on-premises network.

DGW plays a crucial role in simplifying multi-region networking and optimizing costs, making it a valuable solution for businesses with workloads distributed across multiple AWS regions.

Multiple VPCs spread across multiple regions sharing the same Direct Connect
Use case: multiple VPCs spread across multiple regions sharing the same Direct Connect

Transit Gateway (TGW) in AWS

 DGW
Multiple Regions
Multiple Accounts
S2S VPN
Direct Connect
Transitive Routing
Globally Available
Route Segmentation

AWS Transit Gateway (TGW) is a highly scalable and flexible networking solution that simplifies the process of connecting multiple VPCs and on-premises networks. TGW builds on the capabilities of previous AWS offerings, such as Virtual Private Gateway (VGW) and Direct Connect Gateway (DGW), by providing centralized routing and improved network management, making it ideal for large-scale AWS environments.

Key Features of Transit Gateway

  • Centralized Routing Hub:
    TGW acts as a central hub for routing traffic between multiple VPCs and on-premises environments. Instead of managing peering connections between each VPC, TGW allows you to create a hub-and-spoke model where VPCs connect to a single Transit Gateway, simplifying routing and reducing network complexity.
  • Scalable Bandwidth with VPN Connections:
    Each Site-to-Site VPN connection in TGW is limited to 1.25 Gbps of throughput. If your network traffic exceeds this threshold, TGW allows you to scale by adding multiple VPN connections. Using Equal-Cost Multi-Path (ECMP) routing, TGW can distribute traffic across multiple VPN connections, providing greater aggregate bandwidth beyond 1.25 Gbps and improving the overall performance of your network.
  • Support for AWS Direct Connect:
    Initially, TGW didn’t support AWS Direct Connect, but this limitation has been removed. Now, TGW can integrate with Direct Connect, enabling high-bandwidth, low-latency connections between on-premises networks and AWS environments, while benefiting from TGW’s centralized routing capabilities.
  • AWS Resource Access Manager (RAM) Integration:
    TGW can be shared across multiple AWS accounts using AWS Resource Access Manager (RAM). This is especially useful for organizations with multi-account strategies, as it allows centralized routing management across accounts while keeping security and segmentation intact.
  • Inter-Region Peering:
    TGW now supports Inter-Region Peering, enabling VPCs in different AWS regions to communicate directly with each other without having to go through the public internet or back through an on-premises data center. This feature is ideal for multi-region deployments, reducing latency and improving performance in cross-region traffic.

Advanced Routing Capabilities

  • CIDR Overlap Support:
    Unlike earlier solutions such as VGW and DGW, TGW allows CIDR block overlap. This is made possible by the ability to use multiple route tables. Each VPC connected to TGW can be associated with its own route table, enabling you to isolate and segment traffic between VPCs. This feature provides a Virtual Routing and Forwarding (VRF)-like capability, which is useful for creating multiple isolated routing domains, improving security and traffic management.
  • Avoiding Hairpin Routing:
    A major advantage of TGW over VGW and DGW is the elimination of hairpin routing. In VGW and DGW, traffic between VPCs often needed to traverse through an on-premises data center before returning to AWS, resulting in added latency and complexity. With TGW, VPCs can communicate directly with each other through the Transit Gateway without needing to route traffic back to the on-premises router, significantly reducing latency and improving the performance of VPC-to-VPC communication.

Use Cases for Transit Gateway

  • Multi-VPC Environments:
    TGW is ideal for enterprises with a large number of VPCs spread across multiple accounts. It simplifies the network architecture by acting as a centralized hub, eliminating the need for complex VPC peering setups and reducing management overhead.
  • Hybrid Cloud Architectures:
    For organizations that use a hybrid cloud approach, TGW provides seamless integration between on-premises data centers and AWS environments. With the support of Direct Connect and VPN, TGW enables secure and scalable connections between on-premises infrastructure and AWS VPCs.
  • Global Workloads with Inter-Region Traffic:
    TGW’s inter-region peering feature makes it an excellent choice for organizations running workloads across multiple AWS regions. By enabling direct, secure communication between regions, TGW ensures low-latency connectivity and improved performance for global applications.
  • Traffic Segmentation and Isolation:
    With the ability to leverage multiple route tables, TGW is perfect for scenarios where traffic segmentation is crucial. For example, you can create isolated routing domains for different business units or teams within your organization, ensuring that traffic is securely segmented and properly managed.

VPN Bandwidth Scaling with ECMP

  • Step 1: If your VPN throughput requirements exceed 1.25 Gbps, you can add multiple VPN connections to Transit Gateway.
  • Step 2: TGW will use ECMP to balance the traffic load across all available VPN connections, allowing you to aggregate the bandwidth and scale your network’s capacity.

This approach allows organizations to scale their VPN performance cost-effectively without needing to invest in dedicated high-throughput solutions.

AWS Transit Gateway (TGW) is a powerful networking service that simplifies and enhances network connectivity across VPCs, regions, and on-premises environments. Its ability to support advanced routing capabilities, coupled with features like ECMP, inter-region peering, and centralized routing management, makes TGW an essential tool for modern, scalable AWS cloud architectures.

Multiple VPCs in the same region sharing the same Direct Connect
Use case: multiple VPCs in the same region, across different AWS accounts using the same Direct Connect

AWS and Megaport

By using Megaport’s Software Defined Network (SDN), you can streamline your AWS connectivity for on-demand provisioning, tighter security, and improved network performance.

When you use Megaport’s SDN, you can also connect your AWS instances to other cloud providers with Megaport Cloud Router (MCR), and achieve branch-to-cloud AWS connectivity with one of our SD-WAN integration partners on Megaport Virtual Edge (MVE).

For more information on connecting to AWS via Megaport and designing the right network architecture for your business, get in touch with our team here.

Related Posts

Megaport Success Stories: Mylene Dupaya

Megaport Success Stories: Mylene Dupaya

One of the masterminds behind Megaport’s industry-leading solutions has shared how she’s helping the company scale up and scale out – and loving every moment.

Read More
Connectivity Simplified: 5 IT Challenges Made Easier with Megaport

Connectivity Simplified: 5 IT Challenges Made Easier with Megaport

Building connections to and between the services that power your business should be easy.

Read More
Automate Your Multicloud with the Megaport Terraform Provider

Automate Your Multicloud with the Megaport Terraform Provider

With Megaport’s Terraform Provider, you can now easily automate the provisioning and management of your Megaport resources, lowering deployment costs and reducing provisioning time by using Infrastructure as Code (IaC).

Read More