AWS VPN vs Direct Connect vs Transit GW
Compare bandwidth, latency, and cost.
Comparing AWS Connectivity Options
Connecting your on-premises infrastructure to AWS is a critical architectural decision. VPN, Direct Connect, and Transit Gateway each serve different needs for bandwidth, latency, reliability, and cost. This guide helps you choose the right solution — or combination of solutions.
AWS Site-to-Site VPN
- Bandwidth: Up to 1.25 Gbps per IPsec tunnel (each connection has two tunnels). Transit Gateway can ECMP across tunnels and connections to aggregate throughput (2.5 Gbps across two tunnels, more with additional connections); a virtual private gateway does not ECMP, so 1.25 Gbps is the ceiling there
- Latency: Variable, depends on internet path (20-100ms typical)
- Setup time: Hours
- Cost: $0.05/hour per connection (~$36/month) + data transfer out at internet rates
- Encryption: IPsec (always encrypted)
Best for: Quick connectivity, backup path, low-bandwidth workloads, proof of concept.
AWS Direct Connect
- Bandwidth: 1 Gbps, 10 Gbps, or 100 Gbps dedicated; 50 Mbps to 10 Gbps hosted
- Latency: Consistent and predictable; the absolute figure is set by the fiber distance from the Direct Connect location to the region (low single-digit milliseconds when the DX location is close to the region)
- Setup time: 2-12 weeks (physical cross-connect required)
- Cost: Port fee (roughly $220/month for a 1 Gbps dedicated port up to about $16,500/month for 100 Gbps) + data transfer out at a per-GB rate well below internet egress; the cross-connect and the carrier circuit to the DX location are billed separately by the colocation provider and carrier
- Encryption: Not encrypted by default. Add MACsec for link-layer encryption (available only on 10 Gbps and 100 Gbps dedicated connections at supported locations), or run an IPsec Site-to-Site VPN over the connection (via a public VIF, or Private IP VPN over a transit VIF)
Best for: High-bandwidth workloads, latency-sensitive applications, consistent performance, large data transfers.
Transit Gateway
- Purpose: Hub-and-spoke networking for multiple VPCs, VPNs, and Direct Connect
- Bandwidth: Up to 50 Gbps per Availability Zone for each VPC attachment; VPN attachments remain bound by the 1.25 Gbps per-tunnel limit unless ECMP is enabled on the Transit Gateway
- Cost: $0.05/hour per attachment (~$36/month) + $0.02/GB processed (us-east-1 pricing); both apply on top of the VPN or Direct Connect charges
Best for: Multi-VPC architectures, centralized routing, network segmentation at scale.
Decision Matrix
| Requirement | VPN | Direct Connect | TGW + VPN | TGW + DX |
|---|---|---|---|---|
| Bandwidth <1 Gbps | ✅ | ✅ | ✅ | ✅ |
| Bandwidth >1 Gbps | ❌ | ✅ | ⚠️ only with ECMP across tunnels | ✅ |
| Low latency (<5ms) | ❌ | ✅ | ❌ | ✅ |
| Quick setup | ✅ | ❌ | ✅ | ❌ |
| Multi-VPC access | ❌ | ⚠️ up to 20 VGWs per DX gateway, no transitive routing | ✅ | ✅ |
| Encryption built-in | ✅ | ❌ | ✅ | ❌ |
| Cost (low traffic) | $ | $$ | $$ | $$$ |
Common Architecture: DX + VPN Backup
The most resilient hybrid architecture combines Direct Connect (primary) with VPN (backup):
On-premises → Direct Connect → Transit Gateway → VPCs (primary path)
On-premises → Site-to-Site VPN → Transit Gateway → VPCs (backup path)
Both paths advertise the same on-premises prefixes over BGP. For equal prefix lengths, Transit Gateway prefers routes propagated from the Direct Connect gateway over routes propagated from VPN attachments, so AWS-to-on-premises traffic follows Direct Connect as long as its BGP session is up. On the on-premises side, set a higher BGP local preference on the DX session (or AS-path prepend the advertisements sent over the VPN) so outbound traffic does the same. Failover happens when the DX BGP session drops: with default timers that takes up to the BGP hold time (90 seconds on Direct Connect), so enable BFD on the DX virtual interface to detect a failure in about a second. Two checks matter here: advertise the same prefixes (never more specific ones) over the VPN, because longest-prefix match beats attachment preference and a leaked /24 over the VPN would pull traffic off DX while it is healthy, and test the failover by shutting the DX BGP session rather than assuming it works.
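The route selection that produces the behaviour above can be modelled to check a design before anyone cuts a BGP session. The following Python is an added example written for this guide, not AWS code and not part of the original page; it implements longest-prefix match followed by the precedence AWS documents for Transit Gateway route tables (static before propagated; among propagated routes, VPC, Direct Connect gateway, Transit Gateway Connect, VPN, then peering) over a constructed route table with hypothetical attachment IDs. It shows the DX-up case, the DX-down ECMP case over two VPN connections, and the route-leak caveat where a more specific prefix advertised over the VPN wins while DX is still healthy.

```python
import ipaddress
from dataclasses import dataclass, replace

# Precedence among propagated routes to the same prefix, most preferred first.
# This mirrors the evaluation order AWS documents for Transit Gateway route
# tables; longest prefix match is applied first and static routes always beat
# propagated routes. Assumption: the table is current for your region.
PROPAGATED_PREFERENCE = ["vpc", "direct-connect-gateway", "connect", "vpn", "peering"]


@dataclass(frozen=True)
class Route:
    prefix: str            # destination CIDR, e.g. "192.168.0.0/16"
    attachment_id: str     # hypothetical attachment id, e.g. "tgw-attach-dx"
    attachment_type: str   # one of PROPAGATED_PREFERENCE
    static: bool = False   # True for a static entry in the TGW route table
    active: bool = True    # False once the BGP session that propagated it is down


def select_routes(route_table, destination):
    """Routes the TGW would use for `destination`: longest matching prefix,
    static before propagated, then the most preferred attachment type.
    More than one route comes back only when several attachments of the
    same type advertise the same prefix (the ECMP case)."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in route_table
                  if r.active and dst in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return []
    longest = max(ipaddress.ip_network(r.prefix).prefixlen for r in candidates)
    candidates = [r for r in candidates
                  if ipaddress.ip_network(r.prefix).prefixlen == longest]
    if any(r.static for r in candidates):
        return sorted((r for r in candidates if r.static),
                      key=lambda r: r.attachment_id)
    best = min(PROPAGATED_PREFERENCE.index(r.attachment_type) for r in candidates)
    return sorted((r for r in candidates
                   if PROPAGATED_PREFERENCE.index(r.attachment_type) == best),
                  key=lambda r: r.attachment_id)


def with_attachment_down(route_table, attachment_id):
    """Model a BGP session loss: every route propagated by that attachment is withdrawn."""
    return [replace(r, active=False) if r.attachment_id == attachment_id else r
            for r in route_table]


def path_ids(route_table, destination):
    return [r.attachment_id for r in select_routes(route_table, destination)]


# Constructed route table: on-prem 192.168.0.0/16 reachable over DX and over
# two VPN connections attached to the same TGW, plus one production VPC.
HYBRID_ROUTES = [
    Route("192.168.0.0/16", "tgw-attach-dx", "direct-connect-gateway"),
    Route("192.168.0.0/16", "tgw-attach-vpn-a", "vpn"),
    Route("192.168.0.0/16", "tgw-attach-vpn-b", "vpn"),
    Route("10.0.0.0/16", "tgw-attach-vpc-prod", "vpc"),
]

# A more specific prefix leaked over one VPN: wins on prefix length alone.
LEAKED_ROUTES = HYBRID_ROUTES + [Route("192.168.10.0/24", "tgw-attach-vpn-a", "vpn")]


if __name__ == "__main__":
    print("DX up:      ", path_ids(HYBRID_ROUTES, "192.168.10.5"))
    print("DX down:    ", path_ids(with_attachment_down(HYBRID_ROUTES, "tgw-attach-dx"),
                                   "192.168.10.5"))
    print("leaked /24: ", path_ids(LEAKED_ROUTES, "192.168.10.5"))
```

The DX-down case returns both VPN attachments, which is what the TGW load-balances across only when ECMP is enabled on it; with ECMP off, one of them carries everything. The leaked /24 result is the one to watch for in a real deployment: filter what the on-premises router is allowed to advertise over the VPN so it cannot out-specify the DX advertisements.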
Cost Optimization Tips
- Use hosted connections — If you don't need a full dedicated port, hosted connections from AWS Direct Connect Partners start at 50 Mbps
- Minimize data transfer out — Transfer into AWS is free over either path; it is transfer out that costs, and the Direct Connect per-GB rate is a fraction of the internet egress rate
- Share DX with Transit Gateway — One DX connection can serve all VPCs via TGW
- Use VPN for dev/staging — Reserve Direct Connect bandwidth for production
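Whether the port fee is worth it comes down to monthly egress volume, so it is worth computing the break-even point rather than guessing. The following Python is an added example written for this guide, not from the page or from AWS; the prices in it are assumptions based on us-east-1 list pricing at the time of writing (VPN connection $0.05/hour, 1 Gbps dedicated port $0.30/hour, Direct Connect egress to a US location $0.02/GB, tiered internet egress with the first 100 GB free) and must be checked against the AWS pricing pages before being relied on. It ignores cross-connect and carrier circuit costs, and Transit Gateway charges, which apply equally to both paths when both hang off a TGW.

```python
# Assumed us-east-1 list prices at the time of writing; verify against the
# AWS pricing pages before using these numbers for a decision.
HOURS_PER_MONTH = 730
VPN_HOURLY = 0.05            # per Site-to-Site VPN connection
DX_1G_PORT_HOURLY = 0.30     # 1 Gbps dedicated Direct Connect port
DX_EGRESS_PER_GB = 0.02      # data transfer out over DX to a US location
# Internet data transfer out, (GB in tier, $/GB): first 100 GB free, then
# 10 TB at $0.09, next 40 TB at $0.085, next 100 TB at $0.07, rest at $0.05.
INTERNET_EGRESS_TIERS = [
    (100, 0.0),
    (10 * 1024, 0.09),
    (40 * 1024, 0.085),
    (100 * 1024, 0.07),
    (float("inf"), 0.05),
]


def tiered_cost(gb, tiers):
    """Charge `gb` of monthly egress across volume tiers in order."""
    cost, remaining = 0.0, gb
    for size, rate in tiers:
        take = min(remaining, size)
        cost += take * rate
        remaining -= take
        if remaining <= 0:
            break
    return cost


def monthly_vpn_cost(egress_gb):
    # Site-to-Site VPN rides the internet, so egress is billed at internet rates.
    return VPN_HOURLY * HOURS_PER_MONTH + tiered_cost(egress_gb, INTERNET_EGRESS_TIERS)


def monthly_dx_cost(egress_gb):
    # Port fee plus flat per-GB egress. Transfer in is free on both paths;
    # cross-connect and carrier circuit charges are extra and not modelled.
    return DX_1G_PORT_HOURLY * HOURS_PER_MONTH + egress_gb * DX_EGRESS_PER_GB


def break_even_gb(step=10, limit=10_000_000):
    """Smallest monthly egress (in `step` GB increments) at which a 1 Gbps DX
    port costs no more than a VPN connection, or None if it never does."""
    gb = 0
    while monthly_dx_cost(gb) > monthly_vpn_cost(gb):
        gb += step
        if gb > limit:
            return None
    return gb


def compare(egress_gb):
    """Return (vpn_cost, dx_cost, cheaper) for one month at `egress_gb` of transfer out."""
    vpn, dx = monthly_vpn_cost(egress_gb), monthly_dx_cost(egress_gb)
    return round(vpn, 2), round(dx, 2), "vpn" if vpn < dx else "dx"


if __name__ == "__main__":
    print("break-even egress per month:", break_even_gb(), "GB")
    for gb in (500, 2_000, 5_000, 20_000):
        vpn, dx, cheaper = compare(gb)
        print(f"{gb:>6} GB/month: VPN ${vpn:>8.2f}  DX ${dx:>8.2f}  -> {cheaper}")
```

With these assumptions the crossover sits around 2.7 TB of egress per month, and the gap widens quickly past it because the internet tiers stay far above $0.02/GB until very large volumes. Below the crossover the VPN is cheaper and the only reasons to buy Direct Connect are latency, throughput, or consistency, which is the "start with VPN, grow to Direct Connect" path in practice.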
Eazy SaaS Tip: We design hybrid connectivity with a "start with VPN, grow to Direct Connect" approach. VPN provides immediate connectivity while Direct Connect is being provisioned, and then becomes the automatic backup path.