Comparison: AWS Direct Connect vs. VPN

AWS (Amazon Web Services) provides you with a variety of services to connect your on-premises infrastructure to the Amazon VPC (Virtual Private Cloud), which also offers a route to creating a hybrid cloud. You can utilize AWS Site-to-Site VPN (Virtual Private Network) or AWS Direct Connect services to do this. Although both are useful options, you may find that one or both of them are more suitable for your business needs.

In this blog post, you will learn more about the differences and benefits of AWS Site-to-Site VPN and AWS Direct Connect, so you can decide which service is useful to you or whether you need to combine them.

We also have a video about this topic.

AWS Direct Connect vs. AWS Site-to-Site VPN

Before comparing these two services, it is necessary to understand what they do.

What AWS Direct Connect and AWS Site-to-Site VPN are

AWS Direct Connect

AWS Direct Connect is a high-speed, low-latency connection that allows you to access public and private AWS Cloud services from your local (on-premises) infrastructure. The connection is enabled via dedicated lines and bypasses the public Internet to help reduce network unpredictability and congestion.


In one of our previous blog posts, we looked at AWS Direct Connect: its benefits, how it works, and how you can establish it. Learn more here: What is AWS Direct Connect?

AWS Site-to-Site VPN

Sometimes called AWS-managed VPN, AWS Site-to-Site VPN is a hardware IPsec VPN that enables you to create an encrypted connection between Amazon VPC and your private IT infrastructure over the public Internet. VPN connections allow you to extend existing on-premises networks to your VPC as if they were running in your infrastructure.


The key differences between AWS Direct Connect and VPN

Here are the key differences between AWS Direct Connect and AWS Site-to-Site VPN:

1. Connection and network:

  • AWS VPN performance can reach 4 Gbps or less, whereas the performance of Direct Connect starts from 50 Mbps and expands to 100 Gbps.
  • AWS Direct Connect does not fluctuate and provides a consistent network experience, while AWS VPN runs over shared, public networks, so its bandwidth and latency fluctuate.

2. Pricing:

  • Compared with AWS Direct Connect, the cost of an AWS VPN is lower. In addition, there is a VPN option priced by connection hour, which is not available in AWS Direct Connect.

3. Security:

  • AWS Direct Connect does not encrypt your traffic in transit by default. In AWS Site-to-Site VPN, the connection is encrypted between the customer network and the AWS VPC.
  • AWS Direct Connect provides higher security and is the first choice for companies that require higher security standards. VPN brings up more security concerns because the traffic is sent via the public Internet network instead of a private dedicated network.

4. Time to establish:

  • Companies that are new to AWS Cloud can use VPN, as it is easier to set up and faster to install than AWS Direct Connect. Companies that need higher security and stable network performance can use AWS Direct Connect, but its installation requires an experienced team, and setup is not as easy as with AWS VPN.

AWS Direct Connect advantages over AWS Site-to-Site VPN

AWS VPN offers encrypted connectivity, but what it doesn’t usually offer is low latency or a consistent network experience, since the public Internet is a shared network, and therefore unpredictable.

AWS VPN connectivity isn’t very scalable since VPN tunnels are limited to a maximum bandwidth of 1.25 Gbps.

This is where AWS Direct Connect helps. You can get highly scalable connections of up to 100 Gbps. Since the connections are dedicated, you get higher and more consistent network performance and greater inherent security in accessing your AWS resources.

AWS Site-to-Site VPN advantages over AWS Direct Connect

AWS Site-to-Site VPN provides high availability by default by using two tunnels that span multiple Availability Zones within the AWS global network. You can send the main traffic through the first tunnel and keep the second tunnel for redundancy, so if one tunnel fails, the traffic continues to flow. To achieve the same with AWS Direct Connect, you need to create two or more AWS Direct Connect connections or create a failover backup connection using AWS VPN.

Deployment of AWS Site-to-Site VPN is easy and doesn’t take as much time as AWS Direct Connect. It also uses IP security (IPsec) to establish secure and private sessions.

AWS Direct Connect vs. AWS Site-to-Site VPN use cases

Let’s look at which service is useful for specific use cases, but don’t forget that you can combine them.

  • AWS Direct Connect is an excellent choice for businesses seeking a secure, ultra-low latency, and high bandwidth connection to AWS. Although configuring AWS Direct Connect may sometimes take more time, once a connection is established, it is worth it because the network performance is easy to predict, and you can save on data transfer costs.
  • AWS Site-to-Site VPN is a great connection option for businesses that are just starting to use AWS. It is quick and easy to set up. But keep in mind that the VPN connection normally uses the public Internet, which may have unpredictable performance, and although it is encrypted, there may still be security concerns.

AWS Direct Connect + AWS Site-to-Site VPN

Secure your AWS Direct Connect connection with AWS VPN

You can combine AWS Direct Connect connections with AWS Site-to-Site VPN. This solution pairs the end-to-end IPsec encryption of AWS VPN for data flowing through the network with the low latency and increased bandwidth of AWS Direct Connect, providing a more consistent network experience than internet-based VPN connections.


Visit this official AWS article to get started with AWS Direct Connect and AWS VPN.

Lower cost backup

Another option is to combine AWS Direct Connect and AWS Site-to-Site VPN to achieve high availability and resiliency of your network by leveraging the benefits of AWS Direct Connect connections for your primary connectivity to AWS, coupled with a lower-cost backup connection. To achieve this, you can establish AWS Direct Connect connections with an AWS VPN backup. But make sure that your AWS VPN connection can handle the failover traffic from AWS Direct Connect.


Visit the official AWS example of an AWS VPN connection as a backup to an AWS DX connection for more information.
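The sizing check from the paragraph above, as an added example that is not part of the original article or of any AWS tooling: it tests throughput samples from the Direct Connect link against a single VPN tunnel at the 1.25 Gbps ceiling quoted earlier. The sample values, the 80% headroom factor and all function names are assumptions made for illustration.

```python
import math
from dataclasses import dataclass

# Per-tunnel ceiling quoted in this article for AWS Site-to-Site VPN.
VPN_TUNNEL_GBPS = 1.25

@dataclass
class FailoverReport:
    peak_gbps: float
    p95_gbps: float
    saturated_fraction: float  # share of samples above the backup capacity
    fits: bool                 # p95 stays within capacity * headroom

def percentile(values, pct):
    """Nearest-rank percentile of a non-empty list."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]

def assess_failover(samples_gbps, backup_gbps=VPN_TUNNEL_GBPS, headroom=0.8):
    """Judge whether the backup path could carry the observed primary load.

    headroom is an assumed safety factor (hypothetical, tune to your policy):
    the 95th percentile must stay under backup_gbps * headroom.
    """
    if not samples_gbps:
        raise ValueError("need at least one throughput sample")
    if min(samples_gbps) < 0:
        raise ValueError("throughput cannot be negative")
    p95 = percentile(samples_gbps, 95)
    over = sum(1 for s in samples_gbps if s > backup_gbps)
    return FailoverReport(
        peak_gbps=max(samples_gbps),
        p95_gbps=p95,
        saturated_fraction=over / len(samples_gbps),
        fits=p95 <= backup_gbps * headroom,
    )

# Constructed samples: average Gbps on the Direct Connect link per interval.
BUSY_LINK = [0.4, 0.5, 0.6, 0.9, 1.1, 1.4, 1.8, 2.2, 1.6, 0.8, 0.5, 0.3]
QUIET_LINK = [0.2, 0.3, 0.5, 0.7, 0.6, 0.4]

if __name__ == "__main__":
    for name, samples in (("busy", BUSY_LINK), ("quiet", QUIET_LINK)):
        r = assess_failover(samples)
        print(f"{name}: peak={r.peak_gbps} p95={r.p95_gbps} "
              f"saturated={r.saturated_fraction:.0%} fits={r.fits}")
```

A link that fails the check would congest the backup tunnel during failover, so the choices are a second Direct Connect connection or traffic prioritisation on the VPN path.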


As businesses migrate to the cloud, strong connectivity between their on-premises network and AWS Cloud is often an early consideration. AWS Direct Connect provides a more consistent network experience for accessing your AWS resources, usually with greater bandwidth and lower network costs. However, AWS Site-to-Site VPN can be a very quick and easy way to secure your network and create this type of connection.
