VPN vs Direct Connect vs Interconnect: Hybrid Connectivity Guide

Connecting on-premise data centers to cloud requires careful planning. VPN is quick to deploy but has limitations; Direct Connect provides dedicated bandwidth but takes months to provision. This guide compares all options across AWS, Azure, and GCP.

Connectivity Options Overview

Characteristic	VPN	Direct Connect / ExpressRoute / Interconnect
Setup time	Minutes to hours	Weeks to months
Bandwidth	Up to 1.25 Gbps per tunnel	1 Gbps to 100 Gbps
Latency	Variable (internet path)	Consistent (dedicated path)
Reliability	Internet-dependent	SLA-backed (99.9-99.99%)
Cost	Per-hour VPN gateway + egress	Port fee + egress (usually lower rate)
Security	Encrypted over internet	Private network (can add encryption)

VPN Connectivity

How VPN Works

On-Premise Gateway          Cloud VPN Gateway
       │                            │
       │←──── IPSec Tunnel ────────►│
       │    (over public internet)  │
       │                            │
[Data Center]                     [VPC]

Encrypted tunnel over public internet
Uses IPSec (IKEv1 or IKEv2)
Two tunnels for redundancy (active/passive or active/active)

AWS Site-to-Site VPN

Virtual Private Gateway: Managed VPN endpoint in VPC
Transit Gateway: Centralized VPN for multiple VPCs
Bandwidth: 1.25 Gbps per tunnel (ECMP for more)
Cost: $0.05/hour per connection + egress

Azure VPN Gateway

SKUs: Basic to VpnGw5 (10 Gbps aggregate)
Active-Active: Two tunnels to different gateways
Zone redundant: Available for higher SKUs

GCP Cloud VPN

HA VPN: 99.99% SLA with two interfaces
Bandwidth: 3 Gbps per tunnel
Dynamic routing: BGP with Cloud Router

When to Use VPN

Quick setup needed (proof of concept, development)
Low bandwidth requirements (<1 Gbps)
Variable/intermittent traffic patterns
Backup connectivity for dedicated connection
Cost-sensitive workloads

Dedicated Connectivity

AWS Direct Connect

On-Premise Router
        │
        │ (physical cross-connect)
        ▼
Direct Connect Location (colocation)
        │
        │ (AWS network)
        ▼
Direct Connect Gateway → VPCs (multiple regions)

Port speeds: 1 Gbps, 10 Gbps, 100 Gbps
Virtual interfaces: Private VIF (VPCs), Public VIF (AWS services), Transit VIF (Transit Gateway)
LAG: Link Aggregation for higher bandwidth

Azure ExpressRoute

Circuit sizes: 50 Mbps to 100 Gbps
Peering: Microsoft (M365, public services), Private (VNets)
Global Reach: Connect on-prem sites via Microsoft backbone
FastPath: Bypass gateway for ultra-low latency

GCP Cloud Interconnect

Dedicated: 10 Gbps or 100 Gbps physical connection
Partner: Via service provider (50 Mbps - 50 Gbps)
Cross-Cloud: Direct connection to AWS/Azure

Partner/Hosted Connectivity

Not in a colocation facility? Use a partner:

How Partner Connectivity Works

On-Premise
    │
    │ (WAN provider network)
    ▼
Partner Location (Equinix, Megaport, etc.)
    │
    │ (cross-connect to cloud)
    ▼
Cloud Network

Options

AWS Direct Connect Partners: Equinix, Megaport, etc.
Azure ExpressRoute Partners: Equinix, AT&T, Verizon, etc.
GCP Partner Interconnect: Same ecosystem

Virtual Connectivity Providers

Megaport: Software-defined networking across clouds
Equinix Fabric: Multi-cloud interconnect
PacketFabric: Automated provisioning

Redundancy Patterns

VPN Redundancy

Two tunnels from single customer gateway (AWS default)
Two customer gateways to different ISPs
Active-active for higher throughput (ECMP)

Direct Connect Redundancy

High Availability:
- Two connections at same DX location (different routers)

Maximum Resiliency:
- Two connections at different DX locations
- Example: Equinix DC1 + CoreSite DC2

Hybrid: Primary Direct Connect, VPN Backup

Direct Connect as primary path
VPN as automatic failover
BGP prefers Direct Connect (lower MED, shorter AS path)
VPN activates within seconds of Direct Connect failure

Routing with BGP

Both VPN (optional) and Direct Connect use BGP for dynamic routing:

BGP Considerations

ASN: Use private ASN (64512-65534) if you don't have public
Prefix limits: Cloud providers limit advertisements (100-200 typical)
Route manipulation: AS-path prepending, local preference for traffic engineering

See our BGP best practices guide for detailed configuration.

Cost Comparison

VPN Cost

AWS VPN:
- VPN connection: $0.05/hour (~$36/month)
- Data transfer: Standard egress rates

Monthly for 500 GB transfer:
Connection: $36 + Egress: ~$45 = ~$81/month

Direct Connect Cost

AWS Direct Connect (1 Gbps):
- Port fee: $0.30/hour (~$220/month)
- Outbound: $0.02/GB (vs $0.09 internet egress)

Monthly for 5 TB transfer:
Port: $220 + Egress: $100 = $320/month
(vs $220 + $450 = $670 via internet)

Direct Connect often cheaper at scale due to lower egress rates.

Decision Framework

Choose VPN When:

✅ Bandwidth < 1 Gbps
✅ Quick setup required
✅ Variable/bursty traffic
✅ Backup for dedicated connection
✅ Budget is primary constraint

Choose Direct Connect When:

✅ Bandwidth > 1 Gbps
✅ Consistent latency required
✅ High data transfer volumes
✅ SLA requirements
✅ Compliance (private network)

Key Takeaways

VPN is fast to deploy, Direct Connect takes weeks/months
Direct Connect provides consistent latency and higher bandwidth
Partner/hosted options available if you're not in colocation
Best practice: Direct Connect primary, VPN backup
Direct Connect egress rates often make it cost-effective at scale

Need Hybrid Connectivity Design?

We design resilient hybrid network architectures. Contact us for a consultation.