So, you want to have private access to your EC2 instances within your VPC. How does one accomplish this? Today, I’ll be going over three options:
- Bastion/Jump Hosts
- Direct Connects.
Each can serve as options to access your instances/services. However, some options may be better for certain use cases.
Bastion Hosts/Jump Host
A bastion host (sometimes called a jump box or jump host) is a security hardened EC2 host sitting in a public subnet of your VPC. When a user logs in to the host, they can use that host to login to private hosts within your VPC. This is usually accomplished through SSH (for Linux) or RDP (for Windows). Each host that you access through your private network must have security group rules to allow the jump host to access the private instance.
Is this the solution for you?
This solution would be ideal if you do not require direct, private access to resources in your VPC, if you don’t require large sets of data to be transferred to or from your instances, or if you don’t have a need for a dedicated connection for site-to-site connectivity. It can be a potentially low-cost solution because the only charges incurred for this option are for the bastion hosts that are deployed, as well as the small amount of data transfer back to your local computer. However, keep in mind that you will need to manage high availability of your bastion instances.
VPNs create a private, encrypted tunnel over the internet to your VPC. These can be AWS managed or software VPNs. VPNs are a good option if network traffic needs to be routed from your corporate data center to your VPC. You can utilize static routes or dynamic routing protocols to establish network paths.
Because VPNs use the public internet, you will pay data transfer charges that are classified as internet traffic coming out of your VPC (charged at $0.09/GB). VPNs are also subject to variability in network latency as routing of these connections is at the mercy of the world’s ISPs.
AWS Managed VPNs
AWS provides a hardware VPN service that utilizes IPsec tunnels. This service is already highly available on the AWS side, and provides redundant IPsec tunnels to the customer. This allows you to implement HA in your corporate data center. All you need to worry about is managing your side of the tunnel. AWS managed VPNs will automatically scale up to accommodate larger bandwidth on the AWS side of the connection. These tunnels support static routes or dynamic routing through Border Gateway Protocol (BGP).
The only charges for utilizing AWS managed VPNs are for the time your VPN tunnels are connected ($0.05/hour per VPN) and for the data transfer out of your VPC to the internet. Setup of managed VPNs is accomplished through the console and is a very similar process to configuring Direct Connect connections.
Is this solution for you?
AWS managed VPNs may be a good option for you if you require your VPC and corporate networks to be able to route to each other, don’t plan on transferring too much data back to your corporate data center, or don’t want to manage both ends of the VPN tunnels. Managed VPNs may also be a good option if you are planning to utilize a Direct Connect in the future because management of VPNs and Direct Connects in the AWS console are closely related.
As an alternative to a managed VPN service, you can configure EC2 instances to manage the AWS side of a VPN tunnel. This gives you the flexibility of utilizing different VPN options (LT2P, IPsec, IKEv2, SSTP, OpenVPN, etc.) and routing protocols (BGP, OSPF, etc.). While you can build your own VPN servers by creating a custom AMI with preconfigured software, you can also utilize AWS Marketplace AMIs made by Cisco, Juniper, Palo Alto, and others to implement your VPN solution. These AMIs will have a similar feel to the hardware appliances provided by these vendors.
You will be charged for the cost of the EC2 instances that are running the VPNs, data transfer out of your VPC to the internet, and licensing costs (if using an applicable AWS Marketplace AMI). You will also need to manage the high availability of both ends of the VPN tunnels (AWS and the data centers). You will need to size your VPN instances appropriately to handle your desired max throughput. However, you will be granted greater flexibility to utilize the VPN and routing protocols of your choice.
Is this solution for you?
If having the ability to choose the VPN and routing protocols of your choice is required, or if running a virtual appliance provided by the same vendor as your on-premises hardware is desirable, then running a software VPN solution may be a good option over an AWS managed VPN. While this may be a slightly more expensive option (especially if licensing costs are factored in), it allows for greater flexibility.
Direct Connect is a service provided by AWS that allows you to run a dedicated connection from your corporate data center directly into AWS through an AWS Direct Connect location or through a partner in the AWS Partner Network. Available link speeds range between 50Mbps and 10Gbps. You can utilize multiple Direct Connect links in an active-active configuration to achieve even greater speeds. Direct Connect connections allow for low-latency and reliable throughput into your VPC. You can even utilize a Direct Connect to access all of your VPCs in different regions through Direct Connect Gateway.
Pricing is based on port-hour and data transfer. Data transfer charges are offered at potentially lower prices, depending on the region data is coming from and the location of the Direct Connect partner you are using (see here for more details). There is also the process of requesting a Direct Connect, signing contracts, and establishing a cross-connect to your data center. This process can potentially take weeks or months.
Here’s just one example on cost savings of a Direct Connect versus a VPN:
- If I had a VPN connection from my VPC in the Oregon region to my data center based in Denver and transferred 5TB of data out of my VPC in a month, I would be charged $450 for data transfer ($0.09/GB) and $36 for the VPN connection time ($0.05/connection-hour), so $486 total.
- In contrast, if I had a 1Gbps Direct Connect connection from my data center to the Oregon region and transferred the same amount of data out, I would be charged $100 for the 5TB of data transfer ($0.02/GB) and $216 for the port-hour charged ($0.30/port-hr), so $316 total. The result is $170 lower costs per month by utilizing a Direct Connect connection!
Earlier I mentioned that data transfer charges are potentially lower with Direct Connect. Depending on the region you are establishing a connection to, data transfer may cost more. Take the example above, but let’s say I want to establish my Direct Connect to the Sydney region instead of Oregon. The same 5TB of data transfer would cost me $650 ($0.13/hr) plus the $216 port-hour charge. Thus, making the total bill for the month $866 for Denver to Sydney versus $486 total for a VPN solution to the same region (although with much higher latency).
Is this solution for you?
Are you in need of low-latency connections to your VPC? Are you planning on transferring large amounts of data into and out of your VPC? Are you willing to wait a few weeks or months to establish a connection? If so, then a Direct Connect might be a good solution for you to help reduce overall costs.
Keep in mind that these three connection options are building blocks. You can combine methods to create additional security and/or more highly available connections. Here are just a few examples: Primary Direct Connect with a backup VPN for failover, Direct Connect coupled with bastion hosts for regulatory requirements, a combination of managed and software VPNs to create a transit VPC, and more!
Bastion hosts, VPNs, and Direct Connects are all ways to connect to your VPCs. Depending on your use case, you may choose one solution above another (e.g., high data transfer out would be cheaper using a Direct Connect instead of a VPN). Whatever you choose, make sure to think about your potential requirements as you scale in the next few years.
Do you need help connecting your data center to your VPCs? 1Strategy can help! Please feel free to contact us or shoot us an email at info@1Strategy.com to get more information.