Connecting the Datacenter to AWS: IPSec VPN or AWS Direct Connect?

Created On 09/25/18 15:12 PM - Last Modified 06/12/23 08:23 AM


Symptom


When looking at ways to connect the corporate datacenter to your AWS deployment, which should you use: AWS Direct Connect or IPSec VPN?



Resolution


Both AWS Direct Connect and an IPSec VPN provide secure connectivity between your datacenter and AWS. The AWS Direct Connect service provides a mechanism for customers to establish a dedicated network from their on-premises private cloud or datacenter to AWS.


This provides dedicated connectivity with the performance levels granted by the customer's service provider. The dedicated connection terminates on customer-managed hardware located in an AWS Direct Connect location. From that point, one or more 802.1q VLANs complete the connection into the customer VPCs.


In contrast, an IPsec VPN provides an encrypted tunnel from the datacenter all the way into the customer VPC, even when Direct Connect is used. This adds a layer of confidentiality and integrity protection for traffic on the dedicated link and also allows customers to extend their IP address schema into their AWS VPC. In this scenario, the hybrid cloud design looks no different from the perspective of the VM-Series firewall than if the internet were used instead of Direct Connect. This also simplifies routing: in the case of a failure, a dynamic routing protocol such as OSPF or BGP running over the tunnel can quickly reconverge with minimal downtime.


For maximum security and flexibility in a hybrid cloud architecture, IPsec tunnels terminating on the VM-Series firewall are recommended, even when Direct Connect is used. More information about the AWS Direct Connect service can be found here:
https://aws.amazon.com/directconnect/
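The recommended design, as an added illustrative PAN-OS configuration fragment (not part of this article): an IKEv2/IPsec tunnel on the VM-Series whose peer is the datacenter firewall reached across the Direct Connect VLAN, with eBGP over the tunnel interface so routes reconverge if the path fails. All names, interfaces, addresses and ASNs are assumptions; lines starting with # are explanatory and not CLI input, and command paths should be checked against the PAN-OS release in use.

```text
# IKE and IPsec crypto profiles (assumed names and algorithms)
set network ike crypto-profiles ike-crypto-profiles ike-dc-profile encryption aes-256-cbc
set network ike crypto-profiles ike-crypto-profiles ike-dc-profile hash sha256
set network ike crypto-profiles ike-crypto-profiles ike-dc-profile dh-group group14
set network ike crypto-profiles ipsec-crypto-profiles ipsec-dc-profile esp encryption aes-256-gcm
set network ike crypto-profiles ipsec-crypto-profiles ipsec-dc-profile esp authentication none
set network ike crypto-profiles ipsec-crypto-profiles ipsec-dc-profile dh-group group14

# IKEv2 gateway: local interface ethernet1/1, peer is the datacenter firewall (10.200.0.1 is assumed)
set network ike gateway dc-gw protocol version ikev2
set network ike gateway dc-gw local-address interface ethernet1/1
set network ike gateway dc-gw peer-address ip 10.200.0.1
set network ike gateway dc-gw authentication pre-shared-key key PSK_PLACEHOLDER
set network ike gateway dc-gw protocol ikev2 ike-crypto-profile ike-dc-profile

# IPsec tunnel bound to tunnel.1; tunnel monitoring brings the interface down on loss so BGP can reconverge
set network interface tunnel units tunnel.1 ip 169.254.10.1/30
set network tunnel ipsec dc-tunnel auto-key ike-gateway dc-gw
set network tunnel ipsec dc-tunnel auto-key ipsec-crypto-profile ipsec-dc-profile
set network tunnel ipsec dc-tunnel tunnel-interface tunnel.1
set network tunnel ipsec dc-tunnel tunnel-monitor enable yes
set network tunnel ipsec dc-tunnel tunnel-monitor destination-ip 169.254.10.2

# eBGP over the tunnel: VM-Series in AS 65010, datacenter firewall in AS 65000 (assumed)
set network virtual-router default interface [ ethernet1/1 tunnel.1 ]
set network virtual-router default protocol bgp enable yes
set network virtual-router default protocol bgp router-id 169.254.10.1
set network virtual-router default protocol bgp local-as 65010
set network virtual-router default protocol bgp install-route yes
set network virtual-router default protocol bgp peer-group dc type ebgp
set network virtual-router default protocol bgp peer-group dc peer dc-fw enable yes
set network virtual-router default protocol bgp peer-group dc peer dc-fw peer-as 65000
set network virtual-router default protocol bgp peer-group dc peer dc-fw local-address interface tunnel.1
set network virtual-router default protocol bgp peer-group dc peer dc-fw peer-address ip 169.254.10.2
```

The VM-Series still needs a route to the IKE peer address (10.200.0.1 here) via the Direct Connect VLAN, and the datacenter side needs the mirror-image tunnel and BGP peer configuration.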


