This chapter covers cloud connectivity options for securely and reliably connecting on-premises networks to cloud service providers, specifically contrasting VPN (Virtual Private Network) and Direct Connect (dedicated private network connections). Understanding the trade-offs between these two approaches is critical for the N10-009 exam, as questions on cloud connectivity appear in roughly 5-8% of the exam, often testing your ability to select the appropriate solution based on requirements like bandwidth, latency, security, and cost. By the end of this chapter, you will be able to explain how each technology works, compare their characteristics, and identify the correct exam answers on scenario-based questions.
Jump to a section
Imagine your company's main office is a high-rise building in downtown Manhattan, and your cloud data center is a massive warehouse in New Jersey. You need to move data between them securely and reliably.
VPN is like driving over public highways. You get in your car (your data), lock the doors (encryption), and travel on the same roads everyone else uses (the public internet). You might hit traffic jams (latency spikes), road closures (ISP outages), or detours (BGP path changes). The trip is secure because your car is locked, but you can't control the road conditions. It's relatively cheap and quick to set up—you just need a map (configuration) and a key (tunnel credentials).
Direct Connect is like building a private railroad spur. You negotiate with the railroad company (the cloud provider and a partner like Equinix) to lay tracks directly from your building's basement to the warehouse's loading dock. No one else uses those tracks. Your trains (data) travel without traffic, on a fixed schedule (dedicated bandwidth), and you have a service-level agreement guaranteeing transit time (latency). The cost is much higher—construction fees (setup), monthly track maintenance (port hours), and long-term lease—and it takes weeks or months to build. But once it's running, it's predictable, fast, and isolated from public internet issues.
The key difference: VPN uses existing public infrastructure with encryption for security; Direct Connect uses dedicated private infrastructure for performance and reliability. Both get your data to the cloud, but the choice depends on whether you prioritize cost and speed of deployment (VPN) or consistent performance and compliance (Direct Connect).
What Are Cloud Connectivity Options and Why Do They Exist?
Cloud connectivity refers to the methods used to extend an on-premises network into a cloud provider's virtual private cloud (VPC) or virtual network. The two primary options are: - Site-to-Site VPN: Uses the public internet to create an encrypted tunnel between a customer gateway (on-premises router/firewall) and a virtual private gateway (VPG) in the cloud. - Direct Connect (DX): A dedicated physical connection from your on-premises data center to the cloud provider via a colocation facility or partner network, bypassing the public internet entirely.
The need arises because on-premises resources (servers, databases) often need to communicate with cloud resources (compute instances, storage) with higher reliability, lower latency, or regulatory compliance than the public internet can guarantee. The exam expects you to understand when each is appropriate.
How Site-to-Site VPN Works
A site-to-site VPN creates an encrypted tunnel over the internet. The most common implementation uses IPsec (Internet Protocol Security) in tunnel mode.
Components: - Customer Gateway (CGW): The on-premises device (router, firewall, or VPN appliance) that initiates and terminates the VPN tunnel. It must have a public IP address. - Virtual Private Gateway (VPG): The AWS-side (or Azure VPN Gateway, Google Cloud VPN Gateway) endpoint that terminates the VPN tunnel. It is attached to the VPC. - Tunnel: Two IPsec tunnels are typically created (for redundancy) between the CGW and VPG. - Security Association (SA): Defines encryption and authentication parameters (e.g., AES-256, SHA-256).
Step-by-step packet flow: 1. On-premises host sends a packet destined for a cloud instance (e.g., 10.0.0.5). 2. The packet reaches the CGW, which checks its routing table. The route for the cloud CIDR (e.g., 10.0.0.0/16) points to the VPN tunnel. 3. The CGW encapsulates the original IP packet inside an IPsec packet. The outer IP header has source = CGW public IP, destination = VPG public IP. 4. The packet is encrypted (ESP protocol, protocol number 50) and sent over the internet. 5. The VPG receives the packet, decrypts it, and forwards the original inner packet to the cloud instance via the VPC's routing table. 6. Return traffic follows the reverse path.
Key parameters: - IKE (Internet Key Exchange): Uses UDP port 500 for phase 1 (establishing secure channel) and phase 2 (negotiating IPsec SAs). - Perfect Forward Secrecy (PFS): Ensures that if one key is compromised, previous keys are not. Typically uses Diffie-Hellman groups (e.g., DH group 14). - Dead Peer Detection (DPD): Sends keepalives every 10 seconds (default) to detect tunnel failure. If no response after 3 retries, tunnel is considered down. - MTU: The tunnel overhead (approx. 50-60 bytes for IPsec) can cause fragmentation. The typical MTU for VPN traffic is 1400 bytes or less to avoid fragmentation.
Configuration example (AWS CLI to create VPN connection):
aws ec2 create-vpn-connection \
--customer-gateway-id cgw-12345678 \
--vpn-gateway-id vgw-12345678 \
--type ipsec.1 \
--options "{\"TunnelOptions\":[{\"TunnelInsideCidr\":\"169.254.10.0/30\"}]}"Verification commands (on-premises Cisco router):
show crypto isakmp sa # Shows IKE phase 1 status
show crypto ipsec sa # Shows IPsec phase 2 status
show crypto session # Summary of active VPN sessionsHow Direct Connect Works
Direct Connect provides a dedicated, private physical connection between your network and the cloud provider. It does not use the internet; instead, it uses cross-connects in colocation facilities (e.g., Equinix, Digital Realty) or through partner networks (e.g., AT&T, Verizon).
Components: - Direct Connect Location: A facility where the cloud provider has a presence (e.g., an AWS Direct Connect location). - Cross-Connect: A physical cable from your colocation cage/rack to the cloud provider's router. - Virtual Interface (VIF): A logical interface created on top of the physical connection. There are two types: - Private VIF: Connects to a VPC (via a Virtual Private Gateway). - Public VIF: Connects to public cloud services (e.g., AWS S3, DynamoDB) but still uses the private connection (traffic does not go over the internet). - Virtual Private Gateway (VPG): Same as VPN, but used with a private VIF. - Direct Connect Gateway: A global resource that allows a single Direct Connect connection to reach multiple VPCs in different regions.
Step-by-step packet flow: 1. On-premises host sends a packet to a cloud instance (e.g., 10.0.0.5). 2. The packet reaches the on-premises router, which has a static route or BGP-learned route pointing to the Direct Connect interface. 3. The packet is forwarded over the cross-connect to the cloud provider's router. 4. The cloud provider's router forwards the packet to the VPG, which then forwards it to the cloud instance via the VPC routing table. 5. Return traffic takes the same path.
Key parameters: - Bandwidth: Available in increments: 50 Mbps, 100 Mbps, 200 Mbps, 500 Mbps, 1 Gbps, 10 Gbps. (AWS also offers 100 Gbps via partner connections.) - Latency: Typically 1-5 ms lower than internet-based connections for the same geographic distance. - BGP: Both private and public VIFs use BGP (Border Gateway Protocol) for routing. The customer must run BGP with the cloud provider. The cloud provider assigns a private ASN (e.g., 64512) and expects the customer to use a public or private ASN. - VLAN: Each VIF is assigned a unique 802.1Q VLAN ID (1-4094) to separate traffic on the same physical connection. - Jumbo Frames: Direct Connect supports jumbo frames (MTU 9001 bytes) for private VIFs, reducing overhead for large data transfers.
Configuration example (AWS CLI to create a private VIF):
aws directconnect create-private-virtual-interface \
--connection-id dxcon-12345678 \
--new-private-virtual-interface "{\"virtualInterfaceName\":\"MyPrivateVIF\",\"vlan\":100,\"asn\":65000,\"authKey\":\"ciscocisco\",\"amazonAddress\":\"169.254.10.1/30\",\"customerAddress\":\"169.254.10.2/30\",\"virtualGatewayId\":\"vgw-12345678\"}"Verification commands (on-premises Cisco router):
show ip bgp summary # Shows BGP neighbor status
show interfaces # Shows interface status (up/up)
show etherchannel summary # If using link aggregation (LAG)Interaction with Related Technologies
VPN as Backup for Direct Connect: Many enterprises use Direct Connect as the primary connection and a site-to-site VPN as a backup (failover). BGP metrics (e.g., AS path prepend) can be adjusted to prefer the Direct Connect path.
Transit Gateway / Cloud Router: Cloud providers offer transit gateways (AWS Transit Gateway, Azure Virtual WAN, Google Cloud Router) that can integrate both VPN and Direct Connect connections, allowing centralized routing.
SD-WAN: Software-defined WAN can use both VPN and Direct Connect links, load-balancing traffic based on policy.
Latency and Throughput Considerations: VPN adds encryption overhead (5-15% CPU load on the gateway), reducing throughput. Direct Connect has no encryption overhead (though you can add IPsec on top for extra security).
Security Considerations
VPN: Encryption is mandatory (IPsec). The tunnel is secure, but the underlying internet path is vulnerable to DDoS attacks and ISP issues.
Direct Connect: Traffic does not traverse the internet, so it is not exposed to internet-based threats. However, the physical connection must be physically secured. Direct Connect alone does not encrypt traffic; if encryption is required, you must implement IPsec on top (e.g., using a VPN over Direct Connect).
Cost and Deployment Time
VPN: Low cost (only the gateway and internet bandwidth). Deployment time: minutes to hours.
Direct Connect: High cost (port-hour charges, data transfer out fees, colocation cross-connect fees). Deployment time: weeks to months (requires physical setup).
Exam Tip: When to Choose Which
The N10-009 exam will present scenarios and ask you to select the appropriate connectivity method. Key decision factors: - Bandwidth > 1 Gbps: Direct Connect is preferred (VPN gateways have throughput limits; e.g., AWS VPN gateway maxes out at 1.25 Gbps per tunnel). - Consistent latency required: Direct Connect (VPN latency varies with internet congestion). - Regulatory compliance (e.g., HIPAA, PCI-DSS): Direct Connect may be required to avoid internet exposure. - Quick setup / low cost: VPN. - Hybrid scenario: Both (Direct Connect primary, VPN backup).
VPN Tunnel Establishment
The VPN tunnel establishment begins when the customer gateway initiates IKE phase 1. It sends a UDP packet to port 500 of the virtual private gateway's public IP. The two devices negotiate encryption algorithms (e.g., AES-256), hash functions (SHA-256), authentication method (pre-shared key or certificates), and Diffie-Hellman group (e.g., group 14). This phase creates an ISAKMP security association (SA). Phase 2 then negotiates the IPsec SA, defining the encryption and authentication for data traffic (ESP). Two tunnels are typically created for redundancy. The entire process takes a few seconds. A network engineer can verify phase 1 with `show crypto isakmp sa` and phase 2 with `show crypto ipsec sa`.
VPN Data Transmission
Once the tunnel is up, data packets are encapsulated. The original IP packet is encrypted and placed inside an outer IP packet with a new header (source = CGW public IP, destination = VPG public IP). The ESP protocol (IP protocol 50) is used. The packet is then sent over the internet. The virtual private gateway decrypts the packet and forwards the original packet to the destination in the VPC. The MTU is reduced to about 1400 bytes due to overhead. If a packet exceeds the MTU, fragmentation occurs, which can cause performance issues. The tunnel's security associations are periodically rekeyed (every 1 hour or after 100 MB of traffic, whichever comes first).
Direct Connect Physical Setup
The customer orders a Direct Connect connection from a cloud provider, specifying bandwidth (e.g., 1 Gbps) and location (e.g., Equinix NY5). The cloud provider provisions a port on their router. The customer must arrange a cross-connect from their colocation cage to the cloud provider's port. This can take weeks. Once the physical cable is in place and the port is declared 'available', the customer creates a virtual interface (VIF) on the connection. The VIF is assigned a VLAN ID and BGP parameters. The customer must run BGP with the cloud provider to exchange routes. The link is verified with `show interfaces` showing up/up status.
Direct Connect BGP Route Exchange
After the VIF is created, BGP peering is established between the customer's router and the cloud provider's router. The customer advertises their on-premises CIDR blocks (e.g., 192.168.0.0/16) to the cloud provider. The cloud provider advertises the VPC CIDR (e.g., 10.0.0.0/16) to the customer. BGP keepalives are sent every 60 seconds (default). If the BGP session goes down, the route is withdrawn, and traffic stops. The customer can influence path selection using BGP attributes like AS path prepend or local preference. The cloud provider typically uses a private ASN (64512-65535) for the VPG side.
Failover and Redundancy
For high availability, both VPN and Direct Connect support redundancy. VPNs typically have two tunnels (primary and secondary) to different endpoints. Direct Connect can have multiple connections to different locations, or a backup VPN. BGP route selection ensures that the preferred path is used. For example, if Direct Connect is primary and VPN is backup, the Direct Connect route can have a shorter AS path or higher local preference. When the primary fails, BGP withdraws the route, and the backup route becomes active. The failover time depends on BGP timers (default hold time 180 seconds, but can be tuned to 30 seconds for faster convergence).
Enterprise Scenario 1: Large-Scale Data Migration
A financial services firm needs to migrate 500 TB of historical trading data from their on-premises data center to AWS. They have a 1 Gbps internet connection. At full 1 Gbps, the migration would take about 46 days. They also need low latency for real-time analytics during the cutover. They choose AWS Direct Connect with a 10 Gbps connection. The migration completes in about 5 days. They also set up a backup site-to-site VPN for administrative access. During the migration, they monitor the Direct Connect link using CloudWatch metrics (e.g., ConnectionState, VirtualInterfaceBpsEgress). A misconfigured VLAN ID caused traffic to be dropped initially, but after correcting the VLAN tag (changed from 100 to 200 to avoid conflict with another VIF), traffic flowed correctly.
Enterprise Scenario 2: Hybrid Cloud with Compliance Requirements
A healthcare provider must comply with HIPAA, which requires all ePHI traffic to be encrypted and not traversing the public internet. They deploy Direct Connect (1 Gbps) as the primary link for all patient data traffic. However, Direct Connect does not encrypt traffic by default, so they additionally implement an IPsec VPN tunnel over the Direct Connect link. They use a firewall at each end to encrypt/decrypt. They also configure a backup site-to-site VPN over the internet for disaster recovery. A common mistake is forgetting that Direct Connect alone is not encrypted; the exam may test this. Their BGP configuration uses AS path prepend on the VPN routes to ensure Direct Connect is preferred.
Enterprise Scenario 3: Global Retailer with Multi-Region Cloud
A retail company has offices in New York, London, and Tokyo, and uses AWS in us-east-1, eu-west-1, and ap-northeast-1. They want a single Direct Connect connection in each region to connect all offices. They use a Direct Connect Gateway to allow the New York connection to reach VPCs in all three regions. They also use Transit Gateway to centralize routing. The bandwidth per connection is 500 Mbps. They experience intermittent packet loss on the London connection due to a faulty cross-connect; after opening a support ticket with the colocation provider, the issue was resolved by reseating the fiber. They learned that monitoring BGP session state is critical; they set up alarms for BGP session down events.
What N10-009 Tests on This Topic (Objective 1.7)
The exam objective 1.7 states: 'Given a scenario, select the appropriate cloud connectivity method.' Questions will present a scenario with requirements such as bandwidth, latency, security, cost, and deployment time. You must choose between VPN and Direct Connect (and sometimes other options like internet gateway or VPC peering). The exam also tests your understanding of the characteristics of each.
Common Wrong Answers and Why Candidates Choose Them
Choosing VPN for high bandwidth (>1 Gbps): Candidates assume VPN can handle any bandwidth because it's 'just encryption.' In reality, VPN gateways have throughput limits (e.g., AWS VPN gateway max 1.25 Gbps per tunnel). Direct Connect supports up to 10 Gbps (or 100 Gbps via partners).
Assuming Direct Connect is encrypted by default: Many think 'private connection' means automatically encrypted. It is not; traffic is isolated but not encrypted. You must add IPsec if encryption is required.
Choosing Direct Connect for quick deployment: Candidates see 'dedicated' and think 'fast.' Actually, Direct Connect takes weeks to months due to physical setup. VPN can be set up in minutes.
Confusing Direct Connect with VPN in terms of internet dependency: Some think Direct Connect uses a private path over the internet. It does not; it bypasses the internet entirely.
Specific Numbers and Terms That Appear on the Exam
VPN bandwidth limit: Up to 1.25 Gbps per tunnel (AWS default).
Direct Connect bandwidth options: 50 Mbps, 100 Mbps, 200 Mbps, 500 Mbps, 1 Gbps, 10 Gbps.
Latency reduction: Direct Connect typically reduces latency by 1-5 ms compared to internet.
Deployment time: VPN: minutes to hours; Direct Connect: weeks to months.
Encryption: VPN always encrypts (IPsec); Direct Connect does not encrypt by default.
BGP: Both use BGP for routing; Direct Connect uses VLANs (802.1Q) to separate VIFs.
Edge Cases and Exceptions the Exam Loves to Test
VPN over Direct Connect: A scenario where you need both encryption and dedicated bandwidth. The answer is to use IPsec VPN over Direct Connect.
Direct Connect public VIF: Used to access public services (S3, DynamoDB) without internet, but still private.
Redundancy: Always consider a backup VPN when using Direct Connect.
Cost: VPN is cheaper; Direct Connect is expensive but offers consistent performance.
How to Eliminate Wrong Answers
If the scenario mentions 'high bandwidth' (>1 Gbps), eliminate VPN.
If the scenario mentions 'quick setup', eliminate Direct Connect.
If the scenario mentions 'encryption required', and only Direct Connect is listed, remember that Direct Connect alone does not encrypt; you need VPN on top. So the correct answer might be 'VPN over Direct Connect' or just 'VPN' if the question doesn't mention Direct Connect.
If the scenario mentions 'consistent low latency', choose Direct Connect.
If the scenario mentions 'cost-sensitive', choose VPN.
Site-to-Site VPN uses IPsec over the public internet; Direct Connect is a dedicated private connection bypassing the internet.
VPN bandwidth is limited to ~1.25 Gbps per tunnel (AWS); Direct Connect supports up to 10 Gbps per connection.
Direct Connect does not encrypt traffic by default; encryption requires an additional VPN layer.
VPN can be deployed in minutes; Direct Connect takes weeks to months due to physical setup.
Direct Connect provides consistent lower latency (typically 1-5 ms less than VPN).
Both use BGP for route exchange; Direct Connect uses VLANs (802.1Q) for traffic separation.
Common exam scenario: Choose Direct Connect for high bandwidth (>1 Gbps), low latency, or compliance; choose VPN for quick, low-cost connectivity.
These come up on the exam all the time. Here's how to tell them apart.
Site-to-Site VPN
Uses public internet with IPsec encryption.
Bandwidth up to 1.25 Gbps per tunnel (AWS limit).
Deployment time: minutes to hours.
Low cost (gateway and internet bandwidth).
Latency varies with internet conditions.
Direct Connect
Uses dedicated private physical connection.
Bandwidth up to 10 Gbps (or 100 Gbps via partners).
Deployment time: weeks to months.
High cost (port hours, data transfer, cross-connect).
Consistent, low latency (typically 1-5 ms lower than VPN).
Mistake
Direct Connect is always faster than VPN.
Correct
Direct Connect typically provides lower latency because it bypasses the internet, but the actual speed depends on bandwidth. Both can have the same nominal bandwidth (e.g., 1 Gbps). The key difference is consistency and latency, not raw speed.
Mistake
VPN over Direct Connect is redundant because Direct Connect is already private.
Correct
Direct Connect is private in the sense that traffic does not traverse the public internet, but it does not encrypt the data. If encryption is required (e.g., for compliance), you must add IPsec VPN over Direct Connect.
Mistake
You can only have one Direct Connect connection per region.
Correct
You can have multiple Direct Connect connections in the same region for redundancy or higher aggregate bandwidth. Each connection is independent.
Mistake
Site-to-site VPN requires a static public IP on the customer gateway.
Correct
While a public IP is typically required, you can use a NAT device or a VPN appliance behind a NAT if the cloud provider supports NAT traversal (NAT-T). However, dynamic IPs can cause issues with IKE; static is recommended.
Mistake
Direct Connect eliminates all latency.
Correct
Direct Connect reduces latency compared to the internet but does not eliminate it. Physical distance still matters. For example, a Direct Connect from New York to us-east-1 (Virginia) will have lower latency than over the internet, but it is not zero.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
VPN uses the public internet with encryption (IPsec) to create a secure tunnel; Direct Connect uses a dedicated physical line that bypasses the internet. VPN is cheaper and faster to set up but has bandwidth limits (~1.25 Gbps per tunnel) and variable latency. Direct Connect offers higher bandwidth (up to 10 Gbps), consistent low latency, and is often required for compliance, but costs more and takes weeks to deploy.
No, Direct Connect does not encrypt traffic by default. It provides a private, isolated path but the data is sent in cleartext. If encryption is required, you must implement an additional VPN (IPsec) over the Direct Connect link. This is a common exam trap: Direct Connect alone is not encrypted.
Yes, this is a common hybrid setup. You configure a site-to-site VPN as a backup for Direct Connect. BGP routing can be tuned (e.g., using AS path prepend) to prefer the Direct Connect path. When Direct Connect fails, BGP withdraws the routes and traffic automatically uses the VPN tunnel.
Standard Direct Connect bandwidth options are 50 Mbps, 100 Mbps, 200 Mbps, 500 Mbps, 1 Gbps, and 10 Gbps. Some providers offer 100 Gbps via partner connections or link aggregation (LAG). The exam expects you to know these values.
A site-to-site VPN can be set up in minutes to hours, as it only requires software configuration. Direct Connect requires physical cabling and colocation arrangements, so it typically takes weeks to months. This is a key decision factor in exam scenarios.
VPN overhead reduces the effective MTU to about 1400 bytes (due to IPsec headers). Direct Connect supports jumbo frames (MTU 9001 bytes) on private VIFs, which improves performance for large data transfers. The exam may test that jumbo frames are supported on Direct Connect but not on VPN.
Yes, using a Direct Connect Gateway. A Direct Connect Gateway allows a single connection to reach multiple VPCs in different regions. Alternatively, you can use a Transit Gateway to centralize routing. The exam may ask about Direct Connect Gateway as a way to scale.
You've just covered Cloud Connectivity: VPN vs Direct Connect — now see how well it sticks with free N10-009 practice questions. Full explanations included, no account needed.
Done with this chapter?