AWS Network Architecture – Multi-VPC Patterns

AWS Network Architecture Patterns

📋 Last Updated: June 2026. Includes Cross-Region PrivateLink (Nov 2025), NAT Gateway Regional Availability Mode (Nov 2025), Direct Connect VIF Rate Limiters (June 2026), Transit Gateway Flow Logs & Flexible Cost Allocation, AWS Cloud WAN Direct Connect integration, and VPC Lattice Resource Gateway updates.

On-premises -> S3 Private Link -> S3 (Without Internet Gateway or S3 Gateway Endpoint)

 Data flow diagram shows access from on-premises and in-VPC apps to S3 using an interface endpoint and AWS PrivateLink.
  • Interface endpoints in the VPC can route both in-VPC applications and on-premises applications to S3 over the Amazon network.
  • On-premises network uses Direct Connect or AWS VPN to connect to VPC.
  • On-premises applications in VPC A use endpoint-specific DNS names to access S3 through the S3 interface endpoint.
  • On-premises applications send data to the interface endpoint in the VPC through AWS Direct Connect (or AWS VPN). AWS PrivateLink moves the data from the interface endpoint to S3 over the AWS network.
  • VPC applications can also send traffic to the interface endpoint. AWS PrivateLink moves the data from the interface endpoint to S3 over the AWS network.
  • (New – Nov 2025) With Cross-Region PrivateLink, interface VPC endpoints can now connect to S3 (and other AWS services) in other AWS Regions within the same partition, removing the previous “VPC endpoints are regional” limitation.
  • (New – Nov 2025) S3 gateway and interface VPC endpoints now support IPv6, enabling dual-stack connectivity at no additional cost.

On-premises -> Proxy -> Gateway Endpoint -> S3

On-premises + VPC Endpoint + S3

  • VPC endpoints are only accessible from EC2 instances inside a VPC, a local instance must proxy all remote requests before they can
    utilize a VPC endpoint connection.
  • Proxy farm proxies S3 traffic to the VPC endpoint. Configure an Auto Scaling group to manage the proxy servers and automatically grow or shrink the number of required instances based on proxy server load.
  • Note: With the availability of AWS PrivateLink for S3 (interface endpoints), this proxy-based pattern is largely superseded. Interface endpoints are directly accessible from on-premises over Direct Connect or VPN without requiring a proxy.

Direct Connect Gateway + Transit Gateway

AWS Direct Connect Gateway + Transit Gateway

  • AWS Direct Connect Gateway does not support transitive routing and has limits on the number of VGWs that can be connected.
  • AWS Direct Connect Gateway can be combined with AWS Transit Gateway using transit VIF attachment which enables your network to connect up to three regional centralized routers over a private dedicated connection.
  • DX Gateway + TGW simplifies the management of connections between a VPC and the on-premises networks over a private connection that can reduce network costs, increase bandwidth throughput, and provide a more consistent network experience than internet-based connections.
  • With AWS Transit Gateway connected to VPCs, full or partial mesh connectivity can be achieved between the VPCs.
  • (New – Nov 2024) AWS Cloud WAN now supports direct integration with Direct Connect Gateway, eliminating the need for an intermediary Transit Gateway for global hybrid connectivity.
  • (New – Nov 2024) Transit Gateway and Cloud WAN now support Path MTU Discovery (PMTUD) for both IPv4 and IPv6, improving performance for large packet workloads.

AWS Direct Connect with VPN as Backup

  • Be sure that you use the same virtual private gateway for both Direct Connect and the VPN connection to the VPC.
  • If you are configuring a Border Gateway Protocol (BGP) VPN, advertise the same prefix for Direct Connect and the VPN.
  • If you are configuring a static VPN, add the same static prefixes to the VPN connection that you are announcing with the Direct Connect virtual interface.
  • If you are advertising the same routes toward the AWS VPC, the Direct Connect path is always preferred, regardless of AS path prepending.

AWS Direct Connect + VPN

AWS Direct Connect + VPN

  • AWS Direct Connect + VPN combines the benefits of the end-to-end secure IPSec connection with low latency and increased bandwidth of the AWS Direct Connect to provide a more consistent network experience than internet-based VPN connections.
  • AWS Direct Connect public VIF establishes a dedicated network connection between the on-premises network to public AWS resources, such as an Amazon virtual private gateway IPsec endpoint.
  • A BGP connection is established between the AWS Direct Connect and your router on the public VIF.
  • Another BGP session or a static router will be established between the virtual private gateway and your router on the IPSec VPN tunnel.

AWS Direct Connect VIF Rate Limiters

  • (New – June 2026) AWS Direct Connect now supports Virtual Interface (VIF) Rate Limiters on dedicated connections to help prevent network congestion caused by unexpected traffic spikes.
  • VIF Rate Limiters allow you to set a maximum bandwidth allocation for up to 10 VIFs on a dedicated connection.
  • Capacity increments range from 50 Mbps to 1.6 Tbps when using a Link Aggregation Group (LAG).
  • Rate limiting applies to traffic both ingressing and egressing the AWS network.
  • If traffic exceeds the configured capacity, excess packets are dropped, protecting other VIFs sharing the same connection.
  • Prevents a single VIF from consuming all available bandwidth, impacting workloads on other VIFs on the same connection.

AWS Direct Connect SiteLink

  • AWS Direct Connect SiteLink enables direct data transfer between Direct Connect locations, bypassing AWS Regions.
  • SiteLink interconnects locations worldwide and offers built-in redundancy and resiliency.
  • Ensures uninterrupted connectivity even during public internet outages or high-traffic periods.
  • Useful for site-to-site traffic that doesn’t need to traverse an AWS Region (e.g., on-premises to on-premises via AWS backbone).
  • SiteLink is enabled on a per-VIF basis and charges apply for data transferred between SiteLink-enabled VIFs.

AWS Private Link -> NLB -> ALB

AWS Private Link + NLB + ALB

  • AWS PrivateLink for ALB allows customers to utilize PrivateLink on NLB and route this traffic to a target ALB to utilize the layer 7 benefits.
  • Static NLB IP Addresses for ALB – with one static IP per AZ on NLB allows full control over the IP addresses and enables various use cases as follows:
    • Allow listing of IP addresses for firewall rules.
    • Pointing a DNS Zone apex to an application fronted by an ALB. Utilizing ALB as a target of NLB, a DNS A-record type can be used to resolve your zone apex to the NLB static IP addresses.
    • When legacy clients cannot utilize DNS resulting in a need for hard-coded IP addresses.
  • (New – Oct 2024) AWS PrivateLink now supports UDP protocol on NLB over IPv4 and IPv6, and dual-stack NLB UDP support for real-time gaming, VoIP, and media streaming workloads.
  • (New – Nov 2025) NLB now supports weighted target groups, allowing users to configure static weights among multiple target groups for canary and blue/green deployments.

Alternative: API Gateway Direct ALB Integration (Nov 2025)

  • Amazon API Gateway REST APIs now support direct private integration with ALB without requiring an intermediate NLB.
  • This removes the NLB hop for API Gateway use cases, reducing latency and simplifying architecture.
  • Enables inter-VPC connectivity to internal ALBs using VPC Link V2.
  • For PrivateLink endpoint services, NLB (or Gateway Load Balancer) is still required as the front end.

Alternative: VPC Lattice Resource Gateway (Dec 2024)

  • Amazon VPC Lattice Resource Configurations and Resource Gateways (GA at re:Invent 2024) enable access to resources like RDS instances, domain names, or IP targets across VPCs and accounts without needing an NLB.
  • VPC Lattice provides application-layer routing, service discovery, authentication, and observability without complex network configurations.
  • Supports TCP, TLS, HTTP, and HTTPS protocols.
  • Resource owners can share resources directly using AWS RAM without deploying Network Load Balancers.
  • Learn More: VPC Lattice Resource Gateway Documentation

Cross-Region PrivateLink (XRPL)

  • (New – Nov 2024/2025) AWS PrivateLink now supports native cross-region connectivity, breaking the previous limitation that VPC endpoints are regional.
  • Enables private access to VPC endpoint services hosted in other AWS Regions within the same partition.
  • Cross-region connectivity extends to AWS services (GA Nov 2025), allowing interface VPC endpoints to reach select AWS services in other Regions.
  • Eliminates the need for Transit Gateway peering, VPN tunnels, or proxy architectures for cross-region private access.
  • Service providers can offer SaaS solutions privately to a global audience from a single Region.
  • Supports multi-Region failover for PrivateLink-backed services without customer coordination.
  • Learn More: Cross-Region PrivateLink Announcement

Centralized Egress: Transit Gateway + NAT Gateway

Centralized Egress with Transit Gateway & NAT Gateway

  • A separate egress VPC in the network services account can be created to route all egress traffic from the spoke VPCs via a NAT gateway sitting in this VPC using Transit Gateway.
  • As the NAT gateway has an hourly charge, deploying a NAT gateway in every spoke VPC can become cost prohibitive and centralizing NAT can provide cost benefits.
  • In some edge cases when huge amounts of data is sent through the NAT gateway from a VPC, keeping the NAT local in the VPC to avoid the Transit Gateway data processing charge might be a more cost-effective option.
  • Two NAT gateways (one in each AZ) provide High Availability.

NAT Gateway Regional Availability Mode (Nov 2025)

  • (New – Nov 2025) AWS NAT Gateway now supports regional availability mode that automatically expands and contracts across availability zones following your workload footprint.
  • A single regional NAT Gateway replaces the need for one NAT Gateway per AZ, simplifying setup and management.
  • Automatically maintains high availability without manual multi-AZ deployment.
  • Supports both Amazon-provided IP addresses and BYOIP (Bring Your Own IP).
  • Simplifies centralized egress architectures by reducing the number of NAT Gateways needed.
  • Can be combined with Amazon VPC IPAM policies for centralized public IPv4 address allocation across organizations.
  • Learn More: Regional NAT Gateway Documentation

AWS Cloud WAN + Direct Connect (Alternative to TGW)

  • (New – Nov 2024) AWS Cloud WAN now supports built-in Direct Connect gateway attachments without requiring intermediary Transit Gateways.
  • Cloud WAN is a fully managed WAN service that simplifies building, managing, and monitoring global networks connecting resources across AWS Regions and on-premises environments.
  • Think of Cloud WAN as a managed collection of Transit Gateways working behind the scenes with policy-based network management.
  • Provides greater flexibility in configuring global hybrid networks with simplified operations.
  • Supports traffic segmentation across multiple Regions using network segments (similar to TGW route tables).
  • Ideal for multi-Region environments where managing multiple Transit Gateways and peering becomes complex.
  • Learn More: AWS Cloud WAN Documentation

VPC Block Public Access (BPA)

  • (New – Nov 2024) Amazon VPC Block Public Access (BPA) is a single declarative control that authoritatively blocks internet traffic to and from VPCs.
  • BPA supersedes any existing VPC settings (including routing tables, security groups, NACLs) to block traffic through Internet Gateways and Egress-only Internet Gateways.
  • Modes: Bidirectional (blocks all ingress and egress) or Ingress-only (blocks only inbound from internet).
  • Supports exclusions for specific VPCs or subnets that require internet access.
  • Available in all commercial AWS Regions including GovCloud and China Regions.
  • Enables compliance enforcement across multiple accounts and VPCs with AWS Organizations integration.
  • Useful in centralized egress architectures where only the egress VPC should have internet access.
  • Learn More: VPC Block Public Access Documentation

Transit Gateway Monitoring and Cost Management

Transit Gateway Flow Logs

  • Transit Gateway Flow Logs enable visibility and insights into network traffic traversing Transit Gateways.
  • Captures detailed information including source/destination IPs, ports, protocol, traffic counters, timestamps, and metadata.
  • Supports publishing to Amazon S3 and CloudWatch Logs.
  • Enables proactive detection of unroutable traffic and network connectivity issues.
  • Available in all commercial Regions.

Flexible Cost Allocation (Nov 2025)

  • (New – Nov 2025) Transit Gateway Flexible Cost Allocation (FCA) provides granular control over how data processing costs are allocated across AWS accounts.
  • Previously, Transit Gateway only used a sender-pay model where the source attachment account owner paid all data usage costs.
  • FCA enables centralized metering policy with more versatile cost allocation options.
  • Works with AWS Organizations for cross-account cost distribution.

Direct Connect with High Resiliency – 99.9%

Direct Connect High Availability

  • For critical production workloads that require high resiliency, it is recommended to have one connection at multiple locations.
  • Ensures resilience to connectivity failure due to a fiber cut or a device failure as well as a complete location failure. You can use AWS Direct Connect gateway to access any AWS Region (except AWS Regions in China) from any AWS Direct Connect location.

Direct Connect with Maximum Resiliency – 99.99%

Direct Connect Maximum Availability

  • Maximum resilience is achieved by separate connections terminating on separate devices in more than one location.
  • Ensures resilience to device failure, connectivity failure, and complete location failure.
  • Use VIF Rate Limiters (June 2026) on each connection to prevent bandwidth contention across VIFs sharing the same dedicated connection.

Key Network Architecture Decision Points

Use Case Recommended Pattern When to Use
Private access to S3 from on-premises PrivateLink (Interface Endpoint) Direct Connect/VPN connectivity available
Cross-region private service access Cross-Region PrivateLink Service consumers in different Region from provider
Multi-VPC hub-and-spoke (single Region) Transit Gateway Regional connectivity with route isolation
Global multi-Region WAN AWS Cloud WAN Multi-Region with policy-based management
Service-to-service (Layer 7) VPC Lattice Application-level routing, auth, and observability
Centralized egress (simplified) Regional NAT Gateway + TGW Cost optimization with automatic multi-AZ HA
Block internet access VPC Block Public Access Compliance enforcement across organization
Site-to-site via AWS backbone Direct Connect SiteLink On-premises to on-premises without traversing a Region
Posted in AWS