There are a few ways to connect to a VPC, and the right one for you depends on your use case and preferences. You can use the following protocols or services to connect to a VPC:

VPN

A virtual private network (VPN) connection is established to an AWS-managed virtual private gateway (VPG).

A virtual private gateway is the VPN device on the AWS side of the VPN connection. After you have created your VPN, you can download the IPsec VPN configuration from the Amazon VPC console to configure the firewall or device in your local network that will connect to the VPN. For more information, see

AWS offers a managed VPN service, but you can also use a third-party software VPN solution. The latter is suitable if you need to have full access and management of the AWS side of your connection.

For more information about VPN connections, see VPN Connections.

AWS Direct Connect

Direct Connect creates a direct, private connection from your on-premises data center to AWS, letting you establish a 1-gigabit or 10-gigabit dedicated network connection using Ethernet fiber-optic cable. For more information, see What is Direct Connect?

Direct Connect is priced per port-hour, with additional data transfer rates that vary by region. For more detailed pricing information, see the Direct Connect pricing page.

VPC peering

VPC peering allows you to connect two VPCs using each VPC's private IP address. This makes it appear as if the 2 VPCs are on the same network.

This option is recommended for connecting VPCs within a region or across AWS accounts. Because these connections do not rely on physical hardware, they are not subject to issues with single-point of failure or network bandwidth bottlenecks. You can find out more at VPC Peering.

VPC endpoints

VPC endpoints enable you to create a private connection between your VPC and another AWS service, without the need for Internet access. A VPC endpoint enables instances in your VPC to use private IP addresses to communicate with resources in other services. For more information, see VPC Endpoints.

EC2 ClassicLink

ClassicLink allows you to link an EC2-Classic instance to a VPC in your account within same region, without using public IP addresses or Elastic IP addresses to enable communication between instances. You can associate VPC security groups with the EC2-Classic instance and enable a connection between the EC2-Classic instance and instances in your VPC by using a private IP address.

This option is available to users with accounts that support the EC2-Classic platform and can be used with any EC2-Classic instance. For more information, see ClassicLink.

Internet Gateway

An Internet gateway allows communication between instances in your VPC and the Internet. To enable Internet access for instances in a VPC subnet, follow these steps:

1. Attach an Internet gateway to your VPC.
2. Add a route to the Internet gateway in the route table of the VPC subnet.
3. Ensure that instances in your subnet have public IP addresses or Elastic IP addresses.
4. Verify that your network ACL and security group rules allow the relevant traffic to flow to and from your instance.

You can scope the route to all destinations that are not explicitly known to the route table, or you can scope the route to a narrower range of IP addresses. For more information, see Internet Gateways.

NAT Gateway

A network address translation (NAT) gateway enables instances in a private subnet to connect to the Internet or other AWS services, but it prevents those sources from initiating a connection with those instances. To create a NAT gateway, you must specify the public subnet inside the VPC that contains the NAT gateway. For more information, see NAT Gateways.