Network Migration to Cloud: Connectivity, VPNs, and Direct Connect
Network migration to the cloud involves reshaping how an organization's infrastructure connects to compute, storage, and application resources as those resources move from on-premises data centers into cloud environments. This page covers the three primary connectivity models — internet-based VPN tunnels, dedicated direct connections, and hybrid combinations — along with their technical mechanisms, applicable scenarios, and the decision criteria that determine which model fits a given use case. Understanding these distinctions matters because the wrong connectivity choice creates latency, compliance exposure, or cost overruns that undermine the migration's business case.
Definition and scope
Network migration to the cloud refers to the deliberate reconfiguration of an organization's wide-area and local-area network topology to route traffic to cloud-hosted workloads, replacing or supplementing data center interconnects. This encompasses IP addressing schemes, routing protocols, DNS resolution, firewall rule sets, and the physical or virtual circuits that carry data between premises and cloud regions.
The scope typically spans three connectivity layers:
- Public internet with encryption — traffic traverses shared internet infrastructure secured by IPsec or TLS tunnels (VPNs).
- Dedicated private circuits — physical or virtual cross-connects that bypass the public internet entirely (AWS Direct Connect, Azure ExpressRoute, Google Cloud Interconnect).
- Hybrid architectures — combinations of both layers providing redundancy or tiered service levels.
Cloud migration security considerations are directly shaped by which layer an organization selects, as each carries a different threat surface. The National Institute of Standards and Technology addresses connectivity security controls for cloud environments in NIST SP 800-146, Cloud Computing Synopsis and Recommendations, which classifies network exposure as a primary risk category for cloud adoption.
How it works
VPN-based cloud connectivity
A site-to-site VPN creates an encrypted tunnel between a customer gateway (an on-premises router or firewall) and a virtual private gateway or VPN concentrator hosted at the cloud provider's edge. The tunnel is negotiated with IKEv2 and carried by IPsec. Traffic is encapsulated, encrypted, and transmitted over the public internet before being decapsulated at the cloud endpoint and delivered to the virtual network.
Key characteristics:
- Bandwidth ceiling: Most managed cloud VPN services cap individual tunnels at 1.25 Gbps (AWS), though ECMP across multiple tunnels can aggregate throughput.
- Latency: Variable; dependent on public internet path and ISP peering.
- Setup time: Hours to days.
- Cost profile: Low fixed cost; charges tied to data transfer and VPN gateway hours.
Direct Connect and equivalent dedicated circuits
Dedicated connectivity — AWS Direct Connect, Azure ExpressRoute, and Google Cloud Dedicated Interconnect — provisions a physical cross-connect at a colocation facility between the customer's network equipment and the cloud provider's edge router. Traffic does not traverse the public internet.
Key characteristics:
- Bandwidth options: 1 Gbps and 10 Gbps ports are standard; 100 Gbps is available from major providers for high-volume workloads.
- Latency: Deterministic and consistently low, suitable for latency-sensitive applications.
- Setup time: Weeks to months (physical provisioning, LOA-CFA (Letter of Authorization and Connecting Facility Assignment) processing, BGP configuration).
- Cost profile: Higher fixed port and cross-connect fees, lower per-GB data transfer rates at scale.
BGP (Border Gateway Protocol) is the routing protocol used in both models to exchange route information between on-premises and cloud networks, as documented in RFC 4271 from the Internet Engineering Task Force (IETF).
Common scenarios
Scenario 1 — Lift-and-shift workloads with moderate bandwidth needs
Organizations executing a lift-and-shift migration of non-latency-sensitive applications (batch processing, internal portals, development environments) frequently use site-to-site VPNs during initial migration phases. The low setup cost and rapid provisioning allow network connectivity to be established before the longer lead-time circuit is available.
Scenario 2 — Regulated industries requiring private transit
Healthcare organizations subject to HIPAA and financial institutions under PCI DSS commonly mandate that protected data not traverse the public internet. In these cases, dedicated circuits become a compliance necessity rather than a performance optimization. HIPAA-compliant cloud migration practices typically require documented evidence that ePHI traverses private, not public, network paths.
Scenario 3 — Hybrid cloud with on-premises retention
Enterprises maintaining on-premises systems for latency, data sovereignty, or operational continuity reasons — a hybrid cloud migration approach — require persistent, high-availability connectivity. These deployments typically combine a primary Direct Connect circuit with a VPN as an automatic failover path, using BGP route preferences to control traffic distribution.
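The failover behaviour described above (and the BGP route exchange mentioned under "How it works") can be made concrete with a small model of the BGP decision process. The following is an added example, not code from the page or from any cloud provider: it models an on-premises edge router that learns the same cloud prefix over a dedicated circuit and over a site-to-site VPN, prefers the circuit via LOCAL_PREF, and falls back to the VPN when the circuit's BGP session drops. For the inbound direction it shows the usual alternative when the customer cannot set LOCAL_PREF on the provider's router: AS-path prepending on the VPN advertisement. The ASNs, prefixes and link-local next hops are constructed sample values, and only the first tie-breakers of the real decision process are implemented.

```python
"""Simplified BGP best-path selection for a hybrid Direct Connect + VPN design.

Added example (not from the page or any vendor). Constructed values:
ASNs 64512/65001, prefixes 10.100.0.0/16 and 10.0.0.0/8, 169.254.x peers.
"""
from dataclasses import dataclass

CLOUD_ASN = 64512    # constructed: provider-side private ASN
ONPREM_ASN = 65001   # constructed: customer ASN


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    source: str                 # "direct_connect" or "vpn" (label only)
    local_pref: int = 100       # BGP default LOCAL_PREF
    as_path: tuple = ()
    med: int = 0
    router_id: str = "0.0.0.0"


def best_path(routes):
    """Pick the winner using the leading BGP tie-breakers in order:
    highest LOCAL_PREF, shortest AS_PATH, lowest MED, lowest peer router-id.
    Returns None when no route is available (both sessions down)."""
    if not routes:
        return None
    return min(
        routes,
        key=lambda r: (-r.local_pref, len(r.as_path), r.med,
                       tuple(int(o) for o in r.router_id.split("."))),
    )


def onprem_rib(dx_up=True, vpn_up=True):
    """Routes for the cloud VPC prefix as seen by the on-prem edge router.
    A route-map on the Direct Connect session sets LOCAL_PREF 200 so the
    circuit wins whenever it is up; the VPN keeps the default 100."""
    rib = []
    if dx_up:
        rib.append(Route("10.100.0.0/16", "169.254.10.1", "direct_connect",
                         local_pref=200, as_path=(CLOUD_ASN,),
                         router_id="169.254.10.1"))
    if vpn_up:
        rib.append(Route("10.100.0.0/16", "169.254.20.1", "vpn",
                         local_pref=100, as_path=(CLOUD_ASN,),
                         router_id="169.254.20.1"))
    return rib


def cloud_rib(dx_up=True, vpn_up=True):
    """Routes for the on-prem prefix as seen by the provider's edge router.
    The customer cannot influence LOCAL_PREF there, so it prepends its own
    ASN three extra times on the VPN advertisement to make that path longer."""
    rib = []
    if dx_up:
        rib.append(Route("10.0.0.0/8", "169.254.10.2", "direct_connect",
                         as_path=(ONPREM_ASN,), router_id="169.254.10.2"))
    if vpn_up:
        rib.append(Route("10.0.0.0/8", "169.254.20.2", "vpn",
                         as_path=(ONPREM_ASN,) * 4, router_id="169.254.20.2"))
    return rib


def failover_sequence(direction):
    """Report which path carries traffic as the circuit fails and recovers.
    direction is "outbound" (on-prem view) or "inbound" (cloud view)."""
    rib = onprem_rib if direction == "outbound" else cloud_rib
    states = [("steady", True), ("dx_down", False), ("dx_restored", True)]
    return {name: best_path(rib(dx_up=up)).source for name, up in states}


if __name__ == "__main__":
    for direction in ("outbound", "inbound"):
        print(direction, failover_sequence(direction))
```

Both directions report `direct_connect` in steady state, `vpn` while the circuit is down, and `direct_connect` again once the session is restored. The point worth checking in a real deployment is that both directions fail over: steering only the outbound side with LOCAL_PREF leaves return traffic on whichever path the provider prefers.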
Scenario 4 — Multi-region or multi-cloud federation
Organizations routing traffic across more than one cloud provider or region use cloud-native transit networking services (AWS Transit Gateway, Azure Virtual WAN) to aggregate spoke VNets or VPCs behind a centralized hub, reducing the number of VPN tunnels or dedicated circuits required.
Decision boundaries
The selection between VPN and dedicated connectivity turns on five measurable criteria:
- Throughput requirement: Sustained workloads exceeding 500 Mbps aggregate benefit from dedicated circuits; below that threshold, VPN aggregation is typically sufficient.
- Latency tolerance: Applications with round-trip latency requirements below 10 ms — real-time financial systems, industrial control interfaces, voice-over-IP — require dedicated paths with predictable jitter profiles.
- Compliance mandate: Explicit regulatory requirements (HIPAA, PCI DSS, FedRAMP) that prohibit public internet transit resolve the decision without further analysis.
- Lead time available: If the project timeline requires connectivity within days, VPN is the only viable option; dedicated circuits require physical provisioning cycles that routinely span 30–90 days.
- Data transfer volume: At high monthly transfer volumes (tens of terabytes), dedicated circuit per-GB transfer pricing can be meaningfully lower than VPN data egress rates, shifting the total cost comparison in favor of the fixed-cost model.
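The five criteria can be applied mechanically, with the compliance and lead-time criteria acting as hard gates and the others as tie-breakers. The following is an added example, not from the page: it encodes the thresholds stated above (500 Mbps, 10 ms, 30 days) and derives the monthly volume at which a dedicated circuit's fixed fees are recovered by its lower per-GB rate. The `Pricing` inputs are hypothetical and must be replaced with the provider's actual price list; the workload profiles in the demo are constructed.

```python
"""Connectivity decision helper for the five criteria in "Decision boundaries".

Added example, not from the page. Thresholds are the page's figures; pricing
inputs are caller-supplied placeholders, not any provider's real rates.
"""
from dataclasses import dataclass


@dataclass
class WorkloadProfile:
    sustained_mbps: float           # aggregate sustained throughput
    max_rtt_ms: float               # tightest round-trip latency requirement
    private_transit_mandated: bool  # documented HIPAA / PCI DSS / FedRAMP requirement
    days_until_needed: int          # project lead time available
    monthly_transfer_gb: float


@dataclass
class Pricing:
    """Hypothetical cost inputs (constructed); take real values from the price list."""
    vpn_egress_per_gb: float
    dx_egress_per_gb: float
    dx_fixed_monthly: float         # port + cross-connect fees


CIRCUIT_LEAD_TIME_DAYS = 30         # low end of the 30-90 day range on the page


def breakeven_gb(p):
    """Monthly volume above which the circuit is cheaper overall.
    Solves fixed + dx_rate * V == vpn_rate * V for V.
    Returns None when the circuit's per-GB rate is not actually lower."""
    delta = p.vpn_egress_per_gb - p.dx_egress_per_gb
    if delta <= 0:
        return None
    return p.dx_fixed_monthly / delta


def recommend(w, p):
    """Return (recommendation, reasons).

    A compliance mandate decides outright (and is flagged when the lead time
    cannot be met). Otherwise an immediate deadline forces VPN, and any one
    remaining criterion that favours a dedicated path selects it."""
    reasons = []
    if w.private_transit_mandated:
        reasons.append("compliance mandate prohibits public internet transit")
        if w.days_until_needed < CIRCUIT_LEAD_TIME_DAYS:
            reasons.append(
                f"WARNING: circuit lead time ({CIRCUIT_LEAD_TIME_DAYS}-90 days) "
                f"exceeds the {w.days_until_needed}-day window; escalate timeline")
        return "dedicated", reasons

    if w.days_until_needed < CIRCUIT_LEAD_TIME_DAYS:
        reasons.append("connectivity needed before a circuit can be provisioned")
        return "vpn", reasons

    if w.sustained_mbps > 500:
        reasons.append(f"sustained {w.sustained_mbps:.0f} Mbps exceeds 500 Mbps")
    if w.max_rtt_ms < 10:
        reasons.append(f"{w.max_rtt_ms} ms RTT target needs a deterministic path")
    be = breakeven_gb(p)
    if be is not None and w.monthly_transfer_gb > be:
        reasons.append(f"{w.monthly_transfer_gb:.0f} GB/month exceeds "
                       f"break-even of {be:.0f} GB/month")

    if reasons:
        return "dedicated", reasons
    reasons.append("no criterion requires a dedicated path")
    return "vpn", reasons


# Constructed demo inputs; the rates are placeholders, not a provider's prices.
DEMO_PRICING = Pricing(vpn_egress_per_gb=0.09, dx_egress_per_gb=0.02,
                       dx_fixed_monthly=2000.0)

DEMO_WORKLOADS = {
    "dev_environment":   WorkloadProfile(200, 100, False, 10, 500),
    "batch_processing":  WorkloadProfile(200, 100, False, 90, 500),
    "trading_interface": WorkloadProfile(300, 5, False, 120, 1000),
    "ephi_workload":     WorkloadProfile(100, 50, True, 14, 100),
    "bulk_replication":  WorkloadProfile(200, 100, False, 90, 40000),
}

if __name__ == "__main__":
    print(f"break-even volume: {breakeven_gb(DEMO_PRICING):.0f} GB/month")
    for name, profile in DEMO_WORKLOADS.items():
        choice, why = recommend(profile, DEMO_PRICING)
        print(f"{name}: {choice} ({'; '.join(why)})")
```

The break-even volume is the number to revisit each time port fees or egress rates change; the throughput and latency thresholds rarely move, but the cost criterion can flip a decision without any change to the workload.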
The Federal Risk and Authorization Management Program (FedRAMP), administered by GSA, specifies baseline network controls for cloud services used by federal agencies and can be used as a structural reference for private-sector organizations evaluating what constitutes adequate network isolation.
References
- NIST SP 800-146: Cloud Computing Synopsis and Recommendations — National Institute of Standards and Technology
- RFC 4271: A Border Gateway Protocol 4 (BGP-4) — Internet Engineering Task Force (IETF)
- FedRAMP — Federal Risk and Authorization Management Program — U.S. General Services Administration
- NIST Special Publication 800-53, Rev 5: Security and Privacy Controls for Information Systems — National Institute of Standards and Technology
- HHS HIPAA Security Rule — Technical Safeguards — U.S. Department of Health and Human Services