Compare dedicated connectivity services (Direct Connect, ExpressRoute, Interconnect, FastConnect).
| Feature | Category | AWS | Azure | GCP | OCI |
|---|---|---|---|---|---|
| Service Name | Core Features | AWS PrivateLink | Azure Private Link | Private Service Connect | OCI Private Endpoint |
| Connection Model | Core Features | Interface VPC endpoints create ENIs in consumer VPC | Private endpoints with NIC in consumer VNet subnet | Service attachments with forwarding rules and NAT subnets | Private endpoints in customer VCN subnets |
| Supported Targets | Core Features | AWS services, customer services behind NLB or GWLB | Azure PaaS, customer services behind Standard LB | Google APIs, published services behind ILB | OCI services, customer services in other VCNs |
| Cross-Region Support | Core Features | Inter-region peering required; no native cross-region PrivateLink | Global Private Link for cross-region access via Global VNet Peering | Global access flag allows cross-region connectivity | Remote peering with DRG for cross-region private access |
| Pricing Model | Core Features | Per VPC endpoint per AZ per hour + data processing per GB | Per private endpoint per hour + data processing per GB | Per forwarding rule per hour + data processing per GB | Per private endpoint per hour; no data processing charge |
| DNS Integration | Architecture | Route 53 private hosted zones with alias records for endpoints | Azure Private DNS zones with auto-registration | Automatic DNS registration in Cloud DNS private zones | Private DNS views in VCN resolver configuration |
| IP Address Management | Architecture | Consumer ENIs get private IPs from VPC subnet CIDR | Private IPs allocated from subnet; static or dynamic | Consumer IP from subnet; producer sees NAT IP range | Private IP from VCN subnet; supports secondary IPs |
| Multi-AZ / High Availability | Architecture | Deploy endpoints in multiple AZs; AZ-affine routing | Automatically zone-redundant in supported regions | Automatic HA across zones; regional service attachments | AD-aware placement with fault domain distribution |
| Bandwidth Limits | Architecture | Up to 100 Gbps per endpoint (scales with ENIs) | No explicit bandwidth cap; limited by VM/NIC throughput | Up to 100 Gbps; scales with VM instance tier | Up to 25-50 Gbps depending on endpoint shape |
| Service Marketplace | Architecture | AWS Marketplace integrations via PrivateLink-enabled services | Private Link Partner Services for third-party SaaS | Service Directory for published Private Service Connect services | OCI Marketplace services accessible via private endpoints |
| Access Control | Security | VPC endpoint policies (IAM JSON) restrict API access | NSG on private endpoint subnet; RBAC for management | Consumer accept/reject lists by project; IAM roles | Security lists and NSGs; IAM policies for management |
| Data Exfiltration Prevention | Security | Endpoint policies deny access to unauthorized resources | NSG + UDR enforcement; data exfiltration protection flag | VPC Service Controls perimeter for Private Service Connect | Network security groups restrict egress; service gateways |
| Traffic Encryption | Security | TLS between consumer and service; no automatic encryption layer | TLS enforced; supports mTLS for custom services | TLS by default; optional mTLS with Certificate Authority Service | TLS enforced for all PaaS endpoints; configurable for custom |
| Audit & Logging | Security | VPC Flow Logs capture endpoint traffic; CloudTrail for API calls | NSG flow logs and Azure Monitor diagnostics | VPC Flow Logs and Private Service Connect audit logs | VCN Flow Logs and OCI Audit service for API events |
| Terraform Support | Operations | aws_vpc_endpoint, aws_vpc_endpoint_service resources | azurerm_private_endpoint, azurerm_private_link_service | google_compute_service_attachment, forwarding_rule | oci_core_private_endpoint, oci_core_service_gateway |
| Service Publishing | Operations | Create endpoint service backed by NLB or GWLB; share via allowlisting | Create Private Link Service backed by Standard LB | Publish via service attachment on producer ILB | Publish via private endpoint service configuration |
| Connection Approval | Operations | Manual or auto-accept modes per endpoint service | Manual approval or auto-approval by subscription | Accept/reject lists by consumer project number | Approval via IAM policy or manual accept in console |
| Monitoring | Operations | CloudWatch metrics: bytes in/out, active connections, new connections | Azure Monitor metrics: bytes in/out, NAT port allocation | Cloud Monitoring: connection count, bytes, latency metrics | OCI Monitoring: bytes transferred, connection counts |
| Quota Defaults | Operations | 50 Gateway + 50 Interface endpoints per VPC (adjustable) | 1000 private endpoints per subscription (adjustable) | Varies by project; adjustable via quota increase | 10 private endpoints per VCN (adjustable via SR) |
| Hybrid Connectivity | Operations | Accessible over VPN or Direct Connect from on-premises | Reachable via ExpressRoute or VPN Gateway from on-premises | Accessible via Cloud VPN or Interconnect from on-premises | Reachable over FastConnect or IPSec VPN from on-premises |
Dedicated private connectivity services — AWS Direct Connect, Azure ExpressRoute, GCP Cloud Interconnect, and OCI FastConnect — bypass the public internet to provide reliable, high-bandwidth, low-latency connections between on-premises networks and cloud environments. Each service has different bandwidth options (from 50 Mbps to 100 Gbps), pricing models, redundancy architectures, and partner ecosystems. This comparison tool helps you evaluate private connectivity options across clouds for hybrid and multi-cloud architectures, covering circuit types, peering models, failover configurations, and cost structures.