Compare dedicated connectivity services (Direct Connect, ExpressRoute, Interconnect, FastConnect).
Last verified: May 2026
| Feature | Category | AWS | Azure | GCP | OCI |
|---|---|---|---|---|---|
| Service Name | Core Features | AWS PrivateLink | Azure Private Link | Private Service Connect | OCI Private Endpoint |
| Connection Model | Core Features | Interface VPC endpoints create ENIs in consumer VPC | Private endpoints with NIC in consumer VNet subnet | Service attachments with forwarding rules and NAT subnets | Private endpoints in customer VCN subnets |
| Supported Targets | Core Features | AWS services, customer services behind NLB or GWLB | Azure PaaS, customer services behind Standard LB | Google APIs, published services behind ILB | OCI services, customer services in other VCNs |
| Cross-Region Support | Core Features | Inter-region peering required; no native cross-region PrivateLink | Global Private Link for cross-region access via Global VNet Peering | Global access flag allows cross-region connectivity | Remote peering with DRG for cross-region private access |
| Pricing Model | Core Features | Per VPC endpoint per AZ per hour + data processing per GB | Per private endpoint per hour + data processing per GB | Per forwarding rule per hour + data processing per GB | Per private endpoint per hour; no data processing charge |
| DNS Integration | Architecture | Route 53 private hosted zones with alias records for endpoints | Azure Private DNS zones with auto-registration | Automatic DNS registration in Cloud DNS private zones | Private DNS views in VCN resolver configuration |
| IP Address Management | Architecture | Consumer ENIs get private IPs from VPC subnet CIDR | Private IPs allocated from subnet; static or dynamic | Consumer IP from subnet; producer sees NAT IP range | Private IP from VCN subnet; supports secondary IPs |
| Multi-AZ / High Availability | Architecture | Deploy endpoints in multiple AZs; AZ-affine routing | Automatically zone-redundant in supported regions | Automatic HA across zones; regional service attachments | AD-aware placement with fault domain distribution |
| Bandwidth Limits | Architecture | Up to 100 Gbps per endpoint (scales with ENIs) | No explicit bandwidth cap; limited by VM/NIC throughput | Up to 100 Gbps; scales with VM instance tier | Up to 25-50 Gbps depending on endpoint shape |
| Service Marketplace | Architecture | AWS Marketplace integrations via PrivateLink-enabled services | Private Link Partner Services for third-party SaaS | Service Directory for published Private Service Connect services | OCI Marketplace services accessible via private endpoints |
| Access Control | Security | VPC endpoint policies (IAM JSON) restrict API access | NSG on private endpoint subnet; RBAC for management | Consumer accept/reject lists by project; IAM roles | Security lists and NSGs; IAM policies for management |
| Data Exfiltration Prevention | Security | Endpoint policies deny access to unauthorized resources | NSG + UDR enforcement; data exfiltration protection flag | VPC Service Controls perimeter for Private Service Connect | Network security groups restrict egress; service gateways |
| Traffic Encryption | Security | TLS between consumer and service; no automatic encryption layer | TLS enforced; supports mTLS for custom services | TLS by default; optional mTLS with Certificate Authority Service | TLS enforced for all PaaS endpoints; configurable for custom |
| Audit & Logging | Security | VPC Flow Logs capture endpoint traffic; CloudTrail for API calls | NSG flow logs and Azure Monitor diagnostics | VPC Flow Logs and Private Service Connect audit logs | VCN Flow Logs and OCI Audit service for API events |
| Terraform Support | Operations | aws_vpc_endpoint, aws_vpc_endpoint_service resources | azurerm_private_endpoint, azurerm_private_link_service | google_compute_service_attachment, forwarding_rule | oci_core_private_endpoint, oci_core_service_gateway |
| Service Publishing | Operations | Create endpoint service backed by NLB or GWLB; share via allowlisting | Create Private Link Service backed by Standard LB | Publish via service attachment on producer ILB | Publish via private endpoint service configuration |
| Connection Approval | Operations | Manual or auto-accept modes per endpoint service | Manual approval or auto-approval by subscription | Accept/reject lists by consumer project number | Approval via IAM policy or manual accept in console |
| Monitoring | Operations | CloudWatch metrics: bytes in/out, active connections, new connections | Azure Monitor metrics: bytes in/out, NAT port allocation | Cloud Monitoring: connection count, bytes, latency metrics | OCI Monitoring: bytes transferred, connection counts |
| Quota Defaults | Operations | 50 Gateway + 50 Interface endpoints per VPC (adjustable) | 1000 private endpoints per subscription (adjustable) | Varies by project; adjustable via quota increase | 10 private endpoints per VCN (adjustable via SR) |
| Hybrid Connectivity | Operations | Accessible over VPN or Direct Connect from on-premises | Reachable via ExpressRoute or VPN Gateway from on-premises | Accessible via Cloud VPN or Interconnect from on-premises | Reachable over FastConnect or IPSec VPN from on-premises |

Your team is connecting an on-premises datacenter to a multi-cloud environment (AWS + Azure). The compare tool surfaces AWS Direct Connect from Equinix Ashburn (1 Gbps × 2 circuits, primary + secondary) at $1,800/month + data charges, and Azure ExpressRoute from the same Equinix Ashburn facility (1 Gbps × 2, Standard SKU, metered) at $1,400/month + data charges. Both providers offer Global Reach, so you can use either circuit pair to reach both clouds via Microsoft's backbone. The resulting architecture has 4 total circuits with full N+1 redundancy, all in one colo facility for operational simplicity. Surfacing the Global Reach option saved the team from buying 4 separate cross-cloud transit links.
Dedicated private connectivity services — AWS Direct Connect, Azure ExpressRoute, GCP Cloud Interconnect, and OCI FastConnect — bypass the public internet to provide reliable, high-bandwidth, low-latency connections between on-premises networks and cloud environments. Each service has different bandwidth options (from 50 Mbps to 100 Gbps), pricing models, redundancy architectures, and partner ecosystems. This comparison tool helps you evaluate private connectivity options across clouds for hybrid and multi-cloud architectures, covering circuit types, peering models, failover configurations, and cost structures.
The compare tool surfaces 20+ private connectivity dimensions per cloud: bandwidth tiers, dedicated vs hosted connections, partner ecosystem (which carriers/colos), peering location count globally, BGP support, redundancy options (within-facility vs cross-facility), pricing model (port-hour + data, or all-inclusive), VLAN support, and SLA terms (99.9% vs 99.95% with redundant circuits).
OCI FastConnect's lack of data transfer charges is genuinely significant for high-egress workloads. AWS Direct Connect data charges (~$0.02/GB) on a 5 Gbps sustained link = $50K+/year. OCI FastConnect at 10 Gbps with no data charges can save five-figure sums annually for the same workload.
Always order TWO circuits, even for low-traffic workloads. The marginal cost of a second circuit (~$200-500/month at low bandwidth) is much less than a single multi-hour outage when the primary fails. SLAs only kick in with redundant circuits anyway.
Hosted Connections (sub-1Gbps) on AWS Direct Connect are dramatically cheaper than full ports for low-bandwidth workloads. A 200 Mbps hosted connection through Equinix is ~$200/month vs ~$1,500/month for a dedicated 1 Gbps port. For most enterprise hybrid scenarios, hosted connections are sufficient.