# Internetwork traffic privacy
<a name="inter-network-traffic-privacy"></a>

Connections are protected both between Amazon RDS and on-premises applications and between Amazon RDS and other Amazon resources within the same Amazon Region.

## Traffic between service and on-premises clients and applications
<a name="inter-network-traffic-privacy-on-prem"></a>

You have two connectivity options between your private network and Amazon: 
+ An Amazon Site-to-Site VPN connection. For more information, see [What is Amazon Site-to-Site VPN?](https://docs.amazonaws.cn/vpn/latest/s2svpn/VPC_VPN.html) 
+ An Amazon Direct Connect connection. For more information, see [What is Amazon Direct Connect?](https://docs.amazonaws.cn/directconnect/latest/UserGuide/Welcome.html) 

You get access to Amazon RDS through the network by using Amazon-published API operations. Clients must support the following:
+ Transport Layer Security (TLS). We require TLS 1.2 and recommend TLS 1.3.
+ Cipher suites with perfect forward secrecy (PFS) such as DHE (Ephemeral Diffie-Hellman) or ECDHE (Elliptic Curve Ephemeral Diffie-Hellman). Most modern systems such as Java 7 and later support these modes.

Additionally, requests must be signed by using an access key ID and a secret access key that is associated with an IAM principal. Or you can use the [Amazon Security Token Service](https://docs.amazonaws.cn/STS/latest/APIReference/Welcome.html) (Amazon STS) to generate temporary security credentials to sign requests.