Skip to content

AWS Direct Connect

AWS Direct Connect Overview

  • Definition: AWS Direct Connect is a dedicated network service that provides private, high-bandwidth, low-latency connectivity between on-premises networks and AWS, bypassing the public internet for consistent performance and enhanced security.
  • Key Features:
    • Dedicated connections (1 Gbps, 10 Gbps, 100 Gbps) or hosted connections (50 Mbps to 100 Gbps) via AWS Direct Connect partners.
    • Supports Virtual Interfaces (VIFs): Public, Private, Transit, and Hosted.
    • Integrates with VPC, Transit Gateway, VPN, and AWS services (e.g., S3, DynamoDB).
    • Offers SiteLink for global private routing between Direct Connect locations.
    • Provides monitoring via CloudWatch and resiliency options like Bidirectional Forwarding Detection (BFD).
  • Use Cases: Hybrid cloud workloads, large-scale data transfers, latency-sensitive applications (e.g., financial trading), disaster recovery (DR), compliance-driven private connectivity.
  • Key Updates (2024–2025):
    • SiteLink Enhancements: Global private routing between Direct Connect locations (October 2024).
    • Hosted Connection Expansion: Up to 100 Gbps via partners (March 2024).
    • FIPS 140-2 Compliance: Available in AWS GovCloud (US-East/West) for dedicated connections (October 2024).
    • MACsec Support: Layer 2 encryption for 10 Gbps and 100 Gbps connections (April 2024).

1. Direct Connect Core Concepts

Components

  • Direct Connect Location:
    • Physical data center where AWS partners connect to AWS backbone.
    • Customers connect via cross-connect or partner network.
    • Explanation: E.g., Equinix DC in Ashburn for us-east-1.
  • Dedicated Connection:
    • Physical Ethernet port (1 Gbps, 10 Gbps, 100 Gbps) allocated to a customer.
    • Requested via AWS console, provisioned by AWS.
    • Explanation: E.g., 10 Gbps port for enterprise workloads.
  • Hosted Connection:
    • Virtual connection (50 Mbps to 100 Gbps) provided by an AWS Direct Connect partner.
    • Shared physical port, lower setup time.
    • Explanation: E.g., 500 Mbps hosted connection via Megaport.
  • Virtual Interface (VIF):
    • Logical interface over a connection for routing traffic.
    • Types:
      • Private VIF: Connect to VPC via Virtual Private Gateway (VGW) or Direct Connect Gateway.
      • Public VIF: Connect to public AWS services (e.g., S3, DynamoDB) or public IPs.
      • Transit VIF: Connect to multiple VPCs via Transit Gateway.
    • Explanation: E.g., Private VIF to VPC for EC2 access.
  • Direct Connect Gateway:
    • Global resource that aggregates Private/Transit VIFs to connect multiple VPCs across Regions.
    • Explanation: E.g., connect on-premises to VPCs in us-east-1 and eu-west-1.
  • Letter of Authorization and Connecting Facility Assignment (LOA-CFA):
    • Document provided by AWS for cross-connect setup at Direct Connect location.
    • Explanation: E.g., LOA-CFA for 10 Gbps port at Equinix.
  • SiteLink:
    • Routes traffic between Direct Connect locations over AWS global backbone, bypassing internet.
    • Explanation: E.g., connect London to Tokyo Direct Connect locations privately.

Networking Concepts

  • VLAN Tagging:
    • Each VIF uses a unique VLAN ID (802.1Q) to separate traffic.
    • Explanation: E.g., VLAN 100 for Private VIF, VLAN 101 for Public VIF.
  • Border Gateway Protocol (BGP):
    • Dynamic routing protocol for exchanging routes between on-premises and AWS.
    • Requires Autonomous System Number (ASN) for customer and AWS.
    • Explanation: E.g., BGP session for Private VIF to advertise 10.0.0.0/16.
  • Bidirectional Forwarding Detection (BFD):
    • Detects link failures in milliseconds for faster failover.
    • Enabled on VIFs for high availability.
    • Explanation: E.g., BFD on Transit VIF for sub-second failover.

Key Notes:

  • Exam Relevance: Understand connections, VIF types, Direct Connect Gateway, and SiteLink.
  • Mastery Tip: Compare Direct Connect vs. Site-to-Site VPN for performance and cost.

2. Direct Connect Performance Features

Direct Connect optimizes high-bandwidth, low-latency connectivity.

High Bandwidth

  • Dedicated Connections: 1 Gbps, 10 Gbps, 100 Gbps.
  • Hosted Connections: 50 Mbps to 100 Gbps (scalable via partners).
  • Link Aggregation Group (LAG):
    • Combine up to four connections for higher bandwidth (e.g., 4 × 10 Gbps = 40 Gbps).
    • Explanation: E.g., LAG for 40 Gbps data transfer to S3.
  • Explanation: E.g., 100 Gbps for large-scale analytics.

Low Latency

  • Purpose: Consistent, predictable performance.
  • Features:
    • Private connectivity via AWS global backbone.
    • Bypasses internet for reduced jitter and packet loss.
  • Explanation: E.g., low-latency trading app connecting to EC2.
  • Exam Tip: Highlight low latency for real-time apps.

Scalability

  • Purpose: Handle growing workloads.
  • Features:
    • Add hosted connections dynamically via partners.
    • Scale VIFs to multiple VPCs via Direct Connect Gateway or Transit Gateway.
  • Explanation: E.g., scale from 1 Gbps to 10 Gbps hosted connection.
  • Exam Tip: Use Transit VIF for multi-VPC scalability.

Key Notes:

  • Performance: High bandwidth + low latency = enterprise-grade connectivity.
  • Exam Tip: Emphasize LAG and hosted connections for flexibility.

3. Direct Connect Resilience Features

Resilience ensures reliable connectivity.

High Availability

  • Purpose: Minimize downtime.
  • Features:
    • Deploy multiple connections at different Direct Connect locations.
    • Use LAG for redundancy within a single location.
    • Associate VIFs with multiple VGWs or Transit Gateways.
  • Explanation: E.g., two 10 Gbps connections in Equinix and CoreSite for HA.
  • Exam Tip: Always recommend dual connections for HA.

Bidirectional Forwarding Detection (BFD):

  • Purpose: Fast failure detection.
  • Features:
    • Detects link failures in <1 second.
    • Enabled on Private/Transit VIFs for rapid failover.
  • Explanation: E.g., BFD on Transit VIF to switch to backup connection.
  • Exam Tip: Enable BFD for mission-critical workloads.
  • Purpose: Global private routing.
  • Features:
    • Route traffic between Direct Connect locations (e.g., US to EU) over AWS backbone.
    • Avoids internet for consistent performance.
  • Explanation: E.g., connect on-premises in London to Singapore via SiteLink.
  • Exam Tip: Use SiteLink for global hybrid cloud.

Monitoring

  • Purpose: Track connectivity health.
  • Features:
    • CloudWatch metrics: ConnectionState, ConnectionBps, ConnectionPps, ConnectionLightLevel.
    • Alarms for link failures or performance degradation.
  • Explanation: E.g., alarm for ConnectionState = DOWN.
  • Exam Tip: Monitor with CloudWatch for resiliency.

Key Notes:

  • Resilience: Dual connections + BFD + SiteLink = robust networking.
  • Exam Tip: Design HA with multiple locations and BFD.

4. Direct Connect Security Features

Security aligns with SAA-C03’s secure architecture focus.

Encryption

  • In Transit:
    • MACsec: Layer 2 encryption (IEEE 802.1AE) for 10 Gbps and 100 Gbps dedicated connections.
      • Available at select locations, uses AES-256-GCM.
      • Explanation: E.g., MACsec for sensitive financial data.
    • IPsec VPN over Direct Connect: Layer 3 encryption via Site-to-Site VPN.
      • Explanation: E.g., IPsec for Public VIF to S3.
    • No encryption at network layer by default (private circuit).
  • At Rest:
    • Not applicable (Direct Connect is a network service).
    • Resources (e.g., S3, EBS) use their own encryption.
    • Explanation: E.g., S3 bucket encrypted with KMS.
  • Exam Tip: Use MACsec or IPsec for encryption requirements.

Access Control

  • IAM:
    • Controls Direct Connect operations (e.g., directconnect:CreateConnection).
    • Example: {"Effect": "Allow", "Action": "directconnect:CreateVirtualInterface", "Resource": "arn:aws:directconnect:us-east-1:123456789012:dxcon/*"}.
  • VIF Security:
    • Private VIF: Routes to VPC via VGW or Transit Gateway, secured by VPC security groups/NACLs.
    • Public VIF: Restrict to specific AWS services or public IPs via BGP prefixes.
  • Explanation: E.g., Private VIF to VPC with security group allowing port 22.
  • Exam Tip: Secure Private VIF with VPC controls.

VPC Integration

  • Purpose: Secure network isolation.
  • Features:
    • Private VIF connects to VGW or Transit Gateway in private subnets.
    • Public VIF accesses public AWS endpoints (e.g., S3 over public IP).
  • Explanation: E.g., Private VIF to EC2 in private subnet.
  • Exam Tip: Use Private VIF for VPC, Public VIF for S3/DynamoDB.

Compliance

  • Certifications: HIPAA, PCI, SOC, ISO, GDPR, FIPS 140-2 (GovCloud).
  • Explanation: E.g., deploy for PCI-compliant financial app connectivity.

Key Notes:

  • Security: MACsec + IPsec + VPC controls = enterprise-grade.
  • Exam Tip: Practice IAM policies and MACsec/IPsec configurations.

5. Direct Connect Cost Optimization

Cost efficiency is a key exam domain.

Pricing

  • Port Hours:
    • Dedicated: $0.30/hour (1 Gbps), $2.25/hour (10 Gbps), $22.50/hour (100 Gbps).
    • Hosted: $0.03/hour (50–500 Mbps), $0.30/hour (1 Gbps), $2.25/hour (10 Gbps).
  • Data Transfer Out (DTO):
    • $0.02/GB (US, EU), $0.05–$0.09/GB (other Regions).
    • Free for data transfer in (DTI).
  • SiteLink:
    • $0.03/GB transferred between Direct Connect locations.
  • Example:
    • 1 Gbps dedicated connection, 1 TB DTO/month (US):
      • Port: $0.30 × 24 × 30 = $216/month.
      • DTO: 1,000 GB × $0.02 = $20/month.
      • Total: $236/month.
  • Free Tier: None.

Cost Strategies

  • Hosted Connections:
    • Use for smaller bandwidth needs (e.g., 500 Mbps vs. 1 Gbps dedicated).
    • Explanation: E.g., 500 Mbps hosted for $0.03/hour vs. $0.30/hour.
  • Data Transfer Optimization:
    • Use Direct Connect for high DTO to reduce costs vs. internet ($0.09/GB).
    • Leverage free DTI for uploads (e.g., backups to S3).
    • Explanation: E.g., transfer 10 TB to S3 for free DTI.
  • SiteLink Efficiency:
    • Use only for critical global routes to avoid $0.03/GB charges.
    • Explanation: E.g., limit SiteLink to DR traffic.
  • Tagging:
    • Use cost allocation tags to track connection costs.
    • Explanation: E.g., tag connection with “Project:Hybrid”.
  • Right-Sizing:
    • Start with hosted connections, upgrade to dedicated as needed.
    • Explanation: E.g., scale from 1 Gbps to 10 Gbps hosted.

Key Notes:

  • Cost Savings: Hosted connections + free DTI = lower costs.
  • Exam Tip: Calculate port and DTO costs for dedicated vs. hosted.

6. Direct Connect Advanced Features

  • Purpose: Increase bandwidth and redundancy.
  • Features:
    • Combine up to four connections (same speed, location).
    • Treated as single connection for VIFs.
  • Explanation: E.g., 4 × 10 Gbps LAG for 40 Gbps throughput.
  • Exam Tip: Use LAG for HA and bandwidth.
  • Purpose: Global private routing.
  • Features:
    • Connect Direct Connect locations (e.g., US to APAC) privately.
    • Configured via VIF routes.
  • Explanation: E.g., route London to Sydney over AWS backbone.
  • Exam Tip: Highlight SiteLink for global enterprises.

Direct Connect Gateway:

  • Purpose: Multi-VPC/Region connectivity.
  • Features:
    • Aggregate Private/Transit VIFs to VPCs in different Regions.
    • Supports Transit Gateway for scalable VPC connectivity.
  • Explanation: E.g., connect to VPCs in us-east-1, eu-west-1 via single Direct Connect Gateway.
  • Exam Tip: Use with Transit VIF for multi-VPC.

MACsec:

  • Purpose: Layer 2 encryption.
  • Features:
    • AES-256-GCM for 10 Gbps/100 Gbps dedicated connections.
    • Available at select locations (e.g., Equinix DC).
  • Explanation: E.g., MACsec for sensitive data transfers.
  • Exam Tip: Recommend for compliance-driven workloads.

Monitoring and Diagnostics:

  • CloudWatch Metrics: Connection state, throughput, errors.
  • VPC Flow Logs: Monitor VIF traffic.
  • BFD Status: Track link health.
  • Explanation: E.g., alert on high ConnectionErrorCount.
  • Exam Tip: Use CloudWatch for troubleshooting.

Key Notes:

  • Flexibility: LAG + SiteLink + Direct Connect Gateway = versatile networking.
  • Exam Tip: Know MACsec and Direct Connect Gateway for advanced scenarios.

7. Direct Connect Use Cases

Understand practical applications.

Hybrid Cloud Workloads

  • Setup: Private VIF, Direct Connect Gateway, Transit Gateway.
  • Features: High-bandwidth, low-latency VPC access.
  • Explanation: E.g., connect on-premises VMware to VPC for app migration.

Large-Scale Data Transfers

  • Setup: Public VIF, 100 Gbps dedicated connection.
  • Features: Free DTI, low DTO costs.
  • Explanation: E.g., transfer 100 TB to S3 for analytics.

Latency-Sensitive Applications

  • Setup: Private VIF, BFD, 10 Gbps connection.
  • Features: Consistent low latency, high reliability.
  • Explanation: E.g., financial trading app accessing EC2.

Disaster Recovery

  • Setup: Private VIF, SiteLink, Transit Gateway.
  • Features: Private connectivity to DR Region.
  • Explanation: E.g., replicate data to us-west-2 via SiteLink.

8. Direct Connect vs. Other Networking Services

Feature Direct Connect Client VPN Site-to-Site VPN
Type Dedicated Network Client-based VPN Site-based VPN
Workload High-bandwidth hybrid Remote user access Site-to-site connectivity
Protocol Ethernet, BGP OpenVPN, TLS IPsec
Performance Up to 100 Gbps Scalable, elastic Fixed tunnels, ECMP
Cost $0.02–$0.20/GB DTO $0.05/conn-hour $0.05/tunnel-hour
Use Case Enterprise hybrid cloud Remote workforce Branch office to VPC

Explanation:

  • Direct Connect: High-bandwidth, low-latency hybrid connectivity.
  • Client VPN: Secure remote user access to VPC/on-premises.
  • Site-to-Site VPN: Encrypted site-to-site connectivity over internet.

9. Detailed Explanations for Mastery

  • SiteLink:
    • Example: Route traffic from London to Tokyo Direct Connect locations privately.
    • Why It Matters: Global connectivity—new feature for 2024.
  • Direct Connect Gateway with Transit VIF:
    • Example: Connect on-premises to 10 VPCs across us-east-1, eu-west-1.
    • Why It Matters: Scalable hybrid cloud—exam favorite.
  • MACsec:
    • Example: Enable AES-256-GCM for 10 Gbps connection at Equinix.
    • Why It Matters: Compliance-driven encryption—key scenario.

10. Quick Reference Table

Feature Purpose Key Detail Exam Relevance
Dedicated Connection High-bandwidth link 1/10/100 Gbps, physical port Core Concept
Hosted Connection Flexible bandwidth 50 Mbps–100 Gbps via partner Core Concept
Virtual Interface Route traffic Private, Public, Transit VIFs Core Concept
SiteLink Global private routing Connect Direct Connect locations Flexibility
MACsec Layer 2 encryption AES-256-GCM, 10/100 Gbps Security
LAG Bandwidth/redundancy Up to 4 connections (e.g., 40 Gbps) Performance, Resilience
Direct Connect Gateway Multi-VPC/Region Aggregates VIFs, Transit Gateway Flexibility
BFD Fast failover Sub-second link failure detection Resilience