AWS Direct Connect¶
What Is AWS Direct Connect?¶
AWS Direct Connect is a dedicated private network connection between customer infrastructure and AWS.
It bypasses the public internet to provide:
- private connectivity
- predictable performance
- lower latency
- consistent throughput
Think of Direct Connect as:
Private enterprise connectivity into AWS.
Why It Matters for Security¶
Direct Connect helps organizations:
- reduce internet exposure
- centralize connectivity
- support hybrid cloud
- isolate sensitive workloads
- improve network predictability
Security teams use Direct Connect for:
- regulated environments
- hybrid architectures
- private application access
- centralized ingress
Core Concepts¶
- dedicated connectivity
- private networking
- hybrid cloud
- private routing
- deterministic performance
- enterprise connectivity
Important Integrations¶
Virtual Private Gateway (VGW)¶
Supports:
- Direct Connect → single VPC
Legacy architecture.
AWS Transit Gateway¶
Supports:
- centralized routing
- multi-VPC networking
- multi-account connectivity
Modern architecture.
Site-to-Site VPN¶
Common pattern:
Direct Connect + VPN = Private + Encrypted
Very important architecture pattern.
Amazon VPC¶
Provides:
- private application connectivity
Direct Connect Gateway (DXGW)¶
Supports:
- multiple VPCs
- multiple regions
Very important architecture component.
BGP¶
Direct Connect uses:
→ Border Gateway Protocol
for:
- route advertisement
- failover
- routing decisions
Very important exam nuance.
Security Features¶
Private Connectivity¶
Traffic flow:
On-Prem → Direct Connect → AWS
Traffic avoids:
- public internet
Predictable Performance¶
Benefits:
- stable throughput
- reduced jitter
- lower latency
Hybrid Isolation¶
Supports:
- segmentation
- centralized controls
Encryption Consideration (Classic Trap)¶
Direct Connect provides:
- private transport
Direct Connect does NOT automatically provide:
- encryption
Need encryption?
→ Direct Connect + VPN (IPsec) or MACsec
Very important distinction.
Advanced Security and Operational Concepts¶
Hosted vs Dedicated Connection¶
Dedicated Connection¶
Provisioned directly.
Options:
- 1 Gbps
- 10 Gbps
- 100 Gbps
Hosted Connection¶
Provisioned via:
- AWS Partner
Useful for:
- smaller environments
Very important procurement distinction.
Virtual Interfaces (VIF)¶
Direct Connect uses:
→ Virtual Interfaces
Private VIF¶
Connectivity:
On-Prem → VPC
Public VIF¶
Connectivity:
On-Prem → AWS Public Services
Examples:
- S3
- DynamoDB
Very important trap:
Public VIF still uses:
→ AWS private backbone
Transit VIF¶
Connectivity:
On-Prem → Transit Gateway → Multiple VPCs
Enterprise pattern.
VPN over Direct Connect (Advanced Trap)¶
Architecture:
On-Prem → Direct Connect → Public VIF → AWS VPN Endpoint → IPsec
Why Public VIF?
Standard VPN endpoints expose:
- public IPs
Traffic still stays on:
- AWS backbone
Very important exam nuance.
Direct Connect Gateway Routing Limits¶
DXGW supports:
On-Prem ↔ AWS
DXGW does NOT support:
VPC ↔ VPC (no transitive routing between attached VPCs)
Need VPC routing?
Use:
- Transit Gateway
- VPC Peering
Very important architecture trap.
AWS Resiliency Models¶
High Resiliency¶
Architecture:
2 DX links → 2 locations (1 per location)
Protects:
- device failures
- location failures
Maximum Resiliency¶
Architecture:
4 connections → 2 locations → 2 per site
Supports:
- critical workloads
- maximum fault tolerance
Very important AWS recommendation.
Link Aggregation Group (LAG)¶
Combines:
- multiple DX links
Benefits:
- scale
- redundancy
Jumbo Frames (MTU Optimization)¶
Standard MTU: 1500 bytes
Jumbo MTU: 9001 bytes
Supported:
- Private VIF
- Transit VIF
Useful for:
- replication
- large transfers
- high throughput
Very important performance optimization.
MACsec Encryption¶
Direct Connect supports:
→ MACsec
Provides:
- Layer 2 encryption
Very important advanced security capability.
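As an added example (not code from the original notes or from AWS), the following Python audit applies three of the checks above to a constructed Direct Connect inventory: the resiliency model (connections per location), the encryption trap (a VIF whose port has no MACsec and that carries no IPsec tunnel), and jumbo-frame eligibility (private and transit VIFs still at 1500). The record keys are assumed to mirror the shape of the DescribeConnections and DescribeVirtualInterfaces responses; the VPN_BACKED set is a hypothetical stand-in for a VPN inventory the page does not cover.

```python
from collections import Counter

# Constructed sample inventory (not real account data). Keys are assumed to mirror
# the DescribeConnections / DescribeVirtualInterfaces response shape.
CONNECTIONS = [
    {"connectionId": "dxcon-aaaa1111", "location": "EqDC2", "bandwidth": "10Gbps",
     "macSecCapable": True, "encryptionMode": "must_encrypt", "portEncryptionStatus": "Encryption Up"},
    {"connectionId": "dxcon-bbbb2222", "location": "EqDC2", "bandwidth": "10Gbps",
     "macSecCapable": True, "encryptionMode": "no_encrypt", "portEncryptionStatus": "Encryption Down"},
    {"connectionId": "dxcon-cccc3333", "location": "CSVA1", "bandwidth": "10Gbps",
     "macSecCapable": False, "encryptionMode": "no_encrypt", "portEncryptionStatus": "Encryption Down"},
]
VIFS = [
    {"virtualInterfaceId": "dxvif-1", "connectionId": "dxcon-aaaa1111",
     "virtualInterfaceType": "private", "mtu": 9001},
    {"virtualInterfaceId": "dxvif-2", "connectionId": "dxcon-bbbb2222",
     "virtualInterfaceType": "transit", "mtu": 1500},
    {"virtualInterfaceId": "dxvif-3", "connectionId": "dxcon-cccc3333",
     "virtualInterfaceType": "public", "mtu": 1500},
]
# Hypothetical: VIFs that only carry an IPsec tunnel to a VPN endpoint (VPN over DX).
VPN_BACKED = frozenset({"dxvif-3"})


def resiliency_model(connections):
    """Classify per the notes: 2+ locations with 2+ links per site = maximum,
    links at 2+ locations = high, everything at one location = single point of failure."""
    per_site = Counter(c["location"] for c in connections)
    if len(per_site) >= 2 and all(n >= 2 for n in per_site.values()):
        return "maximum"
    if len(per_site) >= 2:
        return "high"
    return "single-location"


def unencrypted_vifs(connections, vifs, vpn_backed=frozenset()):
    """VIFs carrying cleartext: MACsec is not up on the port and no IPsec rides on top.
    Private transport alone is not encryption (Trap 1)."""
    macsec_up = {c["connectionId"] for c in connections
                 if c.get("portEncryptionStatus") == "Encryption Up"}
    return [v["virtualInterfaceId"] for v in vifs
            if v["connectionId"] not in macsec_up and v["virtualInterfaceId"] not in vpn_backed]


def jumbo_frame_candidates(vifs):
    """Private and transit VIFs still at the 1500 default; public VIFs do not support jumbo frames."""
    return [v["virtualInterfaceId"] for v in vifs
            if v["virtualInterfaceType"] in ("private", "transit") and v["mtu"] < 9001]


if __name__ == "__main__":
    print(resiliency_model(CONNECTIONS), unencrypted_vifs(CONNECTIONS, VIFS, VPN_BACKED),
          jumbo_frame_candidates(VIFS))
```

On the sample data the layout rates only "high" (CSVA1 has a single link), dxvif-2 is the one cleartext path, and dxvif-2 is also the only VIF that could move to 9001.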
Architecture Example¶
Enterprise Hybrid Connectivity¶
```mermaid
flowchart LR
    DC[Data Center]
    DX[Direct Connect]
    DXGW[DX Gateway]
    TGW[Transit Gateway]
    VPC1[Production]
    VPC2[Security]
    VPN[Site-to-Site VPN]
    DC --> DX
    DX --> DXGW
    DXGW --> TGW
    TGW --> VPC1
    TGW --> VPC2
    VPN -. Backup .-> TGW
    classDef network fill:#e3f2fd,stroke:#1565c0,color:#0d47a1;
    classDef security fill:#e8f5e9,stroke:#2e7d32,color:#1b5e20;
    class DC,DX,DXGW network;
    class TGW,VPC1,VPC2,VPN security;
```
Use case: resilient enterprise hybrid connectivity.
Connectivity Workflow¶
```mermaid
sequenceDiagram
    autonumber
    participant ONPREM
    participant DX
    participant DXGW
    participant TGW
    participant APP
    ONPREM->>DX: Send traffic
    DX->>DXGW: Route
    DXGW->>TGW: Forward
    TGW->>APP: Deliver
    APP-->>ONPREM: Response
```
Encrypted Connectivity Workflow¶
```mermaid
sequenceDiagram
    autonumber
    participant USER
    participant DX
    participant PVIF as Public VIF
    participant VPN
    participant AWS
    USER->>DX: Private transport
    DX->>PVIF: Reach VPN endpoint
    PVIF->>VPN: Establish IPsec
    VPN->>AWS: Deliver encrypted traffic
```
Direct Connect vs Site-to-Site VPN¶
| Aspect | Direct Connect | Site-to-Site VPN |
|---|---|---|
| transport | dedicated link | public internet |
| performance | predictable | variable |
| encryption | not encrypted by default | encrypted (IPsec) |
| strength | performance | flexibility |
Direct Connect vs Transit Gateway¶
| Aspect | Direct Connect | Transit Gateway |
|---|---|---|
| role | connectivity | routing |
| scope | external | internal |
Direct Connect vs PrivateLink¶
| Aspect | Direct Connect | PrivateLink |
|---|---|---|
| grants | network access | service access |
| scope | hybrid | application |
Common Exam Traps¶
Trap 1 — Direct Connect Is Not Encrypted¶
Need encryption?
→ VPN or MACsec
Trap 2 — Forgetting BGP¶
DX uses:
→ BGP
Trap 3 — Confusing VIF Types¶
Private:
→ VPC
Public:
→ Public AWS Services
Transit:
→ Transit Gateway
Trap 4 — Forgetting Public VIF for VPN¶
Need VPN over DX?
→ Public VIF
Trap 5 — DXGW Is Not Transitive¶
Need VPC↔VPC?
→ TGW
Trap 6 — Forgetting Resiliency Models¶
Need highest availability?
→ 4 links / 2 locations
Trap 7 — Public VIF Is Not Internet¶
Public VIF uses:
→ AWS backbone
Trap 8 — Need Better Throughput¶
→ Jumbo Frames
5-Second Recall¶
Identity¶
Direct Connect = dedicated private connectivity into AWS
Keywords¶
If the scenario mentions:
- dedicated connection
- hybrid networking
- predictable latency
- enterprise connectivity
Answer:
→ AWS Direct Connect
Need Encryption?¶
→ DX + VPN
Need Multi-VPC Routing?¶
→ Transit Gateway
Need AWS Public Services?¶
→ Public VIF
Need Maximum Availability?¶
→ 4 DX links / 2 sites
Quick Revision Notes¶
- dedicated connectivity
- BGP
- DX Gateway
- Transit Gateway
- VIF types
- MACsec
- not encrypted by default
- VPN over DX
- jumbo frames
- resiliency models
- hybrid networking
- private connectivity