AWS Direct Connect

Dedicated Network Connection to AWS Cloud

Overview

AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS. Using AWS Direct Connect, you can establish private connectivity between AWS and your datacenter, office, or colocation environment, which in many cases can reduce your network costs, increase bandwidth throughput, and provide a more consistent network experience than Internet-based connections.

Key Point: Direct Connect provides a dedicated, private connection that bypasses the public internet, offering more predictable performance, enhanced security, and potentially lower data transfer costs.

Architecture & Components

graph TB
  subgraph "Customer Network"
    A[Customer Router] --> B[Customer Gateway]
  end
  subgraph "AWS Direct Connect Location"
    C[AWS Direct Connect Router] --> D[Cross Connect]
    D --> E[Customer Router at DX Location]
  end
  subgraph "AWS Region"
    F[AWS Direct Connect Gateway] --> G[Virtual Private Gateway]
    G --> H[VPC]
    F --> I[Transit Gateway]
    I --> J[Multiple VPCs]
  end
  B -.->|Dedicated Circuit| E
  E --> C
  C --> F
  style A fill:#ff9999
  style H fill:#99ff99
  style J fill:#99ff99
  style F fill:#9999ff

🔍 Virtual Private Gateway (VGW) Role in Direct Connect

Important Clarification: The Virtual Private Gateway in Direct Connect is NOT the same as a VPN Gateway, though they share similar naming!

In Direct Connect Context:

  • Virtual Private Gateway (VGW): Acts as the AWS-side termination point for your Direct Connect private virtual interface (VIF)
  • Primary Function: Routes traffic between your on-premises network and your VPC over the dedicated Direct Connect connection
  • BGP Peering: Establishes BGP sessions with your on-premises router to exchange routing information
  • No Encryption: Unlike VPN connections, Direct Connect through VGW provides a private but unencrypted connection

Key Difference from VPN:

  • VPN Gateway: Provides encrypted tunnels over the internet
  • Direct Connect VGW: Provides dedicated private connectivity without encryption (encryption can be added at application layer or via MACsec)

Core Components

Direct Connect Location

AWS partner facilities where AWS equipment is colocated. These are third-party data centers where you can connect to AWS infrastructure.

Virtual Interfaces (VIFs)

Logical connections, each on its own VLAN, through which you reach AWS services. A VIF can be public (AWS public service endpoints), private (resources in a VPC, via a Virtual Private Gateway or a Direct Connect Gateway), or transit (multiple VPCs via a Transit Gateway behind a Direct Connect Gateway).

Direct Connect Gateway

Allows you to connect your Direct Connect connection to multiple VPCs across different AWS regions.

Virtual Private Gateway

The gateway on the AWS side of your VPC that terminates your private VIF. The same VGW object is also the AWS side of a Site-to-Site VPN connection, which is where the overlapping name comes from.

Key Benefits

mindmap
  root((AWS Direct Connect Benefits))
    Performance
      Consistent Network Performance
      Reduced Latency
      Higher Bandwidth
    Cost
      Reduced Data Transfer Costs
      Predictable Pricing
      No Internet Gateway Charges
    Security
      Private Connection
      Enhanced Compliance
      Isolated Network Path
    Reliability
      Redundant Connections
      99.9% Availability SLA
      Predictable Performance

Benefit                | Description                                                      | Use Case
-----------------------|------------------------------------------------------------------|--------------------------------------------------
Reduced Network Costs  | Lower data transfer rates compared to internet-based connections | High-volume data transfers
Consistent Performance | Dedicated bandwidth with predictable performance                 | Real-time applications, video streaming
Enhanced Security      | Private connection that doesn't traverse the public internet     | Sensitive data transfers, compliance requirements
Hybrid Cloud           | Seamless integration between on-premises and AWS                 | Gradual cloud migration, hybrid architectures

Connection Types

graph LR
  A[Direct Connect Connection Types] --> B[Dedicated Connection]
  A --> C[Hosted Connection]
  B --> D[1 Gbps]
  B --> E[10 Gbps]
  B --> F[100 Gbps]
  C --> G[50 Mbps to 10 Gbps]
  C --> H[Provided by APN Partners]
  style B fill:#ff9999
  style C fill:#99ff99

Dedicated vs Hosted Connections

Dedicated Connection: A physical Ethernet port dedicated to you. You work directly with AWS to establish the connection.

Hosted Connection: Provisioned through an AWS Direct Connect Partner. The partner owns the physical connection and provides you with a portion of the bandwidth.

Setup Process

sequenceDiagram
  participant Customer
  participant AWS
  participant Partner
  participant DXLocation as DX Location
  Customer->>AWS: 1. Request Direct Connect
  AWS->>Customer: 2. Provide LOA-CFA
  Customer->>Partner: 3. Order Cross Connect
  Partner->>DXLocation: 4. Install Cross Connect
  DXLocation->>AWS: 5. Notify Completion
  AWS->>Customer: 6. Connection Available
  Customer->>AWS: 7. Create Virtual Interface
  AWS->>Customer: 8. Configure BGP

LOA-CFA: Letter of Authorization and Connecting Facility Assignment - This document authorizes the colocation provider to connect your equipment to AWS equipment.

📋 Detailed Configuration Steps Flowchart

flowchart TD
  A[Start: Plan Direct Connect Implementation] --> B{Choose Connection Type}
  B -->|Dedicated| C[Order Dedicated Connection<br/>1Gbps, 10Gbps, 100Gbps]
  B -->|Hosted| D[Contact AWS Partner<br/>50Mbps - 10Gbps]
  C --> E[AWS Provides LOA-CFA]
  D --> F[Partner Handles Cross Connect]
  E --> G[Order Cross Connect<br/>at Direct Connect Location]
  F --> H[Connection Established]
  G --> H
  H --> I[Create Virtual Interface VIF]
  I --> J{VIF Type?}
  J -->|Private| K[Create Private VIF<br/>Access VPC Resources]
  J -->|Public| L[Create Public VIF<br/>Access AWS Public Services]
  J -->|Transit| M[Create Transit VIF<br/>Access Multiple VPCs via TGW]
  K --> N[Create Virtual Private Gateway VGW]
  L --> O[Configure Public IP Ranges]
  M --> P[Associate with Transit Gateway]
  N --> Q[Attach VGW to VPC]
  O --> R[Configure BGP Session]
  P --> R
  Q --> R
  R --> S[Configure Customer Router<br/>BGP Settings]
  S --> T[Exchange BGP Routes]
  T --> U[Update VPC Route Tables]
  U --> V[Configure Security Groups<br/>& NACLs]
  V --> W[Test Connectivity]
  W --> X{Connection Working?}
  X -->|Yes| Y[Configure Monitoring<br/>CloudWatch Alarms]
  X -->|No| Z[Troubleshoot<br/>BGP/Routing Issues]
  Z --> S
  Y --> AA[Set Up Redundancy<br/>Second Connection]
  AA --> BB[Production Ready ✅]
  style A fill:#e1f5fe
  style BB fill:#c8e6c9
  style X fill:#fff3e0
  style Z fill:#ffebee
  style N fill:#f3e5f5
  style P fill:#f3e5f5
  style Q fill:#e8f5e8

🔧 Key Configuration Commands Flow

flowchart LR
  A[aws directconnect<br/>create-connection] --> B[aws directconnect<br/>create-private-virtual-interface]
  B --> C[aws directconnect<br/>create-direct-connect-gateway]
  C --> D[aws ec2<br/>create-vpn-gateway]
  D --> E[aws ec2<br/>attach-vpn-gateway]
  E --> F{Multi-VPC Setup?}
  F -->|Yes| G[aws ec2<br/>create-transit-gateway]
  F -->|No| H[aws directconnect<br/>create-direct-connect-gateway-association]
  G --> I["aws directconnect<br/>create-direct-connect-gateway-association<br/>(with Transit Gateway)"]
  H --> J[aws ec2<br/>create-route]
  I --> J
  J --> K[aws ec2<br/>enable-vgw-route-propagation]
  style A fill:#ffcdd2
  style D fill:#f8bbd9
  style H fill:#c8e6c9

AWS CLI Configuration

1. Create a Direct Connect Connection

# Create a new Direct Connect connection
# --location takes a Direct Connect location code (the locationCode value
# returned by "aws directconnect describe-locations"), not a region name;
# <DX_LOCATION_CODE> below is a placeholder for that code
aws directconnect create-connection \
    --location "<DX_LOCATION_CODE>" \
    --bandwidth 1Gbps \
    --connection-name "MyDirectConnectConnection" \
    --lag-id lag-12345678
This command creates a new Direct Connect connection at the given location code with 1Gbps bandwidth. connection-name is a friendly name for identification, and lag-id is optional: when given, the connection is created as a member of an existing Link Aggregation Group and must match the LAG's location and bandwidth.

2. Create a Virtual Interface (VIF)

# Create a private virtual interface on the connection
# vlan: 802.1Q tag, unique on this connection; asn: your BGP ASN (65000 is in the
# private range); authKey: BGP MD5 key; amazonAddress/customerAddress: the /30
# BGP peering addresses for the AWS side and your router. To tie the VIF to a
# gateway, add virtualGatewayId=vgw-... (step 4) or directConnectGatewayId=dxgw-...
# (step 6) to the shorthand once that gateway exists.
aws directconnect create-private-virtual-interface \
    --connection-id dxcon-fguhmqlc \
    --new-private-virtual-interface \
    'vlan=100,virtualInterfaceName=MyPrivateVIF,asn=65000,authKey=myBGPAuthKey,amazonAddress=192.168.1.1/30,customerAddress=192.168.1.2/30,addressFamily=ipv4'
This creates a private VIF that gives access to resources in your VPC. The VLAN ID must be unique on the connection, the ASN is your Border Gateway Protocol Autonomous System Number, and the two addresses form the /30 used for BGP peering between AWS and your router.

3. Create a Public Virtual Interface

# Create a public virtual interface for AWS public services
# Public VIFs peer on public IPv4 addresses and may only advertise public
# prefixes you own: RFC 1918 ranges such as 192.168.x.x or 10.0.0.0/16 are
# rejected here. 198.51.100.0/30 and 203.0.113.0/24 are RFC 5737 documentation
# ranges standing in for your own public addresses. Omit amazonAddress and
# customerAddress to have AWS allocate the peering /30 for you.
aws directconnect create-public-virtual-interface \
    --connection-id dxcon-fguhmqlc \
    --new-public-virtual-interface \
    'vlan=200,virtualInterfaceName=MyPublicVIF,asn=65000,authKey=myBGPAuthKey,amazonAddress=198.51.100.1/30,customerAddress=198.51.100.2/30,addressFamily=ipv4,routeFilterPrefixes=[{cidr=203.0.113.0/24}]'
Public VIFs provide access to AWS public service endpoints such as S3 and DynamoDB over the Direct Connect connection; AWS advertises its public prefixes to you over the peering. Route filter prefixes are the public IP ranges of yours that you advertise to AWS.

4. Create a Virtual Private Gateway (VGW)

# Create a Virtual Private Gateway for Direct Connect (NOT VPN)
aws ec2 create-vpn-gateway \
    --type ipsec.1 \
    --amazon-side-asn 64512 \
    --tag-specifications 'ResourceType=vpn-gateway,Tags=[{Key=Name,Value=DirectConnect-VGW},{Key=Purpose,Value=DirectConnect}]'
Important: Despite the command name "create-vpn-gateway", this creates a Virtual Private Gateway that can be used for Direct Connect (not just VPN). The VGW serves as the AWS-side anchor point for your private VIF, handling BGP routing between your on-premises network and VPC over the dedicated connection.

5. Attach Virtual Private Gateway to VPC

# Attach the VGW to your VPC
aws ec2 attach-vpn-gateway \
    --vpn-gateway-id vgw-87654321 \
    --vpc-id vpc-12345678
This command connects your Virtual Private Gateway to your VPC, enabling Direct Connect traffic to flow into your VPC. Once attached, the VGW can participate in your VPC's routing and receive traffic from your private virtual interface.

6. Create a Direct Connect Gateway

# Create a Direct Connect Gateway for multi-region connectivity
aws directconnect create-direct-connect-gateway \
    --direct-connect-gateway-name MyDirectConnectGateway \
    --amazon-side-asn 64512
A Direct Connect Gateway lets you reach multiple VPCs across different AWS regions from a single Direct Connect connection. The Amazon-side ASN is the ASN AWS presents on BGP sessions of VIFs attached to this gateway.

7. Associate Virtual Private Gateway with Direct Connect Gateway

# Associate a Virtual Private Gateway with the Direct Connect Gateway
aws directconnect create-direct-connect-gateway-association \
    --direct-connect-gateway-id dxgw-12345678 \
    --gateway-id vgw-87654321 \
    --add-allowed-prefixes-to-direct-connect-gateway cidr=10.0.0.0/16
This command links your VPC (via its Virtual Private Gateway) to the Direct Connect Gateway. The allowed prefixes are the VPC-side ranges the Direct Connect Gateway advertises to your on-premises router; anything outside them is not announced, so they double as a route-leak control.

8. Create a Transit Gateway (Optional - for Multi-VPC Scenarios)

# Create a Transit Gateway for connecting multiple VPCs
aws ec2 create-transit-gateway \
    --description "Transit Gateway for Direct Connect multi-VPC connectivity" \
    --options DefaultRouteTableAssociation=enable,DefaultRouteTablePropagation=enable \
    --tag-specifications 'ResourceType=transit-gateway,Tags=[{Key=Name,Value=DirectConnect-TGW},{Key=Purpose,Value=MultiVPC-Connectivity}]'

# Attach VPCs to the Transit Gateway
aws ec2 create-transit-gateway-vpc-attachment \
    --transit-gateway-id tgw-12345678 \
    --vpc-id vpc-12345678 \
    --subnet-ids subnet-12345678

# Attach additional VPCs as needed
aws ec2 create-transit-gateway-vpc-attachment \
    --transit-gateway-id tgw-12345678 \
    --vpc-id vpc-87654321 \
    --subnet-ids subnet-87654321
Transit Gateway is only needed if you want to connect multiple VPCs to your Direct Connect connection. It acts as a central hub, allowing you to route traffic between your on-premises network and multiple VPCs through a single Direct Connect Gateway association. Skip this step if you're only connecting to a single VPC (use VGW instead).

9. Associate Transit Gateway with Direct Connect Gateway

# Associate the Direct Connect Gateway with a Transit Gateway (only if using Transit Gateway)
aws directconnect create-direct-connect-gateway-association \
    --direct-connect-gateway-id dxgw-12345678 \
    --gateway-id tgw-12345678 \
    --add-allowed-prefixes-to-direct-connect-gateway cidr=10.0.0.0/8 cidr=172.16.0.0/12
Use this when you have multiple VPCs and want to route traffic through the Transit Gateway. The allowed prefixes are the ranges behind the Transit Gateway that the Direct Connect Gateway advertises to your on-premises network over the transit VIF. Use this instead of the VGW association if you need multi-VPC connectivity.

10. Update VPC Route Tables and Enable Route Propagation

# For VGW-based setup (single VPC):
# Update VPC route table to use Virtual Private Gateway
aws ec2 create-route \
    --route-table-id rtb-12345678 \
    --destination-cidr-block 192.168.0.0/16 \
    --gateway-id vgw-87654321

# Enable automatic route propagation from VGW
aws ec2 enable-vgw-route-propagation \
    --route-table-id rtb-12345678 \
    --gateway-id vgw-87654321

# For Transit Gateway-based setup (multi-VPC):
# Update VPC route tables to use Transit Gateway
aws ec2 create-route \
    --route-table-id rtb-12345678 \
    --destination-cidr-block 192.168.0.0/16 \
    --transit-gateway-id tgw-12345678

# Verify route tables
aws ec2 describe-route-tables \
    --route-table-ids rtb-12345678
The routing configuration depends on your architecture choice. For single VPC scenarios, route traffic through the Virtual Private Gateway. For multi-VPC scenarios, route traffic through the Transit Gateway. Route propagation automatically updates your route tables when BGP routes are learned from your on-premises network.

11. Configure BGP Sessions

# View a virtual interface, including its BGP peers
aws directconnect describe-virtual-interfaces \
    --virtual-interface-id dxvif-fguhmqlc

# BGP status is reported per VIF peer (bgpStatus: up, down or unknown),
# not on the connection itself
aws directconnect describe-virtual-interfaces \
    --virtual-interface-id dxvif-fguhmqlc \
    --query 'virtualInterfaces[].bgpPeers[].[bgpPeerId,bgpPeerState,bgpStatus]' \
    --output text

# Confirm the physical connection state
aws directconnect describe-connections \
    --connection-id dxcon-fguhmqlc
These commands show the state of the connection and, per virtual interface, the state of its BGP peers. BGP (Border Gateway Protocol) is used to exchange routing information between your network and AWS, and a VIF carries no traffic until its peer reports bgpStatus up.
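The VIF listing is easiest to act on when it is reduced to a pass/fail result. The following is an added example, not part of the original page, that parses the tab-separated text produced by aws directconnect describe-virtual-interfaces --output text --query 'virtualInterfaces[].[virtualInterfaceId,virtualInterfaceType,virtualInterfaceState,bgpPeers[0].bgpStatus]' and alerts on any VIF that is not both available and BGP up. The sample lines, the VIF IDs in them and the function names check_vifs and vif_alert_count are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original page): turn the VIF listing into a
# pass/fail health check that can run from cron or a CI job.
#
# Real command that produces the input (one tab-separated line per VIF):
#   aws directconnect describe-virtual-interfaces --output text \
#     --query 'virtualInterfaces[].[virtualInterfaceId,virtualInterfaceType,virtualInterfaceState,bgpPeers[0].bgpStatus]'
#
# Constructed sample of that output (IDs and states are made up). A VIF with no
# BGP peer yet prints "None" in the last column.
SAMPLE_VIFS=$(printf 'dxvif-aaaa0001\tprivate\tavailable\tup\ndxvif-aaaa0002\tpublic\tavailable\tdown\ndxvif-aaaa0003\ttransit\tpending\tNone')

tab=$(printf '\t')

# check_vifs: reads VIF lines on stdin, prints one OK/ALERT line per VIF and
# returns 1 if any VIF is not both "available" and BGP "up".
check_vifs() {
    rc=0
    # the || clause keeps the last line even if the input lacks a trailing newline
    while IFS=$tab read -r vif_id vif_type vif_state bgp_status || [ -n "$vif_id" ]; do
        [ -z "$vif_id" ] && continue
        if [ "$vif_state" = "available" ] && [ "$bgp_status" = "up" ]; then
            printf 'OK    %s (%s): state=%s bgp=%s\n' "$vif_id" "$vif_type" "$vif_state" "$bgp_status"
        else
            printf 'ALERT %s (%s): state=%s bgp=%s\n' "$vif_id" "$vif_type" "$vif_state" "$bgp_status"
            rc=1
        fi
    done
    return $rc
}

# vif_alert_count: number of ALERT lines for the input on stdin
vif_alert_count() {
    check_vifs | grep -c '^ALERT' || true
}

# Run against the constructed sample; a live check pipes the aws command in instead
printf '%s\n' "$SAMPLE_VIFS" | check_vifs || echo "one or more virtual interfaces need attention"
```

On the sample the check flags two VIFs (the public one with BGP down and the pending transit VIF) and exits non-zero, which is the signal a scheduler or alerting hook should act on; a down peer on a VIF that was up yesterday is the first thing to compare against change records.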

12. Monitor Connection Health

# Check the physical connection state (pending, available, down, ...)
aws directconnect describe-connections \
    --connection-id dxcon-fguhmqlc \
    --query 'connections[].[connectionId,connectionState,bandwidth]' --output text

# List all virtual interfaces with their state and BGP status
aws directconnect describe-virtual-interfaces \
    --query 'virtualInterfaces[].[virtualInterfaceId,virtualInterfaceState,bgpPeers[0].bgpStatus]' --output text

# Direct Connect publishes metrics to CloudWatch under the AWS/DX namespace;
# alarm when ConnectionState (1 = up, 0 = down) stays below 1 for three minutes
aws cloudwatch put-metric-alarm \
    --alarm-name "DX-dxcon-fguhmqlc-down" \
    --namespace AWS/DX --metric-name ConnectionState \
    --dimensions Name=ConnectionId,Value=dxcon-fguhmqlc \
    --statistic Minimum --period 60 --evaluation-periods 3 \
    --threshold 1 --comparison-operator LessThanThreshold \
    --alarm-actions "arn:aws:sns:<REGION>:<ACCOUNT_ID>:<TOPIC_NAME>"   # placeholder SNS topic ARN
Regular monitoring helps ensure your Direct Connect connection is performing as expected. The describe commands give the current connection and VIF state, and the CloudWatch alarm turns a link drop into a notification instead of something you discover after the fact.

13. Set up Redundancy

# Create a second connection at a different Direct Connect location for redundancy
# (<DX_LOCATION_CODE_B> is a placeholder for that location's code)
aws directconnect create-connection \
    --location "<DX_LOCATION_CODE_B>" \
    --bandwidth 1Gbps \
    --connection-name "MyDirectConnectConnection-Backup"

# Create a LAG (Link Aggregation Group) for bandwidth aggregation at one location
# (<DX_LOCATION_CODE_A> is a placeholder; all members of a LAG share one location)
aws directconnect create-lag \
    --number-of-connections 2 \
    --location "<DX_LOCATION_CODE_A>" \
    --connections-bandwidth 1Gbps \
    --lag-name "MyLAG"
For production workloads, it's recommended to have redundant connections across different locations. A LAG bundles connections that terminate on the same AWS device at one location into a single logical link, which adds capacity and survives a single link failure; it does not protect against the loss of that location, so it complements a second location rather than replacing it.

Monitoring & Management

graph TD
  A[CloudWatch Metrics] --> B[Connection State]
  A --> C[BGP State]
  A --> D[Virtual Interface State]
  A --> E[Data Transfer Metrics]
  F[Monitoring Tools] --> G[AWS Console]
  F --> H[CloudWatch Alarms]
  F --> I[SNS Notifications]
  F --> J[Third-party Tools]
  K[Key Metrics] --> L[ConnectionState]
  K --> M[VirtualInterfaceState]
  K --> N[ConnectionBpsEgress]
  K --> O[ConnectionBpsIngress]
  K --> P[ConnectionPpsEgress]
  K --> Q[ConnectionPpsIngress]

Important Monitoring Metrics

  • ConnectionState: UP or DOWN status of the connection
  • BGPState: Status of BGP sessions
  • Bandwidth Utilization: Current usage vs. available bandwidth
  • Packet Loss: Quality of the connection

Best Practices

Redundancy

Always configure redundant connections across different Direct Connect locations to ensure high availability.

Security

Use MACsec for layer 2 encryption where it is offered (dedicated connections only; hosted connections cannot use it), otherwise run an IPsec Site-to-Site VPN over a public VIF or encrypt at the application layer, and protect every BGP session with a strong MD5 authentication key (the authKey set on each VIF).

Monitoring

Set up CloudWatch alarms for connection state changes and bandwidth utilization thresholds.

Documentation

Maintain detailed network diagrams and configuration documentation for troubleshooting.

Network Design Considerations

  • Plan your IP addressing carefully to avoid conflicts
  • Consider using Transit Gateway for complex multi-VPC scenarios
  • Implement proper BGP route filtering and path selection
  • Design for failure scenarios with automatic failover
  • Regular testing of backup connections and failover procedures
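The allowed-prefix and route-table steps above, and the first point in this list, all depend on the on-premises ranges and the VPC CIDRs not overlapping: an overlapping prefix either fails at association time or silently wins in a route table. The following is an added example, not part of the original page, that checks two prefix lists for overlap in POSIX shell before they are committed to a VPC, an allowed-prefix list or the routes a customer router advertises. The two prefix lists and the function names (ip_to_int, cidr_range, cidrs_overlap, find_overlaps) are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original page): detect overlapping IPv4 prefixes
# before they go into VPC CIDRs, Direct Connect gateway allowed prefixes or the
# routes your on-premises router advertises over BGP.
# The two prefix lists are constructed for this example.

ON_PREM_PREFIXES="192.168.0.0/16 10.0.0.0/8"
AWS_PREFIXES="10.0.0.0/16 172.16.0.0/12 192.168.50.0/24"

# ip_to_int: dotted quad -> unsigned 32-bit integer
ip_to_int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# cidr_range: "a.b.c.d/len" -> "first last" (inclusive integer bounds);
# host bits in the input are cleared, so 192.168.50.77/24 maps to 192.168.50.0/24
cidr_range() {
    base=$(ip_to_int "${1%/*}")
    len=${1#*/}
    size=$(( 1 << (32 - len) ))
    first=$(( base / size * size ))   # size is a power of two, so this clears host bits
    echo "$first $(( first + size - 1 ))"
}

# cidrs_overlap A B: exit 0 if the two prefixes share at least one address, else 1
cidrs_overlap() {
    set -- $(cidr_range "$1") $(cidr_range "$2")   # $1 $2 = A bounds, $3 $4 = B bounds
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# find_overlaps "list A" "list B": print every overlapping pair; exit 1 if any
find_overlaps() {
    found=0
    for a in $1; do
        for b in $2; do
            if cidrs_overlap "$a" "$b"; then
                echo "$a overlaps $b"
                found=1
            fi
        done
    done
    return $found
}

# Run the check on the constructed lists; two pairs overlap
find_overlaps "$ON_PREM_PREFIXES" "$AWS_PREFIXES" || echo "fix addressing before advertising these prefixes"
```

On the constructed lists the check reports that 192.168.0.0/16 overlaps 192.168.50.0/24 and that 10.0.0.0/8 overlaps 10.0.0.0/16; the second case is the classic one where a broad on-premises summary route would shadow a VPC CIDR once propagated into a route table.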

AWS Direct Connect provides the foundation for reliable, high-performance hybrid cloud connectivity.

Implementing Direct Connect requires careful planning but delivers significant benefits in terms of performance, security, and cost optimization for enterprise workloads.