AWS Direct Connect
Service 29

Networking, Hybrid Network

Direct Connect sets up a dedicated private fiber link between an on-premises location and AWS. Instead of crossing the public internet or an IPsec VPN over it, traffic rides a physical connection to an AWS-owned router at a colocation facility — predictable bandwidth (1, 10, or 100 Gbps), lower latency and jitter, and cheaper data transfer out of AWS.

It is mostly an enterprise and data-center service. The link is private but not encrypted by default, and setup is not one-click — it coordinates AWS, a colocation provider, and often a network partner over days or weeks.

Connections and Virtual Interfaces

A Dedicated Connection gives you an AWS port at 1/10/100 Gbps that you cross-connect to; a Hosted Connection comes through a partner with more flexible bandwidth and faster provisioning. The physical link carries virtual interfaces (VIFs), each an 802.1Q VLAN with BGP.

Three VIF types: a private VIF reaches a VPC — directly through a virtual private gateway, or through a Direct Connect Gateway that fans out to VPCs in any Region; a public VIF reaches AWS public services (S3, DynamoDB) over the private link; a transit VIF reaches one or more Transit Gateways through a Direct Connect Gateway. One connection can host all three.

Direct Connect Gateway and Resiliency

A Direct Connect Gateway is a global object that decouples the connection from specific VPCs, letting on-prem reach VPCs in any Region through one link. Without it, a connection only reaches VPCs in its local Region.

A single link is a single point of failure. AWS's resilience patterns range from one connection (dev/test) to two at different locations (production) to four across two locations (critical). A VPN over a public VIF is a common cheap backup.

Encryption and Pricing

Direct Connect is private but not encrypted — add MACsec on supported ports or run an IPsec VPN over it if compliance requires wire-level encryption. Pricing is per port-hour plus per-GB data-transfer-out (much cheaper than internet egress); inbound is free.

For large egress workloads Direct Connect can pay for itself on transfer savings alone; for small workloads a Site-to-Site VPN over the internet is cheaper and simpler.

Direct Connect vs Site-to-Site VPN

Direct Connect — consistent bandwidth, low latency, and large data egress for enterprise hybrid setups — at the cost of physical provisioning.

Site-to-Site VPN — encrypted hybrid connectivity over the public internet, cheaper and faster to set up, fine for small-to-medium workloads.

Common Mistakes
  • Assuming Direct Connect encrypts traffic — it does not by default; add MACsec or IPsec where encryption is required.
  • Running a single Direct Connect link for production, making it a single point of failure — use two at different locations.
  • Skipping a VPN backup over the public internet, leaving no path when the link drops.
  • Using a single connection to reach VPCs in multiple Regions instead of a Direct Connect Gateway.
  • Choosing Direct Connect for a small workload where a Site-to-Site VPN would be cheaper and adequate.
  • Not monitoring BGP session state, so a flapping session fails over silently.

Best Practices
  • Use at least two connections at different locations for production hybrid links.
  • Pair Direct Connect with a Site-to-Site VPN as cheap backup.
  • Use a Direct Connect Gateway for multi-Region or multi-VPC reach.
  • Add MACsec or IPsec over the link if compliance requires encryption.
  • Monitor BGP session state in CloudWatch.
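The Common Mistakes and Best Practices above can be checked mechanically from the connection and VIF inventory. The audit below is an added example, not code from the original page or from AWS: the dicts follow the field names of the AWS DescribeConnections and DescribeVirtualInterfaces responses (what boto3's describe_connections() and describe_virtual_interfaces() return), but the values, IDs and location codes are a constructed sample.

```python
"""Audit a Direct Connect snapshot for the single-link, single-location,
unencrypted-port and BGP-down mistakes listed above.
Field names mirror the AWS DescribeConnections / DescribeVirtualInterfaces
API; the data below is a constructed sample, not a real account."""

# Constructed sample: one live connection at one location, MACsec-capable but
# only "should_encrypt" (falls back to cleartext if MACsec fails), and a
# private VIF whose BGP peer is down. IDs and location codes are placeholders.
CONNECTIONS = [
    {"connectionId": "dxcon-EXAMPLE1", "location": "LOC-A", "bandwidth": "10Gbps",
     "connectionState": "available", "macSecCapable": True,
     "encryptionMode": "should_encrypt"},
]
VIFS = [
    {"virtualInterfaceId": "dxvif-EXAMPLE1", "connectionId": "dxcon-EXAMPLE1",
     "virtualInterfaceType": "private", "virtualInterfaceState": "available",
     "bgpPeers": [{"addressFamily": "ipv4", "bgpStatus": "down"}]},
]


def audit(connections, vifs, require_encryption=False):
    """Return a list of (code, detail) findings; an empty list means clean."""
    findings = []
    live = [c for c in connections if c["connectionState"] == "available"]
    # Resiliency: at least two links, and at two different DX locations.
    if len(live) < 2:
        findings.append(("single-link", f"{len(live)} available connection(s)"))
    elif len({c["location"] for c in live}) < 2:
        findings.append(("single-location", live[0]["location"]))
    # Encryption: only a MACsec-capable port in must_encrypt mode never carries
    # cleartext; should_encrypt silently falls back when negotiation fails.
    if require_encryption:
        for c in live:
            if not c.get("macSecCapable") or c.get("encryptionMode") != "must_encrypt":
                findings.append(("unencrypted",
                                 f"{c['connectionId']} mode={c.get('encryptionMode')}"))
    # BGP: a VIF whose peer is not "up" carries no routes, whatever the link state.
    for v in vifs:
        for p in v.get("bgpPeers", []):
            if p.get("bgpStatus") != "up":
                findings.append(("bgp-down",
                                 f"{v['virtualInterfaceId']} {p.get('addressFamily')} "
                                 f"{p.get('bgpStatus')}"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(CONNECTIONS, VIFS, require_encryption=True):
        print(f"{code}: {detail}")
```

In a real account, feed it the `connections` and `virtualInterfaces` lists from the two boto3 calls and run it on a schedule alongside the CloudWatch alarms.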

Comparable services: GCP Cloud Interconnect, Azure ExpressRoute

Knowledge Check

Is traffic over a Direct Connect link encrypted by default?

  • No — the link is private but unencrypted; add MACsec or run IPsec over it
  • Yes — AWS encrypts all Direct Connect traffic end to end by default
  • Only on public VIFs that reach AWS public services, which are encrypted automatically
  • Only when the link is paired with a Transit Gateway, which adds encryption

What does a Direct Connect Gateway add?

  • It decouples the link from specific VPCs, letting on-prem reach VPCs in any Region
  • It encrypts the underlying physical link automatically with MACsec on every VIF that crosses it
  • It doubles the provisioned port bandwidth for free across both ends of the link
  • It replaces the need to run BGP on the VIFs

When is a Site-to-Site VPN the better choice than Direct Connect?

  • For small-to-medium workloads where encrypted internet connectivity is cheaper and quicker
  • For the largest sustained data-egress workloads pushing terabytes daily to on-prem
  • When you need the lowest possible latency and predictable jitter for real-time interactive traffic
  • When you need a guaranteed 100 Gbps of dedicated bandwidth

What is the recommended Direct Connect setup for a production hybrid workload?

  • At least two connections at two different DX locations, ideally with a VPN backup
  • A single fast 100 Gbps connection at one location, sized to handle the full peak load alone
  • A single Hosted Connection with no backup path, kept simple to lower the monthly port cost
  • Only a Site-to-Site VPN over the internet
