AWS Networking & CDN
Direct Connect
Dedicated private network connection from your data center to AWS
AWS Direct Connect establishes a dedicated physical network connection from your on-premises data center directly to an AWS Direct Connect location, bypassing the public internet entirely. It provides consistent network performance, reduced bandwidth costs for high-volume data transfer, and the ability to access both public AWS services and private VPC resources over the same physical link.
How Direct Connect Works
A Direct Connect connection is a physical cross-connect at a Direct Connect location between your router (or a partner's equipment) and an AWS Direct Connect router. Over this physical link you create logical Virtual Interfaces (VIFs) to access different AWS resources.
| Component | Description | Key Detail |
|---|---|---|
| Dedicated Connection | Physical port on AWS Direct Connect router | 1 Gbps, 10 Gbps, or 100 Gbps; takes weeks to provision |
| Hosted Connection | Shared connection via an APN partner | 50 Mbps to 10 Gbps; faster provisioning |
| Virtual Interface (VIF) | Logical partition of the connection using VLANs | One connection can carry multiple VIFs |
| Private VIF | Connects to a specific VPC via Virtual Private Gateway | One private VIF per VGW per connection |
| Public VIF | Accesses all AWS public endpoints (S3, DynamoDB) | BGP peering to advertise your prefixes |
| Transit VIF | Connects to a Transit Gateway | Allows access to multiple VPCs via TGW |
| Direct Connect Gateway (DXGW) | Global resource connecting DX to VPCs in any region | Avoid per-region private VIFs; one DXGW connects many VPCs |
A Direct Connect Gateway (DXGW) is the recommended pattern. Attach a private or transit VIF from your connection to the DXGW, then associate the DXGW with Virtual Private Gateways or Transit Gateways in any region. This avoids creating a private VIF per region and scales much better as the number of VPCs grows.
Direct Connect Resilience Patterns
A single Direct Connect connection is a single point of failure. AWS recommends specific resiliency architectures depending on your requirements.
| Resiliency Level | Architecture | SLA Equivalent |
|---|---|---|
| Development | Single DX connection + VPN backup | Best effort; VPN activates on DX failure |
| High Resiliency | Two DX connections at one location | Survives single device failure at that location |
| Maximum Resiliency | Two connections at two separate DX locations | Survives full location failure; best for critical workloads |
| Site Resilient | Two locations + two on-prem sites | Handles both AWS and customer-side failures |
AWS provides the Direct Connect Resiliency Toolkit in the console to guide you through ordering connections for your chosen resiliency level and verify your configuration before going live.
A VPN-only backup to Direct Connect adds latency and has much lower throughput than Direct Connect. If your workload requires consistent high bandwidth, the backup VPN will become the bottleneck during a DX failure. Size your VPN tunnels accordingly and test failover before you need it.
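The resiliency tiers above and the VPN-bottleneck caveat can be checked mechanically. The following is an added example, not AWS code and not the Resiliency Toolkit itself: it takes a constructed inventory of connections (the record layout, connection ids, location codes and device names are all assumptions) and maps it onto the four tiers, then reports the capacity left after losing any one Direct Connect location, counting the backup VPN at its 1.25 Gbps-per-tunnel ceiling.

```python
"""Classify a Direct Connect deployment against the four resiliency tiers.

Added example (not AWS tooling). The DxConnection layout mirrors the fields
you would pull from an inventory of your connections; it is an assumption.
"""
from dataclasses import dataclass, field
from typing import List

VPN_TUNNEL_GBPS = 1.25  # Site-to-Site VPN: up to 1.25 Gbps per tunnel


@dataclass(frozen=True)
class DxConnection:
    connection_id: str
    location: str        # Direct Connect location the port is in
    aws_device: str      # AWS-side device the port terminates on
    onprem_site: str     # customer data center the circuit originates from
    bandwidth_gbps: float


@dataclass
class Assessment:
    level: str
    findings: List[str] = field(default_factory=list)


def classify_resiliency(conns, vpn_tunnels=0, required_gbps=0.0):
    """Map connections onto a resiliency tier and list gaps for the workload."""
    if not conns:
        raise ValueError("no Direct Connect connections supplied")
    findings = []
    locations = {c.location for c in conns}
    devices = {(c.location, c.aws_device) for c in conns}
    sites = {c.onprem_site for c in conns}

    if len(locations) >= 2 and len(sites) >= 2:
        level = "Site Resilient"
    elif len(locations) >= 2:
        level = "Maximum Resiliency"
    elif len(devices) >= 2:
        level = "High Resiliency"
    else:
        level = "Development"
        if len(conns) > 1:
            findings.append("all connections terminate on one AWS device; "
                            "a device failure drops every circuit")
        if vpn_tunnels == 0:
            findings.append("single point of failure with no VPN backup: "
                            "no failover path exists")

    # Capacity that survives the loss of any one DX location, plus VPN backup.
    vpn_gbps = vpn_tunnels * VPN_TUNNEL_GBPS
    for loc in sorted(locations):
        remaining = sum(c.bandwidth_gbps for c in conns if c.location != loc)
        remaining += vpn_gbps
        if remaining < required_gbps:
            findings.append(f"loss of location {loc} leaves {remaining:.2f} Gbps "
                            f"for a {required_gbps:.2f} Gbps workload")
    return Assessment(level, findings)


# Constructed sample inventories (ids, locations and devices are made up).
SAMPLE_SINGLE = [DxConnection("dxcon-example01", "LOC-A", "dev-1", "dc-east", 10.0)]
SAMPLE_MAX = [
    DxConnection("dxcon-example01", "LOC-A", "dev-1", "dc-east", 10.0),
    DxConnection("dxcon-example02", "LOC-B", "dev-7", "dc-east", 10.0),
]

if __name__ == "__main__":
    for name, conns in (("single + VPN", SAMPLE_SINGLE), ("two locations", SAMPLE_MAX)):
        a = classify_resiliency(conns, vpn_tunnels=2, required_gbps=5.0)
        print(f"{name}: {a.level}")
        for f in a.findings:
            print("  -", f)
```

The single-connection case with two VPN tunnels is classified as Development and flagged because 2.5 Gbps of VPN cannot carry a 5 Gbps workload during a DX outage, which is exactly the bottleneck the paragraph above warns about.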
Direct Connect vs Site-to-Site VPN
| Aspect | Direct Connect | Site-to-Site VPN |
|---|---|---|
| Network path | Dedicated private circuit | Encrypted tunnel over public internet |
| Bandwidth | 50 Mbps to 100 Gbps | Up to 1.25 Gbps per tunnel (ECMP for more) |
| Latency | Consistent, low latency | Variable (internet-dependent) |
| Setup time | Weeks to months | Minutes to hours |
| Cost | Port hours + data transfer rates | VPN connection hours + data transfer |
| Encryption | Not encrypted by default (private physical link) | Always encrypted (IPSec/IKE) |
| Compliance | Required for some regulated workloads | May not satisfy all compliance requirements |
| Failover role | Primary for high-bandwidth or latency-sensitive | Backup for Direct Connect; primary for small offices |
Direct Connect traffic is not encrypted by default because it's a private physical circuit. For defense-in-depth or compliance requirements you can add encryption in one of two ways: MACsec, which encrypts at the link layer in hardware on supported dedicated connections, or an IPsec Site-to-Site VPN run over a Public VIF, which encrypts at the IP layer end to end.
Direct Connect Pricing
| Component | Cost | Notes |
|---|---|---|
| Dedicated port (1 Gbps) | $0.30/hr | Varies by DX location; charged continuously |
| Dedicated port (10 Gbps) | $2.25/hr | Per Direct Connect location pricing |
| Dedicated port (100 Gbps) | $16.00/hr | Available at select locations |
| Data transfer out (in-region) | $0.02/GB | Vs $0.09/GB internet egress - significant savings at scale |
| Data transfer out (cross-region) | $0.08/GB | Lower than internet for most regions |
| Hosted connection | Varies by partner and port speed | Partner charges their own rates |
Break-even analysis: at $0.09/GB internet egress vs $0.02/GB DX, you save $0.07/GB. A 1 Gbps DX port at $0.30/hr costs ~$216/month. At $0.07/GB savings you need to transfer ~3 TB/month just to break even on the port cost alone - before connection and co-location fees.
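The break-even arithmetic above generalizes to the other port speeds and to extra fixed costs such as cross-connect and co-location fees. The following is an added example, not an AWS pricing tool: it uses the list prices from the table, assumes a 720-hour month (the figure the $216/month estimate implies), and adds a physical sanity check, since a volume above what the port can actually push in a month makes the savings figure meaningless.

```python
"""Direct Connect vs internet egress break-even model (added example).

Prices are the page's list prices in USD; any co-location or cross-connect
fee is passed in by the caller because it varies by facility.
"""

HOURS_PER_MONTH = 720                 # 30-day month, matching the ~$216 figure
INTERNET_EGRESS_PER_GB = 0.09
DX_EGRESS_PER_GB = 0.02               # in-region data transfer out over DX
PORT_HOURLY = {1: 0.30, 10: 2.25, 100: 16.00}   # USD/hour by port speed (Gbps)


def monthly_port_cost(port_gbps, hours=HOURS_PER_MONTH):
    """Port-hour charge for a dedicated connection; billed whether used or not."""
    return PORT_HOURLY[port_gbps] * hours


def breakeven_gb(port_gbps, fixed_monthly_extra=0.0):
    """GB/month at which per-GB savings cover the port and other fixed costs."""
    saving_per_gb = INTERNET_EGRESS_PER_GB - DX_EGRESS_PER_GB
    return (monthly_port_cost(port_gbps) + fixed_monthly_extra) / saving_per_gb


def max_monthly_gb(port_gbps, utilization=0.8):
    """Ceiling on what the port can move in a month at a given utilization."""
    bytes_per_hour = port_gbps * 1e9 / 8 * 3600
    return bytes_per_hour * HOURS_PER_MONTH / 1e9 * utilization


def monthly_delta(port_gbps, gb_out, fixed_monthly_extra=0.0):
    """Net monthly saving (positive) or loss (negative) of DX versus internet.

    Raises if the requested volume exceeds the port's physical ceiling, which
    would mean a larger port (and its higher fixed cost) is actually needed.
    """
    if gb_out > max_monthly_gb(port_gbps):
        raise ValueError(f"{gb_out} GB/month exceeds what a {port_gbps} Gbps "
                         f"port can carry at 80% utilization")
    internet = gb_out * INTERNET_EGRESS_PER_GB
    dx = monthly_port_cost(port_gbps) + fixed_monthly_extra + gb_out * DX_EGRESS_PER_GB
    return internet - dx


if __name__ == "__main__":
    for speed in sorted(PORT_HOURLY):
        print(f"{speed:>3} Gbps port: ${monthly_port_cost(speed):,.0f}/month, "
              f"break-even {breakeven_gb(speed) / 1000:,.1f} TB/month, "
              f"ceiling {max_monthly_gb(speed) / 1000:,.0f} TB/month")
    # Constructed scenario: 10 TB/month with a $500 co-location fee.
    print(f"1 Gbps at 10 TB/month + $500 colo: ${monthly_delta(1, 10_000, 500):,.2f}")
```

Passing the co-location fee through `fixed_monthly_extra` shows why the page says ~3 TB/month is a floor: with a $500/month facility charge the 1 Gbps break-even moves above 10 TB/month, so the decision should be made on the full fixed cost, not the port hours alone.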
Interview Focus Points
1. What is the difference between a Private VIF, Public VIF, and Transit VIF?
2. How would you design a resilient Direct Connect architecture for a financial services workload?
3. When does Direct Connect make financial sense over Site-to-Site VPN?
4. How do you encrypt traffic over Direct Connect? What are the options?
5. What is a Direct Connect Gateway and why would you use it instead of per-region Private VIFs?
6. How does Direct Connect interact with Transit Gateway for multi-VPC access?
7. What happens to your Direct Connect traffic if an AWS Direct Connect location goes down? How do you mitigate this?
8. Explain the difference between a Dedicated Connection and a Hosted Connection.