Direct Connect

Connecting to your remote network with AWS Direct Connect

AWS Direct Connect Overview

Dedicated Connection

AWS Direct Connect is a dedicated, private, virtual local area network (VLAN) connection that extends on-premises network to include AWS resources.

Key Benefits vs Site-to-Site VPN

• Dedicated private network connection from on-premises to AWS (vs encrypted tunnels over public internet)
• Increased bandwidth throughput and more consistent network experience
• Predictable performance compared to internet-based connections
• Uses virtual local area networks (VLANs) to establish private connection

Direct Connect Use Cases

Hybrid Environments

Applications requiring access to existing data center equipment (like on-premises database). Creates hybrid environment to leverage AWS elasticity and economic benefits.

Large Datasets

Applications operating on large datasets (HPC applications). Reduces time and cost for large data transfers compared to internet-based transfers.

Predictable Performance

Applications requiring predictable network performance (real-time data feeds, audio/video streams). Dedicated connection provides more consistent performance.

Security & Compliance

Enterprise security or regulatory policies requiring private network circuits only. Direct Connect provides dedicated private network connection.

Benefits for Large Datasets

• Network transfers don’t compete for internet bandwidth at data center
• High-bandwidth link reduces potential for network congestion and degraded application performance
• Reduced internet bandwidth usage can lower ISP fees and avoid increased bandwidth commitments
• Reduced Direct Connect data transfer rates vs internet data transfer rates

Direct Connect Architecture

Connection Types

Dedicated Connection

Physical ethernet fiber-optic cable provisioned for exclusive customer use. On-premises customer router connected by ethernet to customer router in Direct Connect location.

Hosted Connection

Physical ethernet fiber-optic cable provisioned by Direct Connect Partner and shared with customer. Provides more bandwidth options in smaller increments than dedicated connection.

Implementation Timeline

Direct Connect connection requires planning and physical resources, so implementation typically spans multiple weeks.

Virtual Interface Types

1. Public Virtual Interface

   • Provides access to public AWS services like Amazon S3
   • Connects to AWS services through public endpoints

2. Private Virtual Interface

   • Provides access to your VPC using virtual private gateway
   • Private connectivity to VPC resources

3. Transit Virtual Interface

   • Provides access to your VPC using transit gateway
   • Enables connectivity to multiple VPCs through single interface

Architecture Components

• Direct Connect locations extend on-premises network to AWS using industry-standard 802.1Q VLANs
• Default association: Locations associated with AWS Region, but can access any VPC or public AWS service in any Region (except China)
• Customer Direct Connect router: Connected to Direct Connect endpoint in Direct Connect location
• Direct Connect endpoint: Connects to AWS services including VPCs

Direct Connect with Transit Gateway

Use Direct Connect to connect to Transit Gateway instead of virtual private gateway to simplify routing between on-premises network and multiple VPCs.

Architecture Benefits

• Simplified routing between on-premises and multiple VPCs
• Direct Connect gateway: Can connect to multiple Transit Gateways
• Transit virtual interface: Communicates from Direct Connect location to Direct Connect gateway

Connection Flow

On-premises customer router → Direct Connect location customer router → Direct Connect endpoint → Direct Connect gateway (via transit virtual interface) → Transit Gateway (via transit gateway Direct Connect attachment) → VPC (via transit gateway VPC attachment)

High Availability Configurations

Primary/Backup Architecture

Implement highly available connectivity by coupling Direct Connect with backup VPN connection:

• Primary connection: Direct Connect for main traffic
• Secondary backup: Lower-cost VPN connection
• Dynamic routing: Both connections use dynamic routing
• AWS preference: Always prefers Direct Connect traffic by default
• Configuration: Configure Direct Connect and VPN-specific internal-route propagation

Tip

Choose network providers and Direct Connect locations that align with organization’s risk tolerance, financial expectations, and data center connectivity policies.

Multiple Direct Connect Locations

High Resiliency

For critical production workloads requiring high resiliency, AWS recommends one connection at multiple locations.

Benefits

• Resilience against connectivity failures due to hardware failure
• Protection against complete location failure
• Physical location redundancy by connecting from multiple data centers
• Redundant hardware and telecommunications providers

Best Practices

• Use dynamically routed, active/active connections for automatic load balancing and failover
• Provision sufficient network capacity to ensure failure of one connection doesn’t overwhelm redundant connections
• Connect from multiple data centers for physical location redundancy
• Consider redundant hardware and telecommunications providers

Example Resilient Architecture

• On-premises network 1 connects to virtual private gateway through Direct Connect location 1
• On-premises network 2 connects to virtual private gateway through Direct Connect location 2
• If Direct Connect location 1 fails or issues with on-premises network 1, on-premises network 2 maintains connectivity

Note

Well-Architected Principle: Highly resilient, fault-tolerant network connections are key to well-architected system.

Direct Connect provides dedicated, private connectivity between on-premises environments and AWS with predictable performance, higher bandwidth, and enhanced security compared to internet-based connections, supporting various virtual interface types and high availability configurations for enterprise requirements.