AWS Direct Connect

- aws networking

This post is part of my note taking while studying for the AWS Certified Advanced Networking - Specialty certification.

Direct Connect

Direct Connect is a connection to AWS that bypass the Internet and used a dedicated connection. You are connected to Amazon either thorugh a partner or directly in a CoLo/Internet Exchange. It contains 4 logical components: the actual connection, a cross-connect, the last mile, and a virtual interface. Setting up a DX connection takes longer than IPSec VPN but could potentially have significant cost savings. It is a low latency, high performance connection with consistent and controlled latency. The cost is a per hour port charge and a charge on outbound data transfer.

Available Speeds

You can get either a 1Gbps or 10Gbps from Amazon directly. Via a DX partner, you can get speeds of 50, 100, 200, 300, 400, and 500 Mbps.

DX Physical Requirements

1000BASE-LX or 10GBASE-LR connections over singlemode fiber using Ethernet transport, using 802.1q VLANs.

DX Handoff Direct to AWS

The following steps are taken to get a DX handoff direct to AWS:

  1. Selection Region in AWS Account
  2. Order Connection
  3. Wait for AWS to Review and setup connection. They will send LOA to email address associated with Root AWS account
  4. Arrange cross connect
  5. (optional) Physical backhaul from carrier to customer
  6. Port and physical integration
  7. Interface creation, configuration, integration

DX Handoff via a Partner

The only way to get a sub 1Gbps connection is through a partner. This also saves you from operating your own equipment at a colo/internet exchange. The partner owns the cross-connect between the DX router and their own router. A disadvantage is you only get 1 VLAN and would have to order more another connection for another entry point into AWS.

The follwoing steps are taken to get a DX handoff from a partner:

  1. Place order with APN partner (1 wk - 3 months)
  2. Accept hosted connection
  3. Create virtual interface (1-2 days) (Create in account with account that has connection or create in external account as a hosted VIF)
  4. Router configuration & integration


Service providers can add an AWS DX connection to your existing MPLS network. This can be an economical, reliable, and efficient way to add direct connecitivty to AWS to your existing corporate WAN.

DX Cross Connect Process

When you order the cross connect, you must wait for AWS to connect the port and then send you an LOA, a Letter of Authorization, which will tell tell the CoLo that you can connect your device to certain ports on Amazon’s device.


The DX is represented on AWS side in the VPC as a virtual interface or VIF. There are two types, public and private. Private VIFs are how you connect to your VPC networks. Public VIFs allow access to public AWS resources, such as S3, DynamoDB, RDS, and others. Public VIFs required the use of BGP and publicly routable addresses over which to establish the BGP peer connection. Private VIFs can use private address and AWS can asssign address to use (in the 169.254.x.x range). You do not need to use BGP for private VIFs, but it is recommended.

Configuration Needed for DX VIFs

You need to create the VIF and attach it to a VGW.

Securing DX VIFs

You do not have compelte control over the connection between you and Amazon, there is fiber and colo facilities in between. A best practice for security is encrypting the traffic over the DX conection to the private VIF with an IPSec VPN tunnel. You do this just like you would an IPSec tunnel over the Internet.

Public VIFs generally do not need to be encrypted at the network layer, as they are designed to be accessed over the public Intenret and provide encryption at higher layers.

Share a VIF between accounts.

To share a VIF between accounts, the account with the DX connect creates a hosted VIF and the other account must accept it. The account that has the VIF pays for it.