AWS Direct Connect

Abimuktheeswaran Chidambaram
7 min readAug 20, 2023

AWS Direct Connect is used to connect your network to Amazon services over a private connection as a dedicated connection for you. The features of AWS Direct Connect are cost minimization, less bandwidth, strong network connection rather than an internet-based connection. It supports up to 100 Gbps. It supports IPV4 and IPV6 communication protocols. IPV6 addresses provided by AWS.

In this article, we will see the following chapters

  • Terms used in Direct Connect
  • AWS Direct Connect connections
  • AWS Direct Connect maintenance
  • AWS Direct Connect gateway
  • How the Direct Connect work?
  • Types of Resiliency
  • MAC security

1. Terms used in Direct Connect

Creating the Connection means connecting your data from your on-premise to the AWS region via the AWS Direct Connect location.

AWS Direct Connect location acts as the intermediator to transfer the data from your on-premise to AWS service. AWS recommends choosing one more DC location for high availability and also is nearest to your on-premise.

The virtual interface is used to access the AWS service. public virtual interface means you can access public AWS services like Amazon S3 and EC2 using a public IP address. private virtual interface means you can access private AWS services like VPC using a private IP address. The Transit Virtual interface is used to access multiple VPCs via the transit gateway associated with the Direct Connect gateway.

AWS Direct Connect gateway is a grouping of virtual private gateways (VGWs) and private virtual interfaces (VIFs). An AWS Direct Connect gateway is a global resource. You can create the AWS Direct Connect gateway in any Region and access it from all other Regions.

SiteLink means choosing the best and shortest path to transfer the data bypassing the unnecessary regions.

2. AWS Direct Connect connections

Connection is creating the connection from your on-premise to AWS Direct Connect location. There are 2 types of connections. They are

A dedicated Connection is a physical ethernet connection request by a single customer to AWS through the AWS console or CLI. The port speed ranges from 1 Gbps, 10 Gbps, and 100 Gbps. Once you request the connection, you cannot change the port speed. If you want to change the port speed, then create a new connection. You can create dedicated connections by using Connection Wizard for new setup with Resiliency recommendations and Classic for existing setup.

Hosted Connection is a physical ethernet connection request by an AWS partner on behalf of you to AWS. It links your connection with multiple connections. The port speeds for hosted connections are between 50 Mbps and 10 Gbps. AWS partner only can change the port speed.

dedicated connection using the connection wizard
dedicated connection using classic

Generally, AWS sends an e-mail to you to accept the connection in the name of a Letter of Authorization and Connecting Facility Assignment (LOA-CFA). After you receive an e-mail from AWS, You want to respond to that e-mail within 7 days. After the 7th day, the connection will lost. Billing starts automatically after 90 days such as when the port is in active or LOF-COA has been issued. To avoid billing charges, de-activate the port when the port is not active. After you respond to LOA-CFA, but you do not set up the connection within 90 days, AWS alerts you to set up the connection and gives you 10 days to you additionally. If you fail to set up the connection within 10 days, then the connection will be deleted.

See the URL of available Direct Connect locations.

3. AWS Direct Connect maintenance

AWS Direct Connect maintenance service occurs periodically. It performs on a hardware fleet that supports the device. So that it can recover quickly even there is a failure occurs (resilient connections) between AWS VPC and on-premise networks. There are two types of maintenance. They are Planned Maintenance and emergency Maintenance.

Planned Maintenance is scheduled in advance. AWS provides 3 notifications from 10 days before, followed by 5 days before, followed by 1 day before when the maintenance will occur. You can reschedule the planned maintenance 10 days before.

Emergency Maintenance occurs suddenly based on a critical basis. AWS provides notification before 60 minutes. Once you initiate this maintenance, you can’t cancel it.

You can subscribe to receive notifications about maintenance or events in the AWS console. AWS Personal Health Dashboard displays notifications. Also, you may get notifications via e-mail. AWS performs maintenance activities in business days only. During the maintenance, you may expect downtime in your business. To avoid this you follow these options, they are 1. Request the redundant Direct Connect connection.

2. Configure Site-to-Site VPN as a backup. It is the best practice to use the Direct Connect Resiliency Tool Kit to perform the test and verify the resiliency network connections.

4. AWS Direct Connect gateway

AWS Direct Connect gateway is a grouping of virtual private gateways (VGWs) and private virtual interfaces (VIFs). You can use with Virtual Private gateway (or) transit gateway to access VPCs in multiple regions.

Direct Connect gateway

A virtual private gateway acts as the entry point of the AWS site VPN connection. It connects a single VPC from the AWS region to an on-premise network. In this diagram, Each region has VPC and it is connected to Direct Connect way through virtual private gateway associations. The Direct Connect gateway is connected to the Direct Connect location using a Virtual private interface.

Direct connect with VGW

The Transit gateway is used to connect multiple VPCs from on-premise to the same AWS region. In this diagram, the Region has multiple VPCs and it is connected to the transit gateway. The Direct Connect gateway is connected with the Transit gateway through transit gateway associations. The Direct Connect gateway is connected to the Direct Connect location using a transit virtual interface.

Direct Connect with Transit gateway

5. How the Direct Connect work?

Direct Connect is used to transfer the data from on-premise to AWS. For this, you need the AWS Direct Connect location as an intermediator. First, you connect one end of the Ethernet cable on your side (customer router) and connect the other end to the AWS Direct Connect location router. With this connection, you can create a virtual interface through which you can access AWS services. These services may be public (S3, EC2) or private (VPC). You need to connect the local ISPs and Direct Connect Delivery partner for connecting from on-premise to the Direct Connect location. By default, AWS Direct Connect does not encrypt traffic that is in transit. If you want encryption, you may use transit encryption.

6. Types of Resiliency

Resiliency means the ability to recover and perform quickly in case of failure. There are 3 types of Resiliency

Maximum Resiliency for critical workloads using separate connections that terminate on separate devices in more than one location. It helps to prevent connection against device, connectivity, and complete location failure.

Maximum Resiliency

High Resiliency for critical workloads using two single connections to more than one location. It helps to prevent connection against device, connectivity, and complete location failure.

High Resiliency

Development and Testing for non-critical workloads using separate connections that terminate on separate devices in one location. It helps to prevent connection against device, connectivity. But not location failure.

Development and Test

AWS Direct Connect failover tests are designed to ensure the number of virtual interface connections placed in locations. It restores your BGP session from failure, so traffic gets routed and meets resiliency requirements. AWS deletes the test history after 365 days. The test status included the following values In Progress, Completed, Cancelled, Failed. To perform the test, set the time in minutes. The default time is 180 mins (3 hrs), and max. time is 4320 mins (72 hrs).

7. MAC security (MACsec) is an IEEE 802.1 layer 2 standard that provides data confidentiality, data integrity, and data origin authenticity. It is used to encrypt your data from the on-premise location to the Direct Connect location. MACsec secret key is a pre-shared key that establishes the connection between the customer router and the Direct Connect location port. secret key is generated by Connection Key Name (CKN) and Connectivity Association Key (CAK). You cannot modify a MACsec secret key after you associate it with a LAG. If you need to modify the key, disassociate the key from the connection, and then associate a new key with the connection.

8. Link Aggregation Group is a logical interface that uses Link Aggregation Control Protocol to combine multiple connections as a single connection at the Direct Connect Endpoint. All the connections in the LAG use the same bandwidth. All the connections must be dedicated connection and the port speeds are 1 Gbps, 10 Gbps, and 100 Gbps.

Setup for LAG

In Microsoft Azure, it is called Express Route. In GoogleCloudPlatform, it is called Google Cloud InterConnect.

Have a Good day. Thanks for Reading

Last Updated: 07-Jan-2024

--

--