Networking & Content Delivery

    AWS Direct Connect

    Dedicated network connection from on-premises to AWS

    Direct Connect is like building a private highway between your office and AWS instead of using the public internet. Imagine you're shipping valuable cargo daily: you could use public roads (the internet), but they are unpredictable, congested, and not very secure. Direct Connect gives you a dedicated lane that is faster, more reliable, and more secure. It is a physical fiber optic connection from your data center to AWS, bypassing the internet entirely. It is a good fit for workloads that need consistent network performance, large data transfers, or strict security requirements. Think of it as a private tunnel that only you use, giving you predictable throughput and privacy.

    Direct Connect provides dedicated network connections from on-premises to AWS via AWS Direct Connect locations (colocation facilities). You order a connection (1Gbps, 10Gbps, or 100Gbps dedicated, or 50Mbps-10Gbps hosted), and AWS provisions a cross-connect to your router in the colocation facility. You create virtual interfaces (VIFs): private VIF (access VPC resources), public VIF (access public AWS services like S3), or transit VIF (connect to Transit Gateway for multi-VPC access).

    Key Capabilities

    • Dedicated physical connection (1Gbps or 10Gbps) from an on-premises facility to an AWS Direct Connect location, bypassing the public internet for consistent latency and throughput
    • Hosted connections via Direct Connect partners: flexible speeds from 50Mbps to 10Gbps without requiring a dedicated physical port, faster to provision than dedicated connections
    • Three Virtual Interface types: Private VIF (access resources inside a VPC), Public VIF (access AWS public service endpoints such as S3 and DynamoDB), and Transit VIF (connect to AWS Transit Gateway)
    • Data transfer out via Direct Connect is priced lower than internet egress, making it cost-effective for high-volume data transfers between on-premises and AWS
    • Direct Connect Gateway: attach a single Direct Connect connection to VPCs across multiple AWS regions and accounts without requiring separate connections per region
    • Link Aggregation Groups (LAG): bundle multiple Direct Connect connections into a single logical connection for increased bandwidth and redundancy at the same location

    Gotchas & Constraints

    • Gotcha #1: Direct Connect is not encrypted by default; use VPN over Direct Connect or MACsec for encryption.
    • Gotcha #2: A single Direct Connect connection is a single point of failure; use multiple connections across different locations for high availability.
    • Constraints: Requires physical presence in a Direct Connect location (or a partner facility), setup takes weeks (physical provisioning), and you pay for port hours plus data transfer.
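    The two gotchas above can be checked from the API rather than by eye. The script below is an added example, not code from this page or an AWS tool: it audits a list in the shape of boto3's `directconnect.describe_connections()['connections']` for ports without MACsec encryption up and for single-connection or single-location deployments. The sample data, the connection IDs, the location code and the function name are constructed for illustration.

```python
from collections import Counter

# Constructed sample shaped like describe_connections()['connections'].
# Field names follow the Direct Connect API (connectionId, location,
# bandwidth, macSecCapable, portEncryptionStatus); the values are made up.
SAMPLE_CONNECTIONS = [
    {"connectionId": "dxcon-aaaa1111", "connectionName": "dc1-primary",
     "connectionState": "available", "location": "EqDC2", "bandwidth": "10Gbps",
     "macSecCapable": True, "portEncryptionStatus": "Encryption Down"},
    {"connectionId": "dxcon-bbbb2222", "connectionName": "dc1-secondary",
     "connectionState": "available", "location": "EqDC2", "bandwidth": "10Gbps",
     "macSecCapable": False},
    {"connectionId": "dxcon-cccc3333", "connectionName": "dc2-planned",
     "connectionState": "requested", "location": "CSVA1", "bandwidth": "1Gbps",
     "macSecCapable": True},
]


def audit_connections(connections):
    """Return (connectionId or '*', severity, message) findings.

    Only connections in state 'available' carry traffic, so pending or
    deleted ones are ignored. Whether a VPN is run over the circuit is not
    visible here, so a non-MACsec port is reported for a human to confirm.
    """
    findings = []
    active = [c for c in connections if c.get("connectionState") == "available"]

    # Gotcha #1: the circuit is cleartext unless MACsec is up (or VPN is layered on top).
    for c in active:
        cid, status = c["connectionId"], c.get("portEncryptionStatus")
        if c.get("macSecCapable") and status == "Encryption Up":
            continue  # MACsec is active on this port
        if c.get("macSecCapable"):
            findings.append((cid, "high", f"MACsec-capable port but status is {status!r}; "
                             "enable MACsec or confirm VPN over Direct Connect"))
        else:
            findings.append((cid, "high", "port is not MACsec-capable; traffic is cleartext "
                             "unless VPN over Direct Connect is in use"))

    # Gotcha #2: one connection, or several at one site, is a single point of failure.
    if len(active) < 2:
        findings.append(("*", "high", "only one active connection: single point of failure"))
    else:
        locations = Counter(c["location"] for c in active)
        if len(locations) < 2:
            site = next(iter(locations))
            findings.append(("*", "medium", f"all {len(active)} active connections are at "
                             f"{site}; a site outage takes them all down"))
    return findings
```

Feed it `boto3.client("directconnect").describe_connections()["connections"]` to run it against a real account.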

    A financial services company runs a hybrid cloud architecture with 500 servers on-premises and 200 in AWS. They transfer 50TB of data monthly between environments for backups, analytics, and disaster recovery. Using internet VPN, transfers are slow (200Mbps), unreliable (frequent disconnects), and expensive ($5,000/month in data transfer). They provision two 10Gbps Direct Connect connections in different locations for redundancy. Transfers now run at 8Gbps consistently, completing in hours instead of days. They create a private VIF to access VPCs and a public VIF to upload backups to S3. For security, they run VPN over Direct Connect, encrypting all traffic. Direct Connect costs $3,000/month (port hours + data transfer), saving $2,000/month while providing 40x better performance. They use Direct Connect Gateway to connect to 10 VPCs across 3 regions via a single connection.

    The Result

    Predictable network performance, reduced costs, and improved disaster recovery capabilities.
