AWS Direct Connect: What It Is and When to Use It

Definition

AWS Direct Connect (DX) is a service that provides dedicated, private fiber connections between an on-premises data center (or colocation facility) and AWS. Instead of routing traffic over the public internet, Direct Connect delivers AWS traffic across your own physical link terminated at an AWS Direct Connect location (typically a carrier-neutral colocation like Equinix), offering predictable bandwidth, consistent low latency, and reduced data-transfer costs compared to VPN over the internet.

DX is the enterprise-grade way to go hybrid with AWS: it pairs naturally with Direct Connect Gateway, Transit Gateway, Virtual Private Gateway, and encryption options like MACsec (for physical-link encryption on 10 Gbps/100 Gbps ports).

How It Works

Direct Connect consists of a few moving parts:

  1. AWS Direct Connect location — a physical AWS point of presence where you terminate your fiber (hundreds of locations worldwide, usually in Equinix, CoreSite, Digital Realty, etc.).
  2. Cross-connect — a physical fiber cable from your rack or your carrier's rack to the AWS router, ordered through the colocation provider.
  3. Connection — the logical AWS resource (dedicated or hosted) representing the link.
  4. Virtual Interfaces (VIFs) — logical sub-interfaces over the connection that carry traffic to AWS:
    • Private VIF — to a single VPC via a Virtual Private Gateway (VGW) attached to that VPC.
    • Public VIF — to AWS public service endpoints (S3, DynamoDB, public EC2 IPs) across any Region (excluding China).
    • Transit VIF — to a Direct Connect Gateway that is associated with one or more Transit Gateways, enabling connectivity to many VPCs and even multiple Regions over one link.
  5. Direct Connect Gateway (DXGW) — a global resource that associates a DX connection with VGWs or TGWs in multiple Regions, so one DX link can reach any AWS Region (except China) from any DX location.
  6. BGP session — the VIF establishes a BGP peering between your router and AWS; routes are exchanged dynamically.

Dedicated vs Hosted Connections

  • Dedicated connection — AWS provisions a port you own end to end. Port speeds of 1 Gbps, 10 Gbps, or 100 Gbps.
  • Hosted connection — an AWS Partner (carrier or reseller) provisions a logical slice of their dedicated link for you. Speeds from 50 Mbps to 25 Gbps (varies by partner), with minute-level turn-up rather than weeks.

Hosted connections are ideal for smaller bandwidth needs or quick turn-up; dedicated connections suit enterprises wanting full control and 100 Gbps.

Key Features and Limits

  • Port speeds: 50 Mbps → 25 Gbps (hosted) or 1 / 10 / 100 Gbps (dedicated).
  • Virtual Interfaces: up to 50 VIFs per dedicated connection; a single VIF per hosted connection.
  • MACsec: 802.1AE MACsec encryption supported on 10 Gbps and 100 Gbps dedicated ports for Layer 2 encryption.
  • BGP: required on every VIF; AWS supports MD5 authentication of the session, and honours AS-path prepending and BGP communities for path preference.
  • Jumbo frames: 9001-byte MTU on private/transit VIFs; 1500-byte MTU on public VIFs.
  • Direct Connect Gateway: associates with up to 20 VGWs (multi-VPC scenario) or 6 TGWs per DXGW, enabling multi-VPC and multi-Region reach.
  • Link Aggregation Group (LAG): bundles up to 4 physical connections at the same speed and location into a single logical link for higher bandwidth and HA.
  • Resiliency: Highly Resilient architecture uses 2 connections to 2 DX locations; Maximum Resilience uses 4 connections across 2 locations — AWS recommendation for critical workloads.
  • Failover to VPN: if DX fails, BGP withdrawal lets traffic swing to a Site-to-Site VPN you keep in standby.
  • SiteLink: uses the AWS global backbone to connect two DX locations directly (any-to-any at AWS edge), useful for global WANs.
  • Data transfer discount: DX egress pricing is substantially lower than internet egress.

Common Use Cases

  1. Enterprise hybrid cloud — consistent 10 Gbps or 100 Gbps into AWS for bulk migrations, backups, and daily operations.
  2. Low-latency trading / real-time systems — predictable single-digit-millisecond RTT to a specific Region via a nearby DX location.
  3. Multi-VPC hybrid access — one DX + DXGW + TGW stitches many VPCs and on-prem sites into a unified backbone.
  4. Regulatory or contractual requirements — private connectivity avoiding public internet transit, sometimes mandated by financial or government rules.
  5. Large-scale data transfer — nightly ETL, backup/replication, or media workflow pipelines benefit from predictable bandwidth and lower egress rates.
  6. VMware Cloud on AWS / SAP on AWS — enterprise workloads that rely on consistent cross-link performance.
  7. Global WAN replacement — SiteLink across DX locations can replace MPLS for point-to-point links.

Pricing Model

Direct Connect has two cost axes:

  • Port hours — per-hour charge based on the port speed and dedicated/hosted category. A 10 Gbps dedicated port is roughly $2.25/hour in the US (verify current rates). Hosted connections are usually cheaper and billed through the partner.
  • Data transfer out (DTO) — per-GB egress charge, billed at a discounted rate compared to internet egress (often 30–70% cheaper, depending on Region and volume).

Additional costs outside AWS:

  • Colocation fees for your rack and cross-connect (paid to the colo provider, not AWS).
  • Carrier circuit fees if you use a telco to reach the DX location.
  • MACsec: no extra AWS charge, but only available on supported ports (10 Gbps and 100 Gbps dedicated).
  • LAG: each member port bills independently.

Data transfer into AWS over DX is free, which is often the biggest savings over internet ingress patterns.

Pros and Cons

Pros

  • Predictable, consistent bandwidth and latency — no internet variability.
  • Higher throughput than VPN (100 Gbps ports; LAG for more).
  • Lower egress costs than internet transit.
  • MACsec Layer 2 encryption on 10/100 Gbps ports.
  • DXGW gives any-Region reach from a single DX location.
  • Ideal for large-scale hybrid and migration workloads.

Cons

  • Not encrypted by default — traffic on a private VIF crosses the fiber in cleartext unless you add MACsec at Layer 2 or run IPsec on top.
  • Lead time — dedicated connections can take weeks to provision; hosted are faster but still involve partner ordering.
  • Cost floor — port hours accrue whether you use the bandwidth or not; a lightly used 10 Gbps port is expensive.
  • No built-in HA — a single connection is a single point of failure; AWS strongly recommends two or four connections (Highly Resilient / Max Resilience).
  • Physical presence required — you need gear at (or carrier drop at) an AWS DX location.

Comparison with Alternatives

| Feature | Direct Connect | Site-to-Site VPN | Direct Connect + VPN | AWS PrivateLink |
| --- | --- | --- | --- | --- |
| Path | Private fiber | Internet (IPsec) | Private fiber + IPsec overlay | Private within AWS |
| Throughput | 50 Mbps – 100 Gbps | ~1.25 Gbps per tunnel | Up to 100 Gbps | N/A |
| Latency | Predictable, low | Variable (internet) | Same as DX | Very low (internal) |
| Encryption | MACsec (L2) or DIY | IPsec always | IPsec always | TLS |
| Setup time | Weeks (dedicated) / days (hosted) | Minutes | Weeks + minutes | Minutes |
| Cost | Port hours + low DTO | No ports, higher DTO | Both | Per-hour + per-GB |
| Best for | Enterprise hybrid, large data | Quick start, low bandwidth | Encrypted, high-bandwidth hybrid | Private service exposure |

A very common production pattern is DX with a VPN overlay: you get DX's bandwidth and consistent latency plus IPsec encryption end-to-end. Another is DX + VPN as failover: when the DX link fails, BGP withdrawals push traffic to a standby VPN automatically.

Exam Relevance

  • Solutions Architect Associate (SAA-C03) — key concepts: DX vs VPN (predictable/lower cost/higher bandwidth vs quick/cheap/internet), when to add a VPN overlay, DX Gateway for multi-VPC/multi-Region.
  • Solutions Architect Professional (SAP-C02) — designing Highly Resilient / Max Resilience DX, DXGW + TGW, DX + VPN failover.
  • Advanced Networking Specialty (ANS-C01) — extremely heavy: BGP details (AS prepending, LOCAL_PREF, MED, BGP communities), public vs private vs transit VIFs, jumbo frames, MACsec, SiteLink, LAG configuration, HA patterns, DXGW limits.
  • Security Specialty (SCS-C02) — DX is not encrypted by default; when to layer IPsec / MACsec.

Classic exam traps: DX is not encrypted unless you add MACsec (L2) or a VPN overlay (L3). DX alone is not highly available — AWS recommends two connections in two different DX locations. DX Gateway lets a single DX reach many VPCs in many Regions (no inter-Region VPC traffic over the internet). Transit VIFs connect to a DXGW associated with TGW(s); Private VIFs connect to a single VGW. Public VIFs reach AWS public services and can be used for S3 transfer without internet.

Frequently Asked Questions

Q: What's the difference between Direct Connect and a Site-to-Site VPN?

A: Direct Connect uses a dedicated physical fiber link from your data center to AWS — predictable bandwidth up to 100 Gbps, consistent low latency, lower egress costs, but weeks to set up and not encrypted by default. Site-to-Site VPN uses IPsec tunnels over the public internet — quick to set up (minutes), always encrypted, no port fees, but limited to ~1.25 Gbps per tunnel and subject to internet variability. A common best practice is both: DX for primary traffic, VPN as encrypted failover or as an encryption overlay on top of DX.

Q: What is a Direct Connect Gateway and when do I need one?

A: A Direct Connect Gateway (DXGW) is a global resource that decouples your DX connection from individual VPCs. Without a DXGW, a Private VIF can connect to only one VPC in the same Region. With a DXGW, your DX link can reach up to 20 Virtual Private Gateways (one per VPC) or up to 6 Transit Gateways, spanning any AWS Region (except China). This is essential for multi-VPC, multi-Region hybrid architectures served from a single (or a few) DX locations.

Q: How do I make Direct Connect highly available?

A: A single DX connection is a single point of failure — cable cuts and AWS router failures can take you offline. AWS's recommended patterns are Highly Resilient (two connections to two separate AWS Direct Connect locations, ideally via different carriers and different paths) and Maximum Resilience (four connections across two locations, for SLA-critical workloads). You can also aggregate multiple links with a LAG (Link Aggregation Group) and keep a Site-to-Site VPN in warm standby so BGP automatically fails over to the internet path if both DX legs drop.
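As an added example (not from this article or from AWS), the following Python audits an inventory of DX connections against the resiliency tiers described here and the caveat that a link carries cleartext unless MACsec is up or IPsec is layered on top. The inventory is constructed sample data, and the record shape and field names are an assumption loosely modelled on describe-connections output.

```python
MACSEC_SPEEDS = {"10Gbps", "100Gbps"}  # MACsec exists only on 10/100 Gbps dedicated ports

# Constructed sample inventory (placeholder IDs, not real): four links, two DX locations.
# Field names are an assumption loosely modelled on describe-connections output.
SAMPLE = [
    {"connectionId": "dxcon-example1", "location": "LocA", "bandwidth": "10Gbps",
     "connectionState": "available", "portEncryptionStatus": "Encryption Up"},
    {"connectionId": "dxcon-example2", "location": "LocA", "bandwidth": "10Gbps",
     "connectionState": "available", "portEncryptionStatus": "Encryption Down"},
    {"connectionId": "dxcon-example3", "location": "LocB", "bandwidth": "10Gbps",
     "connectionState": "available", "portEncryptionStatus": "Encryption Up"},
    {"connectionId": "dxcon-example4", "location": "LocB", "bandwidth": "1Gbps",
     "connectionState": "available", "portEncryptionStatus": "Encryption Down"},
]

def resiliency_tier(conns):
    """Article's tiers: 4 links in 2 locations = Maximum Resilience, 2 links in
    2 locations = Highly Resilient; anything less still shares one failure point."""
    up = [c for c in conns if c["connectionState"] == "available"]
    sites = {c["location"] for c in up}
    if len(up) >= 4 and len(sites) >= 2:
        return "maximum_resilience"
    if len(up) >= 2 and len(sites) >= 2:
        return "highly_resilient"
    if len(up) >= 2:
        return "single_location"  # one colo or router outage takes both links down
    return "single_point_of_failure"

def cleartext_links(conns):
    """(connectionId, reason) for each link carrying traffic in the clear: MACsec is
    unavailable below 10 Gbps, and only protects a port once it reports Encryption Up."""
    findings = []
    for c in conns:
        if c["bandwidth"] not in MACSEC_SPEEDS:
            findings.append((c["connectionId"], "no MACsec at this speed: add an IPsec overlay"))
        elif c.get("portEncryptionStatus") != "Encryption Up":
            findings.append((c["connectionId"], "MACsec not up: traffic is cleartext"))
    return findings

def audit(conns, standby_vpn):
    """Pass only when the link set is at least Highly Resilient, no link is
    cleartext, and a standby VPN exists for the case where every DX leg drops."""
    tier = resiliency_tier(conns)
    findings = cleartext_links(conns)
    return {
        "tier": tier,
        "cleartext": [cid for cid, _ in findings],
        "ok": tier in ("highly_resilient", "maximum_resilience") and not findings and standby_vpn,
    }
```

Feed it the output of your own inventory tooling and the `cleartext` list is the set of links that still need an IPsec overlay before they carry regulated traffic.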


This article reflects AWS features and pricing as of 2026. AWS services evolve rapidly — always verify against the official Direct Connect documentation before making production decisions.

Published: 4/17/2026 / Updated: 4/17/2026