AWS Direct Connect

Learn via video courses

Overview

In the early 21st century, cloud computing paved the way for a technological revolution in infrastructure. Once customers adapt to cloud platforms like AWS, they use the AWS Site-2-Site VPN connection to establish secure connections between their on-premise and the AWS data center(AWS region). However, VPN alone did not satisfy all the requirements of AWS customers.

In 2011, AWS released Direct Connect, a new service that uses dedicated Ethernet fiber-optic cable to link customers on-premises to an AWS region by bypassing the public internet.

What is AWS Direct Connect and How Does it Work?

AWS Direct Connect provides a private network connection between the customer's on-premise/data center and an AWS region (the customer’s AWS account).

Direct connect is the standard Ethernet fiber-optic cable connected between the customer data center, office, or colocation environment and the AWS account.

The traffic initiated by customers' on-premises servers to AWS servers/services will be routed through the physical fiber-optic cable (Direct Connect) instead of the public internet.

How does it work?

AWS Direct Connect offers an alternative to accessing AWS cloud services instead of using the public internet. It enables customers to connect to AWS in a low-latency, secure, and private way for AWS workloads that require higher speed or lower latency than the internet.

Once a customer purchases the required bandwidth Direct Connect (DX) connection by completing a Letter of Authorization, AWS will install a physical fiber-optic cable connection between the customer data center, office/colocation, or AWS partner router and the AWS region.

AWS partner routers or customer routers

  • This router will be installed at the customer's on-premises or AWS partner location.

AWS Router

  • This router is present within the AWS region Direct connect location to campus.

The below image demonstrates the traffic flow from the customer data center to AWS region via the AWS Direct Connect location

traffic flow from customer data center to aws region

Note: AWS Direct connect service providers vary based on location. In India, Tata Communications, Reliance Jio, Sify, and Bharti Airtel are the major partner network service providers for AWS Direct Connect.

Components of AWS Direct Connect

Connection

Once a Letter of Authorization is approved, AWS or AWS Partner Network (APN) will share the connection to your AWS account.

There are two types of connections 

1. Dedicated Connection

2. Hosted Connection

ParametersDedicated ConnectionHosted
TypeA dedicated physical Ethernet connection for a customer to their AWS account regionAn AWS Direct Connect Partner will provide a physical ethernet connection on behalf of a customer
AccessCustomers can request a dedicated connection through the AWS Direct Connect console, the CLI, or the API.Customers request a hosted connection by contacting a partner in the AWS Direct Connect Partner Program, which provides the connection
Bandwidth1 Gbps ,10 Gbps , 100 Gbps50 Mbps to 10 Gbps

Virtual Interface

There are 3 types of virtual interfaces (VIF) available in AWS Direct Connect. We can opt for any one virtual interface to connect to the provisioned direct connect connection.

  1. Public VIF
  2. Private VIF
  3. Transit VIF
VIF TypePublic VIFPrivate VIFTransit VIF
UsesThis interface is used to access all AWS public services using public IP addressesThis interface is used to connect to the VPC using private IP addressesThis interface is used to connect transit gateways associated with the Direct Connect gateway 
Use-caseOn-premise server to S3 bucket data transfer through Direct connectOn-premise private or DB servers connect with AWS VPC resourcesOn-premise to multi-VPC network architecture

Direct Connect Gateway

We can associate more than one virtual private gateway to the direct connect gateway, which helps to minimize the creation of each VIF for each virtual private gateway.

Features of AWS Direct Connect

Flexible Bandwidth

  • AWS provides a starting speed range of 10Mbps and a maximum scaled up to 100Gbps as per the customer requirements based on the Dedicated Connection.

Elasticity

  • AWS Direct Connect is elastic. So we can transfer the data seamlessly back and forth to AWS as per our bandwidth requirement.

As an example,

Assume a startup company chose AWS Direct Connect for a 50Mbps hosted connection. If they want to increase or decrease bandwidth in the future, we use the AWS console, CLI, or API to create a new connection with the required bandwidth.

Note: The port speed of an existing connection cannot be changed; we must create new connections to change the port speed.

Encryption

The encryption occurs at Layer 2 devices that are directly connected to Ethernet switches or routers.

What are Layer 2 devices?

  • Layer 2 devices will transmit data from source to destination according to the ethernet address or MAC address. These devices are configured in the Direct Connect location.

AWS Direct Connect supports MACsec encryption for customers who have a dedicated connection with a bandwidth of 10 Gbps or 100 Gbps.

What is MACsec Encryption?

MACSec-Media access control security

  • MAC Security (MACsec) is an IEEE standard that provides data confidentiality, data integrity, and data origin authenticity.

Layer 2 devices with MACsec capability will support MACsec encryption. This encryption will occur at the Direct Connect Location Layer 2 devices and customer-opted Layer 2 devices.

MACsec requires that your connection be terminated on a MACsec-capable device on the AWS Direct Connect side of the connection.

Note: MACsec supports 10 Gbps and 100 Gbps dedicated connections. It also supports Direct Connect Sitelink

SiteLink

  • SiteLink is an optional Direct Connect feature available in Direct Connect for virtual private interfaces.

  • Usage of SiteLink will incur additional charges.

  • AWS Sitelink helps to achieve the shortest path between any two Direct Connect points of presence using the AWS backbone network instead of routing via an AWS region.

With Direct Connect

Here we can see the data transfer routed to the region and then passing to the AWS Direct Connect Location.

direct connect

With Direct Connect Sitelink

direct connect sitelink

Here, we can achieve the data transfer between AWS Direct Connect Locations without being routed toward the AWS region.

Use Cases of AWS Direct Connect

Some enterprise customers opt for AWS Direct Connect for the following 4 reasons:

The AWS Direct Connect service is natively compatible with AWS services

  • We can upload and download the data to the AWS public services such as S3 directly from our on-premises infrastructure. We can also connect to the AWS VPC Network from our on-premises infrastructure. In both cases, the traffic will pass through without routing through the public internet.

Cloud and on-premises Hybrid Environments

  • Database Migration, Application Migration, and Data Transfer to AWS enhance the hybrid environment.

Transferring large data sets

  • Using EFS and Storage Gateway, we can transfer large data sets with less latency and achieve high performance.

Real-time data feeds

  • We can set up the data pipeline on AWS or on-premise for real-time data analytics. Direct Connect helps to achieve high performance with resiliency. 

Requirements to Use AWS Direct Connect

There is a certain network requirement we must meet to establish Direct Connect.

Network Device:

Port Capacity1 gigabit10 gigabit100 gigabit
TransceiverSingle-mode fiber with a 1000BASE-LX (1310 nm)Single-mode fiber with a 10GBASE-LR (1310 nm)Single-mode fiber with a 100GBASE-LR4

Port AutoNegotiation:

For 1 Gbps: Enabled or Disabled depends upon the Direct connect endpoint

For more than 1 Gbps: Must be Disabled

VLAN : IEEE 802.1Q Encapsulation

Protocol : Border Gateway protocol

Authentication : BGP MD5

Those who have the above requirements can opt for Direct Connect.

Those who do not have the requirement still opt for Direct Connect using APN (AWS Partner Network)

AWS Direct Connect Pricing

Three components determine the pricing of AWS Direct Connect irrespective of location. They are:

  1. Capacity
  2. Port hour
  3. Data transfer out

Dedicated Port Connection

CapacityPort hour rate excluding JapanPort hour rate in Japan
1 Gbps$0.30/hour$0.285/hour
10 Gbps$2.25/hour$2.142/hour
100 Gbps$22.50/hour$22.50/hour

Hosted Port Connection

CapacityPort hour rate excluding JapanPort hour rate in Japan
50 Mbps$0.03/hour$0.029/hour
100 Mbps$0.06/hour$0.057/hour
200 Mbps$0.08/hour$0.076/hour
300 Mbps$0.12/hour$0.114/hour
400 Mbps$0.16/hour$0.152/hour
500 Mbps$0.20/hour$0.190/hour
1 Gbps*$0.33/hour$0.314/hour
2 Gbps*$0.66/hour$0.627/hour
5 Gbps*$1.65/hour$1.568/hour
10 Gbps*$2.48/hour$2.361/hour
  • These capacities are available from selected AWS Direct Connect Partners

For example,

In India, the two partners listed below offer dedicated and hosted connections for Direct Connect Service.

Column 1GPX, Mumbai, IndiaSify Rabale, Mumbai, IndiaSTT GDC India Pvt. Ltd. VSB, Chennai, IndiaNetMagic DC2, Bangalore, IndiaSTT Delhi DC2, Delhi, IndiaSTT Hyderabad DC1, Hyderabad, India
Sify✔G✔G✔G✔G✔G
Tata Communications✔H✔H✔H✔H✔H

✔ -Supports Dedicated Connections G -Approved for Hosted Connections of capacities from 50 Mbps to 500 Mbps H - Approved for Hosted Connections of capacities from 50 Mbps to 10 Gbps

Data transfer in

There will be no charges incurred for data transfer towards your AWS account by Direct Connect.

Data transfer out

Each region's data transfer out rate will vary based on the country's location.

data transter out

SiteLink hours

Fixed $0.50 per hour for each VIF associated with the Direct connect gateway

SiteLink Data Transfer rates

sitelink data transfer rates

How to Configure AWS Direct Connect?

Assuming we are establishing Direct Connect with an APN partner,

  • Once the Letter Of Authorization is completed, the partner will share the network connection. This will show up in the Direct Connect console.
  • We should accept and continue the below steps

Connection details

Name: Enter any preferred name

Location: Choose Mumbai (for demo purposes)

Port Speed: 1Gbps or 10Gbps

Service providers: Tata Communication, Bharti Airtel, GPX. (If you choose to use an AWS Direct Connect partner.)

Additional settings (Optional)

MACsec Support : Disabled by default

Existing LAGs: Disabled by default.

configure aws direct connect

  • Once the above steps are finished, we have two options here.

  • To create a new VIF or choose an existing VIF

Creating a VIF

  • We should choose the type of VIF, whether it is private, public, or transit.

create a vif

  • In VIF, we choose either a Direct Connect gateway or a Virtual Private Gateway.

  • We must enter the Virtual Local Area Network (VLAN) and BGP ASN to create a VIF.

create a vif

  • In addition to this, we can configure the following parameters optionally.

Your router's peer IP: CIDR

Amazon router peer IP: CIDR

BGP authentication key: can be up to 126 characters long

Jumbo MTU (MTU size 9001) : MTU Frame size

SiteLink: Disabled by default

create a vif

  • Once the DX connection is created, and VIF is attached to the DX connection, we need to wait for 10 to 15 minutes for the direct connection state to become available.

create a vif

AWS Direct Connect Locations

  • AWS Direct Connect is available in locations all over the world. Those who lack the necessary equipment for the Direct Connect location can still connect through APN Technology and Consulting Partners.

  • These APN Partners can help you establish network circuits between an AWS Direct Connect location and your data center.

  • To minimize cost and latency, AWS recommends selecting the closest available Direct Connect location and AWS region to the customer's data center.

For example,

If the customer data center is located in Mumbai, there are multiple Direct Connect locations available for the AWS Mumbai region.

AWS suggests choosing the Direct Connect location and AWS region that is nearest to the customer's data center to reduce latency, cost, and management overhead.

Benefits of AWS Direct Connect

  • Customers can choose their required bandwidth for data transfer and consistent network performance.
  • Bandwidth options include 1 GB, 10 GB, and 100 GB for dedicated connections.
  • The cost of direct-connect data transfer will be less when compared to the cost of internet data transfer from AWS to the customer data center.
  • It provides a dedicated private network connection to the AWS VPC.
  • It supports Ipv4 and IPv6 BGP peering sessions.
  • It also supports Jumbo frames with 9001` MTUs.

Note: Jumbo frames are single Ethernet frames with a payload size of more than 1500 bytes. Using Jumbo frames, we can reduce the CPU processing time.

Conclusion

  • AWS Direct Connect establishes a private network link between the customer data center and the AWS region with the help of a standard Ethernet fiber-optic cable.

  • Customers can establish a Direct Connect by opting for either a dedicated connection or a hosted connection.

  • AWS Direct Connect pricing components include capacity, port hours, and data transfer out.

  • It provides MACsec encryption and a flexible bandwidth range from 10 Mbps to 100 Gbps.

  • Using Direct Connect SiteLink, customers can transfer the data without routing toward the AWS region.

  • It provides high availability and resilience. Leveraging AWS Direct Connect will reduce the latency and data transfer costs.