This chapter covers AWS Direct Connect, a dedicated network service that establishes a private, high-bandwidth connection from your on-premises data center to AWS. On the CLF-C02 exam, this topic falls under Domain 3: Cloud Technology Services, which constitutes approximately 24% of the exam. Understanding Direct Connect is essential for distinguishing between hybrid connectivity options and recognizing when a dedicated, consistent network experience is required over internet-based VPNs.
Imagine your company is a bustling warehouse that needs to ship goods to a central distribution hub (the AWS cloud) every day. Normally, you rely on the public postal service—your internet connection—to send packages. But the public road is shared with everyone else: traffic jams, detours, and the occasional lost package slow you down, and you never know exactly when a shipment will arrive. For critical, high-volume shipments, this unpredictability is unacceptable. AWS Direct Connect is like building a private, dedicated highway from your warehouse directly to the distribution hub's loading dock. This highway has its own lanes—no traffic from other companies—and a guaranteed travel time. You pay a fixed monthly fee for the highway, but you save on variable shipping costs and avoid delays. Just as a dedicated highway requires you to lay the pavement (the physical cable) and connect it to the hub's entrance (the AWS Direct Connect location), you must coordinate with a construction company (an AWS Direct Connect Partner) to establish the link. Once built, your shipments flow smoothly, securely, and predictably, even during peak hours when the public roads are jammed.
What is AWS Direct Connect and the Problem It Solves
AWS Direct Connect is a cloud service that makes it easy to establish a dedicated network connection from your on-premises data center to AWS. Think of it as a private, high-speed fiber-optic cable that bypasses the public internet. The primary problem it solves is the unpredictability and potential security risks of internet-based connections. When you use a standard internet connection to access AWS services, your traffic travels over the public internet, which is shared with millions of other users. This can lead to variable latency, jitter, packet loss, and bandwidth contention. For latency-sensitive workloads (e.g., real-time gaming, financial trading) or high-volume data transfers (e.g., large-scale backups, disaster recovery), the public internet is often unreliable. Direct Connect provides a consistent network experience, lower latency, and higher security by keeping traffic off the internet.
How It Works: The Mechanism
To use Direct Connect, you must first establish a physical connection between your network and an AWS Direct Connect location. These are specialized data centers co-located with AWS partner facilities (e.g., Equinix, Digital Realty) in major metropolitan areas around the world. You work with an AWS Direct Connect Partner (a telecom or colocation provider) to order a cross-connect—a physical cable that links your router in the facility to an AWS Direct Connect router. Once the physical connection is in place, you create a Virtual Interface (VIF) on top of it. There are two types: a private VIF (for connecting to your Amazon VPC via a Virtual Private Gateway) and a public VIF (for connecting to AWS public services like S3, DynamoDB, or EC2 in any region, but still over the dedicated link). The private VIF uses 802.1Q VLAN tagging and BGP (Border Gateway Protocol) to route traffic between your on-premises network and your VPC. You must configure BGP sessions with your own public or private ASN, and you can use multiple VLANs to connect to multiple VPCs or multiple AWS accounts.
Key Tiers, Configurations, and Pricing Models
Direct Connect offers two port speeds: 1 Gbps and 10 Gbps. For higher bandwidth, you can use Link Aggregation Groups (LAGs) to combine multiple connections. Pricing is based on the port speed and the data transfer out (egress) from AWS. You pay an hourly fee for the port (e.g., ~$0.30/hour for 1 Gbps) plus a per-GB charge for data transferred out. Data transferred into AWS (ingress) is free. There is also a data transfer discount: if you commit to a minimum monthly data transfer volume (e.g., 10 TB), you can get lower per-GB rates. Additionally, you can create a Direct Connect Gateway, which allows you to connect to multiple VPCs in multiple AWS regions using a single Direct Connect connection. This is a key concept for the exam: a Direct Connect Gateway is a global resource that acts as a hub, enabling BGP routing between your on-premises network and multiple VPCs across regions.
Comparison to On-Premises and Competing Approaches
Before Direct Connect, organizations typically used IPsec VPNs over the internet to connect to AWS. VPNs are easier to set up (no physical infrastructure) and cheaper for low-bandwidth needs, but they suffer from internet variability. Direct Connect provides a more consistent, lower-latency experience. Another alternative is AWS Site-to-Site VPN, which can be used as a backup to Direct Connect. For hybrid architectures, many enterprises use both: Direct Connect as the primary link and VPN as a failover. On the exam, be aware that Direct Connect is not a VPN; it is a physical, dedicated connection. Also, note that Direct Connect does not encrypt data by default—you must add encryption at the application layer or use IPsec over Direct Connect (which is supported but adds complexity).
When to Use Direct Connect vs Alternatives
Use Direct Connect when:
You need consistent, predictable network performance for real-time applications.
You transfer large volumes of data (e.g., terabytes daily) and want to save on internet bandwidth costs.
You have regulatory or compliance requirements that mandate data not travel over the public internet.
You are migrating large workloads to AWS and need a stable, high-bandwidth pipe.
Use VPN when:
Your bandwidth needs are low (< 1 Gbps) and latency variability is acceptable.
You need a quick, temporary connection (e.g., for a proof of concept).
You want to use the internet as a backup for Direct Connect.
Use AWS Transit Gateway with VPN or Direct Connect when you have many VPCs and on-premises networks that need to interconnect.
Order the Direct Connect Connection
First, you sign in to the AWS Management Console and navigate to the Direct Connect console. You choose a port speed (1 Gbps or 10 Gbps) and select an AWS Direct Connect location near your data center. AWS generates a Letter of Authorization (LOA) that you provide to your colocation provider or telecom partner. The partner then provisions a cross-connect cable from your router to the AWS router in that facility. This step is purely physical and can take weeks to complete, depending on the partner's availability. You must also ensure your on-premises router supports BGP and 802.1Q VLAN tagging. AWS does not manage the physical layer; you are responsible for the connection up to the Direct Connect location.
Create a Virtual Interface (VIF)
Once the physical connection is active (status shows 'available'), you create a Virtual Interface. For private connectivity to your VPC, you create a private VIF. You specify a VLAN ID (a number between 1 and 4094), your BGP ASN (public or private), and the BGP authentication key. You also specify the IP addresses for the BGP session (usually a /30 subnet). AWS allocates an Amazon-side IP and you provide your side. After creation, you must configure your on-premises router to establish BGP peering with the AWS router. The BGP session exchanges routes: your on-premises network advertises its CIDR blocks, and AWS advertises the VPC CIDR. Once BGP is up, traffic can flow.
Attach the VIF to a Virtual Private Gateway
In the VPC console, you create a Virtual Private Gateway (VGW) and attach it to your VPC. Then, in the Direct Connect console, you associate the private VIF with that VGW. This links the physical connection to your VPC. You must also update your VPC route tables to include routes pointing to the VGW for your on-premises CIDR blocks. Additionally, you must update your on-premises firewall rules to allow traffic to/from the VPC CIDR. At this point, your on-premises resources can communicate with EC2 instances, RDS databases, or other resources inside the VPC using private IP addresses.
Configure Routing and Test Connectivity
After association, test connectivity by pinging an EC2 instance's private IP from an on-premises server. If the ping fails, check BGP status—ensure routes are being advertised. Common issues: incorrect VLAN ID, mismatched BGP ASN, or firewall blocking ICMP. You can also use the AWS Direct Connect console to view BGP session status and route tables. For redundancy, you can order a second Direct Connect connection at a different location and configure BGP with different ASNs. This provides high availability. AWS recommends using separate devices and diverse paths to avoid single points of failure.
Scale with Direct Connect Gateway
If you need to connect multiple VPCs across multiple regions, you can create a Direct Connect Gateway (DX Gateway). A DX Gateway is a global resource that allows a single Direct Connect connection to reach any VPC in any region, as long as the VPC has a VGW attached and the VGW is associated with the DX Gateway. You create a private VIF associated with the DX Gateway instead of a specific VGW. Then, you associate the DX Gateway with each VGW. BGP routes are propagated through the DX Gateway. This simplifies management and reduces the number of VIFs needed. Note that DX Gateway does not support transitive routing between VPCs—it only connects on-premises to VPCs, not VPC-to-VPC.
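The steps above (create the private VIF, bring up BGP on your router, add VPC routes toward the VGW) are where the "Common issues" from the testing step actually originate: a VLAN ID or ASN typed differently on the two ends, peering addresses that do not share a /30, or an on-premises CIDR that overlaps the VPC. The following is an added example, not code from this chapter or from AWS: a small Python pre-flight check that validates the VIF parameters, compares them against what the on-premises router was configured with, and derives the VPC route-table entries. The connection and gateway IDs (dxcon-EXAMPLE, vgw-EXAMPLE), the sample addresses and the router values are constructed placeholders; the Amazon-side ASN 64512 assumes you kept the VGW default. The CLI command is built as a string for review only, it is not executed.

```python
import ipaddress
from dataclasses import dataclass

# Default ASN AWS uses on the Amazon side of a VGW (assumption: you kept the default).
AMAZON_SIDE_ASN = 64512


@dataclass(frozen=True)
class VifSpec:
    """Values entered in the Direct Connect console when creating a private VIF."""
    connection_id: str
    name: str
    vlan: int
    customer_asn: int
    amazon_address: str    # Amazon side of the /30 BGP peering subnet
    customer_address: str  # your side of the same /30
    auth_key: str
    virtual_gateway_id: str


@dataclass(frozen=True)
class RouterConfig:
    """What the on-premises router was actually configured with for the same link."""
    vlan: int
    local_asn: int
    neighbor_asn: int
    auth_key: str


def check_vif(spec: VifSpec) -> list[str]:
    """Problems in the VIF spec itself; an empty list means it is sane."""
    problems = []
    if not 1 <= spec.vlan <= 4094:
        problems.append(f"VLAN {spec.vlan} is outside 1-4094")
    if not 1 <= spec.customer_asn <= 4294967295:
        problems.append(f"ASN {spec.customer_asn} is not a valid 2- or 4-byte ASN")
    if not spec.auth_key:
        problems.append("BGP auth key is empty")
    try:
        amazon = ipaddress.ip_interface(spec.amazon_address)
        customer = ipaddress.ip_interface(spec.customer_address)
    except ValueError as exc:
        return problems + [f"bad peering address: {exc}"]
    if amazon.network.prefixlen != 30:
        problems.append("peering subnet should be a /30")
    if amazon.network != customer.network:
        problems.append("Amazon and customer addresses are not in the same subnet")
    elif amazon.ip == customer.ip:
        problems.append("Amazon and customer addresses must differ")
    elif {amazon.ip, customer.ip} - set(amazon.network.hosts()):
        problems.append("peering addresses must be the two usable hosts of the /30")
    return problems


def check_router_matches(spec: VifSpec, router: RouterConfig) -> list[str]:
    """Compare both ends of the BGP session; any mismatch keeps the session from coming up."""
    mismatches = []
    if router.vlan != spec.vlan:
        mismatches.append(f"VLAN mismatch: router tags {router.vlan}, VIF expects {spec.vlan}")
    if router.local_asn != spec.customer_asn:
        mismatches.append(f"ASN mismatch: router uses {router.local_asn}, VIF created with {spec.customer_asn}")
    if router.neighbor_asn != AMAZON_SIDE_ASN:
        mismatches.append(f"remote ASN mismatch: router expects {router.neighbor_asn}, Amazon side is {AMAZON_SIDE_ASN}")
    if router.auth_key != spec.auth_key:
        mismatches.append("BGP auth key differs")
    return mismatches


def vpc_routes(vpc_cidr: str, onprem_cidrs: list[str], vgw_id: str) -> dict[str, str]:
    """VPC route-table entries (on-prem CIDR -> VGW); refuses CIDRs that overlap the VPC itself."""
    vpc = ipaddress.ip_network(vpc_cidr)
    routes = {}
    for cidr in onprem_cidrs:
        if ipaddress.ip_network(cidr).overlaps(vpc):
            raise ValueError(f"{cidr} overlaps VPC CIDR {vpc_cidr}; the VPC's local route would shadow it")
        routes[cidr] = vgw_id
    return routes


def cli_command(spec: VifSpec) -> str:
    """Equivalent AWS CLI call, built as a string for review rather than executed here."""
    fields = ",".join([
        f"virtualInterfaceName={spec.name}", f"vlan={spec.vlan}", f"asn={spec.customer_asn}",
        f"authKey={spec.auth_key}", f"amazonAddress={spec.amazon_address}",
        f"customerAddress={spec.customer_address}", f"virtualGatewayId={spec.virtual_gateway_id}",
    ])
    return (f"aws directconnect create-private-virtual-interface --connection-id {spec.connection_id} "
            f"--new-private-virtual-interface {fields}")


# Constructed sample data; dxcon-EXAMPLE and vgw-EXAMPLE are placeholders, not real resource IDs.
SAMPLE_SPEC = VifSpec("dxcon-EXAMPLE", "onprem-to-prod-vpc", 101, 65001,
                      "169.254.10.1/30", "169.254.10.2/30", "constructed-key", "vgw-EXAMPLE")
GOOD_ROUTER = RouterConfig(101, 65001, 64512, "constructed-key")
BAD_ROUTER = RouterConfig(110, 65000, 64512, "constructed-key")  # typo'd VLAN and ASN

if __name__ == "__main__":
    print("VIF spec problems:", check_vif(SAMPLE_SPEC))
    print("Router mismatches:", check_router_matches(SAMPLE_SPEC, BAD_ROUTER))
    print("VPC routes:", vpc_routes("10.20.0.0/16", ["192.168.0.0/16", "172.16.0.0/12"], "vgw-EXAMPLE"))
    print(cli_command(SAMPLE_SPEC))
```

Running the script as written reports no problems with the VIF spec, two mismatches (VLAN and ASN) for the mistyped router configuration, and the two route entries pointing at the VGW. The overlap check matters because a route for an on-premises CIDR that overlaps the VPC CIDR is silently beaten by the VPC's local route, which looks exactly like the "ping fails but BGP is up" symptom described in the testing step.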
Scenario 1: Financial Services Firm with Latency-Sensitive Trading
A hedge fund runs automated trading algorithms on AWS that require sub-millisecond latency to regional exchanges. Using a VPN over the internet introduces unpredictable latency spikes during market volatility, causing trades to fail. The firm orders a 10 Gbps Direct Connect connection from its co-location facility in New Jersey to an AWS Direct Connect location in the same building. By configuring a private VIF to a VPC containing their trading engines, they achieve consistent 0.5 ms latency. They also set up a backup VPN connection for failover. Cost: ~$2,000/month for the port plus data transfer egress. The firm saves millions by avoiding missed trades.
Scenario 2: Media Company Transferring Large Video Files
A video streaming service needs to upload hundreds of terabytes of raw footage daily to AWS S3 for processing. Internet uploads are slow and unreliable—often failing mid-transfer. They order a 1 Gbps Direct Connect connection and create a public VIF to access S3 endpoints directly. The dedicated link provides consistent 900 Mbps throughput, cutting upload time from days to hours. They use AWS DataSync over Direct Connect to automate transfers. Cost: ~$300/month for the port plus egress fees. The company avoids costly internet bandwidth upgrades and reduces transfer errors.
Scenario 3: Healthcare Provider with Compliance Requirements
A hospital system must comply with HIPAA, which requires that patient data not traverse the public internet when connecting to AWS. They order a Direct Connect connection to a local AWS Direct Connect location. They configure a private VIF to a VPC hosting their electronic health records (EHR) system. All traffic stays within the private network, satisfying compliance. They also enable encryption at the application layer using TLS. When the hospital's IT team misconfigures the BGP route filters, traffic is black-holed, and the EHR system becomes unreachable for two hours. This highlights the need for proper BGP community tagging and monitoring with Amazon CloudWatch.
What CLF-C02 Tests: The exam tests your understanding of Direct Connect as a dedicated, private network connection that bypasses the internet for lower latency and higher security. You must know:
The difference between Direct Connect and VPN (physical vs. encrypted tunnel over internet).
The two types of Virtual Interfaces: private VIF (to VPC) and public VIF (to public services like S3, DynamoDB).
That Direct Connect does not encrypt data by default (you must add encryption separately).
The concept of Direct Connect Gateway for multi-region connectivity.
That Direct Connect requires a physical connection at an AWS Direct Connect location.
Common Wrong Answers and Why Candidates Choose Them:
1. "Direct Connect is a VPN connection" – Wrong because Direct Connect is a physical, dedicated line; VPN is an encrypted tunnel over the internet. Candidates confuse 'private connection' with 'encrypted connection'.
2. "Direct Connect encrypts all traffic automatically" – Wrong. Direct Connect provides a private network path but does not encrypt; you must add encryption. Candidates assume private means secure.
3. "Direct Connect can connect to any AWS service without a VIF" – Wrong. You must create a VIF (private or public) to route traffic. Direct Connect alone does not provide connectivity.
4. "Direct Connect is faster than any internet connection" – Wrong. While more consistent, the maximum speed is 10 Gbps per port; internet connections can be faster but less reliable. Candidates overgeneralize.
Specific Terms on the Exam:
- "Letter of Authorization (LOA)"
- "Cross-connect"
- "Virtual Interface (VIF)"
- "BGP" (Border Gateway Protocol)
- "Direct Connect Gateway"
- "Link Aggregation Group (LAG)"
Tricky Distinctions:
- Direct Connect vs. AWS Site-to-Site VPN: Direct Connect is physical, VPN is logical. Both can be used together.
- Private VIF vs. Public VIF: Private goes to VPC, public goes to public services. Public VIF still uses the dedicated connection but routes to public endpoints.
- Direct Connect Gateway vs. VPC Peering: DX Gateway connects on-prem to multiple VPCs; VPC Peering connects VPCs directly.
Decision Rule for Multi-Choice Questions: If the question mentions "consistent latency," "dedicated bandwidth," or "bypass the internet," the answer is likely Direct Connect. If it mentions "encrypted tunnel" or "over the internet," the answer is VPN. If it mentions "multiple VPCs across regions," consider Direct Connect Gateway.
Direct Connect provides a dedicated, private network connection from on-premises to AWS, bypassing the public internet.
There are two types of Virtual Interfaces: private VIF (to VPC) and public VIF (to AWS public services like S3).
Direct Connect does not encrypt data; encryption must be added separately.
A Direct Connect Gateway allows a single connection to reach multiple VPCs in multiple regions.
Maximum port speed is 10 Gbps per connection; you can use Link Aggregation Groups (LAGs) to combine multiple connections.
You must coordinate with an AWS Direct Connect Partner to provision the physical cross-connect.
Direct Connect is ideal for latency-sensitive, high-volume, or compliance-required workloads.
These come up on the exam all the time. Here's how to tell them apart.
                   AWS Direct Connect                        AWS Site-to-Site VPN
Connection type    Physical, dedicated connection            Logical, encrypted tunnel over internet
Performance        Consistent latency and bandwidth          Variable latency and bandwidth
Cost               Higher cost (port hourly + data egress)   Lower cost (no port fee, only VPN hourly + data egress)
Encryption         Does not encrypt by default               Encrypts traffic automatically (IPsec)
Provisioning       Requires weeks to provision               Can be set up in minutes
Mistake
Direct Connect is a VPN service.
Correct
Direct Connect is a physical, dedicated network connection; it is not a VPN. VPNs use encryption over the internet, while Direct Connect uses a private fiber link.
Mistake
Direct Connect automatically encrypts all data.
Correct
Direct Connect does not encrypt data by default. It provides a private network path, but data is transmitted in cleartext unless you add encryption (e.g., IPsec or TLS).
Mistake
You can order Direct Connect directly from AWS without any third party.
Correct
You must work with an AWS Direct Connect Partner (e.g., a telecom carrier or colocation provider) to provision the physical cross-connect. AWS does not install cables into your data center.
Mistake
Direct Connect can only connect to one VPC in one region.
Correct
Using a Direct Connect Gateway, a single Direct Connect connection can connect to multiple VPCs across multiple regions. Without the gateway, a private VIF connects to a single VPC.
Mistake
Direct Connect is always faster than the internet.
Correct
Direct Connect offers consistent performance, but its maximum port speed is 10 Gbps (or 40 Gbps with LAG). The internet can be faster (e.g., 100 Gbps) but is less reliable. Speed depends on the specific connection.
Direct Connect is a physical, dedicated network connection from your on-premises data center to AWS, providing consistent latency and bandwidth but requiring weeks to provision. VPN is an encrypted tunnel over the public internet that can be set up quickly but offers variable performance. Direct Connect does not encrypt data by default, while VPN does. Use Direct Connect for high-volume, latency-sensitive workloads; use VPN for low-cost, flexible connectivity.
No, Direct Connect does not encrypt data by default. It provides a private network path, but data is transmitted in cleartext. To encrypt data over Direct Connect, you can use IPsec VPN over the Direct Connect connection, or use application-layer encryption like TLS. AWS recommends using encryption for sensitive data even over Direct Connect.
You use a Direct Connect Gateway. Create a Direct Connect Gateway in the AWS Management Console, then associate it with a private VIF from your Direct Connect connection. Then, associate the Direct Connect Gateway with Virtual Private Gateways (VGWs) attached to VPCs in different regions. The Direct Connect Gateway routes traffic between your on-premises network and all associated VPCs.
Yes, you can access S3 and other AWS public services (e.g., DynamoDB, EC2 API) over Direct Connect by creating a public Virtual Interface (public VIF). The public VIF routes traffic to AWS public endpoints, but the traffic still travels over your dedicated Direct Connect connection, bypassing the internet. This provides consistent performance for accessing public services.
If your Direct Connect connection fails, traffic will be dropped unless you have a backup connection. Many customers use an AWS Site-to-Site VPN over the internet as a failover. You can configure BGP to automatically route traffic to the VPN when the Direct Connect link is down. For high availability, you can also order a second Direct Connect connection at a different location.
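The failover described here, and the redundancy advice in the "Configure Routing and Test Connectivity" step, both rely on how the Virtual Private Gateway chooses between routes for the same destination. As an added example (not from this chapter or from AWS), the Python model below reproduces the simplified, documented preference order: longest prefix match first, then Direct Connect BGP routes ahead of Site-to-Site VPN routes, then the shorter AS path. It walks the three states a backup design has to survive (both links up, Direct Connect session down, both down) and also shows the gotcha that turns a "backup" VPN into the active path: a more specific prefix advertised over the VPN alone. The routes, prefixes and AS-path lengths are constructed sample data; the source names "dx" and "vpn" are this example's own labels.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Route:
    """One route the VGW has learned. source is 'dx' (BGP over Direct Connect) or 'vpn' (BGP over Site-to-Site VPN)."""
    prefix: str
    source: str
    as_path_len: int = 1
    up: bool = True


# Simplified model of the VGW's documented preference: Direct Connect BGP routes beat VPN routes
# for the same prefix, but only after longest-prefix match has been applied.
SOURCE_RANK = {"dx": 0, "vpn": 1}


def select_route(routes, dst_ip):
    """Pick the route the VGW would use for dst_ip, or None if nothing usable covers it (a black hole)."""
    dst = ipaddress.ip_address(dst_ip)
    usable = [r for r in routes if r.up and dst in ipaddress.ip_network(r.prefix)]
    if not usable:
        return None
    return min(usable, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen,
                                      SOURCE_RANK[r.source], r.as_path_len))


def chosen_source(routes, dst_ip):
    """Convenience wrapper: which path ('dx', 'vpn') carries dst_ip, or None."""
    chosen = select_route(routes, dst_ip)
    return chosen.source if chosen else None


def session_down(routes, source):
    """Routes as they look after one BGP session drops: that source's routes are withdrawn."""
    return [replace(r, up=False) if r.source == source else r for r in routes]


def failover_trace(routes, dst_ip):
    """Which path carries dst_ip in three states: both links up, DX down, both down."""
    states = {
        "both up": routes,
        "dx down": session_down(routes, "dx"),
        "both down": session_down(session_down(routes, "dx"), "vpn"),
    }
    return {name: chosen_source(rs, dst_ip) for name, rs in states.items()}


# Constructed sample: on-prem advertises the same /16 over both paths, as a pure backup design should.
ONPREM_ROUTES = [Route("192.168.0.0/16", "dx"), Route("192.168.0.0/16", "vpn")]

# Constructed gotcha: a more specific /24 leaked over the VPN only pulls that subnet onto the VPN
# even while Direct Connect is healthy, because longest prefix wins before source preference.
LEAKED_ROUTES = ONPREM_ROUTES + [Route("192.168.5.0/24", "vpn")]

if __name__ == "__main__":
    print(failover_trace(ONPREM_ROUTES, "192.168.5.9"))
    print(chosen_source(LEAKED_ROUTES, "192.168.5.9"))  # vpn, despite DX being up
    print(chosen_source(LEAKED_ROUTES, "192.168.9.9"))  # dx
```

The practical lesson from the trace is that a VPN only behaves as a backup when it advertises the same (or less specific) prefixes as the Direct Connect session; the "both down" state returning None is the black-hole outcome the healthcare scenario describes, which is why BGP session state and route counts are worth alarming on rather than discovering from user complaints.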
Direct Connect pricing includes an hourly port fee (e.g., $0.30/hour for 1 Gbps, $2.25/hour for 10 Gbps) plus data transfer out (egress) charges (e.g., $0.02/GB for the first 10 TB). Data transfer into AWS is free. You can also commit to a minimum monthly volume (e.g., 10 TB) for lower per-GB rates. There are no upfront costs, but the physical cross-connect from your partner may have additional fees.
No, you must work with an AWS Direct Connect Partner to provision the physical cross-connect. AWS does not install cables into your data center. The partner provides the physical infrastructure and connectivity to the AWS Direct Connect location. You can find a list of partners in the AWS Management Console.