This chapter covers AWS Direct Connect (DX) for the SOA-C02 exam, focusing on how to establish private, dedicated network connectivity from on-premises to AWS. Direct Connect is a critical topic for SysOps administrators managing hybrid workloads, and it appears in roughly 5-8% of exam questions, primarily in the Networking objective (5.1). You will learn the architecture, components, configuration steps, BGP peering, VLANs, and troubleshooting – all from an exam perspective. Mastery of Direct Connect is essential because the exam frequently tests your ability to choose between DX, VPN, and internet-based connectivity, and to identify misconfigurations in virtual interfaces and routing.
Imagine your company has an office building and needs to access a remote data center. Most employees use the public internet: they send data through a shared cable that everyone in the neighborhood uses, which can get congested during peak hours, and the traffic goes through many hops. Now, instead, your company pays for a dedicated fiber optic line that runs directly from your building’s network room to the data center’s entrance. This line is private, not shared with anyone else. It has a fixed bandwidth (e.g., 1 Gbps) that you lease. Inside your building, you connect your internal network switch to the fiber line through a router that speaks BGP. At the data center side, the fiber terminates at a cross-connect panel in a meet-me room, then connects to the data center’s core router. You establish a BGP session between your router and the data center router to exchange routes. Once the BGP session is up, traffic between your office and the data center flows over this private fiber, bypassing the public internet entirely. This gives you consistent latency, higher throughput, and a more secure connection because no other traffic shares the path. The dedicated fiber line is AWS Direct Connect. The building’s network room is your on-premises data center. The data center is an AWS Direct Connect location. The cross-connect panel is the cross-connect you order. The BGP session is the virtual interface (VIF) that exchanges routes with AWS. The fixed bandwidth is the port speed you order (e.g., 1 Gbps, 10 Gbps). Just as you pay a monthly fee for the fiber line, you pay for the Direct Connect port hours and data transfer out.
What is AWS Direct Connect?
AWS Direct Connect (DX) is a cloud service that makes it easy to establish a dedicated network connection from an on-premises data center to AWS. Unlike a VPN over the internet, a Direct Connect link is a physical, private, and dedicated connection that bypasses the public internet. This results in more consistent network performance, lower latency, and reduced bandwidth costs for high-volume data transfer.
Why Direct Connect Exists
Organizations with hybrid workloads – where some infrastructure runs on-premises and some on AWS – often need reliable, predictable connectivity. Over the internet, traffic can be subject to congestion, variable latency, and security risks. Direct Connect provides a private path that is more secure (no internet exposure) and offers a Service Level Agreement (SLA) of up to 99.99% availability for the connection.
How Direct Connect Works Internally
At a high level, the process is:
You order a Direct Connect connection from AWS. This is a physical port (e.g., 1 Gbps or 10 Gbps) at a Direct Connect location – a facility where AWS has presence alongside other carriers.
You work with an AWS Direct Connect Partner or directly with the facility to arrange a cross-connect from your network equipment to the AWS port.
Once the physical connection is active, you create a virtual interface (VIF) – either a private VIF (to connect to a VPC via a Virtual Private Gateway) or a public VIF (to access AWS public services like S3, DynamoDB, etc.).
You configure BGP (Border Gateway Protocol) on your router and on the AWS side to exchange routing information. BGP is mandatory for both private and public VIFs.
For private VIFs, you also need a Virtual Private Gateway (VGW) attached to your VPC, and you must enable route propagation from the VGW into your VPC route tables.
Key Components, Values, Defaults, and Timers
- Port Speeds: 1 Gbps, 10 Gbps, and 100 Gbps (the latter only at select locations). You can also order a hosted connection from a Direct Connect Partner at speeds like 50 Mbps, 100 Mbps, 200 Mbps, 300 Mbps, 400 Mbps, 500 Mbps, 1 Gbps, 2 Gbps, 5 Gbps, and 10 Gbps.
- Virtual Interfaces (VIFs):
  - Private VIF: Used to connect to a single VPC. You must associate it with a Virtual Private Gateway (VGW). Supports VLAN tagging (802.1Q) with a VLAN ID between 1 and 4094, excluding reserved VLANs (0 and 4095). BGP authentication is optional but recommended. BGP timers: Keepalive interval = 30 seconds, Hold time = 90 seconds (default).
  - Public VIF: Used to access all AWS public services (e.g., S3, DynamoDB, EC2 public endpoints, CloudFront). You cannot use a public VIF to reach a VPC directly – that requires a private VIF. Public VIFs also use BGP. The BGP ASN can be public or private (you must own the public ASN).
  - Transit VIF: Used with AWS Transit Gateway to connect multiple VPCs and on-premises networks. A transit VIF is associated with a Direct Connect Gateway, which then connects to a Transit Gateway.
- Direct Connect Gateway: A global resource that allows you to connect multiple VPCs in different AWS Regions (same or different accounts) via a single private VIF. The Direct Connect Gateway must be in the same Region as the VGW for each VPC.
- Virtual Private Gateway (VGW): A regional resource attached to a VPC. It supports BGP dynamic routing and can be used with VPN or Direct Connect. The VGW has an Amazon-side ASN (default 64512, but you can specify a private ASN when creating it).
- BGP Attributes:
  - Local Preference: Default 100. Used to influence outbound traffic from AWS to on-premises.
  - AS Path Prepending: Used to influence inbound traffic (on-premises to AWS). You can prepend AS numbers to make a path less preferred.
- Link Aggregation Group (LAG): You can bundle multiple Direct Connect connections into a LAG to increase bandwidth or provide redundancy. A LAG can contain up to 4 connections of the same bandwidth.
- MACsec: You can enable MACsec (802.1AE) on dedicated 10 Gbps or 100 Gbps connections for encryption at Layer 2.
Configuration and Verification Commands
On your on-premises router (Cisco IOS example), you configure:
! Parent interface facing the cross-connect (untagged; each VIF rides on a tagged subinterface)
interface GigabitEthernet0/0/0
 description To AWS Direct Connect
 no shutdown
!
! Subinterface tagged with the VIF's VLAN ID (100); the /30 peer IPs are the ones AWS assigned from 169.254.0.0/16
interface GigabitEthernet0/0/0.100
 encapsulation dot1Q 100
 ip address 169.254.10.1 255.255.255.252
!
! Local ASN 65000 peers with the VGW's default Amazon-side ASN 64512
router bgp 65000
 neighbor 169.254.10.2 remote-as 64512
 ! keepalive 30 s / hold time 90 s, the same defaults AWS uses
 neighbor 169.254.10.2 timers 30 90
 ! MD5 key must match the authentication key set on the VIF (optional but recommended)
 neighbor 169.254.10.2 password MyBGPSecret
 address-family ipv4 unicast
  neighbor 169.254.10.2 activate
  ! on-premises prefix advertised to AWS
  network 10.0.0.0 mask 255.255.255.0
 exit-address-family

To verify the BGP session:

show ip bgp summary
show ip bgp neighbors 169.254.10.2 routes

On the AWS side, you can verify using the AWS Management Console, CLI, or API. For example:

aws directconnect describe-virtual-interfaces --virtual-interface-id dxvif-xxx
aws directconnect describe-connections --connection-id dxcon-xxx

How Direct Connect Interacts with Related Technologies
VPN Backup: You can configure a Site-to-Site VPN as a backup to Direct Connect. This is a common pattern: use DX for primary traffic, and if the DX link fails, traffic automatically fails over to the VPN. This requires propagating routes from both the VGW (for DX) and the VPN connection into the VPC route tables.
Transit Gateway: For multi-VPC connectivity, you use a transit VIF with a Direct Connect Gateway attached to a Transit Gateway. The Transit Gateway then has attachments to multiple VPCs and VPN connections.
Route Propagation: When using a private VIF, you must enable route propagation on the VPC route table from the VGW. The VGW advertises the VPC CIDR to on-premises via BGP, and on-premises advertises its CIDRs to AWS.
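As an added illustration (not code from the page or from AWS), a simplified BGP best-path decision over the DX-primary / VPN-backup pattern described above: on the on-premises router, local preference picks which learned path carries traffic toward AWS, and once the DX hold timer (90 s) expires that path is withdrawn and the VPN route takes over; prepending the VPN advertisement makes the AWS side, where both paths receive the same local preference, prefer the shorter DX path for return traffic. The CIDRs, ASNs and 169.254.x.x peer IPs are constructed values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Path:
    """One BGP path for a prefix as held in a router's table."""
    prefix: str        # destination CIDR
    via: str           # link that delivered it: "dx" or "vpn"
    next_hop: str      # peer IP the route was learned from
    as_path: tuple     # AS numbers, leftmost = the neighbour that sent it
    local_pref: int = 100   # BGP default LOCAL_PREF


def best_path(paths):
    """The part of the BGP decision process that matters here:
    highest LOCAL_PREF wins, then the shortest AS_PATH.
    Returns None when the prefix has been withdrawn on every link."""
    if not paths:
        return None
    return max(paths, key=lambda p: (p.local_pref, -len(p.as_path)))


def dx_session_alive(last_keepalive_s, now_s, hold_time_s=90):
    """Hold-timer check: the peer is declared dead once hold_time_s
    (default 90 s, i.e. three missed 30 s keepalives) passes without a keepalive."""
    return now_s - last_keepalive_s < hold_time_s


def on_prem_rib(dx_up=True):
    """Paths the on-premises router (AS 65000) holds for the VPC CIDR.
    Constructed: VPC 10.1.0.0/16, VGW ASN 64512 (the default), peer IPs from
    169.254.0.0/16. The DX path is given a higher LOCAL_PREF so it is
    preferred while its BGP session is up; the VPN path keeps the default."""
    paths = [Path("10.1.0.0/16", "vpn", "169.254.20.2", (64512,), local_pref=100)]
    if dx_up:
        paths.append(Path("10.1.0.0/16", "dx", "169.254.10.2", (64512,), local_pref=200))
    return paths


def advertised_to_aws():
    """What on-premises advertises for its 10.0.0.0/8 on each link (constructed).
    The VPN copy is prepended with the local ASN twice, so the AWS side, which
    applies the same LOCAL_PREF to both, picks the shorter path over DX."""
    return [
        Path("10.0.0.0/8", "dx", "169.254.10.1", (65000,)),
        Path("10.0.0.0/8", "vpn", "169.254.20.1", (65000, 65000, 65000)),
    ]


def failover_demo(now_s, last_dx_keepalive_s):
    """Return (link used on-prem -> AWS, link used AWS -> on-prem) at time now_s."""
    dx_up = dx_session_alive(last_dx_keepalive_s, now_s)
    outbound = best_path(on_prem_rib(dx_up)).via
    # When the DX session drops, the prefix advertised over it is withdrawn on the AWS side too
    inbound = best_path([p for p in advertised_to_aws() if dx_up or p.via != "dx"]).via
    return outbound, inbound


if __name__ == "__main__":
    print(failover_demo(now_s=60, last_dx_keepalive_s=0))    # ('dx', 'dx')
    print(failover_demo(now_s=100, last_dx_keepalive_s=0))   # ('vpn', 'vpn')
```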
Exam-Relevant Details
You cannot use a public VIF to access a VPC. A public VIF only gives access to public endpoints (e.g., S3 bucket endpoints, DynamoDB endpoints).
A private VIF can only connect to one VPC (or one VGW). To connect multiple VPCs, you must use a Direct Connect Gateway.
Direct Connect does not encrypt traffic by default. If you need encryption, you must either use MACsec (Layer 2) or establish a VPN over the DX connection (e.g., IPsec VPN over the private VIF).
BGP authentication is optional but strongly recommended. The password is configured on both sides.
The maximum transmission unit (MTU) for Direct Connect is 1500 bytes by default on 1 Gbps and 10 Gbps connections; on 10 Gbps connections you can configure 9001 bytes (jumbo frames). Jumbo frames can improve throughput for large transfers.
Direct Connect data transfer out pricing is lower than internet data transfer out. You pay per port-hour for the connection plus data transfer out (GB/month).
You can have multiple virtual interfaces on a single Direct Connect connection (up to 50 private VIFs and 50 public VIFs per connection, but check limits).
Troubleshooting
Common issues:
- BGP session not coming up: Check IP connectivity (Layer 3), VLAN tagging, BGP neighbor IP, ASN, and authentication. Use ping from the on-premises router to the AWS BGP peer IP (169.254.x.x).
- Routes not being advertised: Ensure the VPC route table has propagation enabled from the VGW. Check that the on-premises router is advertising the correct prefixes.
- Performance issues: Verify bandwidth utilization on the port. Consider using jumbo frames if supported. Check for packet drops due to MTU mismatch.
- Redundancy: For high availability, you should have at least two Direct Connect connections to different locations. Use BGP attributes (Local Preference, AS Path Prepending) to control traffic flow.
Summary of Key Exam Points
Direct Connect provides a dedicated, private connection from on-premises to AWS.
It uses BGP for routing, with VLAN tagging for virtual interfaces.
Private VIFs connect to a VPC via a VGW; public VIFs connect to AWS public services.
Direct Connect Gateway allows multi-VPC connectivity across regions.
VPN can be used as a backup.
Encryption is not default; use MACsec or IPsec VPN for encryption.
Order a Direct Connect connection
You begin by ordering a Direct Connect connection through the AWS Management Console. You specify the location (a Direct Connect facility), the port speed (e.g., 1 Gbps, 10 Gbps), and whether it is a dedicated connection or a hosted connection via a partner. AWS will provision a port at the facility and provide you with a Letter of Authorization (LOA) that authorizes you to arrange a cross-connect from your network equipment to that port. The LOA includes details like the facility address, patch panel location, and port details. This step is purely administrative – no data flows yet.
Arrange cross-connect at the facility
You work with the facility (or a Direct Connect Partner) to physically connect your network equipment to the AWS port. This involves running a fiber optic cable from your router/switch in the facility's meet-me room to the cross-connect panel designated for AWS. The cross-connect is a physical cable that completes the Layer 1 connection. Once the cross-connect is installed and tested, the AWS port status changes from 'Requested' to 'Pending' and then to 'Available'. This step can take days to weeks depending on facility logistics.
Create a Virtual Private Gateway (VGW)
To connect a VPC, you need a Virtual Private Gateway (VGW) attached to that VPC. In the AWS Console, you create a VGW, specify the Amazon-side ASN (default 64512, but you can choose a private ASN from 64512-65534 or 4200000000-4294967294). Then you attach the VGW to your VPC. The VGW is the AWS side termination point for the BGP session over the private VIF. It also supports VPN connections if you want a backup. Note: Only one VGW can be attached to a VPC at a time.
Create a private virtual interface (VIF)
In the Direct Connect console, you create a private VIF on your connection. You assign a VLAN ID (802.1Q tag) that must be unique per VIF on the same connection. You specify your BGP ASN (public or private), the authentication key (optional), and you select the VGW you created. AWS will assign two BGP peer IP addresses from the 169.254.0.0/16 range – one for your router and one for AWS. These IPs are used for the BGP session. The VIF status will become 'Available' once the BGP session is established. You must also enable route propagation on the VPC route table from the VGW.
Configure on-premises router for BGP
On your on-premises router, you configure a subinterface with the VLAN ID you specified. You assign the BGP peer IP (the one assigned to your router) to this subinterface. Then you configure BGP with the neighbor being the AWS BGP peer IP, the remote ASN (Amazon-side ASN from VGW), and optionally the authentication key. You also advertise your on-premises CIDR prefixes (e.g., 10.0.0.0/8) via the network statement. The BGP session should come up within seconds. Verify with 'show ip bgp summary'. Once the session is up, routes are exchanged, and traffic can flow over the Direct Connect.
Enterprise Scenario 1: Hybrid Data Center with High-Volume Data Transfer
A financial services company runs its core banking application on-premises but uses AWS for analytics and machine learning. Daily, it transfers terabytes of transaction logs to S3 and runs compute jobs on EC2. Using the internet would be expensive and unpredictable. They deploy a 10 Gbps Direct Connect connection to an AWS Direct Connect location near their data center. They create a private VIF to a VPC containing their analytics cluster, and a public VIF to access S3 directly. The result: consistent latency (~2 ms), 40% lower data transfer costs, and no bandwidth contention. They also set up a VPN backup over the internet using the same VGW. BGP is configured with local preference to prefer the DX path. Monitoring via CloudWatch metrics (ConnectionState, VirtualInterfaceBgpStatus) ensures they detect BGP failures quickly.
Enterprise Scenario 2: Multi-Region Disaster Recovery
A global e-commerce company has on-premises data centers in Virginia and Oregon. They want to replicate data to AWS in us-east-1 and us-west-2 for DR. They order two Direct Connect connections: one at a facility in Virginia (for us-east-1) and one in Oregon (for us-west-2). They use a Direct Connect Gateway (DX Gateway) to connect both VPCs (in different regions) to a single private VIF per location. The DX Gateway is created in us-east-1 and associated with both VGWs. This allows them to advertise a single set of on-premises routes to both VPCs. BGP AS path prepending is used to make the cross-region path less preferred for traffic from AWS to on-premises. They also enable jumbo frames on the 10 Gbps connections to maximize throughput for database replication.
Common Misconfigurations
Wrong VLAN ID: Using a VLAN ID that is already in use on the same connection causes the VIF to fail. Always check for duplicate VLANs.
Incorrect BGP peer IPs: The on-premises router must use the IP assigned to 'your router' (not the AWS peer). Mixing them up prevents BGP from establishing.
Missing route propagation: Even if BGP is up, if the VPC route table does not have propagation enabled from the VGW, the routes from on-premises will not appear, and traffic from VPC to on-premises will fail.
Firewall blocking BGP: On-premises firewalls must allow TCP port 179 for BGP and ICMP (for keepalives). Also, the BGP peer IPs are in 169.254.0.0/16, so routes to that subnet must exist on the on-premises router.
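As an added example (not from the page or from any AWS tool), a Python check that runs the misconfiguration list above against describe-style output: duplicate or out-of-range VLAN IDs on one connection, VIFs not 'Available', BGP peers not up, and route tables whose VGW has propagation disabled. The VIF, route table and VGW records are constructed samples in the shape of the describe-virtual-interfaces, describe-route-tables and describe-vpn-gateways responses; in practice you would feed live CLI or boto3 output into the same functions.

```python
VLAN_MIN, VLAN_MAX = 1, 4094   # valid 802.1Q tags for a VIF; 0 and 4095 are reserved

# Constructed sample shaped like `aws directconnect describe-virtual-interfaces`
# output. Field names follow the real API; every value is made up.
SAMPLE_VIFS = [
    {"virtualInterfaceId": "dxvif-example1", "connectionId": "dxcon-exampleA",
     "virtualInterfaceType": "private", "vlan": 100, "virtualGatewayId": "vgw-exampleA",
     "virtualInterfaceState": "available",
     "bgpPeers": [{"bgpStatus": "up", "bgpPeerState": "available"}]},
    {"virtualInterfaceId": "dxvif-example2", "connectionId": "dxcon-exampleA",
     "virtualInterfaceType": "private", "vlan": 100, "virtualGatewayId": "vgw-exampleB",
     "virtualInterfaceState": "pending",
     "bgpPeers": [{"bgpStatus": "down", "bgpPeerState": "pending"}]},
    {"virtualInterfaceId": "dxvif-example3", "connectionId": "dxcon-exampleB",
     "virtualInterfaceType": "public", "vlan": 4095, "virtualGatewayId": "",
     "virtualInterfaceState": "available",
     "bgpPeers": [{"bgpStatus": "up", "bgpPeerState": "available"}]},
]

# Constructed sample shaped like `aws ec2 describe-route-tables` output.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-exampleA", "VpcId": "vpc-exampleA",
     "PropagatingVgws": [{"GatewayId": "vgw-exampleA"}]},
    {"RouteTableId": "rtb-exampleB", "VpcId": "vpc-exampleB",
     "PropagatingVgws": []},
]

# Constructed VPC -> attached VGW map (what describe-vpn-gateways VpcAttachments yields).
VGW_BY_VPC = {"vpc-exampleA": "vgw-exampleA", "vpc-exampleB": "vgw-exampleB"}


def check_vifs(vifs):
    """Return (vif id, finding) pairs for VLAN, state, VGW and BGP problems."""
    findings = []
    seen = {}   # (connectionId, vlan) -> first VIF that claimed that tag
    for vif in vifs:
        vid, vlan = vif["virtualInterfaceId"], vif["vlan"]
        if not VLAN_MIN <= vlan <= VLAN_MAX:
            findings.append((vid, f"VLAN {vlan} is outside 1-4094"))
        key = (vif["connectionId"], vlan)
        if key in seen:   # same tag twice on one connection: the second VIF fails
            findings.append((vid, f"VLAN {vlan} already used by {seen[key]} on {key[0]}"))
        else:
            seen[key] = vid
        if vif["virtualInterfaceType"] == "private" and not vif.get("virtualGatewayId"):
            findings.append((vid, "private VIF has no virtual private gateway"))
        if vif["virtualInterfaceState"] != "available":
            findings.append((vid, f"VIF state is {vif['virtualInterfaceState']}"))
        for peer in vif["bgpPeers"]:
            if peer["bgpStatus"] != "up":
                findings.append((vid, f"BGP peer is {peer['bgpStatus']}: check peer IPs, "
                                      "remote ASN, VLAN tag, MD5 key and TCP/179"))
    return findings


def check_propagation(vifs, route_tables, vgw_by_vpc):
    """Flag route tables in a VPC whose VGW terminates a private VIF but does not
    propagate routes: BGP can be up and on-prem prefixes still never appear."""
    dx_vgws = {v["virtualGatewayId"] for v in vifs
               if v["virtualInterfaceType"] == "private" and v.get("virtualGatewayId")}
    findings = []
    for rt in route_tables:
        vgw = vgw_by_vpc.get(rt["VpcId"])
        propagating = {p["GatewayId"] for p in rt.get("PropagatingVgws", [])}
        if vgw in dx_vgws and vgw not in propagating:
            findings.append((rt["RouteTableId"], f"route propagation from {vgw} is disabled"))
    return findings


if __name__ == "__main__":
    results = check_vifs(SAMPLE_VIFS)
    results += check_propagation(SAMPLE_VIFS, SAMPLE_ROUTE_TABLES, VGW_BY_VPC)
    for resource, finding in results:
        print(resource, finding)
```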
Performance Considerations
At scale, monitor the port utilization. A single 10 Gbps connection can saturate. Use Link Aggregation Groups (LAGs) to combine multiple connections. For applications sensitive to packet loss, ensure jumbo frames are enabled end-to-end. The Direct Connect SLA requires at least 99.99% availability per connection (for dedicated connections).
What SOA-C02 Tests on Direct Connect
The SOA-C02 exam objectives under Domain 5 (Networking) include Objective 5.1: 'Implement and manage network connectivity between on-premises and AWS'. Direct Connect is a key part of this. The exam tests your ability to:
Differentiate between Direct Connect, VPN, and internet-based connectivity.
Identify the correct configuration steps for private vs. public VIFs.
Understand the use of Direct Connect Gateway for multi-VPC and multi-region connectivity.
Troubleshoot BGP issues and know the default BGP timers.
Recognize when to use MACsec and when to use VPN over DX.
Common Wrong Answers and Why Candidates Choose Them
'Direct Connect encrypts data by default.' Many candidates assume a private line implies encryption. Reality: Direct Connect is private but not encrypted. You must add MACsec or an IPsec VPN.
'A public VIF can be used to connect to a VPC.' This is false. Public VIFs only reach public endpoints. Candidates confuse 'public' with 'VPC' because they think public VIF means public internet. No – public VIF means access to AWS public services, not your VPC.
'You can connect multiple VPCs with a single private VIF without a DX Gateway.' Wrong. A private VIF can only associate with one VGW (one VPC). To connect multiple VPCs, you need a Direct Connect Gateway. Candidates often think they can just attach multiple VGWs to the same VIF – not possible.
'BGP authentication is required.' It is optional, but many exam questions have a distractor that says 'must configure BGP authentication'. The correct answer is that it is recommended but not mandatory.
Specific Numbers and Terms That Appear on the Exam
BGP keepalive interval: 30 seconds; Hold time: 90 seconds.
VLAN ID range: 1-4094 (excluding 0 and 4095).
Default Amazon-side ASN for VGW: 64512.
BGP peer IP range: 169.254.0.0/16.
Maximum MTU: 1500 (default), up to 9001 (jumbo frames) on 10 Gbps connections.
Direct Connect Gateway: Allows up to 10 VPC associations per gateway (default limit).
Edge Cases and Exceptions
MACsec is only supported on dedicated 10 Gbps or 100 Gbps connections, not on hosted connections.
You cannot create a private VIF without a VGW. The VIF must be associated with a VGW at creation time.
If you delete a VIF, the BGP session is torn down, and routes are withdrawn.
Direct Connect does not support IPv6 BGP sessions by default – you must specifically enable IPv6 on the VIF.
How to Eliminate Wrong Answers
If a question asks about connecting to S3, and the options include 'private VIF' and 'public VIF', the correct answer is public VIF (or a private VIF with a VPC endpoint). But if the question mentions 'VPC', private VIF is needed.
If a question mentions 'multiple VPCs in different regions', look for 'Direct Connect Gateway' in the answer choices. If it's not there, the answer is likely wrong.
For encryption questions: if the scenario requires encryption over DX, the answer is either 'MACsec' or 'IPsec VPN over DX' – never 'Direct Connect alone'.
Direct Connect is a dedicated, private network connection from on-premises to AWS that bypasses the internet.
Private VIFs connect to a single VPC via a Virtual Private Gateway; public VIFs access AWS public services only.
BGP is mandatory for both private and public VIFs; default keepalive = 30s, hold time = 90s.
To connect multiple VPCs (same or different regions), you must use a Direct Connect Gateway.
Direct Connect does not encrypt traffic by default; use MACsec or an IPsec VPN for encryption.
You can use a VPN as a backup to Direct Connect by attaching both to the same VGW.
The default Amazon-side ASN for a VGW is 64512.
Jumbo frames (MTU 9001) are supported on 10 Gbps and 100 Gbps connections.
VLAN IDs for virtual interfaces must be unique on the same connection and in the range 1-4094.
MACsec is only supported on dedicated 10 Gbps or 100 Gbps connections.
Direct Connect data transfer out pricing is lower than internet data transfer out.
For high availability, deploy at least two Direct Connect connections to different locations.
These come up on the exam all the time. Here's how to tell them apart.
AWS Direct Connect
Dedicated physical connection, not shared with other traffic
Consistent latency and higher throughput (up to 100 Gbps)
Lower data transfer out costs compared to internet
Requires physical setup (cross-connect) and longer provisioning time (weeks)
No encryption by default; must add MACsec or VPN
Site-to-Site VPN
Uses the public internet with IPsec encryption
Latency and throughput are variable due to internet congestion
Higher data transfer costs (internet rates)
Can be set up in minutes without physical infrastructure
Encrypted by default (IPsec)
Mistake
Direct Connect automatically encrypts all traffic.
Correct
Direct Connect is a private, dedicated connection but does not encrypt data at Layer 2 or Layer 3 by default. To encrypt, you must use MACsec (Layer 2) or an IPsec VPN over the Direct Connect (Layer 3).
Mistake
A public virtual interface can be used to access resources inside a VPC.
Correct
A public VIF only provides access to AWS public endpoints (e.g., S3, DynamoDB, EC2 public IPs). To reach a VPC, you need a private VIF associated with a Virtual Private Gateway.
Mistake
You can attach multiple private VIFs to the same Virtual Private Gateway.
Correct
A VGW can have multiple private VIFs (from different connections) attached to it, but each private VIF can only be associated with one VGW. You can have multiple VIFs on the same connection, but each VIF must have a unique VLAN ID.
Mistake
BGP authentication is mandatory for Direct Connect.
Correct
BGP authentication (MD5) is optional but strongly recommended. The exam may present a scenario where authentication is not configured, and the correct answer is that it is still allowed.
Mistake
Direct Connect provides a connection to the internet.
Correct
Direct Connect provides private connectivity to AWS, not to the internet. If you need internet access, you must route through a VPN or use a separate internet connection. However, a public VIF gives access to AWS public services, which is not the same as general internet.
Yes, but not with a single private VIF. You must create a Direct Connect Gateway (DX Gateway) and associate it with multiple Virtual Private Gateways (VGWs) in different VPCs. Alternatively, you can create multiple private VIFs on the same connection, each with a unique VLAN ID, and associate each VIF with a different VGW. However, the DX Gateway approach is more scalable and supports cross-region VPCs.
No, Direct Connect does not encrypt data by default. It provides a private, dedicated connection, but the data is sent in cleartext over the fiber. To encrypt, you can enable MACsec (Layer 2 encryption) on 10 Gbps or 100 Gbps dedicated connections, or you can establish an IPsec VPN tunnel over the Direct Connect private VIF. The exam often tests that encryption is not inherent.
A private VIF is used to connect to a VPC via a Virtual Private Gateway (VGW). It provides access to private IP addresses within the VPC. A public VIF provides access to AWS public services (e.g., S3, DynamoDB, EC2 public endpoints) but not to VPCs. Public VIFs use public IP addresses. Both use BGP for routing.
Yes, this is a common pattern. You attach both a Direct Connect private VIF and a Site-to-Site VPN connection to the same Virtual Private Gateway (VGW). You then configure BGP attributes (e.g., local preference) to prefer the DX path. If the DX BGP session fails, routes are withdrawn, and the VPN path takes over. Ensure the VPN connection is active and routes are propagated.
The default BGP keepalive interval is 30 seconds, and the hold time is 90 seconds. These can be changed on the on-premises router, but AWS side uses these defaults. If the hold time expires (i.e., no keepalive received for 90 seconds), the BGP session is torn down. The exam may ask for these values.
First, verify Layer 3 connectivity: ping the AWS BGP peer IP (169.254.x.x) from your router. If that fails, check VLAN tagging, MTU mismatches, and firewall rules (allow TCP 179). Second, verify BGP configuration: correct neighbor IP, remote ASN, and authentication key. Use 'show ip bgp summary' to see the session state. If the state is 'Idle' or 'Active', the router is not receiving BGP messages. Ensure the VIF is in 'Available' state in the AWS console.
The default MTU is 1500 bytes. For 10 Gbps and 100 Gbps connections, you can enable jumbo frames with an MTU of 9001 bytes. This must be configured on the VIF and supported by your on-premises equipment. Jumbo frames can improve throughput for large data transfers by reducing overhead.