What is AWS Direct Connect (DX)?

AWS Direct Connect (DX) is a network service that lets a customer establish a dedicated network connection between their on-premises network (datacenter, office, branch) and AWS.

Connectivity

Connections are available in dedicated and hosted mode

  • Dedicated Connection – direct physical (Ethernet) connection between customer’s location and AWS. Available in 1 Gbps or 10 Gbps capacity
  • Hosted Connection – physical (Ethernet) connection established through AWS Direct Connect Partner(s). Capacities available – 50 Mbps, 100 Mbps, 200 Mbps, 300 Mbps, 400 Mbps, 500 Mbps, 1 Gbps, 2 Gbps, 5 Gbps, and 10 Gbps

Virtual Interfaces (VIFs)

A Virtual Interface enables communication over Direct Connect. You must create a VIF to establish a communication channel. There are three types of VIF available:

  1. Public Virtual Interface (Public VIF) – allows communication with resources (such as EC2, ELB) in a VPC using private IP addresses
  2. Private Virtual Interface (Private VIF) – allows communication with AWS public endpoints (such as S3, DynamoDB) using public IP addresses. For Private VIF connections, the VPC CIDR is advertised over BGP (Border Gateway Protocol). You cannot advertise just a subset (e.g., a select few subnets in that VPC), or hide a subset of that VPC
  3. Transit Virtual Interface (Transit VIF) – allows communication with AWS Transit Gateways. This is done by attaching the Transit VIF(s) to a Direct Connect Gateway, which in turn interfaces with Transit Gateways (maximum of 3). It is only available on select capacities (1, 2, 5, and 10 Gbps)

Note:

    • You can have 50 VIFs per VGW (Virtual Private Gateway) – that is 50 BGP sessions per VPC (remember – there is 1 VGW per VPC).
    • Private VIF cannot connect to a VPC that is outside its Direct Connect Home Region – each Direct Connect location is associated with a Region, which is called its Home Region. In order to connect to a VPC outside its Home Region, you have to use Direct Connect Gateway.

Benefits of AWS Direct Connect

  • Reliable and consistent network performance – because you are not accessing AWS resources over the internet, but through a dedicated network line
  • Bandwidth cost savings – particularly if you have workloads or processes that consume a lot of bandwidth

Limitations of AWS Direct Connect

  • Direct Connect, by itself, is not a Highly Available architecture. Suggested options to gain resiliency:
    • Pair it with a VPN connection for backup
    • Have one Direct Connect per main (on-premise) site, and you can also deploy Direct Connect Gateway to access any AWS Region (excluding China) from any AWS Direct Connect location
    • If you need maximum resiliency, you can deploy two Direct Connect connections per (on-premise) site

Testing – you can use a provided feature, “AWS Direct Connect Failover Testing”, to test the resiliency of your DX connection. When enabled, this feature disables the BGP session between on-premises and AWS, so you can confirm that traffic actually fails over to the backup path

  • Direct Connect does not encrypt the data that traverses it. Unlike VPN – which runs over the public internet and therefore encrypts the connection with IPsec – Direct Connect is intended to be a private connection. If you need to encrypt data in transit, you must either use the AWS resource-specific options (e.g., for EC2) for securing data in transit, or deploy a VPN in conjunction with Direct Connect.
  • It takes time to get Direct Connect set up. If you have an immediate need, VPN may be your best option
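The VIF rules above (Transit VIF capacities, the 50-VIFs-per-VGW limit, the Home Region restriction, the three-Transit-Gateway limit on a Direct Connect Gateway) and the limitations in this section (no built-in resiliency, no encryption) are the kind of constraints worth checking before a design goes to the partner or to AWS. The following is an added example, not code from AWS or from this article, of a small pre-deployment lint over a planned design. The record layout (plain dicts with keys such as `capacity_gbps`, `home_region`, `vpc_region`, `vpn_backup`, `requires_encryption`) is an assumption made for this example and is not the Direct Connect API shape; the sample design at the bottom is constructed to trip most of the checks.

```python
from collections import Counter

# Limits exactly as stated in the notes above.
MAX_VIFS_PER_VGW = 50
MAX_TGWS_PER_DX_GATEWAY = 3
TRANSIT_VIF_CAPACITIES_GBPS = {1, 2, 5, 10}


def lint_design(connections, vifs, dx_gateways, sites):
    """Return a list of findings (strings) for a planned Direct Connect design.

    Record shapes are assumptions for this example (not the DX API):
      connections: {"id", "site", "home_region", "capacity_gbps"}
      vifs:        {"id", "connection", "type": "public"|"private"|"transit",
                    "vgw" + "vpc_region" (private), "dx_gateway" (transit,
                    or private reaching a VPC outside the Home Region)}
      dx_gateways: {dxgw_id: {"transit_gateways": [tgw_id, ...]}}
      sites:       {site: {"vpn_backup": bool, "requires_encryption": bool,
                           "encryption": "none"|"vpn"|"application"}}
    """
    findings = []
    conn_by_id = {c["id"]: c for c in connections}

    for vif in vifs:
        conn = conn_by_id[vif["connection"]]
        if vif["type"] == "transit":
            # Transit VIFs exist only on 1, 2, 5 and 10 Gbps connections...
            if conn["capacity_gbps"] not in TRANSIT_VIF_CAPACITIES_GBPS:
                findings.append(f"{vif['id']}: transit VIF needs 1/2/5/10 Gbps, "
                                f"connection is {conn['capacity_gbps']} Gbps")
            # ...and always hang off a Direct Connect Gateway.
            if not vif.get("dx_gateway"):
                findings.append(f"{vif['id']}: transit VIF must attach to a Direct Connect Gateway")
        elif vif["type"] == "private":
            # A Private VIF cannot reach a VPC outside its Home Region without a DX Gateway.
            if vif.get("vpc_region") != conn["home_region"] and not vif.get("dx_gateway"):
                findings.append(f"{vif['id']}: VPC in {vif.get('vpc_region')} is outside Home Region "
                                f"{conn['home_region']}; route it through a Direct Connect Gateway")

    # 50 VIFs per VGW, i.e. 50 BGP sessions per VPC.
    per_vgw = Counter(v["vgw"] for v in vifs if v["type"] == "private" and v.get("vgw"))
    for vgw, n in per_vgw.items():
        if n > MAX_VIFS_PER_VGW:
            findings.append(f"{vgw}: {n} VIFs exceeds the limit of {MAX_VIFS_PER_VGW} per VGW")

    # A Direct Connect Gateway fronts at most three Transit Gateways.
    for dxgw_id, gw in dx_gateways.items():
        if len(gw["transit_gateways"]) > MAX_TGWS_PER_DX_GATEWAY:
            findings.append(f"{dxgw_id}: {len(gw['transit_gateways'])} Transit Gateways attached, "
                            f"maximum is {MAX_TGWS_PER_DX_GATEWAY}")

    # Resiliency and encryption are design choices DX does not make for you.
    per_site = Counter(c["site"] for c in connections)
    for site, cfg in sites.items():
        if per_site.get(site, 0) < 2 and not cfg.get("vpn_backup"):
            findings.append(f"{site}: single Direct Connect and no VPN backup; no failover path")
        if cfg.get("requires_encryption") and cfg.get("encryption", "none") == "none":
            findings.append(f"{site}: traffic over DX is unencrypted; add a VPN over DX "
                            f"or encrypt at the application layer")
    return findings


# Constructed sample design (hypothetical identifiers), built to trip several checks.
SAMPLE_CONNECTIONS = [
    {"id": "dxcon-hq-1", "site": "hq", "home_region": "us-east-1", "capacity_gbps": 10},
    {"id": "dxcon-hq-2", "site": "hq", "home_region": "us-east-1", "capacity_gbps": 10},
    {"id": "dxcon-branch-1", "site": "branch", "home_region": "eu-west-1", "capacity_gbps": 0.5},
]
SAMPLE_VIFS = [
    {"id": "dxvif-hq-priv", "connection": "dxcon-hq-1", "type": "private", "vgw": "vgw-a", "vpc_region": "us-east-1"},
    {"id": "dxvif-hq-transit", "connection": "dxcon-hq-2", "type": "transit", "dx_gateway": "dxgw-1"},
    {"id": "dxvif-branch-priv", "connection": "dxcon-branch-1", "type": "private", "vgw": "vgw-b", "vpc_region": "us-east-1"},
    {"id": "dxvif-branch-transit", "connection": "dxcon-branch-1", "type": "transit", "dx_gateway": "dxgw-1"},
] + [  # 51 private VIFs on one VGW, one over the limit
    {"id": f"dxvif-bulk-{i}", "connection": "dxcon-hq-1", "type": "private", "vgw": "vgw-c", "vpc_region": "us-east-1"}
    for i in range(51)
]
SAMPLE_DX_GATEWAYS = {"dxgw-1": {"transit_gateways": ["tgw-1", "tgw-2", "tgw-3", "tgw-4"]}}
SAMPLE_SITES = {
    "hq": {"vpn_backup": False, "requires_encryption": True, "encryption": "application"},
    "branch": {"vpn_backup": False, "requires_encryption": True, "encryption": "none"},
}


def sample_findings():
    return lint_design(SAMPLE_CONNECTIONS, SAMPLE_VIFS, SAMPLE_DX_GATEWAYS, SAMPLE_SITES)


if __name__ == "__main__":
    for finding in sample_findings():
        print("FINDING:", finding)
```

In the sample, the HQ site passes every check (two connections, application-layer encryption, a transit VIF on a 10 Gbps link in its Home Region), while the branch site collects a finding for each rule it breaks. The checks are deliberately independent so that a real inventory pulled from the account can be mapped onto the same record shape one field at a time.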

Pricing

There are no setup charges, and no contract period. Service may be canceled any time.

Direct Connect pricing is based on two scenarios and two elements:

  • Scenarios (based on Connection type)
    • Dedicated Connection (directly with AWS)
    • Hosted Connection (you go through one of AWS Direct Connect Partners)

  • Elements (applies in both scenarios)
    • Port hours – charged per port-hour consumed
      • differs between the two scenarios
      • uniform pricing across all Regions (except Japan)
    • Outbound data transfer – charged per GB
      • varies by Region
      • similar pricing for the two scenarios
      • does not vary by service-type that generates outbound data transfer
      • no charge for ingress traffic

External Resources