AWS Direct Connect
Understand Direct Connect for dedicated private connectivity to AWS, including connections, virtual interfaces, Direct Connect gateways, resilience, VPN backup, and exam signals.
After this, you will understand
Direct Connect helps learners separate private dedicated hybrid connectivity from internet-based VPN tunnels.
AWS Direct Connect provides a dedicated network connection from an on-premises or colocation environment to AWS.
A common mistake is to use Site-to-Site VPN for every hybrid requirement and miss requirements for bandwidth, consistency, private connectivity, or a dedicated link.
Use Direct Connect when hybrid workloads need private, dedicated, predictable connectivity to AWS, often with VPN backup for encryption or resilience.
Think before reading: What is the simplest difference between Direct Connect and Site-to-Site VPN?
Concepts Covered
- AWS Direct Connect
- Dedicated and hosted connections
- Direct Connect locations
- Virtual interfaces
- Private VIF
- Public VIF
- Transit VIF
- Direct Connect gateway
- Resilient connectivity
- Direct Connect versus VPN
1. Plain-English Mental Model
AWS Direct Connect is dedicated private network connectivity from your environment to AWS.
The simple model is:
on-premises network -> Direct Connect location -> AWS network -> VPCs or AWS services
Site-to-Site VPN builds encrypted tunnels over the public internet. Direct Connect uses a dedicated connection through a Direct Connect location, usually with a network provider or colocation partner involved.
Direct Connect is useful when the requirement emphasizes consistent network performance, private connectivity, high bandwidth, lower variability, or dedicated hybrid connectivity.
It does not automatically encrypt traffic. If encryption is required, combine Direct Connect with VPN or application-layer encryption.
2. Why This Service Exists
Hybrid architectures often need stronger connectivity than internet VPN alone.
A company may run databases on premises and applications in AWS. A migration may move terabytes of data. A trading, media, analytics, or enterprise application may need predictable latency and throughput. A network team may require private connectivity that does not traverse the public internet.
Direct Connect exists to provide dedicated network links into AWS.
For SAA-C03, Direct Connect appears in questions about private dedicated connectivity, consistent bandwidth, lower latency variability, large data transfer, hybrid architectures, private access to VPCs, public access to AWS services over Direct Connect, Direct Connect gateway, and VPN backup or encryption.
The exam contrast is usually Direct Connect versus Site-to-Site VPN.
3. The Naive Approach And Where It Breaks
The naive pattern is to use VPN for everything:
on-premises -> internet -> VPN tunnels -> AWS
VPN is useful, fast to provision, and encrypted. But it depends on internet path quality and may not satisfy bandwidth, consistency, or private dedicated connectivity requirements.
Another naive pattern is to order one Direct Connect connection and call it highly available. One physical path can fail. Real production designs use redundant connections, diverse devices, and often multiple locations.
Another mistake is assuming Direct Connect encrypts traffic by default. The connection is private, but encryption is a separate requirement.
Direct Connect is about dedicated connectivity, not automatic encryption.
4. Core Primitives
A Direct Connect location is where your network connects to AWS.
A dedicated connection is a physical Ethernet connection associated with your AWS account.
A hosted connection is provisioned by an AWS Direct Connect Partner.
A virtual interface, or VIF, is a logical interface over a connection.
A private VIF connects to a VPC through a virtual private gateway or Direct Connect gateway.
A public VIF reaches public AWS service endpoints over Direct Connect.
A transit VIF connects to a Direct Connect gateway associated with Transit Gateway.
A Direct Connect gateway lets you connect a Direct Connect connection to VPCs (through virtual private gateways) or to Transit Gateways in supported Regions and accounts, depending on the design.
BGP is used for routing.
5. Architecture Use Cases
Use Direct Connect for consistent high-throughput hybrid access to AWS.
Use private VIFs when on-premises networks need private access to VPC resources.
Use public VIFs when on-premises networks need private-path access to public AWS service endpoints.
Use transit VIFs with Transit Gateway for many VPCs:
on-premises -> Direct Connect -> transit VIF -> Direct Connect gateway -> Transit Gateway -> many VPCs
Use Site-to-Site VPN over Direct Connect or alongside Direct Connect when encryption or backup is required.
Use multiple connections and locations for resilience.
7. Security Model
Direct Connect is private connectivity, but private does not automatically mean encrypted.
If traffic must be encrypted in transit, use VPN over Direct Connect, application TLS, MACsec where supported, or another approved encryption design.
BGP routing needs careful route filtering and monitoring. Advertise only intended prefixes.
Security groups, NACLs, routing, firewalling, and IAM still matter after traffic reaches AWS.
Direct Connect gateway and VIF permissions should be controlled.
Treat hybrid routing as a high-trust path. A misadvertised prefix or overly broad route can expose resources unexpectedly.
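The route-filtering point above can be turned into a pre-change check. The following is an added example, not code from this page or from AWS: it validates a set of prefixes that on-premises routers intend to advertise over a private VIF against an agreed allowlist, flagging a default route, an aggregate that is broader than an allowed block, a prefix outside the allowlist, and a malformed prefix. The allowlist and the advertised prefixes are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample allowlist: the on-premises blocks the network team has
# agreed may be announced towards AWS over the private VIF.
ALLOWED_PREFIXES = [ipaddress.ip_network(p) for p in ("10.10.0.0/16", "10.20.0.0/16")]


@dataclass(frozen=True)
class Finding:
    prefix: str
    reason: str


def check_advertisements(advertised, allowed=ALLOWED_PREFIXES):
    """Return a Finding for every advertised prefix that should be filtered.

    A prefix passes only if it is equal to, or more specific than, an allowed
    block. An aggregate that contains an allowed block (for example 10.0.0.0/8
    covering 10.10.0.0/16) is rejected as too broad: it would attract traffic
    for addresses the on-premises side was never meant to own.
    """
    findings = []
    for raw in advertised:
        try:
            # strict=True rejects host bits set in the network part, e.g. 10.10.1.1/24
            net = ipaddress.ip_network(raw, strict=True)
        except ValueError:
            findings.append(Finding(raw, "malformed prefix"))
            continue
        if net.prefixlen == 0:
            findings.append(Finding(raw, "default route advertised"))
            continue
        same_family = [a for a in allowed if a.version == net.version]
        if any(net.subnet_of(a) for a in same_family):
            continue  # inside an agreed block: acceptable
        if any(a.subnet_of(net) for a in same_family):
            findings.append(Finding(raw, "broader than allowed block"))
        else:
            findings.append(Finding(raw, "not in allowlist"))
    return findings


def advertisements_are_safe(advertised, allowed=ALLOWED_PREFIXES):
    """True only when nothing would be filtered; use as a change gate."""
    return not check_advertisements(advertised, allowed)


if __name__ == "__main__":
    # Constructed sample of what a router is about to announce.
    sample = ["10.10.0.0/16", "10.20.5.0/24", "0.0.0.0/0", "10.0.0.0/8", "192.168.1.0/24", "10.10.1.1/24"]
    for f in check_advertisements(sample):
        print(f"{f.prefix}: {f.reason}")
```

The same check applies to what AWS advertises back to you: compare received prefixes against the VPC CIDRs you expect so that a stray route on the AWS side is noticed as quickly as one on yours.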
8. Reliability And Resilience
Direct Connect resilience requires redundant design.
Use multiple connections, devices, and locations for critical workloads. AWS provides resiliency recommendations and models for different availability targets.
VPN can be used as failover if Direct Connect is unavailable, although performance characteristics differ.
BGP failover behavior should be tested.
Direct Connect does not eliminate the need for multi-AZ VPC design. It only provides the hybrid path into AWS.
Monitor connection state, BGP status, traffic, and route changes.
9. Performance And Scaling
Direct Connect can provide more predictable network performance than internet VPN.
It is useful for high-volume data transfer, steady hybrid application traffic, migrations, and workloads sensitive to internet path variability.
Bandwidth depends on connection type and capacity.
Transit Gateway plus Direct Connect can simplify access to many VPCs, but adds its own data processing and routing considerations.
Do not assume Direct Connect automatically improves every application. Application latency still includes distance, routing, backend performance, and protocol behavior.
10. Cost Model
Direct Connect costs include port hours, data transfer, partner charges where applicable, colocation or cross-connect costs, and related gateway or Transit Gateway costs.
It can reduce some data transfer costs compared with internet paths depending on traffic pattern and current pricing.
VPN is usually simpler and cheaper to start. Direct Connect becomes attractive when bandwidth, consistency, private connectivity, or enterprise network requirements justify it.
Redundant Direct Connect design costs more than one connection, but one connection may not meet availability requirements.
12. SAA-C03 Exam Signals
"Dedicated private connection to AWS" points to Direct Connect.
"Consistent network performance or high bandwidth hybrid connectivity" points to Direct Connect.
"Encrypted tunnel over the internet" points to Site-to-Site VPN.
"Private VIF, public VIF, or transit VIF" points to Direct Connect.
"Connect Direct Connect to many VPCs through Transit Gateway" points to transit VIF and Direct Connect gateway.
"Direct Connect with encryption requirement" may point to VPN over Direct Connect or application encryption.
13. Common Exam Traps
Do not assume Direct Connect is encrypted by default.
Do not treat one Direct Connect connection as highly available.
Do not use Direct Connect when the question needs quick encrypted connectivity over the internet and no dedicated link.
Do not confuse private VIF, public VIF, and transit VIF.
Do not forget BGP routing.
Do not ignore VPN backup for resilience.
15. Related Topics
Review AWS Transit Gateway, AWS Site-to-Site VPN, VPC Networking Model, and AWS Network Firewall.