Networking

Building Dedicated Connections with AWS Direct Connect - Redundancy Design and Traffic Control

Design redundant dedicated connections and connect to VPCs across multiple regions with Direct Connect Gateway. This article also covers bandwidth aggregation with LAG and MACsec encryption.

約 3 分で読めます

Overview of Direct Connect

Direct Connect is a service that connects your on-premises environment to AWS over a dedicated line. Compared to internet VPN, it provides stable bandwidth, lower latency, and reduced data transfer costs. It offers 1 Gbps and 10 Gbps dedicated connections, as well as hosted connections from 50 Mbps to 10 Gbps. With Direct Connect Gateway, you can access VPCs in multiple regions through a single connection.

Redundancy Design and Direct Connect Gateway

For production environments, a dual-location configuration with two connections placed at different locations (data centers) is recommended. If one location experiences a failure, communication continues through the other. Direct Connect Gateway enables access to VPCs in multiple regions from a single connection, eliminating the need for separate connections per region. When combined with Transit Gateway, you can connect to Transit Gateway via Direct Connect Gateway and access all VPCs under that Transit Gateway.

High Availability and Encryption with LAG and MACsec

Link Aggregation Group (LAG) bundles multiple Direct Connect connections into a single logical interface, providing bandwidth aggregation and failover when a link fails. All connections within a LAG must have the same bandwidth and be located at the same location. Enabling MACsec (IEEE 802.1AE) encrypts data on the Direct Connect connection at Layer 2, preventing eavesdropping on the physical line. MACsec is supported on 10 Gbps and 100 Gbps dedicated connections, and you configure CKN/CAK pairs for key association. Enabling SiteLink allows direct communication between different Direct Connect locations via the AWS backbone, letting you leverage the AWS network for connectivity between on-premises sites as well. For troubleshooting Direct Connect, related books (Amazon) can be a useful reference.

Direct Connect Cost Structure

Direct Connect costs consist of port-hour charges and data transfer charges. The port charge for a dedicated connection is a fixed monthly rate based on bandwidth; for example, 1 Gbps costs approximately $0.30/hour. Data transfer charges apply only to outbound traffic (AWS to on-premises); inbound is free. Hosted connections are available from 50 Mbps through partners and are cost-effective for smaller workloads. Using Direct Connect Gateway, you can access VPCs in multiple regions with a single connection, eliminating the need for per-region connections. When monthly traffic exceeds 1 TB, Direct Connect often becomes more cost-effective than VPN in terms of data transfer costs.

Summary

Direct Connect is a service that connects your on-premises environment to AWS over a dedicated line, providing a stable, low-latency network. LAG aggregates bandwidth, and MACsec provides Layer 2 encryption. Direct Connect Gateway enables access to VPCs in multiple regions from a single connection, and SiteLink lets you leverage the AWS backbone for communication between on-premises sites.

Related Services

AWS Direct ConnectA service that provides a dedicated network connection between on-premises and AWS for stable, low-latency connectivityAmazon VPCBuild a logically isolated virtual network on AWSAWS Transit GatewayA network hub that connects multiple VPCs and on-premises networks in a hub-and-spoke topology

Related Articles

Global Network Optimization with AWS Global Accelerator - Low-Latency Delivery and FailoverLearn how to route traffic onto the AWS global network using Anycast IPs, design endpoint groups, and achieve failover through health checks.Visualizing Your Global Network with AWS Network Manager - Centralized Topology and Health ManagementLearn how to visualize the topology of your global network including Transit Gateways and VPNs, and verify connectivity with route analysis.Building a Hub-and-Spoke Network with AWS Transit Gateway - Multi-VPC Connectivity DesignConsolidate multiple VPCs and on-premises networks in a hub-and-spoke topology, establish security boundaries with route table isolation, and enable multi-region connectivity through peering.

More on This Topic

Building a Service Mesh with AWS App Mesh - Controlling and Observing Microservice CommunicationLearn how to declaratively configure canary deployments, retry policies, and mTLS encryption using Envoy sidecars, and visualize service dependencies with X-Ray integration.Service Discovery with AWS Cloud Map - Dynamic Name Resolution for MicroservicesDynamically discover microservice endpoints using DNS-based and API-based approaches. Learn how to automate service registration and deregistration through integration with ECS and EKS.How CloudFront's 600+ PoPs Work - Anycast Routing and the Cache HierarchyLearn how CloudFront routes user requests to the nearest PoP using Anycast, the two-tier structure of edge locations and regional edge caches, and the design factors that determine cache hit rates.Dedicated Connection Design - Achieving Stable Private Network Connectivity with Direct ConnectLearn about dedicated connection design with AWS Direct Connect, including choosing between dedicated and hosted connections, redundancy configurations, and achieving stable private network connectivity through VPC integration.Elastic IP Address Management and Design - Static IP Usage and Cost OptimizationLearn about Elastic IP allocation, EC2 association, cost implications of unused EIPs, and alternative approaches to consider.Why ELB Has Three Types - The Design Rationale Behind ALB, NLB, and CLBExplore why ALB, NLB, and CLB (Classic) coexist rather than being unified into a single service, examining OSI model layers, performance characteristics, and historical context.Global Network Optimization with AWS Global Accelerator - Low-Latency Delivery and FailoverLearn how to route traffic onto the AWS global network using Anycast IPs, design endpoint groups, and achieve failover through health checks.Global Network Acceleration - Low-Latency Delivery with AWS Global Accelerator and CloudFrontRoute traffic onto the AWS global network early using Anycast IPs to direct clients to the nearest edge location. This guide covers ALB/NLB integration and failover design.

Similar Articles and Services

AWS Direct ConnectA service that provides a dedicated network connection between on-premises environments and AWS, delivering stable, low-latency connectivity that bypasses the public internetDedicated Connection Design - Achieving Stable Private Network Connectivity with Direct ConnectLearn about dedicated connection design with AWS Direct Connect, including choosing between dedicated and hosted connections, redundancy configurations, and achieving stable private network connectivity through VPC integration.Building a Hub-and-Spoke Network with AWS Transit Gateway - Multi-VPC Connectivity DesignConsolidate multiple VPCs and on-premises networks in a hub-and-spoke topology, establish security boundaries with route table isolation, and enable multi-region connectivity through peering.The Depth of AWS Networking Services - Enterprise Network Design with VPC, Transit Gateway, and PrivateLinkThis article examines AWS networking services centered on VPC, Transit Gateway, PrivateLink, Direct Connect, and Network Firewall, comparing them with Azure VNet/ExpressRoute and GCP VPC/Cloud Interconnect to explain the flexibility advantages in enterprise network design.