
Dedicated, consistent, low-latency private network connectivity between your data center and AWS — bypassing the public internet entirely.
AWS Direct Connect establishes a dedicated private network connection between your on-premises environment and AWS, bypassing the public internet for improved bandwidth, reduced latency, and consistent throughput. It uses industry-standard 802.1Q VLANs to create virtual interfaces (VIFs) that connect to AWS services like VPCs, S3, and DynamoDB. Unlike VPN, traffic never traverses the public internet, making it ideal for security-sensitive, high-throughput, or latency-critical workloads.
Provide a stable, high-bandwidth, low-latency private connection from on-premises to AWS for production workloads that cannot tolerate internet variability or require consistent network performance.
Dedicated Connections (1/10/100 Gbps)
Physical port reserved exclusively for your use, ordered directly from AWS
Hosted Connections (50 Mbps – 10 Gbps)
Provisioned by AWS Partner Network (APN) partners; supports sub-1 Gbps speeds
Private Virtual Interface (Private VIF)
Connects to a VPC via Virtual Private Gateway or Direct Connect Gateway
Public Virtual Interface (Public VIF)
Accesses all AWS public services (S3, DynamoDB, etc.) using public IPs — still private network, no internet
Transit Virtual Interface (Transit VIF)
Connects to AWS Transit Gateway for scalable multi-VPC and multi-account architectures
Direct Connect Gateway
Global construct enabling a single DX connection to reach VPCs in multiple AWS Regions
Link Aggregation Groups (LAG)
Bundles up to 4 connections of same speed for higher aggregate bandwidth and active/active failover
MACsec Encryption (Layer 2)
IEEE 802.1AE encryption at the physical layer for dedicated 10 Gbps and 100 Gbps connections at select locations
BGP (Border Gateway Protocol)
Mandatory routing protocol; supports MD5 authentication and BFD for fast failover
Bidirectional Forwarding Detection (BFD)
Enables fast failure detection (sub-second) for BGP sessions, improving failover speed
Jumbo Frames (MTU 9001)
Supported on Private and Transit VIFs only; improves throughput for large data transfers
SiteLink
Enables on-premises-to-on-premises traffic routing through the AWS backbone via Direct Connect locations
CloudWatch Metrics
Monitors connection state, bit rate, packet rate, and CRC errors
Encryption in Transit (native)
Direct Connect itself does NOT encrypt traffic. Use MACsec (L2) or IPsec VPN over Direct Connect for encryption.
Private VIF + Virtual Private Gateway
(high freq) The foundational pattern: attach a Private VIF to a VGW on a VPC for dedicated private access to EC2 instances, RDS, and other VPC resources. Traffic never touches the internet.
VPN over Direct Connect (IPsec Backup or Encryption Layer)
(high freq) Run an IPsec VPN tunnel over a Public VIF on Direct Connect to add encryption to the private connection, OR use Site-to-Site VPN as an automatic failover path when the DX connection fails. This is the recommended pattern for encrypted + resilient hybrid connectivity.
Transit VIF + Transit Gateway Hub-and-Spoke
(high freq) Use a Transit VIF connected to a Direct Connect Gateway, then associate the DX Gateway with a Transit Gateway. This single DX connection can then reach hundreds of VPCs across multiple accounts and regions — the scalable enterprise pattern.
Private VIF + VPC Endpoint via PrivateLink
(high freq) Combine Direct Connect (Private VIF to VPC) with VPC Interface Endpoints (PrivateLink) to access AWS managed services like SQS, SNS, or Kinesis from on-premises without internet. Traffic stays on the AWS private network end-to-end.
Multi-Region Access via DX Gateway
(high freq) A single Direct Connect connection at one location can reach VPCs in multiple AWS Regions through a Direct Connect Gateway — eliminating the need for separate DX connections per region.
Public VIF for CloudFront Origin Access
(medium freq) Use a Public VIF to privately connect to AWS public endpoints including CloudFront. On-premises systems can push content to S3 origins or interact with CloudFront APIs without internet exposure.
Direct Connect + DataSync for Large-Scale Data Migration
(medium freq) Deploy DataSync agents on-premises and use Direct Connect as the transport layer for high-speed, automated data migration to S3, EFS, or FSx. Avoids internet bandwidth limitations and provides consistent transfer rates.
Direct Connect does NOT encrypt data in transit by default. To encrypt, either use MACsec (Layer 2, hardware-level, at select locations for 10/100 Gbps dedicated connections) or run an IPsec VPN tunnel over a Public VIF on top of Direct Connect. This is the #1 encryption question on SAA-C03 and SAP-C02.
Know the three VIF types cold: Private VIF → VPC (via VGW or DX Gateway), Public VIF → All AWS public services (S3, DynamoDB, CloudFront) using public IPs, Transit VIF → Transit Gateway. A question describing access to S3 from on-premises via Direct Connect = Public VIF, not Private VIF.
For maximum resiliency, AWS recommends two Direct Connect connections at two different Direct Connect locations PLUS a Site-to-Site VPN as a tertiary backup. Single DX connection = single point of failure. This pattern appears frequently in SAP-C02 resilience design questions.
On the CLF-C02, the key concept is simply: Direct Connect = private dedicated connection (not internet), lower/consistent latency, higher cost, longer setup. VPN = encrypted tunnel over public internet, faster setup, variable latency, lower cost. Know when to pick each.
Direct Connect is PRIVATE but NOT ENCRYPTED. Add MACsec (Layer 2, dedicated 10/100 Gbps only) or IPsec VPN over a Public VIF for encryption. 'Private connection' ≠ 'encrypted connection' — this distinction determines exam pass/fail.
Know all three VIF types: Private VIF = VPC access, Public VIF = AWS public services (S3, DynamoDB, etc.), Transit VIF = Transit Gateway. S3 over Direct Connect = Public VIF (or Private VIF + PrivateLink). Getting this wrong eliminates most architecture answers.
For resilience: single DX = single point of failure. Maximum resilience = 2 DX connections at 2 different physical locations + Site-to-Site VPN as backup. Direct Connect takes weeks to provision — VPN is the right answer for rapid/temporary connectivity.
Direct Connect Gateway is a GLOBAL resource (not region-specific) that allows one DX connection to reach VPCs in multiple regions. However, VPCs connected through the same DX Gateway CANNOT route traffic to each other — you need Transit Gateway for VPC-to-VPC routing.
Provisioning time matters for exam scenarios: Direct Connect takes weeks to provision (physical cross-connect at a colocation facility). If a question asks for 'immediate' or 'rapid' hybrid connectivity, the answer is Site-to-Site VPN, not Direct Connect.
BGP prefix limits are tested: Private VIF supports up to 100 prefixes in each direction. If you exceed this, the BGP session drops. Use route summarization or aggregate routes to stay within limits. Public VIF allows up to 1000 prefixes from on-premises to AWS.
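Route summarization against the VIF prefix limits quoted above, as an added example (not code from the page or from AWS tooling): it collapses a constructed on-premises route list with Python's standard ipaddress module and reports the prefix count before and after, so you can see a route table that would drop a Private VIF BGP session become one that fits.

```python
import ipaddress

# BGP prefix limits per VIF type, as stated in the notes above
PREFIX_LIMITS = {"private": 100, "public": 1000}

# Constructed on-premises route table: 256 contiguous /24s under 10.20.0.0/16,
# two adjacent /24s, and one lone /24 (259 prefixes before summarization).
SAMPLE_ON_PREM_ROUTES = (
    [f"10.20.{i}.0/24" for i in range(256)]
    + ["192.168.10.0/24", "192.168.11.0/24", "172.16.5.0/24"]
)

def summarize_routes(prefixes):
    """Collapse IPv4 prefixes into the minimal covering set.

    Overlapping networks are deduplicated and adjacent ones are supernetted
    (10.0.0.0/24 + 10.0.1.0/24 -> 10.0.0.0/23), repeatedly, so a full block
    of /24s under a /16 becomes the single /16. Result is sorted by address.
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def check_prefix_count(prefixes, vif_type):
    """Report whether a route list fits the VIF's prefix limit, raw and
    summarized. Advertising more than the limit tears down the BGP session."""
    limit = PREFIX_LIMITS[vif_type]
    summarized = summarize_routes(prefixes)
    return {
        "vif_type": vif_type,
        "limit": limit,
        "raw_count": len(prefixes),
        "raw_within_limit": len(prefixes) <= limit,
        "summarized_count": len(summarized),
        "summarized_within_limit": len(summarized) <= limit,
        "summarized": summarized,
    }

if __name__ == "__main__":
    report = check_prefix_count(SAMPLE_ON_PREM_ROUTES, "private")
    print(f"raw: {report['raw_count']} prefixes, ok={report['raw_within_limit']}")
    print(f"summarized: {report['summarized_count']} prefixes, "
          f"ok={report['summarized_within_limit']}")
    print("advertise:", ", ".join(report["summarized"]))
```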
LAG (Link Aggregation Group) provides active/active bandwidth aggregation and connection-level redundancy at a SINGLE DX location. It does NOT protect against DX location failure. For location-level redundancy, you need connections at geographically separate DX locations.
Jumbo frames (MTU 9001) are supported on Private VIFs and Transit VIFs but NOT on Public VIFs (limited to 1500 bytes). Enable jumbo frames when moving large files or running database replication over Direct Connect to maximize throughput.
SiteLink enables on-premises-to-on-premises connectivity through the AWS global backbone using Direct Connect locations as relay points. This is useful for connecting branch offices globally without building your own MPLS network, but incurs additional per-GB charges.
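The encryption, resiliency and jumbo-frame rules from the notes above turned into a design check, as an added example that is not part of the page or any AWS tool; the Connection and HybridDesign data model, the location names LocA and LocB, and the two sample designs are constructed for the illustration.

```python
from dataclasses import dataclass

# Rules from the exam notes above; data model and location names are hypothetical.
MACSEC_SPEEDS_GBPS = {10, 100}                                # dedicated connections only
MAX_MTU = {"private": 9001, "transit": 9001, "public": 1500}  # jumbo only on private/transit

@dataclass
class Connection:
    location: str        # DX location (colocation facility)
    kind: str            # "dedicated" or "hosted"
    speed_gbps: float
    macsec: bool = False

@dataclass
class HybridDesign:
    connections: list
    vifs: list                           # [{"type": "private", "mtu": 9001}, ...]
    ipsec_vpn_over_dx: bool = False      # IPsec tunnel over a Public VIF
    site_to_site_vpn_backup: bool = False

def macsec_eligible(c):
    return c.kind == "dedicated" and c.speed_gbps in MACSEC_SPEEDS_GBPS

def review(d):
    """Return findings; an empty list means the design satisfies every rule."""
    findings = []
    # Encryption: DX alone is plaintext; need MACsec on every link or IPsec over DX.
    for c in d.connections:
        if c.macsec and not macsec_eligible(c):
            findings.append(f"{c.location}: MACsec needs a dedicated 10/100 Gbps connection")
    encrypted = d.ipsec_vpn_over_dx or (
        bool(d.connections) and all(c.macsec and macsec_eligible(c) for c in d.connections))
    if not encrypted:
        findings.append("not encrypted: add MACsec or an IPsec VPN over a Public VIF")
    # Resiliency (2-2-1): two connections, two locations, one VPN backup.
    if len(d.connections) < 2:
        findings.append("single DX connection is a single point of failure")
    elif len({c.location for c in d.connections}) < 2:
        findings.append("all connections at one DX location; LAG does not survive a site failure")
    if not d.site_to_site_vpn_backup:
        findings.append("no Site-to-Site VPN as tertiary backup")
    # MTU: jumbo frames (9001) only on Private and Transit VIFs.
    for v in d.vifs:
        if v["mtu"] > MAX_MTU[v["type"]]:
            findings.append(f"{v['type']} VIF: MTU {v['mtu']} exceeds {MAX_MTU[v['type']]}")
    return findings

# Constructed designs: a common weak one and its corrected form.
WEAK = HybridDesign([Connection("LocA", "hosted", 1)], [{"type": "public", "mtu": 9001}])
HARDENED = HybridDesign([Connection("LocA", "dedicated", 10, macsec=True),
                         Connection("LocB", "dedicated", 10, macsec=True)],
                        [{"type": "transit", "mtu": 9001}], site_to_site_vpn_backup=True)
```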
Common Mistake
Direct Connect is encrypted by default because it's a private connection that doesn't use the internet.
Correct
Direct Connect is private but NOT encrypted. The dedicated physical connection bypasses the internet, but data is transmitted in plaintext unless you explicitly add MACsec (Layer 2 encryption for 10/100 Gbps dedicated connections) or an IPsec VPN tunnel over the connection.
This is the #1 Direct Connect misconception on certification exams. 'Private' and 'encrypted' are different properties. AWS explicitly states that for encryption, you must layer MACsec or VPN on top of DX. Questions often present a compliance scenario requiring encryption and test whether you know DX alone is insufficient.
Common Mistake
A single Direct Connect connection to one AWS Region provides adequate redundancy for production workloads.
Correct
A single DX connection is a single point of failure. AWS best practice for maximum resiliency requires two dedicated connections at two separate DX locations. For critical workloads, add a Site-to-Site VPN as a tertiary failover. Single-region, single-connection architectures fail the AWS Well-Architected reliability pillar.
Exam questions frequently present scenarios with a single DX connection and ask how to improve resilience. The correct answer always involves a second connection at a different physical location, not just a second connection at the same location (which still fails if the facility goes down).
Common Mistake
You can use a Private VIF to access AWS public services like S3 and DynamoDB from on-premises.
Correct
To access AWS public services (S3, DynamoDB, SQS, etc.) over Direct Connect, you must use a PUBLIC VIF, not a Private VIF. A Private VIF only provides access to resources within a specific VPC. Alternatively, you can use a Private VIF + VPC Interface Endpoints (PrivateLink) to reach public services via private IPs within the VPC.
This VIF type confusion appears frequently in architecture questions. S3 is a public AWS service — it has public endpoints. To reach it privately over DX without internet, you need a Public VIF (which still uses the private DX connection, just reaches public AWS IPs) or PrivateLink via Private VIF.
Common Mistake
AWS Direct Connect and AWS Site-to-Site VPN are interchangeable — both provide private connections to AWS.
Correct
Site-to-Site VPN creates an encrypted IPsec tunnel over the PUBLIC INTERNET. It is NOT a private connection — it traverses the internet, which means variable latency and shared bandwidth. Direct Connect is a physically dedicated private connection that never touches the internet. VPN is faster to provision but less consistent; DX is slower to provision but offers guaranteed bandwidth and lower latency.
This is explicitly listed as a top misconception in exam question banks. CLF-C02 questions often test the fundamental distinction. The word 'private' in 'Virtual Private Network' misleads candidates — the 'private' refers to the encrypted tunnel, not a dedicated physical connection.
Common Mistake
Direct Connect Gateway allows VPCs connected to it to communicate with each other.
Correct
Direct Connect Gateway is NOT a transit hub for VPC-to-VPC traffic. It only provides a path from on-premises (via DX) to multiple VPCs. VPCs attached to the same DX Gateway cannot route traffic between themselves through the gateway. For VPC-to-VPC routing, you need Transit Gateway (which can be combined with DX Gateway via Transit VIF).
SAP-C02 architecture questions test this boundary. Candidates who understand DX Gateway's multi-region capability often assume it also enables VPC peering-like behavior — it does not. This is why the DX Gateway + Transit Gateway combination exists.
Common Mistake
Pre-provisioning maximum Direct Connect capacity (e.g., ordering 100 Gbps when you only need 1 Gbps) is a good operational excellence practice to avoid future bottlenecks.
Correct
Over-provisioning Direct Connect capacity is wasteful and conflicts with cost optimization. You pay port-hour charges for every hour the port exists, regardless of utilization. Best practice is to right-size your connection and use LAG to add capacity incrementally, or use hosted connections for flexible sub-Gbps options. Cost optimization and operational excellence are complementary, not conflicting.
This misconception directly appears in exam question banks. AWS Well-Architected Framework emphasizes right-sizing. The exam tests whether candidates understand that unused capacity still incurs costs and that you should scale capacity based on actual need, not theoretical maximums.
VIF Types — 'PPT': Private VIF → Private VPC resources, Public VIF → Public AWS services (S3/DynamoDB), Transit VIF → Transit Gateway. Think of it like a conference: Private room, Public lobby, Transit hub.
DX vs VPN: 'DX = Dedicated eXpressway (private road, no encryption), VPN = Virtual Private Network (public highway with an encrypted tunnel)' — know the road type AND whether it's encrypted.
Resiliency tiers: '2 connections, 2 locations, 1 VPN backup' = maximum resilience. Remember: 2-2-1.
MACsec memory trick: 'MAC = Media Access Control (Layer 2)' — MACsec encrypts at Layer 2, available only on dedicated 10/100 Gbps connections. If the question says 'Layer 2 encryption' or 'hardware-level encryption' on DX, think MACsec.
CertAI Tutor · CLF-C02, SAA-C03, SAP-C02 · 2026-02-21