
What is AWS Direct Connect? A detailed explanation of how it works, how it's configured, and how it differs from VPNs.


AWS Direct Connect is a service that connects the AWS cloud to your company's network over a dedicated line. This article explains, for corporate network managers, how it works, typical configurations, how it differs from a VPN, and the benefits and approximate cost of adopting it.


What is AWS Direct Connect?

AWS Direct Connect connects your company's network directly to AWS over a dedicated line. It is used where communication stability, a private (non-Internet) path, and guaranteed bandwidth take priority over the low cost of an Internet-based connection.

Direct Connect's basic functions and positioning

AWS Direct Connect connects AWS and an on-premises environment over a dedicated line. Because traffic does not traverse the public Internet, latency is lower and more predictable than with a VPN connection.

Major features

  • Guaranteed bandwidth over a dedicated connection (1 Gbps, 10 Gbps or 100 Gbps ports)

  • A private path that does not traverse the public Internet (the traffic itself is not encrypted by default; see the security comparison below)

  • Predictable throughput, so business traffic is not affected by Internet congestion

  • Higher availability through a redundant configuration (HA configuration)

  • With a Direct Connect Gateway, a single connection can reach VPCs in multiple regions

Unlike VPNs that run over the Internet, it is designed as an infrastructure element to provide a constant, stable connection between a corporate network and AWS.

When to use the service (use case)

Direct Connect is the best choice when you have the following requirements:

  • Migrating business systems to AWS

    • When you need a constant, stable connection between your internal network and the cloud

  • Regular transfer of large amounts of data

    • Cases where video data, IoT logs, backup data, etc. must be transferred at high speed with consistent quality

  • Industries with strict security requirements

    • Financial institutions, public institutions, medical institutions, etc. that do not permit communication via the Internet

  • Disaster recovery (DR) measures

    • For data synchronization and replication between different regions and data centers

  • Hybrid Cloud Configuration

    • Systems split between on-premises and AWS that must communicate with each other continuously.

How Direct Connect works and example configurations

Direct Connect connects AWS and your on-premises environment through a dedicated physical line.

Connection flow and basic configuration

The basic path runs from the on-premises environment to a Direct Connect location in a data center and from there into a VPC in the AWS region. Unlike a VPN, traffic reaches AWS without traversing the Internet, which makes bandwidth stability and closed-network requirements easier to meet.

Direct Connect connection diagram

The connection image for Direct Connect is as follows:


[On-premises environment]
        │
  (router/switch)
        │
  Dedicated line (1 Gbps and above)
        │
[AWS Direct Connect location]
        │
  AWS network
        │
      [VPC]


In this configuration there is a Direct Connect location between your premises and AWS: a colocation facility where AWS installs its routers and where carriers and cloud-exchange providers bring their circuits. Your line terminates there and is joined to the AWS device with a cross-connect.

Image of physical connection path

The physical configuration has three main elements:

  • On-premises network equipment: a router or switch that terminates the line and exchanges routes with AWS over BGP

  • Carrier-provided line: Physical line to Direct Connect location

  • Virtual interface on the AWS side: A logical interface that connects to a VPC, etc.

The dedicated line terminates at a Direct Connect location designated by AWS, from which it joins the AWS network. Between the connection and the VPC you configure a Virtual Interface (VIF). A private VIF (to a VPC through a virtual private gateway or Direct Connect Gateway) is the common choice, but a public VIF (to AWS public endpoints such as S3) or a transit VIF (to a Transit Gateway through a Direct Connect Gateway) can be chosen depending on the situation.

Connection type/Configuration pattern

Direct Connect allows you to choose from several connection configurations depending on your requirements. We will explain the two most common patterns: a single or redundant dedicated connection, and a connection via an AWS Direct Connect Partner.

Single connection/redundant configuration (HA)

A single connection is a simple configuration that uses only one Direct Connect line. While it is easy to implement in terms of construction and cost, there is a risk of communication being completely stopped in the event of a physical failure or network outage.

On the other hand, a redundant configuration (High Availability: HA configuration) involves running two independent lines with different routes to support failover. AWS recommends the introduction of a redundant configuration for production use.

Common Configurations

  • Connect to different Direct Connect locations

  • Terminate on different AWS-side devices at the connection point

  • Failover support using BGP route control

In systems that require communication availability and SLAs, a single connection is risky, and a redundant configuration is a de facto prerequisite.

Partner Connection (via AWS Direct Connect Partner)

If it is difficult for you to physically connect to a Direct Connect location yourself, you can use an AWS Direct Connect Partner.

In this configuration, your site is indirectly connected to AWS through the infrastructure of an AWS-certified network provider.

Major features

  • The partner arranges and provisions the dedicated line on your behalf.

  • Can be implemented in a short period of time and at relatively low cost; partner-hosted connections are also available at sub-1 Gbps speeds

  • The physical path is your site → partner location → Direct Connect location

This is a suitable option for medium-sized or smaller companies or companies with multiple locations that want to implement the system quickly.

What is Direct Connect Gateway?

Direct Connect Gateway (DXGW) is a relay service that logically connects AWS Direct Connect to multiple VPCs and regions. It simplifies management of connections between Direct Connect circuits and multiple VPCs, enabling more flexible network design.

The role of the Direct Connect Gateway

By default a private VIF terminates on the virtual private gateway of a single VPC. If you need to reach multiple regions or multiple VPCs, configuring each individually quickly becomes complicated.

The Direct Connect Gateway performs the following functions:

  • Aggregating connections to multiple VPCs

    • Associating several VPCs (through their virtual private gateways) with one DXGW lets them share a single connection and simplifies connection management.

  • Supports connections across regions

    • It is also possible to connect to VPCs in multiple regions (e.g., connecting from the Tokyo region to a VPC in the Oregon region).

  • Can also be used in conjunction with Transit Gateway

    • Design that can flexibly accommodate large-scale network configurations

Even if a company's network configuration expands and diversifies, it will be possible to operate it flexibly while maintaining the efficiency of using Direct Connect lines.

Example of use when building a global connection configuration

It is especially useful for global companies and those using multiple AWS regions. It is suitable for the following scenarios:

  • Connecting to multiple AWS regions from a Japanese base

    • Reaching VPCs in Tokyo, Singapore, Virginia, etc. over a single dedicated line

  • Connecting the head office and each overseas base to AWS all at once

    • Simplify network design at each site and centralize management with DXGW

  • Cross-region data synchronization and backup

    • A stable private transfer path can be secured via DXGW (add encryption if the data requires it)

In such cases, stable operation of the wide area network can be achieved while reducing line costs and the burden of configuration management.

Use in combination with AWS Transit Gateway

Combining Direct Connect Gateway (DXGW) with AWS Transit Gateway (TGW) enables a configuration that can centrally and efficiently connect VPCs and on-premises environments. When there are many locations or VPCs, this combination helps simplify network design and improve availability.

The role and benefits of Transit Gateway

Transit Gateway is a routing platform that connects multiple VPCs, VPNs, Direct Connect Gateways, etc. within AWS in a hub-and-spoke configuration.

Main Roles and Benefits

  • Aggregating routing between multiple VPCs

    • There is no need for individual settings to directly connect each VPC, simplifying design and operation.

  • Integrates different connection methods such as VPN and Direct Connect

    • Centralized management possible even in hybrid configurations

  • Scalable and highly available architecture

    • Multiple attachments can be configured redundantly per region

  • Supports cross-account integration

    • Can be used in AWS environments with multiple accounts

Standard configuration example for Direct Connect Gateway + Transit Gateway

A typical configuration is as follows:

[On-premises environment]
        │
  Direct Connect lines
        │
[AWS Direct Connect Gateway]
        │
[AWS Transit Gateway]
  ├───── VPC-A (Tokyo)
  ├───── VPC-B (Osaka)
  └───── VPC-C (separate account)

In this configuration, the Direct Connect connection carries a transit VIF that terminates on the Direct Connect Gateway; the Direct Connect Gateway is associated with the Transit Gateway, and the Transit Gateway routes to the attached VPCs. The Direct Connect Gateway acts as the aggregation point for the physical circuits, and the Transit Gateway as the hub for VPC attachments. The allowed prefixes set on the DXGW-to-TGW association control which AWS-side prefixes are advertised to on-premises.

Points to consider when designing

When designing a combined configuration, you need to pay attention to the following points:

  • Transit Gateway is designed for each region

    • Connection via DXGW is possible, but each TGW is a regional resource; one DXGW can be associated with Transit Gateways in several regions.

  • Be aware of routing separation and aggregation

    • Route tables must be designed according to the communication requirements of each VPC.

  • Organizing BGP routing

    • Redundant configurations require an active/standby or active/active design, steered with BGP attributes (local preference, AS path prepending, or the AWS local-preference communities).

  • Governance design for communication control

    • When sharing a TGW across accounts with AWS Resource Access Manager or connecting cross-account, the design must include IAM permissions and security policies.

This configuration is a practical option for ensuring scalability and manageability while maintaining the benefits of Direct Connect (high bandwidth and stability).

What is the difference between Direct Connect and VPN?

In addition to Direct Connect, VPN is also an option for connecting AWS and on-premises environments. We will explain the differences between the two from the perspectives of communication path, bandwidth, security, and cost.

Differences between communication paths and quality

VPN and Direct Connect have fundamentally different communication path structures, which directly affect communication quality.

VPN over the Internet

AWS Site-to-Site VPN connects on-premises and AWS over the Internet. It uses IPsec tunnels for encrypted communication, which provides a baseline of confidentiality and integrity, but because the route is left to the Internet, the following issues may arise.

  • Communication delays fluctuate greatly

    • Latency may be unstable depending on the time of day and route conditions.

  • Susceptible to network outages

    • There is a risk of inaccessibility due to ISP or external network failures

  • No guarantee of line quality (best effort)

While VPNs have the advantage of being easy to implement and low cost, they are not suitable for systems that require high availability and quality.

Direct Connect is via a dedicated line

Direct Connect uses a physical dedicated line provided by a telecommunications carrier to directly connect your on-premises environment to AWS over a private network. Because it does not go via the Internet, it has the following advantages:

  • The communication path is fixed and highly stable

  • Low latency and low variability

  • Unaffected by internet outages

  • Dedicated bandwidth ensures predictable communication quality

This connection method is suitable for applications where quality is directly linked to business operations, such as core systems and large-volume data transfers.

Guaranteed Bandwidth and Performance

When selecting a connection method, the stability of communication bandwidth and throughput performance are important criteria. Here we will explain the differences in bandwidth between VPN and Direct Connect.

VPN is best effort

Because VPNs go through the internet, bandwidth is not guaranteed and will vary depending on usage.

Characteristics

  • Affected by ISP and route congestion

    • Communication speed and response time may vary depending on the time of day.

  • Not suitable for applications requiring stable throughput

    • Fluctuations in communication can be a problem when processing large amounts of data continuously, video streaming, or other processes that require real-time performance.

  • Difficult to identify the cause of a problem

    • Because public infrastructure is used, it is difficult to identify the route on which a problem occurs.

It is sufficient for operations that do not have strong requirements for availability or throughput, but it is not suitable for situations where continuous transfer performance is important.

Direct Connect can guarantee bandwidth

Direct Connect uses a physical dedicated line, allowing you to select a clear bandwidth plan (1Gbps/10Gbps/100Gbps) and ensuring predictable communication performance.

Main benefits

  • Ensure stable throughput according to contracted bandwidth

  • Communication speeds do not drop even during peak times

  • Bandwidth usage can be monitored with CloudWatch metrics (for example ConnectionBpsEgress and ConnectionBpsIngress)

With a dedicated connection the port is yours alone, so other customers' traffic has no effect and quality stays stable; with a partner-hosted connection the bandwidth is policed to the contracted rate on the partner's shared port. Either way it suits mission-critical applications and scheduled large-volume transfers.

Security differences

Security requirements are an important consideration when selecting a connection method. VPN and Direct Connect have different communication path characteristics and risk assumptions.

VPN is encrypted/routes are public networks

VPN is a secure connection method that relies on IPsec encryption of communications. It is designed to prevent the risk of eavesdropping and tampering even over the Internet, but it operates under the following conditions:

  • The communication is encrypted, but the route is public.

    • The tunnel endpoints are reachable from the Internet and the path is shared with public traffic, so exposure to Internet-side attacks and outages cannot be eliminated

  • Not recommended for industries with restrictive security policies

    • Financial, medical, and public institutions may require non-internet-based transactions.

VPNs provide sufficient security for general business use, but do not guarantee closed network security at the infrastructure level.

Direct Connect is a closed network (suitable for industries with strict security requirements)

Direct Connect carries traffic over a private path that does not touch the public Internet. Encryption is optional: by default the traffic crosses the carrier line, the colocation cross-connect and the AWS network in cleartext, so the advantages of the closed path are about exposure, not confidentiality:

  • The communication path is isolated from the Internet

  • Traffic does not share a path with Internet users, so it is not exposed to Internet-side disruption or attacks on the path itself

  • Easier to comply with industry guidelines and regulations that require a non-Internet path

If encryption is required, configure an AWS Site-to-Site VPN over Direct Connect (IPsec over the private path), enable MACsec on a 10 Gbps or 100 Gbps dedicated connection, or rely on TLS at the application layer; a regulated workload will typically need one of these in addition to the closed path.

Cost and implementation hurdles

VPN and Direct Connect have significant differences in implementation costs and man-hours. You need to choose the option that best suits your company's requirements and resources, taking into account the characteristics of each.

VPN is low cost and flexible

A VPN can be set up by creating a virtual private gateway (or Transit Gateway) and a customer gateway on the AWS side and configuring the on-premises IPsec device, so it can be built at lower cost and in a shorter time than Direct Connect.

Features

  • AWS charges only an hourly fee per VPN connection plus data transfer out

  • Since there is no need to arrange for physical lines, it can be implemented in a few days or a short period of time.

  • Easy to use for testing and short-term projects

  • Setup is simple as long as the on-premises device supports IPsec and, ideally, BGP for dynamic routing

It offers excellent cost and flexibility, and is also effective as a backup line for small-scale environments and redundant routes.

Direct Connect is more expensive but ensures high quality and stability

Direct Connect requires a dedicated line to be arranged by a telecommunications carrier, which takes time and money to set up.

Features

  • Initial costs: Dedicated line installation and cross-connect construction costs are incurred

  • Monthly fee: Port fee + Data transfer fee + Partner fee (if required)

  • Implementation lead time: In most cases it takes about 1 to 2 months

  • Configuration and design: BGP and redundant configurations must be designed

However, these costs are justified by the high communication quality, bandwidth stability, and availability, making it a suitable option for production environments and core systems.

Benefits of introduction and usage scenarios

Direct Connect requires a certain amount of cost and effort to implement, but it offers benefits in performance, stability, and security that are worth the investment. We will summarize the typical benefits gained by implementing it and the use cases for which it is suitable.

Typical benefits of implementation

The benefits of implementing Direct Connect include stabilizing communication bandwidth, ensuring security requirements, and optimizing for large-volume data communications.

Ensuring bandwidth and stability

Because it uses a dedicated line, stable communication based on the contracted bandwidth is possible. It is particularly superior to VPN in the following points:

  • Maintain stable communication speeds even during peak times

  • Latency fluctuations are small, minimizing the impact on business processing

  • Route control by BGP enables stable operation along the intended route

This helps prevent degradation of application performance and batch processing delays caused by unstable communication quality.

Enhanced security

A closed network configuration that does not go through the Internet offers the following security advantages:

  • Supports industries with strict security requirements (finance, healthcare, public sector)

  • The path itself is isolated from the Internet, which reduces the exposure of the connection to Internet-originated attacks and outages.

Depending on your requirements, multi-layered measures such as a closed path plus encryption (VPN over Direct Connect or MACsec) are also possible.

Regular transfer of large amounts of data and DR measures

With its three features of high bandwidth, stability, and low latency, it is ideal for moving large amounts of data and for regular replication.

  • Regular transfer of business system logs and backup data

  • Disaster recovery data replication between distant regions

  • Real-time processing of large volumes of video, audio, and media data

It is possible to maintain quality even with data communications at levels that cannot be handled via the regular Internet.

Suitable use cases

Direct Connect is not required for all AWS customers, but it offers advantages that are difficult to replace with other connection methods for certain requirements and industries.

Migrating core systems to AWS

When migrating business systems or internal mission-critical systems to AWS, stable communication, low latency, and high availability are essential. Direct Connect meets these requirements, making it the preferred choice in the following environments:

  • A configuration in which an on-premises database and a system on AWS are linked

  • A system in which the response speed of user operations is directly linked to the quality of work

  • A business infrastructure that requires stable operation 24 hours a day, 365 days a year

Data Center Collaboration

It is suitable for connecting existing on-premises data centers with AWS to create a hybrid cloud configuration.

  • Configuration for load balancing/backup between on-premise and AWS

  • Internal infrastructure that assumes integration with AD, file servers, etc.

  • Non-disruptive system migration between on-premise DC and AWS

In such cases, where continuous communication quality is required, Direct Connect is more suitable than VPN.

Utilizing large amounts of data in the video distribution/media industry

If your work involves sending and receiving large files, such as video, audio, and 3D data, in real time, or processing them, you need a stable, broadband connection.

  • Broadcasters and production companies uploading video materials to AWS

  • High-definition video transmission and processing for streaming services

  • AWS cloud rendering processing in the CG/VFX production process

In these industries, even a temporary disruption in communications can have a major impact on business operations, making stable connections via Direct Connect an almost essential requirement.

Meeting closed network requirements for financial institutions and regulated industries

In highly regulated industries such as finance, healthcare, and the public sector, a "closed network connection that does not go through the Internet" may be a security requirement.

  • Communication routes that comply with guidelines such as FISC and NISC are required

  • It is necessary to minimize the risk of external communication routes

  • There are legal restrictions on the handling of customer data and sensitive information

Direct Connect makes it easy to create a configuration that meets these requirements, enabling you to create an infrastructure design that can withstand third-party reviews and audits.

Direct Connect pricing and cost estimates

Direct Connect fees are not simply a fixed monthly fee, but are comprised of multiple components such as port usage fees, data transfer volume, and line provider fees. We will summarize the basic fee structure and estimated costs for each usage scale.

Direct Connect fee components

Unlike standard AWS services, this service consists of multiple cost elements. When considering implementation, you need to be aware of the following costs that will be incurred depending on the configuration.

Port fee (fixed monthly fee)

A fixed monthly fee is charged per port bandwidth for the Direct Connect port provided by AWS (it is billed per port-hour, so the monthly figure varies slightly with the number of hours in the month). Reference figures for the Tokyo region:

Bandwidth   Monthly port fee (reference, USD; 1 USD = 150 JPY assumed)
1 Gbps      approx. $200 to $270
10 Gbps     approx. $1,670 to $2,000
100 Gbps    inquire (restrictions apply)

*Prices vary by region, exchange rate and terms of service; refer to the official pricing page for current figures.

Data transfer charges

Outbound traffic (AWS to on-premises) is charged per GB transferred at the Direct Connect data transfer rate, which is lower than the Internet egress rate; inbound traffic (on-premises to AWS) is free. Reference values (Tokyo region):

  • First 10TB: $0.0491/GB

  • 10-50TB: $0.0480/GB

  • More than 50TB: $0.0469/GB

In configurations that send large amounts of data, this transfer fee can have a significant impact on monthly costs.

Partner line costs (if applicable)

If you contract an AWS-certified partner for the physical line from your site to the Direct Connect location, the partner charges for that line separately.

Pricing Features

  • Monthly fees typically range from about $270 to $1,000

  • Varies depending on service area, bandwidth, and whether or not redundant configuration is used

  • Construction and setup fees may be required at the beginning of implementation

These fees are not billed by AWS; the contract and payment are made directly with the network operator. If you use partner lines at several sites, the cost scales with the number of sites.

Cost simulation example

We will simulate the estimated monthly cost of Direct Connect for each expected usage scale. Actual charges will vary depending on the line provider, configuration, and usage, so please use this as a reference value only during the initial consideration.

Small-scale use cases

Assumed scenario: One location, mainly for communication with backup and verification environments. Single connection with a partner line at 1 Gbps bandwidth.

✔ Although it is more expensive than VPN, it is a realistic option if you have requirements for regular backups or a closed network.

Medium Use Case

Assumed scenario: Business system connected to multiple VPCs, data transmission rate of approximately 10TB/month. Redundant configuration (1Gbps x 2) + Direct Connect Gateway configuration.

✔ Designed to withstand cloud integration with business systems and internal infrastructure, ensuring stability that is commensurate with the cost.

Large-scale use cases

Assumed scenario: Video distribution, large-volume data processing, DR configuration, etc. Broadband of 10Gbps or more + Transit Gateway + multiple-site connection.

✔ Configuration for industries and applications that require stability and throughput for large-scale operations.
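Worked estimate for the three scenarios, as an added example that is not part of the article or an AWS tool. Port and transfer rates are the reference values quoted in this article for the Tokyo region (lower end of each port-fee range); the partner line fees, the monthly outbound volumes and the use of 1 TB = 1024 GB are assumptions. Direct Connect Gateway has no charge of its own, but Transit Gateway attachment and data-processing charges are not included.

```python
"""Monthly cost estimate for the three sizing scenarios in the article.
Added example, not Serverworks or AWS pricing tooling.  Port and transfer
rates are the reference values quoted in the article (Tokyo region); partner
line fees and transfer volumes per scenario are assumptions.  Transit
Gateway charges (attachment hours, data processing) are not included."""

GB_PER_TB = 1024  # assumption: tiers counted in binary TB

# Outbound (AWS -> on-premises) transfer tiers, USD per GB, as quoted above.
TRANSFER_TIERS = [
    (10 * GB_PER_TB, 0.0491),   # first 10 TB
    (40 * GB_PER_TB, 0.0480),   # next 40 TB (10-50 TB)
    (float("inf"), 0.0469),     # above 50 TB
]

# Lower end of the monthly port-fee ranges quoted in the table above.
PORT_FEE = {"1G": 200.0, "10G": 1670.0}


def outbound_cost(gb):
    """Tiered data-transfer-out charge for `gb` gigabytes in one month."""
    cost, remaining = 0.0, gb
    for tier_size, rate in TRANSFER_TIERS:
        chunk = min(remaining, tier_size)
        cost += chunk * rate
        remaining -= chunk
        if remaining <= 0:
            break
    return cost


def monthly_cost(port_speed, ports, partner_fee_per_line, outbound_gb):
    """Port fees + one partner line fee per connection + transfer out."""
    return (ports * PORT_FEE[port_speed]
            + ports * partner_fee_per_line
            + outbound_cost(outbound_gb))


def scenario_costs():
    """The three scenarios from the article with assumed volumes and fees."""
    return {
        # single 1G partner line, ~2 TB/month of backups pulled back on-prem
        "small": monthly_cost("1G", 1, 270.0, 2 * GB_PER_TB),
        # redundant 1G x2 + DXGW, ~10 TB/month of business-system traffic
        "medium": monthly_cost("1G", 2, 270.0, 10 * GB_PER_TB),
        # redundant 10G x2 + TGW, ~60 TB/month of media / DR replication
        "large": monthly_cost("10G", 2, 1000.0, 60 * GB_PER_TB),
    }


if __name__ == "__main__":
    for name, usd in scenario_costs().items():
        print(f"{name:7s} approx. ${usd:,.2f} / month  (≈ ¥{usd * 150:,.0f})")
```

The transfer tiers are applied cumulatively within the month, which is why the large scenario's 60 TB is split across all three rates; the partner fee is charged once per physical line, so a redundant design doubles it.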

Important points to note when installing

When implementing Direct Connect, there are some points that need to be considered in advance, such as circuit arrangements, design constraints, and ensuring availability. This section summarizes common issues and points to note when implementing Direct Connect.

Lead time until implementation

Unlike VPNs, which can be used immediately via the Internet, Direct Connect requires the procurement and configuration of physical lines, so it takes a certain amount of time to implement.

In some cases, the lead time may take more than one to two months due to factors such as the following:

  • Arrangements and construction of dedicated lines by telecommunications carriers (adjustments may be required depending on the location of the base and the equipment status)

  • Availability of AWS connection points (locations) (waiting due to port congestion)

  • Adjusting cross-connects (physical connections within a DC)

  • Coordination process for internal approval, security review, BGP design, etc.

When considering the implementation schedule, you need to plan for a lead time of at least one month, including verification and connection testing.

Redundant configuration recommended

Direct Connect can be used with a single connection, but there is a risk of complete communication interruption in the event of a physical or network failure. A single configuration is not recommended for production environments or mission-critical systems.

AWS recommends dual connections (redundant configuration) to different locations and devices when using it for production purposes. The typical concept of redundant configuration is as follows:

  • Have two separate Direct Connect circuits

  • Use different locations and AWS-side connected devices

  • Design an active/standby or active/active configuration for BGP

Even if one circuit fails or is under maintenance, communication continuity and business availability are preserved. When designing cloud connectivity, treat redundancy as a design requirement and an insurance policy rather than as an optional cost.

AWS and network design perspectives

When implementing Direct Connect, the network design on the AWS side and on-premises side must be properly coordinated. There are two technical aspects to consider:

BGP design/bandwidth design

Direct Connect uses BGP (Border Gateway Protocol) for routing between AWS and on-premises. When configuring redundancy or failover, you need to pay attention to the following points:

  • Active/active bandwidth allocation and routing

  • Priority control through BGP attributes (local preference on the on-premises side, AS path prepending or the AWS local-preference communities toward AWS) in an active/standby configuration

  • Bandwidth design based on estimated communication volume (1Gbps/10Gbps)

  • Traffic visualization and monitoring design using CloudWatch

Redundancy and performance can vary greatly depending on the BGP design, so it is essential to identify communication requirements in advance and clarify path control policies.
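As an added example (not code from the article or from AWS), the following Python models the simplified BGP decision that sits behind the active/standby and active/active choices above. The VIF names, ASNs and prefixes are constructed; the communities 7224:7100, 7224:7200 and 7224:7300 are the local-preference communities AWS honours on private and transit VIFs. The on-premises router tags its advertisement on the primary VIF with the high-preference community so that AWS prefers it, and applies its own local preference to the primary session for the return direction; removing the tags shows the equal-cost (active/active) result.

```python
"""Simplified BGP best-path selection for an active/standby or active/active
Direct Connect design.  Added example for this article, not AWS or router
vendor code; VIF names, ASNs and prefixes are constructed for illustration."""

from dataclasses import dataclass
from typing import Optional, Tuple

# Local-preference communities that AWS honours on private and transit VIFs.
AWS_LOCAL_PREF_COMMUNITY = {
    "7224:7100": 100,  # low preference
    "7224:7200": 200,  # medium preference
    "7224:7300": 300,  # high preference
}
DEFAULT_LOCAL_PREF = 100  # assumed value for a route carrying no community


@dataclass(frozen=True)
class Path:
    prefix: str
    session: str                      # VIF / BGP session the route came in on
    as_path: Tuple[str, ...]
    med: int = 0
    communities: Tuple[str, ...] = ()
    local_pref: Optional[int] = None  # set by the receiving router's policy
    up: bool = True                   # False once the session has gone down

    def effective_local_pref(self) -> int:
        if self.local_pref is not None:
            return self.local_pref
        for c in self.communities:
            if c in AWS_LOCAL_PREF_COMMUNITY:
                return AWS_LOCAL_PREF_COMMUNITY[c]
        return DEFAULT_LOCAL_PREF


def best_sessions(paths, prefix):
    """Sessions whose path for `prefix` wins the simplified BGP decision:
    highest local preference, then shortest AS path, then lowest MED.
    Several sessions are returned when they tie (equal-cost multipath, the
    active/active case); an empty list means the prefix is unreachable
    because every session carrying it is down."""
    candidates = [p for p in paths if p.prefix == prefix and p.up]
    if not candidates:
        return []

    def rank(p):
        return (-p.effective_local_pref(), len(p.as_path), p.med)

    best = min(rank(p) for p in candidates)
    return sorted(p.session for p in candidates if rank(p) == best)


def aws_view(primary_up=True, active_standby=True):
    """Which VIF the AWS side uses to reach the on-premises prefix.
    On-premises tags the primary VIF advertisement 7224:7300 and the
    standby VIF advertisement 7224:7100; with no tags AWS sees a tie."""
    primary_tag = ("7224:7300",) if active_standby else ()
    standby_tag = ("7224:7100",) if active_standby else ()
    paths = [
        Path("10.0.0.0/16", "vif-primary", ("65000",),
             communities=primary_tag, up=primary_up),
        Path("10.0.0.0/16", "vif-standby", ("65000",), communities=standby_tag),
    ]
    return best_sessions(paths, "10.0.0.0/16")


def onprem_view(primary_up=True, active_standby=True):
    """Which VIF the on-premises router uses to reach the VPC CIDR.
    AWS advertises the VPC CIDR with identical attributes on both VIFs, so
    the preference must come from the router's own inbound policy."""
    primary_pref = 200 if active_standby else None
    paths = [
        Path("172.16.0.0/16", "vif-primary", ("64512",),
             local_pref=primary_pref, up=primary_up),
        Path("172.16.0.0/16", "vif-standby", ("64512",)),
    ]
    return best_sessions(paths, "172.16.0.0/16")


if __name__ == "__main__":
    print("AWS -> on-prem, normal:        ", aws_view())
    print("AWS -> on-prem, primary down:  ", aws_view(primary_up=False))
    print("AWS -> on-prem, active/active: ", aws_view(active_standby=False))
    print("on-prem -> AWS, normal:        ", onprem_view())
    print("on-prem -> AWS, primary down:  ", onprem_view(primary_up=False))
```

The two directions are steered separately: the communities influence what AWS does with your prefixes, while the return path is decided by your router's inbound policy. A failover test should therefore take the primary BGP session down and confirm that both views move to the standby VIF, not just one of them.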

Consistency with VPC connection design

A VIF does not attach directly to a VPC; it terminates on a gateway (a virtual private gateway, or a Direct Connect Gateway with a VGW or Transit Gateway behind it), and the VPC is reached through that gateway. Please note the following points.

  • Private VIF / public VIF / transit VIF selection

  • Associating the VPC's virtual private gateway (VGW) or Transit Gateway (TGW) with the VIF or with the Direct Connect Gateway, including the allowed prefixes on the association

  • Route table consistency across VPCs, including enabling route propagation from the VGW so that on-premises prefixes actually appear in the VPC route tables

  • Risk of communication failure due to incomplete security group or NACL settings, even when the BGP session is up

If the design is not consistent, there are many cases where traffic does not flow even though the connection and the BGP session come up. Manage the whole configuration, not just the Direct Connect side but also the VPC design.
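The consistency points above can be turned into a pre-flight check before the circuit is ordered. The following Python is an added example (not AWS tooling); the design dictionary layout and the two sample designs are constructed, while the rules it encodes are AWS behaviour: a transit VIF needs a Direct Connect Gateway with a Transit Gateway behind it, VGW-learned routes reach VPC route tables only with route propagation enabled, the Transit Gateway and Direct Connect Gateway ASNs must differ, more than 100 prefixes over a private or transit VIF takes the BGP session down, and only the allowed prefixes on a DXGW association are advertised to on-premises.

```python
"""Pre-flight consistency checks for a Direct Connect attachment design.
Added example for this article, not AWS tooling; the design dictionary
layout and the sample designs below are constructed for illustration."""

from ipaddress import ip_network

MAX_PREFIXES_PER_SESSION = 100   # AWS quota for private and transit VIFs


def check_design(d):
    """Return a list of findings (an empty list means nothing was found).

    Expected keys (layout assumed by this example):
      vif_type: "private" | "transit" | "public"
      gateway:  "vgw" | "dxgw"              what the VIF terminates on
      tgw_asn:  int or None                 only for DXGW + Transit Gateway
      customer_asn, amazon_asn: int         BGP ASNs on the session
      route_propagation: bool               VGW -> VPC route tables enabled
      advertised_prefixes: list of CIDRs    on-premises -> AWS
      allowed_prefixes: list of CIDRs       DXGW association, AWS -> on-prem
      vpc_cidrs: list of CIDRs              VPCs that must be reachable
    """
    f = []
    vif, gw = d["vif_type"], d["gateway"]

    # VIF type must match the gateway it terminates on.
    if vif == "private" and gw not in ("vgw", "dxgw"):
        f.append("a private VIF must terminate on a VGW or a Direct Connect Gateway")
    if vif == "transit" and (gw != "dxgw" or not d.get("tgw_asn")):
        f.append("a transit VIF terminates on a Direct Connect Gateway that is "
                 "associated with a Transit Gateway")
    if vif == "public":
        f.append("a public VIF reaches AWS public endpoints only; it does not "
                 "give access to VPC address space")

    # The session is eBGP; the TGW and DXGW are separate BGP speakers too.
    if d["customer_asn"] == d["amazon_asn"]:
        f.append("customer and Amazon-side ASNs must differ (the session is eBGP)")
    if gw == "dxgw" and d.get("tgw_asn") == d["amazon_asn"]:
        f.append("the Transit Gateway ASN must differ from the Direct Connect Gateway ASN")

    # Routes learned on a VGW only reach VPC route tables via propagation.
    if gw == "vgw" and not d.get("route_propagation", False):
        f.append("enable route propagation from the VGW, or on-premises prefixes "
                 "will never appear in the VPC route tables")

    adv = [ip_network(p) for p in d["advertised_prefixes"]]
    vpcs = [ip_network(p) for p in d["vpc_cidrs"]]
    if len(adv) > MAX_PREFIXES_PER_SESSION:
        f.append(f"{len(adv)} prefixes advertised; more than "
                 f"{MAX_PREFIXES_PER_SESSION} takes the BGP session down")
    for a in adv:
        for v in vpcs:
            if a.overlaps(v):
                f.append(f"on-premises prefix {a} overlaps VPC CIDR {v}")

    # With a DXGW, only the allowed prefixes are advertised to on-premises.
    if gw == "dxgw":
        allowed = [ip_network(p) for p in d.get("allowed_prefixes", [])]
        for v in vpcs:
            if not any(v.subnet_of(a) for a in allowed):
                f.append(f"VPC CIDR {v} is not covered by the DXGW allowed prefixes, "
                         "so on-premises will not learn a route to it")
    return f


# Constructed sample designs (not real environments).
GOOD_DESIGN = {
    "vif_type": "transit", "gateway": "dxgw", "tgw_asn": 64513,
    "customer_asn": 65000, "amazon_asn": 64512, "route_propagation": False,
    "advertised_prefixes": ["10.0.0.0/16"],
    "allowed_prefixes": ["172.16.0.0/12"],
    "vpc_cidrs": ["172.16.0.0/16", "172.17.0.0/16"],
}
BAD_DESIGN = {
    "vif_type": "private", "gateway": "vgw", "tgw_asn": None,
    "customer_asn": 64512, "amazon_asn": 64512, "route_propagation": False,
    "advertised_prefixes": ["10.0.0.0/8"],
    "allowed_prefixes": [],
    "vpc_cidrs": ["10.20.0.0/16"],
}

if __name__ == "__main__":
    for name, design in (("good", GOOD_DESIGN), ("bad", BAD_DESIGN)):
        print(name, check_design(design) or ["no findings"])
```

The overlap check is the one most often missed: an on-premises aggregate such as 10.0.0.0/8 that covers a VPC CIDR produces a BGP session that is up and a VPC that is unreachable from half of the network, with nothing in the Direct Connect console to show for it.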


Author: Kazuki Kato

Serverworks Co., Ltd., Marketing Department, Marketing Section 1. After working as a sales representative for an independent ISP and an SIer, optimizing customer systems and networks, he joined Serverworks. Since joining, he has worked on a development standardization project for an electric power carrier and proposed and implemented an in-station reading system for a railway operator. He is currently in charge of event marketing and inside sales. His hobby is washing cars. AWS Certified Database – Specialty (DBS).
