AWS Direct Connect is an Amazon Web Services service that allows you to establish a dedicated network connection between your local infrastructure (on-premises, data center, office, private cloud) and the AWS infrastructure.
Unlike connections over the public internet, Direct Connect uses private network links, which provides more predictable latency, stable bandwidth, and greater control over network traffic.
The core idea of AWS Direct Connect is to bypass the public internet when transferring data between your network and AWS. Traffic travels over a provider’s private network and then across the global AWS backbone.
How AWS Direct Connect Works: High-Level Overview
At a high level, AWS Direct Connect works as follows:
- The customer network connects to an AWS Direct Connect point of presence (Direct Connect location).
- At this location, a physical connection (cross-connect) is established between the customer’s or provider’s equipment and AWS routers.
- Traffic then enters the AWS internal network and is routed to the required region or service.
From a networking perspective, Direct Connect is a private Layer 2 / Layer 3 link with routing configured over BGP. It is not a tunnel and not a VPN — it is a physical or logically dedicated connection.
It is important to understand that AWS Direct Connect does not connect you directly to a VPC “by default”. It provides a physical link, while access to specific AWS resources is delivered through virtual interfaces (VIFs).
AWS Direct Connect Architecture
The AWS Direct Connect architecture consists of several key components, each playing a specific role in traffic delivery.
Customer Network
This is your local network, which may include:
- a corporate data center
- an office network
- a private cloud
- infrastructure hosted by a colocation provider
On the customer side, a dedicated router is typically used, supporting BGP and the required port speeds.
Direct Connect Location
A Direct Connect location is a specialized facility (most often an AWS partner data center) where AWS Direct Connect network equipment is installed.
This is where:
- the physical connection is established
- the cross-connect is configured
- the private path to the AWS backbone begins
Important: a Direct Connect location is not the same as an AWS Region. It is a separate entry point into the AWS network.
AWS Backbone Network
Once traffic reaches a Direct Connect location, it is carried over the global private AWS network. This backbone interconnects AWS Regions and provides:
- low latency
- predictable routing
- isolation from the public internet
Virtual Interfaces (VIF)
A Virtual Interface is a logical interface built on top of a physical Direct Connect connection. VIFs define:
- where traffic is allowed to flow
- which AWS services are accessible
- which routing model is used
Without a VIF, a physical Direct Connect connection does not carry traffic.
Types of AWS Direct Connect Connections
AWS Direct Connect supports several connection options that differ in terms of control, scalability, and responsibility for the underlying infrastructure.
Dedicated Connection
A dedicated connection is a physically dedicated port provided directly by AWS.
Key characteristics:
- the port is fully allocated to a single customer
- fixed bandwidth
- maximum control over the connection
- used for mission-critical and high-throughput scenarios
This type of connection is most commonly selected by large organizations with their own networking teams and equipment deployed in a Direct Connect location data center.
Hosted Connection
A hosted connection is provided through an AWS Direct Connect partner. The physical port belongs to the provider, while the customer receives a logically dedicated connection.
Key features:
- faster provisioning
- fewer requirements for customer-owned infrastructure
- flexible scalability
This option is often used by companies that need Direct Connect without complex physical integration.
Partner-Provided Connection
In this model, the provider fully handles:
- the physical connection
- interaction with AWS
- delivering traffic to the customer’s infrastructure
From the customer’s perspective, Direct Connect is consumed as a managed service with minimal involvement in the networking layer.
Virtual Interfaces Explained
A Virtual Interface (VIF) is a logical channel built on top of a physical Direct Connect connection. A single physical port can support multiple VIFs, each used for different purposes.
Private Virtual Interface
A private VIF is used to connect to:
- VPCs
- internal AWS resources using private IP addressing
Key characteristics:
- traffic does not traverse the public internet
- commonly used for hybrid cloud scenarios
- routing is implemented using BGP and a private ASN
Private VIF is the most common option for enterprise environments.
Public Virtual Interface
A public VIF provides access to public AWS services such as:
- Amazon S3
- DynamoDB
- other public AWS endpoints
Although these services use public IP addresses, traffic sent over a public VIF does not traverse the internet and remains within the AWS network.
Transit Virtual Interface
A transit VIF is used in conjunction with AWS Transit Gateway.
It enables:
- connecting multiple VPCs and on-premises networks through a single Direct Connect connection
- building scalable hub-and-spoke architectures
- centralized routing
Transit VIF is particularly relevant for complex enterprise networks spanning multiple AWS Regions and accounts.
Network Flow: How Traffic Moves Through AWS Direct Connect
To understand how AWS Direct Connect works in practice, it is important to look at the traffic path step by step.
- Traffic leaves the customer network and is sent to the router connected to Direct Connect.
- Through a physical or logically dedicated connection, it reaches the Direct Connect location.
- At the Direct Connect location, traffic is handed off to AWS routers.
- The data then travels across the global AWS backbone.
- Depending on the type of VIF, traffic is delivered:
- to a specific VPC
- to AWS Transit Gateway
- to public AWS services
Throughout this entire path, traffic does not use the public internet, which ensures stable and predictable connectivity.
Security and Reliability
AWS Direct Connect was designed from the outset as a private network connection, which already provides a higher level of isolation compared to internet-based connectivity. However, security and resiliency depend not only on the service itself but also on architectural decisions made on the customer side.
From a security perspective:
- traffic is transmitted over private links and is not routed through the public internet
- routing control is implemented using BGP
- additional encryption can be applied at the application or network protocol level when required
It is important to note that AWS Direct Connect does not include mandatory encryption by default, unlike VPN. This is a deliberate architectural choice focused on performance and predictability. In environments with stricter data protection requirements, encryption is typically implemented on top of Direct Connect.
From a resiliency perspective, AWS recommends:
- using at least two connections
- placing them in different Direct Connect locations
- combining Direct Connect with a VPN as a backup path
This type of architecture helps ensure high availability even in the event of a failure of an individual link or facility.
AWS Direct Connect Pricing Basics
The AWS Direct Connect pricing model is based on the use of network infrastructure rather than the number of connected resources.
The main cost components include:
- charges for Direct Connect port usage
- charges for outbound data transfer from AWS
- potential costs for provider services and cross-connects
In many cases, Direct Connect can reduce data transfer costs compared to using the public internet, especially for high traffic volumes.
Actual costs depend on:
- the AWS Region
- the selected connection type
- traffic volume
- network architecture
Key Takeaways
AWS Direct Connect is a service for building private, predictable, and scalable connectivity between local infrastructure and AWS.
Key points:
- Direct Connect uses private links instead of the public internet
- access to AWS is delivered through virtual interfaces
- multiple connection types and architectures are supported
The service is particularly effective for hybrid cloud and high-throughput scenarios, and achieving high reliability requires a well-designed redundant architecture.
