A Direct Connect (DX) is a physical connection between your network and AWS, either directly via a cross-connect and customer router at a DX location or via a DX partner.
Dedicated Connections are direct via AWS and use single-mode fiber, running either 1 Gbps using 1000BASE-LX or 10 Gbps using 10GBASE-LR.
Virtual interfaces (VIFs) run on top of a DX. Public VIFs can access only AWS public services such as S3. Private VIFs are used to connect into VPCs. DX is not highly available or encrypted.
Dedicated link from your internal network to AWS:
- Dedicated throughput
- Provide more consistent network performance
- Reduce bandwidth costs
- Private connection to AWS
- Elasticity and scaling – provision multiple 1 Gbps and 10 Gbps connections
For dedicated connections, DX requires single-mode fiber:
- 1 Gbps: 1000BASE-LX (1310 nm)
- 10 Gbps: 10GBASE-LR (1310 nm)
Best Practice:
- A private peered connection might not need extra security
- Check your organization’s requirements
- VPC networking (subnets, security groups, NACLs)
- Avoid VPN hardware that can’t support high data transfer rates (>4 Gbps)
- Note: Direct Connect (DX) is not highly available by default. It is recommended to use multiple DX connections in different AWS regions.
Choosing between Direct Connect (DX) and VPC VPN is a critical part of any connectivity-based exam question.
VPN
- Urgent need — can be deployed in minutes
- Cost constrained — cheap and economical
- Low end or consumer hardware — DX requires BGP
- Encryption required
- Flexibility to change locations
- Highly available options exist
- Short-term connectivity (DX generally has physical minimums due to the physical transit connections required) — not applicable if you are in a DX location because then it’s almost on demand
Direct Connect
- Higher throughput
- Consistent performance (throughput)
- Consistent low latency
- Large amounts of data — cheaper than VPN for higher volume
- No contention with existing internet connection
Both
- VPN as a cheaper HA option for DX
- VPN as an additional layer of HA (in addition to two DX)
- If some form of connectivity is needed immediately, VPN provides it before the DX connection is live
- Can be used to add encryption over the top of a DX (public VIF VPN)