April 23, 2016

AWS – Direct Connect

Some Internet Service Providers can connect your on premise devices directly to aws AZ without being rerouted via the rest of the internet.


You can find all my latest posts on medium.
  • this results in faster connection
  • more stable connection
  • reduced latency
  • No need to go via the public internet
  • better security
  • No need to have any special hardware on-site
  • aws charges less for data traffic going to from aws via direct connect, rather than via the internet
  • It gives you dedicated private network connection. I.e. you can connect to your ec2 instances via it’s private ip addresses. Previously we saw that this is possible by setting up vpn, however with Direct Connect, you don’t need to set up connection. This is achieved by your onsite devices connecting to your vpc via a Virtual Gateway that’s attached to your vpc. To achieve this you need to setup Virtual Interfaces (vifs) on your onsite devices.


private virtual interface: this is something that has to be attached to your vpc to enable direct connect connections to your ec2 instances using private ip addresses. you can think of ec2 private ip addresses as private endpoints. Each vpc must have it’s own vif in order to connect to it via direct connect.

However some aws services, e.g. rds and s3 by default ┬áhave public endpoints. So you can’t using private vifs with things like S3. Theres 2 ways to overcome this:

  • you can actually set up private endpoints for these aws services, which will then make it possible to continue using private vifs
  • Use “Public VIFS”, this is essentially private vifs except some extra rerouting is done on the AWS region side to reroute the traffic from aws direct connect, to the public endpoints.

You can also attach Public VIFS to your vpc too. This would then let you access your ec2 instances via their public ip addresses too, but still going through via direct connect.

public VIFS makes use of public CIDR block range, but traffic is still routed via dedicated network and hardware, due to direct connect.


In order to use direct connect, your ISP needs to establish a connection from your site to it’s internal traffic network. This connection is referred to as a cross-connect, aka cross network connection.


Direct Connect, by design, can only connect to a single AWS region.