In this lesson, we will discuss encryption when using an AWS Direct Connect connection. I think the first thing to remind ourselves of is, unlike Site-to-Site VPN connections, Direct Connect connections do not encrypt traffic by default. If we wish to encrypt traffic traveling across the Direct Connect connection, we must either use MAC security, (MACsec), or enable a VPN connection over the Direct Connect connection. MACsec provides: confidentiality, integrity, and origin authenticity. MACsec is only available for Direct Connect dedicated connections, not hosted connections. And the Direct Connect connection must be either a 10 Gbps per second or 100 Gbps per second connection. MACsec is not available for 1 Gbp per second Direct Connect connections. You will need a device on-premises that supports MACsec, and your last mile provider must also support MACsec.

MACsec works at layer two, and is performed through hardware, which offers near line rate speeds. When we compare MACsec to IPsec, for example, MACsec encrypts data faster. Also, MACsec makes the full 10 Gbps per second or 100 Gbps per second of bandwidth available for your Direct Connect virtual interfaces. Whereas with the Site-to-Site VPN, you are limited to the 1.25 Gbps per second max bandwidth for a single VPN tunnel. As part of your Direct Connect connection, you configure virtual interfaces. There are several types of virtual interfaces, for example: Private virtual interfaces that connect you to VPCs, and Public virtual interfaces that connect you to AWS public endpoints. In order to create an address managed VPN connection over a Direct Connect connection, you need to use Public VIFs, so that you can connect AWS public endpoints across your Direct Connect connection.

Then you create a VPN connection with your AWS virtual private gateway or transit gateway, routing traffic towards those gateways across your Direct Connect connection. By combining both Direct Connect and AWS-managed Site-to-Site VPNs, you get the benefits of the entrance security of the IPsec connection, with the low latency and increased bandwidth of AWS Direct Connect. To create a VPN over our Direct Connect connection, we create our Direct Connect connection and then create a Public Virtual Interface. When you create your Public VIFs, you specify the prefixes you want to advertise to AWS. This must include your customer gateway public IP address as well as any of the network prefixes you wish to advertise to AWS. AWS will advertise all AWS public IP prefixes to you from each address region except China. After this step, you can now create a new VPN connection. This connection will be between your customer gateway and the public VPN endpoints provisioned for your connection. Is configured to use the same configuration as a site-to-site VPN that uses the internet.