Encryption for Direct Connect
2h 40m

In this section of the AWS Certified Advanced Networking - Specialty learning path, we introduce you to the various tools, technologies, and services used to connect on-premises environments to the AWS Cloud, including Direct Connect and VPNs.

Learning Objectives

  • Identify and describe how Direct Connect and VPNs are used to connect on-premises environments to the AWS Cloud
  • Describe advanced AWS Direct Connect connectivity scenarios, including when to leverage Public, Private, and Transit Virtual Interfaces (VIFs)
  • Understand routing fundamentals for static and dynamic routing in AWS along with industry-standard routing protocols such as Border Gateway Protocol (BGP)
  • Describe how to use encryption to secure traffic as it travels across VPNs and Direct Connect connections


The AWS Certified Advanced Networking - Specialty certification has been designed for anyone with experience designing, implementing, and operating complex AWS and hybrid networking architectures. Ideally, you’ll also have some exposure to the nuances of AWS networking, particularly regarding the integration of AWS services and AWS security best practices. Many exam questions will require advanced level knowledge of many AWS services, including AWS networking services. The AWS Cloud concepts introduced in this course will be explained and reinforced from the ground up.


In this lesson, we will discuss encryption when using an AWS Direct Connect connection. I think the first thing to remind ourselves of is that, unlike Site-to-Site VPN connections, Direct Connect connections do not encrypt traffic by default. If we wish to encrypt traffic traveling across the Direct Connect connection, we must either use MAC Security (MACsec) or enable a VPN connection over the Direct Connect connection. MACsec provides confidentiality, integrity, and origin authenticity. MACsec is only available for Direct Connect dedicated connections, not hosted connections, and the Direct Connect connection must be either a 10 Gbps or a 100 Gbps connection. MACsec is not available for 1 Gbps Direct Connect connections. You will need a device on-premises that supports MACsec, and your last-mile provider must also support MACsec.

MACsec works at layer two and is performed in hardware, which offers near line-rate speeds. When we compare MACsec to IPsec, for example, MACsec encrypts data faster. Also, MACsec makes the full 10 Gbps or 100 Gbps of bandwidth available for your Direct Connect virtual interfaces, whereas with a Site-to-Site VPN you are limited to the 1.25 Gbps maximum bandwidth of a single VPN tunnel. As part of your Direct Connect connection, you configure virtual interfaces. There are several types of virtual interfaces, for example private virtual interfaces that connect you to VPCs, and public virtual interfaces that connect you to AWS public endpoints. In order to create an AWS-managed VPN connection over a Direct Connect connection, you need to use public VIFs, so that you can reach AWS public endpoints across your Direct Connect connection.

Then you create a VPN connection with your AWS virtual private gateway or transit gateway, routing traffic towards those gateways across your Direct Connect connection. By combining both Direct Connect and AWS-managed Site-to-Site VPNs, you get the benefits of the security of the IPsec connection together with the low latency and increased bandwidth of AWS Direct Connect. To create a VPN over our Direct Connect connection, we create our Direct Connect connection and then create a public virtual interface. When you create your public VIF, you specify the prefixes you want to advertise to AWS. These must include your customer gateway's public IP address as well as any other network prefixes you wish to advertise to AWS. AWS will advertise all AWS public IP prefixes to you from every AWS Region except China. After this step, you can create a new VPN connection. This connection will be between your customer gateway and the public VPN endpoints provisioned for your connection, and it is configured in the same way as a Site-to-Site VPN that uses the internet.
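The two encryption options above each come with preconditions that are easy to get wrong during design: MACsec needs a dedicated 10 or 100 Gbps connection plus MACsec-capable on-premises and last-mile equipment, and a VPN over a public VIF only works if the prefixes you advertise actually contain your customer gateway's public IP. The following pre-flight validator is an added example, not code from the course or from AWS. It encodes only the requirements stated in this lesson and runs offline against a constructed design; the `DirectConnectDesign` field names, the function names and the sample addresses (taken from the RFC 5737 documentation ranges) are assumptions for illustration.

```python
"""Offline pre-flight checks for encrypting traffic over AWS Direct Connect.

Added example (not from the course or AWS). Field names, function names and
sample addresses are illustrative assumptions; the rules themselves are the
ones the lesson states.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

VPN_TUNNEL_MAX_GBPS = 1.25          # per-tunnel limit for a Site-to-Site VPN
MACSEC_BANDWIDTHS_GBPS = {10, 100}  # MACsec is not offered on 1 Gbps links

# RFC 1918 ranges: a customer gateway for a VPN over a public VIF must not be one of these.
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class DirectConnectDesign:
    connection_type: str                     # "dedicated" or "hosted"
    bandwidth_gbps: float
    customer_gateway_ip: str                 # public IP of the on-premises VPN device
    advertised_prefixes: List[str] = field(default_factory=list)  # prefixes on the public VIF
    device_supports_macsec: bool = False
    provider_supports_macsec: bool = False


def macsec_eligible(d: DirectConnectDesign) -> Tuple[bool, List[str]]:
    """Return (eligible, reasons) according to the lesson's MACsec requirements."""
    reasons = []
    if d.connection_type != "dedicated":
        reasons.append("MACsec requires a dedicated connection, not a hosted one")
    if d.bandwidth_gbps not in MACSEC_BANDWIDTHS_GBPS:
        reasons.append("MACsec requires a 10 Gbps or 100 Gbps connection")
    if not d.device_supports_macsec:
        reasons.append("the on-premises device must support MACsec")
    if not d.provider_supports_macsec:
        reasons.append("the last-mile provider must support MACsec")
    return (not reasons, reasons)


def public_vif_covers_cgw(d: DirectConnectDesign) -> bool:
    """True if the public VIF advertises a prefix containing the customer gateway's
    public IP; without that, AWS has no route back to the VPN endpoint over Direct Connect."""
    cgw = ipaddress.ip_address(d.customer_gateway_ip)
    if any(cgw in net for net in _RFC1918):
        return False  # a private address cannot be the endpoint of a VPN over a public VIF
    return any(cgw in ipaddress.ip_network(p, strict=False) for p in d.advertised_prefixes)


def vpn_bandwidth_warning(d: DirectConnectDesign) -> Optional[str]:
    """Warn when an IPsec tunnel would leave most of a faster link unused."""
    if d.bandwidth_gbps > VPN_TUNNEL_MAX_GBPS:
        return (f"a single VPN tunnel carries at most {VPN_TUNNEL_MAX_GBPS} Gbps of the "
                f"{d.bandwidth_gbps} Gbps connection; consider MACsec for full line rate")
    return None


def preflight(d: DirectConnectDesign) -> dict:
    """Collect all checks into one report a reviewer can act on."""
    ok, reasons = macsec_eligible(d)
    return {
        "macsec_eligible": ok,
        "macsec_blockers": reasons,
        "vpn_over_public_vif_routable": public_vif_covers_cgw(d),
        "vpn_bandwidth_warning": vpn_bandwidth_warning(d),
    }


if __name__ == "__main__":
    # Constructed sample design: dedicated 10 Gbps link, CGW inside an advertised prefix.
    sample = DirectConnectDesign(
        connection_type="dedicated",
        bandwidth_gbps=10,
        customer_gateway_ip="203.0.113.10",
        advertised_prefixes=["203.0.113.0/24", "198.51.100.0/24"],
        device_supports_macsec=True,
        provider_supports_macsec=True,
    )
    for key, value in preflight(sample).items():
        print(f"{key}: {value}")
```

Run it as a script to print the report for the constructed design, or import `preflight` and feed it the parameters of a real design before raising the Direct Connect order. The prefix check uses `strict=False` so an operator-supplied address such as `203.0.113.10/24` is accepted as the network it belongs to rather than rejected.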


About the Author

Jeremy is a Content Lead Architect and DevOps SME here at Cloud Academy where he specializes in developing DevOps technical training documentation.

He has a strong background in software engineering, and has been coding with various languages, frameworks, and systems for the past 25+ years. In recent times, Jeremy has been focused on DevOps, Cloud (AWS, Azure, GCP), Security, Kubernetes, and Machine Learning.

Jeremy holds professional certifications for AWS, Azure, GCP, Terraform, Kubernetes (CKA, CKAD, CKS).