Start course
2h 40m

In this section of the AWS Certified Advanced Networking - Specialty learning path, we introduce you to the various tools, technologies, and services used to connect on-premises environments to the AWS Cloud, including Direct Connect and VPNs.

Learning Objectives

  • Identify and describe how Direct Connect and VPNs are used to connect on-premises environments to the AWS Cloud
  • Describe advanced AWS Direct Connect connectivity scenarios, including when to leverage Public, Private, and Transit Virtual Interfaces (VIFs)
  • Understand routing fundamentals for static and dynamic routing in AWS along with industry-standard routing protocols such as Border Gateway Protocol (BGP)
  • Describe how to use encryption to secure traffic as it travels across VPNs and Direct Connect connections


The AWS Certified Advanced Networking - Specialty certification has been designed for anyone with experience designing, implementing, and operating complex AWS and hybrid networking architectures. Ideally, you’ll also have some exposure to the nuances of AWS networking, particularly regarding the integration of AWS services and AWS security best practices. Many exam questions will require advanced level knowledge of many AWS services, including AWS networking services. The AWS Cloud concepts introduced in this course will be explained and reinforced from the ground up.


Welcome to the final lecture of this course, where I will summarize the key points from the previous lectures. I begin by considering a common launch of a cloud journey. Organizations may start small using Amazon S3 buckets to extend backup repositories, but eventually most realize that to support production workloads on AWS, a connection will be required from their AWS VPC or VPCs to their on-prem data center. An IPSec VPN tunnel using either the AWS virtual private gateway or transit gateway service can be set up very quickly and easily to establish this connection. However, each VPN tunnel has a maximum achievable bandwidth of 1.25 gigabits per second, but perhaps more importantly, the VPN tunnel uses the public Internet, which can have unpredictable and inconsistent performance, potentially making the connection unusable for latency sensitive applications.

AWS Direct Connect provides an organization the means to overcome this challenge. AWS Direct Connect enables a low latency and high-speed connection to AWS services by bypassing the public Internet to establish a dedicated connection from your location to AWS. An AWS Direct Connect typically involves three entities: The customer's business location, which contains the customer manage router or firewall to be used in connecting to AWS via Direct Connect, the AWS region containing resources which will be accessed over the Direct Connect, and the Direct Connect or DX location. When you order a Direct Connect, you are ordering access to an AWS one gig, 10 gig, or 100 gig network port within a Direct Connect location. The DX location is a regional co-location facility in which AWS rents space and has deployed some number of AWS-managed routers to serve as direct connect endpoints.

The AWS Direct Connect endpoint is cross-connected to a customer or partner-owned and managed router once AWS has authorized the connection. As it relates to AWS Direct Connect prerequisites and options, we learned that AWS Direct Connect has specific needs that must be evaluated prior to ordering. The conditions a customer network must meet prior to ordering a Direct Connect are: One, Direct Connect requires the use of single mode fiber and transceivers based on connection speed. Two, in general, Auto-negotiation must be disabled and full duplex mode must be manually set for the ports used for AWS Direct Connect. Three, every device across the entire Direct Connect connection must support 802.1Q VLAN encapsulation. And four, the customer router serving as the Direct Connect termination point must support Border Gateway Protocol, BGP, and BGP MD5 authentication.

We also learn that Direct Connect supports asynchronous Bidirectional Forwarding Detection, or BFD. It supports both IP version 4 and IP version 6. And finally, we learned an Ethernet frame size of 1522 or 9023 bytes is supported, though you must ensure that all equipment across the entire Direct Connect connection supports the frame size you wish to implement. Finally, we look to answer the question, how much does AWS Direct Connect cost? We learned that the cost of AWS Direct Connect depends on two elements: port hours and data transfer out. Port hours represent the amount of time an AWS Direct Connect port has been provisioned for your use, even if no data is passing through the port. Data transfer out refers to the cumulative amount of data transferred through the AWS Direct Connect to destinations outside of AWS, and is charged per gigabyte.

That now brings me to the end of this lecture and to the end of this course. And so, you should now have a greater understanding of what challenge AWS Direct Connect solves, its architecture, requirements, and potential costs. Feedback on our courses here at Cloud Academy is valuable to both us as trainers and any students looking to take the same course in the future. If you have any feedback, positive or negative, it would be greatly appreciated if you could contact support at Thank you for your time and good luck with your continued learning of cloud computing. Have a great day.


About the Author
Learning Paths

Jeremy is a Content Lead Architect and DevOps SME here at Cloud Academy where he specializes in developing DevOps technical training documentation.

He has a strong background in software engineering, and has been coding with various languages, frameworks, and systems for the past 25+ years. In recent times, Jeremy has been focused on DevOps, Cloud (AWS, Azure, GCP), Security, Kubernetes, and Machine Learning.

Jeremy holds professional certifications for AWS, Azure, GCP, Terraform, Kubernetes (CKA, CKAD, CKS).