AWS Direct Connect links your internal network to an AWS Direct Connect location over a standard Ethernet fiber-optic cable. One end of the cable is connected to your router, the other to an AWS Direct Connect router.
With this connection, you can create a public virtual interface directly to public AWS services (for example, to Amazon S3) and/or a private virtual interface to your Amazon VPC, bypassing internet service providers in your network path.
An AWS Direct Connect location provides access to AWS in the Region with which it is associated. You can use a single connection in a public Region or AWS GovCloud (US) to access public AWS services in all other public Regions.
The following diagram shows how AWS Direct Connect interfaces with your network.
Your network must meet the following conditions:
AWS Direct Connect has two billing elements:
Port hour pricing is determined by capacity and connection type (dedicated connection or hosted connection).
Data Transfer Out charges for private interfaces and transit virtual interfaces are allocated to the AWS account responsible for the Data Transfer. There are no additional charges to use a multi-account AWS Direct Connect gateway.
When you connect to AWS services in a Region other than the one in which the Direct Connect connection is installed, any data transfer out of that Region is billed at the remote Region data transfer rate.
Use AWS Direct Connect gateway to connect your VPCs. You associate an AWS Direct Connect gateway with either of the following gateways:
A Direct Connect gateway is a globally available resource. You can create the Direct Connect gateway in any Region and access it from all other Regions.
Each VPC has a virtual private gateway that connects to the Direct Connect gateway using a virtual private gateway association. The Direct Connect gateway uses a private virtual interface for the connection to the AWS Direct Connect location. There is an AWS Direct Connect connection from the location to the customer data center.
Consider a scenario in which Account Z owns the Direct Connect gateway. Account A and Account B want to use it. Account A and Account B each send an association proposal to Account Z. Account Z accepts the association proposals and can optionally update the prefixes that are allowed from Account A's virtual private gateway or Account B's virtual private gateway. After Account Z accepts the proposals, Account A and Account B can route traffic from their virtual private gateways to the Direct Connect gateway. Because Account Z owns the gateway, Account Z also controls which prefixes are routed toward the customer network.
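The multi-account flow above, as an added toy model (not AWS code and not the AWS API): the gateway owner accepts each proposal, may narrow the allowed prefixes, and the model rejects an override that widens a proposal or a prefix that overlaps another account's association. Account names and CIDR blocks are constructed sample values.

```python
import ipaddress


class DirectConnectGatewayModel:
    """Toy model of a Direct Connect gateway owned by one account (Account Z)
    that accepts association proposals from other accounts' virtual private
    gateways. Constructed for illustration; it does not call AWS."""

    def __init__(self, owner):
        self.owner = owner
        self.allowed = {}  # account -> list of ip_network prefixes it may route

    def accept_proposal(self, account, proposed, override=None):
        """Owner accepts a proposal; `override` optionally narrows its prefixes.
        Returns the accepted prefixes as strings, or raises ValueError."""
        proposed = [ipaddress.ip_network(p) for p in proposed]
        allowed = [ipaddress.ip_network(p) for p in override] if override else proposed
        # Modelled policy: the owner may narrow a proposal but never widen it,
        # so every accepted prefix must sit inside something the proposer asked for.
        for a in allowed:
            if not any(a.subnet_of(p) for p in proposed):
                raise ValueError(f"{a} was not proposed by account {account}")
        # Prefixes must not overlap across associations on the same gateway,
        # otherwise on-prem routing toward the VPCs becomes ambiguous.
        for other, nets in self.allowed.items():
            for n in nets:
                for a in allowed:
                    if a.overlaps(n):
                        raise ValueError(f"{a} from {account} overlaps {n} from {other}")
        self.allowed[account] = allowed
        return [str(a) for a in allowed]

    def advertised_routes(self):
        """Union of all accepted prefixes: what the gateway advertises on-prem."""
        return sorted(str(n) for nets in self.allowed.values() for n in nets)


if __name__ == "__main__":
    gw = DirectConnectGatewayModel("Z")
    print(gw.accept_proposal("A", ["10.1.0.0/16"]))
    print(gw.accept_proposal("B", ["10.2.0.0/16"], override=["10.2.0.0/24"]))
    print(gw.advertised_routes())
```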
But a better way is to use a Transit Gateway.
The following diagram illustrates how the transit gateway lets all of your VPCs share a single attachment to your Direct Connect connection.
The solution involves the following components:
This configuration offers the following benefits. You can:
If your customer gateway is behind a network address translation (NAT) device that’s enabled for NAT traversal (NAT-T), use the public IP address of your NAT device, and adjust your firewall rules to unblock UDP port 4500.
For Routing options, choose whether to use Dynamic or Static.