AWS Direct Connect (DX): SAA-C03 Study Guide

AWS Direct Connect is the AWS service for establishing a dedicated network connection from your premises to AWS. With Direct Connect you get private connectivity between AWS and your datacenter, office, or colocation environment, which in many cases reduces network cost, increases usable bandwidth, and gives a more consistent network experience than internet-based connections. Note that "private" here means the traffic does not traverse the public internet; it does not mean the link is encrypted (see Exam Tips below).

The Real-World Analogy

Imagine your daily commute. Using the Standard Internet is like driving on a public highway; it’s free to enter, but traffic (congestion) is unpredictable, and there are many exits (security risks). AWS Direct Connect is like having a private, dedicated HOV lane built specifically between your house and your office. No one else can use it, the speed limit is guaranteed, and you avoid the chaos of the public road system.

Core Concepts & Components

1. Connection Types

  • Dedicated Connection: A physical ethernet connection associated with a single customer. Capacities: 1 Gbps, 10 Gbps, and 100 Gbps. You provision these through the AWS Console.
  • Hosted Connection: A physical ethernet connection that an AWS Direct Connect Partner provisions on your behalf. Capacities range from 50 Mbps up to 10 Gbps.

2. Virtual Interfaces (VIF)

  • Private VIF: Used to reach resources inside a VPC by private IP address. Terminates on a Virtual Private Gateway (VGW) attached to one VPC, or on a Direct Connect Gateway when you need to reach VPCs in other Regions or accounts.
  • Public VIF: Used to reach AWS public service endpoints (S3, DynamoDB, S3 Glacier, and the other public IP ranges AWS advertises) over the Direct Connect link instead of the public internet. BGP peering on a Public VIF uses public IP addresses, and you receive all of AWS's public prefixes (filterable with BGP communities).
  • Transit VIF: Used to connect to a Direct Connect Gateway associated with one or more Transit Gateways. This is the standard for complex, multi-VPC architectures.

3. Direct Connect Gateway (DXGW)

A global resource that allows you to connect a single Direct Connect connection to VPCs in any AWS Region (except China). It groups multiple Virtual Private Gateways (VGWs) or connects to a Transit Gateway.

Comparison: Direct Connect vs. Site-to-Site VPN

Feature       | Site-to-Site VPN                        | Direct Connect
--------------+-----------------------------------------+------------------------------------------------
Transport     | Public internet (IPsec tunnels)         | Private fiber / dedicated path
Setup time    | Minutes                                 | Weeks to months (dedicated); often faster for hosted
Bandwidth     | Up to 1.25 Gbps per tunnel              | Up to 100 Gbps per connection
Cost          | Low (hourly tunnel fee + data transfer) | High (port hours, but a lower data-transfer rate)
Reliability   | Variable (internet jitter and loss)     | High and consistent

Decision Matrix / If–Then Guide

  • IF you need consistent, predictable latency and throughput for real-time data feeds THEN choose Direct Connect.
  • IF you need to encrypt data in transit over Direct Connect THEN use an IPsec VPN over Direct Connect, or MACsec (available only on 10/100 Gbps dedicated connections at MACsec-capable locations).
  • IF you have a short-term project or need immediate connectivity THEN choose Site-to-Site VPN.
  • IF you need to connect to 50+ VPCs across multiple regions THEN use Direct Connect Gateway + Transit Gateway.

Exam Tips and Gotchas

  • Resiliency: A single DX connection is a single point of failure. The AWS Direct Connect Resiliency Toolkit defines the models the exam uses: "Development and Test" is two connections on separate AWS devices at one DX location; "High Resiliency" is one connection at each of two DX locations; "Maximum Resiliency" is two connections (on separate devices) at each of two DX locations. A Site-to-Site VPN is the cheap backup path for a single DX connection. A LAG does not add site resiliency, because all members of a LAG terminate on the same AWS device at the same location.
  • Encryption: Direct Connect does not encrypt data by default. It is private, but not encrypted. If the requirement is "encryption in transit," layer an IPsec VPN on top of the DX connection or use MACsec. Know the difference: MACsec is Layer 2 encryption between your router and the AWS device at the DX location only (hop-by-hop, line rate, with keys stored in AWS Secrets Manager), whereas an IPsec VPN over DX is end-to-end to the VGW or Transit Gateway but is capped at 1.25 Gbps per tunnel. Set the MACsec connection mode to must_encrypt; should_encrypt falls back to cleartext if the MACsec session fails.
  • BGP: Border Gateway Protocol (BGP) is required on every VIF. You cannot use static routing with Direct Connect. Configure the optional BGP MD5 authentication key on the peering, and use the AWS-supported BGP communities (local preference and scope) to steer active/passive paths.
  • Cost Optimization: Port hours are the expensive part, but Data Transfer Out (DTO) over DX is significantly cheaper than internet DTO (on the order of $0.02 versus $0.09 per GB in US Regions; rates vary by Region and DX location). For sustained high outbound volumes, DX pays for itself in DTO savings.
  • MTU: Private VIFs support jumbo frames up to 9001 bytes and Transit VIFs up to 8500 bytes; Public VIFs are limited to 1500. A Site-to-Site VPN tunnel carries at most 1446-byte packets (1500 minus IPsec overhead), so clamp TCP MSS accordingly or expect fragmentation.
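The resiliency and encryption tips above are easy to get wrong when you only have CLI output in front of you. The following is an added example (not AWS code and not from this guide) that classifies a Direct Connect footprint against the Resiliency Toolkit models, shows which connections could legally form a LAG, and flags VIFs that carry VPC-bound traffic over a link with no MACsec in force. The records are constructed to look like `aws directconnect describe-connections` and `describe-virtual-interfaces` output; the connection and VIF IDs are fictitious, and the `vpn_overlay_vifs` argument is an assumption the caller supplies, because the DX API cannot see whether an IPsec VPN rides on a VIF.

```python
"""Added example: audit a Direct Connect inventory for resiliency and encryption.
Records are constructed for this example (field names follow the DX API shape)."""
from collections import defaultdict

# Constructed sample, shaped like describe-connections output. IDs are fictitious.
CONNECTIONS = [
    {"connectionId": "dxcon-aaaa0001", "location": "EqDC2", "awsLogicalDeviceId": "device-1",
     "bandwidth": "10Gbps", "macSecCapable": True,
     "encryptionMode": "must_encrypt", "portEncryptionStatus": "Encryption Up"},
    {"connectionId": "dxcon-aaaa0003", "location": "EqDC2", "awsLogicalDeviceId": "device-1",
     "bandwidth": "10Gbps", "macSecCapable": True,
     "encryptionMode": "must_encrypt", "portEncryptionStatus": "Encryption Up"},
    {"connectionId": "dxcon-aaaa0002", "location": "EqDC2", "awsLogicalDeviceId": "device-2",
     "bandwidth": "10Gbps", "macSecCapable": True,
     "encryptionMode": "should_encrypt", "portEncryptionStatus": "Encryption Down"},
    {"connectionId": "dxcon-bbbb0001", "location": "CSVA1", "awsLogicalDeviceId": "device-9",
     "bandwidth": "10Gbps", "macSecCapable": False,
     "encryptionMode": "no_encrypt", "portEncryptionStatus": "Encryption Down"},
]
# Constructed sample, shaped like describe-virtual-interfaces output.
VIFS = [
    {"virtualInterfaceId": "dxvif-0001", "connectionId": "dxcon-aaaa0001", "virtualInterfaceType": "transit"},
    {"virtualInterfaceId": "dxvif-0004", "connectionId": "dxcon-aaaa0003", "virtualInterfaceType": "transit"},
    {"virtualInterfaceId": "dxvif-0002", "connectionId": "dxcon-aaaa0002", "virtualInterfaceType": "private"},
    {"virtualInterfaceId": "dxvif-0003", "connectionId": "dxcon-bbbb0001", "virtualInterfaceType": "public"},
]


def resiliency_model(connections):
    """Map the footprint to the Resiliency Toolkit model it satisfies.

    maximum:  two or more locations, each with connections on two or more devices
    high:     two or more locations, at least one connection each
    dev_test: one location, connections on two or more devices
    otherwise a single point of failure
    """
    devices_at = defaultdict(set)  # location -> AWS logical devices in use there
    for c in connections:
        devices_at[c["location"]].add(c["awsLogicalDeviceId"])
    redundant_everywhere = bool(devices_at) and all(len(d) >= 2 for d in devices_at.values())
    if len(devices_at) >= 2:
        return "maximum" if redundant_everywhere else "high"
    return "dev_test" if redundant_everywhere else "single_point_of_failure"


def lag_candidates(connections):
    """Group connections that could form one LAG: same location, same AWS device,
    same bandwidth. Connections at different locations can never share a LAG,
    so a LAG buys capacity, not site resiliency."""
    groups = defaultdict(list)
    for c in connections:
        groups[(c["location"], c["awsLogicalDeviceId"], c["bandwidth"])].append(c["connectionId"])
    return {key: ids for key, ids in groups.items() if len(ids) >= 2}


def is_link_encrypted(conn):
    """MACsec protects traffic only when the port is capable, policy is must_encrypt
    and the session is up; should_encrypt silently degrades to cleartext."""
    return (conn["macSecCapable"]
            and conn["encryptionMode"] == "must_encrypt"
            and conn["portEncryptionStatus"] == "Encryption Up")


def unencrypted_private_paths(connections, vifs, vpn_overlay_vifs=()):
    """Return VIF IDs carrying VPC-bound (private/transit) traffic with neither
    MACsec nor a caller-declared IPsec overlay. Public VIFs are skipped: traffic
    there goes to public endpoints, where TLS is the transport-security control."""
    by_id = {c["connectionId"]: c for c in connections}
    findings = []
    for v in vifs:
        if v["virtualInterfaceType"] not in ("private", "transit"):
            continue
        if v["virtualInterfaceId"] in vpn_overlay_vifs:
            continue
        if not is_link_encrypted(by_id[v["connectionId"]]):
            findings.append(v["virtualInterfaceId"])
    return findings


if __name__ == "__main__":
    print("resiliency model:", resiliency_model(CONNECTIONS))
    print("LAG-able groups:", lag_candidates(CONNECTIONS))
    print("cleartext VPC paths:", unencrypted_private_paths(CONNECTIONS, VIFS))
```

On the sample data the footprint rates as "high" resiliency (two locations, but only one device at CSVA1), the two connections on device-1 at EqDC2 are the only legal LAG members, and `dxvif-0002` is reported because its connection is in `should_encrypt` mode with the MACsec session down. To reach "maximum" resiliency the audit wants a second device at the second location, not a bigger LAG.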

Topics covered in this guide:

  • Dedicated vs. Hosted Connections
  • Private, Public, and Transit Virtual Interfaces (VIFs)
  • Direct Connect Gateway (DXGW) for multi-region connectivity
  • Direct Connect vs. VPN trade-offs
  • High Availability (HA) architecture patterns
  • Security and Encryption (MACsec / IPsec VPN)

Infographic: Direct Connect Architecture

[Infographic placeholder: On-Prem DC -> Dedicated Fiber -> DX Location -> AWS Region, with a Public VIF path to S3 and a Private VIF path to the VPC]

Service Ecosystem

Integrations

  • IAM: Control who can create, modify, and delete DX connections, VIFs, and gateway associations.
  • CloudWatch: Monitor ConnectionState, ingress/egress bits per second, optical light levels (ConnectionLightLevelTx/Rx), error counts, and the MACsec ConnectionEncryptionState metric.
  • Secrets Manager / KMS: MACsec CKN/CAK pairs are stored as Secrets Manager secrets, which are encrypted with KMS.
  • Transit Gateway: Scalable multi-VPC routing behind a Transit VIF and Direct Connect Gateway.

Performance

Scaling & Speed

  • 1/10/100 Gbps dedicated port speeds.
  • Link Aggregation (LAG): Combine up to 4 connections of the same speed, terminating on the same AWS device, into one logical interface for increased capacity.
  • Consistent, predictable latency: the round-trip time is set by fiber distance to the Region rather than by internet routing, so it does not fluctuate the way a VPN over the internet does.

Cost Optimization

Savings Strategy

  • Use Hosted Connections for smaller workloads (under 1 Gbps) to avoid paying for a full dedicated port.
  • Direct Connect is cheaper for high outbound data volumes, where the reduced DTO rate outweighs port hours.
  • No charge for data transfer into AWS, so a bulk inbound migration costs only port hours.
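To make the "DX pays for itself" claim from the Exam Tips concrete, here is an added example (not from this guide or from AWS) that compares the monthly cost of internet Data Transfer Out with the cost of a dedicated port plus DX DTO, and finds the outbound volume at which the port breaks even. Every price in it is an assumption modelled on US-Region list pricing at the time of writing; check the current AWS price list for your Region and DX location before using the numbers.

```python
"""Added example: break-even volume for a Direct Connect port versus internet DTO.
All rates below are illustrative assumptions, not authoritative pricing."""

HOURS_PER_MONTH = 730

# Assumed internet DTO tiers: (GB in this tier, USD per GB), applied cumulatively.
INTERNET_TIERS = [
    (100, 0.0),             # first 100 GB per month free
    (10_000, 0.09),         # up to 10 TB
    (40_000, 0.085),        # next 40 TB
    (100_000, 0.07),        # next 100 TB
    (float("inf"), 0.05),   # everything above 150 TB
]

# Assumed dedicated-port hourly rates and the flat DX DTO rate.
DX_PORT_USD_PER_HOUR = {"1Gbps": 0.30, "10Gbps": 2.25, "100Gbps": 22.50}
DX_DTO_USD_PER_GB = 0.02


def internet_dto_cost(gb):
    """Tiered pricing: each tier's rate applies only to the GB that fall inside it."""
    cost, remaining = 0.0, gb
    for tier_size, rate in INTERNET_TIERS:
        if remaining <= 0:
            break
        in_tier = min(remaining, tier_size)
        cost += in_tier * rate
        remaining -= in_tier
    return cost


def dx_monthly_cost(gb, port="10Gbps", ports=1):
    """Port hours are charged whether or not you move data; DTO is a flat rate on top."""
    return ports * DX_PORT_USD_PER_HOUR[port] * HOURS_PER_MONTH + gb * DX_DTO_USD_PER_GB


def breakeven_gb(port="10Gbps", ports=1, step=100, limit=10_000_000):
    """Smallest monthly outbound volume (in GB, at 'step' granularity) where DX is no
    more expensive than internet egress. Returns None if never reached below 'limit'."""
    gb = 0
    while dx_monthly_cost(gb, port, ports) > internet_dto_cost(gb):
        gb += step
        if gb > limit:
            return None
    return gb


if __name__ == "__main__":
    for port in DX_PORT_USD_PER_HOUR:
        print(f"{port}: break-even at ~{breakeven_gb(port)} GB/month outbound")
```

Under these assumed rates a 1 Gbps port breaks even at roughly 3.3 TB of monthly egress and a 10 Gbps port at roughly 24.7 TB, which is why DX is usually justified by sustained outbound volume rather than by bandwidth alone. Inbound transfer is free on both paths, so a pure inbound migration never "pays for itself" in DTO; its cost is the port hours for as long as the connection exists.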

Production Use Case

Scenario: A financial services firm needs to sync a 50 TB database daily from an on-premises mainframe to Amazon RDS, with strict security and low-latency requirements.

Solution: Deploy two 10 Gbps Dedicated Connections at two different DX locations (the "High Resiliency" model; a LAG cannot span locations, so use separate connections rather than one LAG, or a LAG at each location if more capacity is needed). Enable MACsec in must_encrypt mode on each connection for Layer 2 encryption between the customer routers and the DX locations, and use a Transit VIF to a Direct Connect Gateway associated with a Transit Gateway that routes into the RDS VPC. Inbound transfer is free, and at 10 Gbps the 50 TB sync takes roughly 11 hours per day, comfortably inside a daily window.
