Direct Connect gateways

Use AWS Direct Connect gateway to connect your VPCs. You associate an AWS Direct Connect gateway with either of the following gateways:

A transit gateway when you have multiple VPCs in the same Region
A virtual private gateway

You can also use a virtual private gateway to extend your Local Zone. This configuration allows the VPC associated with the Local Zone to connect to a Direct Connect gateway. The Direct Connect gateway connects to a Direct Connect location in a Region. The on-premises data center has a Direct Connect connection to the Direct Connect location. For more information, see Accessing Local Zones using a Direct Connect gateway in the Amazon VPC User Guide.

A Direct Connect gateway is a globally available resource. You can connect to any Region globally using a Direct Connect gateway. This includes AWS GovCloud (US) but does not include the AWS China Regions.

Customers using Direct Connect with VPCs that currently bypass a parent Availability Zone will not be able to migrate their Direct Connect connections or virtual interfaces.

The following describe scenarios where you can use a Direct Connect gateway.

A Direct Connect gateway does not allow gateway associations that are on the same Direct Connect gateway to send traffic to each other (for example, a virtual private gateway to another virtual private gateway). An exception to this rule, implemented in November 2021, is when a supernet is advertised across two or more VPCs, which have their attached virtual private gateways (VGWs) associated to the same Direct Connect gateway and on the same virtual interface. In this case, VPCs can communicate with each other via the Direct Connect endpoint. For example, if you advertise a supernet (for example, 10.0.0.0/8 or 0.0.0.0/0) that overlaps with the VPCs attached to a Direct Connect gateway (for example, 10.0.0.0/24 and 10.0.1.0/24), and on the same virtual interface, then from your on-premises network, the VPCs can communicate with each other.

If you want to block VPC-to-VPC communication within a Direct Connect gateway, do the following:

Set up security groups on the instances and other resources in the VPC to block traffic between VPCs, also using this as part of the default security group in the VPC.
Avoid advertising a supernet from your on- premises network that overlaps with your VPCs. Instead you can advertise more specific routes from your on-premises network that do not overlap with your VPCs.
Provision a single Direct Connect Gateway for each VPC that you want to connect to your on-premises network instead of using the same Direct Connect Gateway for multiple VPCs. For example, instead of using a single Direct Connect Gateway for your development and production VPCs, use separate Direct Connect Gateways for each of these VPCs.

A Direct Connect gateway does not prevent traffic from being sent from one gateway association back to the gateway association itself (for example when you have an on-premises supernet route that contains the prefixes from the gateway association). If you have a configuration with multiple VPCs connected to transit gateways associated to same Direct Connect gateway, the VPCs could communicate. To prevent the VPCs from communicating, associate a route table with the VPC attachments that have the blackhole option set.

The following describe scenarios describe where you can use a Direct Connect gateway.

Scenarios

Virtual private gateway associations
Virtual private gateway associations across accounts
Transit gateway associations
Transit gateway associations across accounts
Creating a Direct Connect gateway
Deleting Direct Connect gateways
Migrating from a virtual private gateway to a Direct Connect gateway

Virtual private gateway associations

In the following diagram, the Direct Connect gateway enables you to use your AWS Direct Connect connection in the US East (N. Virginia) Region to access VPCs in your account in both the US East (N. Virginia) and US West (N. California) Regions.

Each VPC has a virtual private gateway that connects to the Direct Connect gateway using a virtual private gateway association. The Direct Connect gateway uses a private virtual interface for the connection to the AWS Direct Connect location. There is an AWS Direct Connect connection from the location to the customer data center.

A Direct Connect gateway that connects VPCs in two AWS Regions and <a href= your data center." />

Virtual private gateway associations across accounts

Consider this scenario of a Direct Connect gateway owner (Account Z) who owns the Direct Connect gateway. Account A and Account B want to use the Direct Connect gateway. Account A and Account B each send an association proposal to Account Z. Account Z accepts the association proposals and can optionally update the prefixes that are allowed from Account A's virtual private gateway or Account B's virtual private gateway. After Account Z accepts the proposals, Account A and Account B can route traffic from their virtual private gateway to the Direct Connect gateway. Account Z also owns the routing to the customers because Account Z owns the gateway.

A Direct Connect gateway that connects three AWS accounts and <a href= your data center." />

Transit gateway associations

The following diagram illustrates how the Direct Connect gateway enables you to create a single connection to your Direct Connect connection that all of your VPCs can use.

A Direct Connect gateway associated with a transit gateway with multiple VPC attachments.

The solution involves the following components:

A transit gateway that has VPC attachments.
A Direct Connect gateway.
An association between the Direct Connect gateway and the transit gateway.
A transit virtual interface that is attached to the Direct Connect gateway.

This configuration offers the following benefits. You can:

Manage a single connection for multiple VPCs or VPNs that are in the same Region.
Advertise prefixes from on-premises to AWS and from AWS to on-premises.

For information about configuring transit gateways, see Working with Transit Gateways in the Amazon VPC Transit Gateways Guide.

Transit gateway associations across accounts

Consider this scenario of a Direct Connect gateway owner (Account Z) who owns the Direct Connect gateway. Account A owns the transit gateway and wants to use the Direct Connect gateway. Account Z accepts the association proposals and can optionally update the prefixes that are allowed from Account A's transit gateway. After Account Z accepts the proposals, the VPCs attached to the transit gateway can route traffic from the transit gateway to the Direct Connect gateway. Account Z also owns the routing to the customers because Account Z owns the gateway.

A Direct Connect gateway from an AWS account associated with a transit gateway from another AWS account.

Creating a Direct Connect gateway
Deleting Direct Connect gateways
Migrating from a virtual private gateway to a Direct Connect gateway

Creating a Direct Connect gateway

You can create a Direct Connect gateway in any supported Region.

To create a Direct Connect gateway

Open the AWS Direct Connect console at https://console.aws.amazon.com/directconnect/v2/home .
In the navigation pane, choose Direct Connect Gateways.
Choose Create Direct Connect gateway.
Specify the following information, and choose Create Direct Connect gateway.

Name: Enter a name to help you identify the Direct Connect gateway.
Amazon side ASN: Specify the ASN for the Amazon side of the BGP session. The ASN must be in the 64,512 to 65,534 range or 4,200,000,000 to 4,294,967,294 range.
Virtual private gateway: To associate a virtual private gateway, choose the virtual private gateway.

To create a Direct Connect gateway using the command line or API

create-direct-connect-gateway (AWS CLI)
CreateDirectConnectGateway (AWS Direct Connect API)

Deleting Direct Connect gateways

If you no longer require a Direct Connect gateway, you can delete it. You must first disassociate all associated virtual private gateways and delete the attached private virtual interface.

To delete a Direct Connect gateway

Open the AWS Direct Connect console at https://console.aws.amazon.com/directconnect/v2/home .
In the navigation pane, choose Direct Connect Gateways.
Select the gateways and choose Delete.

To delete a Direct Connect gateway using the command line or API

delete-direct-connect-gateway (AWS CLI)
DeleteDirectConnectGateway (AWS Direct Connect API)

Migrating from a virtual private gateway to a Direct Connect gateway

If you had a virtual private gateway attached to a virtual interface, and you want to migrate to a Direct Connect gateway, perform the following steps:

To migrate to a Direct Connect gateway

Create a Direct Connect gateway. For more information, see Creating a Direct Connect gateway.
Create a virtual interface for the Direct Connect gateway. For more information, see Create a virtual interface.
Associate the virtual private gateway with the Direct Connect gateway. For more information, see Associating and disassociating virtual private gateways.
Delete the virtual interface that was associated with the virtual private gateway. For more information, see Delete virtual interfaces.

Working with Direct Connect gateways Virtual private gateway associations Did this page help you? - Yes

Thanks for letting us know we're doing a good job!

If you've got a moment, please tell us what we did right so we can do more of it.

Did this page help you? - No

Thanks for letting us know this page needs work. We're sorry we let you down.

If you've got a moment, please tell us how we can make the documentation better.