Securing Direct Connect Traffic Using AWS VPN

---

This is a common and often misunderstood aspect: the assumption that AWS Direct Connect inherently secures your traffic. In reality, Direct Connect does NOT provide built-in encryption or security. It simply offers a dedicated, private bandwidth between your AWS Cloud infrastructure and your on-premises network. This raises an important question: how can you securely transmit traffic while still leveraging Direct Connect's dedicated bandwidth?

In this guide, we'll explore in depth how you can secure your network traffic between AWS Cloud and your on-premises environment by implementing AWS VPN over Direct Connect. Since clear and detailed documentation on this setup is often hard to find, I will walk you through the entire implementation process step by step, ensuring you clearly understand every detail required to achieve secure connectivity.

## You don't explicitly select Direct Connect in the VPN configuration.

Why is that?

This is because the traffic path for VPN tunnels over Direct Connect is determined by network routing and route priorities set in your AWS and on-premises environment, not by selecting a Direct Connect option explicitly within the VPN configuration itself.

---

## How Traffic Flows (VPN over Direct Connect)

When you create a VPN connection in AWS, AWS will automatically generate two public VPN endpoint IP addresses. By default, these endpoints are reachable via the public internet. To route VPN traffic over Direct Connect instead of the internet, you must ensure that your on-premises router/firewall routes the VPN endpoint IP addresses through your Direct Connect interface.

Here's how the two paths compare:

Default (Internet-based VPN): on-premises router/firewall -> public internet -> AWS VPN endpoint IPs.

To route VPN via Direct Connect (your desired setup): on-premises router/firewall -> Direct Connect (Public VIF) -> AWS VPN endpoint IPs.


---

## How to Ensure VPN Traffic Uses Direct Connect Bandwidth

You achieve this through routing configuration on your on-premises router/firewall:

Step-by-step:

### STEP 1: Identify AWS VPN Endpoint Public IPs

- After creating the AWS VPN connection, AWS provides two public IP addresses for VPN termination (Tunnel 1 and Tunnel 2 endpoints).

### STEP 2: Advertise or Route AWS VPN Endpoint IPs via Direct Connect

- On your on-premises router/firewall, explicitly add routes pointing the AWS VPN endpoint IP addresses through your Direct Connect connection (instead of the default public internet gateway).

Example (conceptual):

Let's say the AWS VPN endpoint IPs are 3.10.20.30 and 52.40.50.60.

- Your default routing table (initially via the internet):

| Destination IP | Next-Hop |
|----------------|----------|
| 0.0.0.0/0 | Internet Gateway |

- Change/add explicit routes so those AWS VPN IPs go via the Direct Connect interface:

| Destination IP | Next-Hop |
|----------------|----------|
| 3.10.20.30/32 | [Direct Connect Interface] |
| 52.40.50.60/32 | [Direct Connect Interface] |

Because the /32 routes are more specific than 0.0.0.0/0, longest-prefix matching sends only the VPN endpoint traffic over Direct Connect; all other destinations keep following the default route.

### STEP 3: Ensure AWS-Side Routing is Correct

- On the AWS side, the Virtual Private Gateway (VGW) or Transit Gateway (TGW) attached to your VPC will route traffic back to your on-premises networks via the VPN tunnel automatically once the VPN is established.
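The following is an added example, not code from the original article: it takes a constructed sample of the `aws ec2 describe-vpn-connections` output (the tunnel endpoint IPs live under `VgwTelemetry[].OutsideIpAddress`), turns them into the /32 routes from STEP 2, and uses longest-prefix matching to confirm that the VPN endpoints resolve to the Direct Connect Public VIF while everything else still follows the default route. The VPN connection ID and next-hop names are placeholders.

```python
import ipaddress
import json

# Constructed, trimmed sample of what `aws ec2 describe-vpn-connections` returns.
# The endpoint IPs match the article's conceptual example; the ID is a placeholder.
SAMPLE_DESCRIBE_VPN = json.dumps({
    "VpnConnections": [{
        "VpnConnectionId": "vpn-PLACEHOLDER",
        "VgwTelemetry": [
            {"OutsideIpAddress": "3.10.20.30", "Status": "UP"},
            {"OutsideIpAddress": "52.40.50.60", "Status": "UP"},
        ],
    }]
})

DX_HOP = "dx-public-vif"        # hypothetical name for the Public VIF next hop
INTERNET_HOP = "internet-gateway"  # hypothetical name for the default next hop


def vpn_endpoint_hosts(describe_json: str) -> list:
    """STEP 1: extract each AWS tunnel endpoint IP as a /32 network."""
    data = json.loads(describe_json)
    return [
        ipaddress.ip_network(f"{tel['OutsideIpAddress']}/32")
        for conn in data["VpnConnections"]
        for tel in conn["VgwTelemetry"]
    ]


def build_table(endpoints: list) -> list:
    """STEP 2: default route via the internet plus explicit /32s via the Public VIF."""
    table = [(ipaddress.ip_network("0.0.0.0/0"), INTERNET_HOP)]
    table += [(host, DX_HOP) for host in endpoints]
    return table


def next_hop(table: list, dst: str):
    """Longest-prefix match: the most specific matching route wins, so /32 beats /0."""
    ip = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in table if ip in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def endpoints_leaking_to_internet(table: list, endpoints: list) -> list:
    """Return endpoint IPs that would still leave via the default route (misconfiguration)."""
    return [str(h.network_address) for h in endpoints
            if next_hop(table, str(h.network_address)) != DX_HOP]
```

Run `endpoints_leaking_to_internet` against your real routing table before declaring the setup done: an empty list means every tunnel endpoint is pinned to Direct Connect.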

---

## Important Note (Public Virtual Interface)

To route AWS VPN endpoint IP addresses (which are public IP addresses) through Direct Connect, you must have a Public Virtual Interface (Public VIF) configured on your Direct Connect.

- A Public VIF allows you to route AWS public IP ranges (like VPN endpoints, AWS public services endpoints, etc.) through your Direct Connect link.

- If you don't have a Public VIF yet, you must create one to achieve this routing scenario.

---

## Summary (Key points)

| Action | Details |
|--------|---------|
| Explicitly select Direct Connect in VPN config? | No, not directly; currently this feature is NOT available |
| How do you direct VPN traffic over Direct Connect? | Routing (on-premises router/firewall) |
| Required Direct Connect type? | Public Virtual Interface (Public VIF) on your Direct Connect |
| VPN endpoint IP addresses | Provided by AWS on VPN creation |
| Routing config required? | Explicit routes on your on-premises device |

---

## Quick Checklist (for your scenario)

- [ ] Created AWS VPN (not explicitly selecting Direct Connect)

- [ ] AWS provided VPN public endpoint IPs

- [ ] Configure Public Virtual Interface on Direct Connect

- [ ] Configure explicit routing on your on-premises device for VPN endpoints through Direct Connect

- [ ] Verify VPN traffic flows through Direct Connect (using traceroute/ping tests from on-premises)

---

## Conclusion

You don't explicitly select Direct Connect during VPN creation. Instead, you route VPN traffic through Direct Connect by configuring your on-premises router/firewall to send AWS VPN endpoint IP addresses via your Direct Connect Public Virtual Interface.

This ensures encrypted VPN traffic traverses your private, dedicated Direct Connect link instead of going through the public internet.

I hope this clarifies the routing clearly! Let me know if you have any further questions on setting this up!
