Tuesday, November 11, 2025

AWS Direct Connect (DX) Encryption | Overview.


A deep dive into AWS Direct Connect (DX) encryption.

Scope:

  • Encryption options
  • Architectures
  • Limitations
  • Best practices

Breakdown:

  • Overview
  • Types of Encryption for Direct Connect
  • MACsec Encryption (Layer 2)
  • IPsec over Direct Connect (Layer 3)
  • Application-Level Encryption (Layer 7)
  • Common Architectures
  • Best Practices
  • Summary Table

Overview

  • AWS Direct Connect (DX) provides a dedicated, private network connection between the twtech on-premises environment and AWS.
  • However, Direct Connect itself does not encrypt traffic at the physical layer: a private connection is not an encrypted one.
  • To achieve encryption, twtech must layer additional technologies on top of DX.

Types of Encryption for Direct Connect

Encryption Layer | Description | Encryption Type | Typical Use Case
---------------- | ----------- | --------------- | ----------------
1. No Encryption (Default) | Plain Layer 2/3 connectivity. | None. | Private workloads that already use encrypted application protocols (e.g., HTTPS, TLS, SSH)
2. MACsec (Layer 2) | IEEE 802.1AE encryption on dedicated connections. | Link-level encryption. | Data-sensitive environments requiring physical link encryption
3. IPsec over Direct Connect (Layer 3) | IPsec tunnel over DX via a VPN gateway. | Network-level encryption. | Compliance or regulatory environments requiring end-to-end encryption
4. Application-level Encryption (Layer 7) | Encryption handled by the applications themselves. | App-layer encryption. | Data-sensitive app communications (e.g., TLS 1.3, gRPC over TLS)

MACsec Encryption (Layer 2)

What It Is

  • MACsec (Media Access Control Security) encrypts Ethernet frames between the twtech on-premises router and the AWS edge device at the Direct Connect location. It protects the physical link only; traffic is in the clear again once it leaves the AWS edge device.

Key Properties

  • Encryption Standard: IEEE 802.1AE
  • Algorithm: AES-GCM-128 or AES-GCM-256
  • Applies To: Dedicated 10 Gbps and 100 Gbps Direct Connect connections
  • Not Supported On: Hosted connections or Hosted Virtual Interfaces (Hosted VIFs)

Architecture Sample

Key Management

  • MACsec uses Connectivity Association Keys (CAKs) and Secure Association Keys (SAKs).
  • Keys are managed via the AWS Direct Connect console or API.
  • AWS automatically rotates SAKs every few minutes for continuous security.

Configuration Flow

1. Request a dedicated DX connection supporting MACsec.

2. Enable MACsec during the LOA-CFA approval process.

3. Configure the twtech router with:

  • CAK/CKN pair (from the AWS console)
  • AES-GCM-128/256 encryption settings
  • Key rotation enabled
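The same flow driven from the AWS CLI, as an added example (this is not from the original post and is not AWS's own tooling). It assumes the AWS CLI is installed and credentialed, that the connection id is a placeholder for a dedicated, MACsec-capable connection, and that the CKN is 64 hex characters and the CAK 32 or 64 hex characters (the AES-GCM-128/256 key sizes); the pair is generated locally from /dev/urandom here instead of being taken from the console, which the post describes as the other option. The point worth noticing is the last step: `must_encrypt` makes the port drop traffic if the MACsec session is not up, whereas `should_encrypt` silently falls back to cleartext.

```shell
#!/bin/sh
# Added example: MACsec key association and enforcement via the AWS CLI.
# CONNECTION_ID values such as dxcon-EXAMPLE are placeholders, not real ids.

# Validate a CKN/CAK pair before it goes anywhere near the API.
# Assumption: CKN = 64 hex chars; CAK = 32 (AES-GCM-128) or 64 (AES-GCM-256) hex chars.
# Key material is never echoed to stdout or logs.
validate_macsec_key() {
  ckn=$1; cak=$2
  printf '%s' "$ckn" | grep -Eq '^[0-9a-fA-F]{64}$' \
    || { echo "CKN must be 64 hex characters" >&2; return 1; }
  printf '%s' "$cak" | grep -Eq '^([0-9a-fA-F]{32}|[0-9a-fA-F]{64})$' \
    || { echo "CAK must be 32 or 64 hex characters" >&2; return 1; }
  return 0
}

# Generate a fresh CKN/CAK pair from the kernel CSPRNG. Argument: CAK length in bytes (16 or 32).
# Prints "CKN CAK" on one line so it can be captured with: set -- $(gen_macsec_key 32)
gen_macsec_key() {
  bytes=${1:-32}
  ckn=$(od -An -N32 -tx1 /dev/urandom | tr -d ' \n')
  cak=$(od -An -N"$bytes" -tx1 /dev/urandom | tr -d ' \n')
  printf '%s %s\n' "$ckn" "$cak"
}

# Step 3 of the flow on the AWS side: register the pair for the connection, then
# require MACsec. must_encrypt: traffic is dropped if the MACsec session fails.
# should_encrypt: traffic falls back to cleartext, which defeats the purpose here.
associate_and_enforce() {
  conn=$1; ckn=$2; cak=$3
  validate_macsec_key "$ckn" "$cak" || return 1
  aws directconnect associate-mac-sec-key \
      --connection-id "$conn" --ckn "$ckn" --cak "$cak" >/dev/null
  # Alternative: keep the pair in Secrets Manager and pass --secret-arn instead of --ckn/--cak.
  aws directconnect update-connection \
      --connection-id "$conn" --encryption-mode must_encrypt >/dev/null
  # Confirm the mode took effect and the port reports its encryption status.
  aws directconnect describe-connections --connection-id "$conn" \
      --query 'connections[0].[encryptionMode,portEncryptionStatus]' --output text
}

# Usage (hypothetical connection id):
#   set -- $(gen_macsec_key 32)
#   associate_and_enforce dxcon-EXAMPLE "$1" "$2"
```

The router side still needs the same CKN/CAK configured with the matching cipher suite, and the pair should be rotated on a schedule by associating a new key and disassociating the old one rather than editing the existing one in place.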

IPsec over Direct Connect (Layer 3)

NB:

  • If the twtech DX circuit does not support MACsec (e.g., a Hosted connection or a lower speed), twtech can run an IPsec VPN over the Direct Connect link instead.

Architecture Sample

Key Properties

  • End-to-end encryption between the twtech site and AWS.
  • Uses IKEv2 for negotiation.
  • Can use BGP over IPsec for dynamic routing.
  • Supported through:
    • Virtual Private Gateway (VGW): simpler, managed.
    • Transit Gateway (TGW): scalable, multi-VPC architecture.

Benefits

  • Encryption independent of the physical link
  • Works with any DX connection type
  • Compliant with FIPS 140-2 standards

Limitations

  • Slightly higher latency due to IPsec overhead.
  • Reduced throughput (~10–15% lower than unencrypted DX).
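The throughput figure above has a fixed, packet-size-dependent component that can be worked out exactly, which matters when sizing the tunnel MTU and the TCP MSS clamp. The calculator below is an added example, not from the original post; it assumes ESP in tunnel mode over IPv4 with AES-GCM as described in RFC 4303 and RFC 4106 (outer IPv4 header 20 bytes, ESP header 8, IV 8, padding to a 4-byte boundary, pad-length/next-header trailer 2, ICV 16), with optional NAT-T UDP encapsulation adding 8 bytes. It shows why full-size packets lose only a few percent while small packets lose far more, so the real loss depends on the traffic mix, and why the inner MTU must be lowered rather than left at 1500.

```shell
#!/bin/sh
# Added example: per-packet ESP/AES-GCM tunnel-mode overhead calculator.
# All sizes in bytes; "inner" means the original IP packet (header + payload).

# Bytes on the wire for one encapsulated packet of INNER bytes.
# Second argument 1 adds the 8-byte UDP header used by NAT-T.
esp_tunnel_size() {
  inner=$1; natt=${2:-0}
  udp=0
  if [ "$natt" -eq 1 ]; then udp=8; fi
  body=$((inner + 2))                 # plaintext + pad length + next header fields
  pad=$(( (4 - body % 4) % 4 ))       # RFC 4303: trailer must be 4-byte aligned
  echo $(( 20 + udp + 8 + 8 + inner + pad + 2 + 16 ))
}

# Largest inner packet that still fits a path of OUTER_MTU bytes without fragmentation.
max_inner_mtu() {
  outer=$1; natt=${2:-0}
  inner=$((outer - 54))               # no-padding, no-NAT-T upper bound; walk down from there
  while [ "$(esp_tunnel_size "$inner" "$natt")" -gt "$outer" ]; do
    inner=$((inner - 1))
  done
  echo "$inner"
}

# TCP MSS to clamp on the tunnel interface for a given inner MTU (IPv4 20 + TCP 20).
tcp_mss_for() { echo $(( $1 - 40 )); }

# Goodput in percent: TCP payload bytes per byte on the wire for an inner packet of INNER bytes.
goodput_pct() {
  inner=$1; natt=${2:-0}
  echo $(( (inner - 40) * 100 / $(esp_tunnel_size "$inner" "$natt") ))
}

# Usage: compare a full-size segment with a small one over a 1500-byte path.
#   big=$(max_inner_mtu 1500); echo "inner MTU $big, MSS $(tcp_mss_for "$big"), goodput $(goodput_pct "$big")%"
#   echo "100-byte packets: goodput $(goodput_pct 100)%"
```

For a 1500-byte path the largest inner packet is 1446 bytes (1438 with NAT-T), so the MSS clamp is 1406 and a full-size segment still delivers about 93% of the wire bytes as payload, against about 97% for the same segment sent unencrypted; a stream of 100-byte packets, by contrast, delivers under 40%. Crypto processing on the VPN endpoints adds a further, platform-dependent cost on top of this.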

Application-Level Encryption (Layer 7)

NB:

Even if twtech Direct Connect traffic isn’t encrypted at the link or network layer, most workloads today encrypt in transit at the application layer.

Examples:

  • HTTPS (TLS 1.2/1.3)
  • gRPC over TLS
  • Database connections with SSL/TLS (e.g., RDS, Aurora, PostgreSQL SSL)
  • Message queues using TLS (e.g., Kafka, MQTT)

Advantages

  • Works regardless of the underlying network.
  • Simplifies compliance for mixed-traffic environments.

Common Architectures

Architecture A: MACsec + Private VIF

Architecture B: IPsec over Hosted Connection

Architecture C: Dual Encryption (MACsec + IPsec)

  • Used for highly regulated workloads (defense, finance, healthcare).

Best Practices

✅ Use MACsec for Dedicated 10/100 Gbps links where the hardware supports it.
✅ Use IPsec over DX for Hosted/low-speed circuits or hybrid cloud VPN-DX architectures.
✅ Always enforce TLS 1.2/1.3 at the application layer.
✅ Monitor encryption state and performance via CloudWatch metrics (e.g., VPN tunnel state, DX throughput).
✅ For compliance (HIPAA, PCI-DSS, FedRAMP), ensure encryption in transit is enforced at one layer at a minimum.
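A small audit helper that turns the first and fourth practices into checks, added here as an example (not from the original post, and not an AWS-provided tool). It assumes the AWS CLI and uses the `macSecCapable`, `encryptionMode` and `portEncryptionStatus` fields that `describe-connections` returns, plus the `TunnelState` metric in the `AWS/VPN` CloudWatch namespace; connection ids, the VPN id and the SNS topic ARN are placeholders. The classifier is separated from the CLI call so it can be run over constructed rows offline.

```shell
#!/bin/sh
# Added example: audit MACsec enforcement on DX connections and alarm on IPsec tunnel loss.
# Ids such as dxcon-EXAMPLE / vpn-EXAMPLE and the SNS ARN are placeholders.

# Classify one connection. Args: connection-id macSecCapable encryptionMode portEncryptionStatus
# (the same order as the --query below; booleans arrive as True/False in text output).
classify_connection() {
  id=$1; capable=$2; mode=$3; status=$4
  case "$capable" in
    [Tt]rue)
      case "$mode" in
        must_encrypt)
          case "$status" in
            "Encryption Up") echo "$id OK must_encrypt and encryption up" ;;
            *) echo "$id FAIL must_encrypt set but port status is '$status' (traffic is being dropped)" ;;
          esac ;;
        should_encrypt) echo "$id WARN should_encrypt permits cleartext fallback; use must_encrypt" ;;
        *) echo "$id FAIL MACsec-capable link running without MACsec (mode '$mode')" ;;
      esac ;;
    *) echo "$id INFO not MACsec-capable (hosted or unsupported speed); cover it with IPsec over DX" ;;
  esac
}

# Read tab-separated rows (id capable mode status) from stdin and classify each.
# `read` assigns the remainder of the line to the last variable, so the two-word
# "Encryption Up"/"Encryption Down" values survive intact.
classify_lines() {
  while read -r id capable mode status; do
    classify_connection "$id" "$capable" "$mode" "$status"
  done
}

# Live audit of every connection in the account/region.
audit_dx_connections() {
  aws directconnect describe-connections \
    --query 'connections[].[connectionId,macSecCapable,encryptionMode,portEncryptionStatus]' \
    --output text | classify_lines
}

# CloudWatch alarm for an IPsec-over-DX VPN: TunnelState is 1 when up, 0 when down,
# and below 1 when any tunnel of the connection is not up. Missing data is treated
# as breaching so a VPN that stops reporting is not mistaken for a healthy one.
alarm_on_vpn_tunnel_down() {
  vpn_id=$1; sns_arn=$2
  aws cloudwatch put-metric-alarm \
    --alarm-name "ipsec-over-dx-${vpn_id}-tunnel-down" \
    --namespace AWS/VPN --metric-name TunnelState \
    --dimensions Name=VpnId,Value="$vpn_id" \
    --statistic Maximum --period 300 --evaluation-periods 1 \
    --threshold 1 --comparison-operator LessThanThreshold \
    --treat-missing-data breaching \
    --alarm-actions "$sns_arn"
}

# Usage (placeholders):
#   audit_dx_connections
#   alarm_on_vpn_tunnel_down vpn-EXAMPLE arn:aws:sns:REGION:ACCOUNT:ops-alerts
```

Run the audit from a scheduled job and fail the job on any FAIL line; the WARN line is the one most often missed, because a `should_encrypt` port looks healthy while carrying cleartext after a MACsec session drop.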

Summary Table

Scenario | Recommended Encryption | Notes
-------- | ---------------------- | -----
Dedicated 10/100G DX | MACsec | Best performance and compliance
Hosted DX | IPsec over DX | Most flexible option
Regulated workloads (HIPAA, PCI) | MACsec + IPsec | Double encryption for compliance
General workloads | TLS/SSL only | Sufficient if data is already encrypted at the application layer
