Multi Account AWS Direct Connect with S2S VPN Redundancy

Cloud computing is widely used across many kinds of business. It reduces cost and adds agility to your projects, but sometimes you still need On-Prem resources to satisfy regulations or to reduce the cost of static workloads.

In this post, we will look at AWS Direct Connect (DX) and a cost-effective way to add redundancy to Direct Connect with a Site-to-Site (S2S) VPN.

What is Direct Connect

Direct Connect (DX) is AWS's private-circuit connectivity to transit providers and datacenters over AWS's and the delivery partner's private network paths. With Direct Connect, private cloud resources such as VPCs are interconnected with On-Prem locations.


Why Direct Connect

The most widespread solution for cloud to On-Prem connectivity is S2S VPN. It is easy to set up and low cost, but if your services are mission critical, require high availability, or must comply with regulations, S2S VPN is not a fit, because there is no service level agreement (SLA) for S2S VPN. S2S VPN uses the public internet to connect the two sites, and the path between them can change at any time with the commercial and operational decisions of the telecom providers in between. Unpredictable latency between the two sites, and the impossibility of an SLA given the variety of network paths, make it inappropriate for some business solutions.


For more control over accounts and for isolation, your corporate architecture might have sub-accounts on AWS split by business unit and environment (dev, stage, prod). Sharing connectivity between accounts can easily be achieved with AWS Transit Gateway (TGW). You can also attach an S2S VPN to your Transit Gateway and set it as the fallback connectivity for your Direct Connect. Transit Gateway is a multi-account and multi-region solution, but besides hourly resource billing you are also billed for processed data. Direct Connect Gateway (DXGW), on the other hand, is a more basic solution with no charge for the resource itself, but it does not directly support an S2S VPN as a redundant link.


A resilient AWS Direct Connect setup has at least two links. When you connect both links to your Direct Connect Gateway, AWS checks the health of each link. There is no routing configuration on the Direct Connect Gateway (DXGW) or on the Virtual Private Gateway (VGW) in the VPC; your On-Prem BGP announcements determine the routing behaviour of the network. For example, you can announce the same prefixes over both DX connections in load-balance mode, so packets leaving the AWS region are distributed across both DX interfaces, or you can announce the second interface with a lower preference than the first, so that the second interface only takes over when the first is down.

So far we have redundancy within Direct Connect itself, but no third option. For example, if your transit provider has a software-level issue and that vendor's network collapses, and your second On-Prem provider does not offer Direct Connect at all, what do you do?

In this situation, the combination of a second internet provider and an S2S VPN is a cost-effective fallback for the Direct Connect service.

If your traffic does not exceed 1 Gbps, you can terminate the DXGW association and the S2S VPN at the same VGW, which also eliminates the TGW data processing fee.

Because the DX announcements have a higher priority than the S2S VPN, the VGW prefers the DX path; but if the DX announcements no longer reach the VGW because of a technical issue, the VGW in the VPC forwards traffic over the S2S VPN instead.
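To make the route preference described above concrete, here is a small Python model, added for this post and not AWS code, of how the VGW picks a path when the same On-Prem prefix is learned over two DX links and one S2S VPN. The active/passive case assumes On-Prem uses AS-path prepending on the second DX link to make it less preferred; link names, prefixes and the ASN are constructed, and the ordering (longest prefix, then DX before VPN, then shortest AS_PATH) is a simplification of the real VGW tie-breakers.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Simplified model of the VGW's path choice, constructed for this example:
# longest prefix first, then Direct Connect before S2S VPN, then the shortest
# on-prem AS_PATH. The real VGW has further tie-breakers not modelled here.
SOURCE_RANK = {"dx": 0, "vpn": 1}  # lower wins


@dataclass(frozen=True)
class Route:
    prefix: str               # on-prem prefix learned via BGP, e.g. "192.168.0.0/16"
    source: str               # "dx" or "vpn"
    link: str                 # link that announced it (constructed names)
    as_path: Tuple[int, ...]  # AS_PATH as announced from on-prem
    up: bool = True           # False once the BGP session drops and the route is withdrawn


def best_routes(rib: List[Route], dest: str) -> List[Route]:
    """Return every route that ties for 'best' toward dest (several = load sharing)."""
    addr = ip_address(dest)
    cands = [r for r in rib if r.up and addr in ip_network(r.prefix)]
    if not cands:
        return []
    longest = max(ip_network(r.prefix).prefixlen for r in cands)
    cands = [r for r in cands if ip_network(r.prefix).prefixlen == longest]
    best_src = min(SOURCE_RANK[r.source] for r in cands)
    cands = [r for r in cands if SOURCE_RANK[r.source] == best_src]
    shortest = min(len(r.as_path) for r in cands)
    return [r for r in cands if len(r.as_path) == shortest]


def chosen_links(rib: List[Route], dest: str) -> List[str]:
    return sorted(r.link for r in best_routes(rib, dest))


def withdraw(rib: List[Route], *links: str) -> List[Route]:
    """Simulate the BGP session(s) on the named link(s) going down."""
    return [replace(r, up=False) if r.link in links else r for r in rib]


ONPREM = "192.168.0.0/16"
ONPREM_ASN = 65000  # constructed private ASN

# Active/passive: on-prem prepends its ASN on dx-2 so dx-1 is preferred while
# dx-2 stays ready; vpn-1 announces the same prefix as the last resort.
RIB_ACTIVE_PASSIVE = [
    Route(ONPREM, "dx", "dx-1", (ONPREM_ASN,)),
    Route(ONPREM, "dx", "dx-2", (ONPREM_ASN, ONPREM_ASN, ONPREM_ASN)),
    Route(ONPREM, "vpn", "vpn-1", (ONPREM_ASN,)),
]

# Active/active: identical announcements on both DX links, so both carry traffic.
RIB_ACTIVE_ACTIVE = [
    Route(ONPREM, "dx", "dx-1", (ONPREM_ASN,)),
    Route(ONPREM, "dx", "dx-2", (ONPREM_ASN,)),
    Route(ONPREM, "vpn", "vpn-1", (ONPREM_ASN,)),
]


def failover_sequence(rib: List[Route], dest: str) -> List[List[str]]:
    """Walk the failure chain: all links up, first DX down, both DX down."""
    return [
        chosen_links(rib, dest),
        chosen_links(withdraw(rib, "dx-1"), dest),
        chosen_links(withdraw(rib, "dx-1", "dx-2"), dest),
    ]


if __name__ == "__main__":
    for name, rib in (("active/passive", RIB_ACTIVE_PASSIVE), ("active/active", RIB_ACTIVE_ACTIVE)):
        print(name, failover_sequence(rib, "192.168.10.5"))
```

One caveat the model makes visible: longest prefix match is evaluated before the DX-over-VPN preference, so if the VPN side ever announces a more specific prefix than the DX side, that traffic will take the VPN even while DX is healthy. Keep the prefix sets announced over both paths identical.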



  • The association of a VGW to Direct Connect is not found on the EC2 console page; you have to visit the Direct Connect page, where there is a tab for virtual private gateways.
  • When you create the association request from the secondary account's Direct Connect page for that VGW, you have to go to the first account's Direct Connect DXGW page to accept the VGW-to-DXGW association request. After that, you also have to accept, at the first account's DXGW, the static routing (the VPC prefixes) from the VGW to the DX connection, which the DXGW uses to announce your VPC subnets to On-Prem.
  • If throughput is higher than 1 Gbps, the S2S VPN becomes a bottleneck for your system. In that case you have to use TGW with multiple S2S VPNs, because each VPN tunnel is limited to 1.25 Gbps. You cannot distribute load between VPNs with a VGW, because the VGW does not support Equal Cost Multi-Path (ECMP) and so cannot spread load across multiple S2S VPNs.
  • By default, Direct Connect does not encrypt the connection between On-Prem and your VPC; for details, see the AWS documentation.
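The cross-account handshake in the second item, as an added example that is not taken from the post: the secondary account proposes the association and the prefixes it wants announced, and the DXGW-owning account checks those prefixes against the ranges it allocated to that sub-account before accepting. Method and parameter names are those of the boto3 `directconnect` client as AWS documents them; the gateway and account IDs are placeholders, and `FakeDirectConnect` is an offline stand-in constructed here so the block runs without credentials.

```python
from ipaddress import ip_network

# Added example: the cross-account DXGW <-> VGW association handshake as
# boto3 "directconnect" calls. In real use each account gets its own client:
#     import boto3
#     dx = boto3.client("directconnect")   # credentials of that account
# Gateway and account IDs used below are placeholders, not real resources.


def prefixes_within(proposed, allowed):
    """True only if every proposed CIDR lies inside one of the allowed CIDRs."""
    return all(
        any(ip_network(p).subnet_of(ip_network(a)) for a in allowed) for p in proposed
    )


def propose_association(dx, dxgw_id, dxgw_owner_account, vgw_id, vpc_cidrs):
    """Secondary (VPC-owning) account: ask the DXGW owner to associate our VGW
    and to announce vpc_cidrs to on-prem through the DXGW."""
    resp = dx.create_direct_connect_gateway_association_proposal(
        directConnectGatewayId=dxgw_id,
        directConnectGatewayOwnerAccount=dxgw_owner_account,
        gatewayId=vgw_id,
        addAllowedPrefixesToDirectConnectGateway=[{"cidr": c} for c in vpc_cidrs],
    )
    return resp["directConnectGatewayAssociationProposal"]["proposalId"]


def accept_if_expected(dx, dxgw_id, proposal_id, vgw_owner_account, expected_cidrs):
    """First (DXGW-owning) account: accept only when the requested prefixes sit
    inside the ranges allocated to that sub-account. The allowed prefixes are
    what the DXGW advertises to on-prem, so a broader request than intended
    would advertise ranges that do not belong to that VPC."""
    found = dx.describe_direct_connect_gateway_association_proposals(
        directConnectGatewayId=dxgw_id, proposalId=proposal_id
    )["directConnectGatewayAssociationProposals"]
    if not found:
        raise LookupError(f"no proposal {proposal_id}")
    requested = [p["cidr"] for p in found[0]["requestedAllowedPrefixesToDirectConnectGateway"]]
    if not prefixes_within(requested, expected_cidrs):
        return "rejected", requested
    resp = dx.accept_direct_connect_gateway_association_proposal(
        directConnectGatewayId=dxgw_id,
        proposalId=proposal_id,
        associatedGatewayOwnerAccount=vgw_owner_account,
        overrideAllowedPrefixesToDirectConnectGateway=[{"cidr": c} for c in requested],
    )
    return resp["directConnectGatewayAssociation"]["associationState"], requested


class FakeDirectConnect:
    """Offline stand-in for the boto3 client, mimicking only the response
    fields used above (constructed for this example)."""

    def __init__(self):
        self.proposals = {}

    def create_direct_connect_gateway_association_proposal(self, **kw):
        pid = f"proposal-{len(self.proposals) + 1}"
        self.proposals[pid] = {
            "proposalId": pid,
            "directConnectGatewayId": kw["directConnectGatewayId"],
            "proposalState": "requested",
            "requestedAllowedPrefixesToDirectConnectGateway":
                kw["addAllowedPrefixesToDirectConnectGateway"],
        }
        return {"directConnectGatewayAssociationProposal": self.proposals[pid]}

    def describe_direct_connect_gateway_association_proposals(self, **kw):
        p = self.proposals.get(kw.get("proposalId"))
        return {"directConnectGatewayAssociationProposals": [p] if p else []}

    def accept_direct_connect_gateway_association_proposal(self, **kw):
        self.proposals[kw["proposalId"]]["proposalState"] = "accepted"
        return {"directConnectGatewayAssociation": {"associationState": "associating"}}


DXGW_ID, DXGW_OWNER = "dxgw-PLACEHOLDER", "111111111111"   # first account
VGW_ID, VGW_OWNER = "vgw-PLACEHOLDER", "222222222222"      # secondary account
ALLOCATED_TO_SUBACCOUNT = ["10.20.0.0/16"]                 # constructed allocation


def run_handshake(dx, vpc_cidrs):
    pid = propose_association(dx, DXGW_ID, DXGW_OWNER, VGW_ID, vpc_cidrs)
    return accept_if_expected(dx, DXGW_ID, pid, VGW_OWNER, ALLOCATED_TO_SUBACCOUNT)


if __name__ == "__main__":
    print(run_handshake(FakeDirectConnect(), ["10.20.0.0/16"]))               # accepted
    print(run_handshake(FakeDirectConnect(), ["10.20.0.0/16", "0.0.0.0/0"]))  # rejected
```

With real clients, run `propose_association` under the secondary account's credentials and `accept_if_expected` under the first account's; the prefix check is the part worth keeping, since whatever the owner accepts as allowed prefixes is exactly what the DXGW announces to On-Prem.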

© 2024 All rights reserved.
