Ensure Direct Connect Connections Are Redundant

Overview

This check verifies that your AWS Direct Connect setup includes redundant connections across at least two distinct physical locations. Direct Connect provides a dedicated network link between your on-premises data center and AWS, but a single connection creates a single point of failure.

Risk

Without redundant connections at different locations, your AWS connectivity is vulnerable to:

  • Fiber cuts - Construction or accidents can sever your connection
  • Device failures - Router or switch malfunctions at a single location
  • Facility outages - Power failures, natural disasters, or maintenance at one site
  • Planned maintenance - AWS or partner maintenance may require taking a connection offline

A loss of Direct Connect can halt application traffic, break data replication, and block administrative access until connectivity is restored.

Remediation Steps

Prerequisites

You need:

  • An AWS account with permissions to manage Direct Connect resources
  • An existing Direct Connect connection (this check fails when only one connection exists, so a second one is needed)
  • A relationship with a Direct Connect Partner or colocation at AWS Direct Connect locations

Important: Creating a new Direct Connect connection requires coordination with AWS Direct Connect Partners and typically takes days to weeks to provision. This is not an instant fix.

AWS Console Method

  1. Review your current connections

    • Open the AWS Direct Connect console
    • Ensure the region is set to US East (N. Virginia) (us-east-1)
    • Click Connections in the left navigation
    • Note the Location of your existing connection(s)
  2. Identify a second Direct Connect location

    • Click Create connection
    • Review the available locations in the Location dropdown
    • Choose a location that is geographically separate from your existing connection
    • For example, if your primary is in an Equinix facility in Virginia, consider a facility in New York or another metro area
  3. Create the redundant connection

    • Enter a Connection name (e.g., secondary-dx-connection)
    • Select the Location you identified
    • Choose the Bandwidth (should match or exceed your primary connection)
    • Optionally add to a Link Aggregation Group (LAG) for bandwidth aggregation
    • Click Create connection
  4. Complete the physical setup

    • Download the Letter of Authorization (LOA) from the connection details
    • Provide the LOA to your Direct Connect Partner or colocation provider
    • Work with them to establish the cross-connect to AWS equipment
  5. Configure routing for failover

    • Set up Virtual Interfaces on both connections
    • Use BGP with appropriate AS path prepending or MED values to control traffic flow
    • Test failover by temporarily disabling one connection

AWS CLI (optional)

List available Direct Connect locations

aws directconnect describe-locations --region us-east-1

View your existing connections

aws directconnect describe-connections --region us-east-1

Create a redundant connection at a different location

aws directconnect create-connection \
    --region us-east-1 \
    --location "EqNY2" \
    --bandwidth "1Gbps" \
    --connection-name "secondary-dx-connection" \
    --tags Key=Name,Value="Secondary Direct Connect" Key=Role,Value=Secondary

Parameters:

  • --location - Use a location code different from your existing connection (get codes from describe-locations)
  • --bandwidth - Match your primary connection bandwidth (e.g., 1Gbps, 10Gbps)
  • --connection-name - A descriptive name for the connection

Check connection status

aws directconnect describe-connections \
    --region us-east-1 \
    --query 'connections[*].{Name:connectionName,Location:location,State:connectionState}'

Terraform (optional)

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

# Primary Direct Connect connection
resource "aws_dx_connection" "primary" {
  name      = "primary-dx-connection"
  bandwidth = "1Gbps"
  location  = "EqDC2" # Example: Equinix DC2 in Ashburn, VA

  tags = {
    Name        = "Primary Direct Connect"
    Environment = "Production"
    Role        = "Primary"
  }
}

# Secondary Direct Connect connection at a different location
resource "aws_dx_connection" "secondary" {
  name      = "secondary-dx-connection"
  bandwidth = "1Gbps"
  location  = "EqNY2" # Example: Equinix NY2 in New York

  tags = {
    Name        = "Secondary Direct Connect"
    Environment = "Production"
    Role        = "Secondary"
  }
}

output "primary_connection_id" {
  description = "ID of the primary Direct Connect connection"
  value       = aws_dx_connection.primary.id
}

output "secondary_connection_id" {
  description = "ID of the secondary Direct Connect connection"
  value       = aws_dx_connection.secondary.id
}

Note: Replace the location values with actual Direct Connect location codes appropriate for your region. Use aws directconnect describe-locations to find available locations.

CloudFormation (optional)

Note: While CloudFormation supports AWS::DirectConnect::Connection, most organizations provision Direct Connect connections through the console or CLI due to the physical provisioning coordination required.

AWSTemplateFormatVersion: '2010-09-09'
Description: Deploy redundant AWS Direct Connect connections across two locations

Parameters:
  PrimaryLocation:
    Type: String
    Description: Location code for primary Direct Connect connection
    Default: EqDC2

  SecondaryLocation:
    Type: String
    Description: Location code for secondary Direct Connect connection
    Default: EqNY2

  Bandwidth:
    Type: String
    Description: Connection bandwidth
    Default: 1Gbps
    AllowedValues:
      - 1Gbps
      - 10Gbps
      - 100Gbps

Resources:
  PrimaryConnection:
    Type: AWS::DirectConnect::Connection
    Properties:
      ConnectionName: primary-dx-connection
      Location: !Ref PrimaryLocation
      Bandwidth: !Ref Bandwidth
      Tags:
        - Key: Name
          Value: Primary Direct Connect
        - Key: Role
          Value: Primary

  SecondaryConnection:
    Type: AWS::DirectConnect::Connection
    Properties:
      ConnectionName: secondary-dx-connection
      Location: !Ref SecondaryLocation
      Bandwidth: !Ref Bandwidth
      Tags:
        - Key: Name
          Value: Secondary Direct Connect
        - Key: Role
          Value: Secondary

Outputs:
  PrimaryConnectionId:
    Description: ID of the primary Direct Connect connection
    Value: !Ref PrimaryConnection

  SecondaryConnectionId:
    Description: ID of the secondary Direct Connect connection
    Value: !Ref SecondaryConnection

Verification

After creating your redundant connection:

  1. Go to the Direct Connect console
  2. Click Connections in the left navigation
  3. Verify you have at least two connections listed
  4. Check that the connections are at different locations (shown in the Location column)
  5. Confirm both connections show a state of Available

CLI verification commands

List all connections and their locations

aws directconnect describe-connections \
    --region us-east-1 \
    --query 'connections[*].{Name:connectionName,Location:location,State:connectionState}' \
    --output table

Verify connections are at different locations

aws directconnect describe-connections \
    --region us-east-1 \
    --query 'connections[*].location' \
    --output text | tr '\t' '\n' | sort | uniq -c

You should see at least two different locations listed.
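A scripted form of this verification, added here as an example rather than code from this page or from the check tool: it evaluates the connections list returned by describe-connections (the same connectionName, location and connectionState fields the queries above select), counts only connections in the Available state, and requires two distinct locations, so two ports in the same facility do not pass. The sample responses are constructed; the boto3 fetch helper is an assumption about how live data would be obtained and is not needed to run the evaluation.

```python
"""Evaluate Direct Connect redundancy from a describe-connections response."""
from collections import Counter

# Only connections that are up can provide redundancy; this is the state
# the console verification step above expects to see.
USABLE_STATE = "available"


def evaluate_redundancy(connections):
    """Return (is_redundant, summary) for the `connections` list from
    `aws directconnect describe-connections`.

    Redundant means at least two connections in the available state at two
    distinct Direct Connect locations. Two available ports in the same
    facility share its fiber, power and maintenance windows and do not count.
    """
    usable = [c for c in connections if c.get("connectionState") == USABLE_STATE]
    per_location = Counter(c["location"] for c in usable)
    summary = {
        "total": len(connections),
        "usable": len(usable),
        "locations": dict(per_location),
        "not_usable": [c["connectionName"] for c in connections
                       if c.get("connectionState") != USABLE_STATE],
    }
    return len(per_location) >= 2, summary


def fetch_connections(region="us-east-1"):
    """Live variant (assumption: boto3 and credentials present; not exercised offline)."""
    import boto3  # imported lazily so the offline evaluation needs no AWS SDK
    client = boto3.client("directconnect", region_name=region)
    return client.describe_connections()["connections"]


# Constructed sample: two available ports in the same facility plus one still
# pending elsewhere. This must FAIL the check despite three connections.
SAMPLE_SAME_SITE = [
    {"connectionName": "dx-a", "location": "EqDC2", "connectionState": "available"},
    {"connectionName": "dx-b", "location": "EqDC2", "connectionState": "available"},
    {"connectionName": "dx-pending", "location": "EqNY2", "connectionState": "pending"},
]

# Constructed sample matching the page's primary/secondary layout; this passes.
SAMPLE_OK = [
    {"connectionName": "primary-dx-connection", "location": "EqDC2", "connectionState": "available"},
    {"connectionName": "secondary-dx-connection", "location": "EqNY2", "connectionState": "available"},
]
```

Run `evaluate_redundancy(fetch_connections())` against a real account, or pass it the parsed JSON from the describe-connections command above.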

Additional Resources

Notes

  • Lead time: Provisioning a new Direct Connect connection typically takes 1-4 weeks depending on the location and partner availability. Plan ahead.

  • Cost considerations: Each Direct Connect connection incurs hourly port fees plus data transfer charges. Budget for the additional connection cost.

  • VPN backup: AWS recommends maintaining a Site-to-Site VPN as a tertiary backup in case both Direct Connect connections fail simultaneously.

  • Active/Active routing: For best resilience, configure BGP to use both connections actively rather than keeping one as pure standby. This helps detect issues before a failover event.

  • Different providers: For maximum resilience, consider using different Direct Connect Partners for each connection to avoid single-provider dependencies.

  • Bandwidth sizing: Ensure each connection can handle your full traffic load independently in case one fails. Don't rely on both connections being available for normal operations.