3 Mins Read

AWS Direct Connect Connection Security

Direct Connect: An Overview

When customers want to establish hybrid connectivity between their corporate data center and AWS resources using a consistent network with high throughput, they can opt for a Direct Connect connection. This connection can be created and managed by a customer or with the help of a Direct Connect partner. Using this hybrid connection, customers can create various architectures to establish connectivity between on-premises resources and VPC through a Virtual Gateway, Transit Gateway, or Direct Connect Gateway. In this blog, we will try to understand some security features that are available with Direct Connect connection to secure it.

Direct Connect Connection-Security Considerations

We can secure the Direct Connect connections on various layers. Let’s look at some options that can be used for security.


  • Layer4 Security – Traffic can be encrypted through the host communicating over a Direct Connect connection using TLS / Layer4 encryption.


  • Layer3 Security – Establishing VPN connection using IPSec over the Direct Connect connection. It works only with a Public virtual interface. IPSec tunnels can be set using Public IPs on the customer router and Public IPs of TGW or VGW on the AWS end.


  • Layer2 Security – This can be implemented by enabling the MACSec feature while creating a Direct Connect connection.

  • Cloud Migration
  • Devops
  • AIML & IoT
Know More

Know more about MACSec.

  • MACSec is a security feature available in Direct Connect connection to provide security on Layer2.
  • Encrypts the frames ethertype and payload.
  • It is IEEE 802.1AE Layer2 standard.
  • MACSec also provides data integrity, confidentiality, and authenticity of data origin.
  • MACSec also provides Replay protection by ensuring the frames are not processed out of order.
  • This feature is supported by only selected Direct Connect partners with 10Gbps and 100Gbps.
  • The option to use MACSec can be enabled while creating the new Direct Connect Connection.

MACSec Important Concepts

  • MACSec Secret Key – A pre-shared key used to establish connectivity between the customer’s on-premises router and connection port on the AWS Direct Connect location side.
  • MACSec Key Agreement Protocol (MKA) manages the peer discovery, authentication, and generation of encryption keys required for traffic encryption.


  • Connection Key Name (CKN) and Connectivity Association Key (CAK) – These values generate the MACSec Secret Key. The customer generates these values and should be associated with your Direct Connect connection and provision on your edge device (at your end).

MACSec Values

MACSec can be configured for the values given below.


  • should_encrypt – Connection attempts MKA; if it is successful, the connection will send and receive only encrypted traffic. But if MKA fails or timeouts, then the connection will permit unencrypted traffic to flow over the connection. This is the default value.
  • must_encrypt – Connection attempts MKA; if it is successful, the connection will send and receive only encrypted traffic. But if MKA fails or timeouts, the connection will go down, and the authentication will be retired after some time.
  • no_encrypt – Connection does not perform MKS; any received MKA frames will be ignored. The connection sends and receives only unencrypted frames.

AWS CLI command to set the MACSec value is given below.


Thus, we can conclude that we can secure the Direct Connect connection at different layers using TLS encryption or IPSec VPN. But if you want to encrypt the traffic on Layer2, use the MACSec feature available while creating a Direct Connect connection.

Get your new hires billable within 1-60 days. Experience our Capability Development Framework today.

  • Cloud Training
  • Customized Training
  • Experiential Learning
Read More

About CloudThat

CloudThat is a leading provider of Cloud Training and Consulting services with a global presence in India, the USA, Asia, Europe, and Africa. Specializing in AWS, Microsoft Azure, GCP, VMware, Databricks, and more, the company serves mid-market and enterprise clients, offering comprehensive expertise in Cloud Migration, Data Platforms, DevOps, IoT, AI/ML, and more.

CloudThat is recognized as a top-tier partner with AWS and Microsoft, including the prestigious ‘Think Big’ partner award from AWS and the Microsoft Superstars FY 2023 award in Asia & India. Having trained 650k+ professionals in 500+ cloud certifications and completed 300+ consulting projects globally, CloudThat is an official AWS Advanced Consulting Partner, AWS Training Partner, AWS Migration Partner, AWS Data and Analytics Partner, AWS DevOps Competency Partner, Amazon QuickSight Service Delivery Partner, Amazon EKS Service Delivery Partner, Microsoft Gold Partner, AWS Microsoft Workload Partners, Amazon EC2 Service Delivery Partner, and many more.

To get started, go through our Consultancy page and Managed Services PackageCloudThat’s offerings.

WRITTEN BY Abhijit Dilip Powar



    Click to Comment

Get The Most Out Of Us

Our support doesn't end here. We have monthly newsletters, study guides, practice questions, and more to assist you in upgrading your cloud career. Subscribe to get them all!