
AWS Direct Connect Connection Security


Direct Connect: An Overview

When customers want to establish hybrid connectivity between their corporate data center and AWS resources over a consistent, high-throughput network, they can opt for a Direct Connect connection. The connection can be created and managed by the customer directly or with the help of a Direct Connect partner. Using this hybrid connection, customers can build various architectures that connect on-premises resources to a VPC through a Virtual Private Gateway, a Transit Gateway, or a Direct Connect Gateway. In this blog, we look at the security features available for securing a Direct Connect connection.


Direct Connect Connection-Security Considerations

We can secure Direct Connect connections at several layers. Let’s look at the options available at each.

  • Layer 4 security – Traffic can be encrypted by the hosts communicating over the Direct Connect connection using TLS (Layer 4 encryption).

  • Layer 3 security – Establish an IPsec VPN connection over the Direct Connect connection. This works only with a public virtual interface: the IPsec tunnels are set up between public IPs on the customer router and the public IPs of the Transit Gateway (TGW) or Virtual Private Gateway (VGW) on the AWS end.

  • Layer 2 security – Enable the MACsec feature while creating the Direct Connect connection.

More about MACsec

  • MACsec is a security feature available on Direct Connect connections to provide encryption at Layer 2.
  • It encrypts the frame’s EtherType and payload.
  • It is the IEEE 802.1AE Layer 2 standard.
  • MACsec provides data integrity, confidentiality, and authenticity of data origin.
  • MACsec also provides replay protection by ensuring that frames are not processed out of order.
  • This feature is supported only through selected Direct Connect partners, on 10 Gbps and 100 Gbps connections.
  • MACsec can be enabled while creating a new Direct Connect connection.

MACSec Important Concepts

  • MACsec Secret Key – A pre-shared key used to establish connectivity between the customer’s on-premises router and the connection port at the AWS Direct Connect location.
  • MACsec Key Agreement Protocol (MKA) – Manages peer discovery, authentication, and generation of the encryption keys required for traffic encryption.
  • Connection Key Name (CKN) and Connectivity Association Key (CAK) – These values generate the MACsec Secret Key. The customer generates them, associates them with the Direct Connect connection, and provisions them on the edge device at the customer’s end.

MACSec Values

MACsec can be configured with one of the values below.

  • should_encrypt – The connection attempts MKA; if it succeeds, the connection sends and receives only encrypted traffic. If MKA fails or times out, the connection permits unencrypted traffic to flow. This is the default value.
  • must_encrypt – The connection attempts MKA; if it succeeds, the connection sends and receives only encrypted traffic. If MKA fails or times out, the connection goes down, and authentication is retried after some time.
  • no_encrypt – The connection does not perform MKA; any received MKA frames are ignored. The connection sends and receives only unencrypted frames.

The AWS CLI command to set the MACsec value is given below.
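As an added example that is not from the original post, the Python below builds the `aws directconnect update-connection --encryption-mode` call and audits `describe-connections` output for connections still in the fallback-capable `should_encrypt` mode; the field names follow the DescribeConnections API response, and the connection IDs and keys are constructed sample data.

```python
"""Audit MACsec posture from `aws directconnect describe-connections` output.

Added example, not from the original post. Field names follow the DescribeConnections
API response; the connection IDs and keys below are constructed sample data."""

VALID_MODES = ("no_encrypt", "should_encrypt", "must_encrypt")


def build_update_command(connection_id: str, mode: str) -> list:
    """Return the AWS CLI argv that sets the MACsec encryption mode."""
    if mode not in VALID_MODES:
        raise ValueError(f"mode must be one of {VALID_MODES}, got {mode!r}")
    return ["aws", "directconnect", "update-connection",
            "--connection-id", connection_id, "--encryption-mode", mode]


def audit_connection(conn: dict) -> list:
    """Return findings for one connection; an empty list means encryption is enforced."""
    cid = conn.get("connectionId", "<unknown>")
    if not conn.get("macSecCapable"):
        return [f"{cid}: port is not MACsec capable"]
    findings = []
    mode = conn.get("encryptionMode")
    if mode == "no_encrypt":
        findings.append(f"{cid}: MACsec disabled (no_encrypt)")
    elif mode == "should_encrypt":
        # Default mode: a failed or timed-out MKA silently falls back to cleartext.
        findings.append(f"{cid}: should_encrypt falls back to cleartext if MKA fails")
    elif mode != "must_encrypt":
        findings.append(f"{cid}: unexpected encryptionMode {mode!r}")
    keys = conn.get("macSecKeys") or []
    if not any(k.get("state") == "associated" for k in keys):
        findings.append(f"{cid}: no CKN/CAK pair in 'associated' state")
    if conn.get("portEncryptionStatus") != "Encryption Up":
        findings.append(f"{cid}: portEncryptionStatus is {conn.get('portEncryptionStatus')!r}")
    return findings


# Constructed sample in the shape of the describe-connections "connections" list.
SAMPLE_CONNECTIONS = [
    {"connectionId": "dxcon-sample1", "macSecCapable": True,
     "encryptionMode": "should_encrypt", "portEncryptionStatus": "Encryption Down",
     "macSecKeys": [{"ckn": "0011", "state": "associating"}]},
    {"connectionId": "dxcon-sample2", "macSecCapable": True,
     "encryptionMode": "must_encrypt", "portEncryptionStatus": "Encryption Up",
     "macSecKeys": [{"ckn": "2233", "state": "associated"}]},
]

if __name__ == "__main__":
    for conn in SAMPLE_CONNECTIONS:
        print("\n".join(audit_connection(conn) or [f"{conn['connectionId']}: OK"]))
    print(" ".join(build_update_command("dxcon-sample1", "must_encrypt")))
```

Running it against real output (`aws directconnect describe-connections | python -c ...`) only requires feeding each entry of the `connections` list to `audit_connection`.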

Conclusion

Thus, we can conclude that a Direct Connect connection can be secured at different layers using TLS encryption or an IPsec VPN. To encrypt the traffic at Layer 2, use the MACsec feature available when creating a Direct Connect connection.



WRITTEN BY Abhijit Dilip Powar
