SYSTEM Cited by 2 sources

AWS Direct Connect

What it is

AWS Direct Connect is AWS's dedicated private network connection service — layer-2/3 circuits terminating in AWS Direct Connect Points of Presence (PoPs), typically provisioned by carriers or colocation partners, providing lower-latency, higher-bandwidth, more-predictable connections than internet-based transit.

Role in cross-partition connectivity

Direct Connect is one of the three named cross-partition network options:

"You can connect AWS partitions in three ways: internet connectivity secured by TLS, IPsec Site-to-Site VPN over the internet, or through an AWS Direct Connect gateway to on-premises routers or using Direct Connect point of presence (PoP) partner connections to another Direct Connect PoP." (Source: sources/2026-01-30-aws-sovereign-failover-design-digital-sovereignty)

Two sub-shapes for cross-partition Direct Connect:

1. Direct Connect gateway → on-premises customer router → other partition's Direct Connect gateway. The customer routes cross-partition traffic through their own on-prem infrastructure.
2. Direct Connect PoP partner connection. "Partners located in Direct Connect PoPs can provide cross-partition connectivity services. These services can move traffic from one Direct Connect PoP to another. Such a setup enables dedicated lines between the AWS European Sovereign Cloud Direct Connect PoPs and the Direct Connect locations in other partitions."

Role in centralised network inspection

Direct Connect Gateway participates as a TGW attachment in centralised network inspection topologies — attached to the same TGW as workload VPCs and associated with the pre-inspection route table so that on-prem ↔ AWS and on-prem ↔ internet traffic transits the central Network Firewall just like inter-VPC traffic. Canonical wiki reference: sources/2025-11-26-aws-secure-amazon-evs-with-aws-network-firewall.

This means hybrid-cloud posture decisions like "inspect all traffic leaving our AWS footprint to on-prem" and "inspect on-prem ↔ internet flows that transit AWS" are both expressible by adding DXGW to the pre-inspection RT alongside the VPC attachments.

Stub page

Seen in

• sources/2025-11-26-aws-secure-amazon-evs-with-aws-network-firewall — Direct Connect Gateway attached to TGW and placed on the pre-inspection route table so on-prem ↔ AWS and on-prem ↔ internet traffic is inspected by the centralised Network Firewall alongside inter-VPC traffic.
• sources/2026-01-30-aws-sovereign-failover-design-digital-sovereignty — Direct Connect as one of three cross-partition connectivity options; PoP-to-PoP partner connections as the dedicated-line shape for regulated workloads.

Related

• systems/aws-transit-gateway — per-partition; does not peer cross-partition
• systems/aws-network-firewall — inspection engine for hybrid traffic in the centralised-inspection shape.
• concepts/aws-partition
• concepts/centralized-network-inspection — DXGW is a first-class attachment in the centralised inspection topology.
• patterns/cross-partition-failover
• patterns/pre-inspection-post-inspection-route-tables — where DXGW sits in the hybrid-inspection case.