AWS Direct Connect vs Public/Private peering at IXP

The short answer to the first question is "yes". It's arguable that option (1) is "better" in the sense that peering directly with AWS means that the IXP network is taken out of the equation; and you're also not sharing the bandwidth from the IXP to AWS with anyone else. However, the setup time is longer and it's likely to have other costs associated with it.

To the second and third questions: Yes, Direct Connect is a dedicated connection for you. Yes, it does deliver private access to VPCs (and Transit Gateway) rather than public access (which as you mention, means a VPN is required). Note that Direct Connect Public VIF provides for public connections as well.

Why would you use Direct Connect? Because most customers are not set up to handle peering arrangements and they want private connections. It makes sense for large network providers to peer with AWS; but for most customers (not all, but definitely in the vast majority), Direct Connect is the best way forward.

It's also offered as a service with many network partners meaning that hosted connections can be up and running in minutes (assuming the customer has some sort of existing connectivity with the network partner); or days (if they haven't or need to do cross-connects in points of presence).

Do take a look at this very recent blog that touches upon some of these concepts, see the 2 relevant sections from the blog:

https://aws.amazon.com/blogs/networking-and-content-delivery/growing-aws-internet-peering-with-400-gbe/

AWS peers with Internet Service Providers (ISP) either over an Internet Exchange (IX) or with private network interconnects (PNIs) directly in our border routers. The AWS Network has been built out over the course of more than a decade. Our goal is to peer with ISPs that operate infrastructure connecting end-users in every country in the world as locally and closely to their market as possible to reduce latency and increase capacity to the end-users. One of the primary internal users of our global network backbone is Amazon CloudFront

In contrast to peering and the peering points described here, Direct Connect has a global footprint as well, operating in over 115 different locations around the world and offering connection speeds starting at 50 Mbps and scaling up to 100 Gbps. When AWS customers require the reliability and predictability of a private connection, Direct Connect is the answer. AWS customers that also operate peering networks are discouraged from transferring significant volumes of their own data over peering connections. This is because we acknowledge that peering connections aren’t individually maintained in the same robust manner as the Direct Connect service. Instead, they achieve resiliency through a meshed collection of direct and indirect peering paths.

Direct Connect also offers features that peering simply doesn’t. Importantly, Direct Connect offers three different types of virtual interfaces. Private and Transit virtual interfaces allow direct access to customer VPCs. This means that there is no need to expose their AWS resources to the public internet if you don’t want to. A Public virtual interface provides access to public endpoints such as Amazon Simple Storage Service (Amazon S3), but customers are in control of the AWS Regions that they allow access. This last point is where there is a key and distinct difference between internet peering and Direct Connect.