Inquiry Regarding Security and Encryption for Direct Connect (DX) Connection Configuration


We have established a hosted connection for Direct Connect (DX), utilizing a Point-to-Point (P2P) topology with our Internet Service Provider (ISP) for initial connectivity. Subsequently, the connection is handed over to a DX partner for further routing.

Questions:

  1. Is the setup regarded as a private link connecting our on-premises infrastructure to AWS?

  2. How can data traffic encryption be implemented for this type of connection? The DX connection details in the console indicate "no_encrypt," and the Port Encryption status is reported as "down." How can data traffic security be ensured in this scenario?

Ali Md
asked 9 months ago
2 Answers
Accepted Answer

It seems that you have a Hosted Connection and not a Dedicated Connection; refer here for more info: https://docs.aws.amazon.com/directconnect/latest/UserGuide/WorkingWithConnections.html

  1. Yes, this is a private link between your on-prem and AWS resources.
  2. MAC Security (MACsec) is a Direct Connect feature used to encrypt the traffic traversing Direct Connect; however, MACsec is only supported over a Dedicated Connection. To encrypt the traffic over a hosted connection, you would have to use a Site-to-Site VPN connection over a public or transit VIF.

Here is a guide on how to accomplish that: https://repost.aws/knowledge-center/create-vpn-direct-connect

Matt_E (AWS)
answered 9 months ago
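One way to turn the accepted answer into a repeatable audit, as an added example that is not part of this thread and not AWS code: parse the JSON shape that `aws directconnect describe-connections` returns and classify each connection by whether the link itself is encrypted and what the remaining option is. The field names (`connectionId`, `partnerName`, `macSecCapable`, `encryptionMode`, `portEncryptionStatus`) are those of the DescribeConnections API; the connection records are constructed sample data, and the rule "a `partnerName` means a hosted connection" is an assumption of this example.

```python
"""Audit Direct Connect connections for in-transit encryption posture.

Added example, not from the re:Post thread or from AWS. It applies the logic
of the accepted answer: MACsec is only possible on a Dedicated Connection, so a
hosted connection showing "no_encrypt" needs a Site-to-Site VPN over a public
or transit VIF. Sample data below is constructed, not from a real account.
"""
import json
from dataclasses import dataclass
from typing import List

# Constructed sample in the describe-connections output shape.
SAMPLE_DESCRIBE_CONNECTIONS = json.dumps({
    "connections": [
        {   # Hosted connection, like the one in the question
            "connectionId": "dxcon-EXAMPLE01",
            "connectionName": "hosted-via-partner",
            "bandwidth": "500Mbps",
            "partnerName": "ExamplePartner",
            "macSecCapable": False,
            "portEncryptionStatus": "Encryption Down",
            "encryptionMode": "no_encrypt",
            "macSecKeys": [],
        },
        {   # Dedicated, MACsec-capable port with no key associated yet
            "connectionId": "dxcon-EXAMPLE02",
            "connectionName": "dedicated-10g-nokeys",
            "bandwidth": "10Gbps",
            "macSecCapable": True,
            "portEncryptionStatus": "Encryption Down",
            "encryptionMode": "no_encrypt",
            "macSecKeys": [],
        },
        {   # Dedicated port with MACsec up and enforced
            "connectionId": "dxcon-EXAMPLE03",
            "connectionName": "dedicated-10g-macsec",
            "bandwidth": "10Gbps",
            "macSecCapable": True,
            "portEncryptionStatus": "Encryption Up",
            "encryptionMode": "must_encrypt",
            "macSecKeys": [{"ckn": "CKN-PLACEHOLDER", "state": "associated"}],
        },
    ]
})


@dataclass
class Finding:
    connection_id: str
    kind: str             # "hosted" or "dedicated"
    link_encrypted: bool  # True only when MACsec is up on the port
    recommendation: str


def connection_kind(conn: dict) -> str:
    # Assumption of this example: hosted connections carry a partnerName,
    # dedicated connections do not.
    return "hosted" if conn.get("partnerName") else "dedicated"


def assess_connection(conn: dict) -> Finding:
    kind = connection_kind(conn)
    mode = conn.get("encryptionMode", "no_encrypt")
    capable = bool(conn.get("macSecCapable", False))
    up = conn.get("portEncryptionStatus") == "Encryption Up"

    if up and mode == "must_encrypt":
        rec = "MACsec is up and enforced on the link; keep TLS for end-to-end protection."
    elif up and mode == "should_encrypt":
        # should_encrypt falls back to clear text if the MACsec session fails
        rec = "MACsec is up but should_encrypt permits clear-text fallback; set must_encrypt."
    elif capable:
        rec = f"Port supports MACsec but encryptionMode is {mode}; associate a CKN/CAK and set must_encrypt."
    elif kind == "hosted":
        rec = "Hosted connections cannot use MACsec; run a Site-to-Site VPN over a public or transit VIF."
    else:
        rec = "Dedicated port is not MACsec capable; use a Site-to-Site VPN over a public or transit VIF or application-layer TLS."
    return Finding(conn["connectionId"], kind, up, rec)


def assess_describe_connections(raw_json: str) -> List[Finding]:
    """Classify every connection in a describe-connections JSON document."""
    payload = json.loads(raw_json)
    return [assess_connection(c) for c in payload.get("connections", [])]


def unencrypted_links(findings: List[Finding]) -> List[str]:
    """IDs of connections whose physical link carries clear-text traffic."""
    return [f.connection_id for f in findings if not f.link_encrypted]


if __name__ == "__main__":
    for f in assess_describe_connections(SAMPLE_DESCRIBE_CONNECTIONS):
        print(f"{f.connection_id} [{f.kind}] link_encrypted={f.link_encrypted}: {f.recommendation}")
```

Feed it the real output of `aws directconnect describe-connections` instead of the sample to get the same report for an account; a connection that is link-encrypted still carries clear text beyond the DX port, which is the point of the second answer below.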

The accepted answer is good (upvoted) but I'd like to add a little more detail to question (2):

MACsec is designed to encrypt traffic between two adjacent network devices - that is, two devices that are connected directly together. Traffic comes into (say) device A and before it goes to device B (which is directly connected) it is encrypted. Device B receives the traffic and decrypts it before sending it on its way. So while MACsec is excellent at preventing eavesdropping on the physical link between the two devices it does not provide end-to-end protection. The traffic is decrypted at every step of the way (assuming MACsec is enabled on each link). If any of those devices are compromised, so is the data they are carrying.

It is much better to use application layer encryption (TLS normally) to achieve end-to-end encryption. I appreciate that not all protocols (particularly those used by legacy applications) support encryption. Enabling MACsec can help mitigate some risk but it is not an answer to all "encrypt in transit" challenges. I think it would be better to spend the time and money upgrading those legacy applications - that provides a greater degree of security in the long run.

AWS Expert
answered 9 months ago
