Normally, I'd say "no, you can't do that" because you only get two usable IP addresses on a Direct Connect circuit (one for the AWS-side router; one for the customer side). Having a second customer-side router would require another IP address and a larger subnet and another BGP peer - none of those things are offered with Direct Connect.
However, if the ASAs were set up so that the customer-side IP address was shared between the firewalls (active firewall using it; then it shifts to the redundant firewall) then you could make this work. However, I'm unsure in the ASA world whether the IP address that the firewalls share has to be on the same subnet as the interface IP addresses. If it does then you can't do this at all because (as above) the subnet only supports two usable IP addresses.
That said: I would not do this anyway.
In the event of an ASA failover the MAC address would probably change (which would require the AWS router to relearn the MAC address - that won't take too long) and the BGP session would need to be reestablished and routes propagated. All up, less than a minute at best; perhaps longer. So as a "fast" failover method it would not be suitable.
Plus, you're only moving the single point of failure from the ASA to the L2 switch. If you want redundancy, we strongly recommend a second Direct Connect circuit to a separate Direct Point of Presence: https://aws.amazon.com/directconnect/resiliency-recommendation/