AWS Public Sector Blog

Add network agility and security with AWS Direct Connect MACsec encryption and AWS Support


Organizations in the public sector space are continuing to move and run workloads in the cloud while maintaining current connectivity back to their on-premises data centers. Maintaining connectivity between current on-premises data centers, remote sites, and the cloud creates a hybrid environment. Public sector customers with sensitive workloads, such as government or healthcare, are choosing the Amazon Web Services (AWS) cloud for their critical hybrid environments to benefit from the security of AWS’ infrastructure, the agility to make changes to their environments’ resources and architectures as needed, and the ability to reduce costs.

Customers with these sensitive hybrid workloads can take advantage of an additional security feature available in AWS Direct Connect dedicated connections: MACsec encryption (IEEE 802.1AE). We’ll explore how Direct Connect can handle architectural changes, such as adding or isolating different networks. We’ll also cover adding an additional account boundary for security purposes, and how customers can move their Direct Connect connection to that new account. Finally, we’ll cover how customers can leverage AWS Support to help execute this change to reduce downtime for their workloads.

Customers with sensitive workloads in hybrid environments have traditionally used virtual private networks (VPNs) to connect their on-premises data centers to AWS. Tunneling traffic using IPsec encryption remains a stable and secure option, but it comes at the cost of bandwidth: a single VPN tunnel supports a maximum throughput of up to 1.25 Gbps. For higher bandwidth, AWS Direct Connect provides a single line to AWS with dedicated connection speeds of up to 400 Gbps at select locations. Previously, encryption was not available on AWS Direct Connect. Starting in 2021, AWS offered IEEE 802.1AE MAC Security Standard (MACsec) encryption on 10 Gbps, 100 Gbps and 400 Gbps dedicated connections at select locations. Customers can now encrypt their on-premises connections to AWS Regions without compromising on bandwidth.

When addressing encryption, the two protocols should not be viewed as an either/or choice; they are complementary when used together. MACsec is a layer 2 encryption protocol on AWS Direct Connect, extending into the AWS Region using a MACsec-capable customer router cross-connected to an AWS router in the Direct Connect colocation cage. IPsec on AWS Site-to-Site VPN is a layer 3 encryption protocol providing end-to-end encryption from the customer gateway site into your AWS destination endpoint. By using both services together, you gain the consistent connectivity experience of a dedicated connection while adding encryption at multiple layers, as seen in the following diagram.

Figure 1. Common Direct Connect setup for single on-premises network connectivity.

AWS Site-to-Site VPN can be used on AWS Direct Connect’s hosted or dedicated connections; however, MACsec encryption on Direct Connect is only available on dedicated connections. When provisioning a Site-to-Site VPN over a MACsec Direct Connect connection, customers were previously allotted only a single transit virtual interface (transit VIF). Virtual interfaces are logically isolated constructs allowing direct access to AWS services over Direct Connect. Connecting a transit VIF with a Direct Connect gateway allows you to connect your on-premises environment to a Transit Gateway within an AWS account. AWS Transit Gateway is a centralized network transit hub for connecting multiple Amazon Virtual Private Clouds (VPCs). With this single transit VIF, if your network topology needed to change due to expansion, changed governance, or updated regulatory requirements, your only prior option was to provision a second Direct Connect dedicated connection with MACsec encryption, as seen in the diagram below. This second dedicated connection also added a second billable resource, increasing the customer’s spend.

Figure 2. Two Direct Connect connections were a requirement if you needed connectivity and segmentation from two networks, which increases cost.

As of April 2023, being limited to a single transit VIF is no longer an issue. Recall that Transit Gateway is a centralized hub to connect multiple VPCs. While we can connect to multiple VPCs this way, we’re doing so through a single logically isolated transit VIF. For our expanding organization hosting sensitive workloads with different internal data classification requirements, sending all of our data to a single AWS environment over a single transit VIF could introduce compliance challenges for traffic destined for the second AWS environment. To remove concerns around heterogeneous data classifications sharing the same VIF, we can use Direct Connect’s increased transit VIF quota by provisioning a second transit VIF. This allows us to isolate our traffic while eliminating the additional spend of provisioning a separate Direct Connect dedicated connection.

We can also boost our security posture by separating our Direct Connect connection into its own AWS account. An AWS account is the fundamental container and security boundary for all AWS resources that customers create. Moving the Direct Connect connection is not a requirement, but doing so gives us the additional security boundary that a separate AWS account provides. To move the Direct Connect connection and its MACsec capabilities, we’re going to contact AWS Support by opening a ticket to request a Direct Connect migration.

On a scheduled live call, the customer and AWS Support Engineer will perform the following:

  1. Configure the Direct Connect connection to “should encrypt”
  2. Turn off MACsec encryption on the on-premises router
  3. AWS Support moves the connection to the new account
  4. Customer confirms the connection is present in the new account by logging in and verifying
  5. Add the new MACsec key to the on-premises router and the Direct Connect connection
  6. Re-enable MACsec encryption on the on-premises router
  7. Verify traffic is flowing, and set the Direct Connect connection back to “must encrypt”
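The two points in the procedure where a misordered step would drop the link are step 1 (the port must be in should_encrypt before MACsec is turned off on the router) and step 7 (must_encrypt should only be restored once the new key is associated and port encryption is up). The following added example, which is not part of the original post, encodes those two readiness checks over the JSON that `aws directconnect describe-connections` returns; the sample document and the `dxcon-EXAMPLE` id are constructed placeholders.

```python
"""Readiness checks for the MACsec connection-move procedure.

Input is the JSON from `aws directconnect describe-connections`; the
sample below is constructed, not captured from a real account.
"""
import json

# Constructed sample: field names follow the Direct Connect Connection object.
SAMPLE_BEFORE_MOVE = json.dumps({"connections": [{
    "connectionId": "dxcon-EXAMPLE",            # placeholder id
    "connectionState": "available",
    "macSecCapable": True,
    "encryptionMode": "must_encrypt",           # no_encrypt | should_encrypt | must_encrypt
    "portEncryptionStatus": "Encryption Up",
    "macSecKeys": [{"secretARN": "arn:aws:secretsmanager:REGION:ACCOUNT:secret:OLD-EXAMPLE",
                    "ckn": "oldckn00", "state": "associated"}],
}]})


def load_connection(describe_output: str, connection_id: str) -> dict:
    """Pick one connection out of describe-connections output."""
    for conn in json.loads(describe_output)["connections"]:
        if conn["connectionId"] == connection_id:
            return conn
    raise KeyError(connection_id)


def ready_to_move(conn: dict) -> list:
    """Step 1 guard: the port must tolerate MACsec being down during the move.
    Fix with: aws directconnect update-connection --encryption-mode should_encrypt
    """
    problems = []
    if not conn.get("macSecCapable"):
        problems.append("connection is not MACsec capable")
    if conn.get("encryptionMode") != "should_encrypt":
        problems.append("set encryption mode to should_encrypt first")
    return problems


def ready_for_must_encrypt(conn: dict, new_ckn: str) -> list:
    """Step 7 guard: return to must_encrypt only once the new key is live.
    The new key is added with: aws directconnect associate-mac-sec-key
    """
    problems = []
    keys = {k["ckn"]: k["state"] for k in conn.get("macSecKeys", [])}
    if keys.get(new_ckn) != "associated":
        problems.append(f"new key {new_ckn} not associated (state={keys.get(new_ckn)})")
    if conn.get("portEncryptionStatus") != "Encryption Up":
        problems.append("port encryption is down; must_encrypt would drop traffic")
    return problems
```

Run the first check before step 2 and the second before step 7; an empty list means it is safe to proceed.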

Leveraging AWS Support provides several benefits for this use case. First, not having to de-provision a connection in one account to create a new connection in a different account eliminates the associated requirements the customer is responsible for. Since Support is moving a connection and not provisioning a new one, there is no need for the customer to send a Letter of Authorization and Connecting Facility Assignment (LOA-CFA) to the colocation provider, or to wait for the colocation provider to make the cross-connection. Second, working with AWS Support helps customers maintain their layer 2 security posture during a connection transfer while minimizing downtime and eliminating the need to send unencrypted traffic to and from AWS after the connection transfer. The final architecture (Figure 3) features a separate, dedicated account for the Direct Connect connection, plus a new transit VIF for our second network to complement our existing first-network transit VIF.

Figure 3. Direct Connect multi transit VIF setup for network segmentation, plus moving the Direct Connect connection to a standalone account for an additional security boundary.

In this post, we covered how organizations with sensitive hybrid workloads can enhance their security posture and network architecture flexibility by taking advantage of AWS Direct Connect with MACsec encryption and AWS Support. By working with AWS Support to move an existing Direct Connect connection to a new AWS account, customers can create an additional security boundary with minimal downtime.

Direct Connect allowing multiple transit VIFs also allows customers to isolate traffic flows over dedicated transit VIFs per compliance requirements. This provides greater flexibility for future network architecture changes while removing the need to provision an additional billable Direct Connect resource.

By combining AWS Direct Connect’s dedicated bandwidth capabilities with MACsec encryption and the ability to have multiple isolated transit VIFs, customers gain a highly secure, high-speed connectivity option for their hybrid environments. As organizations’ cloud strategies mature, these capabilities from AWS allow them to design robust hybrid architectures tailored to their needs.

David Santore

David is a solutions architect on the U.S. Federal Partners team at Amazon Web Services (AWS), where he supports organizations working with the U.S. Federal Government and Department of Defense (DoD). He enjoys spending his free time with his wife and kids, dad-joking, and working on projects in the garage.

Gene Wright

Gene is a senior technical account manager at Amazon Web Services (AWS), where he supports public sector customers on a global scale. With more than 15 years of experience in the field, Gene is a passionate advocate for security adoption across diverse industries and verticals. He thrives on diving deep into complex challenges to uncover innovative solutions for organizations around the world.