AWS Direct Connect: Layer 1 Hardware and Physical Implementation

This study guide focuses on the physical foundation of AWS hybrid networking, covering the hardware requirements, colocation logistics, and the administrative processes required to establish a high-performance link between on-premises environments and the AWS Cloud.

Learning Objectives

After studying this material, you should be able to:

Explain the purpose and workflow of the Letter of Authorization - Connecting Facility Assignment (LOA-CFA).
Identify the specific optical standards and fiber requirements for 1G, 10G, and 100G Direct Connect links.
Describe the role of colocation facilities and AWS Direct Connect Partners in hybrid connectivity.
Configure physical interface settings including 802.1Q tagging, MTU, and auto-negotiation.

Key Terms & Glossary

LOA-CFA (Letter of Authorization - Connecting Facility Assignment): A formal document provided by AWS that grants permission to a data center provider to connect a customer's fiber to the AWS Direct Connect router.
Colocation Facility (DX Location): A third-party data center (e.g., Equinix, Digital Realty) where AWS hosts its Direct Connect hardware.
Cross-connect: The physical fiber optic cable that bridges the gap between the customer/partner's cage and the AWS cage within a colocation facility.
Single-mode Fiber (SMF): The specific type of fiber optic cable required for all Direct Connect physical links due to its high bandwidth and long-distance capabilities.
SFP/SFP+/QSFP: Small Form-factor Pluggable transceivers used to interface a network device to a fiber optic cable.

The "Big Idea"

While AWS is synonymous with "virtual" and "software-defined," high-performance networking ultimately relies on Physical Layer (Layer 1) infrastructure. Direct Connect bypasses the public internet by establishing a dedicated physical circuit. Understanding the "meat and space" requirements—where the fiber goes, what light frequency it uses, and who has the legal right to plug it in—is the critical first step in any enterprise hybrid cloud deployment.

Formula / Concept Box

Feature	Requirement / Specification
Fiber Type	Single-mode fiber (SMF)
Wavelength	1310 nm
Ethernet Encapsulation	802.1Q (VLAN Tagging)
Jumbo Frames	Supported (up to 9023 bytes)
Routing Protocol	BGP (Border Gateway Protocol) with MD5 Authentication

Hierarchical Outline

Physical Requirements (Layer 1)
- Optical Specs: 1000BASE-LX (1G), 10GBASE-LR (10G), or 100GBASE-LR4 (100G).
- Hardware: Single-mode fiber with LC connectors.
- Port Settings: Auto-negotiation must be disabled for speeds > 1 Gbps.
The Provisioning Process
- AWS Console: Request connection $\rightarrow$ Select Location/Speed.
- LOA-CFA Generation: AWS issues the document after the request is processed.
- Deployment: Provide LOA-CFA to the facility provider to pull the cross-connect.
Connectivity Options
- Dedicated Connection: Physical port dedicated to a single customer.
- Hosted Connection: Provided through an AWS Direct Connect Partner; ideal if the customer isn't in a DX facility.

Visual Anchors

The Direct Connect Provisioning Workflow

Loading Diagram...

Physical Colocation Topology

\begin{tikzpicture}[node distance=2cm, every node/.style={draw, thick, align=center, fill=white}] % Nodes \node (aws) [rectangle, fill=orange!20] {AWS Router \ (DX Facility Cage)}; \node (patch) [rectangle, dashed, right=2cm of aws] {Meet-Me Room \ (Patch Panel)}; \node (cust) [rectangle, fill=blue!20, right=2cm of patch] {Customer Router \ (Partner/Cust Cage)};

code

% Connections
\draw [<->, thick, color=red] (aws) -- node[above] {Cross-connect} (patch);
\draw [<->, thick, color=red] (patch) -- node[above] {SMF Fiber} (cust);

% Labels
\node [draw=none, fill=none, below=0.5cm of patch] {\textit{Physical Layer 1 (1310nm Single-mode Fiber)}};

\end{tikzpicture}

Definition-Example Pairs

802.1Q Tagging: A networking standard that allows multiple virtual networks (VLANs) to share a single physical link.
- Example: Using a single 10G Direct Connect link to support a Private VIF (for VPC traffic) and a Public VIF (for S3 traffic) simultaneously by assigning different VLAN IDs to each.
Bidirectional Forwarding Detection (BFD): A protocol used to detect link failures quickly, faster than standard BGP timers.
- Example: If a physical fiber is cut, BFD can detect the loss of "keep-alive" packets in milliseconds, triggering a failover to a backup VPN before applications time out.

Worked Examples

Scenario: Establishing a 10G Connection in a Colocation Center

Preparation: The customer identifies they have equipment in an Equinix facility that also houses an AWS DX location.
Request: In the AWS Console, the customer creates a new Connection, naming it Production-DX-1 and selecting 10 Gbps speed.
LOA-CFA: Within 72 hours, AWS provides an LOA-CFA. The customer downloads the PDF. This PDF contains the specific port assignment on the AWS router (e.g., Panel 4, Port 12).
The Work Order: The customer logs into the Equinix portal and submits a "Cross-Connect" order, attaching the AWS LOA-CFA.
Hardware Sync: The customer ensures their router interface is configured for 10GBASE-LR and that auto-negotiation is turned off.
Verification: Once Equinix completes the cable run, the customer checks the interface status for "Up/Up" and verifies optical signal strength.

Checkpoint Questions

Which fiber type is required for an AWS Direct Connect connection?
What must be done regarding port auto-negotiation when using a 10 Gbps port?
Who is responsible for establishing the physical cross-connect inside the Direct Connect location?
What is the purpose of the LOA-CFA document?

[!TIP] Answers: 1. Single-mode fiber (SMF). 2. It must be disabled. 3. The colocation facility provider. 4. It provides the legal authority and technical assignment for the facility provider to connect the cables.

Muddy Points & Cross-Refs

Accelerated VPN vs. Direct Connect: Students often confuse these. Accelerated VPN uses the AWS Global Accelerator network (public internet entry points), while Direct Connect is a private physical bypass. Accelerated VPNs cannot connect to DX Public VIFs.
Direct Connect Gateway: While this study guide covers Layer 1, the logical connection to multiple regions requires a Direct Connect Gateway (refer to Chapter 8 for Layer 3 routing).
Jumbo Frames: Note that while the physical link supports 9023 bytes, the traffic must also be supported by the Virtual Private Gateway (VGW) or Transit Gateway (TGW) to work end-to-end.

Comparison Tables

Direct Connect Hardware Standards

Link Speed	Standard	Transceiver	Wavelength
1 Gbps	1000BASE-LX	SFP	1310 nm
10 Gbps	10GBASE-LR	SFP+	1310 nm
100 Gbps	100GBASE-LR4	QSFP28	1310 nm

Comparison: Direct Connect vs. Site-to-Site VPN

Feature	Direct Connect	Site-to-Site VPN
Connectivity	Private Physical Link	Public Internet (IPsec)
Performance	Consistent, Low Latency	Variable (Best Effort)
Setup Time	Weeks (Physical install)	Minutes (Software config)
Security	Physical separation	AES-256 Encryption