AWS Reference Architecture
Reviewed for technical accuracy October 13, 2022
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
MACsec Security in AWS Direct Connect
This method achieves encryption of traffic using MACsec security (IEEE 802.1AE), delivering a native, near line-rate, and point-to-point encryption for 10 Gbps and 100 Gbps links. With MACsec, you won’t need to create VPN connections on top of your Direct Connect links to encrypt the traffic.
[Diagram: the corporate network (192.168.0.0/16) with its customer gateway connects, through a customer or partner device at the AWS Direct Connect location, to the AWS device over a MACsec-encrypted cross-connect. An AWS Direct Connect transit VIF leads to an AWS Direct Connect gateway associated with an AWS Transit Gateway in the AWS Region. Spoke VPC A (10.0.0.0/16) and spoke VPC B (10.1.0.0/16) are attached to the Transit Gateway; each has a Transit Gateway subnet (10.0.0.0/24 and 10.1.0.0/24) and a workload subnet (10.0.1.0/24 and 10.1.1.0/24) across Availability Zones A and B, with EC2 instances reached through elastic network interfaces. Numbered markers 1-6 are the configuration steps and lettered markers A-E the sample traffic flow.]

Route tables shown in the diagram:

Transit Gateway route table "Spoke VPC route"
  CIDR            Attachment
  192.168.0.0/16  DX gateway

Spoke VPC A route table
  Destination  Target
  10.0.0.0/16  local
  0.0.0.0/0    tgw-id

Spoke VPC B route table
  Destination  Target
  10.1.0.0/16  local
  0.0.0.0/0    tgw-id

Transit Gateway route table "Direct Connect route"
  CIDR         Attachment
  10.0.0.0/24  spoke VPC A
  10.1.0.0/24  spoke VPC B
Configuration steps

1. To configure MACsec in an AWS Direct Connect dedicated connection, ensure that the device at your end supports MACsec. The Direct Connect location must also support MACsec.
2. Create a 10G/100G AWS Direct Connect dedicated connection, choosing the option for a MACsec enabled port.
3. Create a Connection Key Name (CKN)/Connectivity Association Key (CAK) pair for the MACsec secret key, making sure that the key pair is compatible with your device (or Partner device).
4. Set up the cross-connect and complete the physical connection to your device (or Partner device). Update the device at your end with the CKN/CAK pair.
5. Associate the CKN/CAK pair with the connection via the AWS Console, AWS Command Line Interface (CLI), or API.
6. Create a transit VIF to a Direct Connect gateway on the new MACsec-enabled connection, associated with your AWS Transit Gateway.

Sample traffic flow

A. A client located in the corporate network needs to route network traffic to the IP address of an EC2 instance in spoke VPC A, and routes the traffic to the customer gateway.
B. The customer gateway determines that the best route to the VPC is via the transit VIF, indicating the traffic should be sent over the Direct Connect connection.
C. Because MACsec is enabled, the traffic between the customer gateway and AWS Transit Gateway is encrypted.
D. As per the Transit Gateway Direct Connect route table, the traffic is forwarded to spoke VPC A, and then routed to the EC2 instance.
E. Return traffic from the EC2 instance to the client located in the corporate network follows a reverse but identical path, as described in steps A-D.
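As an added example (not part of this reference architecture or of any AWS code), the following Python covers the CKN/CAK creation and association steps above from the operator's side: generating and validating a CKN/CAK pair, building the `aws directconnect associate-mac-sec-key` call, and checking a `describe-connections` entry for the state you want before trusting the link. The 64-hexadecimal-character key format, the field names `macSecCapable`, `encryptionMode`, `portEncryptionStatus` and `macSecKeys`, and the `must_encrypt` policy are assumptions drawn from the AWS CLI reference, not from this page; the connection ID and the response are constructed.

```python
import re
import secrets

# Added example, not AWS code. Assumes (per the AWS CLI reference, as understood here)
# that CKN and CAK are each 64 hexadecimal characters and that describe-connections
# returns macSecCapable, encryptionMode, portEncryptionStatus and macSecKeys.
HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")


def generate_ckn_cak() -> tuple[str, str]:
    """32 CSPRNG bytes each -> 64 hex chars for the CKN and the (secret) CAK."""
    return secrets.token_hex(32), secrets.token_hex(32)


def validate_ckn_cak(ckn: str, cak: str) -> bool:
    """Both values must be 64 hex chars; the CAK must not be reused as the CKN."""
    return bool(HEX64.match(ckn)) and bool(HEX64.match(cak)) and ckn != cak


def associate_command(connection_id: str, ckn: str, cak: str) -> list[str]:
    """argv for the CLI association step; refuse to build it with a malformed pair."""
    if not validate_ckn_cak(ckn, cak):
        raise ValueError("CKN and CAK must each be 64 hexadecimal characters")
    return ["aws", "directconnect", "associate-mac-sec-key",
            "--connection-id", connection_id, "--ckn", ckn, "--cak", cak]


def macsec_problems(connection: dict) -> list[str]:
    """Findings for one describe-connections entry; an empty list means MACsec is up
    in must_encrypt mode with an associated key (the policy this check assumes)."""
    findings = []
    if not connection.get("macSecCapable"):
        findings.append("port is not MACsec capable")
    mode = connection.get("encryptionMode")
    if mode != "must_encrypt":
        findings.append(f"encryptionMode is {mode!r}; traffic may fall back to cleartext")
    status = connection.get("portEncryptionStatus")
    if status != "Encryption Up":
        findings.append(f"portEncryptionStatus is {status!r}")
    if not any(k.get("state") == "associated" for k in connection.get("macSecKeys", [])):
        findings.append("no CKN/CAK pair in state 'associated'")
    return findings


# Constructed sample (not real AWS output): key associated, but the port has not
# negotiated MACsec and the mode still allows unencrypted fallback.
SAMPLE_CONNECTION = {
    "connectionId": "dxcon-EXAMPLE",
    "macSecCapable": True,
    "encryptionMode": "should_encrypt",
    "portEncryptionStatus": "Encryption Down",
    "macSecKeys": [{"ckn": "ab" * 32, "state": "associated"}],
}
```

Feed the output of `aws directconnect describe-connections` (one entry at a time) to `macsec_problems` after step 5; the link is only worth trusting once the list comes back empty.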
For more information about MACsec in AWS Direct Connect, see Adding MACsec security to AWS Direct Connect connections.
NOTE: The connection between the customer or partner device at the AWS Direct Connect Location and the on-premises customer gateway is only MACsec enabled if the Layer-2 circuit was extended all the way. If the Layer-2 circuit terminates on the customer or partner device at the AWS Direct Connect Location, the responsibility for that segment of the circuit lies with the customer or partner.