How do I establish an encrypted connection over an AWS Direct Connect connection?

I want to establish an encrypted connection from my local network to my Amazon Virtual Private Cloud (Amazon VPC) over an AWS Direct Connect connection.

Short description

AWS Direct Connect provides a dedicated, private connection with consistent throughput between your local network and AWS. An AWS Direct Connect connection isn't encrypted by default. To encrypt traffic over AWS Direct Connect connections, use either of these methods:

  * MACsec encryption on a dedicated connection
  * AWS Site-to-Site VPN over the Direct Connect connection

For more information on how to use MACsec encryption, see Get started with MACsec on dedicated connections.

If you don't use MACsec, then use Site-to-Site VPN. Site-to-Site VPN allows VPN tunnels between an on-premises appliance and a virtual private gateway or a Transit Gateway. To build Site-to-Site VPN over Direct Connect to Amazon VPC, use a public virtual interface. To build Site-to-Site VPN between on-premises equipment and AWS Transit Gateway, choose a public or a transit virtual interface.

Resolution

Create a Site-to-Site VPN over a public virtual interface

  1. Create your Direct Connect connection.
  2. Create a public virtual interface for your Direct Connect connection. For Prefixes you want to advertise, enter your customer gateway device's public IP address and any network prefixes that you want to advertise. Note: Your public virtual interface receives all AWS public IP address prefixes from every AWS Region (except the AWS China Regions). These include the public IP addresses of the AWS managed VPN endpoints. Use Border Gateway Protocol (BGP) communities to filter the received prefixes to your local AWS Region or to the AWS Regions of a continent.
  3. Create a new VPN connection to your Virtual Private Gateway or AWS Transit Gateway. In the customer gateway configuration, use the same public IP address that you specified in the previous step. Note: Configure your customer gateway device to create the VPN tunnels. You can download example configurations from the AWS Management Console or the AWS Command Line Interface (AWS CLI).

Create a Site-to-Site VPN over a transit virtual interface

  1. Create your Direct Connect connection.
  2. Associate an IP CIDR block with your Transit Gateway. You can't associate addresses in the 169.254.0.0/16 range, or ranges that overlap with addresses for your VPC attachments and on-premises networks. You can modify an existing Transit Gateway to add this CIDR block.
  3. Create a transit virtual interface. In the transit virtual interface configuration, you can select an existing Direct Connect gateway or create a new one. Note: A Direct Connect gateway can't be associated with both a virtual private gateway and a Transit Gateway at the same time.
  4. Associate your Transit Gateway with the Direct Connect gateway. Make sure that the Transit Gateway CIDR block configured in the previous step is announced to your local network through the allowed prefixes.
  5. Create a new VPN connection to the Transit Gateway that uses private IP addresses.
  6. Configure your customer gateway device to create the VPN tunnels. You can download example configurations from the AWS Management Console or the AWS CLI.
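The prefix and CIDR constraints in both procedures (the public prefixes advertised on the public virtual interface, and the Transit Gateway CIDR block that must stay out of 169.254.0.0/16 and must not overlap VPC attachments or on-premises networks) are easy to get wrong before anything is created. The following pre-flight check is an added example, not code from the AWS article or from the AWS CLI; the function names and all sample addresses are constructed for illustration.

```python
import ipaddress
from typing import Iterable, List

# Link-local range that a Transit Gateway CIDR block may not use (step 2 of the
# transit virtual interface procedure).
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def validate_transit_gateway_cidr(candidate: str,
                                  vpc_attachment_cidrs: Iterable[str],
                                  on_prem_cidrs: Iterable[str]) -> List[str]:
    """Return a list of problems with a proposed Transit Gateway CIDR block.

    An empty list means the block is outside 169.254.0.0/16 and does not
    overlap any VPC attachment or on-premises range. strict=True rejects a
    candidate with host bits set (for example 10.1.2.3/24) with a ValueError.
    """
    block = ipaddress.ip_network(candidate, strict=True)
    problems = []
    if block.version == 4 and block.overlaps(LINK_LOCAL):
        problems.append(f"{block} falls in the reserved {LINK_LOCAL} range")
    for label, ranges in (("VPC attachment", vpc_attachment_cidrs),
                          ("on-premises", on_prem_cidrs)):
        for r in ranges:
            other = ipaddress.ip_network(r, strict=False)
            if other.version == block.version and block.overlaps(other):
                problems.append(f"{block} overlaps {label} range {other}")
    return problems


def validate_public_vif_prefixes(prefixes: Iterable[str]) -> List[str]:
    """Return the prefixes that are not globally routable.

    A public virtual interface advertises the customer gateway's public IP
    (as a /32) and your other public prefixes; private, link-local or
    documentation space here would never be reachable from the AWS VPN endpoints.
    """
    return [p for p in prefixes
            if not ipaddress.ip_network(p, strict=False).is_global]


if __name__ == "__main__":
    # Constructed sample values, not real deployments.
    print(validate_transit_gateway_cidr("10.0.5.0/24",
                                        ["10.0.0.0/16"], ["192.168.0.0/16"]))
    print(validate_public_vif_prefixes(["1.2.3.4/32", "10.0.0.0/8"]))
```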