AWS GovCloud (US)
User Guide

AWS Direct Connect

The following list details the differences for using this service in the AWS GovCloud (US) Region compared to other AWS regions:

  • To set up an AWS Direct Connect connection to the AWS GovCloud (US) Region, you must use the AWS GovCloud (US) console and the AWS GovCloud (US) credentials associated with your AWS GovCloud (US) account. For instructions about how to provision and configure AWS Direct Connect, see the AWS Direct Connect User Guide.

  • Alternatively, you can set up an AWS Direct Connect connection in a different region and connect to AWS GovCloud (US) using a public virtual interface and a VPN connection. For more information, see Setting Up AWS Direct Connect with a VPN Connection.

  • When you create a public virtual interface on your AWS Direct Connect connection, a data path to AWS GovCloud (US) is made available.

  • To access your VPC without using an Amazon VPC VPN (for non-ITAR uses), create an AWS Direct Connect private virtual interface in the AWS GovCloud (US) Region (us-gov-west-1) only.

  • Use the Amazon VPC section of the AWS GovCloud (US) console to set up hardware VPN access to the AWS GovCloud (US) Region over a public virtual interface.

  • If you are processing ITAR-regulated workloads, you must configure your AWS Direct Connect connection with a VPN to encrypt data in transit. For detailed instructions about how to create your VPC and VPN, see Adding a Hardware Virtual Private Gateway to Your VPC in the Amazon VPC User Guide. For instructions about how to configure your on-premises VPN hardware, see the Amazon VPC Network Administrator Guide.

For more information about AWS Direct Connect, see the AWS Direct Connect documentation.

ITAR Boundary

The ITAR boundary defines where customers are allowed to store ITAR-regulated data for this service in the AWS GovCloud (US) Region. You must comply with the boundaries in order to maintain ITAR compliance. If you do not have any ITAR-regulated data in the AWS GovCloud (US) Region, this section does not apply to you. The following information identifies the ITAR boundary for this service:

ITAR-Regulated Data Permitted

  • If you are transferring any type of ITAR-regulated data through the AWS Direct Connect connection, you must encrypt the data that is being transferred by using a VPN tunnel.

ITAR-Regulated Data Not Permitted

  • AWS Direct Connect metadata is not permitted to contain ITAR-regulated data. This metadata includes all of the configuration data that you enter when creating and maintaining AWS Direct Connect, such as connection names.

  • Do not enter ITAR-regulated data in the following console fields:

    • Connection Name

    • VIF Name

Setting Up AWS Direct Connect with a VPN Connection

You can create an AWS Direct Connect connection in a different region and use a VPN on top of the connection to encrypt all data in transit from your AWS GovCloud (US) virtual private cloud (VPC) to your own network.

Step 1: Create an AWS Direct Connect Connection and Virtual Interface

To provision a connection and public virtual interface, follow the steps in the Getting Started with AWS Direct Connect section of the AWS Direct Connect User Guide and ensure that you do the following:

  • Submit a connection request at a location in any other supported region.

  • Create a public virtual interface (not a private virtual interface).

Step 2: Enable the Public Virtual Interface for AWS GovCloud (US) Access

To enable your public virtual interface for AWS GovCloud (US), create a customer support case through Support Center on the standard AWS Management Console. Note: You cannot use your AWS GovCloud (US) credentials to log in; you must use your standard AWS credentials. If you do not have access to the standard AWS Management Console and Support Center, contact your AWS Business Representative to enable your virtual interface.

Step 3: Verify Your Public Virtual Interface

After you have established a public virtual interface to the AWS GovCloud (US) Region, verify the connection by running a traceroute from your on-premises router to the AWS GovCloud (US) Region and confirming that the AWS Direct Connect identifier appears in the network trace.
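The verification in Step 3 is easy to do by eye once, but a team that runs it after every change usually wants it scripted. The following is an added example (not code from the AWS guide): it parses Linux-style traceroute output, tolerates unresponsive `* * *` hops, and reports the hop at which an expected Direct Connect marker appears, so an on-call engineer can tell that traffic is actually taking the Direct Connect path and not falling back to an Internet path. The traceroute text, hostnames and addresses are constructed for the example; the marker string `dxcon` is an assumed placeholder and should be replaced with the identifier your own connection shows in the trace.

```python
import re

# Constructed sample traceroute output (Linux "traceroute" format). The
# hostnames and addresses are invented for this example; they are not real
# AWS or Direct Connect hops.
SAMPLE_TRACEROUTE = """\
traceroute to 203.0.113.10 (203.0.113.10), 30 hops max, 60 byte packets
 1  gw.corp.example (192.0.2.1)  0.412 ms  0.398 ms  0.387 ms
 2  edge-rtr.corp.example (192.0.2.254)  1.021 ms  1.003 ms  0.998 ms
 3  * * *
 4  dxcon-example.dx.example (198.51.100.2)  2.114 ms  2.090 ms  2.071 ms
 5  203.0.113.10 (203.0.113.10)  3.502 ms  3.488 ms  3.470 ms
"""

# A hop line starts with the hop number; the header line does not.
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
# "hostname (ip)" at the start of the hop's remainder.
HOST_RE = re.compile(r"^(\S+)\s+\(([\d.]+)\)")


def parse_traceroute(text):
    """Return a list of (hop_number, hostname_or_None, ip_or_None).

    Hops that did not answer ("* * *") are kept with None fields so the
    hop numbering stays aligned with what the router printed.
    """
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header or blank line
        num, rest = int(m.group(1)), m.group(2).strip()
        if rest.startswith("*"):
            hops.append((num, None, None))
            continue
        h = HOST_RE.match(rest)
        if h:
            hops.append((num, h.group(1), h.group(2)))
        else:
            hops.append((num, None, None))
    return hops


def find_direct_connect_hop(hops, marker):
    """Return the number of the first hop whose hostname contains the
    expected Direct Connect marker (case-insensitive), or None if the
    path never passes through it."""
    marker = marker.lower()
    for num, host, _ip in hops:
        if host and marker in host.lower():
            return num
    return None


def path_verified(text, marker):
    """True when the trace shows the Direct Connect marker on the path."""
    return find_direct_connect_hop(parse_traceroute(text), marker) is not None


if __name__ == "__main__":
    hops = parse_traceroute(SAMPLE_TRACEROUTE)
    hop = find_direct_connect_hop(hops, "dxcon")  # "dxcon" is an assumed marker
    if hop is None:
        print("Direct Connect marker not found: traffic may be on an Internet path")
    else:
        print(f"Direct Connect path confirmed at hop {hop}")
```

Run it against the saved output of the traceroute from your on-premises router; a missing marker is the signal that the public virtual interface is not yet enabled for AWS GovCloud (US) or that routing prefers another path.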

Step 4: Set Up Your VPN Over Your Public Virtual Interface

Create your AWS GovCloud (US) VPC and VPN. For detailed instructions on how to create your VPC and VPN, see Adding a Hardware Virtual Private Gateway to Your VPC in the Amazon Virtual Private Cloud User Guide. For instructions on how to configure your on-premises VPN hardware, see Amazon Virtual Private Cloud Network Administrator Guide.
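Steps 1 through 4 together, plus the ITAR boundary above, amount to a small set of conditions that can be checked from API output rather than by reading the console: an ITAR workload must not rely on a private virtual interface (the guide allows private VIFs only for non-ITAR use, and only in us-gov-west-1), and its Direct Connect traffic must be inside a VPN tunnel that is actually up. The following is an added example (not code from the AWS guide or an AWS tool) that evaluates those conditions over two records shaped like the output of `aws directconnect describe-virtual-interfaces` and `aws ec2 describe-vpn-connections`. The field names follow those APIs as I know them; every identifier, name and address value is constructed for the example.

```python
import json

GOVCLOUD_REGION = "us-gov-west-1"

# Constructed sample in the shape of "describe-virtual-interfaces" output.
# IDs, names and regions are invented for this example.
SAMPLE_VIFS = json.loads("""
{"virtualInterfaces": [
  {"virtualInterfaceId": "dxvif-example1", "virtualInterfaceName": "govcloud-public-path",
   "virtualInterfaceType": "public", "region": "us-west-2",
   "virtualInterfaceState": "available"},
  {"virtualInterfaceId": "dxvif-example2", "virtualInterfaceName": "govcloud-vpc-private",
   "virtualInterfaceType": "private", "region": "us-gov-west-1",
   "virtualInterfaceState": "available"}
]}
""")

# Constructed sample in the shape of "describe-vpn-connections" output;
# VgwTelemetry carries one entry per tunnel with Status "UP" or "DOWN".
SAMPLE_VPNS = json.loads("""
{"VpnConnections": [
  {"VpnConnectionId": "vpn-example1", "State": "available",
   "VgwTelemetry": [{"OutsideIpAddress": "198.51.100.10", "Status": "UP"},
                    {"OutsideIpAddress": "198.51.100.11", "Status": "DOWN"}]}
]}
""")


def up_tunnels(vpns):
    """Return (up_count, down_count) across all VPN connections."""
    statuses = [t.get("Status") for v in vpns.get("VpnConnections", [])
                for t in v.get("VgwTelemetry", [])]
    return statuses.count("UP"), statuses.count("DOWN")


def check_direct_connect_posture(vifs, vpns, itar_workload):
    """Return a list of findings (empty when the configuration is consistent
    with the guide's requirements for the stated workload type)."""
    findings = []
    public_available = False
    for vif in vifs.get("virtualInterfaces", []):
        vid, vtype = vif["virtualInterfaceId"], vif["virtualInterfaceType"]
        if vtype == "public" and vif.get("virtualInterfaceState") == "available":
            public_available = True
        if vtype == "private" and vif.get("region") != GOVCLOUD_REGION:
            # A private VIF reaches a VPC only in its own region; GovCloud
            # VPC access via private VIF is supported in us-gov-west-1 only.
            findings.append(f"{vid}: private VIF in {vif.get('region')} does not "
                            f"reach a GovCloud VPC; use {GOVCLOUD_REGION} or a public VIF plus VPN")
        if vtype == "private" and itar_workload:
            # Private VIFs carry VPC traffic without the VPN the guide
            # requires for ITAR-regulated data.
            findings.append(f"{vid}: private VIF is permitted for non-ITAR use only")

    up, down = up_tunnels(vpns)
    if itar_workload and not public_available:
        findings.append("no available public VIF: the VPN-over-Direct Connect path is not established")
    if itar_workload and up == 0:
        findings.append("ITAR workload but no VPN tunnel is UP: Direct Connect traffic is not encrypted in transit")
    if down:
        findings.append(f"{down} VPN tunnel(s) DOWN: redundancy is degraded")
    return findings


if __name__ == "__main__":
    for f in check_direct_connect_posture(SAMPLE_VIFS, SAMPLE_VPNS, itar_workload=True):
        print("FINDING:", f)
```

Feed it the JSON from the two describe calls (run with your AWS GovCloud (US) credentials against us-gov-west-1) and treat any finding for an ITAR workload as a boundary violation to fix before data moves, not as a warning.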