# Direct Connect dedicated and hosted connections
Direct Connect enables you to establish a dedicated network connection between your network and one of the Direct Connect locations.
There are two types of connections:
+ **Dedicated Connection**: A physical Ethernet connection associated with a single customer. Customers can request a dedicated connection through the Direct Connect console, the CLI, or the API. For more information, see [Dedicated connections](dedicated_connection.md).
+ **Hosted Connection**: A physical Ethernet connection that an AWS Direct Connect Partner provisions on behalf of a customer. Customers request a hosted connection by contacting a partner in the AWS Direct Connect Partner Program, who provisions the connection. For more information, see [Hosted connections](hosted_connection.md).
**Topics**
+ [Dedicated connections](dedicated_connection.md)
+ [Hosted connections](hosted_connection.md)
+ [Delete a connection](deleteconnection.md)
+ [Update a connection](updateconnection.md)
+ [View connection details](viewdetails.md)
# Dedicated Direct Connect connections
To create an Direct Connect dedicated connection, you need the following information:
**Direct Connect location**
Work with a partner in the AWS Direct Connect Partner Program to help you establish network circuits between an Direct Connect location and your data center, office, or colocation environment. They can also help provide colocation space within the same facility as the location. For more information, see [APN Partners Supporting Direct Connect](https://aws.amazon.com/directconnect/partners).
**Port speed**
The possible values are 1 Gbps, 10 Gbps, 100 Gbps, and 400 Gbps.
You can't change the port speed after you create the connection request. To change the port speed, you must create and configure a new connection.
You can create a connection using either the Connection wizard or create a Classic connection. Using the Connection wizard you can set up connections using resiliency recommendations. The wizard is recommended if you're setting up connections for the first time. If you prefer, you can use Classic to create connections one-at-a-time. Classic is recommended if you've already got an existing setup that you want to add connections to. You can create a standalone connection, or you can create a connection to associate with a LAG in your account. If you associate a connection with a LAG, it's created with the same port speed and location that is specified in the LAG.
After you request the connection, we make a Letter of Authorization and Connecting Facility Assignment (LOA-CFA) available to you to download or email you with a request for more information. If you receive a request for more information, you must respond within 7 days or the connection is deleted. The LOA-CFA is the authorization to connect to AWS, and is required by your network provider to order a cross connect for you. If you do not have equipment in the Direct Connect location, you cannot order a cross connect for yourself there.
The following operations are available for dedicated connections:
+ [Create a connection using the Connection wizard](create-connection.md)
+ [Create a Classic connection](#connection-classic)
+ [View Direct Connect connection details](viewdetails.md)
+ [Update an Direct Connect connection](updateconnection.md)
+ [Associate a MACsec CKN/CAK with a connection](associate-key-connection.md)
+ [Remove the association between a MACsec secret key and an Direct Connect connection](disassociate-key-connection.md)
+ [Delete an Direct Connect connection](deleteconnection.md)
You can add a dedicated connection to a link aggregation group (LAG) allowing you to treat multiple connections as a single one. For information, see [Associate a connection with a LAG](associate-connection-with-lag.md).
After you create a connection, create a virtual interface to connect to public and private AWS resources. For more information, see [Virtual interfaces and hosted virtual interfaces](WorkingWithVirtualInterfaces.md).
If you do not have equipment at an Direct Connect location, first contact an AWS Direct Connect Partner at the AWS Direct Connect Partner Program. For more information, see [APN Partners Supporting Direct Connect](https://aws.amazon.com/directconnect/partners).
If you want to create a connection that uses MAC Security (MACsec), review the prerequisites before you create the connection. For more information, see [MACsec prerequisites for dedicated connections](MACsec.md#mac-sec-prerequisites).
## Letter of Authorization and Connecting Facility Assignment (LOA-CFA)
After we have processed your connection request, you can download the LOA-CFA. If the link is not enabled, the LOA-CFA is not yet available for you to download. Check your email for a request for information.
The downloaded LoA is digitally signed and watermarked to validate the authenticity of the LoA issued by AWS. The digital signature and watermark in the LoA. The PDF document prevents a modified or potentially fraudulent LoA from being acted upon by the facilities provider at Direct Connect sites. The digital signature can be authenticated by opening the PDF and reviewing the signature panel. A valid document will show the "Signature is valid" and "Document has not been modified since the signature was applied". The watermark repeats the patch panel and strands assigned across the body of the LoA as a visual, but non-secure, indicator of authenticity.
Billing automatically starts when the port is active or 90 days after the LOA has been issued, whichever comes first. You can avoid billing charges by deleting the port prior to activation or within 90 days of the LOA being issued.
If your connection is not up after 90 days, and the LOA-CFA has not been issued, we will send you an email alerting you that the port will be deleted in 10 days. If you fail to activate the port within the additional 10 day period, the port will automatically be deleted and you'll need to restart the port creation process.
For the steps to download the LoA-CFA, see [Download the LOA-CFA](download-loa-cfa.md).
**Note**
For more information about pricing, see [Direct Connect Pricing](https://aws.amazon.com/directconnect/pricing/). If you no longer want the connection after you have reissued the LOA-CFA, you must delete the connection yourself. For more information, see [Delete an Direct Connect connection](deleteconnection.md).
**Topics**
+ [Letter of Authorization and Connecting Facility Assignment (LOA-CFA)](#create-connection-loa-cfa)
+ [Create a connection using the Connection wizard](create-connection.md)
+ [Create a Classic connection](#connection-classic)
+ [Download the LOA-CFA](download-loa-cfa.md)
+ [Associate a MACsec CKN/CAK with a connection](associate-key-connection.md)
+ [Remove the association between a MACsec secret key and a connection](disassociate-key-connection.md)
# Create an Direct Connect dedicated connection using the Connection wizard
This section describes creating a connection using the Connection wizard. If you prefer to create a Classic connection, see the steps at [Step 2: Request an Direct Connect dedicated connection](toolkit-classic.md#ConnectionRequest).
**To create a Connection wizard connection**
1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).
1. In the navigation pane, choose **Connections**, and then choose **Create connection**.
1. On the **Create Connection** page, under **Connection ordering type**, choose **Connection wizard**.
1. Choose a **Resiliency Level** for your network connections. A resiliency level can be one of the following:
+ **Maximum Resiliency**
+ **High Resiliency**
+ **Development and Test**
For descriptions and more detailed information about these resiliency levels, see [AWS Direct Connect Resiliency Toolkit](resiliency_toolkit.md).
1. Choose **Next**.
1. On the **Configure connections** page, provide the following details.
1. From the **Bandwidth** drop-down list, choose the bandwidth required for the connection. This can be anywhere from **1Gbps** to **400 Gbps**.
1. For **Location**, choose the appropriate Direct Connect location, and then choose the **First location service provider**, select the service provider providing connectivity for the connection at this location.
1. For **Second location**, choose the appropriate Direct Connect at the second location, and then choose the **Second location service provider**, select the service provider providing connectivity for the connection at this second location.
1. (Optional) Configure MAC security (MACsec) for the connection. Under **Additional Settings**, select **Request a MACsec capable port**.
MACsec is only available on dedicated connections.
1. (Optional) Choose **Add tag** to add key/value pairs to further help identify this connection.
+ For **Key**, enter the key name.
+ For **Value**, enter the key value.
To remove an existing tag, choose the tag and then choose **Remove tag**. You can't have empty tags.
1. Choose **Next**.
1. On the **Review and create page**, verify the connection. This page also displays estimated costs for port usage and additional data transfer charges.
1. Choose **Create**.
1. Download your Letter of Authorization and Connecting Facility Assignment (LOA-CFA), For more information, see [Letter of Authorization and Connecting Facility Assignment (LOA-CFA)](dedicated_connection.md#create-connection-loa-cfa).
Use one of the following commands.
+ [create-connection](https://docs.aws.amazon.com/cli/latest/reference/directconnect/create-connection.html) (AWS CLI)
+ [CreateConnection](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_CreateConnection.html) (Direct Connect API)
## Create an Direct Connect Classic connection
For dedicated connections, you can submit a connection request using the Direct Connect console. For hosted connections, work with an AWS Direct Connect Partner to request a hosted connection. Ensure that you have the following information:
+ The port speed that you require. For dedicated connections, you can't change the port speed after you create the connection request. For hosted connections, your AWS Direct Connect Partner can change the speed.
+ The Direct Connect location at which the connection is to be terminated.
**Note**
You cannot use the Direct Connect console to request a hosted connection. Instead, contact an AWS Direct Connect Partner, who can create a hosted connection for you, which you then accept. Skip the following procedure and go to [Accept your hosted connection](toolkit-classic.md#get-started-accept-hosted-connection).
**To create a new Direct Connect connection**
1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).
1. On the **Direct Connect** screen, under **Get started**, choose **Create a connection**.
1. Choose **Classic**.
1. For **Name**, enter a name for the connection.
1. For **Location**, select the appropriate Direct Connect location.
1. If applicable, for **Sub Location**, choose the floor closest to you or your network provider. This option is only available if the location has meet-me rooms (MMRs) in multiple floors of the building.
1. For **Port Speed**, choose the connection bandwidth.
1. For **On-premises**, select **Connect through an Direct Connect partner** when you use this connection to connect to your data center.
1. For **Service provider**, select the AWS Direct Connect Partner. If you use a partner that is not in the list, select **Other**.
1. If you selected **Other** for **Service provider**, for** Name of other provider**, enter the name of the partner that you use.
1. (Optional) Choose **Add tag** to add key/value pairs to further help identify this connection.
+ For **Key**, enter the key name.
+ For **Value**, enter the key value.
To remove an existing tag, choose the tag and then choose **Remove tag**. You can't have empty tags.
1. Choose **Create Connection**.
It can take up to 72 business hours for AWS to review your request and provision a port for your connection. During this time, you might receive an email with a request for more information about your use case or the specified location. The email is sent to the email address that you used when you signed up for AWS. You must respond within 7 days or the connection is deleted.
For more information, see [Dedicated and hosted connections](WorkingWithConnections.md).
# Download the Direct Connect LOA-CFA
You can download the LOA-CFA using either the Direct Connect console or through the command line. Once you've downloadeded the LOA-CFA and provided that to your network or colocation provider, that provider can order the cross-connect for you.
**To download the LOA-CFA**
1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).
1. In the navigation pane, choose **Connections**.
1. Select the connection, and then choose **View details**.
1. Choose **Download LOA-CFA**.
**Note**
If the link is not enabled, the LOA-CFA is not yet available for you to download. A Support case will be created requesting additional information. Once you've responded to the request, and the request processed, the LOA-CFA will be available for download. If it's still unavailable, contact [AWS Support](https://aws.amazon.com/support/createCase).
1. Send the LOA-CFA to your network provider or colocation provider so that they can order a cross connect for you. The contact process can vary for each colocation provider. For more information, see [Requesting cross connects at Direct Connect locations](Colocation.md).
**To download the LOA-CFA using the command line or API**
+ [describe-loa](https://docs.aws.amazon.com/cli/latest/reference/directconnect/describe-loa.html) (AWS CLI)
+ [DescribeLoa](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_DescribeLoa.html) (Direct Connect API)
# Associate a MACsec CKN/CAK with an Direct Connect connection
After you create the connection that supports MACsec, you can associate a CKN/CAK with the connection. You can create the association using either the Direct Connect console or through the command-line or API.
**Note**
You cannot modify a MACsec secret key after you associate it with a connection. If you need to modify the key, disassociate the key from the connection, and then associate a new key with the connection. For information about removing an association, see [Remove the association between a MACsec secret key and a connection](disassociate-key-connection.md).
**To associate a MACsec key with a connection**
1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).
1. In the left pane, choose **Connections**.
1. Select a connection, and then choose **View details**.
1. Choose **Associate key**.
1. Enter the MACsec key.
[Use the CAK/CKN pair] Choose **Key Pair**, and then do the following:
+ For **Connectivity Association Key (CAK)**, enter the CAK.
+ For **Connectivity Association Key Name (CKN)**, enter the CKN.
[Use the secret] Choose **Existing Secret Manager secret**, and then for **Secret**, select the MACsec secret key.
1. Choose **Associate key**.
**To associate a MACsec key with a connection using the command line or API**
+ [associate-mac-sec-key](https://docs.aws.amazon.com/cli/latest/reference/directconnect/associate-mac-sec-key.html) (AWS CLI)
+ [AssociateMacSecKey](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_AssociateMacSecKey.html) (Direct Connect API)
# Remove the association between a MACsec secret key and an Direct Connect connection
You can remove the association between the connection and the MACsec key using either the Direct Connect console or through the command-line or API.
**To remove an association between a connection and a MACsec key**
1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).
1.
1. In the left pane, choose **Connections**.
1. Select a connection, and then choose **View details**.
1. Select the MACsec secret to remove, and then choose **Disassociate key**.
1. In the confirmation dialog box, enter **disassociate**, and then choose **Disassociate**.
**To remove an association between a connection and a MACsec key using the command line or API**
+ [disassociate-mac-sec-key](https://docs.aws.amazon.com/cli/latest/reference/directconnect/disassociate-mac-sec-key.html) (AWS CLI)
+ [DisassociateMacSecKey](https://docs.aws.amazon.com/directconnect/latest/APIReference/API__DisassociateMacSecKey.html) (Direct Connect API)
# Hosted Direct Connect connections
To create an Direct Connect hosted connection, you need the following information:
**Direct Connect location**
Work with an AWS Direct Connect Partner in the AWS Direct Connect Partner Program to help you establish network circuits between an Direct Connect location and your data center, office, or colocation environment. They can also help provide colocation space within the same facility as the location. For more information, see [Direct Connect Delivery Partners](https://aws.amazon.com/directconnect/partners).
You can't request a hosted connection through the Direct Connect console. However, an AWS Direct Connect Partner can create and configure a hosted connection for you. Once configured, the connection appears in the **Connections** pane in the console.
You must accept the hosted connection before you can use it. For more information, see [Accept a hosted connection](accept-hosted-connection.md).
**Port speed**
For hosted connections, the possible values are 50 Mbps, 100 Mbps, 200 Mbps, 300 Mbps, 400 Mbps, 500 Mbps, 1 Gbps, 2 Gbps, 5 Gbps, 10 Gbps, and 25 Gbps. Note that only those Direct Connect partners who have met specific requirements may create a 1 Gbps, 2 Gbps, 5 Gbps, 10 Gbps, or 25 Gbps hosted connection. 25 Gbps connections are available only in Direct Connect locations where 100 Gbps port speeds are available.
Note the following:
+ Connection port speeds can only be changed by your AWS Direct Connect Partner. Please check with your AWS Direct Connect Partner to see if they support upgrade or downgrade of an existing connection. If your Partner supports upgrade/downgrade of your connection, you are no longer required to delete and then recreate a connection in order to upgrade or downgrade an existing hosted connection's bandwidth.
+ AWS uses traffic policing on hosted connections, which means that when the traffic rate reaches the configured maximum rate, excess traffic is dropped. This might result in bursty traffic having a lower throughput than non-bursty traffic.
+ Jumbo frames can be enabled on connections only if originally enabled on the Direct Connect hosted parent connection. If Jumbo frames isn't enabled on that parent connection, then it can't be enabled on any connection.
The following console operations are available after you've requested a hosted connection and accepted it:
+ [Delete a connection](deleteconnection.md)
+ [Update a connection](updateconnection.md)
+ [View connection details](viewdetails.md)
After you accept a connection, create a virtual interface to connect to public and private AWS resources. For more information, see [Virtual interfaces and hosted virtual interfaces](WorkingWithVirtualInterfaces.md).
# Accept an Direct Connect hosted connection
If you are interested in purchasing a hosted connection, you must contact an AWS Direct Connect Partner in the AWS Direct Connect Partner Program. The partner provisions the connection for you. After the connection is configured, it appears in the **Connections** pane in the Direct Connect console.
Before you can begin using a hosted connection, you must accept the connection. You can accept a hosted connection using either the Direct Connect console or using the command line or API.
1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).
1. In the navigation pane, choose **Connections**.
1. Select the hosted connection and choose **View details**.
1. Select the confirmation check box and choose **Accept**.
**To accept a hosted connection using the command line or API**
+ [confirm-connection](https://docs.aws.amazon.com/cli/latest/reference/directconnect/confirm-connection.html) (AWS CLI)
+ [ConfirmConnection](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_ConfirmConnection.html) (Direct Connect API)
# Delete an Direct Connect connection
You can delete a connection as long as there are no virtual interfaces attached to it. Deleting your connection stops all port hour charges for this connection, but you may still incur cross-connect or network circuit charges (see below). Direct Connectdata transfer charges are associated with virtual interfaces. For more information about how to delete a virtual interface, see [Delete a virtual interface](deletevif.md).
Before deleting a connection, download the LOA for the connection containing the cross-account information so you have the relevant information about the circuits being disconnected. For the steps to download the connection LOA, see [Letter of Authorization and Connecting Facility Assignment (LOA-CFA)](dedicated_connection.md#create-connection-loa-cfa).
When you delete a connection, AWS will instruct the colocation provider to disconnect your network device from the Direct Connect router by removing the fiber-optic cross-connect cable from the applicable AWS patch panel. However, your colocation or circuit provider may still charge you cross-connect or network circuit charges because the cross-connect cable may still be connected to your network device. These charges for the cross-connect are independent of Direct Connect, and must be cancelled with the colocation or circuit provider using information from the LOA.
If the connection is part of a link aggregation group (LAG), you cannot delete the connection if doing so causes the LAG to fall below its setting for the minimum number of operational connections.
You can delete a connection using either the Direct Connect console or using the command line or API.
**To delete a connection**
1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).
1. In the navigation pane, choose **Connections**.
1. Select the connections and choose **Delete**.
1. In the **Delete confirmation** dialog box, choose **Delete**.
**To delete a connection using the command line or API**
+ [delete-connection](https://docs.aws.amazon.com/cli/latest/reference/directconnect/delete-connection.html) (AWS CLI)
+ [DeleteConnection](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_DeleteConnection.html) (Direct Connect API)
# Update an Direct Connect connection
You can update the following connection attribute using either the Direct Connect console or using the command line or API.
+ The name of the connection.
+ The connection's MACsec encryption mode.
**Note**
While you cannot directly modify MACSec properties on hosted connections, partners can enable MACSec on their own interconnects to provide secure hosted connections to their customers.
The valid values are:
+ `should_encrypt`
+ `must_encrypt`
When you set the encryption mode to this value, the connection goes down when the encryption is down.
+ `no_encrypt`
**To update a connection**
1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).
1. In the navigation pane, choose **Connections**.
1. Select the connection, and then choose **Edit**.
1. Modify the connection:
[Change the name] For **Name**, enter a new connection name.
[Add a tag] Choose **Add tag** and do the following:
+ For **Key**, enter the key name.
+ For **Value**, enter the key value.
[Remove a tag] Next to the tag, choose **Remove tag**.
1. Choose **Edit connection**.
**To update a connection using the command line or API**
+ [update-connection](https://docs.aws.amazon.com/cli/latest/reference/directconnect/update-connection.html) (AWS CLI)
+ [UpdateConnection](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_UpdateConnection.html) (Direct Connect API)
# View Direct Connect connection details
You can view the current status of your connection using either the Direct Connect console or using the command line or API. You can also view your connection ID (for example, `dxcon-12nikabc`) and verify that it matches the connection ID on the LOA-CFA that you received or downloaded.
For information on monitoring connections, see [Monitor Direct Connect resources](monitoring-overview.md).
**To view details about a connection**
1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).
1. In the left pane, choose **Connections**.
1. Select a connection, and then choose **View details**.
**To describe a connection using the command line or API**
+ [describe-connections](https://docs.aws.amazon.com/cli/latest/reference/directconnect/describe-connections.html) (AWS CLI)
+ [DescribeConnections](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_DescribeConnections.html) (Direct Connect API)