

# Direct Connect link aggregation groups (LAGs)
<a name="lags"></a>

You can use multiple connections to increase available bandwidth. A link aggregation group (LAG) is a logical interface that uses the Link Aggregation Control Protocol (LACP) to aggregate multiple connections at a single Direct Connect endpoint, allowing you to treat them as a single, managed connection. LAGs streamline configuration because the LAG configuration applies to all connections in the group. 

**Note**  
Multi-chassis LAG (MLAG) is not supported by AWS.

In the following diagram, you have four connections, with two connections to each location. You can create a LAG for connections that terminate on the same AWS device and in the same location, and then use the two LAGs instead of the four connections for configuration and management.

![\[Link Aggregation Group\]](http://docs.aws.amazon.com/directconnect/latest/UserGuide/images/LAG_description.png)


You can create a LAG from existing connections, or you can provision new connections. After you've created the LAG, you can associate existing connections (whether standalone or part of another LAG) with the LAG.

The following rules apply:
+ All connections must be dedicated connections and have a port speed of 1 Gbps, 10 Gbps, 100 Gbps, or 400 Gbps. 
+ All connections in the LAG must use the same bandwidth.
+ You can have a maximum of two 100 Gbps or 400 Gbps connections, or four connections with a port speed less than 100 Gbps in a LAG. Each connection in the LAG counts towards your overall connection limit for the Region. 
+ All connections in the LAG must terminate at the same Direct Connect endpoint. 
+ LAGs are supported for all virtual interface types—public, private, and transit.

When you create a LAG, you can download the Letter of Authorization and Connecting Facility Assignment (LOA-CFA) for a new physical connection individually from the Direct Connect console. For more information, see [Letter of Authorization and Connecting Facility Assignment (LOA-CFA)](dedicated_connection.md#create-connection-loa-cfa).

All LAGs have an attribute that determines the minimum number of connections in the LAG that must be operational for the LAG itself to be operational. By default, new LAGs have this attribute set to 0. You can update your LAG to specify a different value—doing so means that your entire LAG becomes non-operational if the number of operational connections falls below this threshold. This attribute can be used to prevent over-utilization of the remaining connections. 

All connections in a LAG operate in Active/Active mode. 

**Note**  
When you create a LAG or associate more connections with the LAG, we may not be able to guarantee enough available ports on a given Direct Connect endpoint. 

**Topics**
+ [MACsec considerations](#lag-macsec-considerations)
+ [Create a LAG](create-lag.md)
+ [View LAG details](view-lag.md)
+ [Update a LAG](update-lag.md)
+ [Associate a connection with a LAG](associate-connection-with-lag.md)
+ [Disassociate a connection from a LAG](disassociate-connection-from-lag.md)
+ [Associate a MACsec CKN/CAK with a LAG](associate-key-lag.md)
+ [Remove the association between a MACsec secret key and a LAG](disassociate-key-lag.md)
+ [Delete a LAG](delete-lag.md)

## MACsec considerations for Direct Connect
<a name="lag-macsec-considerations"></a>

Take the following into consideration when you want to configure MACsec on LAGs:
+ When you create a LAG from existing connections, we disassociate all of the MACsec keys from the connections. Then we add the connections to the LAG, and associate the LAG MACsec key with the connections.
+ When you associate an existing connection to a LAG, the MACsec keys that are currently associated with the LAG are associated with the connection. Therefore, we disassociate the MACsec keys from the connection, add the connection to the LAG, and then associate the LAG MACsec key with the connection.
+ Only a single MACsec key can be utilized across all LAG links at any time. The ability to support multiple MACsec keys is for key rotation purposes only.

# Create a LAG at a Direct Connect endpoint
<a name="create-lag"></a>

You can create a LAG by provisioning new connections, or aggregating existing connections.

You cannot create a LAG with new connections if this results in you exceeding the overall connections limit for the Region.

To create a LAG from existing connections, the connections must be on the same AWS device (terminate at the same Direct Connect endpoint). They must also use the same bandwidth. You cannot migrate a connection from an existing LAG if removing the connection causes the original LAG to fall below its setting for the minimum number of operational connections.

**Important**  
For existing connections, connectivity to AWS is interrupted during the creation of the LAG.

**To create a LAG with new connections**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. In the navigation pane, choose **LAGs**.

1. Choose **Create LAG**.

1. Under **Lag creation type**, choose **Request new connections**, and provide the following information:
   + **LAG name**: A name for the LAG.
   + **Location**: The location for the LAG.
   + **Port speed**: The port speed for the connections.
   + **Number of new connections**: The number of new connections to create. You can have a maximum of four connections when the port speed is 1G or 10G, or two when the port speed is 100 Gbps or 400 Gbps.
   + (Optional) Configure MAC security (MACsec) for the connection. Under **Additional Settings**, select **Request a MACsec capable port**.

     MACsec is only available on dedicated connections.
   + (Optional) Add or remove a tag.

     [Add a tag] Choose **Add tag** and do the following:
     + For **Key**, enter the key name.
     + For **Value**, enter the key value.

     [Remove a tag] Next to the tag, choose **Remove tag**.

1. Choose **Create LAG**.

**To create a LAG from existing connections**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. In the navigation pane, choose **LAGs**.

1. Choose **Create LAG**.

1. Under **Lag creation type**, choose **Use existing connections**, and provide the following information:
   + **LAG name**: A name for the LAG.
   + **Existing connections**: The Direct Connect connection to use for the LAG.
   + (Optional) **Number of new connections**: The number of new connections to create. You can have a maximum of four connections when the port speed is 1G or 10G, or two when the port speed is 100 Gbps or 400 Gbps.

1. (Optional) Add or remove a tag.

   [Add a tag] Choose **Add tag** and do the following:
   + For **Key**, enter the key name.
   + For **Value**, enter the key value.

   [Remove a tag] Next to the tag, choose **Remove tag**.

1. Choose **Create LAG**.

**To create a LAG using the command line or API**
+ [create-lag](https://docs.aws.amazon.com/cli/latest/reference/directconnect/create-lag.html) (AWS CLI)
+ [CreateLag](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_CreateLag.html) (Direct Connect API)

**To describe your LAGs using the command line or API**
+ [describe-lags](https://docs.aws.amazon.com/cli/latest/reference/directconnect/describe-lags.html) (AWS CLI)
+ [DescribeLags](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_DescribeLags.html) (Direct Connect API)

**To download the LOA-CFA using the command line or API**
+ [describe-loa](https://docs.aws.amazon.com/cli/latest/reference/directconnect/describe-loa.html) (AWS CLI)
+ [DescribeLoa](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_DescribeLoa.html) (Direct Connect API)

After you create a LAG, you can associate or disassociate connections from it. For more information, see [Associate a connection with a LAG](associate-connection-with-lag.md) and [Disassociate a connection from a LAG](disassociate-connection-from-lag.md).

# View LAG details at a Direct Connect endpoint
<a name="view-lag"></a>

After you create a LAG, you can view its details using either the Direct Connect console or using the command line or API.

**To view information about your LAG**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. In the navigation pane, choose **LAGs**.

1. Select the LAG and choose **View details**.

1. You can view information about the LAG, including its ID, and the Direct Connect endpoint on which the connections terminate.

**To view information about your LAG using the command line or API**
+ [describe-lags](https://docs.aws.amazon.com/cli/latest/reference/directconnect/describe-lags.html) (AWS CLI)
+ [DescribeLags](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_DescribeLags.html) (Direct Connect API)

# Update a LAG at a Direct Connect endpoint
<a name="update-lag"></a>

You can update the following link aggregation group (LAG) attributes using either the Direct Connect console or using the command line or API:
+ The name of the LAG.
+ The value for the minimum number of connections that must be operational for the LAG itself to be operational. 
+ The LAG's MACsec encryption mode.

  MACsec is only available on dedicated connections.

  AWS assigns this value to each connection that is part of the LAG.

  The valid values are:
  + `should_encrypt`
  + `must_encrypt`

    When you set the encryption mode to this value, the connections go down when the encryption is down.
  + `no_encrypt`
+ The tags.

**Note**  
If you adjust the threshold value for the minimum number of operational connections, ensure that the new value does not cause the LAG to fall below the threshold and become non-operational.
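
The following added example (not part of the original AWS documentation) audits the encryption mode and minimum-links settings described above across LAG records. It assumes input shaped like a `DescribeLags` response; `SAMPLE`, the finding codes, and all IDs are constructed for illustration.

```python
# Added example. Keys follow the DescribeLags response shape; SAMPLE is
# constructed data and every ID in it is a placeholder.
def audit_lag(lag):
    """Return finding codes for one LAG record."""
    findings = []
    conns = lag.get("connections", [])
    if lag.get("macSecCapable"):
        # Only must_encrypt takes the connections down when encryption is down.
        if lag.get("encryptionMode") != "must_encrypt":
            findings.append("MODE_NOT_MUST_ENCRYPT")
        for c in conns:
            # The link is up while its MACsec encryption is down.
            if (c.get("connectionState") == "available"
                    and c.get("portEncryptionStatus") == "Encryption Down"):
                findings.append("LINK_UP_ENCRYPTION_DOWN:" + c["connectionId"])
    min_links = lag.get("minimumLinks", 0)
    # Assumption: a connection in state "available" counts as operational.
    up = sum(c.get("connectionState") == "available" for c in conns)
    if min_links == 0:
        findings.append("NO_MINIMUM_LINKS_THRESHOLD")
    elif up < min_links:
        findings.append("BELOW_MINIMUM_LINKS:%d/%d" % (up, min_links))
    return findings


def audit(response):
    """Map lagId -> findings, keeping only LAGs that have findings."""
    report = {lag["lagId"]: audit_lag(lag) for lag in response.get("lags", [])}
    return {lag_id: f for lag_id, f in report.items() if f}


def link(cid, state, enc):
    """Hypothetical helper that builds a constructed connection record."""
    return {"connectionId": cid, "connectionState": state,
            "portEncryptionStatus": enc}


SAMPLE = {"lags": [
    {"lagId": "dxlag-EXAMPLE1", "minimumLinks": 0, "macSecCapable": True,
     "encryptionMode": "should_encrypt",
     "connections": [link("dxcon-EXAMPLE1", "available", "Encryption Down"),
                     link("dxcon-EXAMPLE2", "available", "Encryption Up")]},
    {"lagId": "dxlag-EXAMPLE2", "minimumLinks": 2, "macSecCapable": True,
     "encryptionMode": "must_encrypt",
     "connections": [link("dxcon-EXAMPLE3", "available", "Encryption Up"),
                     link("dxcon-EXAMPLE4", "down", "Encryption Down")]},
    {"lagId": "dxlag-EXAMPLE3", "minimumLinks": 1, "macSecCapable": True,
     "encryptionMode": "must_encrypt",
     "connections": [link("dxcon-EXAMPLE5", "available", "Encryption Up")]},
]}

if __name__ == "__main__":
    for lag_id, findings in audit(SAMPLE).items():
        print(lag_id, findings)
```
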

**To update a LAG**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. In the navigation pane, choose **LAGs**.

1. Select the LAG, and then choose **Edit**.

1. Modify the LAG.

   [Change the name] For **LAG Name**, enter a new LAG name.

   [Adjust the minimum number of connections] For **Minimum Links**, enter the minimum number of operational connections.

   [Add a tag] Choose **Add tag** and do the following:
   + For **Key**, enter the key name.
   + For **Value**, enter the key value.

   [Remove a tag] Next to the tag, choose **Remove tag**.

1. Choose **Edit LAG**.

**To update a LAG using the command line or API**
+ [update-lag](https://docs.aws.amazon.com/cli/latest/reference/directconnect/update-lag.html) (AWS CLI)
+ [UpdateLag](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_UpdateLag.html) (Direct Connect API)

# Associate a connection with a LAG at a Direct Connect endpoint
<a name="associate-connection-with-lag"></a>

You can associate an existing connection with a LAG using either the Direct Connect console or using the command line or API. The connection can be standalone, or it can be part of another LAG. The connection must be on the same AWS device and must use the same bandwidth as the LAG. If the connection is already associated with another LAG, you cannot re-associate it if removing the connection causes the original LAG to fall below its threshold for the minimum number of operational connections.

Associating a connection to a LAG automatically re-associates its virtual interfaces to the LAG.

**Important**  
Connectivity to AWS over the connection is interrupted during association.
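
Because association interrupts connectivity, it helps to check the constraints before making the call. The following added example (not part of the original AWS documentation) checks a proposed association against the constraints above and the LAG rules listed at the top of this page. It assumes records shaped like `DescribeLags` and `DescribeConnections` output; the helper names, result codes, IDs, and device names are constructed.

```python
# Added example. Field names follow the DescribeLags/DescribeConnections
# response shape; all IDs and device names below are constructed placeholders.
MAX_LINKS = {"1Gbps": 4, "10Gbps": 4, "100Gbps": 2, "400Gbps": 2}


def make_conn(cid, bw="10Gbps", dev="EXAMPLE-device-1", state="available"):
    """Hypothetical helper that builds a constructed connection record."""
    return {"connectionId": cid, "bandwidth": bw,
            "awsDeviceV2": dev, "connectionState": state}


def operational(lag):
    """Count links treated as operational (assumption: state 'available')."""
    return sum(c["connectionState"] == "available" for c in lag["connections"])


def preflight(conn, target, source=None):
    """Return the rules an association would break; empty list if none."""
    problems = []
    lag_bw = target["connectionsBandwidth"]
    if conn["bandwidth"] not in MAX_LINKS:
        problems.append("UNSUPPORTED_PORT_SPEED")
    if conn["bandwidth"] != lag_bw:
        problems.append("BANDWIDTH_MISMATCH")
    if conn["awsDeviceV2"] != target["awsDeviceV2"]:
        problems.append("DIFFERENT_ENDPOINT")
    if len(target["connections"]) + 1 > MAX_LINKS.get(lag_bw, 0):
        problems.append("TARGET_LAG_FULL")
    if source is not None:
        # Removing the link must not drop the source LAG below its threshold.
        left = operational(source) - (conn["connectionState"] == "available")
        if left < source["minimumLinks"]:
            problems.append("SOURCE_BELOW_MINIMUM_LINKS")
    return problems


# Constructed sample: a two-link LAG that requires both links, and a target LAG.
SOURCE = {"lagId": "dxlag-EXAMPLEA", "minimumLinks": 2,
          "connectionsBandwidth": "10Gbps", "awsDeviceV2": "EXAMPLE-device-1",
          "connections": [make_conn("dxcon-EXAMPLE1"), make_conn("dxcon-EXAMPLE2")]}
TARGET = {"lagId": "dxlag-EXAMPLEB", "minimumLinks": 0,
          "connectionsBandwidth": "10Gbps", "awsDeviceV2": "EXAMPLE-device-1",
          "connections": [make_conn("dxcon-EXAMPLE3")]}

if __name__ == "__main__":
    print(preflight(SOURCE["connections"][0], TARGET, SOURCE))
    print(preflight(make_conn("dxcon-EXAMPLE9", dev="EXAMPLE-device-2"), TARGET))
    print(preflight(make_conn("dxcon-EXAMPLE8"), TARGET))
```
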

**To associate a connection with a LAG**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. In the navigation pane, choose **LAGs**.

1. Select the LAG, and then choose **View details**.

1. Under **Connections**, choose **Associate connection**.

1. For **Connection**, choose the Direct Connect connection to use for the LAG.

1. Choose **Associate Connection**.

**To associate a connection using the command line or API**
+ [associate-connection-with-lag](https://docs.aws.amazon.com/cli/latest/reference/directconnect/associate-connection-with-lag.html) (AWS CLI)
+ [AssociateConnectionWithLag](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_AssociateConnectionWithLag.html) (Direct Connect API)

# Disassociate a connection from a LAG at a Direct Connect endpoint
<a name="disassociate-connection-from-lag"></a>

Convert a connection to standalone by disassociating it from a LAG using either the Direct Connect console or using the command line or API. You can't disassociate a connection if it causes the LAG to fall below its threshold for the minimum number of operational connections.

Disassociating a connection from a LAG does not automatically disassociate any virtual interfaces.

**Important**  
Your connection to AWS is broken off during disassociation.

**To disassociate a connection from a LAG**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. In the left pane, choose **LAGs**.

1. Select the LAG, and then choose **View details**.

1. Under **Connections**, select the connection from the list of available connections and choose **Disassociate**.

1. In the confirmation dialog box, choose **Disassociate**.

**To disassociate a connection using the command line or API**
+ [disassociate-connection-from-lag](https://docs.aws.amazon.com/cli/latest/reference/directconnect/disassociate-connection-from-lag.html) (AWS CLI)
+ [DisassociateConnectionFromLag](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_DisassociateConnectionFromLag.html) (Direct Connect API)

# Associate a MACsec CKN/CAK with a Direct Connect endpoint LAG
<a name="associate-key-lag"></a>

After you create the LAG that supports MACsec, you can associate a CKN/CAK with the connection using either the Direct Connect console or using the command line or API.

**Note**  
You cannot modify a MACsec secret key after you associate it with a LAG. If you need to modify the key, disassociate the key from the connection, and then associate a new key with the connection. For information about removing an association, see [Remove the association between a MACsec secret key and a Direct Connect endpoint LAG](disassociate-key-lag.md).

**To associate a MACsec key with a LAG**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. In the navigation pane, choose **LAGs**.

1. Select the LAG and choose **View details**.

1. Choose **Associate key**.

1. Enter the MACsec key.

   [Use the CAK/CKN pair] Choose **Key Pair**, and then do the following:
   + For **Connectivity Association Key (CAK)**, enter the CAK.
   + For **Connectivity Association Key Name (CKN)**, enter the CKN.

   [Use the secret] Choose **Existing Secret Manager secret**, and then for **Secret**, select the MACsec secret key.

1. Choose **Associate key**.

**To associate a MACsec key with a LAG using the command line or API**
+ [associate-mac-sec-key](https://docs.aws.amazon.com/cli/latest/reference/directconnect/associate-mac-sec-key.html) (AWS CLI)
+ [AssociateMacSecKey](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_AssociateMacSecKey.html) (Direct Connect API)

# Remove the association between a MACsec secret key and a Direct Connect endpoint LAG
<a name="disassociate-key-lag"></a>

You can remove the association between the LAG and the MACsec key using either the Direct Connect console or using the command line or API.

**To remove an association between a LAG and a MACsec key**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. In the navigation pane, choose **LAGs**.

1. Select the LAG and choose **View details**.

1. Select the MACsec secret to remove, and then choose **Disassociate key**.

1. In the confirmation dialog box, enter **disassociate**, and then choose **Disassociate**.

**To remove an association between a LAG and a MACsec key using the command line or API**
+ [disassociate-mac-sec-key](https://docs.aws.amazon.com/cli/latest/reference/directconnect/disassociate-mac-sec-key.html) (AWS CLI)
+ [DisassociateMacSecKey](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_DisassociateMacSecKey.html) (Direct Connect API)

# Delete a Direct Connect endpoint LAG
<a name="delete-lag"></a>

If you no longer need LAGs, you can delete them. You cannot delete a LAG if it has virtual interfaces associated with it. You must first delete the virtual interfaces, or associate them with a different LAG or connection. Deleting a LAG does not delete the connections in the LAG; you must delete the connections yourself. For more information, see [Delete a connection](deleteconnection.md).

You can delete a LAG using either the Direct Connect console or using the command line or API.

**To delete a LAG**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. In the navigation pane, choose **LAGs**.

1. Select the LAGs, and then choose **Delete**.

1. In the confirmation dialog box, choose **Delete**.

**To delete a LAG using the command line or API**
+ [delete-lag](https://docs.aws.amazon.com/cli/latest/reference/directconnect/delete-lag.html) (AWS CLI)
+ [DeleteLag](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_DeleteLag.html) (Direct Connect API)