Direct Connect connections span at least two locations per region

directconnect_connection_redundancy

Severity: medium
by Prowler

AWS Direct Connect connectivity is provisioned with connection and location redundancy: multiple connections spread across at least two distinct Direct Connect locations in each Region.

Risk

Missing connection/location redundancy creates a single point of failure, degrading availability. A router, fiber, or site outage can sever private paths to AWS, stalling app traffic, data replication, and admin access, leading to timeouts or extended downtime until alternate paths are restored.

Run this check with Prowler CLI

prowler aws --checks directconnect_connection_redundancy

Recommendation

Apply redundancy and defense in depth:

  • Deploy 2 Direct Connect connections across two distinct locations
  • Use dynamic, active/active routing for automatic failover
  • Ensure provider/device diversity
  • Size capacity so one link loss doesn't overload remaining paths
  • Consider a VPN as tertiary backup
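The condition this check evaluates can be reproduced offline from the output of `aws directconnect describe-connections`. The following is an added example written for this page, not Prowler's own implementation; the sample connections and the rule that only connections in the `available` state count toward redundancy are assumptions of the example.

```python
"""Evaluate Direct Connect location redundancy per Region.

Added example, not Prowler's code. Input is the `connections` list in the
shape returned by `aws directconnect describe-connections`, taken as a plain
Python list so the evaluation runs without AWS credentials.
"""
from collections import defaultdict

# Assumption: only connections in these lifecycle states carry traffic and
# therefore count toward redundancy; pending/down/deleted ones do not.
USABLE_STATES = {"available"}


def evaluate_redundancy(connections):
    """Return {region: {"status", "connections", "locations"}}.

    A Region passes when it has at least two usable connections spread over
    at least two distinct Direct Connect locations. A Region whose only
    connections are unusable is reported as FAIL with zero connections.
    """
    usable_by_region = defaultdict(list)
    for conn in connections:
        if conn.get("connectionState") in USABLE_STATES:
            usable_by_region[conn["region"]].append(conn)

    report = {}
    for region in sorted({c["region"] for c in connections}):
        conns = usable_by_region.get(region, [])
        locations = sorted({c["location"] for c in conns})
        passes = len(conns) >= 2 and len(locations) >= 2
        report[region] = {
            "status": "PASS" if passes else "FAIL",
            "connections": len(conns),
            "locations": locations,
        }
    return report


# Constructed sample data in the describe-connections output shape (not real
# connection ids; location codes are illustrative).
SAMPLE_CONNECTIONS = [
    {"connectionId": "dxcon-aaaa0001", "connectionName": "dx-east-a", "connectionState": "available", "region": "us-east-1", "location": "EqDC2", "bandwidth": "1Gbps"},
    {"connectionId": "dxcon-aaaa0002", "connectionName": "dx-east-b", "connectionState": "available", "region": "us-east-1", "location": "CSVA1", "bandwidth": "1Gbps"},
    {"connectionId": "dxcon-bbbb0001", "connectionName": "dx-west-a", "connectionState": "available", "region": "us-west-2", "location": "EqSE2", "bandwidth": "1Gbps"},
    {"connectionId": "dxcon-bbbb0002", "connectionName": "dx-west-b", "connectionState": "available", "region": "us-west-2", "location": "EqSE2", "bandwidth": "1Gbps"},
    {"connectionId": "dxcon-cccc0001", "connectionName": "dx-eu-a", "connectionState": "pending", "region": "eu-west-1", "location": "EqLD5", "bandwidth": "1Gbps"},
]

if __name__ == "__main__":
    for region, result in evaluate_redundancy(SAMPLE_CONNECTIONS).items():
        print(region, result["status"], result["connections"], "connection(s) in", result["locations"])
```

Note that us-west-2 fails even with two connections, because both terminate in the same location; that is exactly the site-level single point of failure the check is looking for.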

Remediation

CLI

aws directconnect create-connection --region <REGION> --location <NEW_DX_LOCATION_CODE> --bandwidth 1Gbps --connection-name <example_resource_name>

Other
  1. In the AWS Console, go to Direct Connect > Connections
  2. Click Create connection
  3. Region: select the Region where the existing connection resides
  4. Name: enter <example_resource_name>
  5. Location: select a different Direct Connect location than your existing connection
  6. Bandwidth: choose a supported value (e.g., 1 Gbps)
  7. Click Create connection

Resource Type

Other