

# Direct Connect gateways
<a name="direct-connect-gateways-intro"></a>

Use a Direct Connect gateway to connect your VPCs to your Direct Connect connection. You associate a Direct Connect gateway with any of the following: 
+ A transit gateway when you have multiple VPCs in the same Region
+ A virtual private gateway
+ An AWS Cloud WAN core network

You can also use a virtual private gateway to extend your Local Zone. This configuration allows the VPC associated with the Local Zone to connect to a Direct Connect gateway. The Direct Connect gateway connects to a Direct Connect location in a Region. The on-premises data center has a Direct Connect connection to the Direct Connect location. For more information, see [Accessing Local Zones using a Direct Connect gateway](https://docs.aws.amazon.com/vpc/latest/userguide/Extend_VPCs.html#access-local-zone) in the *Amazon VPC User Guide*.

A Direct Connect gateway is a globally available resource. You can connect to any Region globally using a Direct Connect gateway. This includes AWS GovCloud (US), but it does not include the AWS China Regions. A Direct Connect gateway is a virtual component of Direct Connect designed to act as a distributed set of BGP route reflectors. Because it operates outside the data traffic path, it avoids creating a single point of failure or introducing dependencies on specific AWS Regions. High availability is inherently built into its design, eliminating the need for multiple Direct Connect gateways.

Customers using Direct Connect with VPCs that currently bypass a parent Availability Zone will not be able to migrate their Direct Connect connections or virtual interfaces.

Before using a Direct Connect gateway in any of the scenarios described later on this page, note the following restrictions on traffic between gateway associations.

A Direct Connect gateway does not forward traffic between gateway associations on the same Direct Connect gateway (for example, from one virtual private gateway to another virtual private gateway). An exception to this rule, implemented in November 2021, is when a supernet is advertised across two or more VPCs whose attached virtual private gateways (VGWs) are associated with the same Direct Connect gateway and reached over the same virtual interface. In this case the VPCs can communicate with each other via the Direct Connect endpoint. For example, if you advertise a supernet (such as 10.0.0.0/8 or 0.0.0.0/0) that overlaps the CIDR blocks of the VPCs attached to the Direct Connect gateway (such as 10.0.0.0/24 and 10.0.1.0/24) on the same virtual interface, traffic from one VPC to the other follows the supernet route out of the VPC and returns via the Direct Connect endpoint, so the two VPCs can reach each other even though neither VPC has a route for the other. The gateway is not doing the forwarding in this case; the route you advertised from your on-premises network is. 

If you want to block VPC-to-VPC communication within a Direct Connect gateway, do the following: 

1. Configure the security groups on instances and other resources in each VPC (including the VPC's default security group) so that they do not allow traffic from the other VPCs' CIDR blocks. Security groups only allow traffic, so "blocking" means not adding a rule that permits the other VPC; if you want an explicit deny, add network ACL rules that deny the other VPCs' CIDR blocks as well.

1. Avoid advertising a supernet from your on-premises network that overlaps with your VPC CIDR blocks. Instead, advertise more specific routes from your on-premises network that do not overlap with your VPCs.

1. Provision a separate Direct Connect gateway for each VPC that you want to connect to your on-premises network instead of sharing one Direct Connect gateway across multiple VPCs. For example, instead of using a single Direct Connect gateway for your development and production VPCs, use a separate Direct Connect gateway for each of them.

A Direct Connect gateway also does not prevent traffic from being sent from one gateway association back to that same association (for example, when an on-premises supernet route contains the prefixes of the VPCs behind the association). If multiple VPCs are attached to a transit gateway that is associated with the Direct Connect gateway, those VPCs can therefore reach each other through the supernet route. To prevent this, associate the VPC attachments with a transit gateway route table that contains **blackhole** routes for the other VPCs' CIDR blocks. Because a blackhole route for a VPC CIDR is more specific than the supernet, it wins the longest-prefix match and the traffic is dropped at the transit gateway.
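The following Python, added here as an example and not taken from AWS, applies the two rules above to an inventory of VPCs on one Direct Connect gateway: it reports every VPC pair that becomes reachable through an on-premises supernet over the same virtual interface, and honours a transit gateway blackhole route only when it is more specific than the advertised prefix. The VPC names, gateway identifiers, virtual interface names and advertised prefixes are constructed for the example; in practice you would take them from `describe-direct-connect-gateway-associations`, the VPC or transit gateway route tables, and the prefixes your routers advertise on each virtual interface.

```python
"""Which VPCs on one Direct Connect gateway can reach each other through the
on-premises side?  Added example, not AWS code.  All inventory data below is
constructed by hand (names, gateway ids, VIF names and prefixes are placeholders)."""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass
class Vpc:
    name: str
    cidr: str
    gateway: str            # the VGW (one per VPC) or shared TGW associated with the DX gateway
    vif: str                # virtual interface that association is reached over
    blackholes: tuple = ()  # TGW only: blackhole routes in this attachment's TGW route table


def most_specific(cidr, candidates):
    """Longest-prefix match: return the (network, label) pair of the most
    specific candidate that contains cidr, or None if nothing does."""
    best = None
    for net, label in candidates:
        if cidr.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, label)
    return best


def hairpin_paths(vpcs, onprem_prefixes):
    """Return (src, dst, via_prefix) triples for every VPC pair whose traffic
    leaves src over an on-premises route and comes back to dst through the same
    virtual interface.  Assumes the on-premises routes are propagated into the
    VPC or transit gateway route tables, as in the scenario above."""
    advertised = [(ip_network(p), "on-premises") for p in onprem_prefixes]
    found = []
    for src in vpcs:
        for dst in vpcs:
            if src is dst or src.vif != dst.vif:
                continue  # the exception above needs the same virtual interface
            routes = advertised + [(ip_network(b), "blackhole") for b in src.blackholes]
            best = most_specific(ip_network(dst.cidr), routes)
            if best and best[1] == "on-premises":
                found.append((src.name, dst.name, str(best[0])))
    return found


# Constructed inventory: two VPCs behind their own VGWs on one private VIF,
# one VPC on a second private VIF, and two VPCs behind a shared transit gateway.
SAMPLE_VPCS = [
    Vpc("dev",      "10.0.0.0/24", gateway="vgw-dev",    vif="dxvif-private-1"),
    Vpc("prod",     "10.0.1.0/24", gateway="vgw-prod",   vif="dxvif-private-1"),
    Vpc("data",     "10.1.0.0/24", gateway="vgw-data",   vif="dxvif-private-2"),
    Vpc("shared-a", "10.2.0.0/24", gateway="tgw-shared", vif="dxvif-transit-1"),
    Vpc("shared-b", "10.2.1.0/24", gateway="tgw-shared", vif="dxvif-transit-1",
        blackholes=("10.2.0.0/24",)),  # shared-b's attachment blackholes shared-a
]

if __name__ == "__main__":
    for prefixes in (["10.0.0.0/8"], ["172.16.0.0/12"]):
        print(prefixes, "->", hairpin_paths(SAMPLE_VPCS, prefixes) or "no VPC-to-VPC paths")
```

With the 10.0.0.0/8 supernet the check flags dev and prod in both directions and shared-a to shared-b, but not shared-b to shared-a, because that attachment's /24 blackhole beats the /8. Advertising only the on-premises range (172.16.0.0/12) yields no paths at all, which is the second mitigation in the list above.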

**Topics**
+ [Scenarios](#dx-gateway-scenarios)
+ [Create a Direct Connect gateway](create-direct-connect-gateway.md)
+ [Migrate from a virtual private gateway to a Direct Connect gateway](migrate-to-direct-connect-gateway.md)
+ [Delete a Direct Connect gateway](delete-direct-connect-gateway.md)

## Scenarios
<a name="dx-gateway-scenarios"></a>

The following sections describe a few of the scenarios in which you can use a Direct Connect gateway. 

### Scenario: Virtual private gateway associations
<a name="virtual-private-gateway"></a>

In the following diagram, the Direct Connect gateway enables you to use your Direct Connect connection in the US East (N. Virginia) Region to access VPCs in your account in both the US East (N. Virginia) and US West (N. California) Regions.

Each VPC has a virtual private gateway that connects to the Direct Connect gateway using a virtual private gateway association. The Direct Connect gateway uses a private virtual interface for the connection to the Direct Connect location. There is a Direct Connect connection from the location to the customer data center.

![\[A Direct Connect gateway that connects VPCs in two AWS Regions and your data center.\]](http://docs.aws.amazon.com/directconnect/latest/UserGuide/images/dx-gateway.png)


### Scenario: Virtual private gateway associations across accounts
<a name="virtual-private-gateway-across-accounts"></a>

Consider a Direct Connect gateway owner (Account Z). Account A and Account B want to use the Direct Connect gateway, so each sends an association proposal to Account Z. Account Z accepts the proposals and can optionally override the prefixes that are allowed from Account A's or Account B's virtual private gateway. After Account Z accepts the proposals, Account A and Account B can route traffic from their virtual private gateways to the Direct Connect gateway. Because Account Z owns the gateway, it also controls routing toward the on-premises network and which prefixes each association is allowed to advertise.

![\[A Direct Connect gateway that connects three AWS accounts and your data center.\]](http://docs.aws.amazon.com/directconnect/latest/UserGuide/images/dx-gateway-shared.png)


### Scenario: Transit gateway associations
<a name="transit-gateway"></a>

The following diagram shows how a Direct Connect gateway lets all of the VPCs attached to a transit gateway share a single Direct Connect connection.

![\[A Direct Connect gateway associated with a transit gateway with multiple VPC attachments.\]](http://docs.aws.amazon.com/directconnect/latest/UserGuide/images/direct-connect-tgw.png)


The solution involves the following components:
+ A transit gateway that has VPC attachments.
+ A Direct Connect gateway.
+ An association between the Direct Connect gateway and the transit gateway.
+ A transit virtual interface that is attached to the Direct Connect gateway.

This configuration offers the following benefits. You can:
+ Manage a single connection for multiple VPCs or VPNs that are in the same Region.
+ Advertise prefixes from on-premises to AWS and from AWS to on-premises.

For information about configuring transit gateways, see [Working with Transit Gateways](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-dcg-attachments.html) in the *Amazon VPC Transit Gateways Guide*.

### Scenario: Transit gateway associations across accounts
<a name="transit-gateway-across-accounts"></a>

Consider a Direct Connect gateway owner (Account Z). Account A owns a transit gateway and wants to use the Direct Connect gateway, so Account A sends an association proposal to Account Z. Account Z accepts the proposal and can optionally override the prefixes that are allowed from Account A's transit gateway. After Account Z accepts the proposal, the VPCs attached to the transit gateway can route traffic through the transit gateway to the Direct Connect gateway. Because Account Z owns the gateway, it also controls routing toward the on-premises network and which prefixes the association is allowed to advertise.

![\[A Direct Connect gateway from an AWS account associated with a transit gateway from another AWS account.\]](http://docs.aws.amazon.com/directconnect/latest/UserGuide/images/direct-connect-ma-tgw.png)
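In both cross-account scenarios the gateway owner is the control point: whatever prefixes Account Z allows on an association are what that account can pull traffic for. The following Python is an added example (not AWS-provided code) of the review the owner would run before accepting a proposal with boto3's `accept_direct_connect_gateway_association_proposal`: a requested prefix is accepted only if it lies within what the requesting account is expected to bring and does not overlap a prefix already allowed on another association of the same gateway, and the reviewed set is passed as the override so the requester's list never lands unfiltered. The account numbers, gateway ids, proposal id and prefixes are constructed placeholders; the proposal dict follows the shape of a `DescribeDirectConnectGatewayAssociationProposals` entry, and the client is passed in so the logic can be exercised without credentials.

```python
"""Review a cross-account association proposal before accepting it.
Added example, not AWS code.  Accounts, ids and prefixes are constructed."""
from ipaddress import ip_network

# Constructed owner-side policy: the prefixes each requesting account may bring.
EXPECTED_PREFIXES = {
    "111111111111": ["10.10.0.0/16", "10.30.0.0/16"],   # Account A
    "222222222222": ["10.20.0.0/16"],                   # Account B
}

# Constructed: prefixes already allowed on other associations of this gateway.
ALREADY_ALLOWED = ["10.20.0.0/16", "10.30.5.0/24"]

# Constructed proposal in the shape returned by
# DescribeDirectConnectGatewayAssociationProposals (placeholder ids).
SAMPLE_PROPOSAL = {
    "proposalId": "00000000-0000-0000-0000-000000000000",
    "associatedGateway": {"id": "vgw-0000", "type": "virtualPrivateGateway",
                          "ownerAccount": "111111111111"},
    "requestedAllowedPrefixesToDirectConnectGateway": [
        {"cidr": "10.10.0.0/16"},   # expected from Account A
        {"cidr": "10.20.0.0/16"},   # Account B's range: would hijack B's traffic
        {"cidr": "10.30.0.0/16"},   # expected, but part of it is already allowed elsewhere
        {"cidr": "0.0.0.0/0"},      # would attract all on-premises-bound traffic
    ],
}


def review_proposal(proposal, expected=EXPECTED_PREFIXES, already_allowed=ALREADY_ALLOWED):
    """Split the requested prefixes into (accepted, rejected); rejected holds
    (cidr, reason) pairs.  The first failing rule decides the reason."""
    account = proposal["associatedGateway"]["ownerAccount"]
    allowed_for_account = [ip_network(c) for c in expected.get(account, [])]
    taken = [ip_network(c) for c in already_allowed]
    accepted, rejected = [], []
    for entry in proposal["requestedAllowedPrefixesToDirectConnectGateway"]:
        net = ip_network(entry["cidr"])
        if not any(net.subnet_of(a) for a in allowed_for_account):
            rejected.append((entry["cidr"], f"not within the prefixes expected from account {account}"))
        elif any(net.overlaps(t) for t in taken):
            rejected.append((entry["cidr"], "overlaps a prefix already allowed for another association"))
        else:
            accepted.append(entry["cidr"])
    return accepted, rejected


def accept_with_override(client, dxgw_id, proposal, cidrs):
    """Accept the proposal, replacing the requested prefixes with the reviewed
    set.  client is a boto3 'directconnect' client (or a test double)."""
    if not cidrs:
        raise ValueError("nothing acceptable; leave the proposal pending and ask the requester to resubmit")
    return client.accept_direct_connect_gateway_association_proposal(
        directConnectGatewayId=dxgw_id,
        proposalId=proposal["proposalId"],
        associatedGatewayOwnerAccount=proposal["associatedGateway"]["ownerAccount"],
        overrideAllowedPrefixesToDirectConnectGateway=[{"cidr": c} for c in cidrs],
    )


if __name__ == "__main__":
    ok, bad = review_proposal(SAMPLE_PROPOSAL)
    print("accept:", ok)
    for cidr, why in bad:
        print("reject:", cidr, "-", why)
    # import boto3; accept_with_override(boto3.client("directconnect"), "dxgw-example", SAMPLE_PROPOSAL, ok)
```

Run against the constructed proposal, only 10.10.0.0/16 is accepted; the other three are rejected with a reason the owner can send back to the requester. Keeping the policy table outside the proposal (rather than trusting `requestedAllowedPrefixesToDirectConnectGateway`) is the point: the requesting account can ask for anything, and the owner's override is the only filter before those prefixes become reachable from on-premises.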


# Create a Direct Connect gateway
<a name="create-direct-connect-gateway"></a>

You can create a Direct Connect gateway in any supported Region using either the Direct Connect console or using the command line or API.

**To create a Direct Connect gateway**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. In the navigation pane, choose **Direct Connect Gateways**.

1. Choose **Create Direct Connect gateway**.

1. Specify the following information, and choose **Create Direct Connect gateway**.
   + **Name**: Enter a name to help you identify the Direct Connect gateway.
   + **Amazon side ASN**: Specify the ASN for the Amazon side of the BGP session. The ASN must be in the 64,512 to 65,534 range or 4,200,000,000 to 4,294,967,294 range.
**Note**  
If you are creating a Direct Connect gateway to use with an AWS Cloud WAN core network, the ASN must not fall within the ASN range configured for the core network.

**To create a Direct Connect gateway using the command line or API**
+ [create-direct-connect-gateway](https://docs.aws.amazon.com/cli/latest/reference/directconnect/create-direct-connect-gateway.html) (AWS CLI)
+ [CreateDirectConnectGateway](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_CreateDirectConnectGateway.html) (Direct Connect API)
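As an added example (not AWS-provided code), the following Python checks the Amazon-side ASN against the two private ranges above and against a Cloud WAN core-network ASN range before calling `CreateDirectConnectGateway` through boto3, so a bad value is caught before the API call rather than after. The gateway name, the ASN values and the core-network range are placeholders standing in for the values in your own core network policy; the client is passed in so the validation can be exercised without AWS credentials.

```python
"""Validate the Amazon-side ASN, then create the Direct Connect gateway.
Added example, not AWS code.  Names, ASNs and ranges below are placeholders."""

# Ranges stated on this page for the Amazon side of the BGP session.
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))


def validate_amazon_side_asn(asn, core_network_asn_ranges=()):
    """Return None if asn is acceptable, otherwise a string saying why not.
    core_network_asn_ranges is a list of (low, high) pairs taken from the
    Cloud WAN core network policy; pass () when no core network is involved."""
    if not isinstance(asn, int):
        return "ASN must be an integer"
    if not any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES):
        return f"{asn} is outside 64512-65534 and 4200000000-4294967294"
    for lo, hi in core_network_asn_ranges:
        if lo <= asn <= hi:
            return f"{asn} falls inside the core network ASN range {lo}-{hi}"
    return None


def create_gateway(client, name, asn, core_network_asn_ranges=()):
    """Validate first, then call CreateDirectConnectGateway via a boto3
    'directconnect' client and return the new gateway id."""
    problem = validate_amazon_side_asn(asn, core_network_asn_ranges)
    if problem:
        raise ValueError(problem)
    resp = client.create_direct_connect_gateway(directConnectGatewayName=name, amazonSideAsn=asn)
    return resp["directConnectGateway"]["directConnectGatewayId"]


if __name__ == "__main__":
    import boto3  # only needed for the real call
    # Placeholder core-network range; use the asn-ranges from your core network policy.
    print(create_gateway(boto3.client("directconnect"), "dxgw-example", 64600,
                         core_network_asn_ranges=[(64512, 64555)]))
```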

# Migrate from a virtual private gateway to a Direct Connect gateway
<a name="migrate-to-direct-connect-gateway"></a>

You can migrate a virtual private gateway attached to a virtual interface to a Direct Connect gateway. 

If you're using Direct Connect with VPCs that currently bypass a parent Availability Zone, you won't be able to migrate your Direct Connect connections or virtual interfaces.

The following steps describe how to migrate a virtual private gateway to a Direct Connect gateway.

**To migrate to a Direct Connect gateway**

1. Create a Direct Connect gateway. 

   If the Direct Connect gateway does not yet exist, you'll need to create it. For the steps to create a Direct Connect gateway, see [Create a Direct Connect gateway](create-direct-connect-gateway.md).

1. Create a virtual interface for the Direct Connect gateway. 

   A virtual interface is required for migration. If the interface does not exist, you'll need to create it. For the steps to create the virtual interface, see [Virtual interfaces](create-vif.md).

1. Associate the virtual private gateway with the Direct Connect gateway. 

   The virtual private gateway must be associated with the Direct Connect gateway. For the steps to create the association, see [Associate or disassociate virtual private gateways](associate-vgw-with-direct-connect-gateway.md).

1. Delete the virtual interface that was attached directly to the virtual private gateway. Do this only after the new association shows the **associated** state and the BGP session on the new virtual interface is up; deleting the old virtual interface first takes the path down. For more information, see [Delete a virtual interface](deletevif.md).
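As an added example (not AWS-provided code), the following Python performs steps 2 to 4 with boto3 and refuses to return control for deleting the old virtual interface until the new association is `associated` and every BGP peer on the new virtual interface reports `up`. Step 1 is assumed done. The connection, gateway and VLAN values and the ASN are placeholders; the client is passed in so the cut-over check can be exercised against constructed API responses. The new virtual interface's BGP session also has to be configured on your on-premises router before the check can pass, which is exactly why the check exists.

```python
"""Move a VGW from a directly attached private VIF to a Direct Connect gateway
without dropping traffic.  Added example, not AWS code.  Ids, VLAN and ASN
are placeholders; the response shapes follow DescribeDirectConnectGatewayAssociations
and DescribeVirtualInterfaces."""
import time


def association_ready(assoc):
    """True once the VGW association has reached the 'associated' state."""
    return assoc.get("associationState") == "associated"


def vif_ready(vif):
    """True once the new VIF is 'available' and every BGP peer reports 'up'."""
    peers = vif.get("bgpPeers", [])
    return (vif.get("virtualInterfaceState") == "available"
            and bool(peers)
            and all(p.get("bgpStatus") == "up" for p in peers))


def cutover_safe(assoc, vif):
    """Gate for deleting the old VIF: the new path must be fully up first."""
    return association_ready(assoc) and vif_ready(vif)


def migrate(client, connection_id, vgw_id, dxgw_id, vlan, bgp_asn, timeout=900, poll=15):
    """Create the new private VIF on the DX gateway (step 2), associate the VGW
    (step 3) and block until both are up.  Returns the new VIF id; the caller
    then deletes the old VIF (step 4).  Raises if the path never comes up, in
    which case the old VIF is untouched and traffic keeps flowing."""
    new_vif = client.create_private_virtual_interface(
        connectionId=connection_id,
        newPrivateVirtualInterface={
            "virtualInterfaceName": f"{vgw_id}-via-dxgw",
            "vlan": vlan,
            "asn": bgp_asn,                   # your on-premises BGP ASN
            "directConnectGatewayId": dxgw_id,
        },
    )["virtualInterfaceId"]
    client.create_direct_connect_gateway_association(directConnectGatewayId=dxgw_id, gatewayId=vgw_id)

    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        assocs = client.describe_direct_connect_gateway_associations(
            directConnectGatewayId=dxgw_id, virtualGatewayId=vgw_id)["directConnectGatewayAssociations"]
        vifs = client.describe_virtual_interfaces(virtualInterfaceId=new_vif)["virtualInterfaces"]
        if vifs and vifs[0].get("virtualInterfaceState") in ("rejected", "deleted"):
            raise RuntimeError(f"new virtual interface {new_vif} is {vifs[0]['virtualInterfaceState']}")
        if assocs and vifs and cutover_safe(assocs[0], vifs[0]):
            return new_vif
        time.sleep(poll)
    raise TimeoutError("new path never came up; old virtual interface left in place")


def delete_old_vif(client, old_vif_id):
    """Step 4: remove the VIF that was attached directly to the VGW."""
    return client.delete_virtual_interface(virtualInterfaceId=old_vif_id)["virtualInterfaceState"]


if __name__ == "__main__":
    import boto3  # only needed for the real run
    dx = boto3.client("directconnect")
    # Placeholders: your connection, VGW, DX gateway, a free VLAN and your BGP ASN.
    new_id = migrate(dx, "dxcon-example", "vgw-example", "dxgw-example", vlan=101, bgp_asn=65000)
    print("new VIF up:", new_id, "-> old VIF now", delete_old_vif(dx, "dxvif-old"))
```

The order matters: the old virtual interface is only deleted after `cutover_safe` has seen the association and the new BGP session both healthy, so a misconfigured on-premises peer results in a timeout and an unchanged network rather than an outage.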

# Delete a Direct Connect gateway
<a name="delete-direct-connect-gateway"></a>

If you no longer require a Direct Connect gateway, you can delete it. You must first disassociate every gateway associated with it (virtual private gateways and transit gateways) and delete every virtual interface attached to it; the delete request fails while any association or virtual interface remains. Once those are gone, you can delete the Direct Connect gateway using either the Direct Connect console or the command line or API. 
+ For the steps to disassociate a virtual private gateway, see [Associate or disassociate virtual private gateways](associate-vgw-with-direct-connect-gateway.md).
+ For the steps to delete a virtual interface, see [Delete a virtual interface](deletevif.md).

**To delete a Direct Connect gateway**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. In the navigation pane, choose **Direct Connect Gateways**.

1. Select the gateway and choose **Delete**.

**To delete a Direct Connect gateway using the command line or API**
+ [delete-direct-connect-gateway](https://docs.aws.amazon.com/cli/latest/reference/directconnect/delete-direct-connect-gateway.html) (AWS CLI)
+ [DeleteDirectConnectGateway](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_DeleteDirectConnectGateway.html) (Direct Connect API)