Encryption in Amazon Direct Connect
By default, Amazon Direct Connect does not encrypt your traffic in transit. To encrypt the data in transit that traverses Amazon Direct Connect, you must use the transit encryption options for that service. To learn about EC2 instance traffic encryption, see Encryption in Transit in the Amazon EC2 User Guide.
With Amazon Direct Connect and Amazon Site-to-Site VPN, you can combine one or more Amazon Direct Connect dedicated network connections with the Amazon VPC VPN. This combination provides an IPsec-encrypted private connection that also reduces network costs, increases bandwidth throughput, and provides a more consistent network experience than internet-based VPN connections. For more information, see Amazon VPC-to-Amazon VPC Connectivity Options.
MAC Security (MACsec) is an IEEE standard that provides data confidentiality, data integrity, and data origin authenticity. You can use Amazon Direct Connect connections that support MACsec to encrypt your data from your corporate data center to the Amazon Direct Connect location. For more information, see MAC Security in Amazon Direct Connect.
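Because encryption is off by default, it helps to check which connections actually have MACsec enforced. The following is an added example, not part of the AWS documentation: it grades connections using the `macSecCapable`, `encryptionMode`, and `portEncryptionStatus` fields of the Direct Connect `DescribeConnections` response. The connection IDs and sample values are constructed, and the posture labels are this example's own naming.

```python
# Added example: grade MACsec posture from a DescribeConnections-shaped response.
# Live data would come from boto3.client("directconnect").describe_connections().

SAMPLE_RESPONSE = {  # constructed sample data, not real connections
    "connections": [
        {"connectionId": "dxcon-example1", "macSecCapable": True,
         "encryptionMode": "must_encrypt", "portEncryptionStatus": "Encryption Up"},
        {"connectionId": "dxcon-example2", "macSecCapable": True,
         "encryptionMode": "should_encrypt", "portEncryptionStatus": "Encryption Up"},
        {"connectionId": "dxcon-example3", "macSecCapable": True,
         "encryptionMode": "should_encrypt", "portEncryptionStatus": "Encryption Down"},
        {"connectionId": "dxcon-example4", "macSecCapable": True,
         "encryptionMode": "no_encrypt", "portEncryptionStatus": "Encryption Down"},
        {"connectionId": "dxcon-example5", "macSecCapable": False},
    ]
}


def macsec_posture(conn):
    """Return a posture label (labels are this example's own) for one connection."""
    if not conn.get("macSecCapable", False):
        return "NOT_CAPABLE"  # no MACsec on this port; rely on IPsec VPN or TLS
    mode = conn.get("encryptionMode", "no_encrypt")
    link_up = conn.get("portEncryptionStatus") == "Encryption Up"
    if mode == "no_encrypt":
        return "DISABLED"  # capable port, MACsec switched off
    if mode == "must_encrypt":
        # must_encrypt takes the link down rather than pass cleartext
        return "ENFORCED" if link_up else "LINK_BLOCKED"
    if mode == "should_encrypt":
        # should_encrypt keeps the link up unencrypted if MACsec is not negotiated
        return "ENCRYPTED_CAN_FALL_BACK" if link_up else "CLEARTEXT_FALLBACK"
    return "UNKNOWN_MODE"


def audit(response):
    """Map each connection ID to its posture label."""
    return {c["connectionId"]: macsec_posture(c)
            for c in response.get("connections", [])}


def findings(response):
    """IDs where traffic is, or could become, unencrypted on the link."""
    safe = {"ENFORCED", "LINK_BLOCKED"}
    return sorted(cid for cid, p in audit(response).items() if p not in safe)


if __name__ == "__main__":
    for cid, posture in audit(SAMPLE_RESPONSE).items():
        print(f"{cid}: {posture}")
```

Connections reported by `findings` need either `must_encrypt` with an associated MACsec key or an IPsec VPN over the link, as described above.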