Direct Connect vs ExpressRoute vs Interconnect

Every major cloud sells a dedicated, private connection product that bypasses the public internet between your data center and their network. AWS calls it Direct Connect, Azure calls it ExpressRoute, Google calls it Interconnect. They all solve the same problem — predictable bandwidth, lower latency, lower egress costs, and traffic that never touches the internet — with very similar architectures but different pricing models and minimum commitments.

What dedicated connectivity actually buys you

Compared to a site-to-site VPN over the public internet, a dedicated connection provides four concrete things:

  1. Predictable bandwidth. The circuit is provisioned at a specific rate (1 Gbps, 10 Gbps, 100 Gbps) and you get that rate regardless of public internet congestion.
  2. Lower and more consistent latency. Typically 2-10 ms lower than VPN, with dramatically lower jitter, because the path is fixed and does not traverse internet peering points.
  3. Lower egress pricing. Data leaving the cloud via dedicated connectivity is billed at roughly 30% of the internet egress rate — for example, AWS charges $0.02/GB out via Direct Connect vs $0.09/GB out via the internet (US, first tier).
  4. Private path. Traffic never traverses the public internet, which matters for some compliance regimes.

What you do not get for free: encryption. Dedicated circuits are private but not encrypted at layer 3. If you need encryption for compliance, you layer MACsec (link-layer) or IPsec (network-layer) on top — see the encryption section below.

How the three products compare

| Feature | AWS Direct Connect | Azure ExpressRoute | GCP Interconnect |
|---|---|---|---|
| Connection types | Dedicated (1/10/100G) or Hosted (50M-10G via partner) | ExpressRoute Direct (10/100G) or Provider model (50M-10G) | Dedicated (10/100G) or Partner (50M-50G) |
| Minimum bandwidth via partner | 50 Mbps | 50 Mbps | 50 Mbps |
| Routing | BGP between your router and AWS | BGP between your router and Microsoft Edge | BGP between your router and Google Edge |
| Encryption at L2 | MACsec on 10/100G dedicated | MACsec on ExpressRoute Direct 10/100G | MACsec on Dedicated Interconnect |
| Encryption at L3 | VPN over Direct Connect (extra hop) | ExpressRoute + Site-to-Site VPN | HA VPN over Interconnect |
| Multi-region reach | Direct Connect Gateway routes to any region except China | ExpressRoute Global Reach connects circuits across regions | Global VPC means one Interconnect can reach all regions |
| Egress pricing (US) | ~$0.02/GB | Included in metered or unlimited port pricing | ~$0.02/GB |

The two connection models: dedicated vs partner

Dedicated port

You order a physical 1 Gbps, 10 Gbps, or 100 Gbps port at one of the cloud provider's colocation facilities. You (or your network operator) provision a cross-connect from your equipment in that colo to the cloud port. This requires:

  • Equipment in a supported colocation facility (Equinix, Coresite, Digital Realty, NTT, etc.).
  • A monthly port fee from the cloud provider ($200-2,250/month depending on speed).
  • A monthly cross-connect fee from the colo operator ($300-500/month per cross-connect).
  • A circuit from your data center to the colo (which may or may not be a separate cost depending on your existing network).

This makes sense for organizations already in colos or running >5 Gbps to a single cloud.

Partner connection (also called hosted, virtual, provider)

A network provider (Megaport, Equinix Fabric, PacketFabric, Console Connect) maintains a presence in the cloud colos and resells slices of its port capacity as virtual circuits. You connect once to the partner — via the partner's own colo presence, an MPLS network, or a software-defined fabric — and the partner extends layer-2 circuits to whichever cloud(s) you need.

This is the right model for almost everyone:

  • Bandwidth from 50 Mbps to 10+ Gbps, billed monthly with no minimum commitment.
  • No colocation footprint required.
  • Can connect to multiple clouds and multiple regions from one partner connection.
  • Pricing typically $0.50-2.00 per Mbps/month plus a small port fee.

For a 1 Gbps virtual circuit to AWS, expect $500-1500/month all-in via a partner — versus $2000-4000/month for a dedicated AWS port plus colo.

BGP: the routing layer

All three products use BGP (Border Gateway Protocol) for route exchange between your network and the cloud. The cloud advertises its prefixes (VPC CIDRs you have explicitly attached) to you; you advertise your on-premises prefixes to the cloud. Each side accepts the advertisements and installs routes.

Key BGP concepts for cloud connectivity:

  • Private ASN. Use an ASN from 64512-65534 (16-bit private) or 4200000000-4294967294 (32-bit private) for your side. The cloud provider uses its own public ASN.
  • Authentication. MD5 BGP authentication (TCP MD5, RFC 2385) is supported by all three. Use it: it stops spoofed TCP segments from resetting or injecting into the session, but it is session authentication only, not encryption.
  • BFD (Bidirectional Forwarding Detection) — sub-second failure detection. Enable it.
  • Multiple sessions for HA. Always provision two or more circuits, in different colos when possible, with BGP sessions on each. ECMP load-balances across active sessions; failure of one is invisible.
  • AS path prepending. If you advertise the same prefix on multiple circuits, prepend AS numbers on the secondary to make it less preferred (used for active/standby designs).

Choosing between cloud providers

If you are choosing one cloud and want dedicated connectivity, the products are roughly equivalent on technical merits. Pick based on:

  • Where you already have a colocation footprint or network presence. If you are already in Equinix DC11, AWS Direct Connect there is one cross-connect away.
  • Where your application lives. Connect to the cloud closest to where you run workloads. Multi-region reach products (Direct Connect Gateway, ExpressRoute Global Reach) handle the cross-region case but add hops.
  • Egress pricing in your specific case. ExpressRoute's "unlimited" port pricing model can be cheaper than per-GB if you push heavy egress; AWS per-GB Direct Connect pricing wins for low-egress workloads.

Encryption considerations

Dedicated connectivity provides isolation but not confidentiality. The traffic is in plaintext on the circuit. For most workloads this is acceptable — the circuit is physically isolated and the path is not advertised publicly — but specific compliance regimes require encryption.

MACsec (IEEE 802.1AE)

Link-layer encryption between your router and the cloud's edge router. Negligible performance impact (hardware-accelerated). Supported on:

  • AWS Direct Connect dedicated 10/100 Gbps ports.
  • Azure ExpressRoute Direct 10/100 Gbps ports.
  • GCP Dedicated Interconnect.

Not available on partner / hosted connections — those traverse the partner's network before reaching the cloud's edge, so the cloud cannot guarantee MACsec on the whole path.

IPsec VPN over the dedicated circuit

You can run a regular IPsec VPN on top of a Direct Connect / ExpressRoute / Interconnect. The VPN gateway sits in your VPC and your on-premises router establishes a tunnel to it, but the tunnel travels over the dedicated circuit rather than the internet. This combines circuit performance with VPN encryption at the cost of one extra hop and IPsec MTU handling.
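The "IPsec MTU handling" just mentioned is where tunnels over a dedicated circuit most often go wrong: the circuit's 1500-byte MTU must now also carry the outer IP and ESP headers, so the inner MTU and the TCP MSS have to be lowered or large packets fragment or silently drop. The following Python is an added illustration, not code from this page or from any provider. It computes the largest inner packet and the MSS clamp for two common ESP profiles from the header sizes in RFC 4303 and RFC 4106, assuming an IPv4 outer header and a 1500-byte outer MTU (both assumptions, adjustable as parameters). For the AES-GCM profile it yields 1446/1406, the tunnel MTU and MSS values AWS documents for its Site-to-Site VPN.

```python
"""Inner MTU and MSS clamp for an IPsec ESP tunnel riding a 1500-byte circuit.

Added example, not from any vendor documentation. Header sizes follow
RFC 4303 (ESP) and RFC 4106 (AES-GCM in ESP); the two cipher profiles and the
1500-byte outer MTU are assumptions chosen for illustration.
"""
from dataclasses import dataclass

OUTER_IPV4 = 20     # outer IPv4 header added in tunnel mode (assumes IPv4 outside)
ESP_HEADER = 8      # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1)
UDP_NAT_T = 8       # extra UDP/4500 header when NAT traversal encapsulation is on


@dataclass(frozen=True)
class EspProfile:
    name: str
    iv_len: int    # explicit IV carried in the packet
    icv_len: int   # integrity check value appended after the trailer
    align: int     # payload + trailer must be a multiple of this (RFC 4303/4106)


# AES-GCM: 8-byte IV, 16-byte ICV, 4-byte alignment (RFC 4106).
AES_GCM_16 = EspProfile("aes128-gcm16", iv_len=8, icv_len=16, align=4)
# AES-CBC + HMAC-SHA1-96: 16-byte IV, 12-byte ICV, 16-byte block alignment.
AES_CBC_SHA1 = EspProfile("aes128-cbc+hmac-sha1-96", iv_len=16, icv_len=12, align=16)


def esp_packet_size(inner_len: int, profile: EspProfile, nat_t: bool = False) -> int:
    """Size on the wire of an inner IP packet of inner_len bytes after ESP tunnel
    encapsulation, including the padding needed to reach the profile's alignment."""
    padding = (-(inner_len + ESP_TRAILER)) % profile.align
    return (OUTER_IPV4 + (UDP_NAT_T if nat_t else 0) + ESP_HEADER + profile.iv_len
            + inner_len + padding + ESP_TRAILER + profile.icv_len)


def max_inner_mtu(profile: EspProfile, outer_mtu: int = 1500, nat_t: bool = False) -> int:
    """Largest inner IP packet whose encapsulation still fits outer_mtu.

    Padding is not monotonic in inner_len, so we search downward instead of
    subtracting a fixed overhead (a fixed subtraction overestimates for CBC)."""
    for inner in range(outer_mtu, 0, -1):
        if esp_packet_size(inner, profile, nat_t) <= outer_mtu:
            return inner
    raise ValueError("outer MTU too small for this ESP profile")


def tcp_mss_clamp(inner_mtu: int) -> int:
    """TCP MSS to advertise/clamp so a full segment fits the inner MTU
    (IPv4 header 20 + TCP header 20, no options)."""
    return inner_mtu - 20 - 20


if __name__ == "__main__":
    for prof in (AES_GCM_16, AES_CBC_SHA1):
        mtu = max_inner_mtu(prof)
        print(f"{prof.name}: inner MTU {mtu}, clamp MSS to {tcp_mss_clamp(mtu)}")
    print("aes-gcm with NAT-T:", max_inner_mtu(AES_GCM_16, nat_t=True))
```

Because padding depends on the inner length, the CBC profile loses more than its nominal header bytes (1438 rather than 1442), which is exactly the kind of off-by-a-few error that produces intermittent large-packet loss on an otherwise healthy tunnel.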

High availability designs

A single dedicated circuit is a single point of failure. Production designs use at least two:

  • Two circuits in the same colo — protects against equipment failure but not site failure.
  • Two circuits in different colos in the same region — protects against site failure. AWS, Azure, and GCP all publish recommended diverse-path pairings.
  • Two circuits to two different regions — protects against entire-region failure. Most expensive but highest availability.
  • Active/active with ECMP — BGP advertises the same prefixes on both circuits; traffic balances across them. Failure of one is transparent.
  • Active/standby with AS path prepending — secondary circuit is less preferred; only used if primary fails. Simpler but less efficient.

For a hard cost minimum, the entry-level HA design is two partner-based 1 Gbps virtual circuits with diverse paths — total cost typically $1500-3000/month depending on partner and region.
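To make the BGP section and the active/active versus active/standby designs listed above concrete, here is a small Python model. It is an added illustration, not any provider's code: the ASNs (65001 for the on-prem side, 64496 standing in for the cloud's public ASN), the VPC CIDRs and the session names are all constructed. It checks that your ASN is private, applies the inbound prefix filter a practitioner should put in front of "accept the advertisements and install routes" (only the expected VPC CIDRs, never a default route or your own address space), and runs a reduced best-path selection on AS-path length so you can see ECMP when both circuits advertise equal paths and failover when the standby circuit is prepended.

```python
"""Toy BGP model for a dual-circuit cloud connection: private-ASN check,
defensive inbound prefix filter, and AS-path-length best-path selection
showing ECMP (active/active) versus prepending (active/standby).

Added example, not code from any cloud provider. ASNs, prefixes and session
names are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Iterable, List, Optional, Tuple

OUR_ASN = 65001      # constructed: 16-bit private ASN for the on-prem side
CLOUD_ASN = 64496    # constructed: documentation ASN standing in for the provider's public ASN


def is_private_asn(asn: int) -> bool:
    """True for the private ranges the text lists (RFC 6996)."""
    return 64512 <= asn <= 65534 or 4200000000 <= asn <= 4294967294


@dataclass(frozen=True)
class Route:
    prefix: str                 # CIDR as received, e.g. "10.20.0.0/16"
    as_path: Tuple[int, ...]    # leftmost ASN is the neighbor that sent it
    session: str                # BGP session / circuit the route arrived on


def prepend(route: Route, asn: int, times: int) -> Route:
    """The route as a sender advertises it with its ASN prepended `times` extra
    times; the receiver sees a longer path and prefers the other session."""
    return replace(route, as_path=(asn,) * times + route.as_path)


def filter_inbound(routes: Iterable[Route], allowed: Iterable[str]
                   ) -> Tuple[List[Route], List[Route]]:
    """Install only prefixes inside the VPC CIDRs we expect the cloud to send;
    a default route, our own on-prem space or a leaked prefix is rejected."""
    allowed_nets = [ipaddress.ip_network(p) for p in allowed]
    accepted: List[Route] = []
    rejected: List[Route] = []
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        ok = any(net.version == a.version and net.subnet_of(a) for a in allowed_nets)
        (accepted if ok else rejected).append(r)
    return accepted, rejected


def select_paths(routes: Iterable[Route]) -> Dict[str, List[str]]:
    """Reduced best-path: per prefix keep the shortest AS path. Ties form the
    ECMP set (active/active); a prepended session loses and becomes standby."""
    by_prefix: Dict[str, List[Route]] = {}
    for r in routes:
        by_prefix.setdefault(r.prefix, []).append(r)
    chosen: Dict[str, List[str]] = {}
    for prefix, cands in by_prefix.items():
        shortest = min(len(c.as_path) for c in cands)
        chosen[prefix] = sorted(c.session for c in cands if len(c.as_path) == shortest)
    return chosen


def inbound_example() -> Tuple[Dict[str, List[str]], List[str]]:
    """Cloud advertises two VPC CIDRs on both circuits; constructed junk
    (a default route and our own 192.168/16) is mixed in to exercise the filter."""
    received = [
        Route("10.20.0.0/16", (CLOUD_ASN,), "circuit-a"),
        Route("10.21.0.0/16", (CLOUD_ASN,), "circuit-a"),
        Route("10.20.0.0/16", (CLOUD_ASN,), "circuit-b"),
        Route("10.21.0.0/16", (CLOUD_ASN,), "circuit-b"),
        Route("0.0.0.0/0", (CLOUD_ASN,), "circuit-b"),        # constructed: must never be installed
        Route("192.168.0.0/16", (CLOUD_ASN,), "circuit-b"),   # constructed: our own on-prem space
    ]
    accepted, rejected = filter_inbound(received, ["10.20.0.0/16", "10.21.0.0/16"])
    return select_paths(accepted), [r.prefix for r in rejected]


def outbound_example(failed: Optional[str] = None) -> Dict[str, List[str]]:
    """What the cloud selects when we advertise 192.168.0.0/16 on both circuits
    with circuit-b prepended twice (active/standby); `failed` drops a session."""
    primary = Route("192.168.0.0/16", (OUR_ASN,), "circuit-a")
    standby = prepend(Route("192.168.0.0/16", (OUR_ASN,), "circuit-b"), OUR_ASN, 2)
    advertised = [r for r in (primary, standby) if r.session != failed]
    return select_paths(advertised)


if __name__ == "__main__":
    print("our ASN private:", is_private_asn(OUR_ASN))
    print("inbound (ECMP set, rejected):", inbound_example())
    print("outbound normal:", outbound_example())
    print("outbound after circuit-a fails:", outbound_example(failed="circuit-a"))
```

In the inbound case both circuits tie, so each VPC prefix gets both sessions as ECMP next hops; in the outbound case the cloud sees the prepended path on circuit-b as longer and uses circuit-a alone until that session disappears, at which point circuit-b takes over with no configuration change. Real routers add local preference, MED and other tie-breakers before this step, but the filter-then-select order is the part worth copying.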

When dedicated connectivity is NOT worth it

  • Low bandwidth needs. Under 1 TB/month of cloud-to-on-prem egress, a site-to-site VPN is dramatically cheaper. See Site-to-Site VPN to Cloud.
  • Burst traffic only. If you need 10 Gbps for one hour a week, you cannot economically size dedicated connectivity for that peak. Internet egress with bursting headroom is more economical.
  • Multiple clouds with low per-cloud traffic. Multiple dedicated circuits to multiple clouds, each lightly used, costs more than VPN to each cloud.
  • Greenfield deployments without an on-premises anchor. If everything is in the cloud, there is no on-premises endpoint to connect to in the first place.

Frequently Asked Questions

When is Direct Connect cheaper than a VPN?

The break-even is typically 1-3 TB of egress per month. Direct Connect has high fixed monthly costs (port + colocation + circuit) — roughly $300-2000/month before any data transfer — but per-GB egress pricing is roughly 70% lower than internet egress via VPN. At 5+ TB/month of cloud-to-on-prem traffic, Direct Connect saves money. Below 1 TB/month, VPN is almost always cheaper. The crossover depends on circuit pricing in your region.

What is the latency difference between Direct Connect and VPN?

Direct Connect typically delivers 2-10 ms lower latency than IPsec VPN over the same geographic distance, and 5-10x lower jitter. The reason is path — Direct Connect bypasses the public internet entirely, traveling on a fixed-bandwidth circuit through a cloud provider colocation facility. VPN traffic crosses the public internet with variable routing. For latency-sensitive workloads (database replication, real-time control planes), Direct Connect is the right tool.

Do I need to own equipment in a colocation facility for Direct Connect?

No — most users connect via a Direct Connect partner. Partners (Megaport, Equinix Fabric, PacketFabric, etc.) maintain presence in the cloud provider's colocation facilities and resell sub-port virtual circuits at any bandwidth from 50 Mbps upward. You connect to the partner's nearest point of presence, and they extend the layer-2 circuit to the cloud. This is far cheaper than provisioning your own port and cross-connect.

Does ExpressRoute encrypt traffic?

No — ExpressRoute (and Direct Connect, and Interconnect) provides a private connection that does not traverse the public internet, but the data itself is not encrypted at the network layer. If encryption is required for compliance (PCI, HIPAA), you must add MACsec at the link layer or run an IPsec tunnel on top of the dedicated circuit. Azure offers ExpressRoute with MACsec on supported ports; AWS Direct Connect added MACsec for 10/100 Gbps ports in 2021.

What is the minimum bandwidth I can order for dedicated cloud connectivity?

With a partner-based connection: 50 Mbps on most providers. With a dedicated port: 1 Gbps minimum on AWS Direct Connect and Azure ExpressRoute, 10 Gbps on Google Cloud Interconnect dedicated. The partner option exists specifically so smaller organizations can use dedicated connectivity without committing to a full 1 Gbps circuit and the colocation costs that come with it.
