Amazon Web Services has launched a new AWS Direct Connect site at the Digital Realty MAD3 data center, located in the Madrid metropolitan area. With this announcement, the city now has three Direct Connect locations, and Spain reaches a total of four sites, expanding options for companies and government agencies to connect their private networks to AWS via dedicated physical links and MACsec encryption.
This development arrives during a period of strong adoption of hybrid and multi-cloud architectures, AI workloads, real-time analytics, and digital banking, where network consistency and controlled latency have become critical. For many use cases, routing sensitive traffic over private links—instead of going out to the Internet—reduces variability, simplifies compliance, and prevents surprises during demand spikes.
What the new MAD3 Direct Connect site offers
- Private access (Layer 2) from Madrid to all AWS public regions (except China), including AWS GovCloud and Local Zones.
- Dedicated capacities: physical ports of 10 Gbps and 100 Gbps (with LAG options to add links and scale).
- Link encryption: MACsec is available between your equipment and the AWS port, adding confidentiality and tamper protection at the Ethernet level.
- Reduced jitter, less reliance on the Internet, and the ability to segment traffic (production, DR, backups, sensitive data) with custom policies.
Typically, clients will request the port via the console, receive the LOA-CFA, set up the cross-connect in the data center, and establish Layer 3 (BGP) over the Virtual Interface to access VPCs, S3, DynamoDB, or other compatible services.
Why it matters (beyond gigabits)
1) Lower variability. Modern applications—such as real-time payments, trading, database replication, or model training—suffer when network behavior is unpredictable. Dedicated circuits provide predictability: no “third-party traffic” competing for bandwidth.
2) Security and compliance. Many regulations value keeping traffic off Internet paths and on private circuits; enabling MACsec on the physical links adds hardware encryption and protection against eavesdropping on the last mile inside colocation facilities.
3) Cost control. For high-volume scenarios (e.g., daily backups to S3, intensive ETL, or data lakes in EMR), routing traffic over Direct Connect at its data transfer rates can be cheaper than paying Internet egress charges, and it avoids unexpected ISP charges during peaks.
4) Truly hybrid. Mainframes, on-premises infrastructure, and cloud coexist. With Direct Connect, organizations can advertise on-premises prefixes to AWS and route VPC traffic to their data center, orchestrating DR and shared assets with more predictable latencies and SLAs than traditional VPNs offer.
Madrid as a hub: more resilience, less latency
The third Madrid location enhances geographical redundancy within the market. It’s feasible to terminate two ports at different facilities (e.g., 100 Gbps at MAD3 and another at a different site in Madrid) and deploy redundant VIFs for high availability. Practically, this translates into:
- Plan A/B with physical and logical diversity (two buildings, two cross-connects, two fibers).
- Failover/BGP tuned with timers and policies based on latency or cost.
- Scheduled tests of failover scenarios without affecting production.
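The Plan A/B and failover bullets above come down to BGP attributes and timers: which of two Direct Connect paths the on-premises router prefers, how per-prefix policy lets traffic move gradually, and how a dead cross-connect is eventually withdrawn when its hold timer expires. The following Go program is an added example, not code from the article or from AWS: it models a minimal routing table with two VIFs (the names `vif-a-mad3` and `vif-b-other-site`, the prefixes, the 90-second hold time and the timestamps are all constructed), applies a simplified best-path order (local preference, AS-path length, MED, router ID) and shows the selection moving to the secondary site once the primary goes silent.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Path is one BGP route to a prefix as received from a Direct Connect neighbor
// (one neighbor per VIF). Only the attributes this model compares are kept.
type Path struct {
	Prefix        string
	Neighbor      string   // constructed names: "vif-a-mad3", "vif-b-other-site"
	LocalPref     int      // higher wins; set by our inbound policy per VIF and prefix
	ASPath        []uint32 // shorter wins; prepending lengthens it
	MED           int      // lower wins; advertised to steer the far side's choice
	RouterID      string   // final tie-break: lower wins
	lastKeepalive time.Time
}

// RIB is a minimal Adj-RIB-In with best-path selection and hold-timer expiry.
type RIB struct {
	HoldTime time.Duration
	paths    []Path
}

// Learn installs or replaces the path for (prefix, neighbor).
func (r *RIB) Learn(p Path, now time.Time) {
	p.lastKeepalive = now
	for i, q := range r.paths {
		if q.Prefix == p.Prefix && q.Neighbor == p.Neighbor {
			r.paths[i] = p
			return
		}
	}
	r.paths = append(r.paths, p)
}

// Keepalive refreshes every path from a neighbor, as a BGP KEEPALIVE would.
func (r *RIB) Keepalive(neighbor string, now time.Time) {
	for i := range r.paths {
		if r.paths[i].Neighbor == neighbor {
			r.paths[i].lastKeepalive = now
		}
	}
}

// Expire drops paths from neighbors silent for longer than HoldTime; this is
// how a failed cross-connect withdraws its routes without any explicit message.
func (r *RIB) Expire(now time.Time) (withdrawn []string) {
	kept := r.paths[:0]
	for _, p := range r.paths {
		if now.Sub(p.lastKeepalive) > r.HoldTime {
			withdrawn = append(withdrawn, p.Neighbor)
			continue
		}
		kept = append(kept, p)
	}
	r.paths = kept
	return withdrawn
}

// better reports whether a is preferred over b (simplified best-path order).
func better(a, b Path) bool {
	if a.LocalPref != b.LocalPref {
		return a.LocalPref > b.LocalPref
	}
	if len(a.ASPath) != len(b.ASPath) {
		return len(a.ASPath) < len(b.ASPath)
	}
	if a.MED != b.MED {
		return a.MED < b.MED
	}
	return a.RouterID < b.RouterID
}

// Best returns the selected path for prefix, or false if none remains.
func (r *RIB) Best(prefix string) (Path, bool) {
	var cands []Path
	for _, p := range r.paths {
		if p.Prefix == prefix {
			cands = append(cands, p)
		}
	}
	if len(cands) == 0 {
		return Path{}, false
	}
	sort.Slice(cands, func(i, j int) bool { return better(cands[i], cands[j]) })
	return cands[0], true
}

func main() {
	t0 := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC) // constructed clock
	rib := &RIB{HoldTime: 90 * time.Second}              // constructed hold time
	// Primary site preferred for the VPC prefix, secondary kept as backup.
	rib.Learn(Path{Prefix: "10.10.0.0/16", Neighbor: "vif-a-mad3", LocalPref: 200, ASPath: []uint32{64512}, RouterID: "10.0.0.1"}, t0)
	rib.Learn(Path{Prefix: "10.10.0.0/16", Neighbor: "vif-b-other-site", LocalPref: 100, ASPath: []uint32{64512}, RouterID: "10.0.0.2"}, t0)
	best, _ := rib.Best("10.10.0.0/16")
	fmt.Println("steady state:", best.Neighbor)
	// Primary falls silent; only the secondary keeps sending keepalives.
	t1 := t0.Add(2 * time.Minute)
	rib.Keepalive("vif-b-other-site", t1)
	fmt.Println("withdrawn:", rib.Expire(t1))
	best, _ = rib.Best("10.10.0.0/16")
	fmt.Println("after failover:", best.Neighbor)
}
```

Per-prefix local preference is what makes the "migrate traffic gradually" approach from the FAQ work: learning a second prefix with the preferences reversed moves only that prefix to the other VIF while the rest stays put, and the same `Expire` logic then covers both.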
For organizations with offices across the Peninsula, this Madrid setup reduces hops and milliseconds compared to other European hubs, benefiting ingestions, virtual desktops, or customer services.
Use cases where Direct Connect shines
- Financial services: core banking, instant payments, reconciliation, and regulatory reporting.
- AI and data: feature stores, distributed training, feature pipelines with continuous flows to/from S3 or Redshift.
- Media and entertainment: raw ingestion (video, audio), render farms, and distribution to partners with SLA.
- Manufacturing and OT: plant telemetry, MES/ERP hybrid systems, digital twins with stable synchronization.
- Public sector and healthcare: medical histories, imaging, and critical services demanding segmentation and encryption.
Deployment models: dedicated, hosted, and partner
- Dedicated Connection (10/100 Gbps): a physical port on the AWS rack within the colocation site (MAD3). Requires your own cabling and equipment.
- Hosted Connection: bandwidth “subleased” via a partner present at the colocation. Suitable for testing, gradual scaling, or when a full port isn’t needed.
- LAG and multiple VIFs: aggregate multiple ports for scaling and resilience; create separate Virtual Interfaces for prod, dev, transit, or different accounts (multi-account).
Operational tip: treat Direct Connect like any critical WAN circuit, with two paths, SNMP/NetFlow monitoring, switchover playbooks, and quarterly tests.
Security: MACsec isn’t TLS (and that’s good)
MACsec (IEEE 802.1AE) encrypts Ethernet frames point-to-point between your edge equipment and the AWS port in the colocation. It doesn’t replace application-level encryption (TLS in HTTPS, IPsec, KMS), but complements it:
- Covers the physical segment of the cross-connect and port, mitigating local interception attacks.
- Provides integrity and authentication at the link layer with minimal latency.
- Transparent to BGP/VLAN and the rest of the stack.
For workloads requiring end-to-end encryption, retain TLS, client-side encryption, and KMS policies; consider PrivateLink and VPC endpoints to keep service traffic within the private mesh.
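The three MACsec bullets above (confidentiality on the cross-connect, link-layer integrity and authentication, transparency to everything above Ethernet) can be seen concretely with a small model of an 802.1AE frame. The Go program below is an added example, not code from the article or from AWS, and it uses only the standard library: it builds the SecTAG (EtherType 0x88E5, TCI/AN, SL, packet number, SCI), authenticates the MAC header and SecTAG as associated data, encrypts the payload with GCM-AES-128 using the standard's SCI||PN nonce, and on receive rejects both a modified frame (ICV failure) and a replayed one (packet number not advancing). The Secure Association Key, SCI and MAC addresses are constructed values; in a real deployment the key comes from MKA, which is out of scope here, and a single association (AN 0) is assumed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

const macsecEtherType = 0x88E5

// secTagLen is the SecTAG length with the SCI present:
// EtherType(2) TCI/AN(1) SL(1) PN(4) SCI(8).
const secTagLen = 16

// Peer models one direction of a MACsec secure channel under one
// Secure Association Key (SAK). MKA key agreement is out of scope:
// the SAK here is a constructed value shared by both ends.
type Peer struct {
	aead   cipher.AEAD
	sci    [8]byte // Secure Channel Identifier: system MAC || port number
	nextPN uint32  // transmit side: packet number of the next frame
	lowPN  uint32  // receive side: lowest PN still accepted (strict order)
}

func NewPeer(sak []byte, sci [8]byte) (*Peer, error) {
	block, err := aes.NewCipher(sak) // 16-byte SAK selects GCM-AES-128
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Peer{aead: aead, sci: sci, nextPN: 1, lowPN: 1}, nil
}

// Protect builds DA | SA | SecTAG | encrypted payload | 16-byte ICV.
func (p *Peer) Protect(dst, src, payload []byte) ([]byte, error) {
	if len(dst) != 6 || len(src) != 6 {
		return nil, errors.New("MAC addresses must be 6 bytes")
	}
	if p.nextPN == 0 {
		return nil, errors.New("packet number space exhausted: rekey required")
	}
	pn := p.nextPN
	p.nextPN++

	secTag := make([]byte, secTagLen)
	binary.BigEndian.PutUint16(secTag[0:2], macsecEtherType)
	secTag[2] = 0x2C // TCI: SC=1 (SCI present), E=1, C=1 (encrypted); AN=0
	if len(payload) < 48 {
		secTag[3] = byte(len(payload)) // SL: short length of the user data
	}
	binary.BigEndian.PutUint32(secTag[4:8], pn)
	copy(secTag[8:16], p.sci[:])

	// Clear-text header: authenticated (AAD) but not encrypted.
	header := make([]byte, 0, 12+secTagLen)
	header = append(header, dst...)
	header = append(header, src...)
	header = append(header, secTag...)

	// 802.1AE GCM nonce: 64-bit SCI followed by the 32-bit PN.
	nonce := make([]byte, 0, 12)
	nonce = append(nonce, p.sci[:]...)
	nonce = append(nonce, secTag[4:8]...)

	ct := p.aead.Seal(nil, nonce, payload, header) // ciphertext || ICV
	return append(header, ct...), nil
}

// Verify checks and decrypts a MACsec frame, returning the clear payload.
func (p *Peer) Verify(frame []byte) ([]byte, error) {
	const hdr = 12 + secTagLen
	if len(frame) < hdr+p.aead.Overhead() {
		return nil, errors.New("frame too short")
	}
	secTag := frame[12:hdr]
	if binary.BigEndian.Uint16(secTag[0:2]) != macsecEtherType {
		return nil, errors.New("not a MACsec frame")
	}
	if !bytes.Equal(secTag[8:16], p.sci[:]) {
		return nil, errors.New("frame from an unknown secure channel")
	}
	pn := binary.BigEndian.Uint32(secTag[4:8])
	if pn < p.lowPN {
		return nil, fmt.Errorf("replay: PN %d below lowest acceptable %d", pn, p.lowPN)
	}
	nonce := make([]byte, 0, 12)
	nonce = append(nonce, p.sci[:]...)
	nonce = append(nonce, secTag[4:8]...)
	payload, err := p.aead.Open(nil, nonce, frame[hdr:], frame[:hdr])
	if err != nil {
		return nil, errors.New("ICV check failed: frame modified in transit or wrong key")
	}
	p.lowPN = pn + 1 // advance only after a successful integrity check
	return payload, nil
}

func main() {
	sak := []byte("constructed-sak!") // 16 bytes, demo only; real SAKs come from MKA
	sci := [8]byte{0x02, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01}
	tx, _ := NewPeer(sak, sci)
	rx, _ := NewPeer(sak, sci)
	dst := []byte{0x02, 0, 0, 0, 0, 0xAA}
	src := []byte{0x02, 0, 0, 0, 0, 0x01}
	frame, _ := tx.Protect(dst, src, []byte("BGP keepalive over the cross-connect"))
	tampered := append([]byte{}, frame...)
	tampered[30] ^= 0x01 // flip one bit of the encrypted payload
	_, err := rx.Verify(tampered)
	fmt.Println("tampered frame:", err)
	got, _ := rx.Verify(frame)
	fmt.Printf("valid frame: %q\n", got)
	_, err = rx.Verify(frame)
	fmt.Println("replayed frame:", err)
}
```

Because the DA, SA and SecTAG travel in the clear and only the payload is encrypted, switches and the BGP session above see ordinary Ethernet framing, which is the "transparent to BGP/VLAN" property; what MACsec does not give you is protection once the frame leaves the cross-connect, which is why the article keeps TLS, IPsec and KMS in the picture.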
And costs?
Direct Connect typically incurs costs in three main blocks:
- Port or hosted capacity: physical port in the rack (10/100 Gbps) at the colocation facility.
- Data transfer: ingress/egress billed under Direct Connect fees (usually more predictable than internet egress).
- Colocation: cross-connect wiring and rack-side cabling (contracted with the data center).
The savings equation depends on volume and patterns. For small to medium enterprises with moderate traffic, a site-to-site VPN may suffice. For organizations sending tens of terabytes monthly or with regular peaks, Direct Connect usually pays off due to consistent performance and cost per GB.
Getting started (quick checklist)
- Assess the business case (latency, GB/month, compliance, peaks).
- Select the model: dedicated (10/100 Gbps) or hosted via partner.
- Request the port via the console and download the LOA-CFA.
- Arrange the cross-connect with Digital Realty (MAD3).
- Implement BGP and VLANs (VIFs) towards desired accounts/VRFs.
- Test: failover, throughput, MACsec, monitoring.
- Document and automate (Infrastructure as Code for VIFs, alerts, dashboards).
The Spanish context: more locations, more options
With three sites in Madrid and four across Spain, private interconnection with AWS becomes more pervasive. For clients present in Catalonia, the Valencian Community, Andalusia, or the Basque Country, the network of colocation facilities and carriers enables backhaul to MAD3 and other sites, offering diverse paths and SLAs aligned with critical needs.
Conclusion
The new Direct Connect site in MAD3 cements Madrid’s role as a connectivity hub in the Peninsula, providing organizations with an additional pathway to build hybrid networks with consistency, link security (MACsec), and scalability (10/100 Gbps). While not a magic wand—it still requires design, redundancy, and monitoring—it makes a significant difference for those moving large-scale data or who cannot tolerate Internet variability, bridging the gap between “mostly working” and “always working.”
Frequently Asked Questions
What’s the practical difference between AWS Direct Connect and a site-to-site VPN over the Internet?
Direct Connect offers dedicated physical links with lower jitter and more predictable SLAs. VPNs traverse the Internet and are subject to congestion and variability. Often, they are combined: Direct Connect + IPsec over the link provides additional encryption.
Can I use MACsec together with application encryption (TLS/KMS)?
Yes, and it’s recommended. MACsec protects the link segment; TLS/KMS secures the end-to-end content at higher layers. They are complementary.
How do I size 10 Gbps versus 100 Gbps links and when should I use LAG?
It depends on peaks and growth. Many companies start with 10 Gbps and add links via LAG as they expand. If your baseline nears 10 Gbps sustained or you need many VIFs, a 100 Gbps connection might simplify and provide margin.
What downtime is involved during deployment?
The turn-up of the port doesn’t cut your current production; the impact depends on how you change routing. With well-planned BGP (local preference/MED), you can migrate traffic gradually with minimal or no outages.