2026-04-30·12 min read·

AWS Direct Connect EU Alternative 2026: Private Circuits, BGP Routes, and GDPR Under the CLOUD Act

Post #728 in the sota.io EU Compliance Series

AWS Direct Connect establishes a dedicated, private network connection from an organization's on-premises infrastructure to AWS. Unlike internet-based connectivity, Direct Connect bypasses the public internet: traffic flows through a private circuit leased from a network provider, through a colocation facility hosting a Direct Connect port, and into Amazon's network fabric. European enterprises use Direct Connect for consistent network throughput, reduced latency to AWS workloads, and architectures that require predictable bandwidth to cloud resources.

The marketing narrative around Direct Connect emphasizes privacy through physical isolation. A dedicated circuit is not a tunnel through shared internet infrastructure. The phrase "private connection" appears throughout AWS documentation. European engineering teams sometimes interpret this physical privacy as equivalent to GDPR-compliant data sovereignty — as though a dedicated wire bypasses the jurisdictional problem that makes US cloud services legally complex for EU data controllers.

Physical isolation and jurisdictional isolation are different properties. Amazon Web Services, Inc. is a Delaware corporation headquartered in Seattle, Washington, and the Luxembourg entity that signs contracts with European customers (Amazon Web Services EMEA SARL) is a wholly owned Amazon subsidiary. The CLOUD Act (18 U.S.C. § 2713) requires a provider subject to US jurisdiction to produce data in its possession, custody, or control when served with US legal process, regardless of whether that data is stored inside or outside the United States. The private circuit carries traffic into Amazon's infrastructure. Amazon's systems process, log, and monitor that connectivity — including BGP routing sessions, connection metrics, virtual interface configurations, and traffic throughput statistics. None of that operational data changes jurisdiction because the circuit is dedicated.

What AWS Direct Connect Stores That Touches GDPR

Direct Connect's GDPR exposure is primarily architectural and operational rather than content-level. The service does not inspect your application traffic: the circuit delivers 802.1Q-tagged Ethernet frames to an AWS router, and each VLAN becomes a virtual interface with its own BGP session. But the infrastructure surrounding the connection generates operational and configuration data that is stored by a US-jurisdiction entity and subject to CLOUD Act compulsion.

BGP Route Advertisements: Your Network Topology in AWS Custody

Every Direct Connect connection uses Border Gateway Protocol to establish routing between your network and AWS. BGP sessions run between your on-premises routers and AWS's Direct Connect routers. Through those sessions, your routers advertise IP prefixes — the CIDR blocks that represent your internal network segments — to AWS, and AWS advertises its VPC CIDR blocks back to you.

The IP prefixes your organization advertises over BGP to AWS constitute a precise map of your internal network topology: which address blocks you operate, how finely they are segmented, and which segments need to reach AWS.

AWS's Direct Connect routers must process these BGP advertisements to establish routing, so the prefixes you advertise sit in their routing tables. Amazon also stores the configuration of each virtual interface: your BGP ASN, the peer IP addresses on both ends of the session, and the BGP MD5 authentication key. That key cannot be stored hashed: TCP-MD5 signing (RFC 2385) requires both peers to hold the shared secret in cleartext, and the DescribeVirtualInterfaces API returns it verbatim in the authKey field.

For European organizations, internal network topology is operational data that does not typically contain personal data in the GDPR sense — no names, no identifiers tied to natural persons. GDPR does not regulate business data as such, but Article 32 requires appropriate technical and organizational measures to secure the systems that process personal data, and network topology is exactly the information an attacker uses to defeat those measures. Knowing which subnets you operate, how you segment your infrastructure, and what you connect to AWS supports targeted network attacks in the hands of a state actor. Having that architectural data accessible to US government compulsion under the CLOUD Act is a security risk alongside the compliance risk.

Additionally, some organizations advertise prefixes that include employee-facing network ranges — VPN concentrator subnets, office network ranges, remote-access infrastructure. Those prefixes indirectly reveal information about user connectivity infrastructure.

Virtual Interface Configuration: AWS-Managed Records of Your Connectivity

Each Direct Connect connection is segmented into Virtual Interfaces (VIFs) — logical channels that separate traffic destined for different AWS accounts, VPCs, or purposes. Private VIFs connect to VPCs, Public VIFs connect to AWS public services, and Transit VIFs connect to AWS Transit Gateway.

AWS stores and manages the complete configuration of each virtual interface: the VLAN ID, your ASN and the Amazon-side ASN, the customer and Amazon peer addresses, the address family, the MTU, the BGP authentication key, the owning account ID, the connection or LAG it rides on, any Direct Connect Gateway or virtual private gateway it attaches to, and, for public VIFs, the route filter prefixes you are permitted to advertise. All of this is returned by a single DescribeVirtualInterfaces call.

This configuration data is held by AWS systems — stored in the same US-jurisdiction infrastructure that stores your S3 buckets and EC2 instance metadata. A US government order compelling Amazon to produce records about a customer could reach virtual interface configuration records.
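The two sections above describe what AWS holds about each virtual interface and what your BGP advertisements reveal. The following is an added example, not code from the original post or from AWS, that turns that description into an inventory you can attach to a transfer impact assessment. It assumes the response shape of boto3's DirectConnect.describe_virtual_interfaces(); SAMPLE_RESPONSE and ADVERTISED are constructed (the VIF IDs, addresses, and key are not real), and the prefixes advertised over a private VIF are taken from your own router configuration because AWS learns them via BGP but does not return them from the API.

```python
"""Inventory the operational data AWS holds for each Direct Connect VIF.

Added example (not from the original post or from AWS). SAMPLE_RESPONSE is
constructed; fetch_virtual_interfaces() shows the live call with the same shape.
"""
import ipaddress


def fetch_virtual_interfaces(region="eu-central-1"):
    """Live variant (needs AWS credentials); returns the same shape as SAMPLE_RESPONSE."""
    import boto3  # imported here so the offline analysis below needs no SDK
    return boto3.client("directconnect", region_name=region).describe_virtual_interfaces()


def summarize_advertisement(prefixes):
    """Return (prefix_count, covering_aggregates).

    Four contiguous /24s tell AWS about four segments; the single /22 they
    collapse into reveals only the range. The gap between the two numbers is
    how much segmentation the advertisement exposes."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    aggregates = [str(n) for n in ipaddress.collapse_addresses(nets)]
    return len(nets), aggregates


def inventory(response, advertised_by_vif=None):
    """One record per VIF listing what AWS stores or learns about it.

    advertised_by_vif maps a VIF id to the prefixes you announce over that
    BGP session (from your router config). Public VIFs carry their permitted
    prefixes in the API record itself (routeFilterPrefixes)."""
    advertised_by_vif = advertised_by_vif or {}
    records = []
    for vif in response.get("virtualInterfaces", []):
        vif_id = vif["virtualInterfaceId"]
        prefixes = [p["cidr"] for p in vif.get("routeFilterPrefixes", [])]
        prefixes += advertised_by_vif.get(vif_id, [])
        count, aggregates = summarize_advertisement(prefixes) if prefixes else (0, [])
        records.append({
            "vif": vif_id,
            "type": vif["virtualInterfaceType"],
            "vlan": vif["vlan"],
            "customer_asn": vif["asn"],
            "peer_addresses": (vif.get("customerAddress"), vif.get("amazonAddress")),
            # TCP-MD5 (RFC 2385) needs the shared secret in cleartext on both
            # peers, and the API returns it verbatim in authKey.
            "auth_key_held_in_cleartext": bool(vif.get("authKey")),
            "prefix_count": count,
            "aggregates": aggregates,
            "segmentation_exposed": count > len(aggregates),
        })
    return records


# Constructed sample: IDs, addresses, and the key are placeholders, not real.
SAMPLE_RESPONSE = {
    "virtualInterfaces": [
        {"virtualInterfaceId": "dxvif-example1", "virtualInterfaceType": "private",
         "vlan": 101, "asn": 64512, "amazonSideAsn": 64513,
         "customerAddress": "169.254.250.1/30", "amazonAddress": "169.254.250.2/30",
         "authKey": "example-md5-secret", "routeFilterPrefixes": [], "mtu": 1500},
        {"virtualInterfaceId": "dxvif-example2", "virtualInterfaceType": "public",
         "vlan": 102, "asn": 64512, "amazonSideAsn": 7224,
         "customerAddress": "203.0.113.1/30", "amazonAddress": "203.0.113.2/30",
         "authKey": "example-md5-secret-2",
         "routeFilterPrefixes": [{"cidr": "198.51.100.0/24"}], "mtu": 1500},
    ]
}
# Constructed: what the on-premises router announces over the private VIF.
ADVERTISED = {"dxvif-example1": ["10.10.0.0/24", "10.10.1.0/24",
                                 "10.10.2.0/24", "10.10.3.0/24"]}

if __name__ == "__main__":
    for record in inventory(SAMPLE_RESPONSE, ADVERTISED):
        print(record)
```

The segmentation_exposed flag is the practical takeaway: if the aggregate list is shorter than the prefix list, AWS's routing tables describe your segmentation, not just your address range, and advertising the aggregate instead is a change you control on your own router.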

CloudWatch Metrics: Operational Telemetry Under US Jurisdiction

AWS Direct Connect publishes operational metrics to Amazon CloudWatch in the AWS/DX namespace. These metrics are available by default without any configuration action from the customer: ConnectionState, ConnectionBpsEgress and ConnectionBpsIngress, ConnectionPpsEgress and ConnectionPpsIngress, ConnectionCRCErrorCount, ConnectionLightLevelTx and ConnectionLightLevelRx (optical levels, dedicated connections only), ConnectionEncryptionState, and the per-virtual-interface VirtualInterfaceBps and VirtualInterfacePps variants.

These metrics are published to CloudWatch, an Amazon-operated service, in the AWS region associated with the Direct Connect location. CloudWatch is subject to US CLOUD Act jurisdiction regardless of which AWS region stores the metrics.

Traffic throughput metrics over time reveal business activity patterns. Peaks in ConnectionBpsEgress correlate with application deployments, data exports, backup jobs, and peak usage periods. For European organizations subject to GDPR, this time-series operational data is stored by a US-jurisdiction entity as a matter of course — no configuration required, no opt-out available.
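The claim above is that a throughput time series reveals activity patterns. The following is an added example, not code from the original post or from AWS, that demonstrates it: it folds a week of hourly ConnectionBpsEgress datapoints by hour of day and reports the hours whose median throughput stands out against the baseline. The datapoint shape matches what boto3's CloudWatch get_metric_statistics returns for the AWS/DX namespace; build_sample() constructs the week (an idle floor, an office-hours plateau, and a nightly backup spike), and no real circuit was measured.

```python
"""Recover recurring activity windows from Direct Connect throughput metrics.

Added example (not from the original post or from AWS). build_sample()
constructs the week; fetch_egress() is the live call with the same shape.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median


def fetch_egress(connection_id, days=7, region="eu-central-1"):
    """Live variant (needs AWS credentials): hourly average egress in bits/s."""
    import boto3  # imported here so the offline analysis below needs no SDK
    end = datetime.now(timezone.utc)
    resp = boto3.client("cloudwatch", region_name=region).get_metric_statistics(
        Namespace="AWS/DX",
        MetricName="ConnectionBpsEgress",
        Dimensions=[{"Name": "ConnectionId", "Value": connection_id}],
        StartTime=end - timedelta(days=days),
        EndTime=end,
        Period=3600,
        Statistics=["Average"],
    )
    return resp["Datapoints"]


def build_sample(days=7, start=datetime(2026, 4, 20, tzinfo=timezone.utc)):
    """Constructed week: 50 Mbit/s idle, 200 Mbit/s during 09:00-18:00,
    800 Mbit/s for the 02:00 backup job. Not measured on a real circuit."""
    points = []
    for h in range(days * 24):
        ts = start + timedelta(hours=h)
        bps = 50e6
        if 9 <= ts.hour < 18:
            bps = 200e6
        if ts.hour == 2:
            bps = 800e6
        points.append({"Timestamp": ts, "Average": bps, "Unit": "Bits/Second"})
    return points


def hourly_profile(datapoints):
    """Median throughput for each hour of day across every day in the sample."""
    by_hour = defaultdict(list)
    for p in datapoints:
        by_hour[p["Timestamp"].hour].append(p["Average"])
    return {h: median(v) for h, v in sorted(by_hour.items())}


def recurring_busy_hours(datapoints, factor):
    """Hours of day whose median exceeds `factor` times the whole-sample median.

    factor=3 recovers the office-hours window; factor=10 isolates the backup job.
    Nothing about packet content is needed: the metric alone yields the schedule."""
    baseline = median(p["Average"] for p in datapoints)
    return [h for h, m in hourly_profile(datapoints).items() if m > factor * baseline]


if __name__ == "__main__":
    sample = build_sample()
    print("business hours:", recurring_busy_hours(sample, 3.0))
    print("batch window:  ", recurring_busy_hours(sample, 10.0))
```

On the constructed week the 3x threshold returns 02:00 plus 09:00 through 17:00 and the 10x threshold returns 02:00 alone. On a real circuit the same function applied to ConnectionBpsIngress recovers the inbound side, such as when exports from an EU VPC land on-premises.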

Direct Connect Gateway: Cross-Region Routing Under AWS Control

AWS Direct Connect Gateway (DXGW) is a globally available resource that associates a single Direct Connect connection with Virtual Private Gateways or Transit Gateways in multiple AWS regions. For European enterprises with AWS deployments in multiple EU regions — for example, eu-central-1 (Frankfurt) as primary and eu-west-1 (Ireland) as disaster recovery — a Direct Connect Gateway allows one physical connection to reach both.

The Direct Connect Gateway itself is an AWS-managed resource. Its association table — which connects your Direct Connect virtual interface to VPCs in different regions — is stored and managed by AWS globally. When AWS processes routing decisions through a Direct Connect Gateway, the routing logic runs on AWS infrastructure, potentially across multiple geographic regions, while remaining under the jurisdiction of Amazon Web Services, Inc.

For organizations that believe EU-region selection satisfies their GDPR obligations, Direct Connect Gateway's global nature introduces an additional complication: the routing resource that connects your private circuit to your EU-region VPCs is not itself a region-specific resource. Its configuration and operational state exist in AWS's global infrastructure layer.

Colocation Facility: The Physical Termination Point

Direct Connect connections do not run between your premises and AWS data centers. They run between your premises and a Direct Connect location — a colocation or carrier hotel facility where AWS maintains network equipment and where your network provider delivers the physical circuit.

AWS Direct Connect locations in Europe include facilities operated by colocation providers such as Equinix, Interxion (part of Digital Realty since 2020), and Telehouse (owned by Japan's KDDI).

The majority of large European Direct Connect locations use facilities operated by Equinix or Interxion/Digital Realty — US-headquartered corporations. Traffic flows through these facilities only at the physical layer, and the colocation operator has no logical access to the content of customer traffic, but it controls physical access to the cabinet and the cross-connect, and its US corporate parentage creates a separate jurisdictional layer on top of AWS's own US jurisdiction.

For European organizations whose GDPR compliance analysis focuses on the corporate jurisdiction of every entity that processes or has access to infrastructure handling personal data, the colocation facility's ownership matters. The cross-connect from your router to AWS's patch panel sits in a cabinet in a US-owned facility.

Maintenance Events and AWS Monitoring Access

AWS performs maintenance on Direct Connect infrastructure — port replacements, router upgrades, facility power maintenance — that temporarily affects connection availability. To manage these events, AWS maintains operational visibility into the state of Direct Connect connections: which connections are up, which are experiencing physical-layer errors, which require intervention.

This operational monitoring means AWS systems continuously observe the state of your dedicated connection. The connection state data — including error rates, optical levels, and BGP session stability — is part of the operational telemetry that AWS's global network operations center uses to manage the Direct Connect infrastructure. That operational data is held in AWS systems under CLOUD Act jurisdiction.

EU Alternatives to AWS Direct Connect for Enterprise Connectivity

European enterprises requiring dedicated, private connectivity to cloud infrastructure have several alternatives that keep the operational data associated with that connectivity under EU-jurisdiction entities.

OVHcloud Connect

OVHcloud (OVH Groupe SA, listed on Euronext Paris) is a French company headquartered in Roubaix, majority-owned by the Klaba family with no US corporate parent. OVHcloud Connect provides dedicated, private Layer 2 and Layer 3 connectivity from customer premises to OVHcloud infrastructure.

OVHcloud Connect Layer 2 establishes a dedicated Ethernet path from a customer colocation facility to OVHcloud's backbone, providing transparent L2 connectivity for VLAN-based architectures. Layer 3 connectivity uses BGP routing between the customer's AS and OVHcloud's network.

The operational data associated with an OVHcloud Connect connection — BGP routes, traffic metrics, VIF equivalents — is stored and managed by OVHcloud's infrastructure, a French entity operating under French and EU law. OVHcloud is not a US corporation, so the CLOUD Act does not attach to it the way it attaches to Amazon. One caveat for your legal review: OVHcloud does operate a US subsidiary with US data centers, and whether that subsidiary gives US courts a route to data held by the French parent is a question your transfer impact assessment should record an answer to rather than assume.

OVHcloud data centers in Europe include Gravelines and Roubaix (France), Strasbourg (France), Frankfurt (Germany), Warsaw (Poland), London (United Kingdom), and others. OVHcloud Connect ports are available at colocation facilities including Equinix (noting the US parentage), Interxion, and OVHcloud's own data centers — for organizations choosing to colocate infrastructure in OVHcloud-owned facilities, the colocation operator's jurisdiction question is eliminated.

Hetzner Colocation with Direct Peering

Hetzner Online GmbH is a German company headquartered in Gunzenhausen, Bavaria. Hetzner operates its own data centers in Nuremberg, Falkenstein, and Helsinki, and offers colocation services for customer hardware in those facilities.

For enterprises that can colocate their own infrastructure in Hetzner data centers, direct cross-connects to Hetzner's network fabric provide private connectivity without traversing the internet. The operational data associated with this connectivity — routing configuration, traffic metrics, BGP session state — is held by Hetzner, a German GmbH without a US parent entity.

Hetzner's colocation offer is more limited in geographic diversity than AWS Direct Connect locations — facilities in Nuremberg, Falkenstein, and Helsinki versus dozens of AWS Direct Connect locations across Europe. For organizations whose geographic footprint aligns with Hetzner's data center locations, Hetzner colocation provides EU-sovereign connectivity to EU-sovereign compute infrastructure in a single organizational jurisdiction.

Deutsche Telekom / T-Systems Dedicated Connectivity

Deutsche Telekom AG is a German corporation headquartered in Bonn; the German federal government, directly and through KfW, holds roughly 30 percent of its shares and is the largest single shareholder. T-Systems, Deutsche Telekom's enterprise IT subsidiary, offers dedicated WAN connectivity and cloud access services for European enterprises.

T-Systems provides managed connectivity services — including MPLS networks, SD-WAN, and dedicated cloud access — for enterprises requiring private circuits to cloud environments. For organizations with existing Deutsche Telekom or T-Systems enterprise contracts, dedicated connectivity options to EU-jurisdiction cloud providers may be available through existing relationship structures.

Deutsche Telekom's infrastructure is German-owned and operated under German and EU law. The routing, BGP, and operational telemetry for dedicated connectivity circuits managed by T-Systems or Deutsche Telekom is within a German corporate entity's operational systems — not subject to CLOUD Act jurisdiction.

Orange Business Cloud Connect

Orange Business is the enterprise services division of Orange S.A., a French telecommunications company headquartered in Paris, partially owned by the French government. Orange Business Cloud Connect provides dedicated, private connectivity from customer premises to cloud providers.

Orange Business's European network presence spans major EU markets including France, Germany, the Netherlands, Belgium, and the Nordic countries. Cloud Connect products offer dedicated Ethernet or MPLS access to cloud resources with SLA-backed bandwidth commitments.

The connectivity services operated by Orange Business run on infrastructure owned and managed by Orange, a French corporation under French and EU jurisdiction. Operational data — circuit metrics, routing configuration, BGP session state — is processed by Orange's network management systems, not by US-jurisdiction entities.

Scaleway Dedibox with Private Connectivity

Scaleway (Online SAS), owned by Iliad Group and headquartered in Paris, provides Dedibox dedicated servers with private networking options. For organizations that can redesign their hybrid architectures around Scaleway Dedibox as the on-premises-equivalent compute layer, Scaleway's native private networking eliminates the need for external dedicated connectivity entirely.

Rather than running applications on-premises and connecting to cloud with Direct Connect, a Scaleway Dedibox architecture places dedicated server workloads on Scaleway's infrastructure and connects them to Scaleway Public Cloud instances through Scaleway's internal network — a private interconnect entirely within a French-operated entity's infrastructure.

sota.io: Eliminating the Hybrid Architecture Problem

A significant portion of AWS Direct Connect usage by European enterprises exists because workloads are split between on-premises infrastructure and AWS. Applications running on-premises communicate with databases, queues, or APIs running on AWS — or vice versa. Direct Connect provides the private, reliable connectivity that makes this split architecture functional.

sota.io is a European PaaS that deploys applications on Hetzner Cloud and other EU-jurisdiction infrastructure. For European organizations whose Direct Connect usage exists to connect on-premises application tiers to AWS-hosted managed services — databases, caches, queues — migrating those managed services to EU-native equivalents removes the architectural dependency on Direct Connect.

An application that ran on-premises and connected to RDS in an AWS VPC through a Direct Connect private virtual interface can instead connect to a managed PostgreSQL database on Scaleway, Hetzner, or through sota.io's managed database tier — eliminating both the AWS service dependency and the dedicated circuit dependency simultaneously. The connectivity becomes internal to the EU-native cloud environment rather than requiring a dedicated hybrid circuit.

For organizations whose on-premises-to-AWS hybrid architecture exists because migrating to cloud was undertaken incrementally, with some workloads moved to AWS while others remain on-premises, a planned migration of AWS-hosted components to EU-native platforms can eliminate the architectural need for Direct Connect while also resolving the jurisdictional exposure of storing personal data on AWS.

GDPR Risk Assessment for Direct Connect

Direct Connect presents a different GDPR risk profile than most AWS services. Unlike S3 or RDS, Direct Connect does not store your application data. It carries application traffic between your infrastructure and AWS without inspecting that content. The GDPR exposure is operational rather than content-based.

The primary GDPR risks associated with Direct Connect are:

BGP route exposure: Your internal network topology — represented in BGP advertisements to AWS — is business-sensitive data held by a US-jurisdiction entity. While this is not personal data in the GDPR sense for most organizations, it is the infrastructure information that your Art. 32 security measures depend on keeping confidential, and it is potentially subject to CLOUD Act compulsion.

CloudWatch operational metrics: Traffic throughput time series stored in CloudWatch reveals business activity patterns — when workloads are active, when data is transferred, when batch jobs run. For organizations processing personal data in the workloads that generate that traffic, the traffic pattern is derivative information about personal data processing. These metrics are automatically stored by AWS without opt-out.

Colocation facility jurisdiction: The physical termination point of Direct Connect circuits in Europe is frequently a US-owned colocation facility (Equinix, Digital Realty). Physical access to the colocation space — separate from the content of traffic — is governed by that colocation operator's policies and subject to its corporate jurisdiction.

Virtual interface configuration: AWS stores the technical configuration of your connectivity — VIF parameters, BGP settings, prefix lists — as managed infrastructure records in its US-jurisdiction systems.

Under GDPR Article 28, when AWS processes data on your behalf, a Data Processing Agreement governs that relationship. AWS provides DPA-compliant contractual terms. However, GDPR Article 46 requires that transfers of personal data to third countries occur under appropriate safeguards. While Standard Contractual Clauses provide a legal mechanism for AWS data transfers, the Schrems II ruling (C-311/18) and subsequent EDPB guidance require organizations to assess whether the safeguards are effective in light of the law and practice of the destination country, specifically whether US authorities can access the transferred data. Schrems II examined FISA Section 702 and Executive Order 12333; the CLOUD Act is a further US access route that the same transfer impact assessment must cover. The EU-US Data Privacy Framework adequacy decision of July 2023 gives certified US companies a transfer basis alongside SCCs, but it does not remove the need to document which US access laws reach the data, because that documentation is what a supervisory authority will ask for.


sota.io provides EU-native application hosting on Hetzner and Scaleway infrastructure, eliminating the need for complex hybrid connectivity architectures that create GDPR exposure through US-jurisdiction network services. Start your free trial or read more EU compliance guides.
