AWS Direct Connect

Libra Consulting
6 min read · Nov 4, 2019


AWS Direct Connect is a service that enables you to establish a dedicated network connection from sites — such as data centers, offices, or colocation environments — to AWS. AWS provides dedicated connections for this service at bandwidths of 1 Gbps and 10 Gbps. You are also able to use sub-1 Gbps hosted connections via AWS Direct Connect partners that have already established an interconnect with AWS.

Requirements for networking equipment

You must support 802.1Q VLANs across 1 Gbps or 10 Gbps Ethernet connections. Your network must also support Border Gateway Protocol (BGP) and BGP MD5 authentication.

802.1Q uses the addition of a VLAN tag to the header of an Ethernet frame to define membership of a particular VLAN. Networking equipment that supports this standard is then able to maintain separation for the associated traffic at Layer 2.

Physical connectivity to AWS Direct Connect is established either at an AWS Direct Location or via a Partner.

AWS Direct Connect Locations

All AWS Regions have associated AWS Direct Connect locations. The locations are provided by third-party colocation providers, also known as Carrier Neutral Facilities (CNFs). An authoritative list of these locations is maintained on the AWS website within the AWS Direct Connect Product Details page.

You can establish multiple physical connections to AWS via the same location. An AWS Direct Connect location always has two AWS devices at a minimum.

You can also establish multiple physical connections to multiple AWS Direct Connect locations. This option provides you with geographical diversity for your connections, providing the highest level of redundancy.

Dedicated Connections

Within the AWS Direct Connect location, AWS devices provide dedicated connections with a bandwidth capability of 1 Gbps and 10 Gbps.

The port type used for 1 Gbps connections is 1000BASE-LX.

The port type used for 10 Gbps connections is 10GBASE-LR.

To use a dedicated connection, the equipment that is connected to these ports must support these same capabilities.

Provisioning Process

You can set up an AWS Direct Connect connection in one of the following ways:

■ At an AWS Direct Connect location.

■ Through a member of the AWS Partner Network (APN) or a network carrier.

A partner in the APN can help you establish network circuits between an AWS Direct Connect location and your data center, office, or colocation environment.

■ Through a hosted connection provided by a member of the APN.

Steps to Provision an AWS Direct Connect

  1. Request a Connection
  2. Download Your Letter of Authorization (LOA)
  3. Cross-Connect to the AWS Port

Once the connection is in place, you should see a “link up” and good light levels being received at your equipment. The AWS Management Console will also reflect the status of the connection as either down or available.

Physical components of AWS Direct Connect

Multiple Connections

You may choose to use multiple AWS Direct Connect connections to increase the resilience and bandwidth of your environment. These connections can be one of the following:

■ At the same location, on the same AWS device

■ At the same location, on a different AWS device. This enables a level of resilience to interface failure, device failure, or planned maintenance.

■ At a different location

Hosted Connections

A hosted connection is available via AWS Direct Connect partners at bandwidth increments less than those available from a dedicated 1 Gbps or 10 Gbps connection. These are provided using a physical partner interconnect on which these hosted connections are provisioned.

Logical Connectivity

To begin using your AWS Direct Connect connection you must create a virtual interface. In order to access AWS resources over an AWS Direct Connect connection, a BGP peering relationship must be established between the AWS device and your customer router and then appropriate routes exchanged. In order to enable these actions, you need to create a Virtual Interface (VIF). A VIF is a configuration consisting primarily of an 802.1Q VLAN and the options for an associated BGP session. It contains all of the configuration parameters required for both the AWS end of a connection and your end of the connection. AWS Direct Connect supports two types of VIFs:

Public VIFs

Enables your network to reach all of the AWS public IP addresses on the AWS global backbone network in all regions (with the exception of China). Public VIFs are also enabled for “Global” capabilities, which allows you to receive BGP announcements for all AWS public IPs globally. Public VIFs are typically used to enable direct network access to services that are not reachable via a private IP address within your own VPC (e.g. S3, DynamoDB, SQS, public endpoints for AWS managed VPN services, etc.). When creating a public VIF with an address family type of IPv4, you must specify public IP addresses for both the Amazon router peer IP and your router peer IP. You must also specify the IP address prefixes you plan to announce to AWS over this type of VIF. This enables AWS to verify that you are the owner of these IP addresses and that you are authorized to announce them. Once AWS receives a BGP announcement from you, all network traffic from AWS destined to the announced prefix will be routed via AWS Direct Connect.
You should configure your routers and firewalls appropriately to accept or reject this traffic per your own routing policies. AWS does not re-advertise customer prefixes received over AWS Direct Connect public VIFs to other customers. The prefixes that AWS announces do change, and a current list can be obtained from the public ip-ranges.json file maintained at https://ip-ranges.amazonaws.com/ip-ranges.json. You could use the ip-ranges.json file to build filters on your routers and only install routes for particular services or regions.
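The route-filtering idea in the previous paragraph, as an added example that is not part of the original article: it parses the ip-ranges.json structure (the real feed's keys are `syncToken`, `createDate`, `prefixes[]` and `ipv6_prefixes[]`), selects the IPv4 prefixes for chosen services and regions, collapses overlapping entries, and renders an IOS-style prefix-list. The embedded feed is a constructed, abbreviated stand-in using documentation address ranges, and the prefix-list name is hypothetical.

```python
"""Build a router prefix filter for a public VIF from the AWS ip-ranges.json feed."""
import ipaddress
import json

# Constructed, abbreviated stand-in for https://ip-ranges.amazonaws.com/ip-ranges.json.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "1572825600",                 # constructed value
    "createDate": "2019-11-04-00-00-00",       # constructed value
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24",   "region": "eu-west-1", "service": "S3"},
        {"ip_prefix": "203.0.113.0/25",   "region": "eu-west-1", "service": "S3"},  # covered by the /24
        {"ip_prefix": "198.51.100.0/24",  "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.0/24",     "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "192.0.2.128/25",   "region": "eu-west-1", "service": "DYNAMODB"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8::/32", "region": "eu-west-1", "service": "S3"},
    ],
})


def select_prefixes(feed_json, services, regions):
    """Return the sorted, collapsed IPv4 networks matching the given services and regions.

    collapse_addresses() drops any prefix already covered by a shorter one, so the
    resulting filter is minimal and has no redundant entries.
    """
    data = json.loads(feed_json)
    wanted = {
        ipaddress.ip_network(entry["ip_prefix"])
        for entry in data["prefixes"]
        if entry["service"] in services and entry["region"] in regions
    }
    return sorted(ipaddress.collapse_addresses(wanted))


def render_prefix_list(name, networks):
    """Render an IOS-style 'ip prefix-list' that permits exactly these networks.

    A final explicit deny keeps any other AWS-announced route from being installed.
    """
    lines = [f"ip prefix-list {name} seq {(i + 1) * 10} permit {net}"
             for i, net in enumerate(networks)]
    lines.append(f"ip prefix-list {name} seq {(len(networks) + 1) * 10} deny 0.0.0.0/0 le 32")
    return "\n".join(lines)


if __name__ == "__main__":
    s3_euw1 = select_prefixes(SAMPLE_IP_RANGES, {"S3"}, {"eu-west-1"})
    print(render_prefix_list("AWS-S3-EUW1", s3_euw1))  # hypothetical prefix-list name
```

Against the live feed, replace the embedded sample with the downloaded file contents and re-run whenever `syncToken` changes, since the announced prefixes are not static.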

Private VIFs

Enables your network to reach resources that have been provisioned within your Virtual Private Cloud (VPC) via their private IP address.

A private VIF is associated with the VGW for your VPC to enable this connectivity.

Private VIFs are used to enable direct network access to services that are reachable via an IP address within your own VPC. These include, but are not limited to, Amazon EC2, Amazon Relational Database Service (Amazon RDS), and Amazon Redshift.

When the BGP session comes up, your peer router will receive announcements for all Classless Inter-Domain Routing (CIDR) address ranges associated with your VPC.

You are able to announce up to 100 prefixes to AWS over a private VIF, including a default (0.0.0.0/0) route.

These routes are used by the VGW and can optionally be propagated into route tables within your VPC. The routes also contribute to CloudHub within the VGW, which enables you to route between multiple AWS Direct Connect private VIFs, VPN connections, and the attached VPC.

You can create multiple VIFs on a dedicated AWS Direct Connect connection.

If you are using a hosted connection from an AWS Direct Connect partner, you can only create a single VIF and may need to request additional hosted connections for future requirements. Each VIF is associated with a single VGW (which is attached to a single VPC or a Direct Connect Gateway).

Direct Connect Gateway

A Direct Connect Gateway enables you to associate Private VIFs with multiple VGWs in the local Region or in remote Regions.

You can use this feature to establish connectivity from an AWS Direct Connect location in one geographical zone to an AWS Region in a different geographical zone. This is in addition to being able to use a single private VIF to access multiple VPCs in multiple AWS Regions (in the same account).

Your router will establish a single BGP session with the Direct Connect Gateway and, from there, receive announcements for all associated VPCs. Note that the Direct Connect Gateway does not enable CloudHub between the associated private VIFs and VGWs.

(Figure: Direct Connect Gateway)

Hosted Virtual Interfaces

When creating a VIF (both public and private) you are able to choose the VIF owner. This can be “My AWS Account” or “Another AWS Account.” When choosing “Another AWS Account,” you are prompted to provide a 12-digit account number. All of the BGP configuration is still completed in the account that owns the AWS Direct Connect connection; however, when choosing another account, that VIF becomes a hosted VIF.

The recipient of the hosted VIF must choose to accept it and, in the case of a private VIF, choose which VGW to associate it with.

A hosted VIF results in all related data transfer charges being charged to the recipient account holder’s AWS bill.

Note that the port-hour charges are always charged to the owner of the AWS Direct Connect connections.
