AWS Direct Connect (DX) provides the ability to establish a dedicated network connection from sites such as data centers, offices, or colocation environments to AWS. It links your internal network to an AWS Direct Connect location over a standard, Ethernet fiber-optic cable.
One end of the cable is connected to your router, the other to an AWS Direct Connect router. With this connection in place, you can create virtual interfaces directly to public AWS services (for example, to Amazon S3) or to Amazon VPC, bypassing Internet service providers in your network.
Direct Connect provides a more consistent network experience than internet-based connections at bandwidths ranging from 50 Mbps to 10 Gbps on a single connection. It allows you to create resilient connections to AWS because you have full control over the network path and network providers between your remote networks and AWS.
AWS Direct Connect requires physical connectivity between the AWS network and your network. The process involves ordering the connection, receiving the LOA-CFA (Letter of Authorization and Connecting Facility Assignment), ordering the cross connect, and configuring VLANs and BGP.
AWS Direct Connect offers the following benefits:
1) Security: If you choose to monitor on-premises communication, you can span ports or install tools that monitor traffic across a particular VRF. You can place firewalls in line to meet internal security requirements. You can also control communication by restricting which IP addresses are permitted to communicate across specific VLANs.
2) Traffic engineering: You have greater ability to define and control how data moves into and out of your AWS environment. You can define complex BGP routing rules, filter traffic paths, and move data between one VPC and another. You also have the ability to define which data flows through which VRF. This is particularly important if you need to satisfy specific compliance requirements for data in transit.
3) Traffic isolation: You can satisfy compliance requirements that call for data segregation. You also have the ability to define a public and a private VRF across the same Direct Connect connection, and to monitor specific data flows for security and billing requirements.
– Direct Connect (DX) has the following requirements:
1) 802.1Q VLANs across a 1 Gbps or 10 Gbps Ethernet connection:- (802.1Q is an Ethernet standard that enables Virtual Local Area Networks (VLANs) on an Ethernet network; it adds a VLAN tag to the header of an Ethernet frame to define membership of a particular VLAN).
2) BGP and BGP MD5 authentication:- (Border Gateway Protocol (BGP) is a routing protocol used to exchange network routing and reachability information, either within the same autonomous system (iBGP) or between different autonomous systems (eBGP). MD5 authentication protects the BGP session with a shared key so that only the intended peers can establish it).
3) Your network must use single-mode fiber with a 1000BASE-LX (1310nm) transceiver for 1 gigabit Ethernet or a 10GBASE-LR (1310nm) transceiver for 10 gigabit Ethernet.
4) Auto-negotiation for the port must be disabled. Port speed and full-duplex mode must be configured manually.
5) BFD (optional):- (Bidirectional Forwarding Detection (BFD) is a network fault detection protocol that provides fast failure detection times, which facilitates faster re-convergence for dynamic routing protocols. It is a mechanism used to support fast failover of connections in the event of a failure in the forwarding path between two routers. If a failover occurs, BFD notifies the associated routing protocols to recalculate available routes).
– AWS Direct Connect is billed based on port hours for the connection and on data transfer outbound from AWS. The data transfer out rates are lower than the standard internet data transfer out rates.
>> VIRTUAL INTERFACES (VIFs) <<
A VIF is a configuration consisting primarily of an 802.1Q VLAN and the options for an associated BGP session. It contains all the configuration parameters required for both the AWS end of a connection and your end of the connection. AWS Direct Connect supports two types of VIFs:
– Public VIFs
– Private VIFs
1. Public VIFs: Public Virtual interfaces enable your network to reach all of the AWS public IP addresses for the AWS region with which your AWS Direct Connect connection is associated.
Public VIFs are typically used to enable direct network access to services that are not reachable via a private IP address within your own VPC. These include Amazon S3, Amazon DynamoDB and Amazon SQS.
2. Private VIFs: Private Virtual Interfaces enable your network to reach resources that have been provisioned within your VPC via their private IP address. A Private VIF is associated with the VGW for your VPC to enable this connectivity.
Private VIFs are used to enable direct network access to services that are reachable via an IP address within your own VPC. These include Amazon EC2, Amazon RDS and Amazon Redshift.
>> DIRECT CONNECT GATEWAY <<
– A Direct Connect gateway enables you to associate private VIFs with multiple VGWs in the local region or in remote regions. You can use this feature to establish connectivity from an AWS Direct Connect location in one geographical zone to an AWS region in a different geographical zone.
– You associate a Direct Connect gateway with the virtual private gateway for the VPC, and then create a private virtual interface for your AWS Direct Connect connection to the Direct Connect gateway.
– A Direct Connect gateway is a globally available resource. You can create the Direct Connect gateway in any public region and access it from all other public regions.
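The following is an added example (not AWS code or documentation) that checks the requirements above (802.1Q VLAN range, BGP MD5 authentication, BGP session state) and the VIF/gateway attachment rules against a response shaped like boto3's `describe_virtual_interfaces()` output. The `SAMPLE_RESPONSE` is constructed; IDs, ASNs and keys are made-up values, and the field names are assumed to match the boto3 response.

```python
"""Audit Direct Connect virtual interfaces for the requirements noted above.

Added example, not AWS code. audit_vifs() takes a dict shaped like the
boto3 directconnect.describe_virtual_interfaces() response and returns
findings: missing BGP MD5 key, VLAN outside 802.1Q range, BGP session not
up, or a private VIF attached to neither a VGW nor a Direct Connect gateway.
"""

SAMPLE_RESPONSE = {  # constructed sample; not real AWS output
    "virtualInterfaces": [
        {"virtualInterfaceId": "dxvif-example1", "virtualInterfaceType": "private",
         "vlan": 101, "asn": 65000, "amazonSideAsn": 64512,
         "virtualGatewayId": "vgw-example1", "directConnectGatewayId": "",
         "bgpPeers": [{"authKey": "example-md5-secret", "bgpStatus": "up",
                       "bgpPeerState": "available", "addressFamily": "ipv4"}]},
        {"virtualInterfaceId": "dxvif-example2", "virtualInterfaceType": "public",
         "vlan": 4095, "asn": 65000, "amazonSideAsn": 7224,
         "bgpPeers": [{"authKey": "", "bgpStatus": "down",
                       "bgpPeerState": "available", "addressFamily": "ipv4"}]},
        {"virtualInterfaceId": "dxvif-example3", "virtualInterfaceType": "private",
         "vlan": 102, "asn": 65000, "amazonSideAsn": 64512,
         "virtualGatewayId": "", "directConnectGatewayId": "",
         "bgpPeers": [{"authKey": "example-md5-secret", "bgpStatus": "up",
                       "bgpPeerState": "available", "addressFamily": "ipv4"}]},
    ]
}


def audit_vifs(response):
    """Return a list of (vif_id, finding) tuples; an empty list means all checks passed."""
    findings = []
    for vif in response.get("virtualInterfaces", []):
        vid = vif["virtualInterfaceId"]
        # 802.1Q tags are 12 bits; 0 and 4095 are reserved, so 1..4094 is usable.
        if not 1 <= vif.get("vlan", 0) <= 4094:
            findings.append((vid, "VLAN outside 802.1Q range 1-4094"))
        for peer in vif.get("bgpPeers", []):
            fam = peer.get("addressFamily", "ipv4")
            if not peer.get("authKey"):  # BGP MD5 authentication is a DX requirement
                findings.append((vid, f"{fam} BGP peer has no MD5 auth key"))
            if peer.get("bgpStatus") != "up":
                findings.append((vid, f"{fam} BGP session is {peer.get('bgpStatus', 'unknown')}"))
        # A private VIF carries no traffic until tied to a VGW or a Direct Connect gateway.
        if vif.get("virtualInterfaceType") == "private" and not (
                vif.get("virtualGatewayId") or vif.get("directConnectGatewayId")):
            findings.append((vid, "private VIF attached to no VGW or Direct Connect gateway"))
    return findings


if __name__ == "__main__":
    for vif_id, finding in audit_vifs(SAMPLE_RESPONSE):
        print(f"{vif_id}: {finding}")
```

To run it against a live account, pass the result of `boto3.client("directconnect").describe_virtual_interfaces()` to `audit_vifs` instead of the constructed sample.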
For more information about Direct Connect, see the re:Invent videos and documentation linked below:
- AWS re:Invent 2017: Extending Data Centers to the Cloud: Connectivity Options and Co (NET301): https://www.youtube.com/watch?v=lN2RybC9Vbk&index=12&list=PLhr1KZpdzukewxjrgeVIGw49tiIbkqt0Z&t=9s
- AWS re:Invent 2017: Deep Dive: AWS Direct Connect and VPNs (NET403): https://www.youtube.com/watch?v=eNxPhHTN8gY&index=4&list=PLhr1KZpdzukewxjrgeVIGw49tiIbkqt0Z&t=8s
- AWS Direct Connect Documentation: https://aws.amazon.com/documentation/direct-connect/
- Amazon VPC Network Connectivity Options: https://aws.amazon.com/whitepapers/amazon-vpc-connectivity-options/