Direct Connect (DX) allows you to bypass the public Internet and connect directly between your data center and an AWS region. It is a private connection, which gives you the security benefit of a dedicated path together with consistent throughput at low latency. If you have large volumes of data to transfer, you may achieve lower costs using a direct connection than using the Internet.
AWS Direct Connect is currently available in more than 100 locations, spanning nearly 70 cities in 30 countries. These Direct Connect facilities contain AWS routers that interconnect with customer and telco networks. They are not AWS-owned data centers but are hosted in colocation facilities or carrier hotels and serve as common interconnection points. There are currently 99 partners, including companies such as AT&T, CoreSite, Digital Realty, Equinix, and Lumen. The customer must install a router at the interconnection data center and provision a provider data circuit to the Direct Connect facility to complete the end-to-end provisioning. A current list of Direct Connect locations can be found at https://aws.amazon.com/directconnect/locations.
The interconnects are provisioned at either 1 Gbps, 10 Gbps, or 100 Gbps depending on your bandwidth requirements. Most interconnect service providers also offer subrate connections below 1 Gbps: the carrier sets up an interconnect with AWS at the peering location and sells you a subset of that bandwidth. Individual links can also be combined, or aggregated, using the Link Aggregation Control Protocol (LACP), which bundles multiple 1 G, 10 G, or 100 G connections into one logical connection for higher speeds. Link aggregation will be covered later in the chapter.
A DX connection is not inherently encrypted, and the private path implies no in-flight data protection on its own. A common security implementation is therefore to run an IPsec site-to-site VPN connection over the DX link to encrypt the data traversing Direct Connect.
The DX optics are 1000BASE-LX, 10GBASE-LR, or 100GBASE-LR4 for the optical cross-connects between the customer and AWS routers.
Once the physical connection has been made, virtual interfaces (VIFs) are created, which can be either private or public. A private VIF, shown in Figure 6.12, connects to a single VPC using a Virtual Gateway (VGW). The VIF is an 802.1Q tagged VLAN with BGP routing for dynamic route exchange. The second type of interconnection is a public VIF, shown in Figure 6.13, which connects to AWS public services in any region, such as DynamoDB, Route 53, S3, or CloudFront. The public VIF does not, however, connect to the Internet; customers cannot use Direct Connect for their Internet connections. A single Direct Connect connection can carry multiple private VIFs to connect to multiple VPCs in a single region. Multiple accounts can share a VIF, which is referred to as a hosted VIF.
FIGURE 6.12 Direct Connect private VIF
FIGURE 6.13 Direct Connect public VIF
High availability is achieved by adding a backup Direct Connect link from your data center to the interconnection facility or, as a second option, by using a VPN connection to back up the direct connection, as shown in Figure 6.14. When using the VPN backup architecture, the capacity should not exceed 1 Gbps because of AWS VPN throughput limitations.
The AWS data circuits from the hosted interconnection facilities to the AWS regional data centers are redundant, with BGP routing providing failover for high availability. It is your responsibility to architect the connection from your data center to the AWS cross-connect site, either as a dedicated backup link, if desired, or as a site-to-site VPN over the Internet to the AWS region in which the primary DX circuit terminates. The second high-availability element you are responsible for is the connection inside the hosting facility between your router and the AWS router, which is a single point of failure unless there is a redundant cross-connection. You also need to take into consideration the possibility of router failures; installing additional routers in your data center and at the colocation facility adds high availability at the router level, as shown in Figure 6.15.
FIGURE 6.15 Hardware high availability connections
To set up a Direct Connect connection to AWS, start by going into the Networking and Content Delivery section of the web console and selecting Direct Connect at https://us-east-1.console.aws.amazon.com/directconnect/v2/home?region=us-west-2#. Notice that even though Direct Connect is a global service, the console defaults to the region you specified as the default for your account. As a prerequisite, you must pick the location where you want to make the interconnection and the bandwidth you require, which determines the data circuit capacity you provision from the carrier. Select Create Connection and give the connection a name and location. Select a port speed of 1 Gbps, 10 Gbps, or 100 Gbps, and whether you are using your own on-premises routers or a service provider’s router. You can also enable MACsec for layer 2 encryption and add a tag for your internal tracking requirements. There is also a wizard that steps you through the process, including your desired resiliency level, as shown in Figures 6.16, 6.17, and 6.18. You can select the interconnect location and carrier if you use a service provider partner to create the connection. At this step, AWS creates a support case on your behalf to arrange for your equipment to be installed or to work with the service provider to use their routing equipment. The support ticket contains information such as the AWS region to connect to, the connection ID, the connection name, your account information, the port speed, jumbo frame capability, and who the service provider is. AWS then provides you with a Letter of Authorization and Connecting Facility Assignment (LOA-CFA) that details how to do the actual interconnect, including the optic and connector types, the AWS cage information, your rack location, the optical patch panel, and the port number for the cross-connect.
FIGURE 6.16 Direct Connect configuration wizard
The next step is to create the VIFs between your equipment and the AWS routers, as shown in Figure 6.19. You specify the VIF type and fill out the interface configuration, including the physical interface, account information, gateway type, VLAN ID, and BGP ASN. Additional configuration settings include the address family (IPv4 or IPv6), your peer router and AWS router IP addresses, a BGP authentication key value, and a jumbo frame MTU value.
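The VIF dialog accepts the values above without much cross-checking until you submit, and a mistyped VLAN, MTU or peering address costs a BGP session that never comes up. The following is an added example, not code from the book or from AWS: it sanity-checks a set of VIF parameters before you enter them. The constraint values (VLAN 1-4094, MTU 9001 only on private VIFs, peer addresses sharing one subnet) come from the AWS Direct Connect documentation; the class and function names, the minimum BGP key length, and the sample addresses are this example's own assumptions.

```python
"""Pre-submission checks for the values entered in the Direct Connect VIF
dialog: VIF type, VLAN, BGP ASN, address family, peer addresses, BGP key, MTU.
Added example; constraint values follow the AWS Direct Connect documentation,
while the names and the key-length policy below are this example's own."""
import ipaddress
from dataclasses import dataclass

# Private ASN ranges per RFC 6996 (16-bit and 32-bit)
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))
# Jumbo frames (MTU 9001) are supported on private VIFs only; public VIFs use 1500
ALLOWED_MTU = {"private": {1500, 9001}, "public": {1500}}
MIN_BGP_KEY_LEN = 8  # local policy for this example, not an AWS requirement


@dataclass
class VifConfig:
    vif_type: str          # "private" or "public"
    vlan: int              # 802.1Q tag used on the DX port
    asn: int               # your router's BGP ASN
    address_family: str    # "ipv4" or "ipv6"
    customer_address: str  # your peering address with prefix, e.g. "169.254.250.1/30"
    amazon_address: str    # the AWS router's peering address with prefix
    bgp_auth_key: str      # BGP MD5 key; the console generates one if left blank
    mtu: int = 1500


def is_private_asn(asn: int) -> bool:
    """True if the ASN falls in a private range (what a private VIF normally uses)."""
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def validate_vif(cfg: VifConfig) -> list[str]:
    """Return the list of problems found; an empty list means the config passes."""
    problems = []
    if cfg.vif_type not in ALLOWED_MTU:
        return [f"unknown VIF type {cfg.vif_type!r}"]
    if not 1 <= cfg.vlan <= 4094:
        problems.append(f"VLAN {cfg.vlan} is outside the 802.1Q range 1-4094")
    if not 1 <= cfg.asn <= 4294967294:
        problems.append(f"ASN {cfg.asn} is not a valid 16-bit or 32-bit ASN")
    if cfg.mtu not in ALLOWED_MTU[cfg.vif_type]:
        problems.append(f"MTU {cfg.mtu} is not allowed on a {cfg.vif_type} VIF")
    if len(cfg.bgp_auth_key.strip()) < MIN_BGP_KEY_LEN:
        problems.append("BGP authentication key is missing or too short")
    if cfg.address_family not in ("ipv4", "ipv6"):
        problems.append(f"unknown address family {cfg.address_family!r}")
        return problems
    try:
        cust = ipaddress.ip_interface(cfg.customer_address)
        amzn = ipaddress.ip_interface(cfg.amazon_address)
    except ValueError as exc:
        problems.append(f"malformed peering address: {exc}")
        return problems
    want = 4 if cfg.address_family == "ipv4" else 6
    if cust.version != want or amzn.version != want:
        problems.append("peering addresses do not match the selected address family")
    elif cust.network != amzn.network:
        problems.append("customer and Amazon peering addresses are not in the same subnet")
    elif cust.ip == amzn.ip:
        problems.append("customer and Amazon peering addresses are identical")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from any real account
    sample = VifConfig("private", 101, 65000, "ipv4",
                       "169.254.250.1/30", "169.254.250.2/30", "constructed-md5-key")
    print(validate_vif(sample) or "VIF parameters look consistent")
```

Run it with your own values before opening the console; every string it returns corresponds to a field in the Figure 6.19 dialog, and a clean result means the BGP peering has a chance of establishing on the first try.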
FIGURE 6.17 Direct Connect configuration dialog
FIGURE 6.18 Direct Connect review and create dialog
FIGURE 6.19 Virtual interface creation
The link aggregation configuration area is where you create a logical grouping of 1 Gbps, 10 Gbps, or 100 Gbps interfaces for additional bandwidth. The grouping creates a single logical endpoint that is treated as one managed connection. Your options include using an existing connection or creating a new one, the name of the link aggregation group, the number of circuits in the group, and a minimum-links value: the number of member links that must be operational, below which the whole LAG is declared down or unusable. See Figure 6.20 for an example of the LAG configuration dialog.
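The minimum-links value decides whether a LAG degrades gracefully or fails over all at once, which matters for the backup-path design discussed earlier in the chapter. The following added example (not code from the book or from AWS) models that rule: it validates a LAG definition against the member limits in the AWS documentation (four 1 Gbps or 10 Gbps members, or two 100 Gbps members) and shows how much capacity survives a given number of member failures. The class and function names are this example's own assumptions.

```python
"""Model of the Direct Connect LAG minimum-links rule: how many members must be
up for the LAG to count as operational, and what capacity remains as members
fail.  Added example; member limits follow the AWS Direct Connect documentation,
and the names below are this example's own."""
from dataclasses import dataclass

# Up to four 1 Gbps or 10 Gbps connections, or two 100 Gbps connections, per LAG
MAX_MEMBERS = {1: 4, 10: 4, 100: 2}


@dataclass
class Lag:
    speed_gbps: int         # all members of a LAG must have the same speed
    member_up: list         # operational state (True/False) of each member circuit
    minimum_links: int = 0  # console default; 0 means "any single member keeps the LAG up"


def validate_lag(lag: Lag) -> list[str]:
    """Definition problems: unsupported speed, too many members, or an unreachable minimum."""
    problems = []
    if lag.speed_gbps not in MAX_MEMBERS:
        return [f"unsupported member speed {lag.speed_gbps} Gbps"]
    limit = MAX_MEMBERS[lag.speed_gbps]
    if not 1 <= len(lag.member_up) <= limit:
        problems.append(f"{len(lag.member_up)} members is outside 1-{limit} for {lag.speed_gbps} Gbps")
    if lag.minimum_links > len(lag.member_up):
        problems.append("minimum links exceeds the member count, so the LAG can never come up")
    return problems


def lag_status(lag: Lag) -> tuple:
    """(operational, usable capacity in Gbps) under the minimum-links rule."""
    up = sum(1 for m in lag.member_up if m)
    operational = up >= max(lag.minimum_links, 1)  # a LAG with no members up is down
    return operational, lag.speed_gbps * up if operational else 0


def capacity_after_failures(lag: Lag, failures: int) -> int:
    """Usable capacity once `failures` of the currently-up members go down."""
    survivors = [m for m in lag.member_up if m][failures:]
    return lag_status(Lag(lag.speed_gbps, survivors, lag.minimum_links))[1]


def failure_tolerance(lag: Lag) -> int:
    """Number of member failures the LAG absorbs before it stops carrying traffic."""
    up = sum(1 for m in lag.member_up if m)
    return max(0, up - max(lag.minimum_links, 1))


if __name__ == "__main__":
    # Constructed design: four 10 Gbps members, LAG must keep at least two up
    design = Lag(10, [True, True, True, True], minimum_links=2)
    print("problems:", validate_lag(design) or "none")
    print("status:", lag_status(design))
    for n in range(5):
        print(f"after {n} failures: {capacity_after_failures(design, n)} Gbps")
    print("failures tolerated:", failure_tolerance(design))
```

A minimum-links value of 2 on a four-member LAG means the third failure takes the whole LAG down rather than leaving one 10 Gbps member carrying the load; that is the deliberate trade-off when you would rather cut over cleanly to a backup DX link or VPN than run degraded, and the VPN backup from Figure 6.14 can only absorb about 1 Gbps of that traffic.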