Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

AWS Direct Connect

25,813 views

Published on

Notes on the "AWS Direct Connect" presentation.

  • Be the first to comment

AWS Direct Connect

  1. 1. AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015 AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015 AWS Direct Connect Camil Samaha
  2. 2. AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015 Agenda • Introduction • Technical overview • Use cases • Billing • Questions
  3. 3. AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015 What is AWS Direct Connect? Corporate data centerAWS Cloud Virtual Private Cloud 1 Gb/s 10 Gb/s SESAmazon Glacier Elastic Beanstalk SQS Amazon EMR Amazon Redshift EC2 Direct Connect
  4. 4. AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015 Why use AWS Direct Connect? • Consistent network performance – You choose the data that utilizes the dedicated connection – You decide how the data is routed, which can provide a more consistent network experience over Internet-based connections
  5. 5. AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015 Why use AWS Direct Connect? • Elastic – You can specify the configuration that meets your needs – You can easily provision multiple connections if you need more capacity
  6. 6. AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015 Why use AWS Direct Connect? • Lower bandwidth costs – Consistent cost at $0.02 / GB for data leaving us- east-1 – Costs vary by region $0.000 $0.050 $0.100 First 10TB Next 40TB Next 100TB Next 350TB Direct Internet
  7. 7. AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015 Technical perspective • 10Gbps and 1Gbps service from AWS • Sub-1Gbps service from Direct Connect partners • 802.1Q, 1500B MTU • Connection (i.e., port) is the basic unit of Direct Connect • Virtual Interface built per VLAN on a connection • eBGP peering for route exchange
  8. 8. AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015 High-level overview VLAN Y VLAN X Virtual private cloud 1 Virtual private cloud 2 Virtual private cloud N … Public endpoints RegionDirect Connect location Private VIF 1 VLAN Z VLAN N AWS Direct Connect router Customer router Each interface can be associated with a different AWS account (hosted virtual interfaces)
  9. 9. AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015 How to connect • Select Direct Connect location(s) – Direct Connect locations are associated with a region – Direct Connect locations are not necessarily adjacent to the region – 15 current Direct Connect locations: US, EU, Asia Pacific, China, South America
  10. 10. AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015 How to connect • Order transport to Direct Connect location(s) – Point to point (DWDM, private line, Ethernet virtual private line) – Multipoint/Mesh (IP-VPN / MPLS or VPLS) • Request LOA/CFA in the Direct Connect console – “Create a Connection” for specific region and location – LOA/CFA sent to primary email address – LOA/CFA valid for 90 days from issuance • Order cross-connect to AWS port – Order must be made by the Direct Connect location provider’s customer – If using a partner, typically the partner is responsible; they have the relationship
  11. 11. AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015 Create a connection
  12. 12. AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015 A word about LOA/CFA • Standard telecom interconnection approach – Used for hoteling/meet-me/peering • Letter of Authorization – Authorizes provider to cross-connect customer to AWS – Customer provides the LOA to the Direct Connect location provider • Connecting Facility Assignment – Indicates where the cross-connect should terminate – Specific to the AWS end of the connection
  13. 13. AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015
  14. 14. AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015 How to connect • Build virtual interface(s) (VIF) – Public VIF looks like a private Internet connection to AWS; no VGW, public IPs – Private VIF attaches to a VPC; connects to a single VGW, private IPs – VGW can have multiple VIFs attached (from different connections) – Hosted VIFs are singletons built by a provider, assigned to your account
  15. 15. AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015 Ethernet is Ethernet Direct Connect location AWS Direct Connect router AWS cloud Remote corp office Customer router Customer IPVPN / MPLS Demarc Local corp data center Customer router
  16. 16. AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015 Public virtual interfaces (VIFs) • Customer – Selects an unused VLAN for the VIF – Provides public IP addresses for VIF endpoints – Identifies planned route announcements – Provides public or private Autonomous System Number (ASN) – Specifies BGP authentication key – Determines VIF account assignment • AWS – Confirms customer owns routes and ASN (if in public range) – Announces local region routes • At US Direct Connect locations, all US region routes announced
  17. 17. AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015
  18. 18. AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015 Private Virtual Interfaces (VIFs) • Customer: – Selects an unused VLAN for the VIF – Provides IP addresses for VIF endpoints – Specifies to which VGW in the Direct Connect local region to attach – Provides public or private Autonomous System Number (ASN) – Specifies BGP authentication key – Determines VIF account assignment • AWS – Announces CIDR of VPC associated with the VGW – Propagates received customer routes to VPC
  19. 19. AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015
  20. 20. AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015 Single router, single port, single region Customer routers Customer internal network AWS Direct Connect routers • Multiple public VIFs allowed on connection • Multiple private VIFs allowed on connection Direct Connect location Region Instances Amazon S3 Public traffic Private traffic
  21. 21. AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015 Dual router, dual port, single region Customer routers Customer internal network AWS Direct Connect routers • Active / active links via BGP multi-pathing • Active / passive also an option • AWS ensures different router if same facility • Can use different facilities and carriers • Customer can affect return path selection • AS-PATH prepend* • More-specific route DX location(s) Region Amazon S3 Instances Public traffic Private traffic
  22. 22. AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015 Single router, single port + VPN backup Customer router Customer internal network AWS Direct Connect router • Routing selection priority – Static, Direct Connect, VPN • Overlapping routes only via propagated routes • Use BGP with VPN configuration for faster failover • If Direct Connect fails, VPN backup for private VI • If Direct Connect fails, Internet backup for public VI Direct Connect location Region InstancesInternetCustomer gateway VPN connection Amazon S3 Public traffic Private traffic
  23. 23. AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015 Advanced: lollipop routing • VPC peering is challenging in large mesh – Subnet route tables grow quickly; may hit limits – Administratively difficult to manage or maintain – No automation presently available • Lollipop allows for hub-and-spoke routing – Advertise summary (or default) routes to the VGW – Advertise learned neighbor routes (as-override) – Maintain centralized routing rules, policies, and ACLs
  24. 24. AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015 VPC 1 Private Virtual Interface 1 VLAN Tag 101 BGP ASN 7224 BGP Announce 10.1.0.0/16 Interface IP 169.254.251.5/30 10.1.0.0/16 VGW 1 Multiple VPCs over AWS Direct Connect Customer switch + router Customer Interface 0/1.101 VLAN Tag 101 BGP ASN 65001 BGP Announce 10.0.0.0/8 Interface IP 169.254.251.6/30 VLAN 101 VLAN 102 VLAN 103 VPC 2 10.2.0.0/16 VGW 2 VPC 3 10.3.0.0/16 VGW 3 Private Virtual Interface 2 VLAN Tag 102 BGP ASN 7224 BGP Announce 10.2.0.0/16 Interface IP 169.254.251.9/30 Customer Interface 0/1.102 VLAN Tag 102 BGP ASN 65002 BGP Announce 10.0.0.0/8 Interface IP 169.254.251.10/30 Customer Interface 0/1.103 VLAN Tag 103 BGP ASN 65003 BGP Announce 10.0.0.0/8 Interface IP 169.254.251.14/30 Private Virtual Interface 3 VLAN Tag 103 BGP ASN 7224 BGP Announce 10.3.0.0/16 Interface IP 169.254.251.13/30 Route Table Destination Target 10.1.0.0/16 PVI 1 Customer internal network 10.2.0.0/16 PVI 2 10.3.0.0/16 PVI 3
  25. 25. AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015 AWS Direct Connect Equinix, San Jose us-west-1 us-west-2 us-east-1 AWS private network VPN to VGW Advanced: cross-region via public VIF In the US, with a public VIF, use the AWS network to: • Access public resources in remote US regions • VPN to a remote US region and emulate a private VIF • Public VIF + VPN is a common GovCloud scenario Public traffic Private traffic
  26. 26. AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015 AWS Direct Connect Equinix, San Jose us-west-1 us-west-2 us-east-1 Advanced: US multi-region, route selection Company establishes DX to us-west-1 and us-east-1. Which path should be taken to an S3 resource in us-west-2? AWS Direct Connect Equinix, Ashburn Customer internal network Office • Customer is responsible for their internal routing behaviors • AWS provides OOB information on region address blocks • Use BGP Local Pref, for example, for outbound routing • Use specific routes for inbound routing, avoid asymmetry • Use BFD for faster routing recovery on link failure Public traffic Private traffic
  27. 27. AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015 US customer data center eu-west-1 region EU customer data center Customer IPVPN MPLS backbone Direct Connect PoP Ireland or London us-east-1 region Direct Connect PoP Virginia or NYC ap-southeast-1 region Direct Connect PoP Singapore AP customer data center Advanced: global multi-region Direct Connect Public traffic Private traffic
  28. 28. AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015 Billing • Customer will have other non-AWS costs – Transport to Direct Connect location – Cross-connect – Others • Connection account pays port charge • VIFs may be allocated to other accounts • Hosted VIF port charges come from Direct Connect provider
  29. 29. AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015 Limits and notes • Limit of 100 routes announced to AWS • Contact support if VIFs + VPNs > 50/region • Cannot access Internet via public VIF • Hosted connections have only one VIF • You control route propagation in your VPC • VPCs are still non-transitive, peering won’t work • Direct Connect port is always 802.1Q Ethernet, no labels • VLANs are stripped at the Direct Connect edge router
  30. 30. AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015 Thank You. This presentation will be loaded to SlideShare the week following the Symposium. http://www.slideshare.net/AmazonWebServices AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015

×