AWS Direct Connect
AWS Direct Connect links the customer internal network to an AWS Direct Connect location over a standard Ethernet fiber-optic cable. With this connection, customers can create virtual interfaces directly to public AWS services or to Amazon VPC, bypassing internet service providers in their network path. Using AWS Direct Connect, AWS clients can establish private connectivity between AWS and their data-center, office, or colocation environment, which in many cases can reduce the network costs, increase bandwidth throughput, and provide a more consistent network experience than Internet-based connections.
- Using AWS Direct Connect, data will be delivered through a private network connection between AWS and customers datacenter or corporate network.
- All AWS services, including Amazon EC2, Amazon VPC, Amazon S3, and Amazon DynamoDB can be used with AWS Direct Connect.
- Each AWS Direct Connect connection can be configured with one or more virtual interfaces. Virtual interfaces can be configured to access AWS services such as Amazon EC2, Amazon EBS, and Amazon S3 using public IP space, or resources in a VPC using private IP space.
- An AWS Direct Connect location provides access to AWS in the Region with which it is associated. Customers can use a single connection in a public Region or AWS GovCloud (US) to access public AWS services in all other public Regions.
AWS Direct Connect Features
AWS Direct Connect reduces customer’s network costs into and out of AWS in two ways.
- By transferring data to and from AWS directly, customers can reduce their bandwidth commitment to the Internet service provider.
- All data transferred over customers dedicated connection is charged at the reduced AWS Direct Connect data transfer rate rather than Internet data transfer rates.
AWS Direct Connect makes it easy to scale your connection to meet customers needs. AWS Direct Connect provides 1 Gbps and 10 Gbps connections, and they can easily provision multiple connections if you need more capacity.
- AWS customers can use AWS Direct Connect instead of establishing a VPN connection over the Internet to their Amazon VPC.
With AWS Direct Connect, customers can transfer their business critical data directly from their datacenter, office, or colocation environment into and from AWS bypassing their Internet service provider, which removes network congestion.
- AWS Direct Connect’s simple pay as-you-go pricing, and no minimum commitment means customers pay only for the network ports they use and the data transferred over the connection.
AWS customers can use AWS Direct Connect to establish a private virtual interface from their on-premise network directly Amazon VPC, that provides them with a private, high bandwidth network connection between the networks their VPC.
- With multiple virtual interfaces, customers can even establish private connectivity to multiple VPCs while maintaining network isolation.
AWS customers can sign up for AWS Direct Connect service quickly and easily using the AWS Management Console.
- The console provides a single view to efficiently manage all customers connections and virtual interfaces.
- Customers can also download customized router templates for their networking equipment after configuring one or more virtual interfaces.
Applications that use real-time data feeds can also benefit from using AWS Direct Connect. Applications like voice and video perform best when network latency remains constant.
- With AWS Direct Connect, customers control how their data is routed, which can provide a more consistent network experience over Internet-based connections.
AWS Direct Connect enables customers to build hybrid environments that satisfy regulatory requirements requiring the use of private connectivity.
- Hybrid environments allow customers to combine the elasticity and economic benefits of AWS with the ability to utilize other infrastructure that they already own.
Direct Connect Resiliency Toolkit
AWS offers its clients the ability to achieve highly resilient network connections between Amazon VPC and their on-premises infrastructure. The Direct Connect Resiliency Toolkit provides a connection wizard with multiple resiliency models. These models help customers to order dedicated connections to achieve their SLA objective. Once customers select the resiliency model, Direct Connect Resiliency Toolkit guides them through the dedicated connection ordering process.
- The resiliency models are designed to ensure that you have the appropriate number of dedicated connections in multiple locations.
The best practice is to use the Connection wizard in the Direct Connect Resiliency Toolkit to order the dedicated connections to achieve your SLA objective. These resiliency models are available in the in AWS Direct Connect Resiliency Toolkit:
- Maximum Resiliency: This model provides customers a way to order dedicated connections to achieve an SLA of 99.99%. It requires them to meet all of the requirements for achieving the SLA that are specified in the AWS Direct Connect Service Level Agreement.
- High Resiliency: This model provides you a way to order dedicated connections to achieve an SLA of 99.9%. It requires customers to meet all of the requirements for achieving the SLA that are specified in the AWS Direct Connect Service Level Agreement.
- Development and Test: This model provides customers a way to achieve development and test resiliency for non-critical workloads by using separate connections that terminate on separate devices in one location.
- Classic. This model is intended for users that have existing connections and want to add additional connections. This model does not provide an SLA.
The Direct Connect Resiliency Toolkit has the following benefits:
- Provides guidance on how AWS clients determine and then order the appropriate redundant AWS Direct Connect dedicated connections.
- Ensures that the redundant dedicated connections have the same speed.
- Automatically configures the dedicated connection names.
- Automatically approves customers dedicated connections when they have an existing AWS account and selects a known AWS Direct Connect Partner. The Letter of Authority (LOA) is available for immediate download.
- Automatically creates a support ticket for the dedicated connection approval when the client is new to AWS services.
- It provides an order summary for the customer’s dedicated connections with the SLA that they can achieve and the port-hour cost for the ordered dedicated connections.
- Creates link aggregation groups (LAGs), and adds the appropriate number of dedicated connections to the LAGs when customers choose a speed other than 1 Gbps or 10 Gbps.
- Provides a LAG summary with the dedicated connection SLA that customers can achieve, and the total port-hour cost for each ordered dedicated connection as part of the LAG.
- Prevents customers from terminating the dedicated connections on the same AWS Direct Connect device.
Types of connection
AWS Direct Connect enables customers to establish a dedicated network connection between their network and one of the AWS Direct Connect locations. There are two types of connections:
After customers have downloaded the Letter of Authorization and Connecting Facility Assignment (LOA-CFA), they need to complete the cross-network connection, also known as a cross connect.
- AWS Direct Connect is available at locations around the world. In some campus settings, AWS Direct Connect is accessible via a standard cross-connect from other data centers operated by the same provider on the same campus.
- With Direct Connect Gateway and global public Virtual Interfaces, customers can access any other AWS Region from their chosen location.
With the introduction of the granular Data Transfer Out allocation feature, the AWS account responsible for the Data Transfer Out will be charged for the Data Transfer Out performed over a transit/private virtual interface. The AWS account responsible for the Data Transfer Out will be determined based on the customer’s use of the private/transit virtual interface as follows:
- Private virtual interface(s) is used to interface with Amazon Virtual Private Cloud(s) with or without Direct Connect gateway(s). In the case of the private virtual interface, the AWS account owning the AWS resources responsible for the Data Transfer Out will be charged.
- Transit virtual interface(s) is used to interface with AWS Transit Gateway(s). In the case of the transit virtual interface, the AWS account owning the Amazon Virtual Private Cloud(s) attached to the AWS Transit Gateway associated with the Direct Connect gateway attached to the transit virtual interface will be charged. Please note that all applicable AWS Transit Gateway specific charges (Data Processing and Attachment) will be in addition to the AWS Direct Connect Data Transfer Out.
A physical Ethernet connection associated with a single customer. Customers can request a dedicated connection through the AWS Direct Connect console, the CLI, or the API.
- AWS customers can add a dedicated connection to a link aggregation group (LAG), which allows them to treat multiple connections as a single one.
- After customers create a connection, they need to create a virtual interface to connect to public and private AWS resources
- These are the available operations in Dedicated Connection:
- Creating a connection
- Viewing connection details
- Updating a connection
- Deleting connections
A physical Ethernet connection that an AWS Direct Connect Partner provisions on behalf of a customer. Customers request a hosted connection by contacting a partner in the AWS Direct Connect Partner Program, who provisions the connection.
- After receiving the request of a connection, AWS makes a Letter of Authorization and Connecting Facility Assignment (LOA-CFA) available to you to download.
- Once AWS customers accept a connection, they need to create a virtual interface, in order to connect to public and private AWS resources.
- These are the available operations in Hosted connection.
- Creating a connection
- Viewing connection details
- Updating a connection
- Deleting connections
AWS Direct Connect virtual interfaces
In order to begin using AWS Direct Connect connection, customers need to create one of the following virtual interfaces .
- Private virtual interface: Access an Amazon VPC using private IP addresses.
- Public virtual interface: Access AWS services from customers on-premises data center. Allow AWS services, or AWS customers access their public networks over the interface instead of traversing the internet.
- Transit virtual interface: Access one or more Amazon VPC Transit Gateways associated with Direct Connect gateways, and use transit virtual interfaces with 1/2/5/10 Gbps AWS Direct Connect connections.
Link aggregation groups (LAG)
A link aggregation group (LAG) is a logical interface that uses the Link Aggregation Control Protocol (LACP) to aggregate multiple dedicated connections at a single AWS Direct Connect endpoint, allowing AWS clients to treat them as a single, managed connection. LAGs streamline configuration because the LAG configuration applies to all connections in the group.
The following diagram have four dedicated connections, with two connections to each location. Creating a LAG for the connections that terminate in the same location, and then use the two LAGs instead of the four connections for configuration and management is allowed.
AWS clients can create a LAG from existing dedicated connections, or provision new dedicated connections. After creating the LAG, associate it with existing dedicated connections (whether standalone or part of another LAG) with the LAG.
The following rules apply:
- All connections must be dedicated connections and have a port speed of 1Gbps or 10Gbps.
- All connections in the LAG must use the same bandwidth.
- You can have a maximum of four connections in a LAG. Each connection in the LAG counts towards your overall connection limit for the Region.
- All connections in the LAG must terminate at the same AWS Direct Connect endpoint.
When customers create a LAG, they need to download the Letter of Authorization and Connecting Facility Assignment (LOA-CFA) for each new physical connection individually from the AWS Direct Connect console.
All LAGs have an attribute that determines the minimum number of connections in the LAG that must be operational for the LAG itself to be operational. By default, new LAGs have this attribute set to 0. You can update your LAG to specify a different value—doing so means that your entire LAG becomes non-operational if the number of operational connections falls below this threshold. This attribute can be used to prevent over-utilization of the remaining connections.
All connections in a LAG operate in Active/Active mode.
Use AWS Direct Connect gateway to connect your VPCs. You associate an AWS Direct Connect gateway with either of the following gateways:
- A transit gateway when you have multiple VPCs in the same Region
- A virtual private gateway
Direct Connect gateways
A Direct Connect gateway is a globally available resource. Aws customers can create the Direct Connect gateway in any Region and access it from all other Regions, and use a Direct Connect gateway in the following scenarios.
A Direct Connect gateway does not allow gateway associations that are on the same Direct Connect gateway to send traffic to each other (for example, a virtual private gateway to another virtual private gateway). A Direct Connect gateway does not prevent traffic from being sent from one gateway association back to the gateway association itself (for example when you have an on-premises supernet route that contains the prefixes from the gateway association). If you have a configuration with multiple VPCs connected to the same transit gateway, the VPCs could communicate. To prevent the VPCs from communicating, use separate transit gateway attachments, and then associate a route table with the attachments that have the blackhole option set.
Virtual private gateway associations
In the following diagram, the Direct Connect gateway enables you to use your AWS Direct Connect connection in the US East (N. Virginia) Region to access VPCs in your account in both the US East (N. Virginia) and US West (N. California) Regions.
Each VPC has a virtual private gateway that connects to the Direct Connect gateway using a virtual private gateway association. The Direct Connect gateway uses a private virtual interface for the connection to the AWS Direct Connect location. There is an AWS Direct Connect connection from the location to the customer data center.
Virtual private gateway associations across accounts
Consider this scenario of a Direct Connect gateway owner (Account Z) who owns the Direct Connect gateway. Account A and Account B want to use the Direct Connect gateway. Account A and Account B each send an association proposal to Account Z. Account Z accepts the association proposals and can optionally update the prefixes that are allowed from Account A’s virtual private gateway or Account B’s virtual private gateway. After Account Z accepts the proposals, Account A and Account B can route traffic from their virtual private gateway to the Direct Connect gateway. Account Z also owns the routing to the customers because Account Z owns the gateway.
Transit gateway associations
The following diagram illustrates how the Direct Connect gateway enables you to create a single connection to your Direct Connect connection that all of your VPCs can use.
The solution involves the following components:
- A transit gateway that has VPC attachments.
- A Direct Connect gateway.
- An association between the Direct Connect gateway and the transit gateway.
- A transit virtual interface that is attached to the Direct Connect gateway.
This configuration offers the following benefits. You can:
- Manage a single connection for multiple VPCs or VPNs that are in the same Region.
- Advertise prefixes from on-premises to AWS and from AWS to on-premises.
For information about configuring transit gateways, see Working with Transit Gateways in the Amazon VPC Transit Gateways Guide.
Transit gateway associations across accounts
Consider this scenario of a Direct Connect gateway owner (Account Z) who owns the Direct Connect gateway. Account A owns the transit gateway and wants to use the Direct Connect gateway. Account Z accepts the association proposals and can optionally update the prefixes that are allowed from Account A’s transit gateway. After Account Z accepts the proposals, The VPCs attached to the transit gateway can route traffic from the transit gateway to the Direct Connect gateway. Account Z also owns the routing to the customers because Account Z owns the gateway.