AWS Direct Connect

AWS Direct Connect is a service that allows customers to establish a dedicated network connection from their on-premises data center to their environments with AWS. In many cases, this service can reduce network costs, increase bandwidth throughput, reduce latency, increase security, and provide a more consistent network experience than Internet or IP-VPN connections.

Equinix is an AWS Direct Connect Service Delivery program partner. These partners must meet stricter requirements as a Direct Connect partner and also provide additional features and functionality not offered by other Direct Connect partners. This includes higher speed hosted connections with 1, 2, 5 and 10 Gbps bandwidth options.

AWS Direct Connect Types

Equinix supports the two recommended product types for AWS Direct Connect :

Note: AWS recommends customers with workloads sensitive to network congestion use Dedicated Connections or Hosted Connections.

Virtual InterfaceAn interface is a point on a device where data flows in and out. The virtual device is like a physical device because it has some amount of interfaces that allow it to transmit and receive data from the outside world. This can be in the form of an Internet connection, a connection to ECX, a service chain to another virtual device or any other communication. (VIF) is the mechanism for configuring VLAN’s and routing (BGPBorder Gateway Protocol. A standardized exterior gateway protocol designed to exchange routing and reachability information between autonomous systems on the internet) between the customer edge device and the AWS device. There are two kinds of VIF’s; Public and Private.

For more information on AWS DX Virtual Interfaces

Video Guide

Feel free to follow the simple video tutorial of how to order AWS Direct Connect, or read further for a more detailed guide.

Connection Workflow

Step 1/6: Capture your AWS Account Number

For more information on your AWS Account ID

Step 2/6 Create a Connection

From the success window, you can launch to one the following options:

Step 3/6: Accept Direct Connect Hosted Connection

Step 4/6: (Optional) Create Redundant Direct Connect Connection

Equinix and Amazon Web Services (AWS) offers customers the ability to achieve highly resilient network connections between Amazon Virtual Private Cloud (Amazon VPC) and their on-premises infrastructure.

To configure redundancy, a second Direct Connect link must be created by repeating the same steps from above. It is recommended that redundancy be created over a second port into the ECX FabricECX Fabric is an advanced interconnection solution that improves performance by providing a direct, private network connection (although not required as redundant Virtual Circuits can be created over the same physical port).

There are different configuration choices available when you provision two dedicated connections:

Active/Active (BGP multipath). Network traffic is load balanced across both connections. If one connection becomes unavailable, all traffic is routed through the other. This is the default configuration.

Active/Passive (failover). One connection is handling traffic, and the other is on standby. If the active connection becomes unavailable, all traffic is routed through the passive connection.

How you configure the connections doesn't affect redundancy, but it does affect the policies that determine how your data is routed over both connections. We recommend that you configure both connections as active. AWS will treat return traffic on those links as Active/Active.

To achieve high availability with AWS Direct Connect, each Virtual Private Gateway (“VGW”) should be configured with connections to multiple Direct Connect locations. For maximum resilience, AWS strongly recommends the following:

  1. Ensure that each VGW is associated with a private virtual interface on AWS Direct Connect connections at two or more AWS Direct Connect locations.

  2. Confirm that each private virtual interface advertises the same routes.

  3. For public virtual interfaces, ensure that you have a public virtual interface on each AWS Direct Connect connection at two or more Direct Connect locations.

  4. Regularly test your configuration to ensure proper failover between AWS Direct Connect locations.

A complete guide to configuring your connections for High Availability can be found here: https://aws.amazon.com/directconnect/resiliency-recommendation/

Step 5/6: Configure the Z-Side (AWS) BGP Peering

Before you begin, the following parameters are required:

  • A new, unused VLAN tag that you select.

  • A public or private BGP ASN. If you are using a public ASN, you must own it. If you are using a private ASN, it must be in the 65000 range.

  • The network prefixes to advertise. Any advertised prefix must include only your ASN in the BGP AS-PATH.

  • The virtual private gateway to connect to. For more information about creating a virtual private gateway, see adding a hardware virtual private gateway to your VPC in the Amazon VPC User Guide.

https://docs.aws.amazon.com/directconnect/latest/UserGuide/create-vif.html

Under Define Your New Private Virtual Interface, do the following:

  1. In the Interface Name field, enter a name for the virtual interface.

  2. In Interface Owner, select the My AWS Account option if the virtual interface is for your AWS account ID.

  3. In the VGW list, select the virtual gateway to connect to.

  4. The VLAN # field will already be filled in and grayed out.

  5. To have AWS generate your router IP address and Amazon IP address, select Auto-generate peer IPs.

  6. To specify these IP addresses yourself, clear the Auto-generate peer IPs check box, and then in the Your router peer IP field, enter the destination IPv4Version 4 of the IP protocol providing 32-bit addresses. For standards reference, please see http://www.ietf.org/ rfc/rfc791.txt CIDR address that Amazon should send traffic to. In the Amazon router peer IP field, enter the IPv4 CIDR address you will use to send traffic to Amazon Web Services.

  7. In the BGP ASN field, enter the Border Gateway Protocol (BGP) Autonomous System Number (ASN) of your gateway; for example, a number between 1 and 65534.

  8. Select Auto-generate BGP key check box to have AWS generate one.

  9. To provide your own BGP key, clear the Auto-generate BGP key check box, and then in the BGP Authorization KeyThe authorization key typically contains alpha-numeric characters and is a unique identifier authorizing Equinix to provision a connection towards the CSPNote: To Equinix, authorization key is a generic term and is NOT encrypted on ECX. CSPs might use a different name to refer to the same key. For example: Azure ExpressRoute calls the authorization key the “service key” while AWS calls it the “account ID” field, enter your BGP MD5 key.

Note: Public VIF’s are also supported on ECX Fabric


http://docs.aws.amazon.com/directconnect/latest/UserGuide/getstarted_sub1g_provider.html

View the Router (BGP) Configuration

In the Virtual Interfaces pane, select a virtual interface, click the arrow to show more details,

Step 6/6: Configure A-Side BGP Peering

Varies depending on vendor of customer device (Cisco, Juniper, etc...)

  1. Configure physical port with appropriate protocols/tagging

  2. Configure logical ports (sub-interfaces) with appropriate IP addresses and VLAN tags

  3. Configure BGP peering

AWS provided Cisco and Juniper Config examples:

JunOS Example

Configure physical port with appropriate protocols/tagging

Configure logical ports (sub-interfaces) with appropriate IP addresses and VLAN tags

Configure BGP Peering

How are we doing?