AWS Direct Connect links your internal network to an AWS Direct Connect location over a standard Ethernet fiber-optic cable. One end of the cable is connected to your router, the other to an AWS Direct Connect router. With this connection, you can create virtual interfaces directly to public AWS services (for example, to Amazon S3) or to Amazon VPC, bypassing internet service providers in your network path. An AWS Direct Connect location provides access to AWS in the Region with which it is associated. You can use a single connection in a public Region or AWS GovCloud (US) to access public AWS services in all other public Regions.

AWS Direct Connect makes it easy to establish a dedicated connection from an on-premises network to Amazon VPC.
Using AWS Direct Connect, you can establish private connectivity between AWS and your data center, office, or colocation environment.
This private connection can reduce network costs, increase bandwidth throughput, and provide a more consistent network experience than internet-based connections.
AWS Direct Connect lets you establish 1 Gbps, 10 Gbps, or 100 Gbps dedicated network connections (or multiple connections) between AWS networks and one of the AWS Direct Connect locations.
It uses industry standard VLANs to access Amazon Elastic Compute Cloud (Amazon EC2) instances running within an Amazon VPC using private IP addresses.
AWS Direct Connect does not encrypt your traffic in transit; the dedicated fiber is private but not confidential by itself.
Where confidentiality is required, rely on the encryption offered by the services that traverse the connection (TLS to service endpoints, or an IPsec VPN run over the connection).

AWS Direct Connect components

The following are the key components that you use for AWS Direct Connect:
Connections: Create a connection in an AWS Direct Connect location to establish a network connection from your premises to an AWS Region.
Virtual interfaces: Create a virtual interface to enable access to AWS services.
A public virtual interface enables access to public services, such as Amazon S3.
A private virtual interface enables access to your VPC.

Overview
Definition: AWS Direct Connect is a network service providing a dedicated connection from a customer's on-premises site to AWS.
Data Transmission: Through a private network connection between AWS and a customer’s datacenter or corporate network.
Benefits
Cost Reduction: Lower cost for large volumes of traffic.
Reliability: Predictable performance.
Bandwidth: Predictable bandwidth.
Latency: Decreased latency.
Configuration and Interfaces
Virtual Interfaces (VIFs):
Public VIFs: Access to public AWS services (e.g., S3, EC2, DynamoDB).
Private VIFs: Access to VPC resources.
IP Addresses: Public IPs for public VIFs, private IPs for private VIFs.
Technical Details
Layer Support: Only Layer 3 (no Layer 2).
Region Connection: Connects to all AZs within the region.
Inter-Region Connections: A Direct Connect gateway lets a private VIF reach VPCs in other Regions; alternatively, run IPsec VPN over a public VIF to remote Regions.
Route Propagation: Sends customer routes to the VPC.
Routing: A route table can hold only one 0.0.0.0/0 entry, so a default route via Direct Connect cannot coexist with another default route in the same table.
Port Aggregation: Multiple ports can be bound for higher bandwidth.
Virtual Interfaces: Configured for either AWS public services or private services.
Charges: By port hours and data transfer.
Bandwidth and Speeds
Port Speeds: Available in 1 Gbps, 10 Gbps, and 100 Gbps (limited regions).
Additional Speeds: Hosted connections of 50 Mbps to 500 Mbps (and 1, 2, 5, and 10 Gbps) through AWS Direct Connect Partners (APN Partners).
VLANs: Uses 802.1q VLANs.
Connection Details
Dedicated Connection: Between customer router and Amazon router.
High Availability (HA): Requires 2x Direct Connect connections (active/active or active/standby).
Route Tables: Must be updated to point to Direct Connect.
VPN Backup: A Site-to-Site VPN over the internet can back up Direct Connect without any customer-side BGP priority: for the same prefix, AWS prefers routes learned over Direct Connect to routes learned over VPN, so the VPN path carries traffic only once the Direct Connect route is withdrawn. Caveat: longest prefix match is applied first, so a more specific prefix advertised only over the VPN will pull traffic onto the VPN even while Direct Connect is healthy.
BFD: Recommended on the BGP sessions (AWS defaults: 300 ms detection interval, multiplier 3) so a dead path is detected in about a second instead of waiting for the BGP hold timer (90 s by default).
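The failover behaviour in the items above depends on how AWS ranks routes for the same destination, not on a BGP priority you configure. The Python simulation below is an added example (not AWS code and not part of the original notes): it applies the documented order (longest prefix match, then static before Direct Connect BGP before VPN static before VPN BGP, then shortest AS path) to a constructed route table, withdraws the Direct Connect route the way BFD would, and also shows the more-specific-prefix trap. Route names, targets and prefixes are constructed for illustration.

```python
"""Simulate how AWS chooses between a Direct Connect private VIF and a
Site-to-Site VPN for the same on-premises prefix.

Added example, not AWS code. The routes below are constructed for
illustration; the ranking mirrors the route-priority order documented
for VPC route tables.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, replace

# Rank applied among routes to the *same* prefix after longest-prefix match
# (lower wins). This is why a VPN over the internet becomes the backup path
# without any customer-side BGP tuning.
SOURCE_RANK = {
    "static": 0,      # route you added manually to the VPC route table
    "dx_bgp": 1,      # BGP route propagated from a Direct Connect VIF
    "vpn_static": 2,  # static route of a Site-to-Site VPN connection
    "vpn_bgp": 3,     # BGP route propagated from a Site-to-Site VPN
}


@dataclass(frozen=True)
class Route:
    prefix: str
    source: str           # key into SOURCE_RANK
    target: str           # where packets go, e.g. "dx:vif-1" or "vpn:tun-1"
    as_path_len: int = 0  # tie-breaker between VPN BGP routes only
    up: bool = True       # False once BFD/BGP has declared the peer down


def select_route(dest: str, routes: list[Route]) -> Route | None:
    """Return the route AWS would pick for `dest`, or None if nothing matches."""
    addr = ipaddress.ip_address(dest)
    live = [r for r in routes if r.up and addr in ipaddress.ip_network(r.prefix)]
    if not live:
        return None
    return min(
        live,
        key=lambda r: (
            -ipaddress.ip_network(r.prefix).prefixlen,  # 1. longest prefix
            SOURCE_RANK[r.source],                      # 2. DX before VPN
            r.as_path_len,                              # 3. shortest AS path
        ),
    )


def withdraw(routes: list[Route], target: str) -> list[Route]:
    """Model BFD (or the BGP hold timer) declaring `target` dead: its routes
    are withdrawn from the table."""
    return [replace(r, up=False) if r.target == target else r for r in routes]


# Constructed route table: the VPC CIDR, the corporate /16 learned over both
# the DX VIF and two VPN tunnels, and one /24 that is (mistakenly) advertised
# only over the VPN.
CONSTRUCTED_ROUTES = [
    Route("10.0.0.0/16", "static", "local"),
    Route("192.168.0.0/16", "dx_bgp", "dx:vif-1"),
    Route("192.168.0.0/16", "vpn_bgp", "vpn:tun-1", as_path_len=2),
    Route("192.168.0.0/16", "vpn_bgp", "vpn:tun-2", as_path_len=3),
    Route("192.168.50.0/24", "vpn_bgp", "vpn:tun-1", as_path_len=2),
]


def active_path(dest: str, routes: list[Route] = CONSTRUCTED_ROUTES) -> str | None:
    """Convenience wrapper returning only the chosen target."""
    r = select_route(dest, routes)
    return r.target if r else None


if __name__ == "__main__":
    print("steady state 192.168.1.10 ->", active_path("192.168.1.10"))  # dx:vif-1
    print("more-specific 192.168.50.5 ->", active_path("192.168.50.5"))  # vpn:tun-1
    failed = withdraw(CONSTRUCTED_ROUTES, "dx:vif-1")
    print("after DX failure 192.168.1.10 ->", active_path("192.168.1.10", failed))  # vpn:tun-1
```

Run it and note the second line: the /24 that only the VPN advertises is reached over the VPN even with Direct Connect up, which is the reason to advertise identical prefixes over both paths when the VPN is meant purely as a backup.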
Limitations and Capabilities
VLANs: Cannot extend on-premises VLANs into AWS cloud.
Link Aggregation Groups (LAG): Up to 4 Direct Connect ports of the same speed at the same location can be aggregated into one logical connection.
IP Support: Supports IPv4 and dual stack (IPv4/IPv6) on public and private VIFs.
Requirements for Connecting VIFs
ASN: Public or private ASN required (a public ASN must be one you own; private ASNs are 64512-65534 or 4200000000-4294967294).
VLAN Tag: New, unused VLAN tag.
Private Connection: VPC Virtual Private Gateway (VGW) ID, or a Direct Connect gateway ID.
Public Connection: Public IPv4 addresses for the BGP session (a /30 you own, or a /31 assigned by AWS on request), plus the public prefixes you will advertise.
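Before submitting a VIF request it is worth checking the requirements listed above programmatically. The Python validator below is an added example (not AWS's own validation and not from the original notes). The request dictionaries, the set of VLAN tags already in use, the set of owned ASNs and the gateway IDs are constructed; the 203.0.113.0/24 addresses are documentation-range placeholders standing in for public address space, so the public-address check only rejects RFC 1918, link-local and CGNAT ranges rather than demanding globally routable addresses.

```python
"""Pre-flight checks for a Direct Connect virtual interface request.

Added example, not AWS's own validation. Connection state, ASN sets,
gateway IDs and addresses are constructed; 203.0.113.0/24 is a
documentation range used here as a stand-in for public address space.
"""
import ipaddress
import re

# RFC 6996 private ASN ranges; anything else is a public ASN you must own.
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))

# Ranges that can never be used for a public VIF peering (RFC 1918,
# link-local, CGNAT). Documentation ranges are deliberately not listed so
# the constructed sample addresses pass.
NOT_PUBLIC = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "169.254.0.0/16", "100.64.0.0/10")
]

VGW_ID = re.compile(r"vgw-[0-9a-f]{8,17}")
DXGW_ID = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")


def is_private_asn(asn: int) -> bool:
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def validate_vif(request: dict, vlans_in_use: set, owned_public_asns: set) -> list:
    """Return the list of problems with `request`; an empty list means acceptable."""
    problems = []
    vif_type = request.get("type")
    if vif_type not in ("private", "public"):
        return [f"unknown VIF type {vif_type!r}"]

    # 802.1q tag, and not already bound to another VIF on this connection.
    vlan = request.get("vlan")
    if not isinstance(vlan, int) or not 1 <= vlan <= 4094:
        problems.append("vlan must be an integer in 1..4094")
    elif vlan in vlans_in_use:
        problems.append(f"vlan {vlan} is already used on this connection")

    # Private ASNs are self-assigned; a public ASN must be one you own.
    asn = request.get("asn")
    if not isinstance(asn, int) or not 1 <= asn <= 4294967294:
        problems.append("asn must be an integer in 1..4294967294")
    elif not is_private_asn(asn) and asn not in owned_public_asns:
        problems.append(f"asn {asn} is public and not owned by you")

    if vif_type == "private":
        gw = str(request.get("gateway_id", ""))
        if not (VGW_ID.fullmatch(gw) or DXGW_ID.fullmatch(gw)):
            problems.append("private VIF needs a virtual private gateway or Direct Connect gateway ID")
        return problems

    # Public VIF: both BGP peers in one public /30 (or /31), each on a usable host.
    try:
        cust = ipaddress.ip_interface(request.get("customer_address", ""))
        amzn = ipaddress.ip_interface(request.get("amazon_address", ""))
    except ValueError:
        problems.append("customer_address and amazon_address must be IPv4 CIDRs such as 203.0.113.1/30")
        return problems
    if cust.network.prefixlen not in (30, 31) or cust.network != amzn.network:
        problems.append("peering addresses must share a single /30 or /31")
    elif cust.ip == amzn.ip or any(ip not in list(cust.network.hosts()) for ip in (cust.ip, amzn.ip)):
        problems.append("each peer needs its own usable host address in the peering subnet")
    if any(ip in net for ip in (cust.ip, amzn.ip) for net in NOT_PUBLIC):
        problems.append("public VIF peering addresses must not be private, link-local or CGNAT space")
    return problems


if __name__ == "__main__":
    # Constructed requests: one good private VIF, one public VIF whose peers
    # sit in different /30s (a classic copy-paste mistake).
    print(validate_vif({"type": "private", "vlan": 101, "asn": 65000,
                        "gateway_id": "vgw-0a1b2c3d4e5f67890"}, {100}, set()))
    print(validate_vif({"type": "public", "vlan": 102, "asn": 64512,
                        "customer_address": "203.0.113.1/30",
                        "amazon_address": "203.0.113.5/30"}, {100, 101}, set()))
```

The ASN check is the one most often missed: 65535 is not usable as a private ASN, and a "public" number such as 64496 is rejected unless it appears in the owned set, which is exactly what AWS will ask you to prove.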
Encryption
Direct Connect Encryption: Not provided by default. MACsec (IEEE 802.1AE) link-layer encryption is available on some 10 Gbps and 100 Gbps dedicated connections at supporting locations; hosted connections and other ports carry traffic in the clear.
VPN Over Direct Connect: Terminate an IPsec Site-to-Site VPN over a public VIF to get end-to-end encryption between your network and the VPC.
VPN Consistency: The private path gives more consistent latency and throughput than a VPN over the internet, and you control the IPsec algorithms, but throughput is bounded by the VPN tunnel (about 1.25 Gbps per tunnel for AWS Site-to-Site VPN) rather than by the Direct Connect port.

Exam Tips:
The most resilient solution is to configure DX connections at multiple DX locations. This ensures that any issues impacting a single DX location do not affect availability of the network connectivity to AWS.
Take note of the following AWS recommendations for resiliency:
AWS recommends connecting from multiple data centers for physical location redundancy. When designing remote connections, consider using redundant hardware and telecommunications providers. Additionally, it is a best practice to use dynamically routed, active/active connections for automatic load balancing and failover across redundant network connections. Provision sufficient network capacity to ensure that the failure of one network connection does not overwhelm and degrade redundant connections.
The diagram below is an example of an architecture that offers high resiliency:
[diagram not reproduced in this copy]

