Many enterprises on their journey into the cloud require consistent and highly secure connectivity between their existing data center and AWS footprints. In this session, we walk through the different architecture options for establishing this connectivity using AWS Direct Connect and VPN. With each option, we evaluate the considerations and discuss risk, performance, encryption, and cost. As we walk through these options, we try to answer some of the most common questions that typically arise from enterprises that tackle design and implementation. You'll learn how to make connectivity decisions that are suitable for your workloads, and how to best prepare against business impact in the event of failure.

1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Benjamin Feldon, Solutions Architect, AWS
Sidhartha Chauhan, Solutions Architect, AWS
November 30, 2016
Extending Data Centers to the Cloud
Connectivity Options and Considerations for Hybrid
Environments
NET305

2. Hybrid environments
Intro to VPN & AWS Direct Connect
Connectivity architectures
What are we connecting to?
What to expect from this session

3. What are the options for connecting into AWS?
What is appropriate for my workloads?
How can I start small and grow with time?
What is the meaning of life? (optional)
Key takeaways

4. Connecting to AWS
Hybrid environments

5. Hybrid connectivity
CORP

6. Hybrid connectivity – split architecture
CORP
Web App DB

7. Hybrid connectivity - data streams / replication
CORP
DB
DB
DB
DB

8. Hybrid connectivity – storage / backup / archive
CORP
S3
DB
App
Archive

9. Hybrid connectivity – virtual desktops
CORP
Amazon
WorkSpaces
DB
App

10. Hybrid connectivity – disaster recovery
CORP
DB
App
App

11. Hybrid connectivity
CORP

12. Intro to VPN
• VPC != VPN
• IPsec authentication & encryption
• AWS options
• AWS Managed VPN
• Software VPN (EC2)

13. Intro to AWS Direct Connect (DX)
• Offered since 2011
• Private connection, separate from Internet
• Consistent network experience
• Connect through one of 40 locations
• Each connection connects into 1 AWS Region
• Multiple options for each AWS Region

14. Oregon
N. California
AWS Direct Connect (DX) in the United States
SuperNAP
Equinix SE
CoreSite LA
N. Virginia
CoreSite NY
Equinix DC
CoreSite SV
OhioEquinix CH
QTS Chicago
Equinix DA
CoreSite VA
Equinix LA
Equinix SV
TierPoint
EdgeConneX
Pittock Block

15. Frankfurt
AWS Direct Connect (DX) in Europe and Asia Pacific
Digital RealtyEircom Interxion Frankfurt
Sydney
Ireland
Tokyo
Singapore
Equinix OS
Beijing
Equinix TY
Equinix FR
Equinix SY
Global Switch
Equinix SG
CIDS
Sinnet
Eqinix LDInterxion
Interxion Madrid
Interxion Stockholm
Equinix AM
Global Switch
Mumbai
GPXSify Rabale
Seoul
KINX
Telehouse

16. Connectivity architectures

17. Connectivity architectures
CORP

18. Connectivity architectures
CORP

19. Connectivity architectures
CORP
VPC
VPC
VPC

20. VPC
VPC
VPC
Connectivity architectures
CORP
Internet

21. Connectivity architectures
VPN

22. VPC
VPC
VPC
AWS managed VPN
CORP
Internet

23. VPC
VPC
VPC
AWS managed VPN
CORP
Internet
Customer
Gateway
Virtual Private
Gateway

24. VPC
VPC
VPC
AWS managed VPN
CORP
Internet
Customer
Gateway
VGW

25. VPC
VPC
VPC
AWS managed VPN
CORP
Internet
VGW
CGW

26. VPC
VPC
VPC
AWS managed VPN
CORP
Internet
VGW
CGW
• AES-256
• SHA-2
• Phase 1 DH groups - 2, 14-18, 22, 23, and 24.
• Phase 2 DH groups - 1, 2, 5, 14-18, 22, 23, and
24.
• NAT-T

27. VPC
VPC
VPC
AWS managed VPN
CORP
Internet
VGW
CGW

28. VPC
VPC
VPC
AWS managed VPN
CORP
Internet
VGW
CGW
23.22.66.xx
50.16.172.yy

29. VPC
VPC
VPC
AWS managed VPN
CORP
Internet
VGW
CGW
23.22.66.xx
50.16.172.yy

30. VPC
VPC
VPC
AWS managed VPN
CORP
Internet
VGW
CGW
23.22.66.xx
50.16.172.yy

31. VPC
VPC
VPC
AWS managed VPN
CORP
Internet
VGW
CGW
1 VPN Connection = 2 VPN tunnels
23.22.66.xx
50.16.172.yy

32. VPC
VPC
VPC
AWS managed VPN, 2 X CGW
CORP
Internet
VGW
CGW

33. VPC
VPC
VPC
AWS managed VPN, 2 X CGW
CORP
Internet
VGW
CGW
CGW

34. VPC
VPC
VPC
AWS managed VPN, 2 X CGW
CORP
Internet
VGW
CGW
CGW

35. VPC
VPC
VPC
AWS managed VPN, 2 X CGW
CORP
Internet
VGW
CGW
CGW

36. VPC
VPC
VPC
AWS managed VPN, 2 X CGW
CORP
Internet
VGW
CGW
CGW
2 VPN Connections = 4 VPN tunnels

37. VPC
VPC
VPC
AWS managed VPN, 2 X CGW
CORP
Internet
VGW
CGW
CGW

38. VPC
VPC
VPC
AWS managed VPN, 2 X CGW
CORP
Internet
VGW
CGW
CGW

39. VPC
VPC
VPC
AWS managed VPN, 2 X CGW
CORP
Internet
VGW
CGW
CGW

40. VPC
VPC
VPC
AWS managed VPN, 2 X CGW
CORP
Internet
VGW
CGW
CGW

41. VPC
VPC
VPC
AWS managed VPN, 2 X CGW
CORP
Internet
VGW
CGW
CGW

42. VPC
VPC
VPC
AWS managed VPN, multiple VPCs
CORP
Internet
VGW
CGW
CGW
VGW

43. VPC
VPC
VPC
AWS managed VPN, multiple VPCs
CORP
Internet
VGW
CGW
CGW
VGW

44. VPC
VPC
VPC
AWS managed VPN, multiple VPCs
CORP
Internet
VGW
CGW
CGW
VGW
2 VPCs X 2 CGWs = 8 VPN tunnels

45. VPC
VPC
VPC
AWS managed VPN, multiple VPCs
CORP
Internet
VGW
CGW
CGW
VGW
2 VPCs X 2 CGWs = 8 VPN tunnels

46. AWS managed VPN
Cost
Performance
Flexibility
Resiliency
• Easy install, minutes to setup
• NAT-T, AES-256, SHA-2 and latest
DH groups
• Static (1 prefix) or BGP (<100
prefixes)
• Repeat for every VPC
• $0.05 per VPN connection hour
• Data transfer
• Leverage both VGW endpoints (2
tunnels per VPC)
• Think about CGW redundancy (4
tunnels per VPC)
• Multi Gbps can be achieved per
VPC (limited at VGW)

47. VPC
VPC
VPC
Software VPN (EC2)
CORP
Internet

48. VPC
VPC
Software VPN (EC2)
CORP
Internet

49. VPC
VPC
Software VPN (EC2)
CORP
Internet

50. VPC
VPC
Software VPN (EC2)
CORP
Internet

51. VPC
VPC
Software VPN (EC2)
CORP
Internet

52. VPC
VPC
Software VPN (EC2)
CORP
Internet

53. London DX
Seattle DX
Branch
Remote
workforce
Global HQ
Regional HQ
us-west-2 region
Transit VPCVPC
VPC
eu-west-1 region
Transit VPC VPC
VPC
ap-northeast-1
region
Transit VPC VPC
VPC
VPN
VPN
Transit VPC Global VPN
backbone
https://aws.amazon.com/answers/networking/transit-vpc/

54. Software VPN (EC2)
Cost
Performance
Flexibility
Resiliency
• Any open-source or commercial vendor
• Opens up proprietary feature sets
• Customer responsible for HA and scaling
• Advanced solutions can be built using
automation
• Vendor licensing
• EC2 hourly cost
• High availability cost
• Data transfer
• VPC endpoint HA achieved by
additional EC2 instance in 2nd AZ
• Customer-side HA also recommended
• Defined by EC2 instance size & type
• Multi Gbps can be achieved per
VPN instance (for all tunnels)
• Multiple instances for the same VPC
are possible

55. Connectivity architectures
AWS Direct Connect (DX)

56. Direct Connect
CORP
Internet
VPC
VPC
VPC

57. Direct Connect
CORP
Internet
DX Location
VPC
VPC
VPC

58. Direct Connect
CORP
Internet
AWS Direct
Connect
Routers
DX Location
VPC
VPC
VPC

59. Direct Connect – physical connectivity

60. Direct Connect – physical connectivity
1) Customer presence in the same DX location

61. Direct Connect – physical connectivity
1) Customer presence in the same DX location
2) Circuit between customer data center and DX location

62. Direct Connect – physical connectivity
1) Customer presence in the same DX location
2) Circuit between customer data center and DX location
3) Service provider network extending to DX location

63. 1) Customer router in colo
CORP
Internet
AWS Direct
Connect
Routers
Customer
Router
Colocation
DX Location
`
VPC
VPC
VPC

64. AWS Direct Connect
Letter of Authorization and Connecting Facility Assignment
Please consider this letter as notification for connecting facility assignment for the purpose of
establishing or augmenting connectivity between the parties identified above. This document authorizes
a connection to the ports indicated above. All charges for the physical connection are the sole
responsibility of company.
For location specific information on requesting a cross-connect, visit the "Requesting Cross-Connects"
section of the user guide:
http://docs.aws.amazon.com/DirectConnect/latest/UserGuide/Colocation.html
The requester(s) use of AWS services will be governed by the terms of the AWS Customer Agreement
(available at http://aws.amazon.com/agreement), or a separate agreement between the requester(s)
and AWS.
EXPIRATION NOTICE The authorized connectivity must be completed within 90 days of this LOA-CFA's
issue date or this LOA-CFA will expire.
* Amazon Corporate LLC is a subsidiary of Amazon.com, Inc.
Issue Date .
Oct 13, 2016
Issued By* .
Amazon Web Services Spain S.L.
Facility - Meet Me Room .
Interxion MAD2 – MAD2.211
Customer Demarcation/ZSide .
Rack: R77B1.R99B09
Patch Panel: PP2:SOUTH
Strands: 40818
Requested By .
Company requesting name
Issued To .
Interxion, Madrid, ESP
Connection ID ..
MAD50_Test
Optic and Connector Types ..
1000BASE-LX Single Mode Fiber (SMF)
Lucent Connector (LC)
Letter of Authorization
and Connecting
Facility Assignment

65. 1) Customer router in colo
CORP
Internet
AWS Direct
Connect
Routers
Customer
Router
Colocation
DX Location
`
VPC
VPC
VPC

66. 2) Partner-built circuit
CORP
Internet
AWS Direct
Connect
Routers
DX Location
VPC
VPC
VPC

67. APN Partners supporting AWS Direct Connect
https://aws.amazon.com/directconnect/partners/

68. 2) Partner-built circuit
CORP
Internet
AWS Direct
Connect
Routers
DX Location
VPC
VPC
VPC

69. 3) Service provider network
CORP
Internet
AWS Direct
Connect
Routers
DX Location
VPC
VPC
VPC

70. 3) Service provider network
CORP
Internet
AWS Direct
Connect
Routers
DX Location
Service Provider
Network
VPC
VPC
VPC

71. 3) Service provider network
CORP
Internet
AWS Direct
Connect
Routers
DX Location
Service Provider
Network
VPC
VPC
VPC

72. DX physical connectivity considerations
AWS account that owns the DX port?
Adding/removing virtual interfaces?
Routing ownership?
End-to-end costs?

73. Direct Connect – physical connectivity
1) Customer presence in the same DX location
2) Circuit between customer data center and DX location
3) Service provider network extending to DX location

74. Direct Connect – physical connectivity
1) Customer presence in the same DX location
2) Circuit between customer data center and DX location
3) Service provider network extending to DX location
Customer’s AWS account, interface control, routing. Cost: port + data transfer

75. Direct Connect – physical connectivity
1) Customer presence in the same DX location
2) Circuit between customer data center and DX location
3) Service provider network extending to DX location
Customer’s AWS account, interface control, routing. Cost: port + data transfer
Same as #1; add circuit cost. Sub 1-Gig can create only 1 virtual interface

76. Direct Connect – physical connectivity
1) Customer presence in the same DX location
2) Circuit between customer data center and DX location
3) Service provider network extending to DX location
Customer’s AWS account, interface control, routing. Cost: port + data transfer
Same as #1; add circuit cost. Sub 1-Gig can create only 1 virtual interface
Depends on provider’s offering

77. Direct Connect – physical connectivity
1) Customer presence in the same DX location
2) Circuit between customer data center and DX location
3) Service provider network extending to DX location
Customer’s AWS account, interface control, routing. Cost: port + data transfer
Same as #1; add circuit cost. Sub 1-Gig can create only 1 virtual interface
Depends on provider’s offering

78. Direct Connect cost considerations
Port hour + data transfer
Data in $0; data out differs by region
Factor in circuit costs
Calculate data center Internet costs (VPN)

79. Connectivity architectures
Direct Connect – resiliency

80. Direct Connect
CORP
Internet
AWS Direct
Connect
Routers
Customer
Router
Colocation
DX Location
`
VPC
VPC
VPC

81. Direct Connect
CORP
Internet
AWS Direct
Connect
Routers
Customer
Router
Colocation
DX Location
`
VPC
VPC
VPC

82. Direct Connect + VPN
CORP
Internet
AWS Direct
Connect
Routers
Customer
Router
Colocation
DX Location
`
VPC
VPC
VPC

83. 2 X DX ports
CORP
Internet
Customer
Router
Colocation
DX Location
`
AWS Direct
Connect
Routers
VPC
VPC
VPC

84. Internet
2 X DX ports, 2 X customer routers
CORP
Colocation
DX Location
`
AWS Direct
Connect
Routers
Customer
Routers
`
VPC
VPC
VPC

85. 2 X DX ports, 2 X circuits
CORP
Internet
DX Location
AWS Direct
Connect
Routers
VPC
VPC
VPC

86. CORP
Internet
DX Location
AWS Direct
Connect
Routers
2 X DX ports, 2 X circuits into 2 data centers
VPC
VPC
VPC

87. 2 X DX, active/active
CORP
Internet
DX Location
AWS Direct
Connect
Routers
10 Gbps active
10 Gbps active
20 Gbps
VPC
VPC
VPC

88. 2 X DX, active/standby
CORP
Internet
DX Location
AWS Direct
Connect
Routers
10 Gbps standby
10 Gbps
10 Gbps active
VPC
VPC
VPC

89. 2 X DX, active/active
CORP
Internet
DX Location
AWS Direct
Connect
Routers
10Gbps Active
10 Gbps active
10 Gbps
VPC
VPC
VPC

90. Facility failure
CORP
Internet
DX Location
AWS Direct
Connect
Routers
VPC
VPC
VPC

91. 2 X DX, 2 X DX locations
CORP
Internet
Customer
Routers
Colocation
DX Location 1
`
Customer
Routers
Colocation
DX Location 2
`
AWS Direct
Connect Routers
AWS Direct
Connect Routers
VPC
VPC
VPC

92. 2 X DX, 2 X DX locations
CORP
Internet
Customer
Routers
Colocation
DX Location 1
`
Customer
Routers
Colocation
DX Location 2
`
AWS Direct
Connect Routers
AWS Direct
Connect Routers
VPC
VPC
VPC

93. VPN backup
CORP
Internet
Customer
Routers
Colocation
DX Location 1
`
Customer
Routers
Colocation
DX Location 2
`
AWS Direct
Connect Routers
AWS Direct
Connect Routers
VPC
VPC
VPC

94. Direct Connect (DX)
Cost
Performance
Flexibility
Resiliency
• 14 AWS regions, 40 POPs worldwide
• LOA provided within up to 72 hours
• Lead time of circuit build-out could take
weeks
• Port hours
• Data out transfer
• Service provider circuit / MPLS
• Colo cage (if applicable)
2 x DX in 2 locations + VPN
2 x DX in 2 separate locations
2 x DX in 1 DX location
DX + VPN
DX
• 1 Gbps or 10 Gbps ports
• 100, 200, 300, 400 or 500 Mbps
ports available through partners
• Equal-cost multipath via BGP means
2x10 G = 20 Gbps

95. Adapting the architecture
• Start with 1 AWS managed VPN
• Use VPN while DX is being built out
• Port hour charges begin when DX is up or 90 days
• DX is favored over VPN when both exist
• Add additional DX ports for resiliency / bandwidth
• Plan for failure, including facility failure
• Control traffic flow both ways using BGP and routing
• Raise support cases with AWS with any questions

96. Connectivity architectures
What are we connecting to?

97. Internet
CORP
AWS Direct
Connect
Routers
Customer
Router
Colocation
DX Location
`
VPC
VPC
VPC

98. Multiple VPCs
AWS Direct
Connect
Routers
DX Location
VPC
VPC
VPC
Customer
Router

99. Multiple VPCs
AWS Direct
Connect
Routers
DX Location
VPC
VPC
VPC
Customer
Router
Prod
Test
Dev

100. Multiple VPCs
AWS Direct
Connect
Routers
DX Location
VPC
VPC
VPC
Customer
Router
Prod
Test
Dev
VPC
VPC
VPC
Non-ProdProd

101. Multiple VPCs – VPC Peering
AWS Direct
Connect
Routers
DX Location
VPC
VPC
VPC
Customer
Router
Prod
Test
Dev
VPC
VPC
VPC
Non-ProdProd
VPC Peering

102. Multiple VPCs – VPC Peering
AWS Direct
Connect
Routers
DX Location
VPC
VPC
VPC
Customer
Router
Prod
Test
Dev
VPC
VPC
VPC
Non-ProdProd
VPC Peering

103. Multiple VPCs – VPC Peering
AWS Direct
Connect
Routers
DX Location
VPC
VPC
VPC
Customer
Router
Prod
Test
Dev
VPC
VPC
VPC
Non-ProdProd
VPC Peering

104. Connecting to VPC over DX
AWS Direct
Connect
Routers
DX Location
VPC
VPC
VPC
Customer
Router
Prod
Test
Dev
VPC
VPC
VPC
Non-ProdProd

105. Private virtual interface
AWS Direct
Connect
Routers
DX Location
VPC
VPC
VPC
Customer
Router
Prod
Test
Dev
VPC
VPC
VPC
Non-ProdProd

106. Private virtual interface
AWS Direct
Connect
Routers
DX Location
VPC
VPC
VPC
Customer
Router
Prod
Test
Dev
VPC
VPC
VPC
Non-ProdProd
VLAN
400

107. Private virtual interface
AWS Direct
Connect
Routers
DX Location
VPC
VPC
VPC
Customer
Router
Prod
Test
Dev
VPC
VPC
VPC
Non-ProdProd
VLAN
400
BGP
BGP

108. Private virtual interface
AWS Direct
Connect
Routers
DX Location
VPC
VPC
VPC
Customer
Router
Prod
Test
Dev
VPC
VPC
VPC
Non-ProdProd
VLAN
500
VLAN
400

109. Private virtual interface
AWS Direct
Connect
Routers
DX Location
VPC
VPC
VPC
Customer
Router
Prod
Test
Dev
VPC
VPC
VPC
Non-ProdProd
VLAN
500
VLAN
400
VLAN
600

110. Private virtual interface
AWS Direct
Connect
Routers
DX Location
VPC
VPC
VPC
Customer
Router
Prod
Test
Dev
VPC
VPC
VPC
Non-ProdProd
BGP
BGP
BGP
BGP
BGP

111. Access to VPC resources
AWS Direct
Connect
Routers
DX Location
VPC
VPC
VPC
Customer
Router
Prod
Test
Dev
VPC
VPC
VPC
Non-ProdProd

112. Access to VPC resources
AWS Direct
Connect
Routers
DX Location
VPC
VPC
VPC
Customer
Router
Prod
Test
Dev
VPC
VPC
VPC
Non-ProdProd

113. Access to VPC resources
AWS Direct
Connect
Routers
DX Location
VPC
VPC
VPC
Customer
Router
Prod
Test
Dev
VPC
VPC
VPC
Non-ProdProd
VPC Peering

114. Access to VPC resources
AWS Direct
Connect
Routers
DX Location
VPC
VPC
VPC
Customer
Router
Prod
Test
Dev
VPC
VPC
VPC
Non-ProdProd
VPC Peering

115. Access to VPC resources
AWS Direct
Connect
Routers
DX Location
VPC
VPC
VPC
Customer
Router
Prod
Test
Dev
VPC
VPC
VPC
Non-ProdProd
VPC Peering

116. Hairpinning
AWS Direct
Connect
Routers
DX Location
VPC
VPC
VPC
Customer
Router
Prod
Test
Dev
VPC
VPC
VPC
Non-ProdProd

117. Hairpinning
AWS Direct
Connect
Routers
DX Location
VPC
VPC
VPC
Customer
Router
Prod
Test
Dev
VPC
VPC
VPC
Non-ProdProd

118. Access to S3 using VPC Endpoints
AWS Direct
Connect
Routers
DX Location
VPC
VPC
VPC
Customer
Router
VPC
VPC
VPC
Non-ProdProd
VPC Endpoints

119. Access to S3 using VPC Endpoints
AWS Direct
Connect
Routers
DX Location
VPC
VPC
VPC
Customer
Router
VPC
VPC
VPC
Non-ProdProd
VPC Endpoints

120. Access to S3 using VPC Endpoints
AWS Direct
Connect
Routers
DX Location
VPC
VPC
VPC
Customer
Router
VPC
VPC
VPC
Non-ProdProd
VPC Endpoints

121. Public Virtual Interface
AWS Direct
Connect
Routers
DX Location
VPC
VPC
VPC
Customer
Router
VPC
VPC
VPC

122. Public Virtual Interface
AWS Direct
Connect
Routers
DX Location
VPC
VPC
VPC
Customer
Router
VPC
VPC
VPC
VLAN
800
BGP
BGP

123. Public Virtual Interface – Filtering prefixes
AWS Direct
Connect
Routers
DX Location
VPC
VPC
VPC
Customer
Router
VPC
VPC
VPC
VLAN
800
BGP
BGP
PROMPT> ec2-describe-prefix-lists
PREFIXLIST pl-12345678 com.amazonaws.us-east-1.s3
CIDR 54.123.456.7/19

124. Public Virtual Interface
AWS Direct
Connect
Routers
DX Location
VPC
VPC
VPC
Customer
Router
VPC
VPC
VPC
VLAN
800
BGP
BGP

125. Public Virtual Interface + VPN
AWS Direct
Connect
Routers
DX Location
VPC
VPC
VPC
Customer
Router
VPC
VPC
VPC

126. Public Virtual Interface – US Regions
AWS Direct
Connect
Routers
DX Location
VPC
VPC
VPC
Customer
Router
VPC
VPC
VPC

127. AWS Direct
Connect
Routers
DX Location
VPC
VPC
Customer
Router
VPC
VPC
VPC VPC
us-east-1
us-west-1 us-west-2

128. AWS Direct
Connect
Routers
DX Location
VPC
VPC
Customer
Router
VPC
VPC
VPC VPC
us-east-1
us-west-1 us-west-2

129. AWS Direct
Connect
Routers
DX Location
VPC
VPC
Customer
Router
VPC
VPC
VPC VPC
us-east-1
us-west-1 us-west-2

130. AWS Direct Connect in the United States
Equinix SV
us-west-1
us-west-2
us-east-1
AWS Private Network
VPN to VGW

131. What are the options for connecting into AWS?
What is appropriate for my workloads?
How can I start small and grow with time?
What is the meaning of life? (optional)
Review

132. What are the options for connecting into AWS?
Review
• AWS-managed VPN
• Software VPN (EC2)
• Private virtual interface
• Public virtual interface
VPN Direct Connect

133. Review
Flexibility
What is appropriate for my workloads?
Cost
Resiliency
Performance

134. How can I start small and grow with time?
Review
• Connect using VPN in parallel to DX build out
• More DX locations = more resiliency
• Plan and test for resiliency, and repeat
periodically
• Talk to your AWS team

135. What is the meaning of life? (optional)
Review

136. Related Sessions
• NET402 Deep Dive - AWS Direct Connect and VPNs
• NET301 - Cloud Agility and Faster Connectivity with
AT&T NetBond and AWS
• ARC401 - From One to Many: Evolving VPC Design

137. Remember to complete
your evaluations!

138. Thank you!