1. AWS Government, Education, and Nonprofit Symposium
Washington, DC | June 25-26, 2015
AWS Direct Connect
Camil Samaha
2. Agenda
• Introduction
• Technical overview
• Use cases
• Billing
• Questions
3. What is AWS Direct Connect?
[Diagram: a corporate data center linked to the AWS Cloud by a 1 Gb/s or 10 Gb/s Direct Connect circuit, reaching a Virtual Private Cloud, EC2, SES, Amazon Glacier, Elastic Beanstalk, SQS, Amazon EMR and Amazon Redshift]
4. Why use AWS Direct Connect?
• Consistent network performance
– You choose the data that utilizes the dedicated connection
– You decide how the data is routed, which can provide a more consistent network experience than Internet-based connections
5. Why use AWS Direct Connect?
• Elastic
– You can specify the configuration that meets your needs
– You can easily provision multiple connections if you need more capacity
6. Why use AWS Direct Connect?
• Lower bandwidth costs
– Consistent cost at $0.02 / GB for data leaving us-east-1
– Costs vary by region
[Chart: cost per GB ($0.000 to $0.100) for data out of us-east-1, Direct Connect versus Internet, across the tiers First 10TB, Next 40TB, Next 100TB and Next 350TB]
7. Technical perspective
• 10Gbps and 1Gbps service from AWS
• Sub-1Gbps service from Direct Connect partners
• 802.1Q, 1500B MTU
• Connection (i.e., port) is the basic unit of Direct Connect
• Virtual Interface built per VLAN on a connection
• eBGP peering for route exchange
8. High-level overview
[Diagram: the customer router trunks VLANs X, Y, Z … N to the AWS Direct Connect router at the Direct Connect location; each VLAN carries one virtual interface (e.g. Private VIF 1) into the region, terminating on virtual private cloud 1, 2 … N or on the public endpoints]
Each interface can be associated with a different AWS account (hosted virtual interfaces).
9. How to connect
• Select Direct Connect location(s)
– Direct Connect locations are associated with a region
– Direct Connect locations are not necessarily adjacent to the region
– 15 current Direct Connect locations: US, EU, Asia Pacific, China, South America
10. How to connect
• Order transport to Direct Connect location(s)
– Point to point (DWDM, private line, Ethernet virtual private line)
– Multipoint/Mesh (IP-VPN / MPLS or VPLS)
• Request LOA/CFA in the Direct Connect console
– “Create a Connection” for specific region and location
– LOA/CFA sent to primary email address
– LOA/CFA valid for 90 days from issuance
• Order cross-connect to AWS port
– Order must be made by the Direct Connect location provider’s customer
– If using a partner, typically the partner is responsible; they have the relationship
11. Create a connection
[Screenshot: the Direct Connect console "Create a Connection" dialog]
12. A word about LOA/CFA
• Standard telecom interconnection approach
– Used for hoteling/meet-me/peering
• Letter of Authorization
– Authorizes provider to cross-connect customer to AWS
– Customer provides the LOA to the Direct Connect location provider
• Connecting Facility Assignment
– Indicates where the cross-connect should terminate
– Specific to the AWS end of the connection
14. How to connect
• Build virtual interface(s) (VIF)
– Public VIF looks like a private Internet connection to AWS; no VGW, public IPs
– Private VIF attaches to a VPC; connects to a single VGW, private IPs
– VGW can have multiple VIFs attached (from different connections)
– Hosted VIFs are singletons built by a provider, assigned to your account
15. Ethernet is Ethernet
[Diagram: customer routers at the local corp data center and at a remote corp office reach the AWS Direct Connect router over the customer's IPVPN / MPLS network; the demarc sits at the Direct Connect location, in front of the AWS cloud]
16. Public virtual interfaces (VIFs)
• Customer
– Selects an unused VLAN for the VIF
– Provides public IP addresses for VIF endpoints
– Identifies planned route announcements
– Provides public or private Autonomous System Number (ASN)
– Specifies BGP authentication key
– Determines VIF account assignment
• AWS
– Confirms customer owns routes and ASN (if in public range)
– Announces local region routes
• At US Direct Connect locations, all US region routes announced
18. Private virtual interfaces (VIFs)
• Customer:
– Selects an unused VLAN for the VIF
– Provides IP addresses for VIF endpoints
– Specifies to which VGW in the Direct Connect local region to attach
– Provides public or private Autonomous System Number (ASN)
– Specifies BGP authentication key
– Determines VIF account assignment
• AWS
– Announces CIDR of VPC associated with the VGW
– Propagates received customer routes to VPC
20. Single router, single port, single region
[Diagram: the customer internal network sits behind the customer routers, which use one port to the AWS Direct Connect routers at the Direct Connect location; public traffic goes to Amazon S3 and private traffic to instances in the region]
• Multiple public VIFs allowed on connection
• Multiple private VIFs allowed on connection
21. Dual router, dual port, single region
[Diagram: the customer internal network sits behind two customer routers, each with its own port to the AWS Direct Connect routers at one or more DX locations; public traffic goes to Amazon S3 and private traffic to instances in the region]
• Active / active links via BGP multi-pathing
• Active / passive also an option
• AWS ensures different router if same facility
• Can use different facilities and carriers
• Customer can affect return path selection
– AS-PATH prepend*
– More-specific route
22. Single router, single port + VPN backup
[Diagram: the customer internal network sits behind one customer router with a single port to the AWS Direct Connect router at the Direct Connect location, plus a VPN connection from the customer gateway over the Internet; public traffic goes to Amazon S3 and private traffic to instances in the region]
• Routing selection priority – Static, Direct Connect, VPN
• Overlapping routes only via propagated routes
• Use BGP with VPN configuration for faster failover
• If Direct Connect fails, VPN backup for the private VIF
• If Direct Connect fails, Internet backup for the public VIF
23. Advanced: lollipop routing
• VPC peering is challenging in large mesh
– Subnet route tables grow quickly; may hit limits
– Administratively difficult to manage or maintain
– No automation presently available
• Lollipop allows for hub-and-spoke routing
– Advertise summary (or default) routes to the VGW
– Advertise learned neighbor routes (as-override)
– Maintain centralized routing rules, policies, and ACLs
24. Multiple VPCs over AWS Direct Connect
[Diagram: the customer switch + router trunks VLANs 101, 102 and 103 to AWS; each VLAN carries one private virtual interface to its own VGW and VPC]

AWS side (private virtual interfaces):
PVI   VLAN tag   BGP ASN   BGP announce   Interface IP        VGW     VPC (CIDR)
1     101        7224      10.1.0.0/16    169.254.251.5/30    VGW 1   VPC 1 (10.1.0.0/16)
2     102        7224      10.2.0.0/16    169.254.251.9/30    VGW 2   VPC 2 (10.2.0.0/16)
3     103        7224      10.3.0.0/16    169.254.251.13/30   VGW 3   VPC 3 (10.3.0.0/16)

Customer side (switch + router):
Customer interface   VLAN tag   BGP ASN   BGP announce   Interface IP
0/1.101              101        65001     10.0.0.0/8     169.254.251.6/30
0/1.102              102        65002     10.0.0.0/8     169.254.251.10/30
0/1.103              103        65003     10.0.0.0/8     169.254.251.14/30

Customer route table (the customer internal network, announced as 10.0.0.0/8, sits behind the router):
Destination   Target
10.1.0.0/16   PVI 1
10.2.0.0/16   PVI 2
10.3.0.0/16   PVI 3
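The addressing and BGP parameters on this slide, together with the per-VIF inputs listed on slide 18, are worth checking for consistency before the VIFs are built. The following Python is an added example, not code from the presentation or from AWS: it encodes the three private VIFs from the figure as constructed data, checks that each peer pair sits on usable addresses of the same /30, that VLAN tags are unique on the connection, that the two BGP ends use different ASNs, that the VPC CIDRs announced by the VGWs do not overlap, and that no VIF announces more routes than the limit of 100 the deck states on slide 29; it then derives the customer route table shown on the slide. The PrivateVif class, its field names and the wording of the findings are this example's own.

```python
import ipaddress
from dataclasses import dataclass

# Slide 29 of the deck: limit of 100 routes announced to AWS per VIF.
MAX_ROUTES_PER_VIF = 100


@dataclass(frozen=True)
class PrivateVif:
    """One private virtual interface as the customer and AWS see it (example model)."""
    name: str
    vlan: int
    aws_asn: int
    customer_asn: int
    aws_ip: str                 # AWS-side interface address, e.g. "169.254.251.5/30"
    customer_ip: str            # customer-side address, expected in the same /30
    aws_announces: tuple        # prefixes the VGW announces (the VPC CIDR)
    customer_announces: tuple   # prefixes the customer announces to AWS


# Constructed from the values on slide 24 (VLAN tags, ASNs, /30s, announcements).
VIFS = (
    PrivateVif("PVI 1", 101, 7224, 65001, "169.254.251.5/30", "169.254.251.6/30",
               ("10.1.0.0/16",), ("10.0.0.0/8",)),
    PrivateVif("PVI 2", 102, 7224, 65002, "169.254.251.9/30", "169.254.251.10/30",
               ("10.2.0.0/16",), ("10.0.0.0/8",)),
    PrivateVif("PVI 3", 103, 7224, 65003, "169.254.251.13/30", "169.254.251.14/30",
               ("10.3.0.0/16",), ("10.0.0.0/8",)),
)


def validate(vifs):
    """Return a list of problems found; an empty list means the layout is consistent."""
    problems = []
    vlans = [v.vlan for v in vifs]
    if len(set(vlans)) != len(vlans):
        problems.append("VLAN tag reused on the same connection")
    for v in vifs:
        if not 1 <= v.vlan <= 4094:
            problems.append(f"{v.name}: VLAN {v.vlan} outside the 802.1Q range")
        aws = ipaddress.ip_interface(v.aws_ip)
        cust = ipaddress.ip_interface(v.customer_ip)
        if aws.network != cust.network:
            problems.append(f"{v.name}: peer addresses not in the same subnet")
        elif aws.network.prefixlen != 30:
            problems.append(f"{v.name}: point-to-point link is not a /30")
        else:
            usable = set(aws.network.hosts())   # excludes network and broadcast
            if aws.ip == cust.ip:
                problems.append(f"{v.name}: both ends use the same address")
            if aws.ip not in usable or cust.ip not in usable:
                problems.append(f"{v.name}: network or broadcast address used as peer address")
        if v.aws_asn == v.customer_asn:
            problems.append(f"{v.name}: eBGP peering requires different ASNs")
        if len(v.customer_announces) > MAX_ROUTES_PER_VIF:
            problems.append(f"{v.name}: more than {MAX_ROUTES_PER_VIF} routes announced to AWS")
    # VPC CIDRs must be disjoint so the customer router can pick one VIF per destination.
    nets = [(v.name, ipaddress.ip_network(p)) for v in vifs for p in v.aws_announces]
    for i, (n1, p1) in enumerate(nets):
        for n2, p2 in nets[i + 1:]:
            if p1.overlaps(p2):
                problems.append(f"{n1} and {n2} announce overlapping prefixes {p1} and {p2}")
    return problems


def customer_route_table(vifs):
    """Derive the customer's route table from what each VGW announces over its VIF."""
    table = {}
    for v in vifs:
        for p in v.aws_announces:
            table[str(ipaddress.ip_network(p))] = v.name
    return dict(sorted(table.items()))


if __name__ == "__main__":
    for problem in validate(VIFS):
        print("problem:", problem)
    for destination, target in customer_route_table(VIFS).items():
        print(f"{destination:14} {target}")
```

Running the block prints no problems and the three-entry route table from the slide; reusing a VLAN tag or giving two VPCs overlapping CIDRs is reported before anything is provisioned.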
25. Advanced: cross-region via public VIF
[Diagram: the customer connects at AWS Direct Connect, Equinix, San Jose; a public VIF into us-west-1 reaches us-west-2 and us-east-1 across the AWS private network, with a VPN to the VGW in the remote region; public and private traffic shown]
In the US, with a public VIF, use the AWS network to:
• Access public resources in remote US regions
• VPN to a remote US region and emulate a private VIF
• Public VIF + VPN is a common GovCloud scenario
26. Advanced: US multi-region, route selection
[Diagram: the customer internal network and an office connect over AWS Direct Connect at Equinix, San Jose (us-west-1) and at Equinix, Ashburn (us-east-1); the S3 resource sits in us-west-2; public and private traffic shown]
Company establishes DX to us-west-1 and us-east-1.
Which path should be taken to an S3 resource in us-west-2?
• Customer is responsible for their internal routing behaviors
• AWS provides OOB information on region address blocks
• Use BGP Local Pref, for example, for outbound routing
• Use specific routes for inbound routing, avoid asymmetry
• Use BFD for faster routing recovery on link failure
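To make the route-selection bullets on slides 21, 22 and 26 concrete, here is an added Python model, not code from the presentation or from AWS, of the ordering those slides describe: the most specific prefix wins first, then BGP LOCAL_PREF (the outbound lever from slide 26), then AS_PATH length (the prepend from slide 21, which a more-specific announcement overrides); on the VPC side, static beats Direct Connect-propagated, which beats VPN-propagated (slide 22). The link names, the ASNs, and the 203.0.113.0/24 documentation prefix standing in for a region address block are all constructed for this example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str
    via: str                 # link or next-hop name, e.g. "DX-SanJose" (constructed)
    local_pref: int = 100    # BGP LOCAL_PREF, set by the receiving router; higher wins
    as_path: tuple = ()      # AS_PATH as seen by the receiving router
    source: str = "dx"       # VPC model only: "static", "dx" (propagated) or "vpn" (propagated)


def _most_specific(routes, destination):
    """Keep only the longest-prefix matches for destination."""
    dst = ipaddress.ip_address(destination)
    hits = [r for r in routes if dst in ipaddress.ip_network(r.prefix)]
    if not hits:
        return []
    longest = max(ipaddress.ip_network(r.prefix).prefixlen for r in hits)
    return [r for r in hits if ipaddress.ip_network(r.prefix).prefixlen == longest]


def bgp_best(routes, destination):
    """Head of the BGP decision process: longest prefix, highest LOCAL_PREF, shortest AS_PATH."""
    hits = _most_specific(routes, destination)
    if not hits:
        return None
    return min(hits, key=lambda r: (-r.local_pref, len(r.as_path), r.via))


# Slide 22: "Routing selection priority – Static, Direct Connect, VPN".
VPC_ROUTE_PRIORITY = {"static": 0, "dx": 1, "vpn": 2}


def vpc_best(routes, destination):
    """VPC route table: longest prefix, then static > Direct Connect propagated > VPN propagated."""
    hits = _most_specific(routes, destination)
    if not hits:
        return None
    return min(hits, key=lambda r: (VPC_ROUTE_PRIORITY[r.source], r.via))


# --- constructed scenarios ---------------------------------------------------
# Slide 26: outbound from the customer to a us-west-2 public prefix learned on
# both public VIFs; the customer sets LOCAL_PREF to prefer the San Jose path.
OUTBOUND = (
    Route("203.0.113.0/24", via="DX-SanJose", local_pref=200, as_path=(7224,)),
    Route("203.0.113.0/24", via="DX-Ashburn", local_pref=100, as_path=(7224,)),
)

# Slide 21: shaping the return path. Link B is prepended three times; a
# more-specific /24 is announced on link B only.
RETURN_PATH = (
    Route("10.0.0.0/16", via="link-A", as_path=(65001,)),
    Route("10.0.0.0/16", via="link-B", as_path=(65001, 65001, 65001, 65001)),
    Route("10.0.1.0/24", via="link-B", as_path=(65001, 65001, 65001, 65001)),
)

# Slide 22: the same on-premises prefix propagated from Direct Connect and from the VPN.
VPC_TABLE = (
    Route("10.0.0.0/16", via="vgw-dx", source="dx"),
    Route("10.0.0.0/16", via="vgw-vpn", source="vpn"),
)


def outbound_link():
    return bgp_best(OUTBOUND, "203.0.113.10").via


def return_link(destination):
    return bgp_best(RETURN_PATH, destination).via


def vpc_path(routes=VPC_TABLE):
    return vpc_best(routes, "10.0.5.5").via


if __name__ == "__main__":
    print("outbound:", outbound_link())              # DX-SanJose: LOCAL_PREF decides
    print("return 10.0.9.9:", return_link("10.0.9.9"))  # link-A: shorter AS_PATH
    print("return 10.0.1.9:", return_link("10.0.1.9"))  # link-B: more-specific beats prepend
    print("vpc:", vpc_path())                        # vgw-dx
    print("vpc after DX loss:", vpc_path(VPC_TABLE[1:]))  # vgw-vpn: failover
```

The model stops at AS_PATH length, so it does not cover the later BGP tie-breakers, and it does not encode the deck's footnote that AS-PATH prepend is not honoured for the public VIF / private ASN combination; the more-specific route is the lever that still works in that case.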
27. Advanced: global multi-region Direct Connect
[Diagram: US, EU and AP customer data centers joined by the customer's IPVPN / MPLS backbone, each reaching a Direct Connect PoP: Virginia or NYC for the us-east-1 region, Ireland or London for the eu-west-1 region, Singapore for the ap-southeast-1 region; public and private traffic shown]
28. Billing
• Customer will have other non-AWS costs
– Transport to Direct Connect location
– Cross-connect
– Others
• Connection account pays port charge
• VIFs may be allocated to other accounts
• Hosted VIF port charges come from Direct Connect provider
29. Limits and notes
• Limit of 100 routes announced to AWS
• Contact support if VIFs + VPNs > 50/region
• Cannot access Internet via public VIF
• Hosted connections have only one VIF
• You control route propagation in your VPC
• VPCs are still non-transitive, peering won’t work
• Direct Connect port is always 802.1Q Ethernet, no labels
• VLANs are stripped at the Direct Connect edge router
30. Thank You.
This presentation will be loaded to SlideShare the week following the Symposium.
http://www.slideshare.net/AmazonWebServices
Editor's notes
-I want to briefly discuss what we’ll be covering during this presentation.
-For this deep dive talk we are making a few assumptions: that you are all familiar with or aware of most of the AWS services. Many of you may already have an understanding of the benefits of DX but are looking for some technical depth.
-Fear not if you are new to the product though.
-First, we’ll take a high-level look at the service, particularly the benefits that you can obtain by using it,
-and secondly, a technical deep dive into requirements and basic configuration options.
-Thirdly, we’ll consider a few typical and advanced use cases.
-Then we’ll briefly touch on billing.
-And finally, a chance to ask and hear answers to some questions.
Amazon Web Services operates a highly reliable and secure technology infrastructure platform on a global basis that is able to support virtually any cloud workload, including web and mobile applications, data processing and warehousing, storage, archive, and many others.
While many companies, such as Netflix, build entire businesses on AWS, many are in different stages of the journey of moving applications to the AWS cloud. Some have existing data centers they are not ready to retire yet, and these customers are telling us they want to be able to use those existing data centers alongside AWS. For example, NASDAQ runs their base workloads on-premises and exports their data to AWS for analytic processing.
AWS Direct Connect is a unique solution that supports customers that need to run these types of important workloads. AWS Direct Connect goes beyond simple connectivity over the Internet; instead, it uses dedicated, private network connections between your on-premises solutions and AWS to provide scale, speed and consistency.
Like all AWS services, you can scale to meet your own demands, whether that is a single 1 Gb port to upload data to be processed by EMR, or multiple 10 Gb ports to handle all of your business applications talking seamlessly between AWS and your on-premises resources.
Direct Connect offers a potentially substantial decrease in cost per GB transferred.
Whether using the Internet or DX, data transfer into AWS is free, so using DX to copy telematic data from all of your factory machinery to S3 is a no-brainer.
But DX can significantly lower the price to bring the operational results, reports and recovery data back on-premises when it’s needed.
In the chart, you can see a comparison of data charges for data transferred out of the us-east-1 region. AWS DX offers a flat rate of $0.02 / GB no matter the amount of data moved, while the cost of Internet transit starts at 9 cents / GB.
Anywhere the DX service is offered, while the actual per-GB figures may vary, the saving opportunity is similar.
1500-byte MTU
LOA/CFA sent to primary email address in <= 72 hours
A VIF can attach to one VGW (one VIF per connection per VGW)
A VGW can have multiple VIFs (from different connections)
Path vector
*AS-PATH prepend not supported with public VIF / private ASN combo
Router on a stick
Private VIFs are basically metered at the interface
Public VIFs are basically metered at the resource
Example: S3 data out
– Bucket account not owned by/linked to VIF account: bucket owner pays Internet data-out, no DX data-out charge
– Bucket account owned by/linked to VIF account: bucket owner pays DX data-out
– Bucket set as requester pays: VIF account pays DX data-out