Do you want to learn how to connect to Amazon VPC from your on-premises location by using a hardware VPN connection or AWS Direct Connect? Come learn how to set up your hardware VPN and DX to establish connectivity to your Amazon VPC. We also focus on common customer issues, limitations and how to best identify them, and we perform troubleshooting of DX and VPN connections.

2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Become an AWS VPN and Direct
Connect Expert
Alan Halachmi
Senior Manager WWPS
Amazon Web Services
N E T 3 0 6
Steve Seymour
Principal Solutions Architect
Amazon Web Services

3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
On-premises
VPN connectivity
Provisioning VPN connections
1. Build your AWS infrastructure
2. Create your Virtual Private Gateway (VGW) and attach to your
Virtual Private Cloud (VPC)
3. Define your Customer Gateway (CGW)
4. Create your VPN connection between the VGW and CGW
5. Download your template configuration
6. Configure your CGW and watch your tunnels come up and enjoy
encrypted connectivity!
Internet access
IPsec Tunnel 1 - Primary
IPsec Tunnel 2 - Secondary
The Internet

5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Direct Connect
1. Build your AWS infrastructure
2. Create your Virtual Private Gateway (VGW) and
attach to your Virtual Private Cloud (VPC)
3. Order an AWS Direct Connect from the console or
through a Direct Connect partner
4. Have your cross connect provisioned from the AWS
router to your device or your partners device (or use
a partners NNI)
5. Build connectivity if not already available through
partner back to on-premises
6. Provision your Virtual interfaces (private or public)
and start using your AWS Direct Connect
On-premises
Colocation Facility – e.g. Equinix SV1
Private VIF
Public VIF
VLAN B
VLAN A
AWS Direct Connect
POP
Customer or
Partner Cage
Service provider
network
+ More

6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Our starting point
VPN
WAN
AWS Direct
Connect
Virtual private
gateway
Dev Prod

8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Challenge: Adding more VPCs
VPN
WAN
AWS Direct
Connect
Lots of connections
Dev Prod Dev Prod Dev Prod

9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Challenge: Peering VPCs
VPN
WAN
AWS Direct
Connect
VPC to VPC connections?
Dev Prod Dev Prod Dev Prod

10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Challenge: Peering VPCs
VPN
WAN
AWS Direct
Connect
Dev Prod Dev Prod Dev Prod
Connect dev and prod
VPC Peering
Connect the blue environment
How does this scale?
Let’s:

11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPN
WAN
AWS Direct
Connect
Dev Prod Dev Prod Dev Prod
Dev Prod Dev Prod Dev Prod
Scaling connections?
Scaling VPC peering?

12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Transit VPC VPN
WAN
AWS Direct
Connect
Transit VPC
Dev Prod Dev Prod Dev Prod
Dev Prod Dev Prod Dev Prod

13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Transit VPC: Hub
Availability Zone 1
Subnet 1
VPN Instance
Availability Zone 2
Subnet 2
VPN Instance
• Instances running VPN software
• Deployed in two Availability
Zones
Internet gateway

14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Transit VPC: Routing
Virtual Private
Gateway (VGW)
Virtual Private
Network (VPN)
Border Gateway Protocol
(BGP)
Transit VPC
10.0.0.0/16
10.1.0.0/16
The VGW advertises the VPC CIDR to the VPN
instance (10.1.0.0/16)
Customer Gateway (CGW) So far, this works exactly like a typical VPN

15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Transit VPC: Routing
Virtual Private
Gateway (VGW)
Virtual Private
Network (VPN)
Transit VPC
10.0.0.0/16
10.1.0.0/16 10.2.0.0/16
Route Table
Destination Target
10.2.0.0/16 Local
10.1.0.0/0 VGW
Route Table
Destination Target
10.2.0.0/16 Local
0.0.0.0/0 VGW
Internet
The VPN Instances advertise
routes to each VGW. This can
be a default route or
individual routes.

16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Why doesn’t peering work?
VPC Peering
Transit VPC
10.0.0.0/16
10.1.0.0/16 10.2.0.0/16
Route Table
Destination Target
10.2.0.0/16 Local
10.1.0.0/0 VGW
Route Table
Destination Target
10.2.0.0/16 Local
0.0.0.0/0 PCX
Internet

17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Transit VPC: Availability
Virtual Private
Gateway (VGW)
Virtual Private
Network (VPN)
Transit VPC
10.0.0.0/16
10.1.0.0/16 10.2.0.0/16
Route Table
Destination Target
10.2.0.0/16 Local
10.1.0.0/0 VGW
Route Table
Destination Target
10.2.0.0/16 Local
0.0.0.0/0 VGW
BGP and Dead Peer Detection (DPD) detect
the failure
The VGW route automatically fails over to
the other tunnel
Internet

18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Transit VPC: Availability
Transit VPC
10.0.0.0/16
10.1.0.0/16 10.2.0.0/16
Route Table
Destination Target
10.2.0.0/16 Local
10.1.0.0/0 VGW
Route Table
Destination Target
10.2.0.0/16 Local
0.0.0.0/0 VGW
BGP and Dead Peer Detection (DPD) detect
the failure
BGP and Dead Peer Detection (DPD) detect
the failure
Internet

19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

20. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Direct Connect to many VPCs
AWS Region
10.1.0.0/16
WAN
On-premises
AWS Direct Connect
location
Private Virtual Interface (VIF)
Customer
router
AWS
router
Customer
router
AWS
router
10.2.0.0/16
Up to 50 VIFs per port
AWS Direct Connect
Location 2

21. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Direct Connect: Link aggregation
AWS Region
10.1.0.0/16
WAN
On-premises
Link Aggregation
(LAG)
Private Virtual Interface (VIF)
Customer
router
AWS
router
Customer
router
AWS
router
10.2.0.0/16
Up to 4 ports in a LAG, each
with 50 VIFs
AWS Direct Connect
Location 2

22. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Direct Connect Gateway
AWS Region
10.1.0.0/16
WAN
On-premises
AWS Direct Connect
location
Private Virtual
Interface (VIF)
Customer
router
AWS
router
Customer
router
AWS
router
10.2.0.0/16
Up to 10 VGWs per direct
connect gateway
AWS Direct Connect
location 2
Direct Connect
Gateway
Account

23. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Multiple regions
WAN
On-premises
AWS Direct Connect
location
Private Virtual
Interface (VIF)
Customer
router
AWS
router
Customer
router
AWS
router
AWS Region
AWS Direct Connect
Location 2
Direct Connect
Gateway
Account
AWS Region

24. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

25. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
10.1.0.0/16
virtual private cloud
10.2.0.0/16
virtual private cloud
172.16.0.0/16
virtual private cloud
VPN Internet
gateway
VPC NAT
gateway
customer
gateway
Transit
Gateway
Internet
gateway
10.10.0.0/16
Enter: Transit Gateway

26. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

27. Thank you!
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Alan Halachmi & Steve Seymour
halachmi@amazon.com
seymours@amazon.co.uk

28. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.