Questions tagged with AWS Direct Connect

Is anyone able to recommend hardware for the on-prem end of a Direct Connect that I need to commission? Needs to support 10Gbps and MACsec. Needs to have at least 6 x 10Gbps SFP+ ports. Needs to be in stock and available for purchase in the UK despite ongoing supply chain issues for network equipment vendors. Thanks.lg...

https://aws.amazon.com/blogs/networking-and-content-delivery/introducing-aws-site-to-site-vpn-private-ip-vpns/ 1) Going through the document, It tells to reserve a 10.0.0.0/24 cidr block on the transit gateway, what is the relevance of this block? where is it exactly used? It is not shown in the diagram in the document. 2) Do we need to carve out a separate cidr for The tunnel IPs, based on the number of tunnels. Is there any special consideration to be followed when assigning the tunnel outside IPs. 3) Any additional documents available on this topic would be helpful. What does that Cidr block do? are IPs from the block used anywhere ( tunnel headend or tailend IPs?). I understand the block is used for routing. How does one decide the Tunnel headend and tail end IPs? do the IPs subnets have anything to do with the CIDR block? If I have a 10G pipe, I am assuming I would be using 8 tunnels (1.25 cap), where do i know what the IPs would be? The IP Schema is dictated by what? Does the CIDR play a role here?lg...

I am implementing a new feature from AWS called Private IP VPN using Direct connect, My question is that how do i filter routes entering my P2P IPSec tunnel from the transit gateway towards onprem as i would like to receive all the routes that exist in the TG.lg...

Is it possible to have a private VIF and a Transit VIF on the same Direct connect circuit?lg...

I have install and configure the salesforce package (Amazon Connect - Universal Package). Everything looks fine, when using the CTI dialer I am able to make phone calls. However, when I click in the phone icon, the dialer doesnt work. I get a Javascript error: list:1 Refused to run the JavaScript URL because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-EcwaM0KV0B3Zx5NUYmA2xbJLMjpPhKRc' chrome-extension: 'unsafe-inline' 'unsafe-eval' *.canary.lwc.dev *.vf.force.com blob: https://ssl.gstatic.com/accessibility/". Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list.  Any ideas of what I am missing?lg...

Is there any way of detecting VPC to VPC traffic flows via the DX Gateway?lg...

What are some of the strategies to handle Overlapping IP Ranges for various integrations, within AWS as well as while planning hybrid connectivity with on-premises networks using VPN, DX etc. Note: This is a common question asked by AWS customers. Posting it to provide an answer that can benefit everyone.lg...

Good new with this release yesterday, https://aws.amazon.com/about-aws/whats-new/2022/06/aws-site-vpn-introduces-private-ip-security-privacy/ So wanted to confirm the steps to set this up. 1. Create DXG 2. Create Transit VIF - associate with DXG. https://docs.aws.amazon.com/directconnect/latest/UserGuide/create-vif.html#create-transit-vif The ASN can be private ASN, correct? 3. Create TGW 4. Create VPN attachement https://docs.aws.amazon.com/vpn/latest/s2svpn/create-tgw-vpn-attachment.html All ASN can be private. All need to be unique.lg...

We have DEV and Production servers in different AWS accounts and these account's VPC are connected via Transit Gateway. I want to connect the VPN to the same Transit gateway so that we don't need to create separate VPNs for DEV And Production account. As AWS doesn't support multiple Remote IPv4 network CIDR in to Site to Site VPN. The CIDR range for which both the accounts can be accessible is of size /16. Since it is a very big CIDR and this can cause overlapping of IP addresses for the client's Network they are not allowing it. Also they are not accepting CIDR greater than size /30. AWS support has recommended that we can consider using a dynamic VPN routing. Does anyone has any idea how we can achieve this configuration without setting up Two VPNs.lg...

Hi, I would like to know what would be the best possible option in terms of complexity and cost for the scenario below that we are trying to implement for a client. Customer A has all web apps deployed on-prem and has clients that come through a co-located VPN based network(say ClientNet network) to access those apps. Now all these apps will be deployed in AWS regions(Prod and Non-prod vpc-s) so in essence Customer A will now be on AWS and all these clients will need to access these apps on AWS via this ClientNet network. At the same time, there will be some to and from communication between AWS VPC-s and Customer A's network for stuff that will still be hosted on-prem like Active Directory and other COTS. Can this be achieved without creating 2 separate Direct Connects or 2 separate VPN-s? By 2 separate DC-s I mean - one DC between ClientNet and AWS and one DC between Cutomer A one-prem and AWS and the same applies for VPN if we were to replace DC with VPN. Can TGW be used to consolidate this one just one connection whether its DC or VPN that can assessed later based on requirements for security and bandwidth?lg...

Dear Team, I have the following setup requirements between VMware on AWS SDDC and on-Premise DC. 1. Need an encrypted VPN Solution between SDDC and On-Premise DC. 2. Need an Encrypted VPN Solution between SideCar VPC and On-Premise DC. 3. We have direct connect setup between DC and AWS. 4. Protected firewall sitting behind the edge device in on-Premise DC , encrypted VPN setup on DX need two set of public. Firewall sitting behind edge devise VPN connectivity but that firewall could not configured with public ip. The last hop where the public ip could be configured is the edge devise on the customer site. As per my understanding, I can use the public VIF on direct connect to setup the encrypted VPN connection between the client edge devise and AWS router. But the problem statement in this case is 1. How to setup the encrypted VPN solution for both SDDC and sidecar VPC? Can we route the traffic from SDDC to VTGW to TGW(of the sidecar account) and then leverage public VIF to setup encrypted VPN from TGW to customer edge devise? 2. Do we need the DX gateway to setup the encrypted VPN connectivity? 3. Encrypted VPN on DX would need to set of public IPS. What if the customer firewall is not having the option to configure the public IP for encrypted VPN ? 4. Can I use the DX setup in one OU to create the public VIF for another account in separate OU. This is required because I am looking to create the encrypted VPN connection from two OUs to the DC. Please advise with your comments or if there is any reference architecture available with VMC/AWS. Many Thanks Riolg...

Hi all, I want to set up a S2S VPN connection using dynamic routing between on-prem and AWS environment. But on-prem engineers are telling me to set up a BGP password on this VPN in AWS side. Is possible to set up a BGP password in AWS side? As I didn't found anything about BGP password on S2S VPN documentation and in console as well, didn't found the field for BGP password. I know that on a Direct Connect is possible to set up a BGP password. I'm only asking is for a S2S VPN is possible as well? Thank you, Valentin.lg...