Questions tagged with AWS Direct Connect

Dear Team, I have the following setup requirements between VMware on AWS SDDC and on-Premise DC. 1. Need an encrypted VPN Solution between SDDC and On-Premise DC. 2. Need an Encrypted VPN Solution between SideCar VPC and On-Premise DC. 3. We have direct connect setup between DC and AWS. 4. Protected firewall sitting behind the edge device in on-Premise DC , encrypted VPN setup on DX need two set of public. Firewall sitting behind edge devise VPN connectivity but that firewall could not configured with public ip. The last hop where the public ip could be configured is the edge devise on the customer site. As per my understanding, I can use the public VIF on direct connect to setup the encrypted VPN connection between the client edge devise and AWS router. But the problem statement in this case is 1. How to setup the encrypted VPN solution for both SDDC and sidecar VPC? Can we route the traffic from SDDC to VTGW to TGW(of the sidecar account) and then leverage public VIF to setup encrypted VPN from TGW to customer edge devise? 2. Do we need the DX gateway to setup the encrypted VPN connectivity? 3. Encrypted VPN on DX would need to set of public IPS. What if the customer firewall is not having the option to configure the public IP for encrypted VPN ? 4. Can I use the DX setup in one OU to create the public VIF for another account in separate OU. This is required because I am looking to create the encrypted VPN connection from two OUs to the DC. Please advise with your comments or if there is any reference architecture available with VMC/AWS. Many Thanks Rio

Hi all, I want to set up a S2S VPN connection using dynamic routing between on-prem and AWS environment. But on-prem engineers are telling me to set up a BGP password on this VPN in AWS side. Is possible to set up a BGP password in AWS side? As I didn't found anything about BGP password on S2S VPN documentation and in console as well, didn't found the field for BGP password. I know that on a Direct Connect is possible to set up a BGP password. I'm only asking is for a S2S VPN is possible as well? Thank you, Valentin.

Is it better to have a single Direct Connect Gateway or multiple Direct Connect Gateways? I'm trying to connect multiple VPCs (VPC-A, VPC-B) and multiple data centers (DC-A, DC-B) using Direct Connect Gateway (DCGW). Which of the following configurations is better? Is it better to have a single Direct Connect Gateway or multiple Direct Connect Gateways? 1) VPC-A, VPC-B <-> DCGW <-> DC-A, DC-B 2) VPC-A, VPC-B <-> DCGW-A <-> DC-A VPC-A, VPC-B <-> DCGW-B <-> DC-B

Hello, we currently have a Direct Connect Link with a private VIF connecting a few VPCs to our on-prem environment, and it is terminated at a Direct Connect Gateway. We are planning to build some VPN tunnels to connect a few remote sites to one "hub" VPC, so would it be possible for the remote sites to route traffic back to on-prem via the "hub" VPC? Thanks!

I have one Global DXGW. One VIF each in us-east-1, us-east-2, eu-west-1, ap-northeast-1 and eu-central-1. I also have VPC's in each of the regions. I want to engineer the BGP routes in such a way that if us-east-1 is not available, all routes will use us-east-2. if eu-west-1 is not available, all routes will use eu-central-1 is it possible to achieve this failover scenario with one global direct connect gateway us-east-1 = primary us-east-2 = secondary eu-west-1 = primary eu-central-1 = secondary ap-northeast-1 = primary us-east-2 = secondary.

IHAC is using two AWS Direct Connect connections with different co-locations homing same AWS region. And they are wondering the way they could use we AWS 's capability in handling outbound routing. That is, they are expecting to achieve "Active-Active" or "Active-backup(passive)" -- for our outbound traffic -- between the two DX connections, by a few clicks on AWS console. According to our document at https://docs.aws.amazon.com/directconnect/latest/UserGuide/routing-and-bgp.html : "If you have multiple AWS Direct Connect connections, you can adjust the load-sharing of inbound traffic by advertising prefixes with similar path attributes". So how?

Hi there, I am currently planning for network upgrade on existing Direct Connect from On-Prem to AWS region. Currently we are advertising 50+ prefixes into Transit Gateway through DXG, but I hear that there is a limit on the max number of prefix. Can anyone confirm and advise any work around as we are keep on consolidating our branch network connectivity to use service in AWS cloud.

Trying to use Direct Connect to copy files from on prem to an S3 bucket using direct connect. Looks like this is possible. Have a direct connect connection from a provider Think the next step is set up a public VIF. I'm not sure what I need to specify in 'your router peer ip' and 'amazon router peer ip' Where do these details come from? It says they need to be public IP addresses.

I need a good curated list of all the useful hands-on resource for AWS networking.

Is it possible to connect on-premises and AWS with DX in the same segment? example) ・192.168.10.0/24(AWS) <-> 192.168.10.0/24(On-premises) I searched for DX, but couldn't find the content "This is the answer"

Hi, Can we connect a single Direct connect Gateway to multiple AWS direct-connect links available through different regions? I want my VPC in Oregon region to use it hosted direct-connect in the same region as primary path and hosted direct connect in California region as backup path! For example: DC link-1 hosted in Oregon region DC link-2 hosted in California region Both the direct connect links should have Hosted/Private Virtual Interface with same Direct-connect Gateway Then the DC-GW is associated with VGW(s) I this feasible to do?

Hi, Is it possible to route traffic between VPCs through the direct connect connection - where each VPC is connected with Private VIF to a direct connect connection to the on premise DC. Page 22 - "AWS Direct Connect" can't get my head around it. link below https://d1.awsstatic.com/whitepapers/aws-amazon-vpc-connectivity-options.pdf

I was working with a new ubuntu instance this morning, alternating between a serial console and ssh connection. I took a lunch break. When I came back the EC2 Dashboard is taking me to a bit of a different instances list. Once I select my instance, the connect button no longer gives an option for the serial connection. I checked and EC2 serial console access is still allowed under the account attributes. I would appreciate advice on how to get back to where I was earlier. thanks Cliff

Will AWS Advertise BYOIP addresses over a Dx Private VIF? If so, how?

Hi. We are in the process of setting up a Site-to-Site VPN between a TGW and a Customer Gateway . Having downloaded the configuration file, we have been advised by our networking partner that we need to amend the advertised remote-as BGP value. Creating a new CGW only gives the option to change the 'router bgp' value. How can we change the remote-as value to 12345 (for example)? As we are currently stuck with the IPSEC VPN up, but the overall status as DOWN. **#4: Border Gateway Protocol (BGP) Configuration** ``` router bgp 65001 bgp log-neighbor-changes bgp graceful-restart address-family ipv4 unicast neighbor 169.254.x.x remote-as 65000 ``` Many Thanks.

Hi, IHAC who created a DX few months ago but the person in charge left. When checking the setup now. 1. at the provider side (Megaport) everything seems ok. Connection is active, VIF details can be seen, etc. 2. at the AWS console, we can see a VIF but showing status as down. 3. at the AWS console, under DX, there no connection. I am surprised that the console does not list any connection if there is still a VIF. The customer cannot create a new VIF because there is no active connection. What could be the problem here ? Thanks.

I'm struggling to get my head around a lot of the AWS information. We have a Direct Connection and it's half working. The DC Gateway has a virtual interface that links to my onsite hardware. Ping works. BGP works. The DC has no other associated gateways. I think what I'm supposed to do is create a Virtual Private gateway that links to a VPC. I can do this, and it sort of works, to the extent that the subnets that are in the VPC can be successfully advertised over the BGP session to my hardware. However, it doesn't actually work because I can't exchange traffic with IP addresses inside the VPC from my onsite hardware anyway. So what gives me pause here is when I try to create the Private gateway, the string appears: "A virtual private gateway is the router on the Amazon side of the VPN tunnel." but I don't want AWS to setup a VPN tunnel. Also that VPG wants an AS configured, which implies that it wants to do BGP peering into the VPC with some device that's talking BGP back to it, which doesn't seem right to me. So how and where do I configure the VPC side of the DC gateway? Where do I type in a static IP that will be the default gateway for my VPC's subnet, so that the instances can send packets to that IP which will arrive at the hardware end of my AWS DC? Also -- with no traditional console access to the "router" that forms the AWS side of the DC, how do we do packet captures and other debugging to find out where packets are being lost? Edited by: DC-Client on Sep 1, 2021 4:25 PM

Customer with 2 Transit Gateways, both associated with the same Direct Connect gateway. They are looking to consolidate the prefixes on TGW A. Currently they have: TGW A 10.1.112.0/20, 10.1.144.0/20, 10.1.160.0/20, 10.1.176.0/20, 10.1.204.0/24, 10.1.224.0/20, 10.1.241.0/24 etc TGW B 10.1.0.0/20, 10.1.16.0/20, 10.1.208.0/20 and would like to consolidate down to: TGW A 10.1.0.0/16 TGW B 10.1.0.0/20, 10.1.16.0/20, 10.1.208.0/20 My question is, will prefixes be resolved using the longest prefix first? So routes matching the longer subnet masks on TGW B will still be routed, with everything else under the /16 mask being routed to TGW A?

Hi, I am studying the direct connect service. We are thinking about getting a one-gig DX and we want to peer with using two on-prem routers. My understanding is that, for this one connection, I will have two private VIFs, each with a different Vlan. My routers will have different sub-interfaces (one for each Vlan) and my BGP is like on-prem router1 sub-interface.100 <---vlan100---> private VIF1 on-prem routers sub-interface.200 <---vlan200---> private VIF2 Does this look right? Can I associate both private VIFs to the one VGW for my VPC? Thanks Difan

A customer wants to connect AWS with their on-premise network. Is there a best practice on connecting AWS to on-premise? I searched Internet but couldn't find any self-help questions or guidance on best practices. From my research, it seems it's reasonable to enable Site-to-Site VPN (for brevity, S2S) firstly and then enable DirectConnect (DX) when there is need for stable connection. If extra stability is needed, then consider S2S + DX simultaneously. Is this a good approach? For now, the customer does not have a good estimate on how much the throughput will be and their PoC is just starting. They want to wait and see how it goes. Could you provide me a good advice? Thank you!

A customer is trying to setup VPC to VPC routing through their on-prem firewall over TGW. The desired behavior is that traffic from VPC-A will route through the on-prem firewall to get to VPC-B. With the current setup, the traffic routes from VPC-A to VPC-B without making it to the on-prem firewall. When we perform a traceroute, the 2nd hop in the path is a 169.254.x.x address, which I believe may be the DXGW or something similar. I can replicate the same behavior If I have a 0.0.0.0 route defined to a nat gateway as well, but in that case the 2nd hop is the nat gateway address. The customer POC setup is as follows: VPC-A - 10.0.0.0/24 VPC-B - 10.0.1.0/24 DXGW connected to DX via TVIF **VPC-A-Route-Table Routes** 10.0.0.0/24, local 0.0.0.0, TGW **VPC-B-Route-Table Routes** 10.0.1.0/24, local 0.0.0.0, TGW **TGW -VPC-Traffic route table** **associations:** VPC-A VPC-B **Propagations:** DXGW **Routes:** On-Prem routes, propagated 0.0.0.0/0, DXGW attachment, static **TGW - On-prem traffic route table** **Associations:** DXGW **Propagations:** VPC-A VPC-B **Routes:** 10.0.0.0/24 10.0.1.0/24 I believe we are missing an explicit route to tell traffic to use the on-prem firewall for routing of VPC to VPC traffic, but I am not exactly sure of the best place to configure that in this scenario.

To test a Direct Connect (DX) failover using two VIFs on the same Direct Connect connection using the documentation [AWS Direct Connect Failover Test](https://docs.aws.amazon.com/directconnect/latest/UserGuide/resilency_failover.html). Does a resiliency model of at least two Direct Connect connections required for this type of failover testing?

We have Direct Connect service in two different AWS Regions. If we trombone traffic from the first Region to the second Region using Direct Connect through our data center, will we get billed for cross-Region network costs?

Hello Can Direct Connect Gateway be used to connect multiple on-premise site to multiple AWS VPC.. In addition, is it possible to setup VPN over Direct Connect to encrypt the traffic from on-premise to AWS. Is this possible via AWS Direct Connect Gateway? Thanks,

We have an existing 1G dedicated Direct Connect and thinking of using LAG to increase the available bandwidth by adding an additional 1Gig port. Do we have to use the same telco provider for link #2 or will LACP only work if the same provider supplies both circuits.

Hello, My customer is starting with AWS and is running a few workloads on our cloud already. They are looking at interconnecting their data centers with AWS and we presented the different options VPN vs Direct Connect. This is what we shared to compare both: VPN: - Over the Internet - Easy to install, set up in minutes - Bandwidth: 1 VPN tunnel = 1.25 Gbps - Encryption: Encrypted in transit - Cost: Charged per hour per VPN connection + data transfer (0.9€/GB) Direct connect: - Physical, dedicated connection (not using the internet) = consistent performance, reduced bandwidth costs - Some set-up time required –can be few days - Bandwidth: Direct Connect Connection = 50 Mbps–10Gbps - Encryption: Not encrypted in transit but can be combined with VPN to have encryption - Cost: Charged per port hour + data transfer (0.2€/GB) We also said that a VPN is good to start or when the cloud is only used for test and development but that a direct connect is better in case they want to migrate applications to the cloud, use split-tier architecture or want to use our cloud as disaster site for example. Data transfer costs are also lower with direct connect so in case they are transferring a lot of data, a direct connect might be cheaper. My questions are: - Is there a white paper or another document comparing direct connect vs vpn that I could share with the customer ? - Do we have a list of use cases requiring direct connect that my customer could use to justify a direct connect? - Do we have a business case for direct connect vs VPN? I mean can direct connect becomes cheaper than VPN if there is a lot of data transfer for example. Thanks for your help

A customer is looking to establish a connectivity between their onPrem DC in Oslo, Norway to our Stockholm region. Currently the only DX provider mentioned [here is][1] **DigiPlex Ulven, Oslo, Norway** and that has associated region as Frankfurt. They prefer to use a DX provider in Norway. Now the question is: - Will using this provider add extra latency via Direct connect gateway when talking to workload in Stockholm region? - Any other approach/options that can be considered here ? [1]: https://aws.amazon.com/directconnect/features/

My customer has a Direct Connect Gateway and an Transit Gateway association. They asked a question if the TGW ASN will be visible on the on-prem side e.g. via the AS path list on received routing updates?

When terminating the VPN on public VIF, if there is an Internet reachable public IP in the path, how can you protect it from things like DDoS?

Two of my customers want to use DX (with VPN) connected to a TGW with an additional VPN failover. They want to avoid routing traffic over that failover link unless the primary DX isn’t routing traffic. All VPN connections seem to default to ECMP if you enable ECMP on the TGW, meaning all traffic is split across all VPN links all the time. Could you do BGP route manipulation on the on-prem side to achieve this? A combination of advertising a lower-cost route for AWS->on-prem traffic, and AS path prepending for on-prem->AWS?

My customer is uing Veritas Netbackup 8.2 and CloudCatalyst to backup to S3 buckets over the internet and they want to leverage existing Direct Connect connection - bandwidth and data transfer rate is not an issue (see below). I see two options, either via Public VIF or an EC2 Proxy instance. What would you recommend? 2x DX = 500Mbps Data Transfer = 200GB/daily

Hello, I have a customer that is looking at migrating their existing PrivateVIF/DXGW/VGW setup to use TGW. The new setup will preferably be using TransitVIF/DXGW/TGW/VPC. Has anyone executed this change? In this case, for minimal downtime, is it feasible to setup transitVIF/DXGW/TGW/VPC as a passive link to the original connection and failover? If it is possible, how do we handle the moving parts such as: 1) VPC Route tables changes, TGW routing 2) Can we use AS-Path prepend, Local pref to make sure that the redundant link of transitVIF/DXGW/TGW/VPC be the passive link until failover? Thanks

Is there a way to check the port-hour of a DX on the console? Where can the customer/ partner check the current costs of port-hour on the console? I'd like to know if there is a way to find this info besides from the monthly invoice.

A little talked about feature I found recently was this https://docs.aws.amazon.com/directconnect/latest/UserGuide/allowed-to-prefixes.html If I read this correctly, this seems to act like policies on prefixes to advertise over DXGW back to on-premises, and that this is only available via Direct Connect Gateway. Am I interpreting the docs correctly? The docs are written pretty sparsely.

Our public virtual interface routing policies for AWS Direct Connect state that "[**AWS Direct Connect advertises prefixes with a minimum path length of 3.**][1]" We prepend ASN 7224 to the AS PATH over Direct Connect even twice to reach a minimum path length of 3. AS PATH field for a route learned over public VIF could be "7224 7224 16509". - Why is AWS Direct Connect advertising prefixes with a minimum path length of 3? - [Is it correct that we try to make the route look worse compared to other routes for the same network?] [2] [1]: https://docs.aws.amazon.com/directconnect/latest/UserGuide/routing-and-bgp.html#routing-policies [2]: https://forums.aws.amazon.com/thread.jspa?threadID=290430

Customer wants to test that the connection is in place from the their network through the Colocation facility while waiting on the DX to be created, is it possible to give them an IP they can ping to see if all the connectivity is established?

We're looking at using AWS Direct Connect to connect our on-premises data center with AWS. Is it possible to split the connection bandwidth between different resources and assign specific bandwidths to each resource? For example: We have two workloads—production and development. Both workloads are used for ingesting data from on-premises Kafka using a Direct Connect connection. Is there a way to ensure that the development account consumes only 10% of the Direct Connect connection bandwidth and can't consume more, since going over 10% may affect the production workload?

My customer has got 2 Direct Connect connections(active/passive) setup in payer master account. The current state network architecture is like :- DxCon(inside payer master) --> PrivateHostedVIF(hosted VIF to member account) --> DxGWY(inside member account)--> VGW -->VPC AWS has been engaged to deploy the LZ solution. We would like to transfer ownership of "DxCons" from payer master to a new network account(created via ALZ/CT). As per the publicly available [doco][1] "DxCon transfer" can be done by opening AWS support cases. I would like to understand the impact of this DxCon transfer on current VIFs. My understanding is that VIFs have to be recreated under new network account. Has anyone done something similar in the past ? What would be the recommended DxCon migration strategy with minimal impact on customer workloads. **Current Org Setup Details** At present, The customer has got 9 accounts in total with 1 Payer master and 8 member accounts. Out of the 8 member accounts, 2 accounts are prod having live workloads [1]: https://aws.amazon.com/premiumsupport/knowledge-center/transfer-direct-connect/

A customer is asking the following question. "I would like to know if more can be done to verify that physical transit paths are diverse, etc. Our other providers certify that redundant circuits enter the building at different locations and have fully diverse physical paths." The customer currently has two DX connections from a single DX location and was hoping we could provide more information on this. Do we have any documentation on this matter? We have confirmed that they are using two separate devices at the DX location but I wasn't sure if we know about the paths as well. It seems like this would be dependent on the DX provider.

What is the Current max number of 10G for a LAG, are there any document that you can help me out, any pros and cons on the same.

A customer is looking to implement Storage Gateway (File Gateway) but has some concerns around security and keeping all traffic away from the internet and going via their DX connection. As per this document https://docs.aws.amazon.com/storagegateway/latest/userguide/using-dx.html it looks supportable but wondered if we have any best practice guidance or if there are any known pit falls (ie does any traffic still go via the internet etc)? thanks

We can associate multiple TGWs to DX GW. Could we route in following scenario? Transit Gateway (account-1) to Direct Connect Gateway (account-2) to Transit Gateway (account-2) , all within same region or inter-region? Initial thoughts are NO, because we can: - Either do TGW to TGW peering (inter-region only?) - Or attach VPC from account-2, direct to TGW in account-1 (same region only?)

A customer has decided to use DirectConnect(DX) and VPN. So if DX failed, they want to fail over to VPN. But it takes about 20~30 seconds. What configuration does it effect to this long fail over time? AWS VPN Configuration is below ``` config vpn ipsec phase1-interface edit "transit-KR.P***" set interface "Loopbk" set local-gw 182.###.###.### set keylife 28800 set proposal aes128-sha1 set dhgrp 2 set remote-gw 15.###.###.### set psksecret . set dpd-retryinterval 1 set dpd enable set comments "aws-transit-****" next edit "transit-KR.****" set interface "Loopbk" set local-gw 182.###.###.### set keylife 28800 set proposal aes128-sha1 set dhgrp 2 set remote-gw 52.###.###.### set psksecret x set dpd-retryinterval 1 set dpd enable set comments "aws-transit-***" next end config vpn ipsec phase2-interface edit "transit-KR.####" set phase1name "transit-KR.####" set proposal aes128-sha1 set dhgrp 2 set keylifeseconds 3600 next edit "transit-KR.****" set phase1name "transit-KR.****" set proposal aes128-sha1 set dhgrp 2 set keylifeseconds 3600 next end config system interface edit "transit-KR.####" set ip 169.###.###.### 255.255.255.255 set allowaccess ping set tcp-mss 1387 set remote-ip 169.###.###.### set description "aws-transit-****" next edit "transit-KR****" set ip 169.###.###.### 255.255.255.255 set allowaccess ping set tcp-mss 1387 set remote-ip 169.###.###.### set description "aws-transit-****" next end config router bgp config neighbor edit "169.###.###.###" set remote-as 64514 set route-map-in aws-transitgw set route-map-out non-transit next edit "169.###.###.###" set remote-as 64514 set route-map-in aws-transitgw set route-map-out non-transit next end end *****-FW-1 $ get router info bgp nei 169.###.###.### routes BGP table version is 6042, local router ID is 182.###.###.### Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, S Stale Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight Path * 10.80.64.0/18 169.###.###.### 100 0 64514 e *> 10.80.120.0/24 169.###.###.### 100 0 64514 e Total number of prefixes 2 ``` DX bgp configuration is below ``` interface g3/7.30 description AWS_DX_vpc_test logging event subif-link-status no ip redirects encapsulation dot1Q 30 ip address 172.16.1.57 255.255.255.252 bfd interval 100 min_rx 100 multiplier 3 ip as-path access-list 92 permit ^64513$ ip prefix-list ***-OUT-IPLIST seq 10 permit 10.56.0.0/13 le 32 ip prefix-list ***-OUT-IPLIST seq 20 permit 10.64.0.0/13 le 32 ip prefix-list ***-OUT-IPLIST seq 30 permit 10.28.0.0/14 le 32 ip prefix-list ***-OUT-IPLIST seq 40 permit 172.16.128.0/23 le 32 ip prefix-list ***-IN-IPLIST seq 10 permit 10.80.0.0/12 le 32 route-map AWS-KR-IN permit 10 match ip address prefix-list ***-IN-IPLIST match as-path 92 set local-preference 100 set community 9710:1493 route-map ***-OUT permit 10 match ip address prefix-list ***-OUT-IPLIST match as-path 1 set community none router bgp 64710 neighbor 172.16.1.58 remote-as 64513 neighbor 172.16.1.58 password ********** neighbor 172.16.1.58 description AWS dx-transitgw test neighbor 172.16.1.58 soft-reconfiguration inbound neighbor 172.16.1.58 route-map ***-IN in neighbor 172.16.1.58 route-map ***-OUT out neighbor 172.16.1.58 fall-over bfd ``` VPN config is downloaded from AWS VPN Config.

Hello Networking TFC I noticed this in the FAQ for Public VIFs For publicly addressable AWS resources (for example, Amazon S3 buckets, Classic EC2 instances, or EC2 traffic that goes through an internet gateway), if the outbound traffic is destined for public prefixes owned by the same AWS payer account and actively advertised to AWS through an AWS Direct Connect public virtual Interface, the Data Transfer Out (DTO) usage is metered toward the resource owner at AWS Direct Connect data transfer rate. However it leaves the customer wanting to understand some scenarios, is this the same for hosted public VIF, and what if accounts are not in the same AWS organizations (different payer ) Example Scenario - Account A has the DX connection, and its own public VIF - Account B (not in AWS organizations with account A) was given a hosted public VIF from account A - Account C unrelated to Account A or B Scenario billing questions – please just respond with yes or no on the billing items so we can help the customer predict billings. - Scenario 1 - Account B S3 bucket, data transfer out to account B DX on premises. - Account A S3 egress yes/no - Account A DX egress yes/no - Account B S3 egress yes/no - Account B DX egress yes/no - Scenario 2 - Account B S3 bucket, data transfer out to account A DX on premises. - Account A S3 egress yes/no - Account A DX egress yes/no - Account B S3 egress yes/no - Account B DX egress yes/no - Scenario 3 - Account A S3 bucket, data transfer out to account B DX on premises. - Account A S3 egress yes/no - Account A DX egress yes/no - Account B S3 egress yes/no - Account B DX egress yes/no - Scenario 4 - Account C S3 bucket, data transfer out to account B DX on premises. - Account A S3 egress yes/no - Account A DX egress yes/no - Account B S3 egress yes/no - Account B DX egress yes/no Thanks in advance

Customer is currently carving out one subsidiary to a new AWS Organization. We already migrated AWS Accounts to the new Organization and the process was smooth so far. The customer has redundant 10GE dedicated DX connections in a dedicated AWS Networking Account living in the old AWS Organization, mostly using Direct Connect Gateway with associations to VPCs in their AWS Accounts, both in their old and in their new Organization. The migration of AWS Accounts with VPCs associated to the DX Gateways was disruption free, we did not lose a packet, when we migrated these AWS Accounts to the new AWS Organization. We now want to migrate the AWS Networking Account in which we have the DX connections, DX Gateways, etc to the new Organisation. Will this also be possible without disruption? Are there any pitfalls? I am aware of the [process to migrate DX Connections to another Account,](https://aws.amazon.com/premiumsupport/knowledge-center/transfer-direct-connect/) but we actually want to move the whole AWS Account itself to save efforts and time.

We know Direct Connect and the DX Gateway can support Jumbo Frame (8500 for Transit Virtual Interface/9001 for Private Virtual interface), but does the TGW to VPC peering connection support Jumbo Frames? Trying to determine if we could even get jumbo frames all the way from an EC2 instance in a VPC connected to a TGW back to a customer CNF via Direct Connect.

hi, All Customer is try to change from Private VIF direct attach to VGW to direct connect gateway. The question is: during the operation, one VIF will attach to VGW and the other VIF will attache to DX-GW. This VGW is also associated with the DX-GW. How VGW decide the route priority from connected VIF and DX-GW. Will the "as-path" or "community" still work? Thanks

Is it possible to BGP peer DX VIF's across regions, without a dedicated (customer) BGP router? We only have infrastructure in the Cloud, we could spin up a network appliance in the VPC, but it seems like we need something directly on the other end of DX/VPLS for this. This is pretty much the same question as https://forums.aws.amazon.com/click.jspa?searchID=12352637&messageID=814856 raised 2 years ago, just hoping ideas had changed since then. Any direction would be greatly appreciated. Thanks

Are "Bring your own IP" addresses advertised over a DX public VIF? I'm assuming they would be, as the process authorizes Amazon to advertise it outward, but my customer is looking for confirmation.

What is the lag time to move from a 1G to 10G DX connection? Is there a downtime?

I have a question from a customer: > We are planning on installing 2 new DX for the ap-southeast-1 > (Singapore) region. We would prefer to be in Equinix facilities as we > already have a relationship with them. I have earmarked HK1 and SG2 > as possibilities but I notice that they have a different Associated > AWS region but are in the same Direct Connect Geographical Region. > Please can you confirm that these are a valid choice? Is it ok to have a Direct Connect Location such as HK1 connecting to a non "Associated AWS Region" like Singapore?

A customer currently has a VPN connected to a VPC with a VPG using static routing. They would like to switch to have a Direct Connect connected to a Transit Gateway which is connected to the VPC. They are wanting to know how to do this migration with limited downtime. I've tried to find any guides around doing this type of migration, but haven't been able to find anything. I'm assuming that this is a little trickier due to them using static routing on the existing VPN connection, but not sure how or if that would change anything. Any guidance on this process would be helpful. Thanks!

Who is responsible for data transfer OUT charges when the transfer is originated by a VPC in one account, and that data passes through a Transit Gateway in another account on its way out through a Direct Connect (DX and TGW owned by the same account)? ***Details*** With the recent announcement on Direct Connect granular cost allocation (https://aws.amazon.com/about-aws/whats-new/2019/10/aws-direct-connect-aws-direct-connect-announces-the-support-for-granular-cost-allocation-and-removal-of-payer-id-restriction-for-direct-connect-gateway-association/), it is stated that we now "allocate Data Transfer Out charges to the AWS account responsible for the Data Transfer." I have a customer who acts as a transport service provider, and they own multiple DX connections that they plan to connect to Transit Gateways via a Transit VIF and DX-GW. The customers of my customer have VPCs in separate accounts that will be connected to my customer's TGW. With my customer owning the TGW, I am unclear on whether the cost allocation per the above announcement will consider the owner of the TGW responsible for the data transfer OUT, or whether that responsibility will be attributed to the owner of the VPC that originated the transfer. Also, if traffic routes through a firewall or IPS in Transit VPC owned by the DX an TGW owner on the way out of AWS, will that change the consideration of cost allocation?

How to move from a 1G to 10G Direct Connect (DX) connection and manage the transition to the new link?

My customer wants to connect datacenter in Germany to us-west-2 AWS. They are considering a Direct Connect partner and the question is how to get traffic into us-west-2. Would Direct Connect Gateway solve this problem? As far as I understand Direct Conncet Gateway will allow on-prem to connect to any region on AWS. Any limitations other than what's called out in FAQ?

My customer is a Direct Connect partner that provisioned a Direct Connect service for a customer and tied it into the customer's existing ELAN VPLS WAN. As I write this, I'm not sure what size subnet the customer is using on their WAN, but pretty sure it's shorter than a /30 :) What are the valid subnet sizes that we will accept on a private VIF? Also, if you have any thoughts on this design, I'd be open to hearing them. Concerns I have: 1/ can the customer assign a subnet shorter than a /30 on the VIF, 2/ any spoke on the WAN can hit the Direct Connect; unsure if customer realizes/wants that.

With reference to the Direct Connect limit "[Number of prefixes per AWS Transit Gateway from AWS to on-premise on a transit virtual interface][1]" (20). My interpretation of this is that if you had, say, 25 VPC attachments on a TGW, 5 CIDRs would not be advertised to the Customer Gateway. Are the 5 prefixes just suppressed from BGP Updates? Does the BGP neighbor relationship take a hit (similar to exceeding the inbound prefix limit)? How are others designing around this limitation in situations where the customer has > 20 VPC attachments? [1]: https://docs.aws.amazon.com/directconnect/latest/UserGuide/limits.html

Is there a list of Direct Connect locations supporting jumbo frames? My customer wants jumbo frames enabled for us-west-2; any locations into us-west-2 support that?

I have a customer that is trying to setup a Direct Connect into both a commercial account and a GovCloud account and associate it with a Transit Gateway. It looks like the recommended way to do this is to create a Direct Connect Gateway in the commercial account and that will get automatically propagated to the associated GovCloud account. From there you can associate a Transit Gateway to the corresponding Direct Connect Gateway. My question is how do you set this up if you need to have VPN over Direct Connect for the GovCloud account (and potentially not need it for the commercial account)? I see other posts that talk about configuring VPN over Direct Connect and then associating the VPN with the Transit Gateway. Would you use this method for the GovCloud account and then the DX -> DXGW -> TGW method for the commercial account? Thanks

Is there any way to limit bandwidth consumption per account or application sharing a Direct Connect link. Is bandwidth/traffic shaping possible?

Customer who has a datacentre with no access to internet but is connected to AWS via direct connect. Is it possible to use AWS managed network services to reach the internet? The customer would prefer to consume services provided and managed by AWS instead of looking for third party NAT devices/systems. If this is possible, is it cost effective / best practice?

My customer will have Kubernetes clusters with thousands of pods. Each pod will get a IP address. They don't want all these IPs to be propagated back to on-premises network. Just want the host EC2 IPs to be propagated. Is this possible and how to selectively hide CIDR in VPC when they are using BGP Dynamic routing.

How can you test multiple 10G Direct Connect connection for things like throughput, latency, and path selection?

One of my customer want to connect with their customers in the following scenarios:- Scenario with their Customer A Their Customer A has a Direct Connect and they need to get connectivity to private APIs that are in their Customer A's on premise data center. I think they can use PrivateLink. Need confirmation/validation and also things to watch out for (things that might not be supported etc.). https://aws.amazon.com/blogs/aws/aws-privatelink-update-vpc-endpoints-for-your-own-applications-services/ Scenario with their Customer B Their Customer B has a Direct Connect and wants to leverage Transit Gateway with multiple VPC to achieve something similar. Again need validation if this approach works and things to watch out for. https://aws.amazon.com/blogs/aws/use-aws-transit-gateway-direct-connect-to-centralize-and-streamline-your-network-connectivity/ Also, what should be our recommended option or pros and cons of the two solutions.

Do we have a blanket prioritization of path for DX over the internet for a public VIF? For example, if a customer advertises a pair of /23 through their ISP, and a single /22 over the DX will we send the traffic to them over the internet, or over the DX? The prefix example is contrived, but does serve to illustrate the larger question- do we weight connection type of DX over public internet routing irrespective of all other traditional routing considerations? The FAQ doc lists the following: *"AS_PATH is used to determine the routing path, and AWS Direct Connect is the preferred path for traffic sourced from Amazon. Only public ASNs are used internally for route selection."*, but being in the AS_PATH section makes me want to double check. Thanks!

A customer is looking to attach DX's to multiple VPC's via Transit Gateway. DX's are connected to Transit Gateways via DX Gateways. DXGW's can receive and propagate routes to a VPC via BGP. Is it correct to say: 1. DXGW and TXGW can exchange routes advertised to DXGW from on-prem to the TXGW route table 2. Since TXGW can't propagate routes to the VPC routing table, one loses the ability to propagate on-prem routes to the VPC routing table via BGP, therefore requiring statics? Looking for guidance on how route propagation flows through the stack.

My customer is expanding an existing VPC by adding secondary CIDR blocks , which is in different range than original (VPC is in 10.xxx range, and expanded CIDR blocks are in 100.xx range). VPC is connected to on premises using Direct Connect . What are the changes required so that the instances in subnets under the secondary CIDR block range can communicate over direct connect and receive traffic back from on premises?

Privatelink (Endpoint services) states support for connections over Direct Connect. I'd like confirmation that this also applies in the cases where the customer's direct connect plugs in Direct Connect Gateway rather than having the VIF plugged directly in the VPC. Scenario Customer A (service provider) exposes SaaS as a privatelink to customer B (service consumer). Customer B requires private connectivity (governance) so they will provision an AWS account and DX for that purpose - rather than just creating the vif and attaching it to the VPC , customer B will connect it to a DX gateway and create the vif at the other side to the VPC, if customer A SaaS needs to DR to another region customer B can also 'DR' their connectivity to the same DR region as the SaaS app. Valid setup/solution?

I have a customer who will have a primary account to host redundant DX connections and utilize hosted VIFs for child accounts. Because the aggregate bandwidth is shared across all VIFs (Dev, Prod, ProgramA, ProgramB), the customer would like to implement some sort of QoS on the VIFs so the programs don't have to worry about their 'noisy neighbors.' From previous posts, i know that customers can utilize the APN to purchase sub 1G connections. I also know that customers need to implement the QoS on their side and avoid utilizing protocols that require configuration on both sides of a duplex link (DiffServ).......but I'm looking to provide more prescriptive guidance. Is the easiest way for customer to get QoS per-VIF on their side of the connection by using VLAN-based QoS? Something like what is described by Cisco here: [https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/qos/521_n1_1/b_5k_QoS_Config_521N11/b_5k_QoS_Config_521N11_chapter_01000.pdf](https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/qos/521_n1_1/b_5k_QoS_Config_521N11/b_5k_QoS_Config_521N11_chapter_01000.pdf) Amy I missing anything? Any other ways to do this?

My customer wants to know how to have multiple VPCs in different AWS accounts use the same physical Direct Connect circuit. They can do the VIFs. They just need to know how to have multiple VIFs to a single circuit.

Is there any cost associated with using Direct Connect Gateway?

A customer wants to establish policy based VPN connectivity from AWS to their data center. I looked at various documentation and still cannot determine whether we can support this or not. Here are the links I’ve reviewed so far: http://www.mycodingpains.com/establish-policy-based-vpn-connection-aws-hardware-vpn/ https://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/GenericConfigNoBGP.html#DetailedViewCustomerGateway6 questions are: Can we do this with AWS What configuration setting makes the VPN setup policy based? Route based? Thank you

What is the approximate timeline for the Direct Connect LOA-CFA to become available once the connection request is submitted?

Can an existing AWS Direct Connect connection be upgraded from 1 Gbps to 10 Gbps or does a new 10 Gbps connection need to be created then the 1 Gbps deleted?

Do VPC Flow Logs capture traffic between the VPC and DX? I would assume yes, but wanted to be 100% correct.