Is it better to have a single Direct Connect Gateway or multiple Direct Connect Gateways?
I'm trying to connect multiple VPCs (VPC-A, VPC-B) and multiple data centers (DC-A, DC-B) using Direct Connect Gateway (DCGW).
Which of the following configurations is better? Is it better to have a single Direct Connect Gateway or multiple Direct Connect Gateways?
1) VPC-A, VPC-B <-> DCGW <-> DC-A, DC-B
2) VPC-A, VPC-B <-> DCGW-A <-> DC-A
   VPC-A, VPC-B <-> DCGW-B <-> DC-B
Accepted Answer | AWS Direct Connect | 1 answer | 0 votes | 3 views | asked a month ago
How do we correctly link the DC Gateway into the VPC? Is a VG required?
I'm struggling to get my head around a lot of the AWS information.
We have a Direct Connection and it's half working. The DC Gateway has a virtual interface that links to my onsite hardware.
Ping works. BGP works.
The DC has no other associated gateways.
I think what I'm supposed to do is create a Virtual Private gateway that links to a VPC. I can do this, and it sort of works, to the extent that the subnets that are in the VPC can be successfully advertised over the BGP session to my hardware.
However, it doesn't actually work because I can't exchange traffic with IP addresses inside the VPC from my onsite hardware anyway.
So what gives me pause here is when I try to create the Private gateway, the string appears:
"A virtual private gateway is the router on the Amazon side of the VPN tunnel."
but I don't want AWS to set up a VPN tunnel. Also, that VPG wants an AS configured, which implies that it wants to do BGP peering into the VPC with some device that's talking BGP back to it, which doesn't seem right to me.
So how and where do I configure the VPC side of the DC gateway? Where do I type in a static IP that will be the default gateway for my VPC's subnet, so that the instances can send packets to that IP which will arrive at the hardware end of my AWS DC?
Also -- with no traditional console access to the "router" that forms the AWS side of the DC, how do we do packet captures and other debugging to find out where packets are being lost?
Edited by: DC-Client on Sep 1, 2021 4:25 PM
Accepted Answer | AWS Direct Connect | 1 answer | 0 votes | 11 views | asked 9 months ago
[On-Premise] Best practice on connecting to on-premise
A customer wants to connect AWS with their on-premise network.
Is there a best practice on connecting AWS to on-premise?
I searched the Internet but couldn't find any self-help questions or guidance on best practices.
From my research, it seems reasonable to enable Site-to-Site VPN (for brevity, S2S) first and then enable Direct Connect (DX) when there is a need for a stable connection. If extra stability is needed, then consider S2S + DX simultaneously. Is this a good approach?
For now, the customer does not have a good estimate on how much the throughput will be and their PoC is just starting. They want to wait and see how it goes.
Could you provide me with some good advice?
Thank you!
Accepted Answer | AWS Direct Connect | 1 answer | 0 votes | 7 views | asked a year ago
Direct Connect Failover with two Virtual Interfaces (VIFs)
I want to test a Direct Connect (DX) failover using two VIFs on the same Direct Connect connection, following the documentation [AWS Direct Connect Failover Test](https://docs.aws.amazon.com/directconnect/latest/UserGuide/resilency_failover.html). Is a resiliency model of at least two Direct Connect connections required for this type of failover testing?
Accepted Answer | AWS Direct Connect | 1 answer | 0 votes | 4 views | asked a year ago
Are there any additional costs for cross-Region data transfers through AWS Direct Connect?
We have Direct Connect service in two different AWS Regions. If we trombone traffic from the first Region to the second Region using Direct Connect through our data center, will we get billed for cross-Region network costs?
Accepted Answer | AWS Direct Connect | 1 answer | 0 votes | 3 views | asked a year ago
VPN over Direct Connect with Direct Connect Gateway
Hello
Can Direct Connect Gateway be used to connect multiple on-premise sites to multiple AWS VPCs? In addition, is it possible to set up VPN over Direct Connect to encrypt the traffic from on-premise to AWS?
Is this possible via AWS Direct Connect Gateway?
Thanks,
Accepted Answer | AWS Direct Connect | 1 answer | 0 votes | 4 views | asked a year ago
Business case for direct connect vs VPN
Hello,
My customer is starting with AWS and is running a few workloads on our cloud already. They are looking at interconnecting their data centers with AWS and we presented the different options VPN vs Direct Connect.
This is what we shared to compare both:
VPN:
- Over the Internet
- Easy to install, set up in minutes
- Bandwidth: 1 VPN tunnel = 1.25 Gbps
- Encryption: Encrypted in transit
- Cost: Charged per hour per VPN connection + data transfer (0.9€/GB)
Direct connect:
- Physical, dedicated connection (not using the internet) = consistent performance, reduced bandwidth costs
- Some set-up time required, can be a few days
- Bandwidth: Direct Connect Connection = 50 Mbps–10Gbps
- Encryption: Not encrypted in transit but can be combined with VPN to have encryption
- Cost: Charged per port hour + data transfer (0.2€/GB)
We also said that a VPN is good to start with, or when the cloud is only used for test and development, but that a direct connect is better in case they want to migrate applications to the cloud, use a split-tier architecture, or want to use our cloud as a disaster site, for example. Data transfer costs are also lower with direct connect, so in case they are transferring a lot of data, a direct connect might be cheaper.
My questions are:
- Is there a white paper or another document comparing direct connect vs VPN that I could share with the customer?
- Do we have a list of use cases requiring direct connect that my customer could use to justify a direct connect?
- Do we have a business case for direct connect vs VPN? I mean, can direct connect become cheaper than VPN if there is a lot of data transfer, for example?
Thanks for your help
Accepted Answer | AWS Direct Connect | 1 answer | 0 votes | 3 views | asked 2 years ago
Port-hour direct connect
Is there a way to check the port-hours of a DX on the console?
Where can the customer/partner check the current costs of port-hours on the console?
I'd like to know if there is a way to find this info besides the monthly invoice.
Accepted Answer | AWS Direct Connect | 1 answer | 0 votes | 6 views | asked 2 years ago
Why is AWS Direct Connect advertising prefixes with a minimum path length of 3?
Our public virtual interface routing policies for AWS Direct Connect state that "[**AWS Direct Connect advertises prefixes with a minimum path length of 3.**][1]"
We prepend ASN 7224 to the AS PATH over Direct Connect, even twice, to reach a minimum path length of 3. The AS PATH field for a route learned over a public VIF could be "7224 7224 16509".
- Why is AWS Direct Connect advertising prefixes with a minimum path length of 3?
- [Is it correct that we try to make the route look worse compared to other routes for the same network?][2]
[1]: https://docs.aws.amazon.com/directconnect/latest/UserGuide/routing-and-bgp.html#routing-policies
[2]: https://forums.aws.amazon.com/thread.jspa?threadID=290430
Accepted Answer | AWS Direct Connect | 1 answer | 0 votes | 10 views | asked 2 years ago
Can I split an AWS Direct Connect connection and assign specific bandwidths to different resources?
We're looking at using AWS Direct Connect to connect our on-premises data center with AWS. Is it possible to split the connection bandwidth between different resources and assign specific bandwidths to each resource?
For example: We have two workloads—production and development. Both workloads are used for ingesting data from on-premises Kafka using a Direct Connect connection. Is there a way to ensure that the development account consumes only 10% of the Direct Connect connection bandwidth and can't consume more, since going over 10% may affect the production workload?
Accepted Answer | AWS Direct Connect | 1 answer | 0 votes | 2 views | asked 2 years ago
Direct Connect Connection Ownership Transfer
My customer has 2 Direct Connect connections (active/passive) set up in the payer master account. The current network architecture is as follows:
DxCon(inside payer master) --> PrivateHostedVIF(hosted VIF to member account) --> DxGWY(inside member account)--> VGW -->VPC
AWS has been engaged to deploy the LZ solution. We would like to transfer ownership of the "DxCons" from the payer master to a new network account (created via ALZ/CT).
As per the publicly available [doco][1], a "DxCon transfer" can be done by opening AWS support cases. I would like to understand the impact of this DxCon transfer on the current VIFs. My understanding is that the VIFs have to be recreated under the new network account.
Has anyone done something similar in the past? What would be the recommended DxCon migration strategy with minimal impact on customer workloads?
**Current Org Setup Details**
At present, the customer has 9 accounts in total: 1 payer master and 8 member accounts. Of the 8 member accounts, 2 are prod accounts with live workloads.
[1]: https://aws.amazon.com/premiumsupport/knowledge-center/transfer-direct-connect/
Accepted Answer | AWS Direct Connect | 1 answer | 0 votes | 3 views | asked 2 years ago
Direct Connect resilience
A customer is asking the following question.
"I would like to know if more can be done to verify that physical transit paths are diverse, etc. Our other providers certify that redundant circuits enter the building at different locations and have fully diverse physical paths."
The customer currently has two DX connections from a single DX location and was hoping we could provide more information on this. Do we have any documentation on this matter? We have confirmed that they are using two separate devices at the DX location, but I wasn't sure if we know about the paths as well. It seems like this would depend on the DX provider.
Accepted Answer | AWS Direct Connect | 1 answer | 0 votes | 1 view
How can we shorten failover time between DX and VPN?
A customer has decided to use Direct Connect (DX) and VPN.
So if DX fails, they want to fail over to VPN.
But it takes about 20~30 seconds.
What configuration affects this long failover time?
The AWS VPN configuration is below:
```
config vpn ipsec phase1-interface
edit "transit-KR.P***"
set interface "Loopbk"
set local-gw 182.###.###.###
set keylife 28800
set proposal aes128-sha1
set dhgrp 2
set remote-gw 15.###.###.###
set psksecret .
set dpd-retryinterval 1
set dpd enable
set comments "aws-transit-****"
next
edit "transit-KR.****"
set interface "Loopbk"
set local-gw 182.###.###.###
set keylife 28800
set proposal aes128-sha1
set dhgrp 2
set remote-gw 52.###.###.###
set psksecret x
set dpd-retryinterval 1
set dpd enable
set comments "aws-transit-***"
next
end
config vpn ipsec phase2-interface
edit "transit-KR.####"
set phase1name "transit-KR.####"
set proposal aes128-sha1
set dhgrp 2
set keylifeseconds 3600
next
edit "transit-KR.****"
set phase1name "transit-KR.****"
set proposal aes128-sha1
set dhgrp 2
set keylifeseconds 3600
next
end
config system interface
edit "transit-KR.####"
set ip 169.###.###.### 255.255.255.255
set allowaccess ping
set tcp-mss 1387
set remote-ip 169.###.###.###
set description "aws-transit-****"
next
edit "transit-KR****"
set ip 169.###.###.### 255.255.255.255
set allowaccess ping
set tcp-mss 1387
set remote-ip 169.###.###.###
set description "aws-transit-****"
next
end
config router bgp
config neighbor
edit "169.###.###.###"
set remote-as 64514
set route-map-in aws-transitgw
set route-map-out non-transit
next
edit "169.###.###.###"
set remote-as 64514
set route-map-in aws-transitgw
set route-map-out non-transit
next
end
end
*****-FW-1 $ get router info bgp nei 169.###.###.### routes
BGP table version is 6042, local router ID is 182.###.###.###
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
* 10.80.64.0/18 169.###.###.### 100 0 64514 e
*> 10.80.120.0/24 169.###.###.### 100 0 64514 e
Total number of prefixes 2
```
The DX BGP configuration is below:
```
interface g3/7.30
description AWS_DX_vpc_test
logging event subif-link-status
no ip redirects
encapsulation dot1Q 30
ip address 172.16.1.57 255.255.255.252
bfd interval 100 min_rx 100 multiplier 3
ip as-path access-list 92 permit ^64513$
ip prefix-list ***-OUT-IPLIST seq 10 permit 10.56.0.0/13 le 32
ip prefix-list ***-OUT-IPLIST seq 20 permit 10.64.0.0/13 le 32
ip prefix-list ***-OUT-IPLIST seq 30 permit 10.28.0.0/14 le 32
ip prefix-list ***-OUT-IPLIST seq 40 permit 172.16.128.0/23 le 32
ip prefix-list ***-IN-IPLIST seq 10 permit 10.80.0.0/12 le 32
route-map AWS-KR-IN permit 10
match ip address prefix-list ***-IN-IPLIST
match as-path 92
set local-preference 100
set community 9710:1493
route-map ***-OUT permit 10
match ip address prefix-list ***-OUT-IPLIST
match as-path 1
set community none
router bgp 64710
neighbor 172.16.1.58 remote-as 64513
neighbor 172.16.1.58 password **********
neighbor 172.16.1.58 description AWS dx-transitgw test
neighbor 172.16.1.58 soft-reconfiguration inbound
neighbor 172.16.1.58 route-map ***-IN in
neighbor 172.16.1.58 route-map ***-OUT out
neighbor 172.16.1.58 fall-over bfd
```
The VPN config was downloaded from the AWS VPN configuration.
Accepted Answer | AWS Direct Connect | 1 answer | 0 votes | 4 views | asked 2 years ago
Hosted public VIF data transfer egress billing scenario clarification
Hello Networking TFC,
I noticed this in the FAQ for Public VIFs:
For publicly addressable AWS resources (for example, Amazon S3 buckets, Classic EC2 instances, or EC2 traffic that goes through an internet gateway), if the outbound traffic is destined for public prefixes owned by the same AWS payer account and actively advertised to AWS through an AWS Direct Connect public virtual Interface, the Data Transfer Out (DTO) usage is metered toward the resource owner at AWS Direct Connect data transfer rate.
However, it leaves the customer wanting to understand some scenarios: is this the same for a hosted public VIF, and what if the accounts are not in the same AWS Organization (different payer)?
Example Scenario:
- Account A has the DX connection, and its own public VIF
- Account B (not in AWS organizations with account A) was given a hosted public VIF from account A
- Account C unrelated to Account A or B
Scenario billing questions (please just respond with yes or no on the billing items so we can help the customer predict billings):
- Scenario 1: Account B S3 bucket, data transfer out to account B DX on premises.
  - Account A S3 egress: yes/no
  - Account A DX egress: yes/no
  - Account B S3 egress: yes/no
  - Account B DX egress: yes/no
- Scenario 2: Account B S3 bucket, data transfer out to account A DX on premises.
  - Account A S3 egress: yes/no
  - Account A DX egress: yes/no
  - Account B S3 egress: yes/no
  - Account B DX egress: yes/no
- Scenario 3: Account A S3 bucket, data transfer out to account B DX on premises.
  - Account A S3 egress: yes/no
  - Account A DX egress: yes/no
  - Account B S3 egress: yes/no
  - Account B DX egress: yes/no
- Scenario 4: Account C S3 bucket, data transfer out to account B DX on premises.
  - Account A S3 egress: yes/no
  - Account A DX egress: yes/no
  - Account B S3 egress: yes/no
  - Account B DX egress: yes/no
Thanks in advance
Accepted Answer | AWS Direct Connect | 1 answer | 0 votes | 2 views | asked 2 years ago
Direct Connect Location with different associated AWS Region
I have a question from a customer:
> We are planning on installing 2 new DX for the ap-southeast-1
> (Singapore) region. We would prefer to be in Equinix facilities as we
> already have a relationship with them. I have earmarked HK1 and SG2
> as possibilities but I notice that they have a different Associated
> AWS region but are in the same Direct Connect Geographical Region.
> Please can you confirm that these are a valid choice?
Is it ok to have a Direct Connect Location such as HK1 connecting to a non "Associated AWS Region" like Singapore?
Accepted Answer | AWS Direct Connect | 1 answer | 0 votes | 3 views | asked 2 years ago
AWS Direct Connect traffic from on-prem DC to remote AWS Region
My customer wants to connect a datacenter in Germany to us-west-2 on AWS. They are considering a Direct Connect partner, and the question is how to get traffic into us-west-2.
Would Direct Connect Gateway solve this problem? As far as I understand, Direct Connect Gateway will allow on-prem to connect to any region on AWS.
Any limitations other than what's called out in the FAQ?
Accepted Answer | AWS Direct Connect | 1 answer | 0 votes | 4 views | asked 3 years ago
QoS for Hosted VIFs
I have a customer who will have a primary account to host redundant DX connections and utilize hosted VIFs for child accounts. Because the aggregate bandwidth is shared across all VIFs (Dev, Prod, ProgramA, ProgramB), the customer would like to implement some sort of QoS on the VIFs so the programs don't have to worry about their 'noisy neighbors.'
From previous posts, I know that customers can utilize the APN to purchase sub-1G connections. I also know that customers need to implement the QoS on their side and avoid utilizing protocols that require configuration on both sides of a duplex link (DiffServ), but I'm looking to provide more prescriptive guidance.
Is the easiest way for customer to get QoS per-VIF on their side of the connection by using VLAN-based QoS? Something like what is described by Cisco here: [https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/qos/521_n1_1/b_5k_QoS_Config_521N11/b_5k_QoS_Config_521N11_chapter_01000.pdf](https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/qos/521_n1_1/b_5k_QoS_Config_521N11/b_5k_QoS_Config_521N11_chapter_01000.pdf)
Am I missing anything? Any other ways to do this?
Accepted Answer | AWS Direct Connect | 1 answer | 0 votes | 2 views | asked 4 years ago
Policy based VPN in AWS
A customer wants to establish policy based VPN connectivity from AWS to their data center. I looked at various documentation and still cannot determine whether we can support this or not. Here are the links I’ve reviewed so far:
http://www.mycodingpains.com/establish-policy-based-vpn-connection-aws-hardware-vpn/
https://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/GenericConfigNoBGP.html#DetailedViewCustomerGateway6
Questions are:
Can we do this with AWS?
What configuration setting makes the VPN setup policy based? Route based?
Thank you
Accepted Answer | AWS Direct Connect | 1 answer | 0 votes | 54 views | asked 4 years ago