Last updated on November 29, 2025
AWS Direct Connect Cheat Sheet
- Using Direct Connect, data can now be delivered through a private network connection between AWS and your datacenter or corporate network.
- Direct Connect links your internal network to a Direct Connect location over a standard Ethernet fiber-optic cable. One end of the cable is connected to your router, the other to a Direct Connect router. With this connection, you can create virtual interfaces directly to public AWS services or to Amazon VPC.
- 1 Gbps, 10 Gbps, 100 Gbps, and 400 Gbps connections are available.
- Supports hosted connection capacities of 1, 2, 5, 10, and 25 Gbps. Hosted connections will provide customers with higher capacities that were previously only available via dedicated connections.
- AWS Direct Connect also supports AWS Transit Gateway, in addition to Site-to-Site VPN connections. With this feature, customers can connect thousands of Amazon VPCs in multiple AWS Regions to their on-premises networks using 1/2/5/10/25 Gbps AWS Direct Connect connections.
Beneficial Use Cases
- When transferring large data sets.
- When developing and using applications that use real-time data feeds.
- When building hybrid environments that satisfy regulatory requirements requiring the use of private connectivity.
Setting Up Methods
| Port speed | Method |
| --- | --- |
| 1 Gbps or higher | Connect directly to an AWS device from your router at an AWS Direct Connect location. |
| 1 Gbps or higher | Work with a partner in the AWS Partner Network or a network provider to connect a router from your data center, office, or colocation environment to an AWS Direct Connect location. The network provider does not have to be a member of the APN to connect you. |
| Less than 1 Gbps | Work with a partner in the AWS Partner Network who can create a hosted connection for you. Sign up for AWS and then follow the instructions to accept your hosted connection. |
- Recommendation: When configuring your connections, use the AWS Direct Connect Resiliency Toolkit. This wizard guides you through setting up redundant connections to meet specific SLA requirements:
  - Development and Test (Non-critical)
  - High Resiliency (2 connections)
  - Maximum Resiliency (Separate connections in separate locations)
- Components
- Connections – Create a connection in an AWS Direct Connect location to establish a network connection from your premises to an AWS Region. From Direct Connect you can connect to all AZs within the region.
- Virtual interfaces – Create a virtual interface to enable access to AWS services. A public virtual interface enables access to public services, such as S3. A private virtual interface enables access to your VPC.
- To access public resources in a remote Region, you must set up a public virtual interface and establish a Border Gateway Protocol session.
- You can create a Direct Connect gateway in any public Region. Use it to connect your Direct Connect connection over a private virtual interface to VPCs in your account that are located in different Regions.
- To provide for failover, request and configure two dedicated connections to AWS. These connections can terminate on one or two routers in your network. There are different configuration choices available:
  - Active/Active (BGP multipath) – This is the default configuration, where both connections are active. If one connection becomes unavailable, all traffic is routed through the other connection.
  - Active/Passive (failover) – One connection is handling traffic, and the other is on standby. If the active connection becomes unavailable, all traffic is routed through the passive connection.
- Failover Testing
  - Overview: A feature in the console that allows you to temporarily disable a BGP session to verify that traffic automatically routes to your redundant connection.
  - Use Case: Critical for validating “Maximum Resiliency” architectures without physically pulling cables.
- Autonomous System numbers (ASN) are used to identify networks that present a clearly defined external routing policy to the Internet.
- Cross Connects
- After you have downloaded your Letter of Authorization and Connecting Facility Assignment (LOA-CFA), you must complete your cross-network connection, also known as a cross connect.
- If you already have equipment located in a Direct Connect location, contact the appropriate provider to complete the cross connect.
- If you do not already have equipment located in a Direct Connect location, you can work with one of the partners in the AWS Partner Network to help you to connect to an AWS Direct Connect location.
- Virtual Interfaces
- You must create a virtual interface (VIF) to begin using your Direct Connect connection. A single Direct Connect connection can support multiple virtual interfaces.
- Private Virtual Interface: Used to connect to a single VPC, or to multiple VPCs when using a Direct Connect Gateway.
- Public Virtual Interface: Used to access all AWS public services via public IP routing.
- Transit Virtual Interface: Required for connecting to an AWS Transit Gateway; one Transit VIF enables connectivity to thousands of VPCs.
- Prerequisites
  - Connection: The Direct Connect connection or link aggregation group you will attach the VIF to.
  - Virtual Interface Name: A name for the virtual interface.
  - Virtual Interface Owner: Required if the VIF is created for another AWS account.
  - (Private VIF only) Connection To: Select the VPC or Direct Connect Gateway.
  - VLAN: A unique VLAN tag not already in use on the connection.
  - Address Family: Choose IPv4 or IPv6 for the BGP session.
  - Peer IP Addresses: Supports one IPv4 and/or one IPv6 BGP peering session (dual-stack allowed). You cannot create multiple BGP sessions of the same IP family on one VIF.
  - BGP Information: Your side’s ASN (public or private) and an optional MD5 key.
  - (Public VIF only) Advertised Prefixes: You must advertise at least one public IPv4 or IPv6 prefix through BGP.
- MTU (Maximum Transmission Unit)
  - Private VIF: Supports MTU 1500 or 9001 (jumbo frames).
  - Transit VIF: Supports MTU 1500 or 8500 (jumbo frames).
  - Public VIF: Does not support jumbo frames (MTU 1500 only).
  - Jumbo frames apply only to propagated routes over Direct Connect.
- Link Aggregation Groups (LAG)
  - A logical interface that uses the Link Aggregation Control Protocol to aggregate multiple connections at a single Direct Connect endpoint, allowing you to treat them as a single, managed connection.
  - All connections in the LAG must use the same bandwidth.
  - You can have a maximum of four connections in a LAG, i.e. up to 4 Direct Connect ports aggregated into a single connection. Each connection in the LAG counts towards your overall connection limit for the Region.
  - All connections in the LAG must terminate at the same Direct Connect endpoint.
  - All connections in a LAG operate in Active/Active mode.
  - AWS now supports LAGs for 100 Gbps and 400 Gbps connections as well.
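The VIF prerequisites, MTU limits and LAG membership rules above are easy to get wrong in a change request, so here is a plan checker that encodes them. This is an added example, not AWS or Tutorials Dojo code; the dict layout of the plan and the sample VIF, connection and endpoint identifiers are constructed for the example and are not a Direct Connect API shape.

```python
"""Plan checker for Direct Connect virtual interfaces and LAGs.

Added example, not AWS code. It encodes the VIF prerequisites, MTU limits and
LAG rules from the cheat sheet and runs them over a constructed plan. The dict
layout is an assumption made for this example, not a Direct Connect API shape.
"""
from collections import defaultdict

# MTU each VIF type supports: private and transit VIFs allow jumbo frames,
# public VIFs are limited to 1500.
ALLOWED_MTU = {"private": {1500, 9001}, "transit": {1500, 8500}, "public": {1500}}
LAG_MAX_CONNECTIONS = 4


def validate_vifs(vifs):
    """Return a list of problems; an empty list means every VIF passes."""
    problems = []
    vlans_in_use = defaultdict(set)  # connection/LAG id -> VLAN tags seen so far
    for vif in vifs:
        name, vtype, conn = vif["name"], vif["type"], vif["connection"]
        if vtype not in ALLOWED_MTU:
            problems.append(f"{name}: unknown VIF type {vtype!r}")
            continue
        # A VLAN tag may be used only once per connection (or LAG).
        if vif["vlan"] in vlans_in_use[conn]:
            problems.append(f"{name}: VLAN {vif['vlan']} is already in use on {conn}")
        vlans_in_use[conn].add(vif["vlan"])
        # MTU must be one the VIF type supports.
        mtu = vif.get("mtu", 1500)
        if mtu not in ALLOWED_MTU[vtype]:
            problems.append(f"{name}: MTU {mtu} is not supported on a {vtype} VIF")
        # One BGP session per address family: IPv4, IPv6 or both (dual-stack).
        families = [peer["family"] for peer in vif["bgp_peers"]]
        if not families:
            problems.append(f"{name}: at least one BGP peering session is required")
        for family in ("ipv4", "ipv6"):
            if families.count(family) > 1:
                problems.append(f"{name}: more than one {family} BGP session on one VIF")
        # A public VIF must advertise at least one public prefix over BGP.
        if vtype == "public" and not vif.get("advertised_prefixes"):
            problems.append(f"{name}: a public VIF must advertise at least one prefix")
    return problems


def validate_lag(lag):
    """Check the LAG membership rules: size, equal bandwidth, one endpoint."""
    problems = []
    members = lag["connections"]
    if len(members) > LAG_MAX_CONNECTIONS:
        problems.append(f"{lag['name']}: {len(members)} members, maximum is {LAG_MAX_CONNECTIONS}")
    if len({m["bandwidth"] for m in members}) > 1:
        problems.append(f"{lag['name']}: all members must use the same bandwidth")
    if len({m["endpoint"] for m in members}) > 1:
        problems.append(f"{lag['name']}: all members must terminate at the same endpoint")
    return problems


# Constructed sample plan: one valid private VIF and two VIFs with mistakes
# (public VIF with jumbo MTU and no prefix; transit VIF reusing VLAN 100 and
# carrying two IPv4 BGP sessions).
SAMPLE_VIFS = [
    {"name": "vif-prod-private", "type": "private", "connection": "dxcon-example-a",
     "vlan": 100, "mtu": 9001, "bgp_peers": [{"family": "ipv4"}]},
    {"name": "vif-s3-public", "type": "public", "connection": "dxcon-example-a",
     "vlan": 200, "mtu": 9001, "bgp_peers": [{"family": "ipv4"}],
     "advertised_prefixes": []},
    {"name": "vif-tgw-transit", "type": "transit", "connection": "dxcon-example-a",
     "vlan": 100, "mtu": 8500,
     "bgp_peers": [{"family": "ipv4"}, {"family": "ipv4"}]},
]
# Constructed LAG with one member whose bandwidth does not match the others.
SAMPLE_LAG = {"name": "dxlag-example", "connections": [
    {"id": "dxcon-example-b", "bandwidth": "10Gbps", "endpoint": "endpoint-example-1"},
    {"id": "dxcon-example-c", "bandwidth": "10Gbps", "endpoint": "endpoint-example-1"},
    {"id": "dxcon-example-d", "bandwidth": "1Gbps", "endpoint": "endpoint-example-1"},
]}

if __name__ == "__main__":
    for problem in validate_vifs(SAMPLE_VIFS) + validate_lag(SAMPLE_LAG):
        print(problem)
```

Running the file lists four VIF problems and one LAG problem for the constructed plan; feed it your own planned VIFs before raising the console or CLI requests.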
- Direct Connect Gateways
- Use a Direct Connect gateway to connect your Direct Connect connection over a private virtual interface to one or more VPCs in your account that are located in the same or different Regions.
- It is a globally available resource.
- Direct Connect gateway also enables you to connect between your on-premises networks and Amazon Virtual Private Cloud (Amazon VPC) in any commercial AWS Region except in China regions.
- Limits: You can associate up to 20 Amazon VPCs (via Virtual Private Gateways) with a single Direct Connect Gateway.
- Transit Gateway Support: You can also associate up to 6 Transit Gateways with a single Direct Connect Gateway.
- Note: Multi-account support allows you to associate VPCs and Transit Gateways from multiple AWS accounts with a single Direct Connect gateway. The previous requirement for accounts to be under the same AWS Payer ID has been removed.
- AWS Direct Connect SiteLink
- The SiteLink feature makes it easy to create private network connections between your on-premises locations (e.g. offices, data centers) around the globe. This is done by connecting each location to a Direct Connect location and carrying the traffic between them over the AWS global network.
- Using the feature, you can link your on-premises data centers to Direct Connect and send data between them over the shortest path between your AWS Direct Connect locations.
- AWS Direct Connect Security
- Use IAM for controlling access.
- MACsec (Layer 2 Encryption)
  - Overview: Provides point-to-point encryption between your on-premises router and the AWS Direct Connect port.
  - Supported Speeds: Available for 10 Gbps, 100 Gbps, and 400 Gbps dedicated connections.
  - Key Difference: Unlike VPN (Layer 3 IPsec), MACsec encrypts data at the Ethernet level (Layer 2), offering higher performance and lower latency for high-speed links.
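Because MACsec is only offered on the dedicated speeds listed above and has to be explicitly enforced per connection, a periodic posture check is worth automating. The audit below is an added example, not AWS code: it walks connection records shaped like the `connections` array that `aws directconnect describe-connections` returns (field names `connectionId`, `bandwidth`, `macSecCapable`, `encryptionMode`, `portEncryptionStatus`; the `portEncryptionStatus` values are an assumption from the API documentation, so verify them against your own output) and flags connections that are not enforcing Layer 2 encryption. The four sample records are constructed.

```python
"""MACsec posture audit for Direct Connect dedicated connections.

Added example, not AWS code. Records are shaped like the `connections` array
from `aws directconnect describe-connections`; the sample data is constructed.
"""

# Dedicated connection speeds on which MACsec is offered (per the cheat sheet).
MACSEC_SPEEDS = {"10Gbps", "100Gbps", "400Gbps"}
# Only this encryptionMode refuses to pass unencrypted frames.
ENFORCED_MODE = "must_encrypt"
# Assumed value of portEncryptionStatus when a MACsec session is established;
# check it against your own describe-connections output.
ENCRYPTION_UP = "Encryption Up"


def audit_macsec(connections):
    """Return (connectionId, finding) pairs for connections needing attention.

    Checks are ordered from "cannot be fixed on this port" to "misconfigured",
    so each connection yields at most one finding.
    """
    findings = []
    for conn in connections:
        cid = conn["connectionId"]
        bandwidth = conn.get("bandwidth", "unknown")
        mode = conn.get("encryptionMode", "no_encrypt")
        if bandwidth not in MACSEC_SPEEDS:
            findings.append((cid, f"MACsec is not offered at {bandwidth}; "
                                  "use IPsec (Layer 3 VPN) over the connection instead"))
        elif not conn.get("macSecCapable", False):
            findings.append((cid, "port is not MACsec-capable; "
                                  "frames cross the cross connect in cleartext"))
        elif mode != ENFORCED_MODE:
            findings.append((cid, f"encryptionMode is {mode!r}; only "
                                  f"{ENFORCED_MODE!r} refuses unencrypted traffic"))
        elif conn.get("portEncryptionStatus") != ENCRYPTION_UP:
            findings.append((cid, "must_encrypt is set but the MACsec session is "
                                  "not up; check the CKN/CAK pairing on both ends"))
    return findings


def compliant_ids(connections):
    """IDs of connections that pass every check."""
    flagged = {cid for cid, _ in audit_macsec(connections)}
    return [c["connectionId"] for c in connections if c["connectionId"] not in flagged]


# Constructed sample: one 1 Gbps port, one capable port left in should_encrypt,
# one fully enforced port, and one 10 Gbps port that is not MACsec-capable.
SAMPLE_CONNECTIONS = [
    {"connectionId": "dxcon-example-1", "bandwidth": "1Gbps",
     "macSecCapable": False, "encryptionMode": "no_encrypt"},
    {"connectionId": "dxcon-example-2", "bandwidth": "10Gbps",
     "macSecCapable": True, "encryptionMode": "should_encrypt",
     "portEncryptionStatus": "Encryption Up"},
    {"connectionId": "dxcon-example-3", "bandwidth": "100Gbps",
     "macSecCapable": True, "encryptionMode": "must_encrypt",
     "portEncryptionStatus": "Encryption Up"},
    {"connectionId": "dxcon-example-4", "bandwidth": "10Gbps",
     "macSecCapable": False, "encryptionMode": "no_encrypt"},
]

if __name__ == "__main__":
    for cid, finding in audit_macsec(SAMPLE_CONNECTIONS):
        print(f"{cid}: {finding}")
    print("compliant:", compliant_ids(SAMPLE_CONNECTIONS))
```

In practice you would feed the function the parsed JSON from the CLI call rather than the constructed list; the check order matters because a `should_encrypt` port silently falls back to cleartext, which is exactly what a Layer 2 encryption control is supposed to rule out.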
- AWS Direct Connect Monitoring
- You can optionally assign tags to your Direct Connect resources to categorize or manage them. A tag consists of a key and an optional value, both of which you define.
- CloudTrail captures all API calls for AWS Direct Connect as events.
- Set up CloudWatch alarms to monitor metrics.
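Since CloudTrail records every Direct Connect API call, the monitoring that matters from a security standpoint is deciding which of those calls deserve an alert. The detection pass below is an added example, not AWS code: it reads constructed CloudTrail-style records (JSON lines with `eventSource`, `eventName`, `userIdentity`, `requestParameters`, `errorCode`) and surfaces calls that tear down connectivity, change the MACsec posture, or were denied by IAM. The API action names in the watchlists are real Direct Connect operations; the principals and resource IDs are placeholders.

```python
"""Triage of CloudTrail records for AWS Direct Connect.

Added example, not AWS code. The sample log lines are constructed; the
eventName values are real Direct Connect API operations, the ARNs and
resource IDs are placeholders.
"""
import json

DX_SOURCE = "directconnect.amazonaws.com"
# Actions that remove connectivity or BGP reachability.
DISRUPTIVE = {"DeleteConnection", "DeleteLag", "DeleteVirtualInterface", "DeleteBGPPeer"}
# Actions that change MACsec key material or the encryption mode.
CRYPTO = {"AssociateMacSecKey", "DisassociateMacSecKey"}


def classify(record):
    """Return a severity label for one CloudTrail record, or None to ignore it."""
    if record.get("eventSource") != DX_SOURCE:
        return None
    # A denied call against Direct Connect is an IAM signal in its own right.
    if record.get("errorCode") == "AccessDenied":
        return "denied"
    name = record.get("eventName", "")
    if name in DISRUPTIVE:
        return "disruptive"
    if name in CRYPTO:
        return "crypto"
    # UpdateConnection can rename a connection or change its encryptionMode;
    # only the latter is worth an alert.
    if name == "UpdateConnection" and "encryptionMode" in (record.get("requestParameters") or {}):
        return "crypto"
    return None


def scan(log_lines):
    """Parse JSON-lines CloudTrail records and return the findings in log order."""
    findings = []
    for line in log_lines.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        severity = classify(record)
        if severity is None:
            continue
        findings.append({
            "severity": severity,
            "time": record.get("eventTime"),
            "action": record.get("eventName"),
            "actor": (record.get("userIdentity") or {}).get("arn", "unknown"),
            "region": record.get("awsRegion"),
        })
    return findings


# Constructed sample: six records, four of which should be surfaced.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"eventTime": "2025-11-29T08:00:01Z", "eventSource": DX_SOURCE, "awsRegion": "us-east-1",
     "eventName": "CreatePrivateVirtualInterface",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/network-admin-placeholder"}},
    {"eventTime": "2025-11-29T08:05:12Z", "eventSource": DX_SOURCE, "awsRegion": "us-east-1",
     "eventName": "DeleteVirtualInterface",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/contractor-placeholder"},
     "requestParameters": {"virtualInterfaceId": "dxvif-example-1"}},
    {"eventTime": "2025-11-29T08:06:40Z", "eventSource": DX_SOURCE, "awsRegion": "us-east-1",
     "eventName": "DisassociateMacSecKey",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/contractor-placeholder"}},
    {"eventTime": "2025-11-29T08:07:03Z", "eventSource": DX_SOURCE, "awsRegion": "us-east-1",
     "eventName": "UpdateConnection",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/contractor-placeholder"},
     "requestParameters": {"connectionId": "dxcon-example-1", "encryptionMode": "no_encrypt"}},
    {"eventTime": "2025-11-29T08:09:15Z", "eventSource": DX_SOURCE, "awsRegion": "us-east-1",
     "eventName": "DescribeConnections", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/analyst-placeholder"}},
    {"eventTime": "2025-11-29T08:10:00Z", "eventSource": "ec2.amazonaws.com", "awsRegion": "us-east-1",
     "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/ci-placeholder"}},
])

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['severity']:<10} {f['action']:<24} {f['actor']}")
```

The same `classify` logic can sit behind an EventBridge rule or a CloudWatch Logs metric filter; pairing it with a CloudWatch alarm on the connection state metric gives you both the "who changed it" and the "is it down" halves of the picture.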
- AWS Direct Connect Pricing
- You pay for the dedicated or hosted ports you use and the data transferred over the connection.
- Pricing is based on port-hours for each port capacity and data transfer out (DTO) per GB. Data transfer into AWS via Direct Connect is $0.00 per GB in all locations.
- Port Hour: Charged per hour based on port type and capacity (Dedicated or Hosted, e.g., 1 Gbps, 10 Gbps, 100 Gbps).
- Data Transfer Out: Charged per GB for data flowing out of AWS (rates vary by AWS Region). Data Transfer IN is free.
- SiteLink: If enabled, you pay an additional hourly charge per participating port plus a per-GB fee for traffic sent between your on-premises sites using the AWS global network.
- AWS Direct Connect-related Cheat Sheets:
- S3 Transfer Acceleration vs Direct Connect vs VPN vs Snowball vs Snowmobile
- Note: If you are studying for the AWS Certified Advanced Networking Specialty exam, we highly recommend that you take our AWS Certified Advanced Networking – Specialty Practice Exams and read our Advanced Networking Specialty exam study guide.
- Validate Your Knowledge
- Question 1
- A leading insurance firm has a VPC in the US East (N. Virginia) region for their head office in New York and another VPC in the US West (N. California) for their regional office in California. There is a requirement to establish a low latency, high-bandwidth connection between their on-premises data center in Chicago and both of their VPCs in AWS.
- As the SysOps Administrator of the firm, how could you implement this in a cost-effective manner?
- Establish a Direct Connect connection between the VPC in US East (N. Virginia) region to the on-premises data center in Chicago and then establish another Direct Connect connection between the VPC in US West (N. California) region to the on-premises data center.
- Set up an AWS Direct Connect connection to the on-premises data center. Launch a new AWS Direct Connect Gateway with a virtual private gateway and connect the VPCs from US East and US West regions. Integrate the Direct Connect connection to the Direct Connect Gateway.
- Set up an AWS VPN managed connection between the VPC in US East (N. Virginia) region and the on-premises data center in Chicago.
- Set up two separate VPC peering connections for the two VPCs and for the on-premises data center.
- Question 2
- A company has a hybrid cloud infrastructure that consists of its Amazon VPC in the us-east-1 (N. Virginia) Region and its corporate network. A single 10-Gbps AWS Direct Connect connection with multiple private virtual interfaces has been established to allow EC2 instances to send data to the on-premises file storage servers. The Network Administrator has been tasked to ensure high resiliency to common connectivity failures which will support the critical production workloads.
- What must the Administrator do to satisfy this requirement?
- Create a second 10-Gbps AWS Direct Connect connection to another AWS Direct Connect location.
- Create a second 10-Gbps AWS Direct Connect connection to the existing AWS Direct Connect location.
- Create a second 10-Gbps AWS Managed VPN connection between the VPC and the on-premises network.
- Launch a Direct Connect Gateway that connects two public virtual interfaces in the us-east-1 (N. Virginia) Region to the on-premises network.
- For more AWS practice exam questions with detailed explanations, visit the Tutorials Dojo Portal:
- AWS Direct Connect Cheat Sheet References:
- https://docs.aws.amazon.com/directconnect/latest/UserGuide
- https://aws.amazon.com/directconnect/features/
- https://aws.amazon.com/directconnect/pricing/
- https://aws.amazon.com/directconnect/faqs/