Direct Connect as a distraction?

Today is my checkride at AWS. Essentially I will stand in front of a panel of my peers, present the AWS 101 deck, and be asked questions in a real-world customer scenario. I wouldn't say I am nervous, but I am anxious to see if I am as far along as I need/hope to be. One of the things I expect to be covered in depth is Direct Connect (DX), so while I am prepping I figured I would write up a quick post on what DX is and how it works.

Direct Connect is a dedicated connection from a customer's on-prem or colocation (CoLo) facility into AWS. Seems simple enough, right? DX connections come as 1 Gbps or 10 Gbps ports, and multiple ports can be aggregated together. DX is ordered through the AWS console, and when you order a connection there are a couple of things you need to do. First, you must present the IP space that you will be associating with the DX. You will also need to work with your ISP to create a connection to an AWS peering point with an Amazon Partner Network (APN) partner such as Equinix.

AWS will validate that you own your IP addresses and that you have a connection at the peering point. An authorization to connect is then issued to the APN partner and the connection is made. Direct Connect requires that you have established 802.1Q VLANs and a BGP-capable router. AWS will advertise all of its public Autonomous System Numbers (ASNs); you will want to limit the scope to the regions with which you want to share IP space for your VPC. Private or public ASNs are allowed.

VLANs extended from your on-prem environment to AWS traverse the DX connection, and each VLAN maps to the designated VPC with the correlating VLAN space. However, you will not be able to connect directly across multiple VPCs unless you have established VPC peering in AWS, or unless you use lollipop networking, where your on-prem router acts as the core for VPC-to-VPC communications. The DX connection is not an internet connection: VPCs will still require a designated Internet Gateway with an Elastic IP, or they can use the on-prem internet connection for internet ingress and egress. Think of it this way: you can keep the same security perimeter and monitoring solution with a DX, so you don't have to change the way your business or organization runs its security today.
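Scoping what you accept from AWS over the DX BGP session to the regions you actually want, as mentioned above, is usually done by building an inbound route filter from AWS's published ip-ranges.json. The following is an added example (not from the original post and not an AWS tool) that builds such a regional allow-list and checks received prefixes against it; the JSON is a constructed sample in the shape of the real file, using RFC 5737 documentation ranges rather than real AWS address space.

```python
import ipaddress
import json

# Constructed sample in the shape of AWS's published ip-ranges.json
# (https://ip-ranges.amazonaws.com/ip-ranges.json). The prefixes are made
# up (RFC 5737 TEST-NET ranges), not real AWS address space. In the real
# file the "AMAZON" service entries are the superset that covers all others.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "1970-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/24",    "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "203.0.113.0/24",  "region": "eu-west-1", "service": "AMAZON"},
    ],
})


def build_region_filter(ip_ranges_json, regions):
    """Return the set of Amazon prefixes that belong to the chosen regions.

    This is the allow-list an inbound BGP route policy on the DX router
    would be generated from, so only in-scope regional space is accepted."""
    data = json.loads(ip_ranges_json)
    return {
        ipaddress.ip_network(p["ip_prefix"])
        for p in data["prefixes"]
        if p["region"] in regions and p["service"] == "AMAZON"
    }


def filter_received_routes(received, allowed):
    """Split prefixes received over the DX BGP session into accepted/rejected.

    A route is accepted only if it is equal to or more specific than an
    allowed prefix; a broader announcement that merely overlaps allowed
    space is rejected, so out-of-scope address space cannot ride in on it."""
    accepted, rejected = [], []
    for route in received:
        net = ipaddress.ip_network(route)
        in_scope = any(
            net.subnet_of(a) for a in allowed if a.version == net.version
        )
        (accepted if in_scope else rejected).append(route)
    return accepted, rejected


if __name__ == "__main__":
    allowed = build_region_filter(SAMPLE_IP_RANGES, {"us-east-1"})
    print(filter_received_routes(
        ["192.0.2.0/24", "192.0.2.128/25", "203.0.113.0/24", "192.0.0.0/16"],
        allowed,
    ))
```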

This is a complex topic and I have only scratched the surface. For more information, check out the AWS Direct Connect FAQ.