To provide network connectivity between AWS VPCs and external networks (and, in certain use cases, between VPCs) you must create a Virtual Private Gateway (VGW). A VGW is attached to a VPC, or for some advanced architectures left detached, and is the Amazon-managed endpoint that terminates IPsec VPN and AWS Direct Connect connections into your AWS infrastructure.

The VGW behaves like a next-hop router and provides edge routing for external access; this routing is separate from the VPC route tables. A VGW is the termination point of VPN connections at the AWS end of the tunnel. The VGW does not initiate connections; tunnels must be initiated from the customer gateway on the customer premises. VGWs support two methods of routing: static routing and dynamic routing using BGP (BGP-4).

IPv6 is designed with the goal of being an end-to-end protocol, and as such AWS does not support NAT or prefix translation of IPv6 addresses. When you create a resource within an IPv6-enabled VPC it is assigned one or more IPv6 addresses from Amazon's GUA allocation. A GUA (global unicast address) is globally unique and routable on the public internet.

The concept of a private subnet as such does not exist when using IPv6: every address is globally routable. However, there is certainly a need to ensure that certain IPv6-addressed resources are not reachable from the internet, in the same way as we have with IPv4-addressed resources by putting them in a private subnet and providing outbound internet access via a NAT gateway. To achieve similar functionality for IPv6 hosts AWS created the Egress-Only Internet Gateway (EIGW). As with any AWS-managed component, an EIGW is a scalable and highly redundant VPC component that gives IPv6-addressed resources access to the internet but blocks connections initiated from the internet to those resources. It is stateful: return traffic for connections initiated from inside the VPC is allowed, new inbound connections are not. The EIGW does not translate the IPv6 address of the resource; the resource's assigned GUA address is the address visible on the public internet.

To provide internet access from a VPC, Amazon provides a service called the Internet Gateway (IGW). Internet Gateways are Amazon operated and managed and provide a horizontally scalable, redundant and highly available path to the internet for both IPv4 and IPv6. To provide internet access from a VPC you must create an IGW and attach it to your VPC, then create a route entry in the route table of the VPC subnet that points non-local traffic at the IGW. This is normally a default route (0.0.0.0/0 for IPv4, ::/0 for IPv6, or both). To ensure end-to-end flow of traffic you must also ensure that the appropriate Network ACLs and security groups allow the required traffic to and from your VPC.

When resources with private IPv4 addresses reach the internet via an IGW, the IGW translates the private addresses to public addresses. The IGW maintains a one-to-one mapping between each resource's private IPv4 address and its public IPv4 address. When a resource is launched it can automatically receive a public IP address, or an Elastic IP can be assigned; in either case the IGW maintains the mapping. A resource that has no public or Elastic IP cannot reach the internet through an IGW even if a route to the IGW exists.

IPv6 is designed to be an end-to-end protocol, and as such resources within a VPC are assigned IPv6 addresses from Amazon's GUA assignments. For outbound IPv6 traffic to the internet the IGW does not need to translate the source address and it therefore passes through unchanged. For inbound flows the IGW forwards the traffic to the resource holding the destination GUA, subject to the security groups and network ACLs.

A VPC is a logical entity that spans all availability zones in the region where it was created. VPCs in turn consist of subnets, which are logical segments of a VPC; unlike a VPC, a subnet does not span availability zones, and one or more subnets may be created in each availability zone. When creating a subnet within a VPC you specify the availability zone and an IPv4 CIDR block carved from the VPC CIDR range. When you create resources they are launched into one or more subnets.

When a VPC is created an IPv4 CIDR range is allocated, with a /16 being the largest possible allocation. The size of the CIDR block allocated in turn determines the sizes of the subnets that can be allocated, with a /28 being the smallest possible subnet. Attention should be paid to the design of the VPC and subnet architecture when determining allocations, as AWS reserves five addresses in every subnet (the first four and the last: network address, VPC router, DNS, reserved for future use, and broadcast) to provide network services, so the usable addresses are fewer than in pure networking terms; a /28 yields 11 usable addresses rather than 14.

As you may be aware, when you create an AWS account a default VPC is created in each region with one public subnet in each availability zone. Each default subnet is a /20.

VPCs support both IPv4 and IPv6; IPv4 is mandatory and an IPv6 association is optional. When utilising IPv6, Amazon assigns a /56 to each VPC out of their public GUA allocation. If you choose to use IPv6 you can associate it with an existing subnet, and a fixed-length /64 is assigned out of the VPC's /56. Although the IPv6 ranges are fixed-length assignments, when allocating a subnet you can specify which /64 of the /56 it takes (the subnet identifier).
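The sizing rules above (VPC block between /16 and /28, subnets no smaller than /28, five reserved addresses per subnet, an IPv6 /56 per VPC split into /64 subnets) are easy to get wrong on a whiteboard. The following is an added example, not code from the original page, that validates an address plan before anything is created in the console; the CIDRs in it are constructed and the 2001:db8::/32 prefix is the IPv6 documentation range.

```python
"""Validate a VPC/subnet address plan against the AWS sizing rules described above.

Added example, not from the original page. The constants encode the rules stated in the
text; the sample CIDRs are constructed.
"""
import ipaddress

RESERVED_PER_SUBNET = 5        # first four addresses plus the broadcast address
VPC_PREFIX_RANGE = (16, 28)    # /16 is the largest VPC block, /28 the smallest
SUBNET_PREFIX_RANGE = (16, 28)
IPV6_VPC_PREFIX = 56
IPV6_SUBNET_PREFIX = 64


def _network(cidr, problems):
    """Parse strictly so that host bits set in a CIDR (10.0.0.5/24) are reported, not silently masked."""
    try:
        return ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        problems.append(f"{cidr}: {exc}")
        return None


def usable_hosts(subnet_cidr):
    """Addresses left for instances after the AWS reservations."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return net.num_addresses - RESERVED_PER_SUBNET


def validate_plan(vpc_cidr, subnet_cidrs, vpc_ipv6=None, subnet_ipv6_cidrs=()):
    """Return a list of problems; an empty list means every block is allocatable."""
    problems = []
    vpc = _network(vpc_cidr, problems)
    if vpc is None:
        return problems
    lo, hi = VPC_PREFIX_RANGE
    if not lo <= vpc.prefixlen <= hi:
        problems.append(f"VPC {vpc} must be between /{lo} and /{hi}")
    subnets = [n for n in (_network(c, problems) for c in subnet_cidrs) if n is not None]
    lo, hi = SUBNET_PREFIX_RANGE
    for net in subnets:
        if net.version != vpc.version:
            problems.append(f"subnet {net} is not IPv{vpc.version}")
            continue
        if not lo <= net.prefixlen <= hi:
            problems.append(f"subnet {net} must be between /{lo} and /{hi}")
        if not net.subnet_of(vpc):
            problems.append(f"subnet {net} is not inside VPC {vpc}")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.version == b.version and a.overlaps(b):
                problems.append(f"subnets {a} and {b} overlap")
    if vpc_ipv6 is not None:
        v6 = _network(vpc_ipv6, problems)
        if v6 is None:
            return problems
        if v6.prefixlen != IPV6_VPC_PREFIX:
            problems.append(f"IPv6 VPC block {v6} must be a /{IPV6_VPC_PREFIX}")
        for s6 in (n for n in (_network(c, problems) for c in subnet_ipv6_cidrs) if n is not None):
            if s6.prefixlen != IPV6_SUBNET_PREFIX:
                problems.append(f"IPv6 subnet {s6} must be a /{IPV6_SUBNET_PREFIX}")
            elif not s6.subnet_of(v6):
                problems.append(f"IPv6 subnet {s6} is not inside {v6}")
    return problems


if __name__ == "__main__":
    # Constructed plan in the style of the default VPC: a /16 with two /20s and a /29 that is too small.
    print(usable_hosts("172.31.0.0/20"), "usable addresses in a /20")
    print(validate_plan("172.31.0.0/16", ["172.31.0.0/20", "172.31.16.0/20", "172.31.32.0/29"]))
```

Run it against the plan you intend to apply; a non-empty list is a reason not to proceed, and the reserved-address arithmetic is the usual cause of a /28 "running out" of addresses after the first eleven hosts.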

Subnets within a VPC are described as private, public or VPN-only. The VPC's IPv4 CIDR is never advertised to the internet, whereas the IPv6 range is GUA and therefore advertised. As the name suggests, a private subnet is not reachable from the internet, although its IP allocation could be from public or RFC 1918 address space. Public subnets have a route to an Internet Gateway and their resources can be reached from the internet; VPN-only subnets route only via a Virtual Private Gateway and are reachable only over VPN or Direct Connect. The classification is a property of the subnet's route table, not of the subnet itself.
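Because "public" or "private" is decided by the route table a subnet uses, the quickest way to find out what is actually exposed is to read the route tables. The following is an added example, not part of the original page, that applies the classification above (and the IGW, NAT gateway, EIGW and VGW behaviour described in the gateway sections) to data shaped like `aws ec2 describe-route-tables` output. Every ID and prefix in it is constructed; the main table is given an Internet Gateway default route on purpose, to show that a subnet with no explicit association silently becomes public.

```python
"""Classify VPC subnets as public, private, vpn-only or isolated from their route tables.

Added example, not from the original page. ROUTE_TABLES mimics the shape of
`aws ec2 describe-route-tables` output; all IDs and prefixes are constructed.
"""

# Constructed route tables for one VPC. The main table carries a default route to the IGW,
# which is the classic mistake: any subnet without an explicit association becomes public.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "VpcId": "vpc-example",
     "Associations": [{"Main": True, "RouteTableId": "rtb-main"}],
     "PropagatingVgws": [],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example", "State": "active"}]},
    {"RouteTableId": "rtb-app", "VpcId": "vpc-example",
     "Associations": [{"Main": False, "SubnetId": "subnet-app"}],
     "PropagatingVgws": [],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example", "State": "active"},
         {"DestinationIpv6CidrBlock": "::/0", "EgressOnlyInternetGatewayId": "eigw-example",
          "State": "active"}]},
    {"RouteTableId": "rtb-vpn", "VpcId": "vpc-example",
     "Associations": [{"Main": False, "SubnetId": "subnet-vpn"}],
     "PropagatingVgws": [{"GatewayId": "vgw-example"}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "vgw-example",
          "Origin": "EnableVgwRoutePropagation", "State": "active"}]},
    {"RouteTableId": "rtb-isolated", "VpcId": "vpc-example",
     "Associations": [{"Main": False, "SubnetId": "subnet-db"}],
     "PropagatingVgws": [],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
]


def route_table_for(subnet_id, route_tables):
    """An explicit association wins; otherwise the VPC's main route table applies implicitly."""
    main = None
    for table in route_tables:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def classify_subnet(subnet_id, route_tables):
    """Return a dict describing how traffic can reach or leave the subnet."""
    table = route_table_for(subnet_id, route_tables)
    if table is None:
        raise ValueError(f"no route table (not even a main table) applies to {subnet_id}")
    internet_ingress, egress, vpn = False, set(), bool(table.get("PropagatingVgws"))
    for route in table.get("Routes", []):
        if route.get("State", "active") != "active":
            continue  # blackhole routes (target deleted) forward nothing
        gateway = route.get("GatewayId", "")
        if gateway.startswith("igw-"):
            internet_ingress = True  # an IGW is bidirectional for resources with public/Elastic IPs
        elif "NatGatewayId" in route:
            egress.add("nat")
        elif "EgressOnlyInternetGatewayId" in route:
            egress.add("egress-only-igw")
        elif gateway.startswith("vgw-"):
            vpn = True
    if internet_ingress:
        kind = "public"
    elif egress:
        kind = "private"
    elif vpn:
        kind = "vpn-only"
    else:
        kind = "isolated"
    return {"subnet": subnet_id, "route_table": table["RouteTableId"], "class": kind,
            "internet_ingress": internet_ingress, "egress": sorted(egress), "vpn": vpn}


def audit(subnet_ids, route_tables=ROUTE_TABLES):
    return {s: classify_subnet(s, route_tables) for s in subnet_ids}


if __name__ == "__main__":
    # subnet-new has no explicit association, so it inherits the main table and its IGW route.
    for subnet, result in audit(["subnet-app", "subnet-vpn", "subnet-db", "subnet-new"]).items():
        print(subnet, result["class"], "via", result["route_table"])
```

Feed it real `describe-route-tables` JSON and the list of subnets from `describe-subnets` and it will tell you which subnets are reachable from the internet; a "public" result still requires the instance to hold a public or Elastic IP and the security groups and NACLs to permit the traffic, so treat the output as the list of places to inspect, not as proof of exposure.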

Virtual Private Cloud (VPC) is the networking construct for Elastic Compute Cloud (EC2). With a VPC you create a virtual network within AWS. When creating a VPC you configure elements such as route tables, network gateways and subnets, and you control access using network ACLs and security groups. It is possible to create many VPCs in an AWS region; as long as they will never need to communicate they can share IP address ranges, because each VPC is logically isolated. Once created you can launch resources in the VPC, such as EC2 compute instances.

When creating a VPC it must be assigned an IPv4 address range. Any CIDR range can be used; Amazon treats it as private and it will not be advertised to the internet. If required an IPv6 range may also be assigned, in which case Amazon allocates a /56 from their GUA address space. Unlike the IPv4 range, the IPv6 assignment is advertised to the internet, and therefore if an Internet Gateway is attached to the VPC and routed to, IPv6-addressed resources are publicly reachable unless security groups and network ACLs block the traffic. VPCs operate in dual-stack mode, so routing and gateway components for IPv4 and IPv6 need to be configured independently.

VPCs are made up of a number of components, which will be described further in the Understanding AWS series. The components a VPC can consist of are:

  • Subnets and IP addresses (IPv4 and IPv6)
  • Route Tables
  • Security Groups and Network Access Control Lists (ACLs)
  • VPC Flow Logs
  • Internet Gateways
  • Egress Only Internet Gateways (EIGWs) for IPv6
  • NAT Instances and NAT Gateways
  • Virtual Private Gateways (VGWs) and Virtual Private Networks (VPNs)
  • VPC Endpoints
  • VPC Peering
  • Placement Groups
  • Elastic Network Interfaces
  • Dynamic Host Configuration Protocol (DHCP) Option Sets
  • Amazon DNS Server

Amazon Web Services (AWS) and the features available are advancing and evolving at a very fast pace to keep up with the demands of the next generation of technological requirements. AWS services are tailored to solve enterprises' ongoing cloud computing challenges when it comes to moving data and accessing workloads across regions. AWS Direct Connect Gateway is one of the latest additions to the AWS service portfolio, built to enhance AWS Direct Connect for users who want to establish virtual interfaces to VPCs in multiple AWS regions. In this article we look at what AWS Direct Connect Gateway is, its features, the benefits to users, costs and implementation details.

AWS Direct Connect

Before we continue, let's look at AWS Direct Connect as well so that you can understand Direct Connect Gateway properly. AWS Direct Connect is the method of connecting AWS infrastructure to your private network or facilities, purchased either directly from Amazon or via APN partners. With Direct Connect, customers are able to create a dedicated network connection between their premises and AWS. A customer is able to access all of their AWS resources and transfer critical business data from their offices or data centres directly, bypassing the internet, which improves privacy and avoids internet congestion. Until the release of Direct Connect Gateway, a Direct Connect connection only gave access to VPCs in the region in which it was provisioned (except within the United States), making it difficult for businesses seeking inter-regional connectivity. This is what led to the birth of Direct Connect Gateway, in order to support redundancy and availability and to improve network performance between environments.

What is AWS Direct Connect Gateway?

AWS Direct Connect Gateway, also referred to as Amazon Direct Connect Gateway, is a service that effectively sits on top of AWS Direct Connect. It gives Direct Connect customers the ability to use a single private virtual interface (VIF) to reach VPCs in multiple AWS regions. Previously a private VIF could only reach VPCs in the region of the Direct Connect location, so reaching several regions from an enterprise data centre meant provisioning a Direct Connect connection per region. Direct Connect Gateway makes it possible to reach multiple regions from a single connection, reducing the overhead of managing multiple Direct Connects and thus reducing costs.

Essentially, Direct Connect Gateway is a powerful yet simple solution that eliminates the challenges associated with creating and managing multiple links to multiple AWS regions.

AWS Direct Connect Gateway Features

The following are some of the Direct Connect Gateway characteristics and limitations that you should take into consideration when using this service:

  • Single AWS account: a Direct Connect Gateway can only be associated with a Virtual Private Gateway that exists in the same AWS account as the gateway; cross-account association was not supported at launch. Amazon has stated that they intend to make this more flexible in the future.
  • Location and Service Level Agreement (SLA): each Direct Connect Gateway is a global object that exists across all public (commercial) AWS regions. All communication between your AWS regions via the Direct Connect Gateway travels across the AWS network backbone. However, no service level agreement is currently offered for either Direct Connect or Direct Connect Gateway.
  • IP addresses: the VPCs associated with a particular Direct Connect Gateway must have unique, non-overlapping CIDR blocks, so check the address plan before associating.
  • Public virtual interfaces: public virtual interfaces cannot be attached to a Direct Connect Gateway; it supports private virtual interfaces only.

Direct Connect Gateway only carries traffic between the Virtual Private Gateways associated with it and the private virtual interfaces attached to it. The following traffic flows are not allowed:

  • Direct communication between a private virtual interface attached to a Direct Connect Gateway and a VPN connection terminating on a Virtual Private Gateway associated with that same Direct Connect Gateway.
  • Direct communication between VPCs (Virtual Private Gateways) associated with the same Direct Connect Gateway; the gateway does not hairpin traffic between VPCs, so VPC-to-VPC traffic still needs peering or another path.
  • Direct communication between virtual interfaces attached to the same Direct Connect Gateway.

Benefits of AWS Direct Connect Gateway

  1. Reduced network costs: using a Direct Connect Gateway potentially lowers network costs by reducing the number of Direct Connect connections required.
  2. Simplicity: Direct Connect Gateway is configured from the AWS Management Console, which provides a single view to manage your virtual interfaces and connections. Downloadable router configuration templates are available for common networking equipment when you configure one or more virtual interfaces.
  3. Scalability: Direct Connect is an elastic service that lets you scale connections to your demand. Dedicated connections are available at 1 Gbps and 10 Gbps, and you can create multiple connections according to the capacity you need.

Implementation details

Getting started with AWS Direct Connect Gateway is straightforward, but you must have an AWS Direct Connect connection established first. The following is a guide to obtaining a Direct Connect connection in different scenarios, followed by the procedure for connecting multiple VPCs using a Direct Connect Gateway.

Scenario 1: Present at an AWS Direct Connect location. In this scenario you connect directly to the AWS device from a router present at the Direct Connect location, with dedicated connections of 1 Gbps or 10 Gbps.

Scenario 2: Connecting from your premises. You can work with a network provider to extend a circuit from your office, colocation environment or data centre to an AWS Direct Connect location. The network provider does not need to be an APN member to do this.

Scenario 3: Connection via an APN partner. Lastly, you can work with an APN partner who establishes a hosted connection for you. Sign up with the partner, then accept the hosted connection in your AWS account by following the outlined instructions.

Creating an AWS Direct Connect Gateway

  • Open the Direct Connect console and click Direct Connect Gateways. The list will be empty because you haven't created any gateways yet.
  • Click Create Direct Connect Gateway, enter a name and a private autonomous system number (ASN) for the Amazon side of the BGP session (64512 to 65534, or a 32-bit private ASN), and click Create. The new gateway is a global object and is visible immediately.
  • Use your existing Direct Connect connection to create a private virtual interface (VIF). The private VIF references both the connection and the Direct Connect Gateway (rather than a Virtual Private Gateway) and is ready within a few seconds. You should already have one or more VPCs with non-overlapping CIDRs, each with a Virtual Private Gateway attached.
  • Return to the Direct Connect console, select Direct Connect Gateways, select your gateway and choose Associate Virtual Private Gateway from the actions menu. Select your Virtual Private Gateways and click Associate. This takes a minute or so; the association shows an 'associating' state while it completes.

When the state reads 'associated', traffic flows between your premises network and your VPCs over the Direct Connect connection, regardless of which AWS region each VPC resides in. The same steps apply whether the VPCs are in one region or several. Remember to enable route propagation from each VGW on the VPC route tables (or add static routes) so that the subnets learn the on-premises prefixes; the association alone does not populate them.
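The console procedure above maps directly onto four API calls, and scripting it is also the natural place to enforce the non-overlapping CIDR rule before anything is created. The following is an added example, not code from the original article: it uses the boto3 Direct Connect and EC2 client call names as documented for the AWS SDK but takes the clients as parameters, so the flow (overlap check, gateway, private VIF, association polling) runs here against the small constructed fakes at the bottom without an AWS account. The connection ID, gateway and VPC IDs, ASNs and VLAN are placeholders.

```python
"""Provision a Direct Connect Gateway and associate it with the VGWs of several VPCs.

Added example, not from the original article. Uses boto3 Direct Connect / EC2 call names
but takes the clients as parameters; FakeDx/FakeEc2 below are constructed stand-ins.
"""
import ipaddress


def check_no_overlap(ec2, vpc_ids):
    """A Direct Connect Gateway requires non-overlapping VPC CIDRs; fail before creating anything."""
    vpcs = ec2.describe_vpcs(VpcIds=list(vpc_ids))["Vpcs"]
    cidrs = [(v["VpcId"], ipaddress.ip_network(v["CidrBlock"])) for v in vpcs]
    for i, (vpc_a, net_a) in enumerate(cidrs):
        for vpc_b, net_b in cidrs[i + 1:]:
            if net_a.overlaps(net_b):
                raise ValueError(f"{vpc_a} ({net_a}) overlaps {vpc_b} ({net_b})")
    return [str(net) for _, net in cidrs]


def wait_for_association(dx, dxgw_id, vgw_id, sleep, max_polls=120):
    """Poll until the association leaves 'associating'; no traffic flows before 'associated'."""
    for _ in range(max_polls):
        resp = dx.describe_direct_connect_gateway_associations(
            directConnectGatewayId=dxgw_id, virtualGatewayId=vgw_id)
        states = {a["associationState"] for a in resp["directConnectGatewayAssociations"]}
        if "associated" in states:
            return "associated"
        if states - {"associating"}:
            raise RuntimeError(f"association {dxgw_id}/{vgw_id} entered {states}")
        sleep(5)
    raise TimeoutError(f"association {dxgw_id}/{vgw_id} still associating")


def provision(dx, ec2, connection_id, vpc_to_vgw, sleep, name="corp-dxgw",
              amazon_side_asn=64512, customer_asn=65000, vlan=101):
    """Same order as the console procedure: gateway, private VIF, then one association per VGW."""
    check_no_overlap(ec2, vpc_to_vgw)
    gateway = dx.create_direct_connect_gateway(
        directConnectGatewayName=name, amazonSideAsn=amazon_side_asn)["directConnectGateway"]
    dxgw_id = gateway["directConnectGatewayId"]
    vif = dx.create_private_virtual_interface(
        connectionId=connection_id,
        newPrivateVirtualInterface={
            "virtualInterfaceName": f"{name}-vif", "vlan": vlan, "asn": customer_asn,
            "addressFamily": "ipv4",
            "directConnectGatewayId": dxgw_id})  # the VIF targets the DX gateway, not a VGW
    associations = {}
    for vpc_id, vgw_id in vpc_to_vgw.items():
        dx.create_direct_connect_gateway_association(
            directConnectGatewayId=dxgw_id, virtualGatewayId=vgw_id)
        associations[vpc_id] = wait_for_association(dx, dxgw_id, vgw_id, sleep)
    return {"dxgw_id": dxgw_id, "vif_id": vif["virtualInterfaceId"], "associations": associations}


class FakeEc2:
    """Constructed stand-in for the boto3 EC2 client; vpc-dup overlaps vpc-east on purpose."""
    VPCS = {"vpc-east": "10.1.0.0/16", "vpc-west": "10.2.0.0/16", "vpc-dup": "10.1.128.0/17"}

    def describe_vpcs(self, VpcIds):
        return {"Vpcs": [{"VpcId": v, "CidrBlock": self.VPCS[v]} for v in VpcIds]}


class FakeDx:
    """Constructed stand-in for the Direct Connect client; each association needs two polls."""
    def __init__(self):
        self.polls = {}

    def create_direct_connect_gateway(self, directConnectGatewayName, amazonSideAsn):
        return {"directConnectGateway": {"directConnectGatewayId": "dxgw-fake",
                                         "directConnectGatewayState": "pending"}}

    def create_private_virtual_interface(self, connectionId, newPrivateVirtualInterface):
        return {"virtualInterfaceId": "dxvif-fake", "virtualInterfaceState": "pending"}

    def create_direct_connect_gateway_association(self, directConnectGatewayId, virtualGatewayId):
        self.polls[virtualGatewayId] = 0
        return {"directConnectGatewayAssociation": {"associationState": "associating"}}

    def describe_direct_connect_gateway_associations(self, directConnectGatewayId, virtualGatewayId):
        self.polls[virtualGatewayId] += 1
        state = "associated" if self.polls[virtualGatewayId] >= 2 else "associating"
        return {"directConnectGatewayAssociations": [{"associationState": state}]}


if __name__ == "__main__":
    # For real use pass boto3.client("directconnect"), boto3.client("ec2") and time.sleep.
    print(provision(FakeDx(), FakeEc2(), "dxcon-fake",
                    {"vpc-east": "vgw-east", "vpc-west": "vgw-west"}, sleep=lambda s: None))
```

Two design points: the overlap check runs before any resource is created, because an association that fails half-way leaves a gateway and VIF to clean up; and the poll loop treats any state other than 'associating' or 'associated' as an error rather than waiting out the timeout.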

 

AWS Direct Connect is a dedicated network connection from your premises (office, data centre, co-lo) to AWS. With Direct Connect you get private network connectivity (the link is private but not encrypted by default, so run IPsec over it if confidentiality is required) whilst also reducing network costs, increasing network throughput and getting more consistent network performance (latency, jitter, loss) than IPsec VPN solutions across the internet.

AWS has a number of Direct Connect locations where you can establish these dedicated links between your infrastructure and AWS. Direct Connect can be ordered directly from AWS at speeds of 1 Gbps or 10 Gbps, or via AWS APN partners at sub-1 Gbps speeds (hosted connections). A dedicated Direct Connect link provides access to public and private AWS resources by dividing the link into multiple virtual interfaces, each on its own VLAN using standard 802.1Q tagging.

Direct Connect is available to any customer but is best suited to customers with strict regulatory or performance requirements and to customers who access large data sets hosted within AWS. Benefits of using Direct Connect include:

  • private connectivity to AWS
  • consistent performance
  • reduced bandwidth costs (potentially)
  • privately access AWS services

Direct Connect can be configured in a number of ways to achieve resiliency and high availability, all using industry standard protocols: 802.1Q and 802.1ad for VLAN tagging and nesting, IPsec for encrypted tunnels, and BGP for dynamic routing. These should be familiar to most network engineers, so managing Direct Connect should not be much of an additional burden.