Aws Direct Connect Deep Dive 1077328783 181128003427

NET403
AWS Direct Connect: Deep Dive
Justin Davies
Solutions Architect
AWS/Solutions Architecture
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What’s going on here?
policy-options
policy-statement TO-AWS
term tag-aws
from
route-filter 0.0.0.0/0 exact;
then
community add TAG-TO-AWS;
accept;
community TAG-TO-AWS-HIGH-PREF members 7224:7300;
Agenda
Level set—review
New features and functionality
Route manipulation and traffic engineering
How is AWS Direct Connect billed?
How to manage hybrid DNS scenarios over

AWS Direct Connect
Architectural best practices and resiliency

Level set—Review
On-premises
Level set—Review
On-premises
Amazon Virtual Private Cloud (Amazon VPC)
Level set—Review
On-premises
Availability Zone
Level set—Review
On-premises
Availability Zone
Level set—Review
On-premises
Subnet
Level set—Review
On-premises
Subnet
Virtual private
gateway
Level set—Review
On-premises
Subnet
Virtual Private
Gateway
Level set—Review
Direct
Connect On-premises
Subnet
Virtual Private
Gateway
Level set—Review
Direct Connect On-premises
Amazon
Customer
backbone
Level set—Review
Amazon
Customer
backbone
Level set—Review
Direct Connect
Amazon
Private
Public
…
Level set—Review
Direct Connect
Amazon
Private
Public
…
Amazon Direct Connect specifications
Direct Connect
1G, 10G,
Direct Connect
Direct Connect
Direct Connect
Direct Connect
Private VIF
Virtual Private
Gateway
Private
Physical connection
VLAN ID
VIF name & owner
On-prem ASN
*AWS ASN
Private VIF
Virtual Private
Gateway
Private
Physical connection
VLAN ID
VIF name & owner 50 VIFs
On-prem ASN
*AWS ASN
Public VIF Physical connection
VLAN ID
VIF name & owner
On-prem ASN
Public peer IPs (v4)
Public
Public VIF
…
Public VIF Physical connection
VLAN ID
VIF name & owner
On-prem ASN
Public peer IPs (v4)
Public
Public VIF
…
”Home” region
us-east-1 us-west-2
https://aws.amazon.com/directconnect/features/
Do I need to have a BGP session for every VPC?
Can I connect to VPCs outside of my “home” region?
Can I connect to VPCs outside of my “home” region?
Can I reduce my BGP peers and simplify connectivity?
So what is a Direct Connect Gateway?
You specify: Direct Connect
“name”
Direct Connect Gateway
Attached
1
10
Direct Connect Gateway
Account 1
Account 1
Account 2
Direct Connect
So how does this scale?
Direct Connect Gateway—Scaling
Attach 10
Account 1
Account 1
Account 1
Direct Connect
Attach 10
Account 1
Account 1
Account 2
Direct Connect
Attach 10
Account 1
Account 1
Account 2
Direct Connect
Account 1
Account 1
Account 2
Direct Connect
How do routes work?
How do routes work?
Before Logical Redundancy Direct Connect
Direct Connect Customer

Device
Logical Redundancy (NEW) Direct Connect
Direct Connect
Logical Redundancy (NEW) Direct Connect
Customer
Direct Connect
How does this change my
physical redundancy?
Logical & Physical Redundancy Direct Connect
Direct Connect
Is logical redundancy available?
Redundant BGP Sessions
VPC & Direct Connect route selection
Route selection
East - DC
172.16.0.0/16
East
65001, 65001, 65001
us-east-1
172.16.0.0/16
65001, 65001 West - DC
West
Route selection
East - DC
172.16.0.0/16
East
65001, 65001, 65001
us-east-1
172.16.0.0/16
65001, 65001 West - DC
*Preferred route
leaving AWS
West
Route selection
East - DC
172.16.0.0/16
East
65001, 65001, 65001
us-east-1
172.16.0.0/16
65001, 65001 West - DC
*Preferred route
leaving AWS 172.16.0.0/16
65001 West
Route selection
East - DC
172.16.0.0/16
East
65001, 65001, 65001
us-east-1
172.16.0.0/16
65001, 65001 West - DC
*Preferred route
65001 West
*Longest prefix match
BGP communities & local—preference
Public VIF communities—Controls your prefix scope
Public VIF communities—Controls AWS prefix scope
Private VIF communities: AWS egress local-pref
Route selection
East - DC
172.16.0.0/16
East
65001, 65001, 65001
us-east-1
172.16.0.0/16
65001, 65001 West - DC
*Preferred route
65001 West
Route selection
East - DC
172.16.0.0/16
7224:7100 (low) East
us-east-1 65001, 65001, 65001
172.16.0.0/16
7224:7100 (Low) West - DC
65001, 65001
*Preferred route
7224:7300 (high) West
65001
Applying communities to prefixes Juniper example
policy-options
policy-statement TO-AWS
term tag-aws
from
route-filter 0.0.0.0/0 exact;
then
community add TAG-TO-AWS;
accept;
community TAG-TO-AWS-HIGH-PREF members 7224:7300;
Applying communities to prefixes Cisco example
ip bgp-community new-format
ip prefix-list TAG-TO-AWS permit 0.0.0.0/0 le 32
route-map TO-AWS permit 10
match ip address prefix-list TAG-TO-AWS
set community 7224:7300
router bgp 65400
address-family ipv4
neighbor 169.254.221.5 send-community
neighbor 169.254.221.5 route-map TO-AWS out
I manage the network.
I’m not sure what all these VPCs are really doing.
How does billing work?
Direct Connect Billing 1G = $0.30/port hour
10G = $2.25/port hour
*All locations except Japan
Data-Transfer-OUT
Source: United States
VPC, S3, DDB …
Destination:
Switch, SUPERNAP
Las Vegas
$0.0200/GB Out
https://aws.amazon.com/directconnect/pricing/
Direct Connect Billing 1G = $0.30/port hour
10G = $2.25/port hour
*All locations except Japan
Data-Transfer-OUT
Source: Ireland
(eu-west-1)
VPC, S3, DDB …
Destination:
Switch, SUPERNAP
Las Vegas
$0.0282/GB Out
Direct Connect: Port cost
Direct Connect: Data-transfer-out cost
What if I have multiple accounts?
Direct Connect Billing
Organization (master payer account)
Account 2
$ Account 3
Account 4 Account 1
Direct Connect Billing
Source account
Account 2
$ Account 3
Account 4 Account 1
I manage DNS servers on-premises today.
How can I resolve resources between
my VPC resources and on-premises?
Hybrid hosted zones
192.168.1.0/24 (myvpc.com)
192.168.1.10
one.myvpc.com 10.0.0.0/16 (mydc.com)
192.168.1.11
two.myvpc.com
Hybrid hosted zones
1. Host one: Where is ”two.myvpc.com”
192.168.1.0/24 (myvpc.com)
192.168.1.10 1
one.myvpc.com
192.168.1.2 mydc.com
192.168.1.11
two.myvpc.com
Hybrid hosted zones
192.168.1.0/24 (myvpc.com) 2. Amazon Route 53: Oh, that’s 192.168.1.11
192.168.1.10 1
one.myvpc.com 2
192.168.1.2 mydc.com
192.168.1.11
two.myvpc.com
Hybrid hosted zones
192.168.1.0/24 (myvpc.com) 2. Amazon Route 53: Oh, that’s 192.168.1.11
192.168.1.10 1
one.myvpc.com 2
192.168.1.2 mydc.com
192.168.1.11
two.myvpc.com
Hybrid hosted zones
1. Client: Where is ”two.myvpc.com”
192.168.1.0/24 (myvpc.com)
192.168.1.10
one.myvpc.com
192.168.1.2 mydc.com
192.168.1.11
two.myvpc.com
1
Hybrid hosted zones
192.168.1.0/24 (myvpc.com) 2. On-prem DNS: Conditional forward?
192.168.1.10
2
one.myvpc.com
192.168.1.2 mydc.com
192.168.1.11
two.myvpc.com
1
Hybrid hosted zones
192.168.1.0/24 (myvpc.com) 2. On-prem DNS: Conditional forward?
3. I don’t know, can’t reach 192.168.1.2
192.168.1.10
2
one.myvpc.com
192.168.1.2
X mydc.com
192.168.1.11
two.myvpc.com
1
Hybrid hosted zones
192.168.1.0/24 (myvpc.com)
192.168.1.10
one.myvpc.com
192.168.1.2 mydc.com
192.168.1.11
two.myvpc.com Unbound
1
Hybrid hosted zones
192.168.1.0/24 (myvpc.com) 2. On-prem DNS: Forward to Unbound
192.168.1.10
one.myvpc.com
192.168.1.2 mydc.com
2
192.168.1.11
1
Hybrid hosted zones
3. Unbound forward to Route 53
192.168.1.10
one.myvpc.com
3
192.168.1.2 mydc.com
2
192.168.1.11
1
Hybrid hosted zones
3. Unbound forward to Route 53
4. Reply to requester
192.168.1.10
one.myvpc.com
3
192.168.1.2 mydc.com
2
192.168.1.11
4 1
Amazon Route 53 Resolver
Primary Secondary Tertiary
Availability Availability Availability

Zone 1 Zone 2 Zone 3
Route 53 Resolver
192.168.1.0/24 (myvpc.com)
192.168.1.10
one.myvpc.com
192.168.1.xyz mydc.com
192.168.1.11
two.myvpc.com 1
Route 53 Resolver
192.168.1.0/24 (myvpc.com) 2. On-prem DNS: Forward to AWS resolver
192.168.1.10
one.myvpc.com 2
192.168.1.11
two.myvpc.com 1
Route 53 Resolver
192.168.1.0/24 (myvpc.com) 2. On-prem DNS: Forward to AWS resolver
192.168.1.10
one.myvpc.com 2
3
192.168.1.11
two.myvpc.com 1
Route 53 Resolver 1. Host one: Where is ”client.mydc.com”
192.168.1.0/24 (myvpc.com)
192.168.1.10 1
one.myvpc.com
192.168.1.11
two.myvpc.com
10.0.0.7
2. Route 53: Forward *.mydc.com to on-prem DNS
192.168.1.0/24 (myvpc.com)
192.168.1.10 1
one.myvpc.com
2
192.168.1.11
two.myvpc.com
10.0.0.7
192.168.1.0/24 (myvpc.com) 3. On-prem DNS: Oh, that’s 10.0.0.7
192.168.1.10 1
one.myvpc.com
2
3
192.168.1.11
two.myvpc.com
10.0.0.7
192.168.1.0/24 (myvpc.com) 3. On-prem DNS: Oh, that’s 10.0.0.7
192.168.1.10 1
one.myvpc.com
2
4 192.168.1.xyz mydc.com
3
192.168.1.11
two.myvpc.com
10.0.0.7
“Everything fails all the time.”
Werner Vogels
VP & CTO, AWS
Start with the application
Availability Zone 1
Availability Zone 2
us-east-1
us-west-2
us-east-1
us-west-2
Consider the ingress and egress points
Availability Zone 1
Availability Zone 2
Availability Zone 1
Availability Zone 2
Know your traffic profile
Know your dependencies
Everything API
Understand impact
Understand impact
Guilty until proven innocent

Test it! Test it often!
Understand impact

Understand impact

Thank you!
Justin Davies
@mrjustind

Aws Direct Connect Deep Dive 1077328783 181128003427

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Aws Direct Connect Deep Dive 1077328783 181128003427

Uploaded by

Copyright:

Available Formats

NET403

AWS Direct Connect: Deep Dive

route-filter 0.0.0.0/0 exact;

community add TAG-TO-AWS;

community TAG-TO-AWS-HIGH-PREF members 7224:7300;

New features and functionality

Route manipulation and traffic engineering

How is AWS Direct Connect billed?

How to manage hybrid DNS scenarios over

Architectural best practices and resiliency

Direct Connect Customer

Direct Connect Customer

Direct Connect Customer

Direct Connect Customer

route-filter 0.0.0.0/0 exact;

community add TAG-TO-AWS;

community TAG-TO-AWS-HIGH-PREF members 7224:7300;

ip prefix-list TAG-TO-AWS permit 0.0.0.0/0 le 32

route-map TO-AWS permit 10

match ip address prefix-list TAG-TO-AWS

set community 7224:7300

router bgp 65400

neighbor 169.254.221.5 send-community

neighbor 169.254.221.5 route-map TO-AWS out

Primary Secondary Tertiary

Availability Availability Availability

Guilty until proven innocent

Guilty until proven innocent

Guilty until proven innocent

You might also like