AWS Direct Connect
Overview
In the early 21st century, cloud computing drove a revolution in infrastructure. As customers adopted cloud platforms such as AWS, they used the AWS Site-to-Site VPN connection to establish secure connections between their on-premises network and an AWS data center (AWS region). VPN alone, however, did not satisfy all the requirements of AWS customers.
In 2011, AWS released Direct Connect, a new service that uses dedicated Ethernet fiber-optic cable to link customers on-premises to an AWS region by bypassing the public internet.
What is AWS Direct Connect and How Does it Work?
AWS Direct Connect provides a private network connection between the customer's on-premises network or data center and an AWS region (the customer's AWS account).
A Direct Connect connection is a standard Ethernet fiber-optic link between the customer's data center, office, or colocation environment and the AWS account's region.
Traffic from the customer's on-premises servers to AWS servers and services is routed over this physical fiber-optic link (Direct Connect) instead of over the public internet.
How does it work?
AWS Direct Connect is an alternative to reaching AWS services over the public internet. It lets customers connect to AWS in a low-latency, secure, and private way for workloads that need higher throughput or lower latency than the internet provides.
Once a customer orders a Direct Connect (DX) connection of the required bandwidth and completes a Letter of Authorization (LOA), a physical fiber-optic connection is installed between the customer's data center, office/colocation, or AWS partner router and the AWS region.
AWS partner router or customer router
- This router is installed at the customer's on-premises site or at the AWS partner location.
AWS router
- This router sits in the AWS Direct Connect location, from where traffic is carried into the AWS region.
The image below shows the traffic flow from the customer data center to the AWS region via the AWS Direct Connect location.
Note: AWS Direct Connect service providers vary by location. In India, Tata Communications, Reliance Jio, Sify, and Bharti Airtel are the major partner network service providers for AWS Direct Connect.
Components of AWS Direct Connect
Connection
Once a Letter of Authorization is approved, AWS or AWS Partner Network (APN) will share the connection to your AWS account.
There are two types of connections:
1. Dedicated Connection
2. Hosted Connection
Parameters | Dedicated Connection | Hosted Connection |
---|---|---|
Type | A dedicated physical Ethernet connection for a customer to their AWS account region | An AWS Direct Connect Partner provides a physical Ethernet connection on behalf of a customer |
Access | Customers request a dedicated connection through the AWS Direct Connect console, the CLI, or the API. | Customers request a hosted connection by contacting a partner in the AWS Direct Connect Partner Program, which provides the connection |
Bandwidth | 1 Gbps, 10 Gbps, 100 Gbps | 50 Mbps to 10 Gbps |
Virtual Interface
There are three types of virtual interfaces (VIFs) available in AWS Direct Connect. We can choose any one of them to attach to the provisioned Direct Connect connection.
- Public VIF
- Private VIF
- Transit VIF
VIF Type | Public VIF | Private VIF | Transit VIF |
---|---|---|---|
Uses | This interface is used to access AWS public services using public IP addresses | This interface is used to connect to the VPC using private IP addresses | This interface is used to connect transit gateways associated with the Direct Connect gateway |
Use-case | On-premises server to S3 bucket data transfer through Direct Connect | On-premises private or DB servers connecting to AWS VPC resources | On-premises to multi-VPC network architecture |
Direct Connect Gateway
A Direct Connect gateway lets us associate more than one virtual private gateway with a single VIF, so we do not have to create a separate VIF for each virtual private gateway.
Features of AWS Direct Connect
Flexible Bandwidth
- AWS offers port speeds starting at 10 Mbps and scaling up to 100 Gbps (the maximum for a dedicated connection), according to the customer's requirements.
Elasticity
- AWS Direct Connect is elastic, so we can move data back and forth to AWS according to our bandwidth requirement.
As an example,
Assume a startup chose a 50 Mbps hosted connection. If it later wants to increase or decrease bandwidth, it uses the AWS console, CLI, or API to create a new connection with the required bandwidth.
Note: The port speed of an existing connection cannot be changed; we must create a new connection to change the port speed.
Encryption
Encryption takes place on the Layer 2 devices that are directly connected to each other, i.e. the Ethernet switches or routers at either end of the link.
What are Layer 2 devices?
- Layer 2 devices forward frames from source to destination according to the Ethernet (MAC) address. For Direct Connect, these are the devices configured at the Direct Connect location.
AWS Direct Connect supports MACsec encryption for customers who have a dedicated connection with a bandwidth of 10 Gbps or 100 Gbps.
What is MACsec Encryption?
MACsec: Media Access Control Security
- MAC Security (MACsec) is an IEEE standard that provides data confidentiality, data integrity, and data origin authenticity at the link layer.
Layer 2 devices with MACsec capability support MACsec encryption. The encryption runs between the Layer 2 device at the Direct Connect location and the MACsec-capable Layer 2 device the customer chooses. Because MACsec is a link-layer protection, it covers only that hop; data that must remain encrypted beyond it needs encryption at a higher layer as well.
MACsec requires that your connection be terminated on a MACsec-capable device on the AWS Direct Connect side of the connection.
Note: MACsec supports 10 Gbps and 100 Gbps dedicated connections. It also supports Direct Connect SiteLink.
SiteLink
- SiteLink is an optional Direct Connect feature available for private virtual interfaces.
- Using SiteLink incurs additional charges.
- SiteLink takes the shortest path between any two Direct Connect points of presence over the AWS backbone network, instead of routing via an AWS region.
With Direct Connect
Here we can see the data transfer routed to the region and then passing to the AWS Direct Connect Location.
With Direct Connect Sitelink
Here, we can achieve the data transfer between AWS Direct Connect Locations without being routed toward the AWS region.
Use Cases of AWS Direct Connect
Enterprise customers opt for AWS Direct Connect for the following four reasons:
The AWS Direct Connect service is natively compatible with AWS services
- We can upload and download data to AWS public services such as S3 directly from our on-premises infrastructure. We can also connect to the AWS VPC network from our on-premises infrastructure. In both cases, the traffic does not traverse the public internet.
Cloud and on-premises hybrid environments
- Database migration, application migration, and data transfer to AWS work better over Direct Connect in a hybrid environment.
Transferring large data sets
- Using EFS and Storage Gateway, we can transfer large data sets with lower latency and higher throughput.
Real-time data feeds
- We can set up a data pipeline on AWS or on-premises for real-time data analytics. Direct Connect helps achieve high performance with resiliency.
Requirements to Use AWS Direct Connect
There are certain network requirements we must meet to establish Direct Connect.
Network Device:
Port Capacity | 1 Gbps | 10 Gbps | 100 Gbps |
---|---|---|---|
Transceiver | Single-mode fiber with a 1000BASE-LX (1310 nm) transceiver | Single-mode fiber with a 10GBASE-LR (1310 nm) transceiver | Single-mode fiber with a 100GBASE-LR4 transceiver |
Port auto-negotiation:
- For 1 Gbps: enabled or disabled, depending on the Direct Connect endpoint
- For more than 1 Gbps: must be disabled
VLAN: IEEE 802.1Q encapsulation
Protocol: Border Gateway Protocol (BGP)
Authentication: BGP MD5
Those who meet the above requirements can order Direct Connect directly.
Those who do not meet them can still use Direct Connect through the APN (AWS Partner Network).
AWS Direct Connect Pricing
Three components determine the pricing of AWS Direct Connect, irrespective of location:
- Capacity
- Port hour
- Data transfer out
Dedicated Port Connection
Capacity | Port hour rate excluding Japan | Port hour rate in Japan |
---|---|---|
1 Gbps | $0.30/hour | $0.285/hour |
10 Gbps | $2.25/hour | $2.142/hour |
100 Gbps | $22.50/hour | $22.50/hour |
Hosted Port Connection
Capacity | Port hour rate excluding Japan | Port hour rate in Japan |
---|---|---|
50 Mbps | $0.03/hour | $0.029/hour |
100 Mbps | $0.06/hour | $0.057/hour |
200 Mbps | $0.08/hour | $0.076/hour |
300 Mbps | $0.12/hour | $0.114/hour |
400 Mbps | $0.16/hour | $0.152/hour |
500 Mbps | $0.20/hour | $0.190/hour |
1 Gbps* | $0.33/hour | $0.314/hour |
2 Gbps* | $0.66/hour | $0.627/hour |
5 Gbps* | $1.65/hour | $1.568/hour |
10 Gbps* | $2.48/hour | $2.361/hour |
* These capacities are available only from selected AWS Direct Connect Partners.
For example,
In India, the two partners listed below offer dedicated and hosted connections for the Direct Connect service.
Partner | GPX, Mumbai, India | Sify Rabale, Mumbai, India | STT GDC India Pvt. Ltd. VSB, Chennai, India | NetMagic DC2, Bangalore, India | STT Delhi DC2, Delhi, India | STT Hyderabad DC1, Hyderabad, India |
---|---|---|---|---|---|---|
Sify | ✔G | ✔G | ✔G | ✔G | ✔G | ✔ |
Tata Communications | ✔H | ✔H | ✔H | ✔ | ✔H | ✔H |
✔ : Supports dedicated connections
G : Approved for hosted connections of capacities from 50 Mbps to 500 Mbps
H : Approved for hosted connections of capacities from 50 Mbps to 10 Gbps
Data transfer in
There is no charge for data transferred into your AWS account over Direct Connect.
Data transfer out
The data transfer out rate varies by region and by the country in which the region is located.
SiteLink hours
Fixed $0.50 per hour for each VIF associated with the Direct Connect gateway
SiteLink Data Transfer rates
How to Configure AWS Direct Connect?
Assuming we are establishing Direct Connect with an APN partner:
- Once the Letter of Authorization is completed, the partner shares the network connection. It shows up in the Direct Connect console.
- We accept it and continue with the steps below.
Connection details
- Name: enter any preferred name
- Location: choose Mumbai (for demo purposes)
- Port speed: 1 Gbps or 10 Gbps
- Service provider: Tata Communications, Bharti Airtel, or GPX (if you choose to use an AWS Direct Connect partner)
Additional settings (optional)
- MACsec support: disabled by default
- Existing LAGs: disabled by default
- Once the above steps are finished, we have two options:
- Create a new VIF, or choose an existing VIF.
Creating a VIF
- We choose the type of VIF: private, public, or transit.
- In the VIF, we choose either a Direct Connect gateway or a virtual private gateway.
- We must enter the Virtual Local Area Network (VLAN) ID and the BGP ASN to create a VIF.
- In addition, we can optionally configure the following parameters:
Your router's peer IP: CIDR
Amazon router peer IP: CIDR
BGP authentication key: up to 126 characters
Jumbo MTU: MTU frame size of 9001 bytes (jumbo frames)
SiteLink: disabled by default
- Once the DX connection is created and the VIF is attached to it, we wait 10 to 15 minutes for the connection state to become available.
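The VIF parameters above are easy to mistype, and a weak or reused BGP MD5 key undermines the one authentication the peering has. The following added example (not code from the original post or from AWS) validates the VLAN, ASN, MTU, peer CIDRs, key length and gateway choice before anything is sent, and draws the BGP key from the OS CSPRNG. It assumes the request field names of boto3's create_private_virtual_interface as the author understands them; check them against the SDK you use.

```python
import ipaddress
import secrets

# Limits used by the validator. The VLAN range is IEEE 802.1Q; the 126-character
# BGP key limit and the 1500/9001-byte MTUs are the values stated on this page.
VLAN_RANGE = range(1, 4095)
MAX_AUTH_KEY_LEN = 126
ALLOWED_MTU = (1500, 9001)

def new_bgp_auth_key(nbytes=32):
    """Draw a random BGP MD5 key from the OS CSPRNG (URL-safe, no quoting issues)."""
    return secrets.token_urlsafe(nbytes)[:MAX_AUTH_KEY_LEN]

def build_private_vif(name, vlan, asn, customer_cidr, amazon_cidr, auth_key,
                      mtu=1500, dx_gateway_id=None, vgw_id=None, sitelink=False):
    """Validate private VIF parameters and return a request body. Field names follow
    boto3's newPrivateVirtualInterface shape as assumed here; verify against your SDK."""
    if vlan not in VLAN_RANGE:
        raise ValueError(f"VLAN {vlan} is outside the 802.1Q range 1-4094")
    if not 1 <= asn <= 4294967295:  # 16- or 32-bit ASN
        raise ValueError(f"ASN {asn} is not a valid BGP ASN")
    if mtu not in ALLOWED_MTU:
        raise ValueError(f"MTU must be one of {ALLOWED_MTU}")
    if not auth_key or len(auth_key) > MAX_AUTH_KEY_LEN:
        raise ValueError("BGP auth key must be 1-126 characters")
    if (dx_gateway_id is None) == (vgw_id is None):
        raise ValueError("give exactly one of dx_gateway_id or vgw_id")
    cust = ipaddress.ip_interface(customer_cidr)
    amzn = ipaddress.ip_interface(amazon_cidr)
    if cust.network != amzn.network or cust.ip == amzn.ip:
        raise ValueError("peer addresses must be distinct hosts in one subnet")
    vif = {
        "virtualInterfaceName": name,
        "vlan": vlan,
        "asn": asn,
        "mtu": mtu,
        "authKey": auth_key,
        "customerAddress": customer_cidr,
        "amazonAddress": amazon_cidr,
        "enableSiteLink": sitelink,
    }
    if dx_gateway_id:
        vif["directConnectGatewayId"] = dx_gateway_id
    else:
        vif["virtualGatewayId"] = vgw_id
    return vif
```

The returned dict is what you would pass as newPrivateVirtualInterface together with the connection ID; constructed peer values such as 169.254.254.1/30 and 169.254.254.2/30 (a /30 link-local pair) exercise the subnet check.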
AWS Direct Connect Locations
- AWS Direct Connect is available in locations all over the world. Those who lack the equipment required at a Direct Connect location can still connect through APN Technology and Consulting Partners.
- These APN Partners can help you establish network circuits between an AWS Direct Connect location and your data center.
- To minimize cost and latency, AWS recommends selecting the Direct Connect location and AWS region closest to the customer's data center.
For example,
If the customer data center is located in Mumbai, several Direct Connect locations serve the AWS Mumbai region.
AWS suggests choosing the Direct Connect location and AWS region nearest to the customer's data center to reduce latency, cost, and management overhead.
Benefits of AWS Direct Connect
- Customers can choose the bandwidth they need for data transfer and get consistent network performance.
- Bandwidth options include 1 Gbps, 10 Gbps, and 100 Gbps for dedicated connections.
- Data transfer out over Direct Connect costs less than internet data transfer from AWS to the customer data center.
- It provides a dedicated private network connection to the AWS VPC.
- It supports IPv4 and IPv6 BGP peering sessions.
- It also supports jumbo frames with a 9001-byte MTU.
Note: Jumbo frames are Ethernet frames with a payload larger than 1500 bytes. Using jumbo frames reduces CPU processing time.
Conclusion
- AWS Direct Connect establishes a private network link between the customer data center and the AWS region over a standard Ethernet fiber-optic cable.
- Customers can establish Direct Connect by opting for either a dedicated connection or a hosted connection.
- AWS Direct Connect pricing components are capacity, port hours, and data transfer out.
- It provides MACsec encryption and a flexible bandwidth range from 10 Mbps to 100 Gbps.
- Using Direct Connect SiteLink, customers can transfer data without routing through the AWS region.
- It provides high availability and resilience. Leveraging AWS Direct Connect reduces latency and data transfer costs.