AWS Direct Connect Gateway enables the connectivity of multiple Virtual Private Clouds (VPCs) across AWS Regions worldwide.
AWS features and services are ever-evolving in order to keep up with next-generation technologies and solve the ongoing enterprise challenges that come with accessing workloads and moving data across Regions. One fundamental aspect of enterprise cloud strategy is dedicated connectivity between on-premises environments and public cloud services. Direct Connect Gateway, the newest interconnect product in the AWS repertoire, builds on the capabilities of Direct Connect, which enables you to establish virtual interfaces directly into the AWS Cloud. In this post, we explain Direct Connect Gateway, break down the customer benefits, and illustrate its relevance to the recent addition and expansion of the AWS Inter-Region VPC Peering service.
Using Direct Connect prior to Direct Connect Gateway
AWS Direct Connect allows you to establish a dedicated network connection from your premises to AWS. This enables you to directly access AWS services. Previously, a Direct Connect location could only be linked to a single AWS Region, creating a challenge for businesses. Enterprise customers have been seeking inter-region connectivity for some time in order to support high availability and redundancy as well as improve network performance between environments.
The main issue was that each VPC's Virtual Private Gateway (VGW) had to be connected one-to-one to a Direct Connect connection via its own Private Virtual Interface (VIF). Each of these interfaces required a separate Border Gateway Protocol (BGP) session between AWS and your private network. This involved time-intensive administration work, potentially high costs, and the burden of heavy loads on network devices.
Provisioning Multi-Region Connectivity with Direct Connect Gateway
AWS Direct Connect Gateway provides a simple and powerful solution to the challenges associated with multi-region AWS connectivity. The service allows you to create connections from a single Direct Connect to multiple VPCs in multiple AWS Regions. From any Direct Connect location, users can establish connections to any VPC, in any Region, residing within a single AWS account. You no longer need to establish a separate BGP session for each VPC. Connecting from any Direct Connect location provides a more cost-effective way to use AWS services on a cross-region basis. You can benefit from savings by consolidating Direct Connects and streamlining global workloads to your chosen location.
Points to Consider when using Direct Connect Gateway
Single Account: Currently, you cannot use a Direct Connect Gateway in one AWS account to connect to a VPC in a different account. In order to associate a Direct Connect gateway with a virtual private gateway, it must exist within the same account as the virtual private gateway.
Traffic Flow: Sending traffic from one VPC associated with a Direct Connect Gateway to another VPC associated with the same Direct Connect Gateway is not possible with this service. Direct Connect Gateway only supports routing traffic between Direct Connect virtual interfaces and virtual private gateways (each associated with a VPC). Put simply, you cannot create VPC to VPC connections or VIF to VIF connections; Direct Connect Gateways only allow communication between VGWs and a VIF. In order to send traffic between two VPCs, you need to configure a VPC peering connection, as you would today.
In addition, direct communication is not supported between a virtual interface attached to a Direct Connect gateway and a VPN connection on a virtual private gateway that’s associated with the same Direct Connect Gateway.
Location and SLA: Each Direct Connect Gateway is a global object that exists across all of the public AWS Regions. All communication between the Regions via the Gateways takes place across the AWS network backbone. SLAs for Direct Connect Gateway or Direct Connect are not currently provided.
Public Virtual Interfaces: You cannot create a public virtual interface to a Direct Connect Gateway. If you want to connect to public AWS services, such as S3 or Glacier, that aren't in a VPC, create a public virtual interface instead. Public virtual interfaces allow you to access AWS public service endpoints for AWS services running in any AWS Region (except the AWS China Region) over Direct Connect.
IP Addressing: The VPCs that reference a particular Direct Connect Gateway must have IP address ranges that do not overlap.
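The four constraints above (single account, VIF-to-VGW traffic only, no public VIFs, non-overlapping VPC ranges) are the kind of thing worth checking on paper before any association is created, because a clash only surfaces once BGP routes start arriving. The following is an added example, not code from Megaport or AWS: a small offline model of a Direct Connect Gateway design that reports violations of those rules and answers whether a given pair of attachments can exchange traffic through the gateway. The account ids, Region names and CIDR blocks are constructed sample values, and the class and function names are this example's own.

```python
"""Offline design check for a Direct Connect Gateway (added example, not AWS or Megaport code)."""
from dataclasses import dataclass, field
from ipaddress import ip_network
from itertools import combinations


@dataclass
class VirtualInterface:
    name: str
    account_id: str
    kind: str  # "private" or "public"; only private VIFs may attach to a DX Gateway


@dataclass
class VirtualPrivateGateway:
    name: str
    account_id: str
    region: str
    cidrs: list  # IPv4 CIDR blocks of the VPC behind this VGW


@dataclass
class DirectConnectGateway:
    name: str
    account_id: str
    vifs: list = field(default_factory=list)
    vgws: list = field(default_factory=list)


def validate(gw: DirectConnectGateway) -> list:
    """Return a list of problems; an empty list means the design satisfies the
    constraints described in the post (same account, private VIFs only, no CIDR overlap)."""
    problems = []
    # Single account: every attachment must live in the gateway's own account.
    for obj in gw.vifs + gw.vgws:
        if obj.account_id != gw.account_id:
            problems.append(f"{obj.name}: account {obj.account_id} differs from gateway account {gw.account_id}")
    # Public virtual interfaces cannot be attached to a Direct Connect Gateway.
    for vif in gw.vifs:
        if vif.kind != "private":
            problems.append(f"{vif.name}: only private virtual interfaces can attach to a Direct Connect Gateway")
    # IP addressing: VPC ranges behind the same gateway must not overlap.
    nets = []
    for vgw in gw.vgws:
        for cidr in vgw.cidrs:
            try:
                nets.append((vgw.name, ip_network(cidr, strict=True)))
            except ValueError as exc:  # host bits set or unparsable prefix
                problems.append(f"{vgw.name}: bad CIDR {cidr!r} ({exc})")
    for (a_name, a_net), (b_name, b_net) in combinations(nets, 2):
        if a_net.overlaps(b_net):
            problems.append(f"{a_name} {a_net} overlaps {b_name} {b_net}")
    return problems


def flow_allowed(src, dst) -> bool:
    """Traffic flow rule: the gateway only forwards between a VIF and a VGW.
    VGW-to-VGW (VPC-to-VPC) and VIF-to-VIF paths are not provided by it."""
    return {type(src), type(dst)} == {VirtualInterface, VirtualPrivateGateway}


def build_design(include_faults: bool = False) -> DirectConnectGateway:
    """Constructed sample: one private VIF and two VPCs in different Regions under one account.
    With include_faults=True, a foreign-account VGW with an overlapping range and a public VIF are added."""
    acct = "111111111111"
    gw = DirectConnectGateway("dxgw-example", acct)
    gw.vifs.append(VirtualInterface("vif-sydney", acct, "private"))
    gw.vgws.append(VirtualPrivateGateway("vgw-sydney", acct, "ap-southeast-2", ["10.10.0.0/16"]))
    gw.vgws.append(VirtualPrivateGateway("vgw-virginia", acct, "us-east-1", ["10.20.0.0/16"]))
    if include_faults:
        gw.vgws.append(VirtualPrivateGateway("vgw-oregon", "222222222222", "us-west-2", ["10.10.128.0/17"]))
        gw.vifs.append(VirtualInterface("vif-public", acct, "public"))
    return gw


if __name__ == "__main__":
    for faults in (False, True):
        design = build_design(include_faults=faults)
        print(f"{design.name} (faults={faults}): {validate(design) or 'OK'}")
    good = build_design()
    print("VIF -> VGW allowed:", flow_allowed(good.vifs[0], good.vgws[0]))
    print("VGW -> VGW allowed:", flow_allowed(good.vgws[0], good.vgws[1]))
```

Running the script prints an empty problem list for the clean design and three findings for the faulty one (foreign account, public VIF, overlapping 10.10.0.0/16 and 10.10.128.0/17). The same overlap check is what you would run across every VPC you intend to associate, including those reached through a VPC peering connection, since the gateway itself will not arbitrate between two VGWs advertising the same prefix.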
Inter-Region VPC Peering
Certain workloads may require direct connectivity from one VPC to other VPCs in different Regions. Inter-Region VPC Peering allows this capability. However, it’s important to remember that a VPC peering connection is a one-to-one relationship between two VPCs. You can create multiple VPC peering connections for each VPC that you own but transitive peering relationships are not supported. This means that you will have no peering relationship with the VPCs that your particular VPC isn’t directly peered with. This may be too restrictive for the workloads you want to deploy.
Provisioning Connectivity between Multi-Region VPCs with Megaport Cloud Router
Direct Connect Gateway has improved the AWS connectivity experience by reducing the number of Direct Connects required and, in turn, easing the BGP management burden. The connectivity benefits of Direct Connect Gateway remain when used alongside the strengths of the Megaport Cloud Router such as VPC to VPC communications and multi-account workloads.
The challenges of connecting multiple VPCs across multiple Regions are easily solved with Megaport Cloud Router (MCR). Our Layer 3 connectivity product equips you with virtual routing capabilities for cloud to cloud networking. You can establish secure, private, and low-latency connections, with an SLA, for multi-region AWS cloud environments.
The connectivity requirements for a Public VIF to AWS are similarly supported with an MCR. However, a Public VIF is not required to terminate on a VGW or Direct Connect Gateway. In order to connect to public resources such as Amazon Simple Storage Service (S3) and Amazon DynamoDB, AWS generally requires you to bring public IP addresses to this connection. The MCR will supply a /31 range that can be used for the public peering, over which the global AWS public route tables are received.
An MCR instance may be used either with or without a physical Megaport connection. If you combine the MCR functionality with a current or new physical Megaport, you may benefit from reduced latencies for inter-region or cloud to cloud connectivity combined with connecting to a physical Port. Megaport increases the connection options to Cloud Service Provider on-ramps from our 200+ data centre locations. Provisioning connectivity via our global Software Defined Network ensures 100% service availability for extremely low latency networking.
Configuring AWS Direct Connect from portal.megaport.com is easy. You can self-provision connections via our powerful API integration with AWS. Connecting multiple VPCs requires an MCR plus a VXC per Direct Connect location. Provisioning connections takes less than a minute; however, there are a few points to consider, such as making sure your IP address ranges across VPCs don't overlap. You can find in-depth details in our MCR Knowledgebase article.
Scalable connectivity with flexible terms gives you significant cost advantages when accessing AWS Direct Connect Gateway with Megaport. You can dial your bandwidth up and down as your business demands, allowing you to align your network requirements with your cloud consumption. The Direct Connect cost is covered by the VXC from your Port, and egress rate charges are reduced for our customers.
Provisioning AWS Direct Connect Gateway with Megaport allows for powerful multi-region and multicloud strategies. For more information on dedicated connectivity to AWS, visit the webpage or fill out the form below.
Author: Paul McGuinness