Configure / Finalize your AWS Cloud connection

Updated 1 week ago by Joseph Thorwest

Prerequisites
General concept of VIFs
Deploy Private VIFs through AWS Direct Connect
- Prerequisites for deploying
- Guide

This guide provides a comprehensive overview of integrating DE-CIX DirectCLOUD with AWS by first explaining the concept of Virtual Interfaces (VIFs) and then deploying and managing Private VIFs through AWS Direct Connect.

Prerequisites

Before you proceed with this guide, ensure you have purchased an AWS Cloud connection via our portal. For details, click here.

General concept of VIFs

After creating the DirectCLOUD connection on the DE-CIX side, it is time to configure the network in AWS to finalize the setup.

Before entering in details, you need to understand some concepts from the AWS cloud to configure the services there.

If you are already familiar with these terms, you can jump directly to the guiding section of this article.

VIF - What is a VIF?

The Direct Connect (DX) connections are only layer two circuits - VLANs. They don´t directly support IP traffic. (We can´t access any resources)

This is why we have VIFs - Virtual Interfaces.

VIFs provide layer three connectivity for inbound and outbound IP traffic.

Thanks to the VIFs, we can access the resources in the cloud.

Types of VIFs

Three different types of VIFs exist, each with its specific use case:

Private VIF: Private VIFs allow us to connect to private AWS networks, in other words, to VPCs, but it has some limitations.
Public VIF: allow us to connect to the public zone, where all public AWS Services are. These services are accessed through the internet, for example, S3.
With the Public VIF, we can privately access all of them.

Transit VIF: Similar to the Private VIF, it allows us to connect to the private zone to our VPCs, but it also helps to bypass and transit data from one VPC to another in combination with a specific gateway (transit gateway).

Configurations

Because a VIF alone does nothing, you need a Gateway to make it work. Different configurations exist:

Private VIF

Private VIF + Virtual Private Gateway (VGW) - LEGACY
Private VIF + VGW + Direct Connect Gateway (DX Gateway) :
Recommended Setup for a simple hybrid architecture

This setup allows us to interconnect between different VPCs, in different regions.

Some limitations exist using this method. You can´t send traffic:

From one associated VPC to another, it is only possible from the customer to the VPC.
From one connected VIF to another (only a single VIF is allowed per session).
From a connected VIF through a VPN connection using an associated VGW.

Transit VIF

Transit VIF + Direct Connect Gateway (DX Gateway) + Transit Gateway

The DX Gateway with the Transit VIF interconnects Transit Gateways (instead of VGW: Virtual Private Gateways).
- Transit Gateways provide a hub and spoke design for connecting VPCs and on-premises networks:

Thanks to the transit gateway, the traffic can flow from point to point, from one associated VPC to another, and can be paired with different networking solutions such as VPN, transit gateway peering...

Now that you have these concepts in mind you are able to create the Recommended Setup.

Deploy Private VIFs through AWS Direct Connect

After reviewing the theoretical concept, you are ready to deploy the solution in the AWS Portal. For this example, we deploy a DX Gateway with a Private VIF and a VPG.

Prerequisites for deploying

Accept the DX Hosted Connection.
Create a Direct Connect Gateway (DX Gateway).
Create a Virtual Private Gateway (VGW) and associate it with the desired VPC.
- The VGW is not a global service; please make sure when creating it that you do it so in the same region as your resources.

Associate the VGW with the DX Gateway.
- You can associate up to 10 VGW
Think about a /30 IP range network for establishing BGP toward AWS

Now all the prerequisites are in place, and you can create a Private VIF and interconnect everything.

Guide

Follow these steps to create a Private VIF.

Go to the Direct Connect Service, and click on Create virtual interface.
Select Private VIF.
1. Add the name you consider to this Virtual interface.
2. In connection, select the DX Connection you have previously ordered and accepted.
3. Select the created Direct Connect Gateway in the pre-requisites.
4. Skip the VLAN field. AWS takes care of it.
5. Fill in the BGP ASN from your router.
Click on Additional settings.
This step is important. Do not skip it.
Complete the following information.
1. Fill in with the BGP IPs from the pre-requisites.
  - The first IP must be yours
  - The second IP is for AWS
2. Add a secret Password.
3. Enable Jumbo MTU size.
4. Click on create virtual interface.
  Please note: If you want resiliency, you should repeat this step, creating another Private VIF with a new DX Hosted Connection, and attaching it to the same DX Gateway:
Check the VIF and establish BGP.
Now AWS creates the VIF. This can take up to 10 minutes.
You can download the configuration file by clicking on Actions, Download Sample Configuration.
Important: You need to edit the VLAN ID from the sample configuration and put the VLAN ID you would like to use towards DE-CIX. We handle the rest.
If you use a different VLAN from the DE-CIX one, this setup doesn’t work.
After applying the configuration with the corrected VLAN, the BGP comes up. You must complete one last step:
Edit the routing table in the VPC to allow connection via DirectConnect.
To allow the traffic from the cloud to our on-premises, you must edit the subnet route table you want to interconnect and add the routes to our network.
1. Activate the routing propagation in the routing table. It automatically adds the received route once the connection is UP.
  Important: The networks can’t overlap, so if you are using the same IP Space as the VPC, it does not work. Also, don’t forget to configure on the on-premises side to redirect the traffic to the Direct Connect path.