VPC Security and Control
Basic Networking Concepts
Introduction to AWS PrivateLink
VPC Sharing using the AWS Resource Access Manager
Inter-Regional and Intra-Regional Communication Patterns
Understanding Direct Connect, Implementation and Configuration
Understanding AWS Direct Connect - Connectivity Options
Examining AWS Routing
DNS & Content Delivery on AWS
Managing Public and Private SSL/TLS Certificates using AWS Certificate Manager
This section of the AWS Certified Solutions Architect - Professional learning path introduces you to the core networking concepts and services relevant to the SAP-C02 exam. We start with an introduction to the AWS Virtual Private Network (VPC) and networking services. We then understand the options available and learn how to select and apply AWS networking, DNS, and content delivery services to meet specific design scenarios relevant to the AWS Certified Solutions Architect - Professional exam.
- Get a foundational understanding of VPCs, their security, and connectivity
- Learn about VPC sharing using the AWS Resource Access Manager
- Discover inter-regional and intra-regional communication patterns in AWS
- Learn about AWS Direct Connect, along with its implementation, configuration, and connectivity options
- Understand routing in AWS, including static and dynamic routing
- Understand the basics of networking, including Elastic IP addresses, Elastic Network Interfaces, networking with EC2, VPC endpoints, and AWS Global Accelerator
- Learn about the DNS and content delivery services Amazon Route 53 and Amazon CloudFront
AWS Direct Connect provides an organization a low latency and high-speed connection to AWS services by bypassing the public Internet to establish a dedicated connection from your location into AWS. However, I must be clear on this point. AWS Direct Connect is not a service by which AWS assumes the entire responsibility for the installation and management of the required physical network connectivity from an AWS region to your location. After ordering an AWS Direct Connect, an AWS representative will not quickly appear at your location with a fiber cable that is connected to the desired AWS region and ready to be plugged into your network infrastructure. When ordering a Direct Connect, what you're actually ordering is access to a 1 Gbps, 10 Gbps, or 100 Gbps network port at a Direct Connect or DX location. AWS then authorizes the customer to connect to that port.
The customer then works with their communications or networking partner to make the connection to the Direct Connect port from their data center. Unlike a VPN connection, Direct Connect requires physical connectivity to a specific DX location and it could take weeks or even months to run the required cabling between the DX location and the customer data center. With that said, let's get an overview of AWS Direct Connect architecture. An AWS Direct Connect typically involves three entities.
One, the business location. This represents the customer's data center which contains the customer-managed router or firewall to be used in connecting to AWS via Direct Connect. Two, the AWS region. The AWS region contains resources that a customer wishes to access via the Direct Connect. Once connectivity is established, a customer will create virtual interfaces or VIs to gain access to AWS services via Direct Connect. VIs, as well as advanced Direct Connect connection options, will be discussed in greater detail in a separate course. Three, the Direct Connect or DX location.
The DX location is usually a large regional colocation facility in which AWS rents space. Within its space, AWS has deployed some number of AWS-managed routers which are used as the endpoints of the DX service. To connect to the authorized DX port, a customer can rent space within this colocation facility to install their own routers. Or to avoid deploying equipment within this colocation facility, the customer can connect to the AWS DX port using routers provided by a DX partner.
There are a few items to note in regard to connectivity. First, the customer is responsible for establishing and managing the required networking from their business location to the DX location. Second, AWS is responsible for establishing and managing the required networking from AWS to the DX location. Third, within the DX location, the colo staff or the DX partners are responsible for the cross-connect which connects the customer or partner-owned router to the AWS authorized Direct Connect port. Let's talk about AWS Direct Connect Prerequisites.
One can easily establish a VPN connection to AWS from their business location with virtually any router or firewall. AWS Direct Connect, however, has specific needs that must be evaluated prior to ordering. Let me give you a list of conditions a customer network must meet prior to ordering a Direct Connect, and for you to remember, prior to taking an AWS exam. One, Direct Connect requires the use of single-mode fiber and specific transceivers based on the connection speed. A 1 GB Direct Connect must use a 1000 base LX transceiver. A 10 GB Direct Connect must use a 10 GBASE-LR transceiver. A 100 GB connection must use a 100 GBASE-LR4 transceiver. Two, though there are some Direct Connect endpoints which require auto-negotiation for a port to be enabled or disabled for 1 GB connections, auto-negotiation must be disabled for ports supporting 10 and/or 100 GB port's speeds.
The port's speed and full duplex mode must be manually set for the ports used for AWS Direct Connect. Three, AWS Direct Connect only supports 802.1Q VLAN encapsulation, thus every device across the entire Direct Connect connection must also support 802.1Q VLAN encapsulation. And four, the customer router serving as the Direct Connect termination point must support Border Gateway Protocol, BGP, and BGP MD5 authentication.
Though the proceeding list constituted the mandatory requirements to support an AWS Direct Connect, also consider the following points. Asynchronous Bidirectional Forwarding Detection, or BFD, a network protocol that is used to detect network failures, is automatically enabled for AWS Direct Connect virtual interfaces, but it does not take effect until it is configured on the customer network. Also, AWS Direct Connect supports both IP version 4 and IP version 6.
And finally, AWS Direct Connect supports an ethernet frame size of 1,522 or 9,023 bytes. Ensure that all equipment across the entire Direct Connect connection supports the frame size that you wish to implement.
Danny has over 20 years of IT experience as a software developer, cloud engineer, and technical trainer. After attending a conference on cloud computing in 2009, he knew he wanted to build his career around what was still a very new, emerging technology at the time — and share this transformational knowledge with others. He has spoken to IT professional audiences at local, regional, and national user groups and conferences. He has delivered in-person classroom and virtual training, interactive webinars, and authored video training courses covering many different technologies, including Amazon Web Services. He currently has six active AWS certifications, including certifications at the Professional and Specialty level.