VPC Security and Control
Basic Networking Concepts
VPC Sharing using the AWS Resource Access Manager
Inter-Regional and Intra-Regional Communication Patterns
Understanding Direct Connect, Implementation and Configuration
Understanding AWS Direct Connect - Connectivity Options
Examining AWS Routing
DNS & Content Delivery on AWS
Managing Public and Private SSL/TLS Certificates using AWS Certificate Manager
The course is part of this learning path
Instructor: David Ball
Welcome to the final lecture of this course where I will summarize the key points from the previous lectures.
The Connection Process:
I started this lecture talking about how an organization would obtain an AWS Direct Connect connection. The high-level steps for that process are:
- An AWS customer requests a DX connection in a DX location.
- Once the connection request has been received, AWS will allocate a DX port for the customer on one of their AWS-owned DX routers in the specified DX location.
- Once the DX port has been allocated, the customer downloads the Letter of Authorization Customer Facility Access (LOA-CFA) form which authorizes the DX location support staff to connect the customer environment to the specified AWS DX port.
- The customer completes the LOA-CFA form and sends it to the DX location to authorize the DX location support staff to physically access the customer-owned equipment for the purposes of establishing the cross-connect with the AWS DX port.
- With the LOA-CFA form in hand, the DX location support staff run the cross-connect cable from the customer-owned equipment to the AWS-owned DX port.
- Physical connectivity is now established and the Direct Connect is now available for use.
Direct Connect Virtual Interfaces:
In order to use an AWS Direct Connect, you must create at least (1) virtual interface, or VIF. A VIF contains the configuration parameters necessary to support a BGP peering connection between the AWS DX port and the customer router, thereby allowing route information to be exchanged between them. AWS currently supports (3) types of VIFs: Public, Private, and Transit
1. Public VIF
- Public VIFs are used to access AWS public services using public IP addresses via the AWS backbone network
2. Private VIF
- Private VIFs are used to access resources within an Amazon VPC using private IP addressing
3. Transit VIF
- Transit VIFs are used when you wish to access one or more Amazon VPCs via a Transit Gateway that is associated with a Direct Connect Gateway
- A DX connection can support only (1) Transit VIF
Direct Connect Advanced Connectivity:
AWS Direct Connect Resiliency Toolkit
We then looked at some advanced Direct Connect connectivity architectures starting with those available via the AWS Direct Connect Resiliency Toolkit.
The AWS Direct Connect Resiliency Toolkit assists cloud administrators with the creation of an advanced DX architecture that is in alignment with an organization's SLA objective.
The Resiliency Toolkit provides (3) resiliency models to choose from:
- Maximum Resiliency - this model (shown on the screenshot) creates multiple DX connections in multiple DX locations
- High Resiliency - this model creates a single DX connection in multiple DX locations
- Development and Test - this model creates multiple DX connections in a single DX location
Link Aggregation Groups
Within this section, we looked at Link Aggregation Groups or LAGs. LAGs enable multiple physical DX connections to function as a single connection of their aggregated bandwidth. For example, four (4) physical 1GB DX connections, configured as a LAG, would function as a single 4GB DX connection.
Remember that though LAGs provide a measure of resiliency, such as the failure of a single DX switch port or cross-connect cable, they do not provide any benefit in regards to the failure of an entire DX location datacenter. The primary benefit of a LAG is increased network performance via the consolidated bandwidth of the individual LAG members.
Transit VIFs and AWS Transit Gateways
Finally, we did a quick recap on VPC Peering and how the Transit Gateway has simplified the setup and operation of a global AWS network.
The AWS Transit Gateway is a regional resource that introduces a hub and spoke architecture to support highly scalable, and easy to manage networks. The Transit Gateway functions as the hub through which traffic is routed to each connected network, or spoke. A spoke can be a VPC, an on-prem data center, or a remote office.
To support global networks, inter-region peering can be used to connect Transit Gateways in multiple regions.
When an organization uses Direct Connect, a Transit VIF, Direct Connect Gateways, and Transit Gateways they have the opportunity to establish connectivity to any resource in your network, regardless of physical location or AWS region. Transit VIFs allow for some truly remarkable network designs and has become the standard for many of the clients I have personally worked with.
Remember the following bullet points:
- Each Transit VIF supports up to (3) Transit Gateways
- Each Transit Gateway can be attached to 20 Direct Connect Gateways
- Each Transit Gateway can support up to 5,000 attachments and 50 peering connections
- A single Direct Connect supports (1) Transit VIF and up to 50 Public/Private VIFs
That now brings me to the end of this lecture and to the end of this course, and so you should now have a greater understanding of the AWS Direct Connect connectivity options available to you..
Feedback on our courses here at Cloud Academy is valuable to both us as trainers and any students looking to take the same course in the future. If you have any feedback, positive or negative, it would be greatly appreciated if you could contact firstname.lastname@example.org.
Thank you for your time and good luck with your continued learning of cloud computing. Have a great day.
This section of the AWS Certified Solutions Architect - Professional learning path introduces you to the core networking concepts and services relevant to the SAP-C02 exam. We start with an introduction to the AWS Virtual Private Network (VPC) and networking services. We then understand the options available and learn how to select and apply AWS networking, DNS, and content delivery services to meet specific design scenarios relevant to the AWS Certified Solutions Architect - Professional exam.
- Get a foundational understanding of VPCs, their security, and connectivity
- Learn about VPC sharing using the AWS Resource Access Manager
- Discover inter-regional and intra-regional communication patterns in AWS
- Learn about AWS Direct Connect, along with its implementation, configuration, and connectivity options
- Understand routing in AWS, including static and dynamic routing
- Understand the basics of networking, including Elastic IP addresses, Elastic Network Interfaces, networking with EC2, VPC endpoints, and AWS Global Accelerator
- Learn about the DNS and content delivery services Amazon Route 53 and Amazon CloudFront
Danny has over 20 years of IT experience as a software developer, cloud engineer, and technical trainer. After attending a conference on cloud computing in 2009, he knew he wanted to build his career around what was still a very new, emerging technology at the time — and share this transformational knowledge with others. He has spoken to IT professional audiences at local, regional, and national user groups and conferences. He has delivered in-person classroom and virtual training, interactive webinars, and authored video training courses covering many different technologies, including Amazon Web Services. He currently has six active AWS certifications, including certifications at the Professional and Specialty level.