Instructor: David Ball
Virtual Interfaces (VIFs)
To use an AWS Direct Connect connection, you must create at least one virtual interface, or VIF. A VIF holds the configuration parameters needed to establish a BGP peering session between the AWS DX port and the customer router, so that route information can be exchanged between them. AWS currently supports three types of VIF: Public, Private, and Transit.
1. Public VIF
- Public VIFs are used to access AWS public services using public IP addresses via the AWS backbone network
2. Private VIF
- Private VIFs are used to access resources within an Amazon VPC using private IP addressing
Note: A single DX connection can support up to 50 Public and Private VIFs
3. Transit VIF
- Transit VIFs are used when you wish to access one or more Amazon VPCs via a Transit Gateway that is associated with a Direct Connect Gateway
- A DX connection can support only one Transit VIF
Within the AWS Management Console, a VIF is created using the Virtual Interface page of the Direct Connect service dashboard.
Though each type of VIF has its own unique purpose, they all share the following configuration options:
1. VIF name
- Here you can specify any arbitrary name, however, it is a best practice to use a naming strategy that allows your resources to be easily identified
2. VIF owner
- Here you specify the AWS account that owns the DX connection.
3. VLAN ID
- You can select any VLAN ID, but note that on a given AWS DX connection the same VLAN ID cannot be used for more than one VIF.
4. Address Family
- Here you choose the address family, IPv4 or IPv6, with which to establish the BGP peering session. To support both families, an additional peering session can be configured after the VIF has been created.
5. BGP ASN (Autonomous System Number)
- Specify the ASN for your network. Any number can be used, but if you will be deploying a Private VIF, it is a best practice to use an ASN that you own or one from the private ASN range of 64512-65535. If you are deploying a Public VIF using a public ASN, you MUST own that ASN, because ownership is verified during the Public VIF creation process.
6. BGP MD5 authentication key
- This value is the password used to authenticate the BGP session between the AWS-owned and customer-owned equipment. The key MUST match on both BGP peers for the session to be established.
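The VIF types and the configuration options above translate into a small set of checkable rules: one Transit VIF and at most 50 Public/Private VIFs per connection, a VLAN ID used by only one VIF on that connection, a private-range or owned ASN, and an MD5 key that the router configuration must match. The following validator is an added example (not part of the course or of any AWS tool) that applies those rules to a planned set of VIFs; the `Vif` class, the `asn_ownership_verified` flag and the sample plan are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

PRIVATE_ASN_RANGE = range(64512, 65536)  # private ASN range named in the course
MAX_PUBLIC_PRIVATE_VIFS = 50             # per DX connection, from the course
MAX_TRANSIT_VIFS = 1                     # per DX connection, from the course

@dataclass
class Vif:
    name: str
    kind: str                  # "public", "private" or "transit"
    vlan: int                  # 802.1Q tag; must be unique on a DX connection
    asn: int                   # customer-side BGP ASN
    auth_key: Optional[str]    # BGP MD5 key; must match on both BGP peers
    asn_ownership_verified: bool = False  # assumed flag: AWS has verified we own a public ASN

def validate_connection(vifs: List[Vif]) -> List[str]:
    """Return findings for one DX connection's planned VIFs; empty means consistent with the rules."""
    findings: List[str] = []
    vlan_owner = {}
    n_pub_priv = sum(v.kind in ("public", "private") for v in vifs)
    n_transit = sum(v.kind == "transit" for v in vifs)
    if n_pub_priv > MAX_PUBLIC_PRIVATE_VIFS:
        findings.append(f"{n_pub_priv} public/private VIFs exceed the limit of {MAX_PUBLIC_PRIVATE_VIFS}")
    if n_transit > MAX_TRANSIT_VIFS:
        findings.append(f"{n_transit} transit VIFs exceed the limit of {MAX_TRANSIT_VIFS}")
    for v in vifs:
        if v.vlan in vlan_owner:
            findings.append(f"{v.name}: VLAN {v.vlan} is already used by {vlan_owner[v.vlan]}")
        else:
            vlan_owner[v.vlan] = v.name
        private_or_owned = v.asn in PRIVATE_ASN_RANGE or v.asn_ownership_verified
        if v.kind == "public" and not private_or_owned:
            # Ownership of a public ASN is verified during Public VIF creation, so flag it up front.
            findings.append(f"{v.name}: public ASN {v.asn} on a Public VIF needs verified ownership")
        if v.kind == "private" and not private_or_owned:
            findings.append(f"{v.name}: ASN {v.asn} is neither private-range nor verified as owned")
        if not v.auth_key:
            findings.append(f"{v.name}: no BGP MD5 key recorded, so the peers cannot be checked for a match")
    return findings

def example_plan() -> List[Vif]:
    """Constructed sample plan (not from the course) that trips each rule once."""
    return [
        Vif("prod-private", "private", 100, 65000, "s3cr3t"),
        Vif("dev-private", "private", 100, 65001, "s3cr3t"),   # duplicate VLAN
        Vif("s3-public", "public", 200, 12345, "s3cr3t"),       # public ASN, not verified
        Vif("tgw-a", "transit", 300, 65000, "s3cr3t"),
        Vif("tgw-b", "transit", 301, 65000, None),              # second Transit VIF, no MD5 key
    ]
```

Running `validate_connection(example_plan())` returns four findings: the second Transit VIF, the reused VLAN 100, the unverified public ASN, and the missing MD5 key.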
This may all seem a bit confusing, but let’s take some time to examine each VIF type to better understand its intended purpose.
Public VIFs are used to enable direct network access to all AWS public zone services using the AWS network as opposed to the public internet. They are ideal if you require a high speed, low latency connection to public AWS services such as Amazon S3, DynamoDB, Amazon SNS, and Amazon SQS.
Though they cannot be used to directly access private IPs, Public VIFs can be used to create VPN connections to provide encrypted access to private networks within VPCs.
Border Gateway Protocol (BGP) community tags can be used as a means to control the routes advertised and received over a public VIF. You can advertise any public IPs that you own over BGP knowing that any IP address prefixes advertised by AWS customers stay within the Amazon network and are not re-advertised to other customers, providers, or networks.
Private VIFs enable direct network access to AWS resources, such as EC2 instances, within a single VPC using their private IP addresses. A Private VIF is connected to an AWS Virtual Private Gateway (VGW) which is attached to a single VPC in the same region as the DX connection.
With Private VIFs, the BGP peer IP addresses do not need to be public; they can be statically defined by you or automatically generated by AWS when the Private VIF is created. Once the BGP session is active, your peer router will receive route announcements for the CIDR block ranges associated with your VPC.
Private VIFs with Direct Connect Gateways
I heard it was possible to connect to multiple VPCs with a single private VIF...
It is true to say that Private VIFs enable direct network access to AWS resources within a single VPC using their private IP addresses. It’s also true to say that by combining Private VIFs with Direct Connect Gateways, you can access multiple VPCs in multiple AWS regions within the same account.
Your router will establish a BGP session with the Direct Connect Gateway and then receive route announcements from all VPCs associated with the DX Gateway.
One very important point to note is that the DX Gateway does not allow the VPCs associated with it to communicate with one another.
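The two behaviours described above, that the customer router learns the CIDR blocks of every VPC associated with the DX Gateway but that the gateway never forwards between those VPCs, can be modelled directly. This is an added example (not code from the course or from AWS) with a constructed on-premises range, a constructed set of VPCs, and an overlap check that follows the documented DX Gateway requirement for non-overlapping VPC CIDRs, which the course text does not mention.

```python
import ipaddress
from itertools import combinations
from typing import Dict, List, Optional, Tuple

ON_PREM = ipaddress.ip_network("192.168.0.0/16")   # constructed on-premises range
# Constructed topology: one DX Gateway with VPCs in two regions of the same account.
SAMPLE_VPCS = {"vpc-east": ["10.1.0.0/16"], "vpc-west": ["10.2.0.0/16", "10.3.0.0/16"]}

def announced_prefixes(vpcs: Dict[str, List[str]]) -> List[ipaddress.IPv4Network]:
    """What the customer router learns from its BGP session with the DX Gateway:
    every CIDR block of every VPC associated with the gateway."""
    return sorted(ipaddress.ip_network(c) for cidrs in vpcs.values() for c in cidrs)

def overlapping_vpcs(vpcs: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Associated VPC pairs whose CIDRs overlap (documented DX Gateway constraint,
    not stated in the course): the announcements would be ambiguous, so flag them."""
    nets = {name: [ipaddress.ip_network(c) for c in cidrs] for name, cidrs in vpcs.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if any(x.overlaps(y) for x in nets[a] for y in nets[b])]

def locate(addr: str, vpcs: Dict[str, List[str]]) -> Optional[str]:
    """Name the side an address belongs to: 'on-prem', a VPC name, or None."""
    ip = ipaddress.ip_address(addr)
    if ip in ON_PREM:
        return "on-prem"
    for name, cidrs in vpcs.items():
        if any(ip in ipaddress.ip_network(c) for c in cidrs):
            return name
    return None

def path_allowed(src: str, dst: str, vpcs: Dict[str, List[str]]) -> bool:
    """Forwarding rule from the course: on-prem <-> any associated VPC passes through
    the DX Gateway, but traffic between two associated VPCs does not."""
    ends = {locate(src, vpcs), locate(dst, vpcs)}
    return "on-prem" in ends and None not in ends and len(ends) == 2
```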
Transit VIFs are increasingly popular when dealing with complex hybrid networks. A transit VIF is used to associate AWS Transit Gateways with Direct Connect gateways and we’ll explore this in more detail in the next section of this course.
This section of the AWS Certified Solutions Architect - Professional learning path introduces you to the core networking concepts and services relevant to the SAP-C02 exam. We start with an introduction to Amazon Virtual Private Cloud (VPC) and the AWS networking services. We then examine the options available and learn how to select and apply AWS networking, DNS, and content delivery services to meet specific design scenarios relevant to the AWS Certified Solutions Architect - Professional exam.
- Get a foundational understanding of VPCs, their security, and connectivity
- Learn about VPC sharing using the AWS Resource Access Manager
- Discover inter-regional and intra-regional communication patterns in AWS
- Learn about AWS Direct Connect, along with its implementation, configuration, and connectivity options
- Understand routing in AWS, including static and dynamic routing
- Understand the basics of networking, including Elastic IP addresses, Elastic Network Interfaces, networking with EC2, VPC endpoints, and AWS Global Accelerator
- Learn about the DNS and content delivery services Amazon Route 53 and Amazon CloudFront
Danny has over 20 years of IT experience as a software developer, cloud engineer, and technical trainer. After attending a conference on cloud computing in 2009, he knew he wanted to build his career around what was still a very new, emerging technology at the time — and share this transformational knowledge with others. He has spoken to IT professional audiences at local, regional, and national user groups and conferences. He has delivered in-person classroom and virtual training, interactive webinars, and authored video training courses covering many different technologies, including Amazon Web Services. He currently has six active AWS certifications, including certifications at the Professional and Specialty level.