Hybrid Networking - vedratna/aws-learning GitHub Wiki

  • To connect to services such as EC2 using just Direct Connect you need to create a private virtual interface. However, if you want to encrypt the traffic flowing through Direct Connect, you will need to use the public virtual interface of DX to create a VPN connection that will allow access to AWS services such as S3, EC2, and other services.
  • To connect to AWS resources that are reachable by a public IP address (such as an Amazon Simple Storage Service bucket) or AWS public endpoints, use a public virtual interface. With a public virtual interface, you can:
    • Connect to all AWS public IP addresses globally.
    • Create public virtual interfaces in any DX location to receive Amazon’s global IP routes.
    • Access publicly routable Amazon services in any AWS Region (except for the AWS China Region).
  • To connect to your resources hosted in an Amazon Virtual Private Cloud (Amazon VPC) using their private IP addresses, use a private virtual interface. With a private virtual interface, you can:
    • Connect to VPC resources (such as Amazon Elastic Compute Cloud (Amazon EC2) instances or load balancers) on their private IP address or endpoint.
    • Connect a private virtual interface to a DX gateway. Then, associate the DX gateway with one or more virtual private gateways in any AWS Region (except the AWS China Region).
    • Connect to multiple VPCs in any AWS Region (except the AWS China Region); because a virtual private gateway is associated with a single VPC, the DX gateway is associated with one virtual private gateway per VPC.
  • If you want to establish a virtual private network (VPN) connection from your company network to an Amazon Virtual Private Cloud (Amazon VPC) over an AWS Direct Connect (DX) connection, you must use a public virtual interface for your DX connection.
  • Link Aggregation Group (LAG): hard limit of 4 connections; all connections must have the same bandwidth.
  • You can use multiple connections for redundancy. A link aggregation group (LAG) is a logical interface that uses the Link Aggregation Control Protocol (LACP) to aggregate multiple dedicated connections at a single AWS Direct Connect endpoint, allowing you to treat them as a single, managed connection. LAGs streamline configuration because the LAG configuration applies to all connections in the group.
  • You can create a LAG from existing dedicated connections, or you can provision new dedicated connections. After you create the LAG, you can associate existing dedicated connections (whether standalone or part of another LAG) with the LAG. The following rules apply:
    • All connections must be dedicated connections and have a port speed of 1 Gbps, 10 Gbps, or 100 Gbps.
    • All connections in the LAG must use the same bandwidth.
    • You can have a maximum of two 100G connections, or four connections with a port speed less than 100G in a LAG. Each connection in the LAG counts towards your overall connection limit for the Region.
    • All connections in the LAG must terminate at the same AWS Direct Connect endpoint.
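The four LAG rules above are easy to get wrong when planning a resilient DX design, so here is an added example (not from the wiki or from AWS) that encodes them as a pre-flight check over a constructed connection inventory. The `DxConnection` dataclass, the connection ids and the endpoint names are all made up for illustration; the rule set is the one listed above.

```python
from dataclasses import dataclass

# Port speeds a dedicated connection may have when it joins a LAG (from the notes above).
LAG_PORT_SPEEDS_GBPS = (1, 10, 100)


@dataclass(frozen=True)
class DxConnection:
    """Constructed model of one Direct Connect connection (not an AWS API type)."""
    connection_id: str      # made-up id, e.g. "dxcon-ex0"
    connection_type: str    # "dedicated" or "hosted"
    bandwidth_gbps: int
    endpoint: str           # the Direct Connect endpoint (device) the connection terminates on


def lag_problems(connections):
    """Return a list of rule violations; an empty list means the set can form one LAG."""
    problems = []
    if not connections:
        return ["a LAG needs at least one connection"]

    for c in connections:
        if c.connection_type != "dedicated":
            problems.append(f"{c.connection_id}: only dedicated connections can join a LAG")
        if c.bandwidth_gbps not in LAG_PORT_SPEEDS_GBPS:
            problems.append(
                f"{c.connection_id}: port speed {c.bandwidth_gbps} Gbps is not 1, 10 or 100 Gbps")

    speeds = {c.bandwidth_gbps for c in connections}
    if len(speeds) > 1:
        problems.append(
            f"mixed bandwidths {sorted(speeds)}: all LAG members must use the same bandwidth")

    endpoints = {c.endpoint for c in connections}
    if len(endpoints) > 1:
        problems.append(
            f"members terminate at {len(endpoints)} endpoints; all must share one Direct Connect endpoint")

    # The member limit depends on the (single) speed: two at 100G, otherwise four.
    if len(speeds) == 1:
        (speed,) = speeds
        limit = 2 if speed == 100 else 4
        if len(connections) > limit:
            problems.append(
                f"{len(connections)} x {speed} Gbps exceeds the LAG limit of {limit} connections at that speed")

    return problems


def can_form_lag(connections):
    return not lag_problems(connections)


# Constructed sample inventories; ids and endpoint names are made up.
FOUR_10G_SAME_ENDPOINT = [
    DxConnection(f"dxcon-ex{i}", "dedicated", 10, "example-endpoint-1") for i in range(4)]
THREE_100G = [
    DxConnection(f"dxcon-big{i}", "dedicated", 100, "example-endpoint-1") for i in range(3)]
MIXED_SPEEDS = [
    DxConnection("dxcon-m1", "dedicated", 1, "example-endpoint-1"),
    DxConnection("dxcon-m2", "dedicated", 10, "example-endpoint-1")]
SPLIT_ENDPOINTS = [
    DxConnection("dxcon-s1", "dedicated", 10, "example-endpoint-1"),
    DxConnection("dxcon-s2", "dedicated", 10, "example-endpoint-2")]

if __name__ == "__main__":
    for name, inventory in [("4x10G", FOUR_10G_SAME_ENDPOINT), ("3x100G", THREE_100G),
                            ("mixed", MIXED_SPEEDS), ("split", SPLIT_ENDPOINTS)]:
        print(name, "->", lag_problems(inventory) or "OK")
```

Running the check before ordering the connections avoids discovering at provisioning time that, for example, a third 100G link or a link landing on a different endpoint cannot be added to the group.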
  • Direct Connect Gateway: it's global, used to connect a customer location to many VPCs spread across Regions using a single private VIF.
  • Transit Gateway: it's regional, used for transitive VPC peering in the same Region. All VPCs within the same Region can connect to the Transit Gateway to talk to each other; they can also connect to the customer location if the customer VPN link is connected to the Transit Gateway. A VPC, a VPN and a Direct Connect gateway can connect to a Transit Gateway; a Direct Connect connection can't attach to it directly.
  • A Direct Connect gateway doesn't allow the connected VPCs to talk to each other. VPCs from the same Region can connect to a Transit Gateway, and the Transit Gateway can connect to the Direct Connect gateway, which lets the regional VPCs reach the customer over Direct Connect as well as each other.
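The difference between the two hubs is about what each one is willing to relay. Here is an added example (not from the wiki or from AWS) that models that difference as a small reachability check: a Direct Connect gateway relays only between the customer's Direct Connect side and each gateway associated with it, never between two associated gateways, while a Transit Gateway relays between any two of its attachments. The class, the node names and the two topologies are constructed for illustration, and the Transit Gateway rule assumes one route table into which every attachment is propagated (the default); real deployments can restrict this with route tables.

```python
from collections import deque


class HybridTopology:
    """Constructed toy model of how DX gateways and Transit Gateways relay traffic.

    Nodes are either hubs ("dxgw" or "tgw"), customer sites (the Direct Connect
    side, i.e. the VIF), or endpoints such as VPCs. Only hubs forward traffic.
    """

    def __init__(self):
        self.hub_kind = {}          # hub name -> "dxgw" | "tgw"
        self.customer_sites = set()  # nodes that stand for the customer's DX side
        self.adj = {}               # undirected attachment graph

    def add_hub(self, name, kind):
        if kind not in ("dxgw", "tgw"):
            raise ValueError(f"unknown hub kind {kind!r}")
        self.hub_kind[name] = kind
        self.adj.setdefault(name, set())

    def add_customer_site(self, name):
        self.customer_sites.add(name)
        self.adj.setdefault(name, set())

    def attach(self, a, b):
        self.adj.setdefault(a, set()).add(b)
        self.adj.setdefault(b, set()).add(a)

    def hub_relays(self, hub, came_from, go_to):
        """Does this hub forward a packet that arrived from came_from towards go_to?"""
        if self.hub_kind[hub] == "tgw":
            return True  # assumption: single route table, all attachments propagated
        # DX gateway: one side of the relay must be the customer's Direct Connect side,
        # so two associated gateways (VGWs or TGWs) never talk through it.
        return came_from in self.customer_sites or go_to in self.customer_sites

    def reachable(self, src, dst):
        """BFS over (node, previous hop); non-hub nodes never forward onward."""
        queue = deque((n, src) for n in self.adj.get(src, ()))
        seen = set()
        while queue:
            node, prev = queue.popleft()
            if node == dst:
                return True
            if (node, prev) in seen or node not in self.hub_kind:
                continue  # VPCs and sites are endpoints, not transit devices
            seen.add((node, prev))
            for nxt in self.adj[node]:
                if nxt != prev and self.hub_relays(node, prev, nxt):
                    queue.append((nxt, node))
        return False


def dxgw_only():
    """Constructed topology: private VIF -> DX gateway -> two VPCs (via their VGWs)."""
    t = HybridTopology()
    t.add_customer_site("on-prem")
    t.add_hub("dxgw", "dxgw")
    t.attach("on-prem", "dxgw")
    for vpc in ("vpc-us-east", "vpc-eu-west"):   # different Regions, same DX gateway
        t.attach("dxgw", vpc)
    return t


def dxgw_plus_tgw():
    """Constructed topology: transit VIF -> DX gateway -> TGW -> two VPCs in one Region."""
    t = HybridTopology()
    t.add_customer_site("on-prem")
    t.add_hub("dxgw", "dxgw")
    t.add_hub("tgw-us-east", "tgw")
    t.attach("on-prem", "dxgw")
    t.attach("dxgw", "tgw-us-east")
    for vpc in ("vpc-a", "vpc-b"):
        t.attach("tgw-us-east", vpc)
    return t


if __name__ == "__main__":
    a, b = dxgw_only(), dxgw_plus_tgw()
    print("DXGW only: on-prem -> vpc-eu-west:", a.reachable("on-prem", "vpc-eu-west"))
    print("DXGW only: vpc-us-east -> vpc-eu-west:", a.reachable("vpc-us-east", "vpc-eu-west"))
    print("DXGW + TGW: vpc-a -> vpc-b:", b.reachable("vpc-a", "vpc-b"))
    print("DXGW + TGW: vpc-a -> on-prem:", b.reachable("vpc-a", "on-prem"))
```

The model reproduces the two statements in the notes: with only a Direct Connect gateway the customer reaches every associated VPC but the VPCs cannot reach each other, and inserting a Transit Gateway gives the regional VPCs both each other and the Direct Connect path.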