AWS direct connect and more - yar145/mytestrepo1 GitHub Wiki

Traffic engineering

AWS Direct Connect Resiliency Recommendations

AWS Site to Site VPN connections as a backup for the Direct Connect

Some AWS customers would like the benefits of one or more AWS Direct Connect connections for their primary connectivity to AWS, coupled with a lower-cost backup connection. To achieve this objective, they can establish AWS Direct Connect connections with a VPN backup.

It is important to understand that AWS Site to Site VPN supports up to 1.25 Gbps throughput per VPN tunnel and does not support Equal Cost Multi Path (ECMP) for egress data path in the case of multiple AWS Site to Site VPN tunnels terminating on the same VGW. Thus, we do not recommend customers use AWS Site to Site VPN as a backup for AWS Direct Connect connections with speeds greater than 1 Gbps.

For additional resiliency, AWS customers can consider using AWS Site to Site VPN terminating on an AWS Transit Gateway as a backup to their AWS Direct Connect connections. Using AWS Site to Site VPN with Transit Gateway, you can ECMP traffic across multiple VPN tunnels to achieve up to 50 Gbps. It is important to note that single VPN tunnel bandwidth is still limited to 1.25 Gbps.

AWS Direct Connect + VPN

Private IP VPN with AWS Direct Connect

With private IP VPN, you can deploy IPsec VPN over AWS Direct Connect, encrypting traffic between your on-premises network and AWS, without the use of public IP addresses or additional third-party VPN equipment.

One of the main use cases for private IP VPN over AWS Direct Connect is helping customers in the financial, healthcare, and federal industries meet regulatory and compliance goals. Private IP VPN over AWS Direct Connect ensures that traffic between AWS and on-premises networks is both secure and private, allowing customers to comply with their regulatory and security mandates.

How do I establish an AWS VPN over an AWS Direct Connect connection?

AWS Direct Connect + AWS Transit Gateway + VPN


Detailed instructions

Introducing AWS Site-to-Site VPN Private IP VPNs

AWS Site-to-Site VPN introduces Private IP VPNs for enhanced security and privacy

AWS Site-to-Site VPN logs

Private IP VPN with AWS Direct Connect

AWS Direct Connect quotas

AWS Direct Connect route limit

There is a limit of 100 routes advertised over Direct Connect with a transit VIF or private VIF (https://docs.aws.amazon.com/directconnect/latest/UserGuide/limits.html). If you advertise more routes than that, the BGP session will go idle (DOWN).

You can summarize routes if possible, or consider using Transit Gateway Connect to build an overlay GRE tunnel with a BGP session to advertise your routing information.

Please refer to the blog for deployment details (https://aws.amazon.com/blogs/networking-and-content-delivery/integrate-sd-wan-devices-with-aws-transit-gateway-and-aws-direct-connect/).

This not only increases the routes advertised from 100 to 1000; you can also build up to 4 GRE tunnels to increase your traffic up to 20 Gbps to the Transit Gateway.

There's another limit you may need to be aware of depending on your architecture. Each TGW/DXGW association can list at most 20 prefixes. These prefixes, covering your VPCs, are propagated to on-prem. Hopefully in your case for IPv4 you can use a single summary block, but you still have an issue to solve if you use Site-to-Site VPN as your fail-over link, because by default it will propagate each VPC prefix. Those more specific prefixes will take precedence over the DX summary block. The workaround is to add static summary blocks to propagate over the VPN, and configure your on-prem router to ignore the specific VPC prefixes.

BTW future use of IPv6 across DX like this doesn't look easy at the moment. If you've let AWS assign VPC IPv6 CIDRs for you and you have a lot of VPCs, no way can you list them all with that limit of 20 prefixes. I raised a Product Feature Req about this a while back.
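Added example (not from this wiki or from AWS) serving both the route-limit note above and the TGW/DXGW prefix discussion: it counts routes against the 100-route limit, summarizes VPC prefixes, and simulates on-prem longest-prefix match so that VPN-propagated specifics beating the DX summary, and the filtering workaround, can be seen. The route-limit constants come from the page; the CIDRs, the `direct-connect`/`vpn` next-hop labels and the equal-length tie-break in favour of DX are assumptions.

```python
"""Added example (not from the wiki or AWS): route-count check against the
Direct Connect BGP limit, route summarization, and a longest-prefix-match
simulation of the VPN fail-over problem and its workaround.
All CIDRs are constructed sample values."""
import ipaddress

DX_ROUTE_LIMIT = 100        # routes per private/transit VIF (quota named on the page)
TGW_CONNECT_LIMIT = 1000    # routes via Transit Gateway Connect (from the page)

def summarize(prefixes):
    """Collapse adjacent/overlapping prefixes into the minimal set of supernets."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def route_limit_check(prefixes, limit=DX_ROUTE_LIMIT):
    """Return (route_count, fits_within_limit) for a BGP advertisement."""
    return len(prefixes), len(prefixes) <= limit

def onprem_rib(dx_summary, vpn_prefixes, filter_vpn_specifics=False):
    """On-prem RIB as {prefix: next_hop}. DX summary installed first; a VPN route
    for the same prefix is ignored (assumption: DX wins on BGP preference at equal
    length). With filter_vpn_specifics=True, VPN prefixes more specific than the
    DX summary are dropped, which is the page's workaround."""
    summary = ipaddress.ip_network(dx_summary)
    rib = {dx_summary: "direct-connect"}
    for p in vpn_prefixes:
        net = ipaddress.ip_network(p)
        if p in rib:
            continue
        if filter_vpn_specifics and net != summary and net.subnet_of(summary):
            continue
        rib[p] = "vpn"
    return rib

def best_path(dst, rib):
    """Longest-prefix match: the most specific route wins, whatever its source."""
    ip = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), nh) for p, nh in rib.items()
               if ip in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

# Constructed sample: 128 VPCs, one /24 each, all inside 10.10.0.0/17
VPC_PREFIXES = [f"10.10.{i}.0/24" for i in range(128)]

if __name__ == "__main__":
    print(route_limit_check(VPC_PREFIXES))             # (128, False): exceeds 100
    print(summarize(VPC_PREFIXES))                     # ['10.10.0.0/17']
    print(best_path("10.10.5.9", onprem_rib("10.10.0.0/17", VPC_PREFIXES)))  # vpn
    fixed = onprem_rib("10.10.0.0/17", VPC_PREFIXES + ["10.10.0.0/17"], True)
    print(best_path("10.10.5.9", fixed))               # direct-connect
```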

https://aws.amazon.com/about-aws/whats-new/2021/03/aws-transit-gateway-connect-increases-service-quotas-for-route-limits/#:~:text=AWS%20Transit%20Gateway%20Connect%20increases%20service%20quotas%20for%20route%20limits

Quotas for your transit gateways

SD-WAN connectivity with AWS Transit Gateway Connect

Simplify SD-WAN connectivity with AWS Transit Gateway Connect

Integrating AWS Direct Connect with AWS Transit Gateway Connect

BGP

Creating active/passive BGP connections over AWS Direct Connect

Routing policies and BGP communities

[How can I use BGP communities to influence the preferred routing path on Direct Connect links from AWS to my network](https://repost.aws/knowledge-center/direct-connect-bgp-communities)

Site-to-Site VPN routing options

Allowed prefixes interactions

Packet capture

AWS VPC Traffic Mirroring

AWS VPC Traffic Mirroring Walkthrough

When VPC Flow Logs Aren’t Enough

SiteLink

Introducing AWS Direct Connect SiteLink

AWS Direct Connect and Direct Connect Gateway Scale Limits