Avatar
by John Gardner on 26 Jul 2018

One of the great things about deploying in to AWS is the ease of which you can create infrastructure. Whether you’re adding components via the console or using CloudFormation, the speed of which you can define and create the architecture for a solution is one of the fundamental reasons to move from an on premise solution into the Public Cloud.

However, what if building a greenfield AWS infrastructure isn’t an option for you? What if you have many legacy systems that need to move to the Cloud over a longer term or perhaps you decide that a Hybrid On Premise/AWS offering is better for you. In these cases, how do you reliably and securely communicate between your Data Centre and your VPC? Well, there is a solution and it’s called Direct Connect.

What Is AWS Direct Connect?

Direct Connect (DX) is the native AWS alternative to making an IPSec VPN connection from your Data Centre into your VPC. Whilst VPNs take your data across the public Internet, Direct Connect creates a private connection from AWS to the switch in your rack and has a number of benefits over a VPN:

  • The bandwidth available to you is much higher, by default this is a full 1Gbps or 10Gbps connection, you’re simply not going to get anywhere like that with a VPN tunnel.
  • The quality and consistency of the connection is exceptional and has very low latency.
  • It has the ability to be configured in HA mode.

So, those are the good things about DX, but there are inevitably other points which whilst not bad, require some thought before implementation is considered. The rest of this article will attempt to guide you through these and set you on the path to a perfect (and hopefully outage free) Direct Connect installation.

VPN and Direct Connect

Why Can’t I Just Press a Button?

Although we’ve all become familiar with creating VPCs, Subnets and Routing using a friendly UI, some of the implementation of Direct Connect is outside the control of AWS and therefore, you will have to make some choices of how to proceed once you’ve decided to go ahead with purchasing the DX service. I’ve listed some of the important ones below:

  1. Who will I purchase the service from? This may seem like a strange question, but you don’t have to purchase directly from AWS. You can use one of the many partner companies (APN Technology and Consulting Partners) who will do a lot of the background work with AWS for you. In fact this may be the best option if you don’t have in-house networking skills and in some cases, the Data Centre you are co-located in may already be one of the partners on this list.

  2. Is your Data Centre a Direct Connect Location? AWS have a number of Tier 3 and Tier 4 Data Centres in each AWS Region designated as Direct Connect Locations. These are buildings which have AWS terminating equipment located in them. If you don’t have your equipment located in one of these Data Centres, you will have to make the connection from your site to the nearest Direct Connect Location yourself.

  3. Who will carry out the work at your Data Centre? This part could be the most problematic of all areas under consideration. You will need to understand the networking knowledge of your team and decide if you require third parties to assist you in configuring your Firewalls and/or Routers and Switches. They will need to know about VLANs in general but will also need to understand how to configure ports on your specific pieces of equipment. Ensure you check the AWS Direct Connect FAQ for the full list of requirements. Also, you will need to understand BGP, and that deserves a whole section of its own…

The Importance of BGP

Knowledge of BGP (Border Gateway Protocol) is an important part of understanding how the Direct Connect service works. BGP is the main routing protocol used across the Internet and although this is used within a private context for AWS connections, it’s important to understand at least a little about it, even if you aren’t actually planning to undertake the work. Why? Well simply because mis-configuring BGP can lead to major issues which could affect your connection. Badly configured BGP has, in the past, taken parts of the Internet offline (in one case, an entire country) so this is something that you should have a sound understanding of.

Use Your Vendor Support

Remember the money you pay every year for the support contract to cover networking in your Data Centre? Well, this is where you get some payback. If you have a good level of support on your kit, always ask your vendor for some assistance. They will usually be happy to help and will probably assign you a very clever Network Engineer who will have endless email and telephone conversations relating to the task in hand. If you’re really lucky, this Engineer may even have AWS Direct Connect experience and will be able to provide a remote set of eyes to validate any of the changes you will make. Getting this “free” support from your vendor is easily the best way to calm nerves and gain knowledge without any further financial outlay, so use them as much and as often as you can.

Plan, Plan and Plan

I’m putting this as the last point in the article, but in many ways it should be first. The only way a successful Direct Connect deployment can be undertaken is with lots of planning. This is such an important point that I would suggest that on the day that you decide to go down the Direct Connect route, you create a spreadsheet (or use whatever planning tool you’re happy with) and put down everything you can think of that will affect the outcome of going live. Nothing should be too small or insignificant a point, record it all and allocate someone to deal with any blockers or questions that arise. On the day of go live, you should have a complete set of points which should be ticked off when each of them are complete. Ensure that none of the implementation team deviate from this plan and make sure you highlight any stage which rollback can still be successfully initiated or when your only option is to fix forward. I’ve created a default deployment plan which you can alter to fit your own needs.

And Finally…

If you follow all of the points in the article, you should improve your chances of having a fully operational and successful Direct Connect implementation and it will open up many more possibilities when transferring data between your AWS VPC and Data Centre.