As enterprises move to the cloud, robust connectivity is often an early consideration. AWS Direct Connect provides a more consistent network experience for accessing your AWS resources, typically with greater bandwidth and reduced network costs. This session dives deep into the features of AWS Direct Connect and VPNs. We discuss deployment architectures and demonstrate the process from start to finish. We show you how to configure public and private virtual interfaces, configure routers, use VPN backup, and provide secure communication between sites by using the AWS VPN CloudHub.

1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Steve Seymour, Specialist Solutions Architect, AWS
December 2016
Deep Dive – Direct Connect and VPNs
NET402
@sseymour

2. Am I in the right room?
NET402: Deep Dive – Direct Connect and VPNs

3. Am I in the right room?
NET402: Deep Dive – Direct Connect and VPNs

4. Am I in the right room?
NET402: Deep Dive – Direct Connect and VPNs
Steve Seymour, Specialist Solutions Architect
@sseymour

5. 400 Level - EXPERT
“Expert Sessions are for attendees who are deeply familiar
with the topic, have implemented a solution on their own
already, and are comfortable with how the technology
works across multiple services, architectures, and
implementations.”

6. Existing knowledge
NET201 - Creating Your Virtual Data Center: VPC
Fundamentals and Connectivity Options
… where she covers connectivity options?

7. Existing knowledge
NET305 - Extending Data Centers to the Cloud: Connectivity
Options and Considerations for Hybrid Environments
…where they explain how to use VPN & AWS Direct Connect ?

8. re:Invent 2015 NET406 – Deep Dive on Direct Connect & VPNs
… where I explain provisioning and basic configuration?
Existing knowledge

9. IPSec VPN
The difference between….
Direct Connect

10. Router – pronounced ‘rooter’
The difference between…

11. Router – pronounced ‘rooter’
The difference between…
Router – pronounced ‘rowter’

12. Let’s get started…

13. What to Expect from the Session
• AWS hardware VPN and Direct Connect
• Options and configuration
• Resilience
• FAQs and billing
• BGP and routing
• Autonomous System Numbers (ASNs) and AS Path
• Routing inside the VGW

14. What to Expect from the Session
• CloudHub and transit VPC solution
• Connectivity with other AWS services
• Configuring an IPSec VPN over Direct Connect

15. AWS hardware VPN

16. Hardware VPN
• Fully managed and highly available VPN termination
endpoint at AWS end
• 1 connection, 2 VPN tunnels per VPC
• IPSec site-to-site tunnel with AES-256, SHA-2, and
latest DH groups
• Support for NAT-T
• Pay 0.05$ per hour per VPN connection
• Static or dynamic (BGP)

17. Static VPN
CORP
• 1 unique security association (SA) pair per tunnel
• 1 inbound and 1 outbound
• 2 unique pairs for 2 tunnels – 4 SAs
10.0.0.0 /16
10.0.0.0 /16
192.168.0.0 /16
192.168.0.0 /16
10.0.0.0 /16

18. Static VPN
CORP
• Consolidate ACLs to cover all IPs
• Filter to block unwanted traffic
10.0.0.0 /16
10.0.0.0 /16
0.0.0.0 /0
(any)
0.0.0.0 /0
(any)
10.0.0.0 /16

19. Dynamic VPN
CORP
Tunnel 1
IP 169.254.169.1 /30
BGP AS 17493
Tunnel 2
IP 169.254.169.5 /30
BGP AS 17493
10.0.0.0 /16
Tunnel 1
IP 169.254.169.2 /30
BGP AS 65001
Tunnel 2
IP 169.254.169.6 /30
BGP AS 65001
172.16.0.0 /16
• BGP peer IP addresses are automatically generated
• Customer ASN – owned or private ASN
• Amazon ASN is fixed per region

20. Resilient dynamic VPN – multiple VPCs
CORP

21. FAQs
Change the pre-shared key on a VPN connection?
• Delete the VPN connection
• Be aware the AWS VGW IPs will also likely change
Change the crypto configuration on a VPN connection?
• Just change your configuration on your device
• VPN configuration is ‘negotiated’ when the tunnel is established
Move VPN to a new VPC?
• Is the new VPC in the same account & region ?
• Detach the VGW from the VPC and attach to the new VPC

22. VPN billing
• VPN connections
• Connection hours
• Data transfer
• Data transfer – depends where the CGW is
• Remote network over the Internet – Internet out
• Remote network over Direct Connect public VIF – DX out
• Another VPC in the same region via EIP – local region
• Another VPC in another AWS Region - remote region

23. AWS Direct Connect

24. AWS Direct Connect
• Dedicated, private connection into AWS
• Create private (VPC) or public virtual interfaces to AWS
• Reduced data-out rates (data-in still free)
• Consistent network performance
• Option for redundant connections
• Multiple AWS accounts can share a connection
• Uses BGP to exchange routing information over a VLAN

25. Terminology For physical connections
• Dark fiber, DWDM
• Leased line
• Ethernet private line
• Pseudo-wire
• Point-to-point circuit
• LAN extension
• MPLS / VPLS / IP-VPN / L3-VPN
• MetroE, L2 link, eline, QinQ, EoMPLS

26. Physical connection
• Cross connect at the location
• Single mode fiber
- 1000Base-LX or 10GBASE-LR
• Potential onward delivery via Direct Connect Partner
• Customer router

27. 1G / 10G dedicated vs. hosted connections
• 1G / 10G dedicated ports – ‘regular connections’
• Full port speed available to you
• Supports multiple virtual interfaces
• Hosted connections – sub-1G (50 Mbps – 500 Mbps)
• Provided on a partner interconnect
• Each hosted connection has defined bandwidth and VLAN
• Each hosted connections supports a single virtual interface

28. Public vs. private virtual interfaces
Private VIF: connects you to a virtual private cloud (VPC)
… but not the VPC+2 DNS resolver
… and not the VPC endpoint for Amazon S3
Public VIF: connects you to public AWS services
… located within the associated region
… and anyone else using AWS public IPs
… and managed VPN public IPs

29. Virtual interfaces (VIFs)
• Public or private

30. Virtual interfaces (VIFs)
• Public or private
• 802.1Q VLAN

31. Virtual interfaces (VIFs)
• Public or Private
• 802.1Q VLAN
• BGP session

32. 1G/10G dedicated connections
Direct Connect Connection
‘Regular Connection’
dxcon-xxxxxx
Port Speed: 1 or 10 Gbps
Your Account

33. 1G/10G dedicated connections
Direct Connect Connection
‘Regular Connection’
dxcon-xxxxxx
Port Speed: 1 or 10 Gbps
Your Account
Virtual Interface
dxvif-xxxxxx
VLAN: 101

34. 1G/10G dedicated connections
Direct Connect Connection
‘Regular Connection’
dxcon-xxxxxx
Port Speed: 1 or 10 Gbps
Your Account
Virtual Interface
dxvif-xxxxxx
VLAN: 101
Virtual Interface
dxvif-xxxxxx
VLAN: 102

35. 1G/10G dedicated connections
Direct Connect Connection
‘Regular Connection’
dxcon-xxxxxx
Port Speed: 1 or 10 Gbps
Your Account
Virtual Interface
dxvif-xxxxxx
VLAN: 101
Virtual Interface
dxvif-xxxxxx
VLAN: 102
Virtual Interface
dxvif-xxxxxx
VLAN: 103

36. 1G/10G dedicated connections, hosted VIF
Direct Connect Connection
‘Regular Connection’
dxcon-xxxxxx
Port Speed: 1 or 10 Gbps
Your Account
Hosted Virtual Interface
dxvif-xxxxxx
VLAN: 101
Your Other Account

37. 1G/10G dedicated connections, hosted VIFs
Direct Connect Connection
‘Regular Connection’
dxcon-xxxxxx
Port Speed: 1 or 10 Gbps
Your Account
Hosted Virtual Interface
dxvif-xxxxxx
VLAN: 101
Your Other Account
Hosted Virtual Interface
dxvif-xxxxxx
VLAN: 102
Another Account

38. Hosted connections (sub-1 G)
Partner Account
Interconnect
’Hosted Connection’
dxcon-xxxxxx
VLAN: 101
Port Speed: 50-500 Mbps
Your Account

39. Hosted connections (sub-1 G)
Partner Account
Interconnect
’Hosted Connection’
dxcon-xxxxxx
VLAN: 101
Port Speed: 50-500 Mbps
Your Account
Virtual Interface
dxvif-xxxxxx
VLAN: 101

40. Hosted connections (sub-1 G)
Partner Account
Interconnect
’Hosted Connection’
dxcon-xxxxxx
VLAN: 101
Port Speed: 50-500 Mbps
Your Account
Virtual Interface
dxvif-xxxxxx
VLAN: 101
’Hosted Connection’
dxcon-xxxxxx
VLAN: 102
Port Speed: 50-500 Mbps
Virtual Interface
dxvif-xxxxxx
VLAN: 102

41. Direct Connect – resilient & diverse paths
AWS Direct
Connect Routers
DX Location 1
AWS Direct
Connect Routers
DX Location 2

42. Direct Connect – resilient & diverse paths
AWS Direct
Connect Routers
DX Location 1
AWS Direct
Connect Routers
DX Location 2
AZ
AZ
AZ AZ AZ
Transit
Transit

43. Direct Connect – resilient & diverse paths
AWS Direct
Connect Routers
DX Location 1
AWS Direct
Connect Routers
DX Location 2
AZ
AZ
AZ AZ AZ
Transit
Transit

44. FAQs
Move a connection to another account or rename it?
• Do not delete it!
• Support case
Move a virtual interface (VIF) to another VGW
• Note the settings (if needed); delete the VIF
• Create a new VIF and select the new VGW
• Deleting a VGW – remove all VIFs first
Need public IPs for a public VIF?
• Support Case
Change bandwidth on a hosted connection?
• Speak to your DX Partner – provide new, create VIF, cease old

45. Direct Connect billing
• Direct Connect
• Port hours (charged in the account owning the connection)
• Reduced data transfer rates
• VPN data transfer (your accounts) over Direct Connect at reduced rate
• Data transfer charged in the account owning the VIF
• Private VIF
• All data transfer out of your VPC via the VGW
• Public VIF
• Access your resources (S3 bucket, etc.) – you pay
• Access resources in your consolidated bill – you pay
• Access resources owned by someone else – they pay

46. IPv6 on Direct Connect

47. IPv6 over Direct Connect
• IPv6 now supported in VPC
• IPv6 on Direct Connect – Amazon supplied /125 CIDR
• Accept /64 or shorter prefixes
• Additional peering session on the same VIF for IPv6
• Supported on both public and private VIFs

48. Existing IPv4 Virtual Interface

49. Add Peering

50. Address Family – IPv6

51. Both IPv4 & IPv6 Peering

52. Both IPv4 & IPv6 Peering

53. Add IPv4 to an existing IPv6 Virtual Interface

54. What is BGP?
• TCP-based protocol on port 179
• BGP neighbors exchange routing information - prefixes
• More specific prefixes are preferred
• Uses Autonomous System Numbers – ASNs
• iBGP – between peers in the same AS
• eBGP – between peers in different AS
• AS_PATH – measure of network “distance”
• Local preference – weighting of identical prefixes

55. Autonomous System Numbers
(ASNs)

56. ASNs
• Global IRR says that Amazon is ASN 16509
• Direct Connect Public VIF – ASN 7224

57. ASNs
• Global IRR says that Amazon is ASN 16509
• Direct Connect Public VIF – ASN 7224
• Direct Connect Private VIF – ASN?
• Dynamic VPN – ASN?
• Can vary …

58. ASNs
• Global IRR says that Amazon is ASN 16509
• Direct Connect Public VIF – ASN 7224
• Direct Connect Private VIF – ASN?
• Dynamic VPN – ASN?
• Can vary …
us-east-1 (N.Virginia) – ASN 7224
eu-west-1 (Ireland) – ASN 9059
eu-central-1 (Frankfurt) – ASN 7224
eu-northeast-1 (Tokyo) – ASN 10124
eu-central-1 (Frankfurt) – ASN 7224
ap-southeast-1 (Singapore) – ASN 17493

59. ASNs
• Global IRR says that Amazon is ASN 16509
• Direct Connect Public VIF – ASN 7224
• Direct Connect Private VIF – ASN?
• Dynamic VPN – ASN?
• Can vary …
us-east-1 (N.Virginia) – AS 7224
eu-west-1 (Ireland) – AS 9059
eu-central-1 (Frankfurt) – AS 7224
eu-northeast-1 (Tokyo) – AS 10124
eu-central-1 (Frankfurt) – AS 7224
ap-southeast-1 (Singapore) – AS 17493Always Check!

60. Customer gateway configuration – check ASN

61. Public virtual interface
• Provides access to Amazon public IP addresses
• Requires public IP addresses for BGP session
If you can’t provide them, raise a case with AWS Support
• Public ASN must be owned by customer – private is OK
• Inter-region is available in the US

62. DX public VIF - AS_PATH & NO_EXPORT

63. DX public VIF - AS_PATH & NO_EXPORT
“AWS Public Direct Connect advertises prefixes
with a minimum path length of 3”

64. DX public VIF - AS_PATH & NO_EXPORT
“AWS Public Direct Connect advertises prefixes
with a minimum path length of 3”
“AWS Public Direct Connect announces all public prefixes
with the IANA well-known NO_EXPORT community set”

65. Public VIF – inter-region – US only
Public VIFs receive prefixes for all US regions
Prefixes are identified by BGP communities
Advertisements can be controlled via BGP communities

66. IP 54.239.244.57 /31
BGP AS 7224
Public VIF – inter-region – US only

67. AS PATH considerations

68. AS_PATH considerations
Corporate IPVPN – AS 65000
US-EAST-1 US-WEST-2 EU-WEST-1
AS7224 AS7224 AS9059
10.1.0.0/16 10.2.0.0/16 10.3.0.0/16

69. AS_PATH considerations
CORP
AS 65000
US-EAST-1
AS7224
10.1.0.0/16: [7224][i] 10.1.0.0/16: [65000][7224][i]
US-WEST-2
AS7224
10.1.0.0/16: REJECT. LOOP.

70. AS_PATH considerations
CORP
AS 65000
US-EAST-1
AS7224
10.1.0.0/16: [7224][i] 10.1.0.0/16: [65000][7224][i]
US-WEST-2
AS7224
10.1.0.0/16: REJECT. LOOP.
AS-OVERRIDE
10.1.0.0/16: [65000][65000][i] 10.1.0.0/16: ACCEPTED

71. AS_PATH considerations
CORP
AS 65000
US-EAST-1
AS7224
10.1.0.0/16: [7224][i] 10.1.0.0/16: [65000][7224][i]
US-WEST-2
AS7224
10.1.0.0/16: REJECT. LOOP.
AS-OVERRIDE
10.1.0.0/16: [65000][65000][i] 10.1.0.0/16: ACCEPTED
CORP
AS 65000
US-WEST-2
AS7224
US-EAST-1
AS7224
10.2.0.0/16: [7224][i]
AS-OVERRIDE
10.2.0.0/16: [65000][65000][i] 10.2.0.0/16: ACCEPTED

72. AS_PATH considerations
CORP
AS 65000
EU-WEST-1
AS9059
10.3.0.0/16: [9059][i] 10.3.0.0/16: [65000][9059][i]
US-WEST-2
AS7224
10.3.0.0/16: ACCEPTED

73. AS_PATH considerations
CORP
AS 65000
EU-WEST-1
AS9059
10.3.0.0/16: [9059][i] 10.3.0.0/16: [65000][9059][i]
US-WEST-2
AS7224
10.3.0.0/16: ACCEPTED
CORP
AS 65000
US-WEST-2
AS7224
EU-WEST-1
AS9059
10.2.0.0/16: [7224][i] 10.2.0.0/16: [65000][7224][i] 10.2.0.0/16: REJECT. LOOP

74. AS_PATH considerations
CORP
AS 65000
EU-WEST-1
AS9059
10.3.0.0/16: [9059][i] 10.3.0.0/16: [65000][9059][i]
US-WEST-2
AS7224
10.3.0.0/16: ACCEPTED
CORP
AS 65000
US-WEST-2
AS7224
EU-WEST-1
AS9059
10.2.0.0/16: [7224][i] 10.2.0.0/16: [65000][7224][i] 10.2.0.0/16: REJECT. LOOP
Why?
Because AS 7224 is used internally

75. AS_PATH considerations
CORP
AS 65000
US-WEST-2
AS7224
EU-WEST-1
AS9059
10.2.0.0/16: [7224][i] 10.2.0.0/16: [65000][7224][i] 10.2.0.0/16: REJECT. LOOP

76. AS_PATH considerations
CORP
AS 65000
US-WEST-2
AS7224
EU-WEST-1
AS9059
10.2.0.0/16: [7224][i] 10.2.0.0/16: [65000][7224][i] 10.2.0.0/16: REJECT. LOOP
10.2.0.0/16: REJECT. LOOP.
AS-OVERRIDE
10.2.0.0/16: [65000][7224][i]

77. AS_PATH considerations
CORP
AS 65000
US-WEST-2
AS7224
EU-WEST-1
AS9059
10.2.0.0/16: [7224][i] 10.2.0.0/16: [65000][7224][i] 10.2.0.0/16: REJECT. LOOP
ORIGINATE-DEFAULT
0.0.0.0/0: [65000][i] 0.0.0.0/0: ACCEPTED

78. Routing inside the VGW
EU-WEST-1
AS9059
10.3.0.0/16
0.0.0.0/0
via CORP (AS65000)
CORP
AS 65000
VGW

79. Routing inside the VGW
EU-WEST-1
AS9059
10.3.0.0/16
0.0.0.0/0
via CORP (AS65000)
CORP
AS 65000
“The Internet”
AKA 0.0.0.0/0
IGW
VGW

80. Routing inside the VGW
EU-WEST-1
AS9059
10.3.0.0/16
0.0.0.0/0
via CORP (AS65000)
CORP
AS 65000
“The Internet”
AKA 0.0.0.0/0
IGW
VGW
10.3.0.0/16 local

81. Routing inside the VGW
EU-WEST-1
AS9059
10.3.0.0/16
0.0.0.0/0
via CORP (AS65000)
CORP
AS 65000
“The Internet”
AKA 0.0.0.0/0
IGW
VGW
10.3.0.0/16 local
0.0.0.0/0 IGW

82. Routing inside the VGW
EU-WEST-1
AS9059
10.3.0.0/16
0.0.0.0/0
via CORP (AS65000)
CORP
AS 65000
“The Internet”
AKA 0.0.0.0/0
IGW
VGW
10.3.0.0/16 local
0.0.0.0/0 IGW
10.0.0.0/8 VGW

83. Routing preference
1. Local routes to the VPC (no override with more specific routing)
2. Longest prefix match first
3. Static route table entries preferred over dynamic
4. Dynamic routes:
a) Prefer DX BGP routes
i. Shorter AS Path
ii. Considered equivalent, and will balance traffic per flow
b) VPN static routes (defined on VPN connection)
c) BGP routes from VPN
i. Shorter AS Path

84. AWS VPN CloudHub

85. AWS VPN CloudHub
AS65001
AS65002
AS65003
eBGP

86. AWS VPN CloudHub and software VPN
AS65001
AS65002
AS65003
eBGP
VPN
VPN
US-EAST-1
EU-CENTRAL-1
Note: You can use the same Border Gateway Protocol (BGP)
Autonomous System Numbers (ASNs) for each site, or use a
unique ASN if you prefer. ALLOWAS-IN may be required.

87. AWS VPN CloudHub and software VPN
AS65001
AS65002
eBGP
VPN
VPN
US-EAST-1
EU-CENTRAL-1
VPN
VPN
US-WEST-2

88. AWS VPN CloudHub and software VPN
AS65001
AS65002
eBGP
VPN
VPN
US-EAST-1
EU-CENTRAL-1
VPN
VPN
US-WEST-2
AS65003

89. AWS VPN CloudHub and software VPN
AS65001
AS65002
eBGP
VPN
VPN
US-EAST-1
EU-CENTRAL-1
VPN
VPN
US-WEST-2
AS65003
“Transit VPC”?

90. AWS VPN CloudHub and software VPN
AS65001
AS65002
eBGP
VPN
VPN
US-EAST-1
EU-CENTRAL-1
VPN
VPN
US-WEST-2
AS65003
“Transit VPC” ?
2x EC2 Instances per VPC …

91. Transit VPC solution
• Move the 2x EC2 instances to the
‘hub’ – make them CGWs
• Use the VGW in the ‘spokes’ – single
route table target
• CloudHub on a detached VGW –
takes DX private VIF or VPN and re-
advertises routes in both directions

92. VPN and DX with other AWS services

93. Working with AWS services – public VIF
Public VIF: connects you to public AWS services
… located within the associated region
… and anyone else using AWS public IPs
… and managed VPN public IPs
Amazon
Glacier
Amazon
S3
Amazon
DynamoDB
Amazon
Kinesis
Amazon API
Gateway
Note: This is only a sampling of AWS services

94. Working with AWS services – public VIF
Public VIF: connects you to public AWS services
… located within the associated region
… and anyone else using AWS public IPs
… and managed VPN public IPs
Amazon
EC2
AWS
Lambda
Elastic Load
Balancing
Amazon
WorkSpaces
Note: This is only a sampling of AWS services
Amazon
Glacier
Amazon
S3
Amazon
DynamoDB
Amazon
Kinesis
Amazon API
Gateway

95. Working with AWS services – private VIF (or VPN)
Private VIF: connects you to a virtual private cloud (VPC)
… but not the VPC+2 DNS resolver
… and not the VPC endpoint for S3
Amazon
EC2
AWS
Lambda
Elastic Load
Balancing
Amazon
WorkSpaces
Note: This is only a sampling of AWS services

96. Working with AWS services – private VIF (or VPN)
Private VIF: connects you to a virtual private cloud (VPC)
… but not the VPC+2 DNS resolver
… and not the VPC endpoint for S3
Amazon
RDS
Amazon
Redshift
AWS
CloudHSM
AWS Directory
Service
Note: This is only a sampling of AWS services
Amazon
EC2
AWS
Lambda
Elastic Load
Balancing
Amazon
WorkSpaces

97. Working with AWS services – AWS Storage Gateway

98. Working with AWS services – AWS Storage Gateway
CORP NET
VGW
VPC:10.44.208.0/20
172.16.0.0/16
Storage Gateway
Appliance
Legacy
Servers
Backup
Software
VTL
iSCSI

99. Working with AWS services – AWS Storage Gateway
CORP NET
VGW
VPC:10.44.208.0/20
172.16.0.0/16
Storage Gateway
Appliance
Legacy
Servers
Backup
Software
VTL
iSCSI
Storage Gateway
Service Endpoints
client-cp.storagegateway.region.amazonaws.com:443
dp-1.storagegateway.region.amazonaws.com:443
anon-cp.storagegateway.region.amazonaws.com:443
proxy-app.storagegateway.region.amazonaws.com:443
storagegateway.region.amazonaws.com:443
Internet

100. Working with AWS services – AWS Storage Gateway
Direct Connect
CORP NET
VGW
VPC:10.44.208.0/20
172.16.0.0/16
Public VIF
Storage Gateway
Appliance
Legacy
Servers
Backup
Software
VTL
iSCSI
Storage Gateway
Service Endpoints
client-cp.storagegateway.region.amazonaws.com:443
dp-1.storagegateway.region.amazonaws.com:443
anon-cp.storagegateway.region.amazonaws.com:443
proxy-app.storagegateway.region.amazonaws.com:443
storagegateway.region.amazonaws.com:443

101. Working with AWS services – Amazon WorkSpaces

102. Working with AWS services – Amazon WorkSpaces
Authentication
Gateway
Active
Directory
corp
servers
CORP
NET
Users
Data Center
Streaming
Gateway
MFA
WorkSpacesVGW
Internet
Session
Gateway
Zero Client
Gateway
B A
VPC:10.44.208.0/20172.16.0.0/16
AWS
Directory
Service
AWS Hardware VPN

103. Working with AWS services – Amazon WorkSpaces
Authentication
Gateway
Active
Directory
corp
servers
Direct Connect
CORP
NET
Users
Data Center
Streaming
Gateway
MFA
WorkSpacesVGW
Internet
Session
Gateway
Zero Client
Gateway
B A
Private VIFs
VPC:10.44.208.0/20172.16.0.0/16
AWS
Directory
Service
AWS Hardware VPN

104. Working with AWS services – Amazon WorkSpaces
Authentication
Gateway
Active
Directory
corp
servers
Direct Connect
CORP
NET
Users
Data Center
Streaming
Gateway
MFA
WorkSpacesVGW
Internet
Session
Gateway
Zero Client
Gateway
B A
Private VIFs
VPC:10.44.208.0/20172.16.0.0/16
AWS
Directory
Service
Public VIF
AWS Hardware VPN

105. Working with AWS services – Amazon WorkSpaces
Authentication
Gateway
Active
Directory
corp
servers
Direct Connect
CORP
NET
Users
Data Center
Streaming
Gateway
MFA
WorkSpacesVGW
Session
Gateway
Zero Client
Gateway
B A
Private VIFs
VPC:10.44.208.0/20172.16.0.0/16
AWS
Directory
Service
Public VIF
AWS Hardware VPN

106. VPN over Public VIF

107. Hardware VPN over DX public VIF
CORP
172.16.0.0 /16
dxvif-wwxxyyzz
VLAN 200
IP 54.239.244.57 /31
BGP AS 7224
MD5 Key
Interface gi0/0.200
VLAN 200
IP 54.239.244.56 /31
BGP AS 65001
MD5 Key
Tunnel 1
IP 169.254.169.1 /30
BGP AS 17493
Tunnel 2
IP 169.254.169.5 /30
BGP AS 17493
Tunnel 1
IP 169.254.169.2 /30
BGP AS 65001
Tunnel 2
IP 169.254.169.6 /30
BGP AS 65001

108. Create a DX public VIF
• Using VRFs – virtual routing and forwarding instance
• Create a public VIF on an interface assigned to that VRF
• Isolate the public VIF routes on your router using a VRF
Router
PublicVIF
VRF
Interface
gi0/0/0.551
Interface
gi0/1
54.239.240.240
54.239.240.241

109. Create a DX public VIF

110. AWS public prefixes now in the VRF
Router
PublicVIF
46.51.120.0/18 …
46.51.192.0/20 …
46.137.0.0/17 …
46.137.128.0/18 …
... ... ... ...
VRF
Interface
gi0/0/0.551
Interface
gi0/1
54.239.240.240
54.239.240.241

111. Tunnels using the VRF
• Keyrings and profile need VRF awareness

112. Tunnels using the VRF
• Tunnel interfaces need to use the PublicVIF VRF

113. Build VPN – tunnels using the VRF
Router
PublicVIF
46.51.120.0/18 …
46.51.192.0/20 …
46.137.0.0/17 …
46.137.128.0/18 …
... ... ... ...
VRF
Interface
gi0/0/0.551
Interface
gi0/1
54.239.240.240
54.239.240.241
192.168.51.0/24
192.168.51.254
tun1
tun2
172.31.0.0/16
Routes

114. Build VPN – tunnels using the VRF
Router
PublicVIF
46.51.120.0/18 …
46.51.192.0/20 …
46.137.0.0/17 …
46.137.128.0/18 …
... ... ... ...
VRF
Interface
gi0/0/0.551
Interface
gi0/1
54.239.240.240
192.168.51.0/24
192.168.51.254
tun1
169.254.23.54
tun2
169.254.22.118
172.31.0.0/16
Routes
172.31.0.0 169.254.22.117
172.31.0.0 169.254.23.53
... ... ... ...
BGP
BGP
169.254.23.53
169.254.22.117

115. Build VPN – tunnels using the VRF
Router
PublicVIF
46.51.120.0/18 …
46.51.192.0/20 …
46.137.0.0/17 …
46.137.128.0/18 …
... ... ... ...
VRF
Interface
gi0/0/0.551
Interface
gi0/1
54.239.240.240
192.168.51.0/24
192.168.51.254
172.31.0.0/16
Routes
172.31.0.0 169.254.22.117
172.31.0.0 169.254.23.53
... ... ... ...
169.254.23.53
169.254.22.117
BGP
BGP
tun1
169.254.23.54
tun2
169.254.22.118

116. Related Sessions
• NET201 - Creating Your Virtual Data Center: VPC Fundamentals
and Connectivity Options
• NET305 - Extending Datacenters to the Cloud: Connectivity Options
and Considerations for Hybrid Environments
• NET205 - Future-Proofing the WAN and Simplifying Security On
Your Journey To The Cloud
• NET301 - Cloud Agility and Faster Connectivity with AT&T NetBond
and AWS
• PTS216 - A Look Under the Hood: Check out the AWS Direct
Connect Network Design Powering AWS re:Invent

117. Remember to complete
your evaluations!

118. Thank you!
Steve Seymour, Specialist Solutions Architect
@sseymour