What is AWS Direct Connect?
AWS Direct Connect establishes a dedicated private connection from your premises to AWS. Use AWS Direct Connect to build a dedicated network between your physical hardware (for example, a colocation environment or an office) and your AWS resources.
AWS Direct Connect connections use 802.1Q VLANs, the industry standard. The benefit is that a single connection can be divided into multiple private and public virtual interfaces. This means an organization can use one connection to access private resources, such as Amazon EC2 instances in a VPC, as well as public endpoints such as Amazon S3. AWS Direct Connect maintains network separation between the public and private virtual interfaces at all times.
For added networking flexibility, you can edit virtual interfaces at any time.
Benefits of Amazon Web Services Direct Connect
In addition to higher data throughput, AWS Direct Connect can lower your network costs in many use cases. AWS also provides a consistent, high-quality network path that is a better experience than an internet-based connection.
Signing up for the service is simple; it is all done through the AWS Management Console. The Management Console is a single point of access for managing all of your AWS connections and virtual interfaces. Additionally, after you configure at least one virtual interface, router configuration templates for various network equipment are available for download.
AWS Direct Connect provides secure network scaling for every need. It offers 1 Gbps and 10 Gbps connections and makes it easy to provision multiple connections. Additionally, instead of reaching your Amazon VPC over an internet-based VPN connection, you can use AWS Direct Connect. Considering that hardware VPNs often do not support connections faster than 4 Gbps, AWS Direct Connect can significantly improve your connectivity.
Connectivity over the internet can fluctuate, because you do not have full control over the path data takes from end to end.
With AWS Direct Connect, an organization can choose which data is routed which way, so it has more control over the connection. This type of dedicated network offers a more constant flow of data than an internet-based network. Plus, there is no limit on the amount of data you can transfer using AWS Direct Connect.
Compatibility with Amazon Web Services
With AWS Direct Connect, you can connect to your public and private AWS resources in a given AWS Region. In this way, an organization can transfer data to and from AWS while bypassing internet service providers and any potential network instability.
Maintain a dedicated network with Amazon cloud services
As already mentioned, AWS Direct Connect can replace a hardware VPN connection to your Amazon VPC. This type of connection is completely private, and by using multiple virtual interfaces you can link to multiple Amazon VPCs. Complete network isolation is guaranteed.
How to configure AWS Direct Connect
Choose an AWS edge location
To keep network latency minimal, Amazon Web Services are offered through AWS edge locations. A regional endpoint is a URL that serves as the entry point for Amazon Web Services. AWS Direct Connect locations are listed at https://aws.amazon.com/directconnect/details/.
Customers are encouraged to access AWS Direct Connect through an AWS Direct Connect location. By placing your equipment in a designated location, you can use existing network circuits between your data center and an AWS device.
This connection offers port speeds of up to 10 Gbps.
Work with an AWS Partner Network member or a network provider
An alternative is to work with a partner in the AWS Partner Network (APN) or a network provider to connect your on-premises or colocation router to an AWS Direct Connect location.
This connection also provides port speeds of 1 Gbps or higher.
Another option is to hire an APN partner to create a hosted connection for your organization. If you choose this solution, after signing up for an AWS Direct Connect account you must accept the hosted connection and then create a virtual interface.
This type of connection offers port speeds below 1 Gbps and supports only a single virtual interface.
Account, connection and virtual interface
After deciding on an AWS location and connection type, sign in to AWS Direct Connect, create an AWS Direct Connect connection, download the LOA-CFA, and create a virtual interface.
This article walks you through each step.
Log in to AWS
AWS Direct Connect connection request
Create an AWS Direct Connect connection
Use the AWS Direct Connect Management Console to create a connection. Navigate to Connections and choose Create Connection. A new dialog shows the required fields.
After you have created a connection, you should receive a confirmation message like the one in the image below:
The connection is in the "requested" state. AWS Direct Connect staff review your request and then provide you with an authorization letter. Once it is available, you need to download the LOA-CFA and send it to your network provider, who will establish the connection for you.
It may take up to three (3) business days to process the request.
Download the Letter of Authorization and Connecting Facility Assignment (LOA-CFA)
After you submit a connection request, AWS processes it. Amazon may take up to 72 hours to review your request and provide a connection port. Amazon may request additional information by email; respond within seven business days or the connection request will be terminated.
Once the request is accepted, download the Letter of Authorization and Connecting Facility Assignment. In a nutshell, this is Amazon giving you permission to establish and use the connection.
To download the LOA-CFA, log in to your AWS Direct Connect account, go to Connections and select the newly created connection. Choose Actions > Download LOA-CFA.
An optional step is to enter the name of your network provider; it will appear alongside the name of your organization as the LOA-CFA applicant. Download the authorization letter. It downloads as a PDF file.
Requesting a cross connect
After you have downloaded your authorization letter, request a cross connect. If you have equipment at the AWS Direct Connect location, contact your designated provider to establish the cross connect. For example, if you have equipment at phoenixNAP in Phoenix, email [email protected].
For a complete list of AWS Direct Connect providers, see the Amazon AWS documentation.
The cross connect must be established within 90 days after the LOA-CFA is issued. After 90 days, the authorization letter expires. If the LOA-CFA expires, download it again from the AWS Direct Connect console and resubmit it to your network provider.
For speeds below 1 Gbps, you cannot use the AWS console to request a connection. Instead, hire an AWS Direct Connect partner to create a hosted connection for you.
Accept a hosted connection
If an AWS partner creates a hosted connection for you, you only need to accept the connection after creating an AWS account.
Accept the connection to activate it. After activating your connection, the next step is to create a virtual interface.
Once your connection status changes from "requested" to "available", you can create a virtual interface. Virtual interfaces are a prerequisite for using AWS Direct Connect. Note that you can create multiple virtual interfaces on a single AWS Direct Connect connection.
First, you need to know about the two types of virtual interfaces. Public virtual interfaces are used to connect to public AWS resources, and private virtual interfaces are used to connect to your Amazon VPC. If an organization wants to communicate with multiple VPCs, it must use one private virtual interface per VPC.
Before you establish a virtual interface, make sure you have the necessary information. Also note that sub-1 Gbps connections are limited to a single virtual interface.
How to create a public virtual interface
If you are connecting to public AWS resources, perform the following steps.
- Log in to your AWS account at https://console.aws.amazon.com/directconnect/.
- Navigate to Connections, select the connection you want to use and select Actions > Create Virtual Interface.
- Be sure to select Public as the virtual interface type.
- Under Define your new public virtual interface, provide the required information and select Continue.
How to create a private virtual interface
If you are connecting to the phoenixNAP AWS Direct Connect endpoint, you need to configure all virtual interface options except the VLAN (virtual local area network) field. phoenixNAP provides the VLAN number. This number will be between 1 and 4094 and must comply with the 802.1Q Ethernet standard.
To create a private virtual interface, you need a public or private ASN and the ID of the VPC's virtual private gateway (VPG).
To begin creating a private virtual interface:
- Navigate to https://console.aws.amazon.com/directconnect/ and sign in to your AWS account.
- Choose Connections, select the connection to use and select Actions > Create Virtual Interface.
- Select the appropriate virtual interface type; in this case, click Private.
When created, the virtual interface is in the "pending" state.
Direct Connect gateways
Direct Connect gateways group private virtual interfaces and virtual private gateways that belong to a single AWS account. Use a Direct Connect gateway to connect your AWS Direct Connect connection to a VPC in the same or a different Region. It does this by associating the Direct Connect gateway with the VPC's virtual private gateway.
To create a Direct Connect gateway:
- Sign in to your AWS account at https://console.aws.amazon.com/directconnect/.
- Select Direct Connect Gateways > Create Direct Connect Gateway.
- Provide the necessary information.
AWS Direct Connect gateways have certain limitations:
- Multiple VPCs associated with a single Direct Connect gateway cannot communicate directly with each other.
- Multiple virtual interfaces associated with a single Direct Connect gateway cannot communicate directly with each other.
- A virtual interface associated with a Direct Connect gateway and a virtual private gateway associated with that same Direct Connect gateway cannot communicate directly.
- A virtual private gateway can be associated with only one Direct Connect gateway.
- A virtual private gateway associated with a Direct Connect gateway must be attached to a VPC.
- Currently, a Direct Connect gateway cannot be used to connect to a VPC in the China Region.
Create a virtual private gateway in the VPC (AWS configuration)
Create a virtual private gateway and attach it to the VPC that contains the EC2 instance you are trying to reach. To create a VPG and attach it to a VPC:
- Log in to your AWS account and select Virtual Private Gateways > Create Virtual Private Gateway.
- Enter a name for your VPG; this creates a tag with the key Name and the value you entered. If you intend to use the AWS default ASN, leave the default ASN selection unchanged. To enter a value yourself, select Custom ASN and enter a value; it must be between 64512 and 65534 or between 4200000000 and 4294967294.
- Select Create Virtual Private Gateway.
- Select the newly created VPG and click Actions > Attach to VPC.
- Select the desired VPC and click Yes, Attach.
Associate the virtual private gateway with an AWS Direct Connect gateway
Associate the new VPG with the Direct Connect gateway you created earlier. To do this, you must be in the same Region as the virtual private gateway; the same applies when dissociating VPGs. The VPG must be attached to a VPC.
- Sign in to the AWS Direct Connect console at https://console.aws.amazon.com/directconnect/.
- Select the Region where your VPG is located.
- Open the Direct Connect Gateways page and click the desired Direct Connect gateway.
- Click Actions > Associate Virtual Private Gateway.
- Find and select the desired virtual private gateway and select Associate.
To view all virtual private gateways in all Regions that are associated with a single Direct Connect gateway, select Virtual Gateway Associations. This displays a list of existing associations.
Connect a bare metal backend to AWS via Direct Connect
The setup below is an example of how a phoenixNAP client would typically connect their bare metal backend to AWS Direct Connect. It may or may not apply to your use case.
Choose a server from your PNAP inventory to become your router server.
Enable IPv4 and IPv6 forwarding on the chosen router server. Create a new file named /etc/sysctl.d/90-routing-sysctl.conf with the following content:
Load the new sysctl configuration
Run the following command to load the newly created sysctl file:
Download get-pip.py safely.
Check that get-pip.py looks correct. If so, run the following command:
Build FRRouting packages on the router server
To install the necessary packages, run the following command:
Add the frr user and group
Download the FRR source, configure and compile it
This document assumes that you want to build and install FRR from Git rather than use distribution packages.
Create an empty FRR config file
Install the daemon configuration file
To enable the daemons, change no to yes for watchfrr_enable, zebra and bgpd
Install the FRR service
Register system files
Start or restart FRR manually
Edit the /etc/frr/vtysh.conf file
Add the following line to the file:
Edit the /etc/frr/zebra.conf file
Edit the /etc/frr/bgpd.conf file
Restart FRR manually
To restart, run the following:
Telnet allows management of zebra and bgpd via the VTY. To install telnet, run the following:
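The procedure above names the sysctl file, the VLAN the provider assigns and the bgpd.conf to edit, but does not show their contents. As an added example (not the phoenixNAP guide's own script), the following renders the three fragments for review before they are copied to the router server; every ASN, address, VLAN id and BGP key is a constructed placeholder to be replaced with the values shown in the virtual interface details in the AWS Direct Connect console.

```shell
#!/bin/sh
# Added example, not part of the phoenixNAP guide: render the three config
# fragments the router-server procedure needs, so they can be reviewed before
# being copied into place. Every ASN, address, VLAN and key below is a
# constructed placeholder; take the real values from the virtual interface
# details in the AWS Direct Connect console.
set -eu

# Contents for /etc/sysctl.d/90-routing-sysctl.conf: turn the server into a router.
render_sysctl() {
  printf '%s\n' 'net.ipv4.ip_forward = 1' 'net.ipv6.conf.all.forwarding = 1'
}

# 802.1Q subinterface for the VLAN id the provider assigns to the VIF.
# $1 parent NIC, $2 VLAN id (1-4094), $3 customer-side /30 address
render_vlan_cmds() {
  parent=$1; vlan=$2; addr=$3
  printf '%s\n' \
    "ip link add link ${parent} name ${parent}.${vlan} type vlan id ${vlan}" \
    "ip addr add ${addr}/30 dev ${parent}.${vlan}" \
    "ip link set ${parent}.${vlan} up"
}

# /etc/frr/bgpd.conf for one private VIF: one eBGP neighbour, MD5-authenticated,
# with prefix lists so only the backend prefix is announced and only the VPC
# CIDR is accepted. Assumes the backend prefix is already in the kernel RIB,
# which FRR's network import check requires.
# $1 local ASN, $2 Amazon ASN, $3 AWS peer IP, $4 BGP auth key,
# $5 backend prefix to announce, $6 VPC CIDR to accept
render_bgpd_conf() {
  local_asn=$1; aws_asn=$2; peer=$3; key=$4; backend=$5; vpc=$6
  cat <<EOF
router bgp ${local_asn}
 neighbor ${peer} remote-as ${aws_asn}
 neighbor ${peer} password ${key}
 address-family ipv4 unicast
  network ${backend}
  neighbor ${peer} activate
  neighbor ${peer} prefix-list AWS-IN in
  neighbor ${peer} prefix-list AWS-OUT out
 exit-address-family
!
ip prefix-list AWS-IN seq 5 permit ${vpc}
ip prefix-list AWS-OUT seq 5 permit ${backend}
EOF
}
```

Redirect each function's output into the file it is meant for (for example `render_sysctl > /etc/sysctl.d/90-routing-sysctl.conf`) only after checking the rendered text; the VLAN commands are not persistent across reboots and belong in your interface configuration as well.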
Bare metal backend network
On the other machines in your bare metal backend network, you need a route to the router server.
For each server that needs to reach AWS, edit GATEWAY="" in the appropriate backend interface file under /etc/sysconfig/network-scripts/ and set GATEWAY="router_server_ip", where router_server_ip is the IP address of your router server.
Restart the network service after making the changes.
Verify the newly created virtual interface
After successfully establishing a virtual interface to your AWS resources, verify your connection using the following procedures.
Verify the virtual interface connection to the AWS cloud service
Run traceroute to verify that the AWS Direct Connect identifier appears in the network trace.
Use a pingable AMI to verify your virtual interface connection to Amazon VPC
A pingable Linux AMI, such as the Amazon Linux AMI, is a great tool for checking your connection to Amazon VPC. Launch an EC2 instance in the VPC attached to your VPG (virtual private gateway).
You should see Amazon Linux AMIs in the Quick Start tab. Ensure that the security group attached to the instance allows inbound ICMP traffic. Once the EC2 instance is running, get its private IPv4 address (see the instance details). Ping that private IPv4 address and look for a response.
Each Direct Connect connection is a single dedicated link between your premises and an Amazon router. If you need redundancy, it is strongly recommended to establish a second connection.
iptables rules on the servers in your environment remain in effect and can disrupt traffic flows if not managed properly.
Security groups in AWS remain in effect and can disrupt traffic flows if not managed properly.
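Once IP forwarding is enabled, the router server passes whatever reaches it unless its firewall says otherwise, so the iptables caveat above cuts both ways. As an added example (not part of the phoenixNAP guide), the following renders an explicit iptables policy for the router server that forwards only backend-to-VPC traffic over the Direct Connect subinterface, logs what it drops so failures are visible rather than silent, and admits the BGP session only from the AWS peer; interface names, prefixes and the peer address are assumed placeholders.

```shell
#!/bin/sh
# Added example, not part of the phoenixNAP guide. Prints the iptables rules
# for the router server: default-deny FORWARD, allow backend <-> VPC traffic
# over the Direct Connect VLAN subinterface, log everything else, and let the
# BGP session with the AWS peer through INPUT. Interface names, prefixes and
# the peer address are constructed placeholders.
set -eu

# $1 backend interface, $2 DX VLAN subinterface, $3 backend prefix,
# $4 VPC CIDR, $5 AWS BGP peer IP
render_router_rules() {
  lan_if=$1; dx_if=$2; backend=$3; vpc=$4; peer=$5
  cat <<EOF
# forwarded traffic: default deny, only the two expected directions pass
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ${lan_if} -o ${dx_if} -s ${backend} -d ${vpc} -j ACCEPT
iptables -A FORWARD -i ${dx_if} -o ${lan_if} -s ${vpc} -d ${backend} -j ACCEPT
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "dx-fwd-drop: "
# local traffic: keep established flows, accept BGP (TCP/179) from the peer only
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ${dx_if} -p tcp -s ${peer} --dport 179 -j ACCEPT
EOF
}

# Sanity check for a rendered rule set: forwarding must default to DROP.
has_default_deny() {
  printf '%s\n' "$1" | grep -q '^iptables -P FORWARD DROP$'
}
```

Dropped flows then appear in the kernel log with the dx-fwd-drop: prefix, which is the first place to look when a backend host cannot reach the VPC.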