Not sure how many Direct Connects you need, where or how to design them? You’re in the right place.

Most people who have a bit of experience with AWS have probably heard the term Direct Connect: those super low latency, high bandwidth, private connections to AWS. Sounds so simple, but it's far from it. Working with a lot of different customers, I have seen the good, the bad and the ugly Architectures of Direct Connects – so hopefully this will help if you're not sure where to get started.

Firstly, do you need Direct Connects? If you don't need super-low latency connections, you're okay with traversing the internet (obviously, encrypted) and 1.25Gbps is enough for you – go with IPsec Tunnels instead (if you need more than 1.25Gbps, you can technically run multiple tunnels to a Transit Gateway and use ECMP to scale). It's going to be cheaper, and much less faff.

If you do need Direct Connects, you'll need to first figure out where you want to jump into the AWS Network, because you won't be able to terminate into their Data Centers. You'll need to meet the AWS Backbone at a Meet-Me Location (a.k.a. Co-Location). Choose a Meet-Me Location that is closest to your Data Centers. Why? You should jump on the AWS Backbone as near as possible to your Data Centers, as the AWS Backbone is probably a lot faster than leased lines/your first-mile network. You can find the full list of locations here: https://aws.amazon.com/directconnect/locations/. Within the Meet-Me Location, there is a customer cage with your device where your first mile terminates, an AWS cage with their router connecting to the AWS Backbone, and a cross-connect is performed by the Network Provider of the Meet-Me Location via an allocated port on the router.

How many Direct Connects and Co-Locations do I need? That's the million pound question: it depends on how critical high-availability is to you and how much money you're willing to spend. Let's take a look at a few examples.

Example 1 – Single Non-Redundant Architecture:

In this Architecture, there are multiple single points of failure. An issue could occur in the router within your DC, in the first-mile network, in the customer router within the Meet-Me Location, in the AWS Router, etc. This type of Architecture is not recommended for Production workloads. AWS provide a 95% SLA for this type of Architecture.

Example 2 – Single Redundant Architecture:

This Architecture improves on the availability, at the cost of doubling your network costs. But there are still some single points of failure: for example, what if the entire Meet-Me Location suffered a catastrophic event such as a fire? That could cause the entire location to be unavailable, so generally I don't recommend this type of Architecture.

Example 3 – Multi-Site Non-Redundant Architecture:

Now we're getting somewhere. Multiple customer DCs, each able to re-route via the other in case of a router issue; separate first-mile networks; and separate Meet-Me Locations to cope with a Co-Lo failure. AWS provide a 99.9% SLA for this type of Architecture.

Example 4 – Multi-Site Redundant Architecture:

Now this, this is maximum redundancy. Multiple Customer DCs with multiple Routers, multiple Co-Locations with redundant Routers. If you have an outage with this type of Architecture, then it's pure bad luck. AWS offer a 99.99% SLA for this Architecture.
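The four examples above are really a single-point-of-failure exercise: which one component, or which one whole site (a DC, a carrier, a Meet-Me Location), can take the path to AWS down on its own? The script below is an added example, not something from the original post or from AWS. It models each of the four Architectures as a small graph of constructed component names (`dc1/router-a`, `carrier1/circuit-a`, `colo1/cust-router-a`, and so on; the part before the `/` is the failure domain), then removes every component and every site in turn and checks whether the customer core can still reach the AWS backbone. All node names are assumptions chosen for illustration; the SLA figures in the post are not modelled.

```python
"""Single-point-of-failure analysis for the four Direct Connect Architectures.

Added example, not from the original post. Each component is a node named
"site/component"; the site prefix is the failure domain used to simulate a
whole-site event such as the Meet-Me Location fire mentioned in Example 2.
"""
from collections import deque

CORE, AWS = "customer/core", "aws/backbone"   # endpoints, never treated as SPOFs


def _chain(*nodes):
    """Turn a list of nodes into the consecutive edges of one path."""
    return [(nodes[i], nodes[i + 1]) for i in range(len(nodes) - 1)]


def _path(dc, carrier, colo, suffix):
    """One end-to-end path: DC router -> first mile -> co-lo routers -> AWS."""
    return _chain(CORE, f"{dc}/router-{suffix}", f"{carrier}/circuit-{suffix}",
                  f"{colo}/cust-router-{suffix}", f"{colo}/aws-router-{suffix}", AWS)


# Constructed topologies matching Examples 1 to 4 of the post.
TOPOLOGIES = {
    "ex1_single_non_redundant": _path("dc1", "carrier1", "colo1", "a"),
    "ex2_single_redundant": (_path("dc1", "carrier1", "colo1", "a")
                             + _path("dc1", "carrier2", "colo1", "b")),
    "ex3_multi_site_non_redundant": (_path("dc1", "carrier1", "colo1", "a")
                                     + _path("dc2", "carrier2", "colo2", "a")
                                     + [("dc1/router-a", "dc2/router-a")]),  # inter-DC link
    "ex4_multi_site_redundant": (_path("dc1", "carrier1", "colo1", "a")
                                 + _path("dc1", "carrier3", "colo1", "b")
                                 + _path("dc2", "carrier2", "colo2", "a")
                                 + _path("dc2", "carrier4", "colo2", "b")
                                 + [("dc1/router-a", "dc2/router-a"),
                                    ("dc1/router-b", "dc2/router-b")]),
}


def build_graph(edges):
    """Undirected adjacency map from an edge list."""
    graph = {}
    for a, b in edges:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def is_connected(graph, src, dst, removed):
    """Breadth-first search from src to dst, skipping the removed nodes."""
    if src in removed or dst in removed:
        return False
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in graph[node]:
            if nxt not in removed and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def single_points_of_failure(edges):
    """Return the components and the whole sites whose loss alone cuts CORE off from AWS."""
    graph = build_graph(edges)
    components = sorted(n for n in graph if n not in (CORE, AWS))
    sites = sorted({n.split("/")[0] for n in components})
    spof_components = [c for c in components
                       if not is_connected(graph, CORE, AWS, {c})]
    spof_sites = [s for s in sites
                  if not is_connected(graph, CORE, AWS,
                                      {n for n in components if n.startswith(s + "/")})]
    return {"components": spof_components, "sites": spof_sites}


if __name__ == "__main__":
    for name, edges in TOPOLOGIES.items():
        result = single_points_of_failure(edges)
        print(f"{name}: component SPOFs={result['components']} site SPOFs={result['sites']}")
```

Running it shows the progression the post describes: Example 1 reports every device and the carrier as a single point of failure, Example 2 clears the per-device SPOFs but still flags the single DC and the single Meet-Me Location as site-level SPOFs, and Examples 3 and 4 report none. Extending the `TOPOLOGIES` dictionary with your own node names is a quick way to sanity-check a proposed design before ordering circuits.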


Direct Connects come in a couple of flavours, Hosted and Dedicated.

  • Hosted Direct Connects are a virtual circuit to a port that’s already connected to AWS. It’s a shared port, so other customers will also have virtual circuits running through that port. They’re really quick to provision and can be up within a matter of minutes. These connections are normally less than 10Gbps and have a 1:1 relationship with VIFs.
  • Dedicated is a physical connection that allows you to run multiple virtual circuits. You can get these in 1Gbps, 10Gbps and, in some Co-Locations, 100Gbps. These do take a bit of time to provision (normally weeks, sometimes months), and you will need to request a Letter-of-Authority Connecting-Facility-Assignment (LOA-CFA) from AWS, which basically just tells the Network Partner that they're allowed to perform a cross-connect between your dedicated port and the AWS Network Edge.