Questions tagged with AWS Direct Connect
What are some of the strategies to handle Overlapping IP Ranges
What are some of the strategies to handle Overlapping IP Ranges for various integrations, within AWS as well as while planning hybrid connectivity with on-premises networks using VPN, DX etc. Note: This is a common question asked by AWS customers. Posting it to provide an answer that can benefit everyone.
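Before choosing a strategy for overlapping ranges (renumbering, NAT, isolating an integration in its own VPC), the first practical step is to find out exactly which blocks collide and where free space still exists. The following is an added example, not part of the original question or any answer on this page: it checks a labelled inventory of CIDRs for pairwise overlaps and then searches a candidate supernet for the first block that is still unused. The network names and CIDR values are constructed for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed sample inventory (hypothetical values): VPC CIDRs plus on-prem and
# partner ranges that will be reachable over VPN or Direct Connect.
SAMPLE_NETWORKS = {
    "vpc-prod": "10.0.0.0/16",
    "vpc-dev": "10.1.0.0/16",
    "onprem-dc-a": "10.0.128.0/20",   # sits inside vpc-prod
    "onprem-dc-b": "172.16.0.0/12",
    "partner-net": "10.1.0.0/24",     # sits inside vpc-dev
}


def find_overlaps(networks):
    """Return a list of (name_a, name_b, overlapping_cidr) for every pair that overlaps.

    Two CIDR blocks can only overlap by one containing the other, so the
    overlapping region is always the more specific (longer prefix) block.
    strict=True rejects CIDRs with host bits set, which usually means a typo.
    """
    parsed = {name: ipaddress.ip_network(cidr, strict=True) for name, cidr in networks.items()}
    overlaps = []
    for (name_a, net_a), (name_b, net_b) in combinations(sorted(parsed.items()), 2):
        if net_a.overlaps(net_b):
            inner = net_a if net_a.prefixlen >= net_b.prefixlen else net_b
            overlaps.append((name_a, name_b, str(inner)))
    return overlaps


def first_free_block(candidate_supernet, new_prefix, networks):
    """Return the first /new_prefix subnet of candidate_supernet that overlaps nothing in networks.

    Useful when the fix is to renumber one side: it finds space that is free
    with respect to every range that will ever share a routing domain.
    """
    candidate = ipaddress.ip_network(candidate_supernet, strict=True)
    used = [ipaddress.ip_network(cidr, strict=True) for cidr in networks.values()]
    for subnet in candidate.subnets(new_prefix=new_prefix):
        if not any(subnet.overlaps(u) for u in used):
            return str(subnet)
    return None


if __name__ == "__main__":
    for a, b, cidr in find_overlaps(SAMPLE_NETWORKS):
        print(f"overlap: {a} and {b} share {cidr}")
    print("first free /16 in 10.0.0.0/8:", first_free_block("10.0.0.0/8", 16, SAMPLE_NETWORKS))
```

Run it against the real inventory exported from every account and site before a hybrid link is turned up; an overlap that only shows up once BGP routes are exchanged is much harder to unwind.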
AWS VPN with Private IP address
Good news with this release yesterday, https://aws.amazon.com/about-aws/whats-new/2022/06/aws-site-vpn-introduces-private-ip-security-privacy/ So I wanted to confirm the steps to set this up.
1. Create DXG
2. Create Transit VIF and associate it with the DXG. https://docs.aws.amazon.com/directconnect/latest/UserGuide/create-vif.html#create-transit-vif The ASN can be a private ASN, correct?
3. Create TGW
4. Create VPN attachment https://docs.aws.amazon.com/vpn/latest/s2svpn/create-tgw-vpn-attachment.html
All ASNs can be private. All need to be unique.
enable communication between multiple VPCs from a single VPN connection attached to my transit gateway
We have DEV and Production servers in different AWS accounts, and these accounts' VPCs are connected via Transit Gateway. I want to connect the VPN to the same Transit Gateway so that we don't need to create separate VPNs for the DEV and Production accounts, as AWS doesn't support multiple remote IPv4 network CIDRs in a Site-to-Site VPN. The CIDR range through which both accounts can be reached is of size /16. Since it is a very big CIDR and could overlap with IP addresses in the client's network, they are not allowing it. They are also not accepting a CIDR larger than /30. AWS Support has recommended that we consider using dynamic VPN routing. Does anyone have any idea how we can achieve this configuration without setting up two VPNs?
Network Setup - 2 on-prem locations 1 AWS region
Hi, I would like to know what would be the best possible option in terms of complexity and cost for the scenario below that we are trying to implement for a client. Customer A has all web apps deployed on-prem and has clients that come through a co-located VPN-based network (say ClientNet network) to access those apps. Now all these apps will be deployed in AWS regions (Prod and Non-prod VPCs), so in essence Customer A will now be on AWS and all these clients will need to access these apps on AWS via this ClientNet network. At the same time, there will be some to-and-from communication between the AWS VPCs and Customer A's network for things that will still be hosted on-prem, like Active Directory and other COTS. Can this be achieved without creating 2 separate Direct Connects or 2 separate VPNs? By 2 separate DCs I mean one DC between ClientNet and AWS and one DC between Customer A on-prem and AWS, and the same applies for VPN if we were to replace DC with VPN. Can TGW be used to consolidate this onto just one connection, whether it's DC or VPN, which can be assessed later based on requirements for security and bandwidth?
Encrypted VPN Connectivity from VMC on AWS SDDC to On-Premise DC
Dear Team, I have the following setup requirements between VMware on AWS SDDC and the on-premise DC.
1. Need an encrypted VPN solution between the SDDC and the on-premise DC.
2. Need an encrypted VPN solution between the sidecar VPC and the on-premise DC.
3. We have Direct Connect set up between the DC and AWS.
4. A protected firewall sits behind the edge device in the on-premise DC; encrypted VPN set up over DX needs two sets of public IPs. The firewall sitting behind the edge device needs VPN connectivity, but that firewall cannot be configured with a public IP. The last hop where a public IP can be configured is the edge device on the customer site.
As per my understanding, I can use the public VIF on Direct Connect to set up the encrypted VPN connection between the client edge device and the AWS router. But the problem statement in this case is:
1. How to set up the encrypted VPN solution for both the SDDC and the sidecar VPC? Can we route the traffic from the SDDC to the VTGW to the TGW (of the sidecar account) and then leverage the public VIF to set up an encrypted VPN from the TGW to the customer edge device?
2. Do we need the DX gateway to set up the encrypted VPN connectivity?
3. Encrypted VPN on DX would need two sets of public IPs. What if the customer firewall does not have the option to configure a public IP for the encrypted VPN?
4. Can I use the DX setup in one OU to create the public VIF for another account in a separate OU? This is required because I am looking to create the encrypted VPN connection from two OUs to the DC.
Please advise with your comments or if there is any reference architecture available with VMC/AWS. Many Thanks Rio
Is it possible to set up a BGP password on a S2S VPN connection?
Hi all, I want to set up a S2S VPN connection using dynamic routing between on-prem and the AWS environment. But the on-prem engineers are telling me to set up a BGP password on this VPN on the AWS side. Is it possible to set up a BGP password on the AWS side? I didn't find anything about a BGP password in the S2S VPN documentation, and in the console I also didn't find the field for a BGP password. I know that on a Direct Connect it is possible to set up a BGP password. I'm only asking whether it is possible for a S2S VPN as well? Thank you, Valentin.
Is it better to have a single Direct Connect Gateway or multiple Direct Connect Gateways?
Is it better to have a single Direct Connect Gateway or multiple Direct Connect Gateways? I'm trying to connect multiple VPCs (VPC-A, VPC-B) and multiple data centers (DC-A, DC-B) using Direct Connect Gateway (DCGW). Which of the following configurations is better?
1) VPC-A, VPC-B <-> DCGW <-> DC-A, DC-B
2) VPC-A, VPC-B <-> DCGW-A <-> DC-A; VPC-A, VPC-B <-> DCGW-B <-> DC-B
Connect remote sites using VPN to access on-prem via existing Direct Connect?
Hello, we currently have a Direct Connect Link with a private VIF connecting a few VPCs to our on-prem environment, and it is terminated at a Direct Connect Gateway. We are planning to build some VPN tunnels to connect a few remote sites to one "hub" VPC, so would it be possible for the remote sites to route traffic back to on-prem via the "hub" VPC? Thanks!
Inter-region BGP route failover
I have one global DXGW, with one VIF each in us-east-1, us-east-2, eu-west-1, ap-northeast-1 and eu-central-1. I also have VPCs in each of the regions. I want to engineer the BGP routes in such a way that if us-east-1 is not available, all routes will use us-east-2, and if eu-west-1 is not available, all routes will use eu-central-1. Is it possible to achieve this failover scenario with one global Direct Connect gateway?
us-east-1 = primary, us-east-2 = secondary
eu-west-1 = primary, eu-central-1 = secondary
ap-northeast-1 = primary, us-east-2 = secondary
AWS's Capability in Handling Outbound Routing with Multiple AWS Direct Connect Connections
IHAC is using two AWS Direct Connect connections from different co-locations homing to the same AWS region, and they are wondering how they could use AWS's capability for handling outbound routing. That is, they are expecting to achieve "Active-Active" or "Active-backup (passive)" for our outbound traffic between the two DX connections with a few clicks in the AWS console. According to our document at https://docs.aws.amazon.com/directconnect/latest/UserGuide/routing-and-bgp.html: "If you have multiple AWS Direct Connect connections, you can adjust the load-sharing of inbound traffic by advertising prefixes with similar path attributes". So how?
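The two questions above (inter-region failover through one global DXGW, and active-active versus active-backup across two DX connections into one region) both come down to how AWS picks among several BGP paths to the same on-premises prefix. As an added illustration that is not part of either question or of any answer on this page, the following simulator applies the first three steps of that selection for traffic leaving AWS: longest prefix match, then the Direct Connect local-preference communities (7224:7100 low, 7224:7200 medium, 7224:7300 high, as documented in the routing-and-bgp guide linked above), then AS path length, with equal-cost sharing among whatever remains. The scenario (VIF names, prefixes, ASN 65000) is constructed, the later tie-breakers are omitted, and treating a route that carries no local-preference community as medium is an assumption made here for the simulation.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, List, Iterable

# Direct Connect local-preference communities from the routing-and-bgp user guide.
LOCAL_PREF = {"7224:7100": 100, "7224:7200": 200, "7224:7300": 300}
DEFAULT_LOCAL_PREF = 200  # assumption: a route with no community is ranked as medium


@dataclass(frozen=True)
class Advertisement:
    """One prefix as received by AWS over one VIF (constructed data model)."""
    vif: str
    prefix: str
    as_path: Tuple[int, ...]           # prepending lengthens this tuple
    community: Optional[str] = None     # one of the LOCAL_PREF keys, or None


def local_pref(adv: Advertisement) -> int:
    return LOCAL_PREF.get(adv.community, DEFAULT_LOCAL_PREF)


def best_paths(adverts: Iterable[Advertisement], destination: str) -> List[str]:
    """Return the VIF names that would carry AWS->on-prem traffic for `destination`.

    Simplified DX route selection: longest prefix, then highest local preference,
    then shortest AS path. Several survivors means equal-cost (active-active).
    """
    dst = ipaddress.ip_address(destination)
    matching = [a for a in adverts if dst in ipaddress.ip_network(a.prefix, strict=True)]
    if not matching:
        return []
    longest = max(ipaddress.ip_network(a.prefix).prefixlen for a in matching)
    matching = [a for a in matching if ipaddress.ip_network(a.prefix).prefixlen == longest]
    top_pref = max(local_pref(a) for a in matching)
    matching = [a for a in matching if local_pref(a) == top_pref]
    shortest = min(len(a.as_path) for a in matching)
    return sorted(a.vif for a in matching if len(a.as_path) == shortest)


def select(adverts: Iterable[Advertisement], destination: str, down: Iterable[str] = ()) -> List[str]:
    """Best paths after withdrawing every advertisement learned over a VIF in `down`."""
    down = set(down)
    return best_paths([a for a in adverts if a.vif not in down], destination)


# Constructed scenario. 10.10.0.0/16: same region, two co-locations, active-backup via
# communities. 10.20.0.0/16: two regions behind one DXGW, active-backup via AS path prepend.
ACTIVE_BACKUP = [
    Advertisement("dx-colo-a", "10.10.0.0/16", (65000,), "7224:7300"),
    Advertisement("dx-colo-b", "10.10.0.0/16", (65000,), "7224:7100"),
    Advertisement("vif-us-east-1", "10.20.0.0/16", (65000,)),
    Advertisement("vif-us-east-2", "10.20.0.0/16", (65000, 65000, 65000)),
]

# Same prefix, identical attributes on both VIFs: AWS shares the load (active-active).
ACTIVE_ACTIVE = [
    Advertisement("dx-colo-a", "10.10.0.0/16", (65000,), "7224:7200"),
    Advertisement("dx-colo-b", "10.10.0.0/16", (65000,), "7224:7200"),
]

if __name__ == "__main__":
    print("normal:          ", select(ACTIVE_BACKUP, "10.10.1.1"))
    print("colo-a down:     ", select(ACTIVE_BACKUP, "10.10.1.1", down={"dx-colo-a"}))
    print("active-active:   ", select(ACTIVE_ACTIVE, "10.10.1.1"))
    print("us-east-1 normal:", select(ACTIVE_BACKUP, "10.20.5.5"))
    print("us-east-1 down:  ", select(ACTIVE_BACKUP, "10.20.5.5", down={"vif-us-east-1"}))
```

The practical point the simulation makes: the behaviour is set by what the on-premises routers advertise on each VIF (communities or prepends), not by a toggle in the console, and an active-backup design should be verified by actually withdrawing the primary VIF's routes and watching the secondary take over.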
AWS Direct Connect route limit
Hi there, I am currently planning a network upgrade on an existing Direct Connect from on-prem to an AWS region. Currently we are advertising 50+ prefixes into Transit Gateway through DXG, but I hear that there is a limit on the maximum number of prefixes. Can anyone confirm and advise any workaround, as we keep consolidating our branch network connectivity to use services in the AWS cloud?
Direct Connect Public VIF
Trying to use Direct Connect to copy files from on-prem to an S3 bucket. Looks like this is possible. We have a Direct Connect connection from a provider. I think the next step is to set up a public VIF. I'm not sure what I need to specify in 'your router peer ip' and 'amazon router peer ip'. Where do these details come from? It says they need to be public IP addresses.