Setting up AWS Direct Connect gateway to route DX traffic to any AWS Region
Direct Connect Senior Product Managers Madhura Kale and Erik Klavon contributed to this post.
AWS Direct Connect (DX) has been a popular method for businesses to connect to AWS services, giving users a secure and reliable connection to an AWS Region. There are more than 100 DX locations available globally across major cities. However, you might find yourself connected to a DX location home-associated with one specific AWS Region. By setting up your DX connection with Direct Connect gateway, it is possible to route your DX traffic to any Region (except China).
Direct Connect gateway is a globally available resource. You can create your DX gateway in any Region and access it from all other Regions. The traffic will reach the designated Region using the shortest path on AWS global infrastructure, therefore bypassing the default DX “home-associated” Region restrictions.
DX gateway is a free feature that adds functionality to your deployment without introducing latency, making it a recommended component for all DX deployments.
Direct Connect gateway overview
Using Direct Connect gateway, you attach a private virtual interface (VIF) from your DX location and associate the gateway with the virtual private gateway (VGW) in your designated Region; your DX traffic is then routed to that Region over the shortest path, without passing through the home-associated Region. You can add more inter-Region connections to the same DX gateway for a resilient multi-Region deployment.
The following diagram shows an example network architecture in which the DX location (iAdvantage Mega-i, Hong Kong SAR) has a home-associated Region (Singapore ap-southeast-1) that differs from the closest Region (Hong Kong ap-east-1).
This network architecture also applies to DX locations where a new AWS Region was recently launched (for example, Stockholm, Hong Kong), as well as DX locations without a Region in the same country (for example, Vienna, Milano, Madrid, Dubai, Taipei). You are free to choose any AWS Region regardless of your DX location.
The following steps focus on the DX gateway only. Make sure your DX connection is ready to use. DX gateway works with both types of DX connection, dedicated and hosted. You also need to create the virtual private gateway that is attached to the VPC in your designated Region.
Creating a DX gateway
Open the Direct Connect console, choose Direct Connect Gateway, Create Direct Connect gateway. Provide a name and an AS number for this gateway. After filling in the information, choose Create Direct Connect gateway again.
Create a private virtual interface for a DX gateway
1. Select your newly created gateway and create a virtual interface for it. Choose Create virtual interface.
2. Choose Private virtual interface and give this virtual interface a name. Under Connection, select the DX connection that you previously set up. In this example, I select the one in iAdvantage Mega-i. Note that you can attach up to 30 virtual interfaces.
3. Under Gateway type, select the Direct Connect gateway that you created earlier. Supply the VLAN and BGP ASN.
Associate the virtual private gateway of the destination Region
Return to the Direct Connect Gateway page, and choose Gateway Association, Associate Gateway.
Select the virtual private gateway and choose Associate Gateway. You can see the virtual private gateways, as well as the transit gateways, across all Regions. In this example, I chose the virtual private gateway in Hong Kong ap-east-1.
To follow the architectural diagram earlier in this post, I also associate an additional virtual private gateway in Tokyo ap-northeast-1. Each association takes 2–3 minutes. Note that you can attach up to 10 virtual private gateways.
Testing the connection
After creating your DX gateway, configure your router to peer with it. Under VPC Route Table, turn on Route Propagation.
Finally, to test the connection, a ping test is conducted from the router inside the customer cage, within the DX location (iAdvantage Mega-i, Hong Kong SAR) to an EC2 instance in the destination Region (Hong Kong ap-east-1).
root@HK-MEGAI> ping 192.168.20.2 source 100.100.100.1 rapid count 999
PING 192.168.20.2 (192.168.20.2): 56 data bytes
---192.168.20.2 ping statistics ---
999 packets transmitted, 999 packets received, 0% packet loss
round-trip min/avg/max/stddev= 1.204/1.308/10.970/0.601 ms
With the DX location and the AWS Region in the same city, the ping shows an average of around 1 ms. This shows that the DX traffic is taking the shortest path instead of going through the home-associated Region.
A second ping test, for the other designated Region (Tokyo ap-northeast-1), shows the following:
root@HK-MEGAI> ping 192.168.30.2 source 100.100.100.1 rapid count 999
PING 192.168.30.2 (192.168.30.2): 56 data bytes
---192.168.30.2 ping statistics ---
999 packets transmitted, 999 packets received, 0% packet loss
round-trip min/avg/max/stddev= 46.892/47.652/48.132/0.421 ms
This ping shows an average of around 48 ms, again indicating that the traffic is taking a direct route to the designated Region.
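The console steps above and the ping check, as an added example that is not code from the AWS post: the same workflow driven from the AWS CLI, with every resource id a placeholder (assumption), AWS_DEFAULT_REGION assumed to be the DX connection's home Region, and two shell helpers that read the Junos-style ping summaries shown above.

```shell
#!/usr/bin/env bash
# Added example, not code from the AWS post: create the DX gateway, create a private VIF bound
# to it, associate VGWs in other Regions, enable route propagation, and read ping summaries.
# Every id below is a placeholder; AWS_DEFAULT_REGION is assumed to be the connection's home Region.
set -eu
DX_CONN_ID="${DX_CONN_ID:-dxcon-PLACEHOLDER}"   # existing dedicated or hosted connection
VLAN="${VLAN:-101}"                             # VLAN tag for the private VIF
CUSTOMER_ASN="${CUSTOMER_ASN:-65001}"           # BGP ASN of the on-premises router
# region:vgw:route-table triples, one per destination VPC (here ap-east-1 and ap-northeast-1)
VGWS="${VGWS:-ap-east-1:vgw-PLACEHOLDER1:rtb-PLACEHOLDER1 ap-northeast-1:vgw-PLACEHOLDER2:rtb-PLACEHOLDER2}"

create_dxgw() {   # prints the new gateway id; 64512 is a private Amazon-side ASN
  aws directconnect create-direct-connect-gateway \
    --direct-connect-gateway-name dxgw-multi-region --amazon-side-asn 64512 \
    --query 'directConnectGateway.directConnectGatewayId' --output text
}

create_private_vif() {   # $1 = DX gateway id; the VIF attaches to the gateway, not to a VGW
  aws directconnect create-private-virtual-interface --connection-id "$DX_CONN_ID" \
    --new-private-virtual-interface \
    "virtualInterfaceName=vif-to-dxgw,vlan=$VLAN,asn=$CUSTOMER_ASN,directConnectGatewayId=$1" \
    --query 'virtualInterfaceId' --output text
}

wait_associated() {   # $1 = DX gateway id, $2 = VGW id; an association takes a few minutes
  until [ "$(aws directconnect describe-direct-connect-gateway-associations \
      --direct-connect-gateway-id "$1" --associated-gateway-id "$2" \
      --query 'directConnectGatewayAssociations[0].associationState' --output text)" = associated ]
  do sleep 15; done
}

associate_vgws() {   # $1 = DX gateway id; VGWs may live in any Region, the gateway is global
  for entry in $VGWS; do
    region=${entry%%:*}; rest=${entry#*:}; vgw=${rest%%:*}; rtb=${rest#*:}
    aws directconnect create-direct-connect-gateway-association \
      --direct-connect-gateway-id "$1" --gateway-id "$vgw" >/dev/null
    wait_associated "$1" "$vgw"
    # route propagation is per VPC route table, so it is enabled in the VGW's own Region
    aws ec2 enable-vgw-route-propagation --region "$region" --route-table-id "$rtb" --gateway-id "$vgw"
  done
}

# Pure-shell checks for the ping test: take the avg RTT from a summary line of the form
# "round-trip min/avg/max/stddev= 1.204/1.308/10.970/0.601 ms" and compare it with a ceiling.
ping_avg_ms() { s="${1#*= }"; s="${s#*/}"; printf '%s\n' "${s%%/*}"; }
route_is_short_path() { awk -v a="$1" -v c="$2" 'BEGIN { exit !(a + 0 < c + 0) }'; }
if [ "${1:-}" = run ]; then   # only talks to AWS when invoked as: ./dxgw.sh run
  gw=$(create_dxgw); vif=$(create_private_vif "$gw"); associate_vgws "$gw"
  echo "gateway $gw, vif $vif, associations ready"
fi
```

A same-city DX location should pass `route_is_short_path` with a ceiling of a few milliseconds, while the remote Region's RTT will not, which is the distinction the two ping runs above illustrate.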
By setting up Direct Connect gateway, you can route DX traffic to connect to any Region, regardless of your DX location.
Lastly, DX gateway is designed with east-west traffic in mind, and some traffic paths aren’t allowed: private virtual interface to private virtual interface, one virtual private gateway to another virtual private gateway, and private virtual interface to VPN.
Despite these limitations, DX gateway is a great tool for achieving a multi-Region, resilient hybrid network connection. We look forward to your feedback here, on social media, or in the AWS forums.
About the Author
Matthew Chan is an AWS Platform Business Development Manager based in Hong Kong. He enjoys working with partners and customers and is passionate about networking and cloud computing. Prior to joining AWS, Matthew was an experienced business developer with experience in various types of network technologies, including software-defined networking, SD-WAN, service provider, and enterprise networks.