Amazon, Microsoft, and Google would like everyone to move all of their applications and workloads to the public cloud, but we know for a fact that most traditional enterprise companies are not keen on that. They would still choose to run almost all of their applications on premises. At the same time, as we have seen in the past few years, CIOs everywhere want to take a cloud-first approach. Whether that is the best way to go depends on the individual company, and most datacenter admins would not be comfortable moving everything to the cloud. So we need to find the sweet spot where we can keep running some traditional applications on-prem while using public clouds for more of the DevOps or microservices-based applications. There are two AWS services that help users achieve this specific use case.
- AWS VPN: You set up a VPN tunnel between your datacenter and the AWS Cloud using a Virtual Private Gateway (AWS side) and a Customer Gateway (your side). This uses your existing Internet connection and creates a VPN tunnel between the two endpoints for secure communication.
- AWS Direct Connect: Lets you link your on-prem datacenter with the AWS Cloud over a dedicated network connection, without going over the Internet. Having this private, dedicated connection has several benefits:
  - Cost Reduction: A dedicated link saves you the ISP costs of a faster Internet connection, and the data transfer charges for Direct Connect are lower than the charges for a VPN connection over the Internet.
  - Private Connectivity: Direct Connect gives you a private connection from your datacenter directly to the public cloud, so you can treat the resources you are using in the cloud as an extension of your own datacenter. You can get 1G or 10G connectivity if you are in a colocation facility, or sub-1G connectivity if you work with AWS Partners who provide Direct Connect links straight to your own datacenter. We will talk about these options in a little more detail later in this blog.
  - Consistent Performance: A dedicated link almost guarantees the performance you can expect out of the network. You don't have to rely on your ISP being up and running all the time to be able to talk to your resources in the cloud.
Ok, so now let's dig in and look at the architecture of how we can use Direct Connect to plug into AWS directly. There are two scenarios:
Scenario 1: In this scenario, you have all your equipment in a colocation facility like Equinix. All you need to do to get Direct Connect set up is to request a direct link from your router to the AWS Direct Connect router that sits in the same colocation facility. Once your request is received and processed, Equinix (in this example) will run a dedicated cable between your router and the AWS router, thus extending your existing network to the cloud. You can get 1G or 10G links in such scenarios. If you need more than that, you can use Link Aggregation Groups (LAG) to combine a maximum of 4 links into one aggregated bandwidth.
Scenario 2: In this scenario, all your equipment is sitting in your private datacenter and not in a colocation facility. You can work with AWS Direct Connect Partners to provide the Direct Connect link from AWS to your own datacenter. We can still use the architecture diagram above to explain how this is done. The AWS Direct Connect Partner has a router in a colocation facility and a dedicated link between the AWS router and their router. They then extend another dedicated link from their router to your router in your private datacenter. So you still effectively have a dedicated link from your datacenter to the AWS Cloud; the difference is that in this case you share the dedicated link from the AWS router to the Partner router in the colocation facility with the Partner's other customers. If that sharing is a security concern, you can encrypt all your data before sending it over the link. Working with Partners you can get speeds of 50 Mbps, 100 Mbps, 200 Mbps, and up to 500 Mbps in increments of 100 Mbps.
Once you have the Direct Connect link set up by either of the above two methods, you can use 802.1Q VLANs on top of the link to segregate public and private traffic from each other. AWS VPCs do not support any layer 2 traffic, so you create a virtual interface (VIF) for each VLAN that you define on the link to take care of the segregation. An important point to note is that Direct Connect links are not redundant by default. If you need redundancy, you can request a second link that is connected to a second AWS router, making sure that if one link or router goes down you still maintain connectivity to your resources.
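The VLAN-per-VIF segregation and the "not redundant by default" point above are the two things I would check in any Direct Connect design before trusting it. The script below is an added example, not part of the original post or any AWS tooling: it models a layout as plain Python objects (physical connections landing on AWS routers, and one VIF per 802.1Q VLAN on each connection) and flags VLAN tags that are out of range or reused on the same link, plus any VIF target that is reachable through only one AWS router. All connection IDs, VIF IDs, gateway IDs, location codes and router names are constructed placeholders.

```python
"""Sanity checks for an AWS Direct Connect layout.

Added example (not from the original post). It models the structures the post
describes: physical Direct Connect links terminating on AWS routers, and one
802.1Q VLAN / virtual interface (VIF) per public or private traffic class on
each link. All IDs, location codes and router names below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    """One physical Direct Connect link (dedicated or partner-hosted)."""
    connection_id: str
    location: str    # colocation facility code (constructed)
    aws_device: str  # AWS-side router the link lands on (constructed)
    bandwidth: str


@dataclass(frozen=True)
class VirtualInterface:
    """One VIF: an 802.1Q VLAN carrying either private (VPC) or public traffic."""
    vif_id: str
    connection_id: str
    vif_type: str  # "private" or "public"
    vlan: int      # 802.1Q tag
    target: str    # virtual private gateway id for private VIFs; "public" otherwise


def check_vlans(vifs):
    """802.1Q tags must be 1..4094 and unique per physical connection.

    Two VIFs with the same tag on one link would merge traffic that the
    VLANs are meant to keep apart (for example public and private).
    """
    problems = []
    seen = defaultdict(set)
    for v in vifs:
        if not 1 <= v.vlan <= 4094:
            problems.append(f"{v.vif_id}: VLAN {v.vlan} is outside the 802.1Q range 1-4094")
        if v.vlan in seen[v.connection_id]:
            problems.append(f"{v.vif_id}: VLAN {v.vlan} is already used on {v.connection_id}")
        seen[v.connection_id].add(v.vlan)
    return problems


def check_redundancy(connections, vifs):
    """Each VIF target should be reachable over links on at least two AWS routers.

    Direct Connect links are not redundant by default; a target served by a
    single AWS device loses connectivity when that link or router goes down.
    """
    device_of = {c.connection_id: c.aws_device for c in connections}
    routers = defaultdict(set)
    for v in vifs:
        routers[v.target].add(device_of[v.connection_id])
    return [
        f"{target}: served by a single AWS router ({', '.join(sorted(devs))})"
        for target, devs in routers.items()
        if len(devs) < 2
    ]


def audit(connections, vifs):
    """Run all checks and return the list of findings (empty means clean)."""
    return check_vlans(vifs) + check_redundancy(connections, vifs)


# Constructed sample layout: two 1G links into the same colocation facility,
# landing on two different AWS routers.
CONNECTIONS = [
    Connection("dxcon-aaaa1111", "colo-example-1", "aws-dx-router-1", "1Gbps"),
    Connection("dxcon-bbbb2222", "colo-example-1", "aws-dx-router-2", "1Gbps"),
]

# Redundant layout: private and public VIFs on both links, one VLAN per VIF.
# The same VLAN tag may be reused on a different physical link.
GOOD_VIFS = [
    VirtualInterface("dxvif-0001", "dxcon-aaaa1111", "private", 100, "vgw-example"),
    VirtualInterface("dxvif-0002", "dxcon-bbbb2222", "private", 100, "vgw-example"),
    VirtualInterface("dxvif-0003", "dxcon-aaaa1111", "public", 200, "public"),
    VirtualInterface("dxvif-0004", "dxcon-bbbb2222", "public", 200, "public"),
]

# Flawed layout: everything on one link, a reused VLAN tag and an invalid tag.
BAD_VIFS = [
    VirtualInterface("dxvif-0005", "dxcon-aaaa1111", "private", 100, "vgw-example"),
    VirtualInterface("dxvif-0006", "dxcon-aaaa1111", "private", 100, "vgw-other"),
    VirtualInterface("dxvif-0007", "dxcon-aaaa1111", "public", 5000, "public"),
]

if __name__ == "__main__":
    for name, vifs in (("good", GOOD_VIFS), ("bad", BAD_VIFS)):
        findings = audit(CONNECTIONS, vifs)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Feeding it real data would mean mapping the output of the Direct Connect describe calls onto these two dataclasses; the checks themselves do not change. The redundancy check deliberately keys on the AWS-side device rather than on the number of connections, because two links that land on the same router share the same single point of failure.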
Now, let's talk about a possible use case for AWS Direct Connect. It is a well-established fact that data is the most important resource a company has, and that its growth rate can sometimes be exponential. For such use cases, we might want to use a storage offering like NetApp Private Storage (NPS), which enables you to keep all your data 'near the cloud' (in a colocation facility) and then use the consistent bandwidth of the Direct Connect links to reach that storage from the cloud. So you can use the elasticity of Amazon EC2 to spin compute resources up and down as you need them, while always keeping the data on your private storage using NPS. This not only saves you the cost of storing your data in the cloud but also lets you keep complete control of your data, thus keeping it secure. NPS is an awesome technology, and to do it justice I will need to write another blog post. In the meantime, if you are interested in learning more, you can refer to the following links:
And if you want to learn more about AWS Direct Connect, the APN Partners, or the pricing details, you can look at the following links: