AWS DirectConnetc

Question 1

What DirectConnect speeds have we available to us?

Answer 1

1Gbps or 10Gbps

Question 2

What is the physical connection required when connecting with public service endpoint?

Answer 2

You need single mode fibre

Question 3

I do not need a 1Gps connection what can I do to save con cost?

Answer 3

You can use a sub-1Gbps sub connection n through a partner.

Question 4

I do not need a 1Gps connection what can I do to save on cost?

Answer 4

You can use a sub-1Gbps sub connection n through a partner.

Question 5

Why is directly connect more consistent with better latency?

Answer 5

Because when you go over the internet your packets are sent to multiple routers before getting toAWS, this causes latency and inconsistency as different packets pass through different routers

Question 6

I need to transfer large data set, what are my bets option VPN or Directconnect and why?

Answer 6

Direct connect, data transferred over direct connect is billed by AWS at a lower rate.

Question 7

I have to transfer a large amount of data next weekend, which is my best option?

Answer 7

Several VPN tunnels as it takes time to set up a direct connect so DC is not suitable.

Question 8

What is a VIF and what type of VIF do we have?

Answer 8

We have public and private VIFS, public VIFS enable you to talk with the service in the AWS layer like SQS. Private VIFS enable you to talk with your VPC.

Question 9

My org as a public service endpoint near us-east-1 and a public VIF in the us-east-1 region, I want to access SQS and S3 in as-south-1, what do I need to do to access these services through my existing direct connect?

Answer 9

Nothing, you will be able to use your existing direct connect and public VIF, traffic will flow to AWS and then over the private AWS network.

Question 10

One or my regulatory policies require that all data in transit is encrypted, I am using direct connect and a public VIF to access data in s3, am I meeting the regulation requirement?

Answer 10

Yes as the traffic is to s3 is encrypted at the sockets level using TLS, but if the traffic was to a private VIF, them no as the traffic is not encrypted.

Question 11

One or my regulatory policies require that all data in transit is encrypted, I am using direct connect and a private VIF to access data in my VPC, am I meeting the regulation requirement?

Answer 11

No, dat over direct connect is not encrypted, you would need to ensure that the service you connect to in your VPC is encrypting the dat in transit, if not then you have to find a way to encrypt it.

Question 12

Can I use a Public VIF to access the internet form on-prem?

Answer 12

No, they only allow access to the public-facing services on the AWS network.

Question 13

I am creating a private VIF in us-east-1 and want to connect it to a VPC us-west1, what options do I have?

Answer 13

You can not connect a private VIF in one region to a VPC in another region.

Question 14

I have a requirement that all traffic that is in transit is encrypted, should I be concerned for DirectConnect and how can I fix it if needed?

Answer 14

Yes, DirectConetc is not encrypted, but you can use the AWS VPN over DirectConnetc. This is done by creating a public VIF as this connects you with the AWS Public Zone (Network), the AWS VPN has its IP’s in this zone so you can then establish a VPN connection.

Question 15

I need to create an encrypted connection for all my traffic over DirectConnetc, how cna this be done using AWS service only?

Answer 15

You create a public VIF to access the AWS Public Zone where the public IP#s for the AWS VPN service exists, you then establish a VPN connection using AWS VPN service.

Question 16

What is a private VIF?

Answer 16

It enables you to access one VPC in a single region.

Question 17

How cna I connect to my VPC?

Answer 17

You can use a single private VIF.

Question 18

Are private VIFs one to one connection with the VPC?

Answer 18

Yes, you can only connect to a single VPC.

Question 19

What is the DirectConnect GW?

Answer 19

It is a global resource that enables you to connect a DirectConnect on-prem private VLAN to the DirectConnect GW, you can then connect the DirectConnect GW to any VPC in a region with a VPG.

Question 20

I have 5 VPC’s in the seperate region and I would like to connect all 5 VPC using my single DurectConetc, can I just create 5 VIF’s to the single DirectConect? If not possible what options do I have?

Answer 20

No, VIFs are a one to one relationship, they only connect a single on-prem VLAN with a VPC. A better option is to use the DirectConnect GW, this enables you to connect an on-prem V

Question 21

Is DirectConnect GW transitive?

Answer 21

No, you can not have traffic flow over the DirectConect GW to a VPC and then onto another VPC.

Question 22

How many VPCs can you connect to the DirectConnect GW?

Answer 22

10, you then have to create another DirectConenct GW.

Question 23

What is a good backup for direct connect?

Answer 23

An AWS VPN.

Question 24

What is VGW?

Answer 24

It is a virtual private gateway used as part fo direct connect, you can think of it as a logical distributed router sitting on the edge of your VPC. It cna terminate both IPSEC VPN and DirectConnect.

Question 25

I have VGW, what cna I terminate with it?

Answer 25

Both IPSEC VPN and DirectConentc.

Question 26

Is DirectConect redundant?

Answer 26

Yes, there is a multipal connection to the DirectConetc location and two routers providing the uplink to your routers.

Question 27

What advantages has direct connect over VPN?

Answer 27

DirectConenct transits over private infrastructure, latency is lowe and consistency is better, you also gte an SLA on service.

Question 28

What are the DirectConetc connection points called?

Answer 28

DX Locations

Question 29

In a DX Location, what do you need to establish a connection?

Answer 29

You need a router that will be cross-connected. The souter has to have
- SingleMode Fiber
-

Question 30

What do you need from AWS to establish a DirectConnect cross-connect?

Answer 30

You need the letter of authorisation. (LOA)

Question 31

I need to establish a DirectConnect that can be used to access S3 and DynamoDB form on-prem, how is this done?

Answer 31

We create a

Question 32

Can I use a private VIF to access resources in other regions?

Answer 32

Yes, 100%, you used to not be able and were tied to a single region but this is not the case any more.

Question 33

If you want to connect a VPN to on-prem over a DirectConnect, how can we set this up?

Answer 33

Create a VLAN to use on our DX Location router.
Create a PrivateVIF
Connect PrivateVIF to VPNGW

Question 34

When should I choose DirectConnect over VPN? Why?

Answer 34

When you need better throughput and latency. Because the VPN connection is over the internet and each packet sent is over multiple hops and because of ot contention and other factors packet consistency is not as good as DirectConenct.

Question 35

What speeds can you have for DirectConect?

Answer 35

1 and 10 GB

Question 36

How do you order DirectConect?

Answer 36

You order Direct Connect by deciding on what region you want the DirectConection in, the DirectConnect location is where you make the cross-link between you routers and AWS. You will have two routers in this location and you request a letter of authorisation and a cCFA to all the cross-connect to you routers form the AWS routers. You router mus have BGP and 8021Q. You will set up a VLAN and public or private VIF. The cross-connect needs to be single-mode fibre and a 100 base LX, and 10GBLR for 10Gbit. And the router needs MDS Auth. The VIF is assigned to a VGP in the VPC, the VGP is the same VGP as we would be using for VPN, we only get one VGP in a VPC.

Question 37

I currently am using large outgoing amounts of traffic from 17 VPN for bandwidth to my on-prem, how can I reduce cost and why?

Answer 37

You can opt to use DirectConnect as the cost of the DirectConenct is much lower than data exiting over the internet.

Question 38

I need to transfer 10TB of data to my on-prem and I currently have a VPN, I need to do it this week, so I am going to order a direct connect, is this a valid option?

Answer 38

No, DirectConnect takes several weeks to order and set up.

Question 39

Can I use a public VIF to connect to S3 in a different region?

Answer 39

Yes, you used to only be able to connect to services in the same region, but now you can connect to services in different regions over the public AWS network space.

Question 40

What is a Direct Connect GW used for?

Answer 40

You can create a Direct Connect GW and associated many one or private VIF’s, you also can associate the Direct Connect GW with VGP in any region. This enables one private VIF to be used to connect to may VPCs in any region.

Question 41

My organization has a policy that all external connection is encrypted, Is DirectConnect encrypted by default? how can you work around this?

Answer 41

No, it is not encrypted, but you can create a public VIF and use it with the VPN.

Question 42

I am using the Direct Connect GW with 2 VPC’s, can VPC a + B talk to each other?

Answer 42

No, the Direct Connect GW is not transitive, meaning the vPC’s can talk to on-prem but not to each other.

Question 43

Are you charged to the ports used at the direct connect location?

Answer 43

You are charged per hr.

Question 44

How are the routes advertised?

Answer 44

Over BGP.

Question 45

How are the routes advertised?

Answer 45

Over BGP, not static routes available.

Question 46

Are VPN BGP routes prefered over DirectConect BGP routes?

Answer 46

No, DirectConnect (DX) BGP routes are prefered.

Question 47

What is a good backup for DirectConenct?

Answer 47

A dynamic VPN

Question 48

Will static roots be prefered over dynamic?

Answer 48

Yes

Question 49

How can you make DirectConenct highly available?

Answer 49

Create a DirectConnect to another location in another region.

Question 50

I have to pass large quantities of data between on-prem and aws S3, should i use (1 Direct connect (2 VPN (3 Internet and why?

Answer 50

You should use Direct Connect (DX),

• Better latency and consistency
• Depending on ISP cost for internet DX could be lower cost.

Question 51

I need to transfer data this week to S3, should I (1 Setup direct connect (2 use VPN?

Answer 51

Setup VPN, yes VPN. This is because it takes more than a week to set up DX, so your only option is a VPN.

Question 52

When you create a DX, are you creating it more than a single region?

Answer 52

No, just a single region

Question 53

With a public VIF can I access public AWS service in any region?

Answer 53

Yes, 100%, you used not be able and were restricted but today you can access any AWS service in any region with a public VIF.

Question 54

How does AWS advertise it public service IP’s over DX?

Answer 54

Using BGP

Question 55

Can you create a private VIF in us-east-1 and use it to transit to a VPC in us-west-1?

Answer 55

No, you can not go from one region to another

Question 56

What is the name of where you would put your router?

Answer 56

Co-location facility

Question 57

What is in the co-location facility?

Answer 57

two routers two on your side and two on the aws side, there are cross-connected using single-mode fibre.

Question 58

Are connections over DX encrypted?

Answer 58

No

Question 59

What is the direct connect gateway?

Answer 59

It is a global service then enables you to create a way to connect to VPGs for your VPC’s in different regions.

Question 60

If i am using direct connect gateway and I have it connected to VPG’s with two VPC’s and each VPC is in a separate region, can I talk form region 1 to region two?

Answer 60

No, the direct connected gateway is not transitive and you can not talk form VPC to VPC, in same or separate regions.

Question 61

Direct connect is good for 1g and 10g, how can I order lowers speeds?

Answer 61

You can be ordered from any APN partners supporting AWS Direct Connect. Speeds of 50Mbps, 100Mbps, 200Mbps, 300Mbps, 400Mbps, and 500Mb

Question 62

How can i use DC to connect to multiple regions with VPC’s?

Answer 62

Here we have to consider the following options,

• Transit GW enables you to connect to multiple regions
• Direct connect GW enables you to alos connect to multiple regions but is not as flexible as transit GW.
• Directly connect with private VIF VPG enables you to only connect to a single region

Question 63

What are you charged for in Direct connect?

Answer 63

Dedicated: Port charge per hour
Hosted (3rd party): Port charge
Data in: zero (0)
Data out: you pay depending on location (about 0.02pGB)

Question 64

What is more cost-effective to transfer data out of AWS (1) internet (2) direct connect.

Answer 64

Direct has a lower cost for data out compared to the internet.

Question 65

What is prefered (1) BGP routes (2) Static routes

Answer 65

BGP

Question 66

Which is prefered (1) Static routes (2) Dynamic routes

Answer 66

(1) Static

Question 67

On the VPC side, how is DX terminated?

Answer 67

VPG

Question 68

What is a meet-me location?

Answer 68

It is the same as co-location and is where you have you routers to cross patch to AWS routers

Question 69

What is LOA and CFA?

Answer 69

Letter of authorization, it is generated by AWS and is given to the co-location to make the cross-connect.

Question 70

Where can I see DX stats like light levels?

Answer 70

In the cloudwatch console.

Question 71

What is a VIF?

Answer 71

It is a logical interface (Q VLAN TAGS) across the physical interface.

Question 72

What is a VIF?

Answer 72

It is a Q tagged logical interface to a VPC

Question 73

I need to connect from on-prem to dynamoDB using a private interface, what are by options?

Answer 73

Direct connect using a private VIF

Question 74

What is a hosted connection?

Answer 74

It is a sub 1g direct connect to AWS provided by an AWS partner.

Question 75

I need 20BiB connection to AWS, how cna I do this?

Answer 75

Use LAG at the co-location this means two 10GB cross-connects are used.

Question 76

Are Jumbo frames supported?

Answer 76

Yes 100% (9001 MTU)

Question 77

How many VIFs can I have on a physical interface?

Answer 77

50

Question 78

Can you mix public and private VIFs on the same =physical interface?

Answer 78

Yes 100%

Question 79

Can you assign VIF from one account to another?

Answer 79

Yes, the VIF is hosted in a master account and shared with another account if needed. (but Transit GW is prob a better choice today.)