DX Flashcards
What does private vif do?
A private virtual interface between the customer and AWS over a DX connection. It only connects to the private IPs in 1 VPC.
Do private vifs have encryption?
No. But you can layer on your own encryption, such as HTTPS.
Creating private vif
- Pick the DX
- Choose VGW or DX gateway
- BGP ASN of the on-premises side
- VLAN for this vif
Maximum number of IP prefixes (CIDR blocks) AWS allows per private VIF
- You can only advertise 100 prefixes via BGP to AWS. The VIF becomes non-functional and goes idle past this limit. Hard limit.
What is a VLAN in DX?
Within 1 physical cable you might want network isolation. For example, different departments might share the same cable but need to be isolated from each other; VLANs let you create separate virtual interfaces on that one cable.
What is BGP for in DX?
DX uses BGP as the default way to advertise which routes each side knows about. BGP also exchanges route info dynamically by default, so even if routes in your systems change, you don't have to worry about the other party not knowing about it.
What is public VIF for and what is it not for?
For accessing public services (SNS, SQS, S3). Not for accessing private services (VPC).
How many regions per public vif?
All regions can be accessed with 1 public VIF, unlike a private VIF, which requires 1 per region.
How to decide between public or private vif?
If I want to access the AWS public zone, then public. If a private VPC, then private.
VPN or MACsec for encrypting DX?
VPN is faster to spin up and more widely available, but it becomes a bottleneck because of CPU overhead. Side note: a common pattern is to use VPN while DX is getting set up, then keep VPN as a backup to DX.
What's the point of DX Gateway, and what's the alternative if we don't have DX Gateway?
No gateway, then you're stuck with the limitations of public and private VIFs.
DX Gateway lets all private VPCs connect to the same device; on prem has to create private VIFs (1 VIF per gateway; yes, we can have multiple gateways) that terminate at the DX Gateway. This solves the problem of 1 private VIF per region. The catch is that VPCs connected to the same gateway can't talk to each other; traffic can only go between on prem and AWS.
How can we use Transit Gateway and DX together?
TGW is regional: it can do a hub-and-spoke architecture, but only for VPCs within the region.
1. Create many regional TGWs
2. Connect them using TGW peering
3. Set up a DX Gateway to talk to the TGWs. The VIF used for this is called a transit VIF
Can a DX gateway be associated with VPCs via private VIFs and with TGWs via transit VIFs at the same time?
No
The same business has 2 on-prem locations and wants them to talk using DX Gateway
Can't. Use Transit Gateway: set up 2 DX Gateways, one for each on-prem location, then use TGW as a hub. You can't use the same DXGW for both on-prem sites to connect and talk to each other, because DXGW is a free service and it would end up costing AWS money to allow that traffic for free.
What's a DX location?
A data centre where AWS meets you in between for DX.
DX Link Aggregation Group
Aggregating multiple physical connections into one. This increases the bandwidth of 1 connection. Only cables with the same speed can be linked, and up to 4 can be linked.
Use case: when the max cable speed provided is not fast enough, provision multiple cables and link them.