AWS: DIRECT CONNECT GATEWAY AND ENDPOINTS

AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS.

DIRECT CONNECT GATEWAY

Limitations

The VPCs to which you connect through a Direct Connect gateway cannot have overlapping CIDR blocks.

You cannot create a public virtual interface to a Direct Connect gateway.

A Direct Connect gateway supports communication between attached private virtual interfaces and associated virtual private gateways only.

The following traffic flows are not supported:

Direct communication between the VPCs that are associated with the Direct Connect gateway.

Direct communication between the virtual interfaces that are attached to the Direct Connect gateway.

Direct communication between a virtual interface attached to a Direct Connect gateway and a VPN connection on a virtual private gateway that's associated with the same Direct Connect gateway.

You cannot associate a virtual private gateway with more than one Direct Connect gateway, and you cannot attach a private virtual interface to more than one Direct Connect gateway.

A virtual private gateway that you associate with a Direct Connect gateway must be attached to a VPC.

AWS Direct Connect Limits

VPC ENDPOINTS:

Without VPC endpoints, EC2 instances and applications in a VPC must reach AWS services over the internet (through an internet gateway), a VPN connection, a NAT gateway, or a public IP address.

With VPC endpoints, EC2 instances and applications get higher-performance and more secure connectivity: they connect to AWS services from their private IP addresses, without going over the internet (IGW), VPN connections, NAT gateways, or public IP addresses.

A VPC endpoint lets EC2 instances and applications connect privately from the VPC to supported AWS services and to VPC endpoint services powered by AWS PrivateLink, without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.

Hence, with VPC endpoints, instances in the VPC do not need public IP addresses to communicate with resources in the target service.

Traffic between the VPC and the other services does not leave the AWS network.

There are two types of VPC endpoints: Interface endpoints and gateway endpoints.

Each service is accessed through one of the two endpoint types, and you cannot change that type.

Endpoints are virtual devices. They are horizontally scaled, redundant, and highly available VPC components.

They allow communication between instances in the VPC and services without imposing availability risks or bandwidth constraints on network traffic.

GATEWAY ENDPOINTS

A gateway endpoint is a gateway that you specify as the target for a route in your route table.

It is used for traffic destined to a supported AWS service. The following AWS services are supported.

  • DynamoDB

An endpoint policy can be attached to the endpoint to control which principals can use it and what actions they are permitted to perform on the service reached through the gateway.

Endpoints are supported within the same region only.
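As an added example (not code from the original post), the following Python compares the full-access policy a gateway endpoint starts with against a scoped DynamoDB endpoint policy, and includes a small check that flags an unrestricted Allow statement; the account id and table ARN are constructed placeholders.

```python
import json

# Constructed placeholder identifiers; not values from the original post.
ACCOUNT_ID = "111122223333"
ORDERS_TABLE_ARN = f"arn:aws:dynamodb:us-east-1:{ACCOUNT_ID}:table/orders"

# The full-access policy a gateway endpoint starts with: any principal, any action, any table.
DEFAULT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}],
}

# A scoped replacement: read-only actions on one table, only for principals in our account.
# An endpoint policy can only narrow what IAM already allows; it never grants extra access.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadOrdersTableFromThisAccountOnly",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query"],
        "Resource": ORDERS_TABLE_ARN,
        "Condition": {"StringEquals": {"aws:PrincipalAccount": ACCOUNT_ID}},
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _any_principal(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def find_wildcard_statements(policy):
    """Return Sids (or Statement[i]) of Allow statements that let any principal perform any
    action on any resource with no Condition, i.e. the default full-access grant."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        if (_any_principal(st.get("Principal"))
                and "*" in _as_list(st.get("Action", []))
                and "*" in _as_list(st.get("Resource", []))):
            findings.append(st.get("Sid", f"Statement[{i}]"))
    return findings

def policy_document(policy):
    """Serialize the policy as the JSON document handed to the endpoint (e.g. via the CLI)."""
    return json.dumps(policy, indent=2)
```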

VPC INTERFACE ENDPOINTS

An Interface endpoint is an ENI with a private IP address that serves as an entry point for traffic destined to a supported service.

AWS will create an ENI per subnet you specify.

An interface endpoint is not highly available on its own; you need to create it in multiple subnets across multiple AZs.

It allows connections to services that are powered by AWS PrivateLink.

These services include:

  • Services hosted by other AWS customers and partners in their own VPCs.
  • Supported AWS Marketplace partner services.

The owner of the service is the service provider and you, as the principal creating the interface endpoint, are the service consumer.

Interface endpoints rely on DNS resolution and are not based on route table entries.

Multiple DNS endpoints (URLs) are returned.

Examples of supported services:

  • CloudFormation
  • CloudWatch
  • EC2 API
  • KMS
  • Kinesis Data Streams
  • ELB
  • SNS
  • Endpoints hosted by other AWS Services
  • Systems Manager
  • STS
  • CodeBuild
  • AWS Config
  • Service Catalog
  • Secrets Manager

INTERFACE VPC ENDPOINTS PRIVATE DNS

Instead of using the interface endpoint's own specific DNS hostnames to access a service, and to avoid changing your applications, you can enable the private DNS feature.

It associates a private hosted zone with your VPC.

  • This lets you use the service's default DNS hostname instead of the endpoint-specific DNS hostnames to make requests to the service.
  • This way, applications in the VPC that were configured to use the service's default DNS hostnames can keep using them and are routed to the interface endpoint.

IPV6 and the INTERNET GATEWAY

As with IPv4, an instance in a public subnet can reach the internet gateway if it has an IPv6 address.

Clients on the Internet can initiate a connection to such an instance as well.

IPv6 addresses are globally unique, which means every IPv6 address is a public IP address.

EGRESS ONLY INTERNET GATEWAY (IPV6)

To prevent hosts on the internet from initiating traffic to your IPv6-addressed instances, while still allowing the instances to initiate traffic to the internet:

  • Create an egress-only internet gateway in the VPC.
  • Add a route to the respective route table directing all IPv6 traffic destined for the internet to the egress-only internet gateway.
  • Any internet-bound IPv6 traffic in the subnet is then routed to the egress-only internet gateway.

The egress-only internet gateway is stateful:

  • It forwards traffic from the instances to the internet and then sends the responses back to the instances.

An egress-only internet gateway has the following characteristics:

A security group cannot be associated with an egress-only internet gateway.

VPC FLOW LOGS

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC.

Flow logs can help you with a number of tasks:

  • For example, you can use flow logs as a security tool to monitor the traffic that is reaching your instances.

You can create a flow log for a VPC, a subnet or a network interface.

Flow log data for a monitored network interface is recorded as flow log records, which are log events consisting of fields that describe the traffic flow.

Flow log data can be published to Amazon CloudWatch Logs and Amazon S3.

To create a flow log, you specify:

  • The type of traffic to capture, and
  • The destinations to which you want to publish the flow log data.

CloudWatch Logs charges apply when using flow logs, whether you send them to CloudWatch Logs or to Amazon S3.

After you have created a flow log, it can take several minutes to begin collecting and publishing data.
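An added example, not part of the original post: a parser for the default (version 2) flow log record format, with two simple defensive checks run over constructed sample records (placeholder account and ENI ids, documentation IP ranges, and an assumed VPC CIDR of 10.0.0.0/16).

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Field order of the default (version 2) VPC Flow Log record format.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport", "dstport",
          "protocol", "packets", "bytes", "start", "end", "action", "log_status")
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed sample records (placeholder account/ENI ids, documentation IP ranges); the last
# line is a NODATA record, which carries '-' in place of the traffic fields.
SAMPLE = """\
2 111122223333 eni-0a1b2c3d4e5f6a7b8 10.0.1.10 10.0.2.20 51234 443 6 12 3400 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.2.20 40001 22 6 1 60 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.2.20 40002 23 6 1 60 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.2.20 40003 3389 6 1 60 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 203.0.113.9 10.0.2.20 44444 22 6 8 900 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000060 - NODATA
"""

def parse_record(line):
    """Parse one space-separated default-format record; '-' (NODATA/SKIPDATA) becomes None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = {}
    for name, raw in zip(FIELDS, parts):
        rec[name] = None if raw == "-" else (int(raw) if name in INT_FIELDS else raw)
    return rec

def load_records(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]

def rejected_sources(records, threshold):
    """Sources with at least `threshold` REJECTed flows (a cheap probe / port-scan indicator)."""
    counts = Counter(r["srcaddr"] for r in records if r["action"] == "REJECT")
    return {src: n for src, n in counts.items() if n >= threshold}

def accepted_admin_from_outside(records, vpc_cidr, admin_ports=(22, 3389)):
    """ACCEPTed TCP flows to admin ports whose source lies outside the VPC's own CIDR."""
    vpc = ip_network(vpc_cidr)
    hits = []
    for r in records:
        if r["action"] != "ACCEPT" or r["protocol"] != 6 or r["dstport"] not in admin_ports:
            continue
        if ip_address(r["srcaddr"]) not in vpc:
            hits.append((r["srcaddr"], r["dstaddr"], r["dstport"]))
    return hits
```

The same functions work on records pulled from CloudWatch Logs or S3 as long as the flow log was created with the default format.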

VPC DHCP OPTION SETS

You can use an on-premises DNS server for your AWS VPC environment.

But you cannot use Route53 as the DNS for your on-premises infrastructure.

The Dynamic Host Configuration Protocol (DHCP) provides a standard for passing configuration information to hosts on a TCP/IP network.

The options field of a DHCP message contains the configuration parameters.

Some of those parameters are the domain name, domain name server, and the NetBIOS node type.

You can configure DHCP options sets for your Virtual Private Cloud (VPC).

After you create a set of DHCP options, you can’t modify them.

  • You can also set up your VPC to use no DHCP options at all.

You can have multiple sets of DHCP options, but you can associate only one set of DHCP options with a VPC at a time.

After you associate a new set of DHCP options with a VPC, any existing instances and all new instances that you launch in the VPC use these options.

These are the main functions of a VPC. In my next blog, I will start my discussion on EC2, which is one of the primary services of AWS.

Bharathi Batthula