Amazon AWS Certified Advanced Networking Specialty – Virtual Private Networks & IPSec Tunnels Part 6
16. Physical Process for DX Setup – AWS
Hi everyone and welcome back. In today’s video, we will be discussing the physical process that would be involved typically when you go ahead and set up a Direct Connect connection for your organization. Now the process that is involved is different based on the factors. Two factors. First factor is whether you are going directly through the AWS. Or the second factor is you are are going either to the APN partner. So we have already discussed about Direct Connect. We will be revising certain aspects so that the overview becomes very clear for you. So before we begin, let me quickly show you one aspect before we continue with this specific video. So this is the Direct Connect console and within this, if you click on Get started with Direct Connect for the port speed, you have either one Gbps or ten Gbps. Now this connection is through the AWS.
Now in case you want some different configurations, obviously you can connect to one of the partners of AWS for Direct Connection. Now I’ll just select the geographic location as Asia Pacific and within this I’ll select as Mumbai. And these are all the partners that I can team up with to have a Direct connect connection if I do not want to go directly via AWS. So if you go with Direct Connect partner, there are a lot of flexibilities related to the speeds. Because AWS only offers one Gbps or ten Gbps, you can have much more lesser options available through the Direct Connect partners. So with this, let’s begin our video and let’s understand the physical process involved if you go through AWS for Direct Connection, all right, so we’ll understand this with a nice animation that we generally use. So on the left hand side, on the left hand side, you have the AWS.
This can be any region which is closest to your location. And on the right hand side, you have the customer location where you have your servers. Now you want to establish a Direct connect connection from the AWS side to the customer site. Now we have already discussed that in order to avail that AWS provides us with a Direct connect locations. So these Direct Connect locations are nothing but a data centers. And this data center basically contains AWS racks. And these AWS racks contains the Direct Connect routers, which in turn is connected to the remote region. So these data centers, this data center is not owned by AWS. In fact, this is a generic data center. And within the data center, you have a rack space dedicated for AWS which contains the Direct Connect routers. Now, AWS does provide multiple data centers for high availability.
And within each data center, you have multiple Direct connect routers. So in case one fails, you still have the other one where you can fail over it. So these are the two Direct Connect locations. Now what you have on the other side is since this is a data center, you can also have a customer facing side. So this specific rack, it can belong to a customer or it can belong to a partner. So a customer also or a partner also can have their own routers. So this is a customer partner rack. Now, if you will see all of these things, all of these routers belong within the data center itself. And this routers can be interconnected with the help of cross connect that we will be discussing in the upcoming slide.
Now, it might be possible that you do not really have a customer site over here, all the servers are within the data center itself. So if that is the true use case, then you don’t really have to worry about connecting this specific data center to the customer side. If not, if this belongs to a partner or if this belongs to your own organization, but these are just the routers that you have rented, but all the servers belongs to a remote location, then what you have to do is that you have to connect this specific routers with your own customer site. So this is the high level overview on what are the things which are involved. Now let’s begin and look into the individual steps. First, we request a direct connect connection between AWS account and direct connect location.
This is the very first step. Second, AWS will provide you a Loa document which contains the information about the port and the approval to connect to that port. This is very important aspect to understand because let’s assume that this is a router. Now, this router can contain multiple ports. Now which port you want to connect to, because if your customer router wants to connect to the AWS router, it will connect on a certain port. So this Loa document contains the information related to port details and it also contains the approval for your router within the data center to connect to the AWS router. Now, with the Loa document that you receive, you or the partner, whoever you have partnered with, can establish a cross connect between your router port and the AWS port.
Now, one important part to remember that this cross connect is a fiber based on fiber port based on eight two point eleven cube trunk. So if you are wondering what the Loa document looks like, so this is what Loi document looks like. So basically, this is a Cage number. So in case you get a Cage number. So this AWS rack that we have referred to, it is also referred as the AWS Cage. And this Customer rack is also called as the Customer Cage. So just remember that there are multiple terms. So AWS Cage and Customer Cage is something that you can remember because this is what AWS also refers within certain documents. Now, within this column you have the rack. This is a rack ID.
This is a patch panel ID. And this is the strand. So this is rack, patch panel and a port number. We have already discussed this and it connects the direct connection ID. Now, if you look into the cable type, it is a single mode fiber. Remember this term single mode fiber, quite important for us to remember. So this is what the Loa document looks like. You will receive this Loa document generally in the email of the root register. Whatever email is registered at your root account, you will get this email with the Loa document or you can even download it from the console. So once you receive that load document, now you know that which strands or which is the AWS cage, you know the port number, you have the approval. Now you can physically connect the AWS router with your own router with the help of single mode fiber. Very important to understand.
And this is a fiber port based on 82 point eleven trunk. Now, as we have discussed, once you have established the connectivity, so when the entire process is completed, we have a logical connection established where AWS provides a port on a direct connect router. We have already discussed this as part of the Loa document and this port is configured as a 802. 1 Q track. Now, the reason why it’s required is because it has the capability to carry multiple VLANs. So just remember this specific word, eight 2. 1 Q trunk. Quite important to remember for the exams. So coming back, once you have the entire connection established, if you will see, once you have the approval the Loa document, you can physically establish the connectivity.
So this is the call as the cross connect. So cross connect is basically your router or the customer router. I would say partner router is connected with a direct connect router. So this is the connection which is established, this is the single mode fiber and there is also a logical connection which is established from the direct connect router to the AWS region. Now again, this is a fiber and a very high speed fiber. So now once you have this established, then you can go ahead and create multiple logical interface. One can be a public interface and second can be a private interface. And depending upon the public interface and the private interface, direct connect for the public interface it can go through internet and for the private interface it can go through the direct connect fibers. So this is one important part to remember that once the cross connect has established, so once this cross connectivity has established, direct connect logical connection is also established, then you go ahead and create two interfaces, generally public and private.
We have already discussed about those aspects. Now, another important pointer for the exam is that connection between a direct connect router and the customer router is a single mode fiber that we have already discussed. And it needs to be a one Gbps ten base LX or a ten GB base LR. So this is one important pointer that you have to put it inside your mind. Do remember this specific pointer that whatever single mode fiber is it has to conform with a specific requirement which is governed by AWS. So let’s revise the entire steps involved. So first is you select a region in which you want a direct connect connection. Now this specific is definitely customer dependent.
There is no blockers which are involved from the other party. Second is you order the connection either one Gbps or ten Gbps. Again this is customer dependent. Now here we are assuming that you are ordering it from AWS directly. So there are only two options here. Third is you await for AWS to provide you a Loa CFA document. Now this is AWS dependent and it might take up to three days for you to receive this Loa document. So once you receive this Loa document you arrange for a cross connect from your customer port to the AWS direct connect port.
So in order for that to happen you need to provide an Loa definitely because this is required and you also have to get a customer port details what port that you need. Now this is a partner dependent because if this is through a partner, all of these has to be done through the partner. Like you will not be allowed to enter into AWS case and do a physical cross connect. So next is you might have to arrange connectivity between direct connect locations and the customer side.
This is something that we already discussed that if your servers are location on the customer side which is not within the direct connect location, then you have to establish a connectivity between the data center and the customer location. So this again it can be partner dependent and it might take long time. Typically it can take even 90 days. Now, once you have the connectivity definitely next part comes the configuration where you have to do port specific configuration on your site, I would say on the customer specific site.
So there are certain details which AWS recommends like auto negotiation should be of port speed, should be statically defined. So these are the port specific configuration that you do on the customer router side. So this again is the customer dependent and last is interface creation and configuration. So once you have port specific configuration then you can go ahead and do interface specific creation, public interface, private interface and this can be done by configuration directly from AWS when it can be done manually. So again this is customer dependent.
17. Physical Process of DX Setup – Partner
Hey everyone and welcome back. In today’s video we will again discuss about the physical process or physical steps which are involved in setting up the direct connection. However, this time we will understand through the partner side. So, as we have already discussed, there are two ways in which you can get a direct connect connection. One is through the AWS, and second is through the partner. Now, AWS side, the step which are involved if you go through the AWS site is something that we have already discussed in the last video. In today’s video we will be discussing on the partner side. So if you want to get a direct connection from an AWS partner now this is a slide that we have already discussed. Now, on the left hand side you have the AWS cage. On the right hand side you have the partner cage. And between the AWS case, between the direct connect router and between the router on the partner case, there is a cross connect which is established.
Now, one important part to understand this is specifically related to if you are going with direct connect connection through partner is that this specific cross connect is managed by the partner. So you don’t really have any flexibility, you don’t really have any visibility. This entire connectivity is completely managed from the partner side. One very important aspect to understand. So let’s look into some of the important pointers. First, this cross connect is completely managed by the partner and you don’t really have control over it. So this is something that we have just discussed. Second important pointer is that cross connect is between the DX router and the partner and it is shared between all of the customers of the partner. Quite important because since this specific router belongs to partners, it might happen that this single CrossConnect which is between the direct connect and the partner router will be shared between multiple customers. So very important to understand that this line will be shared. It is not for your individual use. Now, third important point is that when you order a direct connect connection through the partner, instead of getting a full direct connection which supports multiple VLANs based on 82. 1 Q trunk, this is not really possible. We are partnered directly is that basically we get a hosted connection. And this hosted connection which we get from the partner side, it supports only one VLAN per hosted connection. So one VLAN is equal to one virtual interface. So since you get only one VLAN, you cannot have multiple virtual interface.
You can either have a private virtual interface or you can have a public virtual interface. Very important to understand. Now, one good thing about going through partner is that you don’t really have to worry much about the Loa CFA document about establishing the connectivity between the direct connect router and the router over here. Now, if you’re going with partner, definitely you will have to establish the connectivity so this specific connectivity side from your Partner router to your customer router needs to be established. So this is still the fact that needs to be done.
Now generally if you go via Partner you will get a hosted connection. So this is the demo hosted connection and in here the VLAN is automatically assigned. So you don’t really have the control of the VLAN assignment. You will have a pre assigned VLAN that you will get and you don’t really have a control over it. And only per hosted connection, only one VLAN is allowed. That means you can only have either public or private interface. Per hosted connection. You can have multiple hosted connection but that will lead to additional charge. So if you see over here, this is a VLAN ID. You have a port speed of 50 pmvps. So this is through the Partner and you have to accept this specific hosted connection from your AWS account. And once you accept it then you go ahead and create either public or private interface depending upon how many hosted connections that you’re.
18. Dual DX Architectures
Hey everyone and welcome back. In today’s video we will be discussing about the dual direct connect architecture. Now, this specific topic is also quite important for the exams. There might be a few questions that you might get based on the topics that we are discussing. So let’s go ahead and discuss more about this specific type of architecture. Now, we have already looked into the this specific architecture diagram in the earlier lectures. So let’s assume that here you have on the first hand side you have four data center and below you have the second data center. Now within the first data center you have the AWS cage where you have multiple AWS router and same goes with the data center too. Now you can establish so when you go ahead and establish a single direct connectivity, then there would be a cross connect between the DX router and the customer router. Now, one important part that you need to understand over here is that if this specific DX router fails, then your direct connection would be broken. So what many customers do is that for resiliency, they generally can have multiple cross connects so that you can have a high availability.
So these are two direct connect connections. You can have the third one and you can even have the fourth one. So depending upon the architecture, depending upon the high availability resiliency that you need, you can have multiple cross connects and multiple direct connections. Now, if you have multiple direct connections, there are certain challenges that you would have to work around with. So let’s discuss about some of them. Now, if you’re going with the dual direct connect architecture, then essentially there would be multiple virtual interfaces as well. Because let’s assume that you just have a single direct connect, this is the single direct connection, then you might have a single private interface. Now if this direct connect connection goes down, so if this connection goes down, then essentially a whip also goes down. So if you’re going with dual so let’s assume that you are going with this dual direct connect architecture. And if this two router goes down, then essentially you have a backup.
So in order for the backup, you also need to have multiple virtual interfaces as well. So two widths across those connections. Now, if you have multiple virtual interfaces, then you can either run them based on Active or Active passive mode. So let’s go ahead and understand on how Active really looks like. So all the credit for this diagram for this screenshot goes to the AWS. So I just like to credit them for these diagrams that we will be posting in the upcoming slides as well.
So within this active scenario. So if you will see over here, I have two connections over here. So these are two direct connect connections, the remote IP. So the remote IP, I mean the IP from to the AWS site is 100 00:16, 100 00:16. So you have two times and the next hop there are two IP addresses, 116 and 254-2549 116 and 254 254 13. So if you’ll see over here there are two different IP addresses which are present over here. Now, if we are going with active then what we can do is we can set the maximum path is equal to two. So basically this would enable the multi path based on BGP. So when you select this maximum path is equal to two, then you will have a screen like M. This basically means that multi path is on. So what multi path is basically signify, it signifies the active connection. So it is like a load balancer where traffic goes through both the sites.
So this is what multi path is all about. Now, this is from the client router side. So once you select or once you enter this maximum path is equal to two. The update also goes to the virtual gateway. So now what virtual gateway will do is once you basically virtual gateway will also get this specific two addresses where you have two different paths. And the algorithm is based on BGP multi path. So it will work based on a multi part approach which is active. So remember that whenever you put some updates, it will be announced via BGP to the virtual gate baser. Now, the second approach is based on active passive where at a time you might want only one link to be up or you want to prioritize your traffic.
So in order for active passive architecture to work, we can work based on priority. Now, priority in BGP can be set with the help of local preference option. So within this, if you will see here that for 106 9254-2549 you have a local preference of 150. So this is the local preference of 150 and for the second of 169-25-4254 dot 13, you have a local preference of 200. So depending upon the local preference and that is basically the priority. Depending upon the priority, the traffic will be sent accordingly. Now, one important part to understand is that even if you are selecting the local preference on the virtual gateway side, it will still work based on BGP multiple.
So it will continue to send traffic across both the connection and this is something that you do not really want to achieve because in the active passive you are having one as primary and one as secondary. So you want everything to come to this primary only unless and until the primary goes down. So since in this kind of approach, the virtual gateway will still send to both the active, the primary as well as the passive one. So this is something that you do not want. So what you can do is there is an approach of as path prepending. So what happens in as path prepending is that you make the virtual gateway believe that one path is longer than the other. So in order to understand that, if you will see where you are prepending by two, and on the second route, you are prepending by one.
So on the first IP, you are prepending by two, and on the second IP, you are prepending by one. So what virtual gateway route will look like on the first path, it it will look something similar to this. So you have 65001, 650-016-5001 and I, and on the second path, you have 650-016-5001 and I, and you can have based on shortest path.
So now virtual gateway will work based on shortest path, and it will automatically send that traffic to the location where you have the shortest path, which is the second one. So this is how you can prevent in such a way that virtual gateway will think that this is the longer path and it will not send the traffic there. So definitely, since the first row is the longer path, this is the passive connection, and the second row is the active connection, and the virtual gateway will be sending the traffic to this specific active connection. So this is what the AES prepending is all about.
Interesting posts
The Growing Demand for IT Certifications in the Fintech Industry
The fintech industry is experiencing an unprecedented boom, driven by the relentless pace of technological innovation and the increasing integration of financial services with digital platforms. As the lines between finance and technology blur, the need for highly skilled professionals who can navigate both worlds is greater than ever. One of the most effective ways… Read More »
CompTIA Security+ vs. CEH: Entry-Level Cybersecurity Certifications Compared
In today’s digital world, cybersecurity is no longer just a technical concern; it’s a critical business priority. With cyber threats evolving rapidly, organizations of all sizes are seeking skilled professionals to protect their digital assets. For those looking to break into the cybersecurity field, earning a certification is a great way to validate your skills… Read More »
The Evolving Role of ITIL: What’s New in ITIL 4 Managing Professional Transition Exam?
If you’ve been in the IT service management (ITSM) world for a while, you’ve probably heard of ITIL – the framework that’s been guiding IT professionals in delivering high-quality services for decades. The Information Technology Infrastructure Library (ITIL) has evolved significantly over the years, and its latest iteration, ITIL 4, marks a substantial shift in… Read More »
SASE and Zero Trust: How New Security Architectures are Shaping Cisco’s CyberOps Certification
As cybersecurity threats become increasingly sophisticated and pervasive, traditional security models are proving inadequate for today’s complex digital environments. To address these challenges, modern security frameworks such as SASE (Secure Access Service Edge) and Zero Trust are revolutionizing how organizations protect their networks and data. Recognizing the shift towards these advanced security architectures, Cisco has… Read More »
CompTIA’s CASP+ (CAS-004) Gets Tougher: What’s New in Advanced Security Practitioner Certification?
The cybersecurity landscape is constantly evolving, and with it, the certifications that validate the expertise of security professionals must adapt to address new challenges and technologies. CompTIA’s CASP+ (CompTIA Advanced Security Practitioner) certification has long been a hallmark of advanced knowledge in cybersecurity, distinguishing those who are capable of designing, implementing, and managing enterprise-level security… Read More »
Azure DevOps Engineer Expert Certification: What’s Changed in the New AZ-400 Exam Blueprint?
The cloud landscape is evolving at a breakneck pace, and with it, the certifications that validate an IT professional’s skills. One such certification is the Microsoft Certified: DevOps Engineer Expert, which is validated through the AZ-400 exam. This exam has undergone significant changes to reflect the latest trends, tools, and methodologies in the DevOps world.… Read More »