\nAmazon #AWS Tips and Gotchas \u2013 Part 1<\/a><\/p>\n
For more posts in this series, see here: If you have gone out and bought a shiny new Direct Connect to your AWS platform, you might reasonably assume that all of the users and applications on your MPLS will automatically start using this for accessing S3 content and other AWS endpoints. Unfortunately, this is not so simple!<\/p>\n At a high level, here is a diagram showing the two primary Direct Connect configurations<\/a>, Public and Private:<\/p>\n A key point to note about Direct Connect is that it supports multiple VIFs per 1Gbps or 10Gbps link:<\/p>\n The question therefore becomes, what is the cost-effective and simple solution to access service endpoints (such as S3 in the examples below), when you also want to access your private resources in your own VPCs?<\/p>\n This is not always a straight forward answer if you are on a tight budget.<\/p>\n As I understand it, the S3 endpoint acts very much like VPC peering, only it is from your VPC to S3, and is therefore subject to similar restrictions. Specifically, the S3 endpoint documentation<\/a> has a very key statement:<\/p>\n \u201cEndpoint connections cannot be extended out of a VPC. Resources on the other side of a VPN connection, a VPC peering connection, an AWS Direct Connect connection, or a ClassicLink connection in your VPC cannot use the endpoint to communicate with resources in the endpoint service\u201d<\/em>.<\/p>\n Basically this means for every VPC you want to communicate with directly from your MPLS, you need another VIF, and hence another connection from your service provider. If you want to access S3 services and other AWS public endpoints directly, you will also need an additional connection dedicated to that. This assumes your requirements are not enough to justify buying a 1Gbps \/ 10Gbps pipe for your sole use, and are using a partner to deliver it. If you can buy 1Gbps or above then you can subdivide your pipe into multiple VIFs for little \/ no extra cost.<\/p>\n Here are four example \/ potential solutions for different use cases, but they are definitely NOT<\/em> all recommended or supported.<\/p>\n As this scales to many accounts, many VPCs and many VIFs, things also start to get a bit complex when it comes to routing (especially if you want many or all of the VPCs in question to be able to route to eachother), and I will cover that in the next post.<\/p>\n Until then…<\/p>\n Amazon AWS Tips and Gotchas \u2013 Part 5 \u2013 Managing Multiple VPCs<\/a><\/p><\/blockquote>\n
\nIndex of AWS Tips and Gotchas<\/a><\/p>\nTips and Gotchas \u2013 Part 4<\/b><\/span><\/h5>\n
10. VPC Private \/ Public Access Considerations<\/strong><\/h6>\n
![\"AWS](\"http:\/\/tekhead.it\/wp-uploads\/www.tekhead.org\/2016\/02\/aws1.png\")
<\/a>More Info on Direct Connect here:
\n AWS Direct Connect by Camil Samaha<\/a><\/p>\n![\"aws2\"](\"http:\/\/tekhead.it\/wp-uploads\/www.tekhead.org\/2016\/02\/aws2.png\")
<\/a>If you are not a giant enterprise and don’t need this kind of bandwidth, you can buy single VIFs from your preferred network provider, but you will pay for it on a per-VIF basis and as such multiple VPCs Direct Connect access to public endpoints will bump up your costs a bit.<\/p>\nAccessing S3 via your Direct Connect<\/strong><\/h6>\n
\n
\nThis may come as a surprise to people, as you would expect to buy a connection and access any AWS service.![\"AWS](\"http:\/\/tekhead.it\/wp-uploads\/www.tekhead.org\/2016\/02\/aws3.png\")
<\/a><\/li>\n<\/ul>\n\n
\nThis is a bit like having a private internet connection, so accessing VPCs etc securely would still require you run an IPsec VPN over the top of your \u201cpublic\u201d connection. This will work fine and will mean you can maximise the utilisation of the bandwidth on your direct connect, reduce your Direct Connect costs by sharing one between all VPCs. This is OK, but frankly not brilliant as you are ultimately still depending on VPNs to secure your data. If you want very secure, private access to your VPCs, you should really just spend the money! \ud83d\ude42![\"AWS](\"http:\/\/tekhead.it\/wp-uploads\/www.tekhead.org\/2016\/02\/aws4.png\")
<\/a><\/li>\n
\nIt is worth specifically noting that although technically possible<\/em>, this method would be strictly against all support and recommendations from AWS<\/em><\/strong>! S3 Endpoints and VPC peers are for accessing content from your VPCs<\/em>, they are NOT<\/em> meant to be transitive<\/a>.![\"AWS](\"http:\/\/tekhead.it\/wp-uploads\/www.tekhead.org\/2016\/02\/aws5.png\")
<\/a><\/li>\n<\/ul>\n\n
![\"AWS](\"http:\/\/tekhead.it\/wp-uploads\/www.tekhead.org\/2016\/02\/aws6.png\")
<\/a><\/li>\n<\/ul>\n![\"AWS](\"http:\/\/tekhead.it\/wp-uploads\/www.tekhead.org\/2016\/02\/networking1-288x300.jpg\")
<\/a>Find\u00a0more posts in this series here:
\nhttp:\/\/www.tekhead.org\/tag\/awsgotchas\/<\/a><\/p>\n