AWS GovCloud (US)
User Guide

Setting Up AWS Direct Connect with an Optional Hardware VPN

There are two steps to setting up your AWS Direct Connect connection using a VPN for the AWS GovCloud (US) region.

  • The first step is to set up your AWS Direct Connect public virtual interface.

  • (Optional) The second step is to set up your VPN to run on top of your AWS Direct Connect public virtual interface.

AWS Direct Connect with an Optional Hardware VPN Worksheet

The first task for your integration team is to use the worksheet in this section to determine the value for each item. The worksheet lists every value you need to set up your AWS Direct Connect connection and, optionally, the VPN on top of it. You can use the example values listed under Comments where they are given, or substitute real values; for all other items you must obtain real values.

Note

You can print the worksheet and fill in the values you plan to use under Your value for each item.

Step 1: Setting up your AWS Direct Connect public virtual interface

  Item: VLAN
  How used: Separates your network traffic on the AWS Direct Connect virtual interface. An 802.1Q tag in the range 1 to 4094 (0 and 4095 are reserved).
  Comments: Example: any unused number between 1 and 4094.
  Your value:

  Item: Interface IP Block
  How used: Two IP addresses, one for each end of the AWS Direct Connect connection.
  Comments: A unique, public CIDR for your interface IP addresses is required. It must not overlap another CIDR announced via AWS Direct Connect.
  Your value:

  Item: Autonomous System Number (ASN)
  How used: Your unique network identifier used in the AWS Direct Connect Border Gateway Protocol (BGP) session.
  Comments: Use an existing ASN assigned to your network. If you don't have one, you can use a private ASN (in the 64512–65534 range). For more information about ASNs, go to the Wikipedia article.
  Your value:

  Item: BGP Key
  How used: The shared secret (MD5) that authenticates the BGP session with AWS.
  Comments: This is created in the AWS Direct Connect console when you create your public virtual interface. You receive your BGP key when you download your router configuration in step 1.7.
  Your value:

  Item: Prefixes
  How used: List of public IP prefixes to advertise to Amazon over the public virtual interface.
  Comments: At least one network advertisement is required to activate the public virtual interface connection.
  Your value:

(Optional) Step 2: Setting up your hardware VPN

  Item: VPC CIDR block
  How used: Used in the customer gateway configuration.
  Comments: Example: 10.0.0.0/16
  Your value:

  Item: Subnet #1 CIDR block (can be the same as the VPC's CIDR block)
  Comments: Example: 10.0.1.0/24
  Your value:

  Item: (Optional) Subnet #2 CIDR block
  Comments: Example: 10.0.2.0/24
  Your value:

  Item: (Optional) Subnet #N CIDR block
  Your value:

  Item: Customer gateway type (for example, Cisco ISR, Juniper J-Series, or Juniper SSG)
  How used: Used in an API call to specify the format of the returned information that you use to configure the customer gateway.
  Your value:

  Item: Internet-routable IP address of the customer gateway's external interface
  How used: Used in the customer gateway configuration (it's referred to as YOUR_UPLINK_ADDRESS).
  Comments: The value must be static and can't be behind a device performing network address translation (NAT).
  Your value:

  Item: (Optional) Border Gateway Protocol (BGP) Autonomous System Number (ASN) of the customer gateway
  How used: Used in the customer gateway configuration for devices that use BGP (it's referred to as YOUR_BGP_ASN). NOTE: This is not the same as the AWS Direct Connect BGP ASN you defined in step 1.
  Comments: Use an existing ASN assigned to your network. If you don't have one, you can use a private ASN (in the 64512–65534 range). For more information about ASNs, go to the Wikipedia article.
  Your value:

Step 1: Setting Up Your AWS Direct Connect Public Virtual Interface

Step 1.1: Sign Up for AWS GovCloud (US)

To use AWS Direct Connect for the AWS GovCloud (US) region, you must have an AWS GovCloud (US) account. If you don't have an account, see Signing Up for AWS GovCloud (US) for more information.

Step 1.2: Submit AWS Direct Connect Connection Request

Submit a connection request by signing in to the standard AWS Direct Connect console using your standard AWS credentials. You cannot use your AWS GovCloud (US) account credentials to sign in to the standard AWS Management Console. To make the request, you'll need to provide the following information:

  • Access to the email account associated with the standard AWS account where we will send AWS Direct Connect information.

  • The AWS Direct Connect location through which you want to connect to your AWS GovCloud (US) resources. For a list of AWS Direct Connect locations, see Requesting Cross Connects at AWS Direct Connect Locations.

    Work with a partner in the AWS Partner Network (APN) to help you establish network circuits between an AWS Direct Connect location and your data center, office, or colocation environment, or to provide colocation space within the same facility as the AWS Direct Connect location. For the list of AWS Direct Connect partners who belong to the APN, go to http://aws.amazon.com/directconnect/partners.

  • The port speed you require, either 1 Gbps or 10 Gbps.

    AWS Direct Connect supports two port speeds: 1 Gbps: 1000BASE-LX (1310nm) over single-mode fiber and 10 Gbps: 10GBASE-LR (1310nm) over single-mode fiber. Select a port speed compatible with your existing network.

If you do not have access to the standard AWS Management Console, but you do have access to the AWS GovCloud (US) region, contact us to set up AWS Direct Connect.

To create a new AWS Direct Connect public virtual interface

  1. Open the AWS Direct Connect console at https://console.aws.amazon.com/directconnect/.

  2. Select a US region (US East or either of the US West regions) where you want to connect to AWS Direct Connect.

  3. On the Welcome to AWS Direct Connect screen, click Get Started with Direct Connect.

  4. In the Create a Connection dialog box, do the following:

    1. In the Connection Name field, type a name for the connection.

    2. In the Location list, select the appropriate AWS Direct Connect location in the US.

      Note

      If you don't have equipment at an AWS Direct Connect location, click contact one of our partners. In your email, indicate the AWS Direct Connect location that you want to use and that it will be connected to the AWS GovCloud (US) region.

    3. Select the appropriate port speed, and then click Create.

      Your connection is listed on the Connections pane of the AWS Direct Connect console.

Step 1.3: Complete the Cross Connect

AWS will send you an email within 72 hours with a Letter of Authorization and Connecting Facility Assignment (LOA-CFA). This email is sent to the email address that is associated with the standard AWS account that is used for billing, not the AWS GovCloud (US) account. After you receive the LOA-CFA, follow these steps to establish the dedicated connection:

  1. Contact the colocation provider to request a cross-network connection. This is frequently referred to as a cross connect.

    • You must be a customer of the colocation provider, and you must present them with the LOA-CFA that authorizes the connection to the AWS router.

    • The contact process can vary for each colocation provider. For more information about each AWS Direct Connect location, see Requesting Cross Connects at AWS Direct Connect Locations in the AWS Direct Connect User Guide.

  2. Give the colocation provider the necessary information to connect to your network. The diagram in Setting Up an AWS GovCloud (US) AWS Direct Connect Connection shows various placement options. You should verify that your equipment meets the specifications set out in the AWS Direct Connect Requirements section.

Step 1.4: Configure Redundant Connections with AWS Direct Connect

To provide for failover, we recommend that you request and configure two dedicated connections to AWS as shown in the following figure. These connections can terminate on one or two routers in your network.

Different configuration choices are available when you provision two dedicated connections:

  • Active/Active (BGP multipath). Network traffic is load balanced across both connections. If one connection becomes unavailable, all traffic is routed through the other. This is the default configuration.

  • Active/Passive (failover). One connection is handling traffic, and the other is on standby. If the active connection becomes unavailable, all traffic is routed through the passive connection.

How you configure the connections doesn't affect redundancy, but it does affect the policies that determine how your data is routed over both connections. We recommend that you configure both connections as active.

Step 1.5: Test the Physical Connection

After your partner completes the installation of the cross-network connection, your router should indicate that the link is active. After the connection is activated, continue to Step 1.6: Create a Public Virtual Interface.

Step 1.6: Create a Public Virtual Interface

The next step is to provision your public virtual interface. Each public virtual interface must be tagged with a customer-provided VLAN that complies with the Ethernet 802.1Q standard. This tag is required for any traffic traversing the AWS Direct Connect connection. To begin using your public virtual interface, you will need to advertise at least one prefix using BGP, up to a maximum of 100 prefixes. If you require more prefixes, open a new case in Support Center. The case must include your AWS Direct Connect connection ID, which you can find in the AWS Direct Connect console. Your AWS Direct Connect connection ID is in the format dxcon-xxxx. For more information about support, see Signing Up for AWS GovCloud (US) Customer Support.

We advertise appropriate Amazon prefixes to you so you can reach AWS GovCloud (US) resources. You can access all Amazon Web Services prefixes in US regions through this connection, such as Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3), and Amazon.com. You do not have access to non-Amazon prefixes or prefixes outside of AWS US regions. For the current list of IP prefixes advertised on AWS Direct Connect public connections, see the list in the AWS Direct Connect Discussion Forum.

To provision a public virtual interface connection to the AWS GovCloud (US) region

After you have configured your AWS Direct Connect connection, you can create a public virtual interface that you’ll use to connect to AWS GovCloud (US). Before you begin, you will need the following information:

  • A new, unused VLAN tag that you select.

  • A public or private Border Gateway Protocol (BGP) Autonomous System Number (ASN). If you are using a public ASN, you must own it. If you are using a private ASN, it must be in the 64512–65534 range.

  • A unique, public CIDR for your interface IP addresses that does not overlap another CIDR announced via AWS Direct Connect.

  • A unique, public CIDR range to announce via AWS Direct Connect that does not overlap another CIDR announced via AWS Direct Connect, unless the overlapping announcement is on your redundant AWS Direct Connect connection.

  • Whether this connection will be paired with another connection and the pairing model for the connections, either active/passive (failover) or active/active (BGP multipath). The default pairing model is active/active.

  1. Verify that the VLAN is not already in use on this AWS Direct Connect connection for another virtual interface.

  2. Open the AWS Direct Connect console at https://console.aws.amazon.com/directconnect/.

    Remember that you will need to use your standard AWS credentials to log in to the AWS Direct Connect console.

  3. In the Connections pane, select the connection to use, and then click Create Virtual Interface.

  4. In the Create a Virtual Interface pane, select Public.

    Note

    For access to AWS GovCloud (US), you will need to use a public virtual interface. You will connect to AWS GovCloud (US) through the local AWS Direct Connect region using our backbone network.

  5. In the Define Your New Public Virtual Interface dialog box, do the following:

    1. In the Connection field, select an existing physical connection on which to create the virtual interface.

    2. In the Interface Name field, enter a name for the virtual interface.

    3. In Interface Owner, select the My AWS Account option if the virtual interface is for your AWS account ID.

    4. In the VLAN # field, enter the 802.1Q tag for your virtual local area network (VLAN): an unused number between 1 and 4094.

    5. In the Your router peer IP field, enter your end of the Interface IP Block from the worksheet, in IPv4 CIDR notation. This is the address your router uses to peer with AWS.

    6. In the Amazon router peer IP field, enter the AWS end of that same block, in IPv4 CIDR notation. This is the address your router peers with and sends traffic to.

    7. In the BGP ASN field, enter the Border Gateway Protocol (BGP) Autonomous System Number (ASN) of your gateway: a public ASN that you own, or a private ASN in the 64512–65534 range.

    8. Select the Auto-generate BGP key check box to have AWS generate one.

      To provide your own BGP key, clear the Auto-generate BGP key check box, and then in the BGP Authorization Key field, enter your BGP MD5 key.

    9. In the Prefixes you want to advertise field, enter the public IPv4 prefixes, in CIDR notation and separated by commas, that you will announce to AWS over this virtual interface. AWS routes traffic for these prefixes to you.

  6. Click Continue.
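The constraints in the procedure above (VLAN range, ASN range and ownership, a /30 interface block with one address per end, 1 to 100 public prefixes that overlap neither the interface block nor each other nor your other announcements) are easy to get wrong on a worksheet and are only reported back one at a time by the console. The following Python is an added example, not AWS code, that applies those checks offline and returns the values in the shape of the Direct Connect API's NewPublicVirtualInterface structure. The parameter names `validate_public_vif`, `own_public_asn` and `already_announced` are this example's own; the sample addresses are constructed from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24, standing in for public address space you would actually own.

```python
"""Validate AWS Direct Connect public virtual interface worksheet values.

Added example, not part of the AWS documentation. It applies the constraints
the "Define Your New Public Virtual Interface" dialog enforces and returns the
values in the shape of the Direct Connect API's NewPublicVirtualInterface
structure. Sample values are constructed: the documentation ranges
203.0.113.0/24 (TEST-NET-3) and 198.51.100.0/24 (TEST-NET-2) stand in for
public address space you would actually own.
"""
import ipaddress

AMAZON_ASN = 7224                   # AWS side of every Direct Connect BGP session
PRIVATE_ASNS = range(64512, 65535)  # 64512-65534 inclusive, no ownership needed
MAX_PREFIXES = 100                  # more than this requires a support case

# Address space that is never valid on a public virtual interface.
NOT_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


def _require_public(net, what):
    for bad in NOT_ROUTABLE:
        if net.overlaps(bad):
            raise ValueError(f"{what} {net} is not publicly routable")


def validate_public_vif(name, vlan, asn, customer_address, amazon_address,
                        prefixes, own_public_asn=False, already_announced=()):
    """Return a NewPublicVirtualInterface dict or raise ValueError.

    already_announced: CIDRs announced on your other virtual interfaces.
    Overlap with the announcement on a redundant connection is allowed, so
    list only prefixes that are not on the redundant link.
    """
    if not 1 <= vlan <= 4094:                     # 0 and 4095 are reserved by 802.1Q
        raise ValueError(f"VLAN {vlan} is outside 1-4094")
    if asn not in PRIVATE_ASNS and not (own_public_asn and 1 <= asn <= 64511):
        raise ValueError(f"ASN {asn}: use a private ASN (64512-65534) or a public ASN you own")

    # Interface IP block: one /30, your address at one end and Amazon's at the other.
    cust = ipaddress.ip_interface(customer_address)
    amzn = ipaddress.ip_interface(amazon_address)
    if cust.network != amzn.network or cust.network.prefixlen != 30:
        raise ValueError("peer addresses must be the two ends of one /30")
    if {cust.ip, amzn.ip} != set(cust.network.hosts()):
        raise ValueError("peer addresses must be the two usable hosts of the /30")
    _require_public(cust.network, "interface IP block")

    # Prefixes: 1-100 public networks on a proper boundary (strict=True rejects
    # host bits), overlapping neither the interface block, each other, nor
    # anything you already announce elsewhere.
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    if not 1 <= len(nets) <= MAX_PREFIXES:
        raise ValueError(f"need 1-{MAX_PREFIXES} prefixes, got {len(nets)}")
    taken = [cust.network] + [ipaddress.ip_network(p) for p in already_announced]
    for i, net in enumerate(nets):
        _require_public(net, "advertised prefix")
        for other in taken + nets[:i]:
            if net.overlaps(other):
                raise ValueError(f"advertised prefix {net} overlaps {other}")

    return {
        "virtualInterfaceName": name,
        "vlan": vlan,
        "asn": asn,
        "customerAddress": str(cust),   # e.g. 203.0.113.1/30
        "amazonAddress": str(amzn),     # e.g. 203.0.113.2/30
        "routeFilterPrefixes": [{"cidr": str(n)} for n in nets],
    }


if __name__ == "__main__":
    # Constructed worksheet values; the BGP key (authKey) is left to AWS to generate.
    print(validate_public_vif("govcloud-public", 101, 65000,
                              "203.0.113.1/30", "203.0.113.2/30",
                              ["198.51.100.0/24"]))
```

The returned dict is the structure the Direct Connect API expects for a new public virtual interface; when you are using the console rather than the API, the same values go into the fields of the Define Your New Public Virtual Interface dialog. Run the checks before you open the console so that an overlap with a prefix you already announce is caught on your side rather than reported back by AWS.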

Step 1.7: Download Router Configuration

After you have created your public virtual interface for your AWS Direct Connect connection, you can download the router configuration file that you will use for your AWS Direct Connect Customer Gateway router.

To download router configuration

  1. Open the AWS Direct Connect console at https://console.aws.amazon.com/directconnect/.

  2. In the Virtual Interfaces pane, select a virtual interface, click the arrow to show more details, and then click Download Router Configuration.

  3. In the Download Router Configuration dialog box, do the following:

    1. In the Vendor list, select the manufacturer of your router.

    2. In the Platform list, select the model of your router.

    3. In the Software list, select the software version for your router.

  4. Click Download, and then use the appropriate configuration for your router to ensure that you can connect to AWS Direct Connect:

    Cisco

    ! Physical port facing the AWS Direct Connect cross connect; no IP on the parent interface
    interface GigabitEthernet0/1
    no ip address
    speed 1000
    full-duplex
    !
    ! 802.1Q subinterface; VLAN_NUMBER is the VLAN from the worksheet
    interface GigabitEthernet0/1.VLAN_NUMBER
    description direct connect to aws
    encapsulation dot1Q VLAN_NUMBER
    ! IP_ADDRESS NETMASK: your end of the Interface IP Block (a /30 has mask 255.255.255.252)
    ip address IP_ADDRESS NETMASK
    !
    ! eBGP to the Amazon router (AS 7224), authenticated with the BGP key from the console
    router bgp CUSTOMER_BGP_ASN
    neighbor NEIGHBOR_IP_ADDRESS remote-as 7224
    neighbor NEIGHBOR_IP_ADDRESS password MD5_KEY
    ! one network statement per prefix entered in "Prefixes you want to advertise"
    network PUBLIC_PREFIX mask PUBLIC_PREFIX_MASK
    exit


    Juniper

    edit interfaces ge-0/0/1
    set description "AWS Direct Connect"
    set flexible-vlan-tagging
    set mtu 1522
    edit unit 0
    set vlan-id VLAN_ID
    set family inet mtu 1500
    set family inet address IP_ADDRESS/PREFIX_LENGTH
    exit
    exit

    edit policy-options policy-statement ADVERTISE_TO_AWS
    set term public-prefix from route-filter PUBLIC_PREFIX exact
    set term public-prefix then accept
    exit

    edit protocols bgp group ebgp
    set type external
    set authentication-key "MD5_KEY"
    set peer-as 7224
    set neighbor NEIGHBOR_IP_ADDRESS
    set export ADVERTISE_TO_AWS
    exit

    In the Juniper configuration, the export policy is what announces your public prefixes; Junos advertises nothing to an external peer without one. Add one route-filter term per prefix from the worksheet, and give the interface address its prefix length (for example /30 for the Interface IP Block).


Step 1.8: Verify Your Public Virtual Interface

After you have established public virtual interfaces for the AWS GovCloud (US) region, you can verify your AWS Direct Connect connections using the following procedure.

Important

If you are transferring any type of ITAR-regulated data through the AWS Direct Connect connection, you must encrypt the data that is being transferred by using a VPN tunnel. You can, however, test your connection using non-ITAR-regulated data.

To verify your public virtual interface connection to the AWS GovCloud (US) region

  • On your router, confirm that the BGP session to the Amazon peer (remote AS 7224) is Established, that you are receiving Amazon prefixes from it, and that the public prefixes from your worksheet are being advertised to it.

  • Run traceroute from your router to an AWS public endpoint in the AWS GovCloud (US) region and verify that the first hop is the Amazon router peer IP of your public virtual interface. That shows the traffic is crossing AWS Direct Connect rather than your Internet uplink.
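The two checks above are normally read off the router by eye. The following Python is an added example, not AWS code, that makes them mechanical: it parses the neighbor line of a Cisco IOS `show ip bgp summary` (IOS prints the received-prefix count in the State/PfxRcd column only when the session is Established, and a state name such as Active or Idle otherwise) and the first hop of a traceroute, and reports the interface healthy only when the AS 7224 peer is up, prefixes are being received, and the trace leaves via the Amazon peer IP. The function names `bgp_session`, `first_hop` and `vif_healthy` are this example's own; all router output below is constructed, with documentation-range addresses standing in for real ones.

```python
"""Check an AWS Direct Connect public virtual interface from router output.

Added example, not part of the AWS documentation. The sample router output is
constructed: 203.0.113.2 plays the Amazon router peer IP, 198.51.100.1 an
Internet uplink gateway, and 192.0.2.10 an AWS GovCloud (US) public endpoint.
"""
import re

AMAZON_ASN = 7224   # remote AS of the Amazon router on every Direct Connect peering

# Constructed 'show ip bgp summary' output (Cisco IOS format): session up ...
BGP_SUMMARY_UP = """\
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
203.0.113.2     4  7224    1520    1498       31    0    0 02:31:07       47
"""
# ... and session still trying to connect (state name instead of a prefix count).
BGP_SUMMARY_DOWN = """\
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
203.0.113.2     4  7224       0       0        1    0    0 never    Active
"""

# Constructed traceroute from the router: via Direct Connect, and via the Internet.
TRACE_VIA_DX = """\
Tracing the route to 192.0.2.10
  1 203.0.113.2 1 msec 1 msec 1 msec
  2 192.0.2.10 3 msec 3 msec 3 msec
"""
TRACE_VIA_INTERNET = """\
Tracing the route to 192.0.2.10
  1 198.51.100.1 2 msec 2 msec 2 msec
  2 192.0.2.10 18 msec 19 msec 18 msec
"""

# Neighbor line: IP, BGP version 4, AS, six counters/timers, then State/PfxRcd.
NEIGHBOR_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+4\s+(?P<asn>\d+)\s+(?:\S+\s+){6}(?P<state>\S+)\s*$",
    re.M)
HOP_RE = re.compile(r"^\s*\d+\s+(\d+\.\d+\.\d+\.\d+)", re.M)


def bgp_session(summary, amazon_peer_ip):
    """Return (established, prefixes_received) for the Amazon peer.

    Raises ValueError if the peer is missing or is not AS 7224, which would
    mean the router is peering with something other than the Amazon router.
    """
    for m in NEIGHBOR_RE.finditer(summary):
        if m["ip"] != amazon_peer_ip:
            continue
        if int(m["asn"]) != AMAZON_ASN:
            raise ValueError(f"peer {amazon_peer_ip} is AS {m['asn']}, expected {AMAZON_ASN}")
        state = m["state"]
        # A numeric State/PfxRcd means Established; otherwise IOS prints the FSM state.
        return (state.isdigit(), int(state) if state.isdigit() else 0)
    raise ValueError(f"no BGP neighbor {amazon_peer_ip} in summary")


def first_hop(trace):
    """Return the IP of hop 1 in a traceroute, or None if no hop line is found."""
    m = HOP_RE.search(trace)
    return m.group(1) if m else None


def vif_healthy(summary, trace, amazon_peer_ip):
    """True only if the AS 7224 session is up with prefixes and traffic leaves via it."""
    up, received = bgp_session(summary, amazon_peer_ip)
    return up and received > 0 and first_hop(trace) == amazon_peer_ip


if __name__ == "__main__":
    print("via Direct Connect:", vif_healthy(BGP_SUMMARY_UP, TRACE_VIA_DX, "203.0.113.2"))
    print("via Internet:     ", vif_healthy(BGP_SUMMARY_UP, TRACE_VIA_INTERNET, "203.0.113.2"))
```

A trace whose first hop is your Internet gateway while the BGP session is up usually means the Amazon prefixes are being received but lose to a more specific or preferred route elsewhere in your routing table, so check the route to the endpoint on the router before assuming the Direct Connect link itself is at fault.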

(Optional) Step 2: Setting Up Your VPN Over Your AWS Direct Connect Public Virtual Interface

If you are processing ITAR-regulated workloads, you must configure your AWS Direct Connect connection with a VPN to encrypt data in transit.

Using your values from the worksheet at the top of the section, create your AWS GovCloud (US) VPC and VPN. For detailed instructions on how to create your VPC and VPN, see Adding a Hardware Virtual Private Gateway to Your VPC in the Amazon VPC User Guide. For instructions on how to configure your on-premises VPN hardware, see Amazon VPC Network Administrator Guide.