Outpost connectivity to AWS Regions - AWS Outposts

Outpost connectivity to AWS Regions

AWS Outposts supports two types of wide area network (WAN) connectivity: service links and local gateways.

During AWS Outposts provisioning, a service link connection is created that connects your Outpost back to your chosen AWS Region or Outposts home Region. The service link is an encrypted set of VPN connections that are used whenever the Outpost communicates with your chosen home Region.

If you select the private connectivity option for your Outpost, the service link VPN connection is established using an existing VPC and subnet that you specify. For more information, see Service link private connectivity using VPC.

Alternatively, the Outpost can establish the service link VPN to the AWS Region over public Region connectivity. To do so, the Outpost needs reachability to the AWS Region's public IP ranges, either through the public internet or through an AWS Direct Connect public virtual interface. This reachability can be provided by specific routes in the service link VLAN for the Region's public prefixes, or by a default route of 0.0.0.0/0. For the public ranges for AWS, see AWS IP Address Ranges.

After the service link is established, the Outpost is in service and managed by AWS. The service link is used for the following traffic:

  • Management traffic to the Outpost through the service link

  • Traffic between the Outpost and any associated VPCs

Outpost service links support an MTU of 1300 bytes. You can use AWS Direct Connect or an internet connection to connect to the AWS Region. For an optimal experience and resiliency, AWS recommends that you use dual 1 Gbps connections to the AWS Region.

In the following diagram, the configuration extends the Amazon VPC from the AWS Region to the Outpost. An AWS Direct Connect public virtual interface is the service link connection. The following traffic goes over the service link and the AWS Direct Connect connection:

  • Control plane

  • Intra-VPC traffic between the Outpost and the AWS Region


Diagram: AWS Direct Connect connection to AWS

If you are using a stateful firewall with your internet connection to limit connectivity from the public internet to the service link VLAN, you can block all inbound connections initiated from the internet. This is safe because the service link VPN is always initiated by the Outpost toward the Region, never by the Region toward the Outpost.


Diagram: Internet gateway connection to AWS

If you use a firewall to limit the connectivity from the service link VLAN, you can block all inbound connections. You must allow outbound connections from the Outpost to the AWS Region as listed in the following table. If the firewall is stateful, the return traffic for those allowed connections, meaning connections that were initiated from the Outpost, must be allowed back inbound.

Protocol   Source Port   Source Address             Destination Port   Destination Address
UDP        443           Outpost service link /26   443                Outpost Region's public routes
TCP        1025-65535    Outpost service link /26   443                Outpost Region's public routes
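The following is an added example, not AWS code or a shipped tool. It models the two rules in the table above plus the stateful return rule, and it derives "Outpost Region's public routes" from an excerpt in the shape of the AWS ip-ranges.json file referenced under public connectivity (that prefix list is also what you would install as specific routes on the service link VLAN instead of 0.0.0.0/0). The /26, the Region name and the ip-ranges prefixes are constructed sample values, not real Outpost or AWS data.

```python
"""Added example (not AWS code): service link egress policy from the table
above, with stateful return handling, and the Region public route set derived
from an ip-ranges.json excerpt. All addresses below are constructed samples."""
import ipaddress
import json
from dataclasses import dataclass

# Constructed sample: the /26 assigned to this Outpost's service link VLAN.
SERVICE_LINK_CIDR = ipaddress.ip_network("192.0.2.0/26")

# Constructed excerpt in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json
# (the "AMAZON" service is the superset entry that covers a Region's public ranges).
IP_RANGES_JSON = json.dumps({
    "syncToken": "0",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "us-west-2",
         "service": "AMAZON", "network_border_group": "us-west-2"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1",
         "service": "AMAZON", "network_border_group": "us-east-1"},
    ],
})


def region_public_routes(ip_ranges_json, region):
    """Prefixes for one Region: the destination set for the table's rules and
    the specific routes to install on the service link VLAN instead of 0.0.0.0/0."""
    data = json.loads(ip_ranges_json)
    return [ipaddress.ip_network(p["ip_prefix"])
            for p in data["prefixes"]
            if p["region"] == region and p["service"] == "AMAZON"]


@dataclass(frozen=True)
class Flow:
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


def outbound_allowed(flow, region_routes):
    """The two rows of the table: UDP 443->443 and TCP 1025-65535->443,
    from the service link /26 to the Region's public routes only."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src not in SERVICE_LINK_CIDR or not any(dst in r for r in region_routes):
        return False
    if flow.proto == "udp":
        return flow.sport == 443 and flow.dport == 443
    if flow.proto == "tcp":
        return 1025 <= flow.sport <= 65535 and flow.dport == 443
    return False


class StatefulFirewall:
    """Default-deny both ways; inbound is accepted only as the reply to an
    outbound flow this firewall already allowed (the Outpost always initiates
    the service link, so nothing unsolicited needs to come in)."""

    def __init__(self, region_routes):
        self.region_routes = region_routes
        self.sessions = set()

    def filter(self, flow, direction):
        if direction == "outbound":
            if outbound_allowed(flow, self.region_routes):
                self.sessions.add(flow)
                return "ALLOW"
            return "DROP"
        # Inbound: allow only if the reversed 5-tuple is an established session.
        reverse = Flow(flow.proto, flow.dst, flow.dport, flow.src, flow.sport)
        return "ALLOW" if reverse in self.sessions else "DROP"


def demo():
    """Walk a few flows through the policy; returns the verdicts in order."""
    fw = StatefulFirewall(region_public_routes(IP_RANGES_JSON, "us-west-2"))
    cases = [
        (Flow("udp", "192.0.2.10", 443, "203.0.113.7", 443), "outbound"),     # VPN setup
        (Flow("udp", "203.0.113.7", 443, "192.0.2.10", 443), "inbound"),      # its reply
        (Flow("tcp", "192.0.2.10", 40000, "203.0.113.7", 443), "outbound"),   # TLS to Region
        (Flow("tcp", "203.0.113.7", 443, "192.0.2.10", 50000), "inbound"),    # unsolicited
        (Flow("tcp", "192.0.2.10", 40000, "198.51.100.5", 443), "outbound"),  # other Region
        (Flow("tcp", "192.0.2.10", 80, "203.0.113.7", 443), "outbound"),      # sport < 1025
    ]
    return [fw.filter(f, d) for f, d in cases]


if __name__ == "__main__":
    print(demo())
```

The unsolicited inbound case is the one the text is about: a stateless allowlist would have to open TCP 443 from the Region's ranges inbound, whereas the stateful model accepts only replies to sessions the Outpost opened. When you apply this to a real firewall, regenerate the route set from the current ip-ranges.json rather than pinning prefixes, since the published ranges change.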

Note

An Outpost cannot use the service link to communicate with another Outpost, even when the same VPC is extended to both. Use the local gateways for traffic between VPCs across Outposts. Outpost racks are also designed with redundant power and networking equipment, including local gateway components. For more information, see Resilience in AWS Outposts.

Service link private connectivity using VPC

You can select the private connectivity option in the console when you create your Outpost. When you do so, a service link VPN connection is established after the Outpost is installed using a VPC and subnet that you specify. This allows private connectivity by way of the VPC and minimizes public internet exposure.

Note

If you need to undo the private connectivity for your Outpost, you must contact AWS Enterprise Support.

Prerequisites

The following prerequisites are required before you can configure private connectivity for your Outpost:

  • The IAM entity (user or role) that selects private connectivity must be allowed to create the service-linked role for private connectivity. Grant it permission for the following actions:

    • iam:CreateServiceLinkedRole on arn:aws:iam::*:role/aws-service-role/outposts.amazonaws.com/AWSServiceRoleForOutposts*

    • iam:PutRolePolicy on arn:aws:iam::*:role/aws-service-role/outposts.amazonaws.com/AWSServiceRoleForOutposts*

    • ec2:DescribeVpcs

    • ec2:DescribeSubnets

    For more information, see Identity and Access Management for AWS Outposts and Using service-linked roles for AWS Outposts.

  • Create a dedicated VPC and subnet (/25 or larger, must not conflict with 10.1.0.0/16) in the same AWS account and Availability Zone as your Outpost.

  • Create an AWS Direct Connect connection, private virtual interface, and virtual private gateway to allow your on-premises Outpost to access the VPC. If the AWS Direct Connect connection is in a different AWS account from your VPC, see Associating a virtual private gateway across accounts in the AWS Direct Connect User Guide.

  • Advertise the subnet CIDR to your on-premises network. You can use AWS Direct Connect to do so. For more information, see AWS Direct Connect virtual interfaces and Working with AWS Direct Connect gateways in the AWS Direct Connect User Guide. For other options besides AWS Direct Connect, see the Introduction to Amazon Virtual Private Cloud Connectivity Options.
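The following is an added example, not AWS code or a shipped tool, that checks the first two prerequisites above before you order the Outpost: whether an identity policy grants the four required actions on the service-linked role ARN pattern (a small evaluator for IAM-style wildcards that looks only at Effect, Action and Resource, ignoring NotAction, NotResource and Condition), and whether the dedicated subnet is /25 or larger and disjoint from 10.1.0.0/16. The policies, the account ID and the CIDRs are constructed samples.

```python
"""Added example (not AWS code): pre-flight checks for Outposts private
connectivity. Policies, account ID and CIDRs are constructed samples."""
import fnmatch  # IAM's '*' (any run) and '?' (one char) map onto fnmatch here
import ipaddress

# Constructed: the service-linked role ARN in account 123456789012.
SLR_ARN = ("arn:aws:iam::123456789012:role/aws-service-role/"
           "outposts.amazonaws.com/AWSServiceRoleForOutposts")

# The four actions from the prerequisites list; Describe* calls need Resource "*".
REQUIRED = [
    ("iam:CreateServiceLinkedRole", SLR_ARN),
    ("iam:PutRolePolicy", SLR_ARN),
    ("ec2:DescribeVpcs", "*"),
    ("ec2:DescribeSubnets", "*"),
]

# Constructed policy that satisfies the prerequisites.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iam:CreateServiceLinkedRole", "iam:PutRolePolicy"],
         "Resource": "arn:aws:iam::*:role/aws-service-role/"
                     "outposts.amazonaws.com/AWSServiceRoleForOutposts*"},
        {"Effect": "Allow",
         "Action": ["ec2:DescribeVpcs", "ec2:DescribeSubnets"],
         "Resource": "*"},
    ],
}

# Constructed policy missing iam:PutRolePolicy and with an explicit Deny on
# ec2:DescribeSubnets (a Deny elsewhere in the entity's policies wins).
BAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole",
         "Resource": "arn:aws:iam::*:role/aws-service-role/"
                     "outposts.amazonaws.com/AWSServiceRoleForOutposts*"},
        {"Effect": "Allow", "Action": ["ec2:DescribeVpcs", "ec2:DescribeSubnets"],
         "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:DescribeSubnets", "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_grants(policy, action, resource):
    """True if some Allow statement matches action+resource and no Deny does.
    Actions compare case-insensitively, as IAM does; resources compare exactly."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def missing_permissions(policy):
    """Required actions the policy does not effectively grant, in list order."""
    return [action for action, resource in REQUIRED
            if not policy_grants(policy, action, resource)]


RESERVED = ipaddress.ip_network("10.1.0.0/16")  # must not conflict, per the text


def subnet_problems(cidr):
    """Reasons the dedicated subnet is unsuitable; empty list means it passes."""
    net = ipaddress.ip_network(cidr, strict=True)
    problems = []
    if net.prefixlen > 25:
        problems.append(f"{net} is smaller than /25")
    if net.overlaps(RESERVED):
        problems.append(f"{net} overlaps {RESERVED}")
    return problems


if __name__ == "__main__":
    print(missing_permissions(GOOD_POLICY), missing_permissions(BAD_POLICY))
    print(subnet_problems("10.1.4.0/25"), subnet_problems("10.2.0.0/24"))
```

The evaluator is deliberately narrow: it is a pre-flight sanity check on a policy document you hold locally, not a replacement for IAM's own evaluation (which also applies permission boundaries, SCPs and conditions). Run it before choosing the private connectivity option, since the text notes that undoing that choice later requires AWS Enterprise Support.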

You can select the private connectivity option when you create your Outpost in the AWS Outposts console. For instructions, see Create an Outpost and order Outpost capacity.

Note

To select the private connectivity option when your Outpost is in PENDING status, choose Outposts from the console and select your Outpost. Choose Actions, Add private connectivity and follow the steps.

After you select the private connectivity option for your Outpost, AWS Outposts automatically creates a service-linked role in your account that enables it to complete the following tasks on your behalf:

  • Creates network interfaces in the subnet and VPC that you specify, and creates a security group for the network interfaces.

  • Grants permission to the AWS Outposts service to attach the network interfaces to a service link endpoint instance in the account.

  • Attaches the network interfaces to the service link endpoint instances from the account.

For more information about the service-linked role, see Using service-linked roles for AWS Outposts.

Important

After your Outpost is installed, confirm connectivity to the private IPs in your subnet from your Outpost.

The following diagram shows a private connectivity configuration that uses an AWS Direct Connect connection, virtual interface, and virtual private gateway.


Diagram: Outpost private connectivity configuration

Connectivity through the local gateway

The primary role of a local gateway is to provide connectivity from an Outpost to your local on-premises LAN. It also provides connectivity to the internet through your on-premises network. The local gateway can also provide a data plane path back to the AWS Region. If you already have connectivity between your LAN and the Region through AWS Site-to-Site VPN or AWS Direct Connect, you can use the same path to connect from the Outpost to the AWS Region privately.

The data plane path for the local gateway runs from the Outpost, through the local gateway, to your private local gateway LAN segment. From there it follows your existing private path back to the AWS service endpoints in the Region.

Redundant internet connections

When you build connectivity from your Outpost to the AWS Region, we recommend that you create multiple connections for higher availability and resiliency. For more information, see AWS Direct Connect Resiliency Recommendations.

If you need connectivity to the public internet, you can use redundant internet connections and diverse internet providers, just as you would with your existing on-premises workloads.