AWS Outposts connectivity to AWS Regions - AWS Outposts

AWS Outposts supports wide area network (WAN) connectivity through the service link connection.

The service link is a necessary connection between your Outposts and your chosen AWS Region (or home Region) and allows for the management of the Outposts and the exchange of traffic to and from the AWS Region. The service link leverages an encrypted set of VPN connections to communicate with the home Region.

To set up the service link connectivity, you or AWS must configure the service link physical, virtual LAN (VLAN), and network layer connectivity with your local network devices during the Outpost provisioning. For more information, see Local network connectivity for racks and Site requirements for Outposts rack.

For the wide area network (WAN) connectivity to the AWS Region, AWS Outposts can establish service link VPN connections through the AWS Region's public connectivity. This requires the Outposts to have access to the Region's public IP ranges, which can be through the public internet or AWS Direct Connect public virtual interfaces. For the current IP address ranges, see AWS IP address ranges in the Amazon VPC user guide. This connectivity can be enabled by configuring specific or default (0.0.0.0/0) routes in the service link network layer path. For more information, see Service link BGP connectivity and Service link infrastructure subnet advertisement and IP range.

Alternatively, you can select the private connectivity option for your Outpost. For more information, see Service link private connectivity using VPC.

After the service link connection is established, your Outpost becomes operational and is managed by AWS. The service link is used for the following traffic:

  • Customer VPC traffic between the Outpost and any associated VPCs.

  • Outposts management traffic, such as resource management, resource monitoring and firmware and software updates.

Service link maximum transmission unit (MTU) requirements

The maximum transmission unit (MTU) of a network connection is the size, in bytes, of the largest packet that can be passed over the connection. The network must support a 1500-byte MTU between the Outpost and the service link endpoints in the parent AWS Region. For information on the required MTU between an instance in the Outpost and an instance in the AWS Region through the service link, see Network maximum transmission unit (MTU) for your Amazon EC2 instance in the Amazon EC2 User Guide.

Service link bandwidth recommendations

For an optimal experience and resiliency, AWS requires that you use redundant connectivity of at least 500 Mbps (1 Gbps is better) and a maximum of 175 ms round trip latency for the service link connection to the AWS Region. You can use AWS Direct Connect or an internet connection for the service link. The minimum 500 Mbps and maximum round trip time requirements for the service link connection allow you to launch Amazon EC2 instances, attach Amazon EBS volumes, and access AWS services, such as Amazon EKS, Amazon EMR, and CloudWatch metrics, with optimal performance.

Your Outposts service link bandwidth requirements vary depending on the following characteristics:

  • Number of AWS Outposts racks and capacity configurations

  • Workload characteristics, such as AMI size, application elasticity, burst speed needs, and Amazon VPC traffic to the Region

To receive a custom recommendation about the service link bandwidth required for your needs, contact your AWS sales representative or APN partner.

Firewalls and the service link

This section discusses firewall configurations and the service link connection.

In the following diagram, the configuration extends the Amazon VPC from the AWS Region to the Outpost. An AWS Direct Connect public virtual interface is the service link connection. The following traffic goes over the service link and the AWS Direct Connect connection:

  • Management traffic to the Outpost through the service link

  • Traffic between the Outpost and any associated VPCs

AWS Direct Connect connection to AWS

If you are using a stateful firewall with your internet connection to limit connectivity from the public internet to the service link VLAN, you can block all inbound connections that initiate from the internet. This is because the service link VPN initiates only from the Outpost to the Region, not from the Region to the Outpost.

Internet gateway connection to AWS

If you use a firewall to limit the connectivity from the service link VLAN, you can block all inbound connections. You must allow the outbound connections from the Outpost to the AWS Region listed in the following table, together with their return traffic back to the Outpost. If the firewall is stateful, the return traffic for outbound connections that are allowed, meaning that they were initiated from the Outpost, should be allowed back inbound.

Protocol | Source Port | Source Address                | Destination Port | Destination Address
---------|-------------|-------------------------------|------------------|------------------------------------
UDP      | 443         | AWS Outposts service link /26 | 443              | AWS Outposts Region's public routes
TCP      | 1025-65535  | AWS Outposts service link /26 | 443              | AWS Outposts Region's public routes
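The following is an added example (not AWS code) that models the table above as a stateful egress policy: the "Region's public routes" are taken from an ip-ranges.json document (the excerpt here is constructed, in the shape of the published file), the service link /26 is a placeholder, and inbound packets pass only when they reverse a flow the Outpost initiated.

```python
import ipaddress
import json

# Constructed excerpt in the shape of the published ip-ranges.json (see "AWS IP address ranges")
IP_RANGES_JSON = json.dumps({"prefixes": [
    {"ip_prefix": "198.51.100.0/24", "region": "us-west-2", "service": "AMAZON"},
    {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "AMAZON"},
]})
SERVICE_LINK_CIDR = ipaddress.ip_network("192.0.2.64/26")  # placeholder service link /26

# The two allow rules from the table: (protocol, source port range, destination port)
RULES = [("udp", (443, 443), 443), ("tcp", (1025, 65535), 443)]


def region_public_prefixes(ip_ranges_json, region):
    """Collect the home Region's AMAZON prefixes from an ip-ranges.json document."""
    data = json.loads(ip_ranges_json)
    return [ipaddress.ip_network(p["ip_prefix"]) for p in data["prefixes"]
            if p["region"] == region and p["service"] == "AMAZON"]


class ServiceLinkFirewall:
    """Stateful policy: allow only the table's flows outbound from the service link /26 to
    the home Region's public prefixes; allow inbound only as the reply to such a flow."""

    def __init__(self, service_link_cidr, region_prefixes):
        self.link = service_link_cidr
        self.region = region_prefixes
        self.conntrack = set()  # (proto, src, sport, dst, dport) of allowed outbound flows

    def outbound(self, proto, src, sport, dst, dport):
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip not in self.link or not any(dst_ip in p for p in self.region):
            return False
        for r_proto, (lo, hi), r_dport in RULES:
            if proto == r_proto and lo <= sport <= hi and dport == r_dport:
                self.conntrack.add((proto, src, sport, dst, dport))
                return True
        return False

    def inbound(self, proto, src, sport, dst, dport):
        # Connections initiated from the internet never match; only replies pass.
        return (proto, dst, dport, src, sport) in self.conntrack
```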

Note

Instances in an Outpost cannot use the service link to communicate with instances in another Outpost. Use routing through the local gateway or local network interface to communicate between Outposts.

AWS Outposts racks are also designed with redundant power and networking equipment, including local gateway components. For more information, see Resilience in AWS Outposts.

Service link private connectivity using VPC

You can select the private connectivity option in the console when you create your Outpost. When you do so, a service link VPN connection is established after the Outpost is installed using a VPC and subnet that you specify. This allows private connectivity by way of the VPC and minimizes public internet exposure.

Prerequisites

The following prerequisites are required before you can configure private connectivity for your Outpost:

  • You must configure permissions for an IAM entity (user or role) to allow the user or role to create the service-linked role for private connectivity. The IAM entity needs permission to access the following actions:

    • iam:CreateServiceLinkedRole on arn:aws:iam::*:role/aws-service-role/outposts.amazonaws.com/AWSServiceRoleForOutposts*

    • iam:PutRolePolicy on arn:aws:iam::*:role/aws-service-role/outposts.amazonaws.com/AWSServiceRoleForOutposts*

    • ec2:DescribeVpcs

    • ec2:DescribeSubnets

    For more information, see Identity and access management (IAM) for AWS Outposts and Using service-linked roles for AWS Outposts.

  • In the same AWS account and Availability Zone as your Outpost, create a VPC for the sole purpose of Outpost private connectivity with a subnet /25 or larger that does not conflict with 10.1.0.0/16. For example, you might use 10.2.0.0/16.

  • Create an AWS Direct Connect connection, private virtual interface, and virtual private gateway to allow your on-premises Outpost to access the VPC. If the AWS Direct Connect connection is in a different AWS account from your VPC, see Associating a virtual private gateway across accounts in the AWS Direct Connect User Guide.

  • Advertise the subnet CIDR to your on-premises network. You can use AWS Direct Connect to do so. For more information, see AWS Direct Connect virtual interfaces and Working with AWS Direct Connect gateways in the AWS Direct Connect User Guide.
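An added example (not AWS code) that checks a VPC and subnet pair against the private connectivity prerequisites above: the subnet must be /25 or larger, must lie inside the VPC, and neither may conflict with 10.1.0.0/16.

```python
import ipaddress

RESERVED = ipaddress.ip_network("10.1.0.0/16")  # must not conflict, per the prerequisites
MAX_PREFIXLEN = 25                               # "/25 or larger"


def check_private_connectivity_subnet(vpc_cidr, subnet_cidr):
    """Return a list of prerequisite violations; an empty list means the pair is acceptable."""
    problems = []
    try:
        vpc = ipaddress.ip_network(vpc_cidr, strict=True)
        subnet = ipaddress.ip_network(subnet_cidr, strict=True)
    except ValueError as err:  # host bits set or unparsable CIDR
        return [f"invalid CIDR: {err}"]
    if vpc.overlaps(RESERVED):
        problems.append(f"VPC {vpc} conflicts with {RESERVED}")
    if subnet.prefixlen > MAX_PREFIXLEN:
        problems.append(f"subnet {subnet} is smaller than /{MAX_PREFIXLEN}")
    if subnet.overlaps(RESERVED):
        problems.append(f"subnet {subnet} conflicts with {RESERVED}")
    if not subnet.subnet_of(vpc):
        problems.append(f"subnet {subnet} is not inside VPC {vpc}")
    return problems
```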

You can select the private connectivity option when you create your Outpost in the AWS Outposts console. For instructions, see Create an Outpost and order Outpost capacity.

Note

To select the private connectivity option when your Outpost is in PENDING status, choose Outposts from the console and select your Outpost. Choose Actions, Add private connectivity and follow the steps.

After you select the private connectivity option for your Outpost, AWS Outposts automatically creates a service-linked role in your account that enables it to complete the following tasks on your behalf:

  • Creates network interfaces in the subnet and VPC that you specify, and creates a security group for the network interfaces.

  • Grants permission to the AWS Outposts service to attach the network interfaces to a service link endpoint instance in the account.

  • Attaches the network interfaces to the service link endpoint instances from the account.

For more information about the service-linked role, see Using service-linked roles for AWS Outposts.

Important

After your Outpost is installed, confirm connectivity to the private IPs in your subnet from your Outpost.

Redundant internet connections

When you build connectivity from your Outpost to the AWS Region, we recommend that you create multiple connections for higher availability and resiliency. For more information, see AWS Direct Connect Resiliency Recommendations.

If you need connectivity to the public internet, you can use redundant internet connections and diverse internet providers, just as you would with your existing on-premises workloads.