
...

What

...

We don't have tons of data on that. Generally, we find that overall realized speed is similar between VPN and DC connections, but that the DC connection has less variability. Here's an example:

What are the physical details of Cornell's Direct Connect to AWS?

The primary DC connection is a 1Gbit/s connection. The backup connection is a 200Mbit/s connection. They use geographically separate routes to reach AWS.

Is the DC monitored?

Yes. The CIT Infrastructure Team monitors the performance and utilization of the primary and secondary links. You can monitor it yourself too using these URLs:

Can the DC bandwidth be increased if utilization becomes heavy?

Yes, there is an upgrade path should that become necessary.

We upgraded the secondary path from 100Mbit/s to 200Mbit/s in November 2019.

As of August 2021, we have had only one instance where the primary Direct Connect circuit was briefly saturated with AWS-bound traffic. It looked like this (blue is AWS-bound, green is campus-bound):
Image Removed

What are the requirements for using Direct Connect?

Your AWS VPC must be using a Cornell private network registered in DNSDB and allocated specifically to your group by the Network Engineering and Cloud teams.


VPCs to be connected to Direct Connect must be using an officially allocated CIDR block from Cornell's private network. Normally, when a Cornell AWS customer requests Direct Connect, the Cloud Team will allocate a CIDR from Cornell's private network and create a brand new VPC using that CIDR.

What's the cost of using Direct Connect?

Customer Direct Connect costs depend entirely on the volume of traffic sent across the Direct Connect architecture. See Cornell AWS Direct Connect Costs.

I don't really use the Direct Connect in my AWS account. Can I remove that feature?

If you do not need or use Direct Connect in your AWS account, you'll be saving Cornell money if you request that Direct Connect be removed. Contact cloud-support@cornell.edu to request that change.

Does Direct Connect remove the need for peering VPCs?

We use a Transit Gateway (TGW) in our Direct Connect architecture. One of the features of this architecture is that all VPCs using Direct Connect are also completely interconnected. In many cases, this removes the need to directly peer VPCs. However, there are some situations where VPC peering still makes sense. See Peering AWS VPCs that Use Direct Connect.

What traffic is routed through the Direct Connect

...

?

There are three choices. See diagrams in Cornell AWS Direct Connect Routing Diagrams.

...

  • Private Subnets: AWS subnets without direct Internet access should use a route table that includes all propagated routes from the Direct Connect (includes campus 10-space and public space).
  • Public Subnets: AWS subnets with direct Internet access (IGW) should use a route table that disables route propagation from Direct Connect and only includes references to campus 10-space addresses.
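The two route-table rules above can be checked mechanically. The following is an added example, not code from the original page or from Cornell: it audits route tables in the shape returned by EC2 `describe_route_tables`, assuming "campus 10-space" means 10.0.0.0/8 and that Direct Connect routes reach the table through virtual private gateway propagation (the `PropagatingVgws` field). All IDs and CIDRs in the sample are constructed.

```python
import ipaddress

# Assumption: "campus 10-space" is taken to mean 10.0.0.0/8.
CAMPUS_10_SPACE = ipaddress.ip_network("10.0.0.0/8")

def audit_route_table(rt):
    """Check one route table (EC2 describe_route_tables shape) against both rules."""
    routes = rt.get("Routes", [])
    # Any route via an Internet Gateway marks the table as serving public subnets.
    is_public = any(r.get("GatewayId", "").startswith("igw-") for r in routes)
    # Assumption: Direct Connect routes arrive by virtual private gateway propagation.
    propagating = bool(rt.get("PropagatingVgws"))
    findings = []
    if not is_public:
        if not propagating:
            findings.append("private table has route propagation disabled")
        return findings
    if propagating:
        findings.append("public table has route propagation enabled")
    for r in routes:
        target = r.get("GatewayId") or r.get("TransitGatewayId") or "other"
        cidr = r.get("DestinationCidrBlock")
        if cidr is None or target == "local" or target.startswith("igw-"):
            continue
        if not ipaddress.ip_network(cidr).subnet_of(CAMPUS_10_SPACE):
            findings.append(f"public table sends non-10-space {cidr} to {target}")
    return findings

def audit(route_tables):
    return {rt["RouteTableId"]: audit_route_table(rt) for rt in route_tables}

# Constructed sample: IDs and CIDRs are made up; 198.51.100.0/24 stands in for campus public space.
SAMPLE = [
    {"RouteTableId": "rtb-private", "PropagatingVgws": [{"GatewayId": "vgw-example"}],
     "Routes": [{"DestinationCidrBlock": "10.92.0.0/22", "GatewayId": "local"},
                {"DestinationCidrBlock": "10.0.0.0/8", "GatewayId": "vgw-example"}]},
    {"RouteTableId": "rtb-public-good", "PropagatingVgws": [],
     "Routes": [{"DestinationCidrBlock": "10.92.0.0/22", "GatewayId": "local"},
                {"DestinationCidrBlock": "10.0.0.0/8", "GatewayId": "vgw-example"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}]},
    {"RouteTableId": "rtb-public-bad", "PropagatingVgws": [{"GatewayId": "vgw-example"}],
     "Routes": [{"DestinationCidrBlock": "10.92.0.0/22", "GatewayId": "local"},
                {"DestinationCidrBlock": "198.51.100.0/24", "GatewayId": "vgw-example"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}]},
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Against a live account, the same function can be fed the `RouteTables` list from `describe_route_tables`; routes that use only IPv6 or prefix-list destinations are skipped by this check.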

Can I change the traffic routed through

...

Direct Connect?

The configuration for Cornell campus traffic routed through Direct Connect to your VPC can be altered should your needs change in the future. Moving among the routing options ("RFC 1918", "All-Campus", "Hybrid") may require a review of your subnet route tables to ensure a smooth transition without any negative side-effects. See Cornell AWS Direct Connect Routing Diagrams.

Can Cornell AWS accounts configured to use a VPN connection be upgraded to use the DC? 

Yes. Contact cloud-support@cornell.edu to request that change. The change will require a brief outage of 10-space routing, so advance planning is required so that access to your cloud-based services is not disrupted.

I got a notice from AWS about maintenance for my Direct Connect connection. Will connectivity be down during that maintenance window?

No. During maintenance outages of the primary Direct Connect physical connection, Direct Connects for AWS accounts will automatically use the secondary Direct Connect connection.

...

What are the physical details of Cornell's Direct Connect to AWS?

Both Direct Connect connections are 1Gbps. These connections run in an active-active configuration. See Cornell AWS Direct Connect Architecture for details.

Is Cornell's Direct Connect monitored?

Yes, both the CIT Cloud and Networks teams monitor the Direct Connect and will be alerted when either connection fails.

Note: Since the pre-2023 Direct Connect architecture utilized campus-based hardware, the traffic volume of those connections was easily viewed on Cornell's MRTG tool. Since the 2023 migration to I2CC as the Direct Connect vendor, MRTG cannot show the DC traffic. Let us know if you really, really need to see these metrics.

Is there a disaster recovery plan for our Direct Connect connectivity?

There is no specific DR disaster recovery plan for our Direct Connect connectivity, beyond . We rely on the high availability configuration we now have. We are seeking information from the leased line providers to see how fast they would be able to upgrade our current 100Mbit/s secondary connection to 1Gbit/s if our primary Direct Connect path fails and is expected to be offline for a while. Note too, that since the current Direct Connect lines are piped baked into the design of our Direct Connect architecture to weather individual connection failures. 

Because both of our I2CC Direct Connect connections are linked directly to the us-east-1 AWS region, our Direct Connect connectivity might be useless in a scenario that involves failure of that entire region. In the event of a regional failure of us-east-1, Direct Connect service may be interrupted. Our design does not include multi-region DC connectivity because a vast majority of Cornell AWS accounts using Direct Connect operate only in us-east-1.