For VPCs using Direct connect, the following table identifies the impact of this migration on specific types of network traffic

Connectivity	Changing?
VPC connectivity to the Internet	not changing
VPC-to-VPC peering	not changing
VPC to campus addresses via the Direct Connect	architecture changes overall connectivity not changing
VPC to campus addresses via the Internet	not changing

Terminology

We use the following terminology in this document:

...

	Resource	Filtering
Source	Direct Connect Virtual Interface	—
↓	Virtual Private Gateway	—
↓	NACL of Subnet containing EC2 instance	inbound rules of NACL
↓	EC2 Instance Security Group	inbound rules of SG
↓	EC2 Instance Elastic Network Interface	—
Destination	EC2 Instance	—

Version 2 (2023)

Image Removed

Image Added

draw.io source: dc-arch-2023.customer.v2.drawio

Paths and Traffic Filtering in Version 2 Architecture

Inbound Traffic – From TGW to EC2 Instance Residing in Subnet Attached to TGW

...

ALTERNATE.10-8.v2.drawio

Paths and Traffic Filtering in Version 2 Architecture

...

Inbound Traffic – From TGW to EC2 Instance NOT Residing in a Subnet Attached to TGW

	Resource	Filtering	Notes
Source	TGW	—
↓	TGW Attachment	—
↓	TGW Attachment Elastic Network Interface	—
↓	NACL of Subnet attached to TGW	outbound rules of NACL attached to utility subnet	The NACL bound to the utility subnets will allow all traffic in and out.
↓	Route Table of Subnet attached to TGW	—
↓	NACL of Subnet containing EC2 instance	inbound rules of NACL for destination subnet
↓	EC2 Instance Security Group	inbound rules of SG
Destination	EC2 Instance Elastic

Network Interface

—

Version 2 – Alternate (2023)

Image Removed

...

Network Interface

—

What Is Changing?

Before the migration is executed, a set of resources in Cornell AWS accounts will be tagged with details about the migration. In addition, a small set of new resources that support the v2 architecture will be created in Cornell AWS accounts. After the migration is complete, a few resources not used in the v1 architecture will be deleted.

...

Tag Key	Tag Values	Description	VPC	Subnets	Route Tables	Transit Gateway Attachments	Virtual Private Gateways	Direct Connect Virtual Interfaces
cit:dc-arch-migration-target	yes/no/guidance-required	Will this resource itself be affected as part of the migration? For subnets, if "guidance-required" then account owners will be consulted.
cit:dc-arch-migration-description	prose	Description of planned changes to this resource
cit:dc-arch-version	v1/v2	Is this a v1 or v2 architecture resource? After migration, v1 resources utilized in the v2 architecture will be relabeled as v2 resources.
cit:dc-arch-migration-new-resource	yes/no	Is this a new resource specifically created for the v2 architecture?	n/a	n/a			n/a	n/a
cit:dc-arch-migration-replaces	resource ID	If this v2 resource will be replacing a v1 resource, this ID references the resource that will be replaced.	n/a	n/a		n/a	n/a	n/a
cit:subnet-type	public/private/utility	Is this a private or public subnet? Public subnets are those with a route to an Internet Gateway. Private subnets are all subnets that are not public and are not utility subnets.	n/a		n/a	n/a	n/a	n/a
cit:tgw-attachment-target	yes/no/guidance-required	Will a Transit Gateway be attached to this subnet? If "guidance-required" then account owners will be consulted about the TGW Attachments.	n/a		n/a	n/a	n/a	n/a
~~cit:tgw-attachment-guidance~~	~~tbd/attach/no-attach~~	~~This tag provides a place for a human reviewer to provide guidance about whether a TGW attachment should be made to the tagged subnet.~~ ~~tbd → guidance has not yet been provided~~ ~~attach → human guidance says to attach the subnet to the TGW~~ ~~no-attach → human guidance says not to attach the subnet to the TGW~~ ~~Of all these tags, this is the only tag whose value should be updated by customers.~~	~~n/a~~		~~n/a~~	~~n/a~~	~~n/a~~	~~n/a~~
cit:dc-vgw	yes/no	Does this Route Table contain rules referencing a VGW?	n/a	n/a		n/a	n/a	n/a
Cost Center	R524755	This tag added to TGW Attachments will result in CIT paying for the $0.05/hr cost of attaching a VPC to a TGW.	n/a	n/a	n/a		n/a	n/a

...

New Resource Groups are an easy way to see the lists of affected resources.
New Route Tables will have routes that replace Virtual Private Gateway destinations with Transit Gateway Attachments destinations.
New utility Subnets, one for each AZ where the VPC is active.
New permissive Network ACL to be used only by the new utility Subnets.
Transit Gateway Attachments will connect VPCs to the v2 architecture.

...

These Route Tables will be created during the Migration phase of the migration. See Migration Process.

Utility Subnets

Forthcoming

Network ACL

Forthcoming

Transit Gateway Attachments

...

Phase	Stage	Timeframe	Activity	Impact on Cornell AWS Account VPC Networks
Preparation	Data Collection	November 2022	Gather information about Direct Connect resources and connected VPCs in Cornell AWS accounts	none
	Resource Tagging	14 Dec 2022	Add tags to existing resources in customer accounts to assist with targeting, identification, status, intended disposition	none
	Resource Groups	14 Dec 2022	Create Transit Gateway in CIT AWS account Create Resource Groups for resources involved in the migration in customer accounts	none
	Customer Input #1	15 Dec 2022 - 02 Jan 2023	Cornell AWS account owner/admin review Cornell AWS account owner/admin feedback solicited	none
Migration	Transit Gateway Attachments	03 Jan 2023 - 06 Jan 2023	Utility Subnets Transit Gateway Attachments created in customer accounts v2 Route Tables created in customer accounts NACLs for Utility Subnets	none
	Customer Input #2	09 Jan 2023 - 13 Jan 2023	Cornell AWS account owner/admin review Cornell AWS account owner/admin feedback solicited Route Table and/or TGW Attachments adjusted according to customer input	none
	VPC Routing Updated	16 Jan 2023	v2 Route Tables activated v1 Route Tables deactivated	VPC-to-campus traffic will be routed through the v2 architecture
	Campus Direct Connect Routes Updated	17 Jan 2023	Campus-side routing updated to begin using the v2 architecture for campus-to-AWS traffic	campus-to-VPC traffic will be routed through the V2 architecture
Cleanup	Customer Account Cleanup	23 Jan 2023 - 31 Jan 2023	VGWs and DC VIFs in customer accounts deleted	none
Cleanup	Campus Direct Connect Cleanup	23 Jan 2023 - 31 Jan 2023	Campus Direct Connect resources deleted or decommissioned	none

...

Space shortcuts

Page tree

Versions Compared

Old Version 80

New Version 81

Key

Terminology

Version 2 (2023)

Paths and Traffic Filtering in Version 2 Architecture

Inbound Traffic – From TGW to EC2 Instance Residing in Subnet Attached to TGW

Paths and Traffic Filtering in Version 2 Architecture

Inbound Traffic – From TGW to EC2 Instance NOT Residing in a Subnet Attached to TGW

Version 2 – Alternate (2023)

What Is Changing?

Utility Subnets

Network ACL

Transit Gateway Attachments

Space shortcuts

Page tree

Page History

Versions Compared

Old Version 80

New Version 81

Key

Terminology

Version 2 (2023)

Paths and Traffic Filtering in Version 2 Architecture

Inbound Traffic – From TGW to EC2 Instance Residing in Subnet Attached to TGW

Paths and Traffic Filtering in Version 2 Architecture

Inbound Traffic – From TGW to EC2 Instance NOT Residing in a Subnet Attached to TGW

Version 2 – Alternate (2023)

What Is Changing?

Utility Subnets

Network ACL

Transit Gateway Attachments