Versions Compared


...

In this configuration, the Cornell campus network will route network traffic to the VPC's private address space over the Direct Connect. The DCGW+TGW infrastructure connected to the AWS VPC will route traffic from Private AWS subnets to both Private and Public Cornell network segments back to campus via Direct Connect. For Public AWS subnets, the DCGW+TGW infrastructure will route traffic only to Private Cornell network segments back to campus via Direct Connect.

As in the Private Network Extension configuration discussed earlier, local VPC traffic (i.e. traffic destined for the VPC itself), traffic to peered AWS VPCs, and traffic to other Cornell VPCs using Direct Connect in AWS remains within AWS and is not sent back to campus over the Direct Connect.

...

This configuration, though similar to Hybrid Routing, is not preferred since it allows for the possibility of asymmetric routing on AWS Public Subnets. Given the similarity to Hybrid Routing and the potential to serve similar use cases, we strongly recommend against using this option.

In this configuration, the Cornell campus network will route network traffic to the VPC's private address space over the Direct Connect. The DCGW+TGW infrastructure connected to the AWS VPC will route traffic from both Private and Public AWS subnets to both Private and Public Cornell network segments back to campus via Direct Connect.

As in the Private Network Extension and Hybrid Routing configurations discussed earlier, local VPC traffic (i.e. traffic destined for the VPC itself), traffic to peered AWS VPCs, and traffic to other Cornell VPCs using Direct Connect in AWS remains within AWS and is not sent back to campus over the Direct Connect.

There is no inherent protection against asymmetric routing, as all routes advertised from the Cornell campus are present in the subnet route tables.

...

When using the "All Campus" Routing model:

  • Both Private and Public AWS Subnets use a route table with static routes to both Cornell's Private (10.0.0.0/8) and Public (e.g., 128.84.0.0/16) address space. These routes designate the TGW as the "next hop".
  • AWS Public Subnets that use the DCGW+TGW infrastructure risk introducing asymmetric routing when presenting services to clients on Cornell Public Networks.
    • Leveraging AWS Elastic Load Balancers, which act as a proxy and thus a level of indirection on the network, may be an acceptable work-around to avoid asymmetric routing.
  • AWS Public subnets will be able to address services or clients in Cornell Public Space directly over Direct Connect.
  • Exposing production services to clients over Direct Connect is not advised.
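As an added illustration (not part of the original page) of why the "All Campus" model risks asymmetric routing on Public subnets while Hybrid Routing does not, the following Python snippet evaluates constructed Public-subnet route tables by longest-prefix match and flags the static routes that create the risk. The VPC and peer CIDRs, the "igw"/"tgw"/"pcx" target labels, and the assumption that a Cornell Public client reaches a Public-subnet service through the Internet Gateway are assumptions of the example.

```python
import ipaddress

# Constructed route tables for an AWS *Public* subnet under the two routing models.
# VPC/peer CIDRs are assumed; 10.0.0.0/8 and 128.84.0.0/16 are the page's prefixes.
VPC_CIDR = "172.16.0.0/16"          # assumed VPC address space
PEER_CIDR = "172.17.0.0/16"         # assumed peered VPC
CORNELL_PUBLIC = ["128.84.0.0/16"]  # Cornell Public space (example prefix from the page)

HYBRID_PUBLIC_RT = [
    (VPC_CIDR, "local"),
    (PEER_CIDR, "pcx"),          # VPC peering connection
    ("10.0.0.0/8", "tgw"),       # Cornell Private space only goes to the TGW
    ("0.0.0.0/0", "igw"),        # everything else via the Internet Gateway
]

ALL_CAMPUS_PUBLIC_RT = [
    (VPC_CIDR, "local"),
    (PEER_CIDR, "pcx"),
    ("10.0.0.0/8", "tgw"),       # Cornell Private space
    ("128.84.0.0/16", "tgw"),    # Cornell Public space also steered onto the TGW
    ("0.0.0.0/0", "igw"),
]

def next_hop(route_table, dst):
    """Longest-prefix match, as a VPC route table does."""
    ip = ipaddress.ip_address(dst)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def is_asymmetric(route_table, client_ip, ingress="igw"):
    """True when a flow that arrived through `ingress` would be answered through a
    different gateway. Assumption: the Cornell Public client came in via the IGW."""
    return next_hop(route_table, client_ip) != ingress

def risky_routes(route_table):
    """Audit check: static routes that send Cornell Public space to the TGW,
    the condition that makes asymmetric return paths possible."""
    public = [ipaddress.ip_network(c) for c in CORNELL_PUBLIC]
    return [cidr for cidr, target in route_table
            if target == "tgw" and any(ipaddress.ip_network(cidr).overlaps(p) for p in public)]

if __name__ == "__main__":
    for name, rt in [("Hybrid", HYBRID_PUBLIC_RT), ("All Campus", ALL_CAMPUS_PUBLIC_RT)]:
        print(name, "reply to 128.84.10.5 via", next_hop(rt, "128.84.10.5"),
              "| asymmetric:", is_asymmetric(rt, "128.84.10.5"), "| risky:", risky_routes(rt))
```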

...