Version 2 (2023) Direct Connect Architecture
Cornell migrated to this architecture in January 2023.
Internet 2 Cloud Connect Architecture
Cornell uses the Internet2 Cloud Connect (I2CC) service to provide private connectivity from Cornell networks to Azure and AWS. Cornell has multiple 100Gbps connections to Internet2. In turn, I2CC has multiple 5Gbps (as of ) connections to the major cloud vendors.
The I2CC service offers several benefits:
- Consolidating and simplifying configuration and management of Direct Connect for Cornell AWS accounts (compared to the previous on-campus Direct Connect architecture)
- Improving flexibility and bandwidth of Direct Connect connectivity
- Allowing private Cornell network traffic in AWS and Azure to flow between those clouds without transiting campus
Direct Connect + Transit Gateway Architecture
The architecture that provides Direct Connect service to Cornell AWS accounts uses AWS Transit Gateways (one per AWS region) in a central AWS account (cu-cit-network), to which VPCs in Cornell AWS accounts are attached. Multiple VPCs in a single AWS account can be attached to Direct Connect in this way.
Each VPC connected to this architecture has full connectivity to all other VPCs connected to the architecture, without the need for VPC-to-VPC peering.
Account-level Architecture (VPC)
See Direct Connect Resources in Cornell AWS Accounts for details about the DC-related resources shown below.
draw.io source: dc-arch-2023.customer.10.0.0.8.v2.drawio
Paths and Traffic Filtering
Inbound Traffic – From TGW to EC2 Instance
| | Resource | Filtering | Notes |
|---|---|---|---|
| Source | TGW | — | |
| ↓ | TGW Attachment | — | |
| ↓ | TGW Attachment Elastic Network Interface | — | |
| ↓ | NACL of Subnet attached to TGW | outbound rules of NACL attached to utility subnet | The NACL bound to the utility subnets allows all traffic in and out. |
| ↓ | Route Table of Subnet attached to TGW | — | |
| ↓ | NACL of Subnet containing EC2 instance | inbound rules of NACL for destination subnet | |
| ↓ | EC2 Instance Security Group | inbound rules of SG | |
| Destination | EC2 Instance Elastic Network Interface | — | |
Outbound Traffic – From EC2 Instance to TGW
| | Resource | Filtering | Notes |
|---|---|---|---|
| Source | EC2 Instance Elastic Network Interface | — | |
| ↓ | EC2 Instance Security Group | outbound rules of SG | |
| ↓ | NACL of Subnet containing EC2 instance | outbound rules of NACL for source subnet | |
| ↓ | Route Table of Subnet containing EC2 instance | — | |
| ↓ | NACL of Subnet attached to TGW | inbound rules of NACL attached to utility subnet | The NACL bound to the utility subnets allows all traffic in and out. |
| ↓ | TGW Attachment Elastic Network Interface | — | |
| ↓ | TGW Attachment | — | |
| Destination | TGW | — | |
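The two tables list the same filtering hops in opposite directions. The Python model below is an added example, not part of Cornell's documentation or tooling; it walks a packet through those hops using constructed NACL and security-group rule sets (the addresses, CIDRs and rule numbers are placeholders, not Cornell's). It makes the practical consequence of the hop order visible: the security group is stateful, so a reply to a connection it already admitted is not re-checked, but both NACLs are stateless and are evaluated on every packet, so the outbound rules of the NACL on the instance's subnet must allow the ephemeral return ports or replies to a campus client are dropped even though the request was allowed.

```python
"""Model of the TGW <-> EC2 filtering path from the two tables above.

Added example, not Cornell's code. All rule sets and addresses below are
constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

EPHEMERAL = (1024, 65535)  # return-port range a stateless NACL must allow


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str  # "tcp" or "udp"
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class NaclRule:
    number: int              # evaluated in ascending order; first match wins
    action: str              # "allow" or "deny"
    proto: str               # "tcp", "udp" or "all"
    ports: Tuple[int, int]   # inclusive destination-port range
    cidr: str                # source CIDR for inbound, destination CIDR for outbound


@dataclass(frozen=True)
class SgRule:                # security groups carry allow rules only
    proto: str
    ports: Tuple[int, int]
    cidr: str


def _matches(proto, ports, cidr, pkt: Packet, remote_ip: str) -> bool:
    return ((proto == "all" or proto == pkt.proto)
            and ports[0] <= pkt.dst_port <= ports[1]
            and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(cidr))


def nacl_allows(rules: List[NaclRule], pkt: Packet, direction: str) -> bool:
    """Stateless: lowest-numbered matching rule decides; no match is an implicit deny."""
    remote_ip = pkt.src_ip if direction == "inbound" else pkt.dst_ip
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule.proto, rule.ports, rule.cidr, pkt, remote_ip):
            return rule.action == "allow"
    return False


def sg_allows(rules: List[SgRule], pkt: Packet, direction: str) -> bool:
    """Any matching allow rule permits the packet."""
    remote_ip = pkt.src_ip if direction == "inbound" else pkt.dst_ip
    return any(_matches(r.proto, r.ports, r.cidr, pkt, remote_ip) for r in rules)


def inbound_path(pkt, utility_nacl_out, dest_nacl_in, sg_in):
    """TGW -> EC2 instance: the three filtering hops of the first table."""
    return [
        ("utility subnet NACL (outbound)", nacl_allows(utility_nacl_out, pkt, "outbound")),
        ("destination subnet NACL (inbound)", nacl_allows(dest_nacl_in, pkt, "inbound")),
        ("instance security group (inbound)", sg_allows(sg_in, pkt, "inbound")),
    ]


def outbound_path(pkt, sg_out, src_nacl_out, utility_nacl_in, reply_to_tracked_flow=False):
    """EC2 instance -> TGW: the three filtering hops of the second table.

    The security group is stateful, so a reply to an admitted connection skips
    its outbound rules; the two NACLs are stateless and are always evaluated.
    """
    sg_ok = True if reply_to_tracked_flow else sg_allows(sg_out, pkt, "outbound")
    return [
        ("instance security group (outbound)", sg_ok),
        ("source subnet NACL (outbound)", nacl_allows(src_nacl_out, pkt, "outbound")),
        ("utility subnet NACL (inbound)", nacl_allows(utility_nacl_in, pkt, "inbound")),
    ]


def path_allowed(hops) -> bool:
    return all(ok for _, ok in hops)


# --- constructed rule sets (placeholders, not Cornell's) ---
ALLOW_ALL = [NaclRule(100, "allow", "all", (0, 65535), "0.0.0.0/0")]  # utility subnet NACL
CAMPUS = "10.0.0.0/8"  # placeholder for the private campus address space
APP_NACL_IN = [NaclRule(100, "allow", "tcp", (443, 443), CAMPUS)]
APP_NACL_OUT_BROKEN = [NaclRule(100, "allow", "tcp", (443, 443), CAMPUS)]  # no ephemeral ports
APP_NACL_OUT_FIXED = APP_NACL_OUT_BROKEN + [NaclRule(110, "allow", "tcp", EPHEMERAL, CAMPUS)]
SG_IN = [SgRule("tcp", (443, 443), CAMPUS)]


def demo():
    """Returns (request admitted, reply admitted with broken NACL, reply admitted with fixed NACL)."""
    request = Packet("10.1.2.3", "10.20.0.10", "tcp", 50000, 443)  # campus client -> instance
    reply = Packet("10.20.0.10", "10.1.2.3", "tcp", 443, 50000)    # instance -> campus client
    request_ok = path_allowed(inbound_path(request, ALLOW_ALL, APP_NACL_IN, SG_IN))
    reply_broken = path_allowed(outbound_path(reply, [], APP_NACL_OUT_BROKEN, ALLOW_ALL, True))
    reply_fixed = path_allowed(outbound_path(reply, [], APP_NACL_OUT_FIXED, ALLOW_ALL, True))
    return request_ok, reply_broken, reply_fixed


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The `True` in the broken case for the security-group hop is the stateful behaviour: the SG remembers the admitted HTTPS connection, so only the two stateless NACL hops decide whether the reply reaches the TGW. Because the utility-subnet NACL allows everything (as the Notes column states), the instance subnet's own outbound NACL rules are the only place such a reply can be dropped.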