
Beginning May 2016, Cornell AWS accounts are set up with AWS Direct Connect (DC) joining the campus 10-space network to the 10-space network in Cornell Standard AWS VPCs. Prior to that, accounts were set up with a VPN connection back to campus.


FAQs

What is the difference in performance between the Direct Connects and a VPN connection?

We don't have tons of data on that. Generally, we find that overall realized speed is similar between VPN and DC connections, but that the DC connection has less variability. Here's an example:

What are the physical details of Cornell's Direct Connect to AWS?

The primary DC connection is a 1Gbit connection. The backup connection is a 100Mbit connection. They use geographically separate routes to AWS.

Is the DC monitored?

Yes. The CIT Infrastructure Team monitors the performance and utilization of the primary and secondary links. You can monitor it yourself too using these URLs:

Can the DC bandwidth be increased if utilization becomes heavy?

Yes, there is an upgrade path should that become necessary.

What traffic is routed through the DC?

There are three choices. See diagrams in AWS Direct Connect Routing Diagrams.

RFC1918 Routing
For Cornell AWS accounts with DC configured for RFC1918 routing, only 10-space traffic (specifically 10.0.0.0/8) is routed from on-campus 10-space to 10-space addresses in Cornell Standard AWS VPCs. This means that traffic from servers and clients with (only) public campus IP addresses cannot access the 10-space networks in a Cornell Standard AWS VPC.  

All Campus Routing
For Cornell AWS accounts with DC configured for "All Campus" routing, traffic from campus 10-space as well as traffic from public campus IPs is routed through the DC to the Cornell Standard AWS VPC. This routing can be problematic if you intend to deploy services available to the world in your Cornell Standard VPC.

The campus public IP space consists of the following:

  • 128.84.0.0/16
  • 128.253.0.0/16
  • 132.236.0.0/16
  • 192.35.82.0/24
  • 192.122.235.0/24
  • 192.122.236.0/24

Hybrid Routing

Similar to the "All Campus Routing" above, this configuration brings all of the Cornell campus IP space (10-space and public addresses) over the Direct Connect.  Where it differs is in the individual subnet route tables:

  • Private Subnets: AWS subnets without direct Internet access should use a route table that includes all propagated routes from the Direct Connect (includes campus 10-space and public space).
  • Public Subnets: AWS subnets with direct Internet access (IGW) should use a route table that disables route propagation from Direct Connect and only includes references to campus 10-space addresses.
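The three routing choices can be compared by modelling each subnet's route table and resolving a destination with longest-prefix match, the rule VPC route tables apply. This is an added example, not part of the original page or Cornell's own configuration; the target labels, the `0.0.0.0/0` route on public subnets, and the absence of a default route on private subnets are assumptions of the model.

```python
import ipaddress

# Prefixes copied from the page.
CAMPUS_PRIVATE = ["10.0.0.0/8"]
CAMPUS_PUBLIC = ["128.84.0.0/16", "128.253.0.0/16", "132.236.0.0/16",
                 "192.35.82.0/24", "192.122.235.0/24", "192.122.236.0/24"]

# Target labels are assumptions for this model, not AWS resource IDs.
DC, IGW = "direct-connect", "internet-gateway"
MODES = ("rfc1918", "all-campus", "hybrid")


def route_table(mode, subnet_type):
    """Return [(network, target)] for a subnet under one of the three choices.

    mode is one of MODES; subnet_type is "private" or "public".
    """
    if mode not in MODES or subnet_type not in ("private", "public"):
        raise ValueError(f"unknown mode/subnet type: {mode!r}/{subnet_type!r}")
    prefixes = list(CAMPUS_PRIVATE)  # 10-space crosses the DC in every mode
    # Campus public space crosses the DC for every subnet in all-campus mode,
    # but only for private subnets (propagation enabled) in hybrid mode.
    if mode == "all-campus" or (mode == "hybrid" and subnet_type == "private"):
        prefixes += CAMPUS_PUBLIC
    routes = [(ipaddress.ip_network(p), DC) for p in prefixes]
    if subnet_type == "public":
        # Assumption: subnets with an IGW carry a default route to it.
        routes.append((ipaddress.ip_network("0.0.0.0/0"), IGW))
    return routes


def next_hop(routes, address):
    """Pick the most specific matching route; None means no route at all."""
    ip = ipaddress.ip_address(address)
    matches = [(net.prefixlen, target) for net, target in routes if ip in net]
    return max(matches)[1] if matches else None


if __name__ == "__main__":
    # Constructed sample destinations: campus 10-space, campus public, Internet.
    for mode in MODES:
        for subnet in ("private", "public"):
            table = route_table(mode, subnet)
            hops = {a: next_hop(table, a) for a in ("10.1.2.3", "132.236.5.5", "8.8.8.8")}
            print(f"{mode:10} {subnet:7} {hops}")
```

In the output, the only rows where a public subnet sends campus public addresses over the DC instead of the IGW are the "All Campus" ones, which is the case the page flags for world-facing services.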

Can Cornell AWS accounts configured to use a VPN connection be upgraded to use the DC? 

Yes. Contact cloud-support@cornell.edu to request that change. The change will require a brief outage of 10-space routing, so advance planning is required so that access to your cloud-based services is not disrupted.
