Introduction

This document provides details about the resources in Cornell AWS accounts that support the 2023 (v2) Direct Connect architecture.

Terminology

We use the following terminology in this document:

  • customer – Cornell AWS account owners/administrators
  • VPC – Virtual Private Cloud
  • DC – Direct Connect
  • TGW – Transit Gateway
  • AZ – Availability Zone

Resources

Secondary VPC CIDR Block

Each Cornell AWS VPC connected to the 2023 (v2) DC architecture has a small secondary CIDR block added to it. This CIDR block is used exclusively for DC utility subnets (see below). The secondary CIDR block is a chunk of officially allocated Cornell private network.

Each secondary CIDR block is either /26 (64 addresses) or /25 (128 addresses) in size, depending on the number of AZs used by the VPC. Any CIDR ranges within the secondary VPC CIDR block not allocated to the utility subnets are reserved for future use.

Utility Subnets

The sole purpose of these subnets is to host TGW Attachments. One utility subnet exists in each Availability Zone that a DC-connected VPC utilizes.

Each subnet is /28 (16 addresses) in size, the smallest size allowed by AWS, and utilizes a CIDR range from the secondary VPC CIDR block.

One utility subnet exists in each of the AZs where other (standard) subnets in the VPC reside.

Each of the utility subnets is attached to the TGW.

Route Tables

Utility Subnet Route Table

The Route Table used exclusively by the utility subnets contains only local routes for the primary and secondary VPC CIDR blocks.

Customer Route Tables

Customer Route Tables support inter-VPC traffic as well as private Cornell, public Cornell, and internet network traffic. Routes in these tables direct traffic bound for the private Cornell network (10.0.0.0/8) and, optionally, public Cornell subnets to the Transit Gateway Attachment as their target.
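As an added illustration of the secondary CIDR block, utility subnet and route table rules described above (example code, not part of the Cornell documentation), the following Python carves /28 utility subnets out of a secondary block and checks route tables against the design. The mapping from AZ count to /26 or /25 is an assumption (the page only says the size depends on the AZ count), and all CIDRs, AZ names and attachment ids are constructed sample values.

```python
import ipaddress
from typing import Dict, List, Tuple

CORNELL_PRIVATE = ipaddress.ip_network("10.0.0.0/8")  # private Cornell network, per the doc
UTILITY_PREFIX = 28  # one /28 per AZ, the smallest subnet size AWS allows

Route = Tuple[str, str]  # (destination CIDR, target), e.g. ("10.0.0.0/8", "tgw-attach-...")


def secondary_block_prefix(az_count: int) -> int:
    """Size of the secondary CIDR block for a VPC spanning az_count AZs.
    Assumption (not stated on the page): a /26 holds four /28s, so up to four
    AZs fit in a /26 and five to eight AZs need a /25."""
    if not 1 <= az_count <= 8:
        raise ValueError("expected between 1 and 8 AZs")
    return 26 if az_count <= 4 else 25


def plan_utility_subnets(secondary_cidr: str, azs: List[str]) -> Dict[str, object]:
    """Carve one /28 utility subnet per AZ out of the secondary block and report
    the leftover /28s, which the design reserves for future use."""
    block = ipaddress.ip_network(secondary_cidr, strict=True)
    if not block.subnet_of(CORNELL_PRIVATE):
        raise ValueError(f"{block} is not inside the Cornell private network")
    if block.prefixlen != secondary_block_prefix(len(azs)):
        raise ValueError(f"{block} is the wrong size for {len(azs)} AZ(s)")
    slots = list(block.subnets(new_prefix=UTILITY_PREFIX))
    return {
        "subnets": {az: str(net) for az, net in zip(azs, slots)},
        "reserved": [str(net) for net in slots[len(azs):]],
    }


def utility_route_table_ok(routes: List[Route], primary_cidr: str, secondary_cidr: str) -> bool:
    """The utility subnets' route table holds only the two local routes; any other
    entry (internet gateway, NAT gateway, TGW route) is a deviation from the design."""
    return set(routes) == {(primary_cidr, "local"), (secondary_cidr, "local")}


def customer_route_table_ok(routes: List[Route], tgw_attachment: str) -> bool:
    """A customer route table must send private Cornell traffic (10.0.0.0/8) to the
    TGW attachment; public Cornell routes are optional and not checked here."""
    return (str(CORNELL_PRIVATE), tgw_attachment) in routes


if __name__ == "__main__":
    # Constructed sample values, not real Cornell allocations.
    plan = plan_utility_subnets("10.92.0.0/26", ["us-east-1a", "us-east-1b"])
    print(plan)  # two /28 utility subnets assigned, two /28s reserved
    print(utility_route_table_ok([("172.31.0.0/16", "local"), ("10.92.0.0/26", "local")],
                                 "172.31.0.0/16", "10.92.0.0/26"))
```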

Network ACL

Utility Subnet ACL

The utility subnets exclusively use a NACL created especially for them. This NACL allows all inbound traffic to and outbound traffic from the utility subnets.

Standard ACL

Standard ACLs are customer-managed NACLs that filter inter-VPC traffic as well as private Cornell, public Cornell, and internet network traffic. An example of such a NACL is the Baseline AWS Network ACL. The specifics of these NACLs are defined by customer needs.

Transit Gateway Attachments

Transit Gateway Attachments are the mechanism that connects VPCs to Transit Gateways and the DC infrastructure.

A single TGW Attachment is made per VPC, and the Attachment is made to all utility subnets in the VPC.

References
