

Introduction

This document provides details about the resources in Cornell AWS accounts that support the 2023 (v2) Direct Connect architecture.

Terminology

We use the following terminology in this document:

  • customer – Cornell AWS account owners/administrators
  • VPC – Virtual Private Cloud
  • DC – Direct Connect
  • TGW – Transit Gateway
  • AZ – Availability Zone

Resources

Secondary VPC CIDR Block

Each Cornell AWS VPC connected to the 2023 (v2) DC architecture has a small secondary CIDR block added to it. This CIDR block is used exclusively for DC utility subnets (see below). The secondary CIDR block is carved from officially allocated Cornell private address space.

Each secondary CIDR block is either /26 (64 addresses) or /25 (128 addresses) in size, depending on the number of AZs used by the VPC. Any CIDR ranges within the secondary VPC CIDR block not allocated to the utility subnets are reserved for future use.

Utility Subnets

The sole purpose of these subnets is to provide a location for the TGW attachment. One utility subnet exists in each AZ in which a DC-connected VPC has standard subnets.

Each subnet is /28 (16 addresses) in size (the smallest size allowed by AWS) and utilizes a CIDR range from the secondary VPC CIDR block.

One utility subnet exists in each of the AZs where other (standard) subnets in the VPC reside.

Each of the utility subnets is attached to the TGW.

Route Tables

Utility Subnet Route Table

The Route Table used exclusively by the utility subnets contains only local routes for the primary and secondary VPC CIDR blocks.

Network ACLs

Utility Subnet ACL

The utility subnets exclusively use a NACL created especially for them. This NACL allows all inbound traffic to and outbound traffic from the utility subnets.

Customer ACLs

Customer ACLs are NACLs that filter inter-VPC traffic as well as private Cornell, public Cornell, and internet network traffic. An example of such a NACL is the Baseline AWS Network ACL. The specifics of these NACLs are defined by customer needs.

Transit Gateway Attachments

Transit Gateway Attachments are the mechanism that connects VPCs to Transit Gateways and the DC infrastructure.

A single TGW Attachment is made per VPC, and the Attachment is made to all utility subnets in the VPC. Importantly, the TGW attachment must include one (and only one) utility subnet in each of the AZs used by the VPC.

TGW Attachments are proposed/offered to Cornell AWS accounts by the Cloud Team from the set of TGWs used by CIT to offer Direct Connect services.
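The following conformance check is an added example, not part of this page or of any Cloud Team tooling. It encodes the rules from the Secondary VPC CIDR Block, Utility Subnets and Transit Gateway Attachments sections above (secondary block is /25 or /26, utility subnets are /28 and drawn from it, exactly one per AZ that hosts standard subnets, and the single TGW attachment covers exactly those subnets) and runs it against constructed sample data; the CIDRs, subnet names and AZs are hypothetical placeholders, not real Cornell allocations.

```python
import ipaddress
from collections import Counter

# Constructed sample data (hypothetical CIDRs, not from any real account):
# a VPC with a primary block plus a /26 secondary block for DC utility subnets.
VPC = {"primary_cidr": "10.92.0.0/16", "secondary_cidr": "10.93.112.0/26"}
SUBNETS = [
    {"name": "app-a",     "cidr": "10.92.0.0/24",    "az": "us-east-1a"},
    {"name": "app-b",     "cidr": "10.92.1.0/24",    "az": "us-east-1b"},
    {"name": "dc-util-a", "cidr": "10.93.112.0/28",  "az": "us-east-1a"},
    {"name": "dc-util-b", "cidr": "10.93.112.16/28", "az": "us-east-1b"},
]
TGW_ATTACHMENT_SUBNETS = ["dc-util-a", "dc-util-b"]  # subnets listed on the attachment


def check_dc_layout(vpc, subnets, attachment_subnets):
    """Return a list of findings; an empty list means the VPC matches the v2 layout."""
    findings = []
    secondary = ipaddress.ip_network(vpc["secondary_cidr"])
    if secondary.prefixlen not in (25, 26):
        findings.append(f"secondary CIDR {secondary} is not a /25 or /26")
    # Utility subnets are exactly those carved out of the secondary block.
    utility = [s for s in subnets if ipaddress.ip_network(s["cidr"]).subnet_of(secondary)]
    standard = [s for s in subnets if s not in utility]
    for s in utility:
        if ipaddress.ip_network(s["cidr"]).prefixlen != 28:
            findings.append(f"utility subnet {s['name']} is not a /28")
    # Exactly one utility subnet in every AZ that hosts a standard subnet, none elsewhere.
    standard_azs = {s["az"] for s in standard}
    per_az = Counter(s["az"] for s in utility)
    for az in sorted(standard_azs | set(per_az)):
        n = per_az.get(az, 0)
        if az not in standard_azs:
            findings.append(f"utility subnet in {az}, but the VPC has no standard subnets there")
        elif n != 1:
            findings.append(f"AZ {az} has {n} utility subnets (expected exactly 1)")
    # The single TGW attachment must cover every utility subnet and nothing else.
    attached, util_names = set(attachment_subnets), {s["name"] for s in utility}
    if attached != util_names:
        findings.append(f"TGW attachment subnets {sorted(attached)} != utility subnets {sorted(util_names)}")
    return findings


if __name__ == "__main__":
    for line in check_dc_layout(VPC, SUBNETS, TGW_ATTACHMENT_SUBNETS) or ["conforms"]:
        print(line)
```

In practice the three inputs would be filled from `describe-vpcs`, `describe-subnets` and `describe-transit-gateway-vpc-attachments` output for the account being reviewed.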

References
