Introduction
This document provides details about the resources in Cornell AWS accounts that support the 2023 (v2) Direct Connect architecture.
Terminology
We use the following terminology in this document:
- customer – Cornell AWS account owners/administrators
- VPC – Virtual Private Cloud
- DC – Direct Connect
- TGW – Transit Gateway
- AZ – Availability Zone
Resources
Secondary VPC CIDR Block
Each Cornell AWS VPC connected to the 2023 (v2) DC architecture has a small secondary CIDR block added to it. This CIDR block is used exclusively for DC utility subnets (see below). The secondary CIDR block is a chunk of officially allocated Cornell private network space.
Each secondary CIDR block is either /26 (64 addresses) or /25 (128 addresses) in size, depending on the number of AZs used by the VPC. Any CIDR ranges within the secondary VPC CIDR block not allocated to the utility subnets are reserved for future use.
Utility Subnets
The sole purpose of these subnets is to provide a location for the TGW attachment. One utility subnet exists in each AZ that a DC-connected VPC uses for its standard subnets.
Each subnet is /28 (16 addresses) in size (the smallest size allowed by AWS) and utilizes a CIDR range from the secondary VPC CIDR block.
One utility subnet exists in each of the AZs where other (standard) subnets in the VPC reside.
Each of the utility subnets is attached to the TGW.
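The sizing rules above (a /26 or /25 secondary block, one /28 utility subnet per AZ, leftover /28s reserved) can be planned and checked mechanically. The following is an added example written for this document, not a Cornell Cloud Team tool. The CIDRs and AZ names are constructed placeholders, and the AZ-count threshold for choosing /26 versus /25 is an assumption derived from the page's sizes (a /26 holds four /28s, a /25 holds eight); the page itself only states that the size depends on the number of AZs.

```python
"""Address planning and layout validation for the v2 DC secondary CIDR block.

Added example, not Cornell's tooling. All CIDRs and AZ names used below are
constructed placeholders, not Cornell allocations."""
import ipaddress

UTILITY_PREFIX = 28  # every utility subnet is a /28, the smallest size AWS allows


def secondary_block_prefix(num_azs: int) -> int:
    """Return 26 or 25 for the secondary block prefix length.

    ASSUMPTION: a /26 (four /28s) serves up to 4 AZs and a /25 (eight /28s)
    serves up to 8; the page only says the size depends on the AZ count."""
    if num_azs < 1:
        raise ValueError("a DC-connected VPC needs at least one AZ")
    if num_azs <= 4:
        return 26
    if num_azs <= 8:
        return 25
    raise ValueError("more than eight AZs would not fit either block size")


def plan_utility_subnets(secondary_cidr: str, azs: list[str]) -> dict:
    """Carve one /28 per AZ from the secondary block, assigning in sorted AZ order.

    Returns {'subnets': {az: cidr}, 'reserved': [cidr, ...]}; 'reserved' lists
    the unallocated /28s kept for future use, as the page describes."""
    block = ipaddress.ip_network(secondary_cidr, strict=True)
    expected = secondary_block_prefix(len(set(azs)))
    if block.prefixlen != expected:
        raise ValueError(f"{block} is not the expected /{expected} for {len(set(azs))} AZs")
    pieces = list(block.subnets(new_prefix=UTILITY_PREFIX))
    assigned = {az: str(net) for az, net in zip(sorted(set(azs)), pieces)}
    reserved = [str(net) for net in pieces[len(assigned):]]
    return {"subnets": assigned, "reserved": reserved}


def validate_layout(primary_cidr: str, secondary_cidr: str,
                    utility_subnets: dict[str, str]) -> list[str]:
    """Check an existing VPC's blocks and utility subnets against the rules.

    Returns a list of human-readable findings; an empty list means conformant."""
    findings = []
    primary = ipaddress.ip_network(primary_cidr)
    secondary = ipaddress.ip_network(secondary_cidr)
    if primary.overlaps(secondary):
        findings.append(f"secondary block {secondary} overlaps primary block {primary}")
    if secondary.prefixlen not in (25, 26):
        findings.append(f"secondary block {secondary} is not a /26 or /25")
    seen = []  # (az, network) pairs already checked, for overlap detection
    for az, cidr in utility_subnets.items():
        net = ipaddress.ip_network(cidr)
        if net.prefixlen != UTILITY_PREFIX:
            findings.append(f"{az}: utility subnet {net} is not a /{UTILITY_PREFIX}")
        if not net.subnet_of(secondary):
            findings.append(f"{az}: utility subnet {net} lies outside secondary block {secondary}")
        for other_az, other in seen:
            if net.overlaps(other):
                findings.append(f"{az}: {net} overlaps {other} in {other_az}")
        seen.append((az, net))
    return findings


if __name__ == "__main__":
    # Constructed placeholders: a two-AZ VPC with a /20 primary block.
    plan = plan_utility_subnets("10.92.100.0/26", ["us-east-1a", "us-east-1b"])
    print(plan)
    print(validate_layout("10.92.0.0/20", "10.92.100.0/26", plan["subnets"]))
```

Running the module prints the per-AZ /28 assignments, the two reserved /28s, and an empty findings list for the constructed layout. Feeding `validate_layout` the output of `describe-subnets` and `describe-vpcs` for a real VPC (after mapping it to the same dictionary shape) gives a quick conformance check before a TGW attachment is accepted.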
Route Tables
Utility Subnet Route Table
The Route Table used exclusively by the utility subnets contains only local routes for the primary and secondary VPC CIDR blocks.
Customer Route Tables
Customer Route Tables support inter-VPC traffic as well as private Cornell, public Cornell, and internet network traffic. Routes in these tables direct traffic bound for the private Cornell network (10.0.0.0/8) and, optionally, public Cornell subnets to the Transit Gateway Attachment as their target.
Network ACLs
Utility Subnet ACL
The utility subnets exclusively use a NACL created especially for them. This NACL allows all inbound traffic to and outbound traffic from the utility subnets.
Customer ACLs
Customer ACLs are NACLs that filter inter-VPC traffic as well as private Cornell, public Cornell, and internet network traffic. An example of such a NACL is the Baseline AWS Network ACL. The specifics of these NACLs are defined by customer needs.
Transit Gateway Attachments
Transit Gateway Attachments are the mechanism that connects VPCs to Transit Gateways and, through them, to the DC infrastructure.
A single TGW Attachment is made per VPC, and the Attachment includes all utility subnets in the VPC. Importantly, the TGW Attachment must include one (and only one) utility subnet in each of the AZs used by the VPC.
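The route table, NACL and attachment rules in the sections above are exactly the kind of invariants worth checking in an account before and after a DC migration. The following is an added example written for this document, not a Cornell Cloud Team tool. It operates on a constructed, simplified description of one VPC (every ID and CIDR is a placeholder, and the dictionary shape is this example's own, not raw `describe-*` output) and reports any departure from the architecture: a utility route table with anything beyond the two local routes, a customer route table that does not send 10.0.0.0/8 to the TGW, a utility NACL that is not allow-all, or an attachment that misses an AZ or uses two subnets in one AZ.

```python
"""Conformance check for route tables, the utility NACL and the TGW attachment
of a v2 Direct Connect VPC. Added example, not Cornell's tooling."""

PRIVATE_CORNELL = "10.0.0.0/8"  # the private Cornell network named on the page

# Constructed sample VPC: every ID, CIDR and AZ name below is a placeholder.
SAMPLE_VPC = {
    "primary_cidr": "10.92.0.0/20",
    "secondary_cidr": "10.92.100.0/26",
    "subnets": {  # subnet id -> attributes
        "subnet-std-a":  {"az": "us-east-1a", "role": "standard"},
        "subnet-std-b":  {"az": "us-east-1b", "role": "standard"},
        "subnet-util-a": {"az": "us-east-1a", "role": "utility"},
        "subnet-util-b": {"az": "us-east-1b", "role": "utility"},
    },
    "route_tables": {  # routes are (destination, target) pairs
        "rtb-utility": {
            "subnets": ["subnet-util-a", "subnet-util-b"],
            "routes": [("10.92.0.0/20", "local"), ("10.92.100.0/26", "local")],
        },
        "rtb-customer": {
            "subnets": ["subnet-std-a", "subnet-std-b"],
            "routes": [("10.92.0.0/20", "local"), ("10.92.100.0/26", "local"),
                       ("10.0.0.0/8", "tgw-PLACEHOLDER"), ("0.0.0.0/0", "nat-PLACEHOLDER")],
        },
    },
    "utility_nacl": {  # rules are (rule number, action, protocol, cidr)
        "subnets": ["subnet-util-a", "subnet-util-b"],
        "ingress": [(100, "allow", "-1", "0.0.0.0/0")],
        "egress":  [(100, "allow", "-1", "0.0.0.0/0")],
    },
    "tgw_attachment": {"tgw": "tgw-PLACEHOLDER", "subnets": ["subnet-util-a", "subnet-util-b"]},
}


def allows_everything(rules) -> bool:
    """True when the lowest-numbered rule is an allow-all (protocol -1, 0.0.0.0/0).

    NACL rules are evaluated in ascending rule-number order, so the first rule
    decides whether all traffic passes."""
    if not rules:
        return False
    _number, action, proto, cidr = sorted(rules)[0]
    return action == "allow" and proto == "-1" and cidr == "0.0.0.0/0"


def check_vpc(vpc: dict) -> list[str]:
    """Return a list of findings; an empty list means the VPC matches the architecture."""
    findings = []
    subnets = vpc["subnets"]
    utility_ids = {sid for sid, s in subnets.items() if s["role"] == "utility"}
    standard_azs = {s["az"] for s in subnets.values() if s["role"] == "standard"}
    local_routes = {vpc["primary_cidr"]: "local", vpc["secondary_cidr"]: "local"}
    tgw_id = vpc["tgw_attachment"]["tgw"]

    # Route tables: utility tables carry only the two local routes; customer
    # tables send private Cornell space to the TGW.
    for rtb_id, rtb in vpc["route_tables"].items():
        routes = dict(rtb["routes"])
        if set(rtb["subnets"]) <= utility_ids:
            if routes != local_routes:
                findings.append(f"{rtb_id}: utility route table must contain only the local routes")
        else:
            if utility_ids & set(rtb["subnets"]):
                findings.append(f"{rtb_id}: mixes utility and standard subnets")
            if routes.get(PRIVATE_CORNELL) != tgw_id:
                findings.append(f"{rtb_id}: {PRIVATE_CORNELL} must route to {tgw_id}")

    # Utility NACL: bound to exactly the utility subnets, allow-all both ways.
    nacl = vpc["utility_nacl"]
    if set(nacl["subnets"]) != utility_ids:
        findings.append("utility NACL must be associated with exactly the utility subnets")
    for direction in ("ingress", "egress"):
        if not allows_everything(nacl[direction]):
            findings.append(f"utility NACL must allow all {direction} traffic")

    # TGW attachment: one utility subnet in every AZ that has standard subnets.
    attached_azs: dict[str, list[str]] = {}
    for sid in vpc["tgw_attachment"]["subnets"]:
        if sid not in utility_ids:
            findings.append(f"TGW attachment uses non-utility subnet {sid}")
            continue
        attached_azs.setdefault(subnets[sid]["az"], []).append(sid)
    for az in sorted(standard_azs - attached_azs.keys()):
        findings.append(f"TGW attachment has no utility subnet in {az}")
    for az, sids in attached_azs.items():
        if len(sids) > 1:
            findings.append(f"TGW attachment has more than one subnet in {az}: {sids}")
    return findings


if __name__ == "__main__":
    print(check_vpc(SAMPLE_VPC) or "conformant")
```

The sample VPC passes cleanly; dropping one utility subnet from the attachment, or pointing the 10.0.0.0/8 route at anything other than the TGW, produces a finding naming the resource. Populating the same structure from `describe-route-tables`, `describe-network-acls` and `describe-transit-gateway-vpc-attachments` output makes this a cheap post-migration check.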
TGW Attachments are proposed/offered to Cornell AWS accounts by the Cloud Team from the set of TGWs used by CIT to offer Direct Connect services.
References
- 2023 Cornell AWS Direct Connect Architecture Migration
- Cornell AWS Direct Connect
- Cornell AWS Direct Connect Routing Diagrams
- Cornell AWS Direct Connect Architecture