Let us make clear the aws directconnect

Copyright © 2016 Bit-isle Equinix Inc. All Rights Reserved

Let us make clear the [aws directconnect ~] !

2016-07-18 16:10-16:20@AWS CLI Conference 2016

Bit-isle Equinix Inc.IT Infrastructure Engineering Dept.Tomoaki Hira


Information

These slides will be uploaded to slideshare. The json files in the slides have shown in Qiita.

‣http://qiita.com/rfhira/items/52b402f48e86cf59fe88

2

http://qiita.com/rfhira/items/52b402f48e86cf59fe88

http://qiita.com/rfhira/items/52b402f48e86cf59fe88


About us

3


The company profile of Bit-isle Equinix

We were domestic Internet Datacenter Provider. Equinix was acquired us in last year. Equinix obtained five IBXs by acquisition.

Bit-isle Equinix provides managed AWS direct connect service during two years.

4


Let us make clear the [aws directconnect ~] !

5


Tables of Contents

0: Components of AWS directconnect [private connection] 1: The scenario of this LT 2: See what I can build 3: Conclusion

6


Connection

0: Components of AWS directconnect

7

corporate data center

virtual private cloudAccount: #B

virtual private cloudAccount: #C

Vlan 10169.254.0.0/30

Vlan 20169.254.0.4/30

Vlan 30169.254.0.8/30

VirtualGateway

VirtualGateway

Direct connectAccount: #A

Up to 4094 vlans?

Virtual Interface

Confirming the virtual interface

Datacenter Network

The account of user dept.: #B, #C The account of admin dept.: #A

BGP Router*Customer router


0: Components of AWS directconnect

These are commands the slides covered.

‣describe-connections [admin dept.]‣describe-virtual-interfaces [user dept.]‣allocate-private-virtual-interface [admin dept.]‣confirm-private-virtual-interface [user dept.]‣delete-virtual-interface [user dept.]

8


VPC Subnet172.29.0.0/20

Connection

1: The scenario of this LT

9



VirtualGateway


Up to 4094 vlans?

Datacenter Network172.30.100.0/24

The account of user dept.: #B The account of admin dept.: #A

[1] We have a connection already between the DC to AWS(Account #A)

[2] We have already set up the BGP router

[4] We will execute a command “confirm-virtual-

interface”(Account #B)

[5] We will set up some configuration of

EC2/VPC.(eg. Security Group /

Route Table)

Vlan 511169.254.15.212/30

[3] We will execute a command “allocate-

virtual-interface”(Account #A)


See what I can build

10


2-0: Check our environment [user dept.]

Input command# aws ec2 describe-vpcs# aws ec2 describe-subnets# aws ec2 describe-vpn-gateways# aws ec2 describe-route-tables

11


2-0: Check our environment [user dept.]

12

ResponseThe response of vpcs, subnets, and vpn-gateways is omitted.

Following is a response of a part of “aws ec2 describe-route-tables”. { "Associations": [ { "RouteTableAssociationId": "rtbassoc-c7c749a3", "Main": true, "RouteTableId": "rtb-f3629e97" } ], "RouteTableId": "rtb-f3629e97", "VpcId": "vpc-07f8f462", "PropagatingVgws": [], "Tags": [], "Routes": [ { "GatewayId": "local", "DestinationCidrBlock": "172.29.0.0/16", "State": "active", "Origin": "CreateRouteTable" } ] }

Important attributes


2-1: Check our connections [admin dept.]

Input command# aws directconnect describe-connections

13

Response{ "ownerAccount": "1790********", "connectionId": "dxcon-fg0z****", "connectionState": "available", "bandwidth": "10Gbps", "location": "EqTY2", "connectionName": "DX2BACKUP", "region": "ap-northeast-1"}


2-2: BGP Configuration

14

Link network : 169.254.15.212/30 Vlan ID : 511 Customer router IP address : 169.254.15.213/30 Amazon router IP address : 169.254.15.214/30 ASNumber of the customer : 65000 BGP TCP MD5 Auth Key : fr3gUCLDLS6MQsVLVBw9zgdt


2-3: Allocate the virtual interface

Input command# CONNECTION='dxcon-fg0z****'# VIFNAME='NWG-HIRA-BK'# ACCOUNTID='5651********'# VLANID='511'# ROUTERIP='169.254.15.213/30'# AMAZONIP='169.254.15.214/30'# BGPASN='65000'# BGPMD5='fr3gUCLDLS6MQsVLVBw9zgdt‘

# aws directconnect allocate-private-virtual-interface --connection-id $CONNECTION --owner-account $ACCOUNTID --new-private-virtual-interface-allocation virtualInterfaceName=$VIFNAME,vlan=$VLANID,asn=$BGPASN,authKey=$BGPMD5,amazonAddress=$AMAZONIP,customerAddress=$ROUTERIP

15

Account ID of the User Dept


2-3: Allocate the virtual interface

Response{ "virtualInterfaceState": "confirming", "asn": 65000, "vlan": 511, "customerAddress": "169.254.15.213/30", "ownerAccount": "5651********", "connectionId": "dxcon-fg0z****", "virtualInterfaceId": "dxvif-********", "authKey": "fr3gUCLDLS6MQsVLVBw9zgdt", "routeFilterPrefixes": [], "location": "EqTY2", "customerRouterConfig": "<?xml version=\"1.0\" encoding=\"UTF-8…>”}

※I removed most part of the customerRouterConfig because it is too long

16

The status will be confirming


2-4: Confirm the virtual interface

Input command# VGWID=àws ec2 describe-vpn-gateways | jq .VpnGateways[0].VpnGatewayId | tr -d '\"'`# VIFID=àws directconnect describe-virtual-interfaces | jq .virtualInterfaces[0].virtualInterfaceId | tr -d '\"'`

# cat <<ETX VIFID=$VIFID VGWID=$VGWIDETX

# aws directconnect confirm-private-virtual-interface --virtual-interface-id $VIFID --virtual-gateway-id $VGWID

17


2-4: Confirm the virtual interface

Response and a part of confirming{ "virtualInterfaceState": "pending"}

(This process needs few minutes)

# aws directconnect describe-virtual-interfaces{ "virtualInterfaces": [ { "virtualInterfaceState": "available",…

18

virtualInterfaceState will be changed automatically.


2-5: Some configuration for VPC [Security Group]

Input command# aws ec2 describe-security-groups | jq .SecurityGroups[2].IpPermissions[1]

Response and a part of confirming{ "IpProtocol": "-1", "IpRanges": [ { "CidrIp": "172.30.100.0/24" } ], "UserIdGroupPairs": [], "PrefixListIds": []}

19


2-5: Some configuration for VPC [vgw Route Propagation]

Input command# aws ec2 enable-vgw-route-propagation --route-table-id rtb-4998**** --gateway-id $VGWID

A part of confirming "PropagatingVgws": [ { "GatewayId": "vgw-abbd****" } ],

"Routes": […

{ "GatewayId": "vgw-abbd0baa", "DestinationCidrBlock": "172.30.100.0/24", "State": "active", "Origin": "EnableVgwRoutePropagation" } ]

20

If you want to use all of the route from BGP router, the feature “vgw-route-propagation”

can be used.

From vgw

To RouteTable


2-6: Delete the virtual interface

Input command# VIFID=àws directconnect describe-virtual-interfaces | jq .virtualInterfaces[0].virtualInterfaceId | tr -d '\"'`# cat <<ETX VIFID: $VIFIDETX

#aws directconnect delete-virtual-interface --virtual-interface-id $VIFID

Response and a part of confirming{ "virtualInterfaceState": "deleting"}

21

virtualInterfaceState will be changed automatically.


VPC Subnet172.29.0.0/20

Connection

4: Conclusion

22



VirtualGateway


Up to 4094 vlans?

Datacenter Network172.30.100.0/24

The account of user dept.: #B The account of admin dept.: #A

[1] We have a connection already between the DC to AWS(Account #A)

[2] We have already set up the BGP router

[4] We have executed a command “confirm-virtual-

interface”(Account #B)

[5] We have set up some configuration of

EC2/VPC.(eg. Security Group /

Route Table)

Vlan 511169.254.15.212/30

[3] We have execute a command “allocate-

virtual-interface”(Account #A)


ビットアイル・エクイニクス株式会社

TEL 03-5805-8154 　　 FAX 03-3474-5538 　　 URL http://www.bit-isle.jp/

23