How can I build hybrid cloud networking with AWS Direct Connect Hosted VIF?

Hybrid clouds are virtually everywhere. We hear and work with many of our customers who are deploying hybrid clouds at various size companies and various market verticals. When it comes to deploying on-prem to cloud connections, there are still a lot of “VPNs over internet” deployments out there. But a natural progression of cloud migration, as cloud deployments grow and latency and throughput expectations ratchet up, a connectivity methodology that offers higher performance than public internet is needed.

AWS Direct Connect (Dx) does exactly that. Dx allows enterprises to connect their on-premises resources to their AWS environment over a private, dedicated circuit that’s isolated from the public internet and offers a more predictable performance. One of the questions that often comes up is how does Dx actually connect to the cloud VPCs.

Once the connection is setup by the provider, in order to hook up Dx connection into cloud resources, we need to use a virtual interface (VIF). A VIF is logical object that glues the connection from the cloud to the Dx itself. Generally, Dx connections can be owned by you, or it can be hosted by someone else for you. This can be another provider, or someone in your organization who owns the actual connection. In the case of the latter, this would be called a hosted VIF. Once a VIF is created on the owner’s account, the user needs to accept and setup the connection for their environment using the AWS console.

After VIF is created on the owner’s account, a VIF connection request will appear under the direct connect service. See the screenshot below:

At this point, the VIF is ready to be accepted. When you hit “Accept Virtual Interface”, you will be presented with two options for connecting the VIF to your cloud environment. See screenshot below:

As shown above, there are two ways to attach your VIF to your account. Let’s look at these option and their differences:

Direct Connect Gateway

This will allow the VIF to be connected to VGWs in multiple regions. The drawback is that this VGW can only be connected to a VPC for route propagation, and it will not be able to further advertise on-prem routes to another IPSec/BGP neighbor.

Virtual Private Gateway

This will allow you to connect VIF to a VGW in the same region only. The advantage is that you will be able to connect to this VGW using IPSec/BGP and propagate routes further.

Please note that once you select a connection type and accept the connection, you can’t modify it. For example, if you chose to connect your VIF to Direct Connect Gateway, then you can’t go back and change that to Virtual Private Gateway. A new VIF needs to be created.

How to connect a Dx to Aviatrix Transit

Now let’s bring all of this into perspective. Aviatrix cloud controller allows you to create and manage your hybrid and multi-cloud connectivity using Aviatrix transit. If you are planning on connecting your Dx to an Aviatrix transit in AWS, you will need to connect your VIF to a VGW. Aviatrix transit gateway will be able to connect to this VGW and learn the on-prem routes as stated above. To do that, in the last step above, chose “Virtual Private Gateway (VGW), and then choose the VGW that is to be connected to an Aviatrix transit gateway. If this VGW is not connected to Aviatrix transit, worry not, you can follow “Transit Network” workflow step #3 to connect Aviatrix to this VGW at a later time. Once the VIF is connected to a VGW, and VGW is connected to Aviatrix transit gateway, your hybrid cloud is setup and ready to go. Aviatrix will learn about the on-premises routes and automatically propagate them throughout the rest of the transit network. At this point, your hybrid cloud is setup and connected end to end.