Scaling AWS Direct Connect Connectivity
Scaling AWS Direct Connect Connectivity for Faction Cloud Control Volumes
Picking up where I left off in the AWS Direct Connect Networking discussion, I will expand on the ability to do a Direct Connect LAG and how we can take advantage of this to increase performance.
I will also talk about how we can achieve ECMP and full-redundancy using multiple BGP sessions tied together by a Virtual Private Gateway (VGW). Finally, I will touch upon how Faction uses VRF’s to ease any security concerns regarding the multi-tenant architecture which allow access to Faction Cloud Control Volumes.
A LAG or link-aggregation-group logically bonds together two or more physical connections. Faction takes multiple 10 gbps Direct Connect connections and, under the LAG section of the Direct Connect dashboard, bonds them together to form a single logical connection. AWS limits a single LAG to four connections but states that this can be increased upon request. Depending on the AWS hard limit, upwards of 80-160 gbps can be achieved on a single logical connection to AWS. This logical connection can then be carved up for individual customers under the Virtual Interface section of the Direct Connect dashboard.
When the logical connection, or LAG, is in place the next step is to configure a Virtual Interface. The three main components to the Virtual Interface are the VGW, VLAN, and BGP information. The VGW is the tenant isolation component on the AWS side, The VLAN is the isolation component on the Faction side, and BGP is the transport mechanism between the two.
We are assuming the AWS environment is fully redundant. With a LAG in place there is redundancy with the physical connections going in to AWS. To achieve redundancy for the Faction router doing BGP peering with AWS we need to add a second router, and a second virtual interface in the Direct Connect configuration. This will allow for a second BGP connection and ECMP (Equal cost multipath routing) across both connections. When creating the second virtual interface with the second BGP configuration for the additional router you simply choose the same VGW that you chose when you configured the first virtual interface.
Ensure Tenant Isolation
With full-redundancy in place as well as load-sharing between the redundant systems, the last objective is to ensure tenant isolation. The third component above, the VLAN, gets us half of the way there. When entering the VLAN in the Virtual Interface setup, this refers to the VLAN configured in the Faction environment. This VLAN is extended all the way to the router on the Faction side giving us tenant isolation at Layer-2. Layer-3 isolation is done using Virtual Routing and Forwarding (VRF) technology.
A VRF allows each customer to have their own BGP session with AWS and dedicated routing table just like they are own their very own router. Coupled with VLAN isolation up to their AWS VPC this makes for a very isolated customer environment spanning AWS and Faction. Pretty cool!
Want more info, or need help? Reach out to contact us!