MCR Connections to Amazon Web Services via Direct Connect (DX)
Creating a VXC to AWS via Direct Connect (DX) from an MCR is a straightforward process via the Portal. Follow the steps below to establish a private VIF connection that is able to connect either directly to a selected VPC (via VGW) or to a range of VPCs either in a single or multiple AWS regions (within a single AWS account). Alternatively, you can watch the 7-minute video tutorial at the bottom of this page.
The majority of this guide will concentrate on building a Private Direct Connect VIF connection type to AWS. However, if you wish to build a Public VIF (S3, Dynamo DB and other public IP addressable services) and do not wish to build a Private VIF, you may jump directly to the last section of this article.
Pre-requisites for Private VIF connection type (VPC target)
In order to connect from an existing MCR to AWS using a private VIF, you’ll need to gather the following information:
- Your AWS Account ID number – this is accessible from the My Account menu item in the top right of the screen under the account name.
- For private VIF connections, it is recommended that you provide a target AWS private ASN through one of the following two options:
- If you are targeting only a single VPC in any given AWS region worldwide, you can use a VGW (via VPC/Virtual Private Gateways) then proceed to select the target region. Multiple VXCs from a single MCR, with individual connections to VGWs, is the preferred manner for inter-region peering and will also support inter-region peering between VPCs from multiple accounts.
- A second option is to use the Direct Connect Gateway (DXGW) functionality as a target which can aggregate multiple VGWs from the local (and remote, if used) region(s). This method is, therefore, more extensible than the above even if you are only initially targeting a single VPC. A DXGW can be created from the Direct Connect/Direct Connect Gateways option in any region, and will be equally addressable via DX connection from all regions. Selecting this option does require careful consideration of traffic paths and latency implications and it is advised that you consult the AWS DXGW documentation for up to date information on the rules/limits imposed on this connection type.
- If you don’t currently have an existing MCR, you may refer to our main Megaport Cloud Router (MCR) article to create one.
Creating/confirming your Private ASN for VGW and/or DXGW
In order to connect MCR to your target VPC/s you will need to either create a new VGW or confirm the AS number of an existing VGW. This can be done from the VPC/Virtual Private Gateways screen ensuring that your console view is in the same region as your desired target VPC:
In the case above, a new VGW has been requested with tag ‘KB CustomVGW’ and ASN = 65333 (values within range 64512 – 65534 are accepted). This is suggested to replace the AWS default ASN (usually 7224) as routing multiple VXC instances to the same target ASN will potentially result in routing anomalies.
Once the custom VGW has been created, it will be displayed in this panel as ‘detached’ and therefore available for attaching to the target VPC. This can be achieved through the ‘Actions’ button at the top of the page; then select ‘Attach to VPC’ and choose the target VPC. The state of the VGW will change from ‘detached’ to ‘attaching’ – please note that this process can take a few minutes to complete though at this stage you may proceed to either configuring the VXC pointing to this VGW/VPC from the Portal or proceed to the next step to aggregate this VGW into a multi-region DXGW.
Direct Connect Gateway
It is possible to aggregate multiple VGWs into a target of a single VXC/VIF (as long as they reside within the same AWS account ID) by creating a Direct Connect Gateway (DXGW) via the Direct Connect configuration screen in the AWS Console.
Here is a sample of the creation of a new DXGW called ‘KB DXGW1’ with ASN 64999. When created (which is instantaneous), you will be able to associate the VGW in the previously created step, as well as any other VGWs. Please ensure to keep ASNs unique for the DXGW and associated VGWs to allow easier troubleshooting and simplified routing decisions.
Once created, you can associate the VGW to the DXGW using the Actions/Associate Virtual Private Gateway option as per below:
It is then possible to repeat the step above for all VGWs/VPCs you wish to peer noting that the IP address ranges of the VPCs for any connected subnets should NOT overlap. The associated VGW(s) will appear in the ‘Virtual Interface Attachments’ after a few minutes, although at this stage, you may proceed to the Portal MCR configuration.
Completing an AWS DX connection request from MCR
From the steps completed above, the information available is sufficient to create the VXC request to AWS from our selected MCR.
Upon choosing ‘+Connection’ and selecting the the Cloud type connection method:
It is then necessary to select the target service provide (AWS) and the destination region Port:
In this example, a connection is being requested from a London based MCR to AWS EU-WEST-1 region (Ireland) via a London based target Port. In the next screen ‘3) Connection Details’ (not shown) you will be asked the name of the connection (for display in the Megaport dashboard) and the rate limit (Mbps).
Private type (VPC) connectivity option is selected here, and accordingly only the fields on the left hand side of the display are mandatory with the right hand side being auto populated, or you can enter manual values if you have specific requirements. For customer ASN you may use the MCR default (Megaport registered) value of 133937 or select your own valid private (or public) value as required (be aware previously we have used another Megaport ASN, 132863, and this is currently being updated in all screenshots across KnowledgeBase). For Amazon ASN this will either be the VGW value (for 1:1 VPC connections) or the custom value that was assigned to the DXGW in the earlier steps of this guide.
After these values have been entered (and checked) you may press ‘Next’ and proceed to the next step to accept the connection detail summary, add to cart, and check-out the connection.
Once the VXC connection is deployed successfully, you will see it attached to the MCR on the Portal dashboard:
Clicking on the VXC title (‘EUW1 AWS VXC’ in this case), will give visibility of this connection, note under the ‘Details’ tab that, while the service status (Layer 2) is UP, BGP (Layer 3) will be currently down due to the matching configuration not existing on the AWS side. This will be configured in the next section.
After two to three minutes, the corresponding inbound VIF request will be visible on the AWS Direct Connect / Virtual Interfaces configuration. Note that this is specific to the target region that was chosen based on the target AWS port. If your VIF doesn’t appear as below after a few minutes, you can confirm that you are viewing the correct region by checking both the selected AWS Region name at the top right of screen and also in the URL displayed for this page.
The name and account ID of the VIF should match that supplied above and the BGP ASN should also be confirmed to match with the ‘Customer ASN’ as presented above. Note that the ‘Amazon side ASN’ will be the default region’s AWS ASN (in this case, 9059 where we have requested 64999 to match the DXGW created earlier) though this will be updated in the next step where the virtual interface is accepted and assigned.
Note that it is not possible to accept the inbound VIF via the ‘Actions’ menu, however there is a separate acceptance screen that is available below the details panel where a tickbox and ‘Accept Virtual Interface’ item appears. Ensure that this is selected, then in the following screen you will be asked to either select the VGW (1:1 VPC mapping, single region) or the DXGW that was created earlier.
After acceptance of the associated interface, you will note that the ‘Amazon side ASN’ field should change to the chosen ASN – 64999 in this case. Status of the connection will change from ‘pending acceptance’ to ‘pending’ and then ‘available’ once BGP has established. Please note that even when refreshing this screen sometimes there is a delay in ‘available’ BGP status being shown on the AWS end though you can confirm the current state of the Layer 3 link by re-visiting the Portal view of this connection, and selecting the AWS VXC and then the Details tab (BGP status will show a green tick mark).
Enabling VPC Route Propagation and checking received route-table
At this time, the VIF is connected to the VGW/DXGW which is associated with your attached VPC, however routes are not enabled to be propagated to/from this VPC by default, and this needs to be enabled on the specific VPC(s). This is achieved through the VPC Dashboard console under Route Tables / Route Propagation tab.
Upon selecting the Route Propagation tab, click Edit, change Propagate the tick box against the associated VGW to YES (enabled) and save the changes.
Once these steps have been completed, any routes that are being advertised from the MCR across the given VXC will be automatically updated into the route table of the target VPC. Note that if you don’t currently have any routes being propagated from a remote VXC into the MCR viewing the route table will not show any entries, but will be automatically updated once these are added.
Prerequisites for Public VIF connection type (public IP address targets)
The connectivity requirements for a Public VIF to AWS are similar to the steps detailed above. However, it is not required to terminate onto a VGW or DXGW and the target ASN will, therefore, be the AWS public ASN for the destination region. In order to connect to public resources such as Amazon Simple Storage Service (S3) and Amazon DynamoDB, AWS generally requires you to bring public IP addresses to this connection. However, with the MCR product, Megaport will supply a /31 range that can be utilised for public peering upon which the global AWS route tables will be received. Setup for this is the same as the above for private peering up to Step 5 (AWS details) where different mandatory fields are required for Public VIF connections. If you have values you wish to configure and send to AWS that are valid as per AWS Direct Connect FAQ guidance, you may use these in the non-mandatory fields, however, if you do not have these details, Megaport will supply one set of public IP addresses per VXC and NAT towards your MCR instance. AWS Detail entry screen (add VXC step 5):
Once successfully deployed, accepted (from AWS Direct Connect console) and with BGP confirmed as established via both the AWS Direct Connect interface and the Details tab on the VXC, you will see the details that have been populated from the Megaport/AWS API interaction and be receiving the global AWS route table onto your MCR instance: