AWS Direct Connect and Azure Services
Overview
Cloud computing brings new opportunities: you no longer have to be on the enterprise infrastructure team to manage your own virtual machines, design the network for your solution, or deploy your compute, storage and load balancer components.
The learning opportunities are endless, and it is really exciting.
In this article we are going to talk about AWS Direct Connect and compare it with Azure ExpressRoute Direct.
Feature Summary Side by Side:
Direct Connect
Many organizations use hybrid networks to connect on-premises data centers to the cloud. In the same data center location the CSP has a cage and you have a cage, and a direct connection is established between the CSP router and your router. Your on-premises private network is then linked to the public cloud environment with low latency, bypassing internet service providers in the network path.
AWS Direct Connect
AWS Public Virtual Interface
An AWS public virtual interface provides an alternative route from on-premises, through the Direct Connect link, to the CSP's public services, so your data in transit does not traverse the public internet. The CSP service itself is still reachable from the public network unless you use other features to disable public network access.
Azure ExpressRoute Direct
Two connections are provided out of the box and both are active, but traffic is not distributed between them in round-robin fashion: one is primary and the other is secondary.
Routing Policy
When multiple direct connections are present, the following options can be used in both CSPs to optimize the routing path and avoid high latency:
- Longest Prefix Match
- Use BGP Communities
- Use AS PATH prepending
Azure also provides a routing weight option on virtual network gateway (VGW) connections to optimize the routing path between VNets.
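To make the three options above concrete, here is an added example (not code from the original post or from either CSP) that models how an on-premises edge router would pick between routes learned over two links. Everything in it is constructed: the Route class, the link names, the AS numbers and the community-to-LOCAL_PREF mapping are assumptions for illustration only. It applies the techniques in the order a BGP best-path selection would: longest prefix match first, then a LOCAL_PREF value derived from communities, then the shortest AS path (which is what AS PATH prepending manipulates).

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Route:
    """One BGP route as received on the on-premises edge router (constructed model)."""
    prefix: str              # advertised prefix, e.g. "10.1.0.0/16"
    link: str                # which Direct Connect / ExpressRoute link it arrived on
    as_path: list            # AS path; prepending repeats the origin AS to lengthen it
    communities: set = field(default_factory=set)


# Hypothetical inbound policy: map a BGP community to a LOCAL_PREF value.
# The community values are constructed for this example, not the CSPs' own.
COMMUNITY_LOCAL_PREF = {"65000:200": 200, "65000:50": 50}
DEFAULT_LOCAL_PREF = 100


def local_pref(route: Route) -> int:
    """LOCAL_PREF derived from communities; the highest matching value wins."""
    matched = [COMMUNITY_LOCAL_PREF[c] for c in route.communities if c in COMMUNITY_LOCAL_PREF]
    return max(matched, default=DEFAULT_LOCAL_PREF)


def select_route(routes, destination: str):
    """Pick the route used for `destination`, applying the three techniques in order:
    longest prefix match, then LOCAL_PREF (set from communities), then shortest AS path."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    # 1. Longest prefix match: a more specific prefix beats any shorter one.
    longest = max(ipaddress.ip_network(r.prefix).prefixlen for r in candidates)
    candidates = [r for r in candidates if ipaddress.ip_network(r.prefix).prefixlen == longest]
    # 2. Highest LOCAL_PREF, steered by the communities the route carries.
    best_lp = max(local_pref(r) for r in candidates)
    candidates = [r for r in candidates if local_pref(r) == best_lp]
    # 3. Shortest AS path: prepending lengthens a link's path, so it is used only as backup.
    shortest = min(len(r.as_path) for r in candidates)
    candidates = [r for r in candidates if len(r.as_path) == shortest]
    return candidates[0]   # remaining ties would go to later BGP tie-breakers (not modelled)


# Constructed sample routes learned over two links into the same cloud address space.
SAMPLE_ROUTES = [
    Route("10.1.0.0/16", "link-primary",   [64512]),
    Route("10.1.0.0/16", "link-secondary", [64512, 64512, 64512]),         # prepended: backup path
    Route("10.1.5.0/24", "link-secondary", [64512]),                       # more specific subnet
    Route("10.2.0.0/16", "link-primary",   [64512], {"65000:50"}),
    Route("10.2.0.0/16", "link-secondary", [64512, 64512], {"65000:200"}),  # community beats path length
]


def chosen_links(routes=SAMPLE_ROUTES,
                 destinations=("10.1.1.1", "10.1.5.9", "10.2.3.4", "192.168.1.1")):
    """Map each destination to the link selected for it (None when no route covers it)."""
    result = {}
    for d in destinations:
        r = select_route(routes, d)
        result[d] = r.link if r else None
    return result


if __name__ == "__main__":
    for dst, link in chosen_links().items():
        print(f"{dst:>14} -> {link}")
```

Note the ordering: the /24 on the secondary link wins for 10.1.5.x even though that link carries a prepended /16, because prefix length is evaluated before anything else; the community-driven LOCAL_PREF then beats AS path length for 10.2.0.0/16.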
Resiliency
Azure ExpressRoute Direct
Azure ExpressRoute Direct provides dual 100 Gbps or 10 Gbps connectivity, which supports Active/Active connectivity at scale.
AWS DX
The AWS Direct Connect Resiliency Toolkit offers multiple options; below is the maximum resiliency option, with two locations and two connections in each location.
MAC Security
Both CSPs support MAC Security (MACsec); it is configured on the AWS DX connection or on the Azure ExpressRoute Direct port.
MACsec encrypts data at network layer 2, between the partner's edge and the CSP edge (that is, the AWS Direct Connect connection or the Azure ExpressRoute port). It is not host-to-host or end-to-end encryption.
Logging and Monitoring
Azure ExpressRoute Metrics
microsoft.network/expressrouteports Metrics:
AdminState, BitsInPerSecond, BitsOutPerSecond, LineProtocol, RxLightLevel, TxLightLevel
microsoft.network/expressroutecircuits Metrics:
Arp Availability, Bgp Availability, DroppedInBitsPerSecond, DroppedOutBitsPerSecond, BitsInPerSecond, BitsOutPerSecond, GlobalReachBitsInPerSecond, GlobalReachBitsOutPerSecond
microsoft.network/virtualnetworkgateways Metrics:
CPU utilization (can be split by instance), packets per second, count of routes advertised to peer, count of routes learned from peer, frequency of routes change, number of VMs in the virtual network
AWS Direct Connect Metrics
AWS Direct Connect Connection metrics:
ConnectionState, ConnectionBpsEgress, ConnectionBpsIngress, ConnectionPpsEgress, ConnectionPpsIngress, ConnectionErrorCount, ConnectionLightLevelTx, ConnectionLightLevelRx, ConnectionEncryptionState
AWS Direct Connect virtual interface metrics:
VirtualInterfaceBpsEgress, VirtualInterfaceBpsIngress, VirtualInterfacePpsEgress, VirtualInterfacePpsIngress
Available dimensions: ConnectionId, OpticalLaneNumber, VirtualInterfaceId
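Collecting the metrics is only half the job; the other half is deciding what to alert on. The following added example (not part of the original post and not AWS tooling) evaluates simple rules over AWS Direct Connect connection metrics using the CloudWatch metric names listed above. It also covers the MACsec point from the earlier section: ConnectionEncryptionState dropping to 0 means the layer 2 encryption between your edge and the CSP edge is gone, so it is treated as critical. The data points, the ConnectionId placeholders and the thresholds (port speed, utilization and receive light level) are all constructed assumptions; tune them to your link and optics.

```python
# Operational thresholds: assumptions for this example, not AWS-published values.
LINK_BPS = 10_000_000_000       # 10 Gbps port
UTILIZATION_WARN = 0.80         # warn above 80% of port speed
RX_LIGHT_MIN_DBM = -15.0        # receive light below this suggests a degrading optic or fiber

# Constructed sample: one latest data point per connection; ConnectionId values are placeholders.
SAMPLE_DATAPOINTS = [
    {"ConnectionId": "dxcon-PLACEHOLDER1", "ConnectionState": 1, "ConnectionEncryptionState": 1,
     "ConnectionErrorCount": 0, "ConnectionLightLevelRx": -5.1, "ConnectionLightLevelTx": -2.3,
     "ConnectionBpsEgress": 2_000_000_000, "ConnectionBpsIngress": 1_500_000_000},
    {"ConnectionId": "dxcon-PLACEHOLDER2", "ConnectionState": 1, "ConnectionEncryptionState": 0,
     "ConnectionErrorCount": 12, "ConnectionLightLevelRx": -17.8, "ConnectionLightLevelTx": -2.9,
     "ConnectionBpsEgress": 8_500_000_000, "ConnectionBpsIngress": 9_000_000_000},
    {"ConnectionId": "dxcon-PLACEHOLDER3", "ConnectionState": 0, "ConnectionEncryptionState": 0,
     "ConnectionErrorCount": 0, "ConnectionLightLevelRx": -40.0, "ConnectionLightLevelTx": -2.5,
     "ConnectionBpsEgress": 0, "ConnectionBpsIngress": 0},
]


def evaluate(dp, link_bps=LINK_BPS, macsec_required=True):
    """Return (connection_id, severity, code) findings for one data point.
    ConnectionState and ConnectionEncryptionState are 1 when up and 0 when down."""
    cid = dp["ConnectionId"]
    findings = []
    if dp.get("ConnectionState") != 1:
        # A down link makes the remaining metrics meaningless; report once and stop.
        return [(cid, "critical", "link_down")]
    if macsec_required and dp.get("ConnectionEncryptionState") != 1:
        # MACsec is down: traffic between your edge and the CSP edge is now unencrypted.
        findings.append((cid, "critical", "macsec_down"))
    if dp.get("ConnectionErrorCount", 0) > 0:
        findings.append((cid, "warning", "link_errors"))
    if dp.get("ConnectionLightLevelRx", 0.0) < RX_LIGHT_MIN_DBM:
        findings.append((cid, "warning", "rx_light_low"))
    for direction in ("Egress", "Ingress"):
        if dp.get(f"ConnectionBps{direction}", 0) / link_bps > UTILIZATION_WARN:
            findings.append((cid, "warning", f"{direction.lower()}_utilization"))
    return findings


def evaluate_all(datapoints=SAMPLE_DATAPOINTS, **kwargs):
    """Run the rules over every data point and flatten the findings."""
    return [f for dp in datapoints for f in evaluate(dp, **kwargs)]


def codes_for(connection_id, datapoints=SAMPLE_DATAPOINTS, **kwargs):
    """Sorted finding codes for one connection (handy for dashboards and tests)."""
    return sorted(code for cid, _, code in evaluate_all(datapoints, **kwargs) if cid == connection_id)


if __name__ == "__main__":
    for cid, severity, code in evaluate_all():
        print(f"{severity:8} {cid} {code}")
```

The `macsec_required` switch exists because ConnectionEncryptionState is only meaningful on connections where MACsec has actually been configured; a fleet that mixes encrypted and unencrypted links would pass the flag per connection rather than globally.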
Quotas
BGP Session, BGP Peer Session
Two routers that have established a connection for exchanging BGP information are referred to as BGP peers. BGP peers exchange routing information via BGP sessions that run over TCP, a reliable, connection-oriented protocol with error checking.
Once the BGP session is established, the routers advertise the network routes they can reach, and each router evaluates the received routes to find the one with the shortest path.
AWS Quota
In AWS, a BGP peer is added to a virtual interface, and you can have multiple virtual interfaces per Direct Connect (DX) connection.
Quota Summary:
- Connection: 10 active AWS Direct Connect connections per Region per account
- VIF: 50 VIFs per connection; 1 transit VIF per connection
- DCG: 30 virtual interfaces (private or transit) per AWS Direct Connect gateway
- VPG: 10 virtual private gateways per Direct Connect gateway
- TGW: 3 transit gateways per AWS Direct Connect gateway
Azure Quota
An ExpressRoute circuit has multiple routing domains/peerings associated with it: Azure public, Azure private, and Microsoft. Each peering is configured identically on a pair of routers. (Azure public peering is deprecated for new circuits).
Conclusion
Since Direct Connect typically requires an enterprise environment to implement, it is not possible to do a lab for this blog post; however, it is still fun to compare AWS and Azure side by side and document the understanding.
AWS Direct Connect Cheat Sheet
- HA connections all show as individual resources (meaning you see two VIF attachments in the primary region and two VIF attachments in the DR region for one Direct Connect gateway).
- A Direct Connect gateway needs one virtual interface attachment for every link (1/10/100G link). (The Direct Connect gateway is in the central account.)
- A virtual private gateway connects to a Direct Connect gateway. (Quota: virtual private gateways per AWS Direct Connect gateway is 10; this limit cannot be increased.)
- A virtual private gateway is associated with a VPC (in an individual account).
- Associate an AWS Direct Connect gateway with either a TGW or a VPG.
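Because the per-gateway limits above cannot always be raised, it pays to check a planned topology against them before anything is ordered. The following added example (not code from the original post or from AWS) does that for the AWS quota list in the Quotas section and for the either-TGW-or-VPG rule in the cheat sheet: it takes a description of connections, virtual interfaces and gateway associations and reports every quota or design rule it breaks. The quota numbers are the ones stated in this post; the topology, its resource ids and the field names are constructed for illustration.

```python
from collections import Counter, defaultdict

# Quota values as listed in this post (AWS default limits at the time of writing).
QUOTAS = {
    "connections_per_region_account": 10,
    "vifs_per_connection": 50,
    "transit_vifs_per_connection": 1,
    "vifs_per_dcg": 30,
    "vpgs_per_dcg": 10,
    "tgws_per_dcg": 3,
}

# Constructed topology; every id is a placeholder, not a real AWS resource id.
SAMPLE_TOPOLOGY = {
    "connections": [
        {"id": "dxcon-A", "region": "us-east-1", "account": "111111111111"},
        {"id": "dxcon-B", "region": "us-east-1", "account": "111111111111"},
    ],
    "vifs": [  # type is private, public or transit; dcg is the Direct Connect gateway it attaches to
        {"id": "dxvif-1", "connection": "dxcon-A", "type": "private", "dcg": "dxgw-1"},
        {"id": "dxvif-2", "connection": "dxcon-A", "type": "transit", "dcg": "dxgw-2"},
        {"id": "dxvif-3", "connection": "dxcon-A", "type": "transit", "dcg": "dxgw-2"},  # second transit VIF
        {"id": "dxvif-4", "connection": "dxcon-B", "type": "private", "dcg": "dxgw-1"},
        {"id": "dxvif-5", "connection": "dxcon-B", "type": "public",  "dcg": None},
    ],
    "associations": [  # kind is vpg (virtual private gateway) or tgw (transit gateway)
        {"dcg": "dxgw-1", "gateway": "vgw-1", "kind": "vpg"},
        {"dcg": "dxgw-1", "gateway": "tgw-1", "kind": "tgw"},   # mixes VPG and TGW on one gateway
        {"dcg": "dxgw-2", "gateway": "tgw-2", "kind": "tgw"},
        {"dcg": "dxgw-2", "gateway": "tgw-3", "kind": "tgw"},
        {"dcg": "dxgw-2", "gateway": "tgw-4", "kind": "tgw"},
        {"dcg": "dxgw-2", "gateway": "tgw-5", "kind": "tgw"},   # fourth TGW on one gateway
    ],
}


def validate(topology=SAMPLE_TOPOLOGY, quotas=QUOTAS):
    """Return human-readable violations; an empty list means the design fits the quotas and rules."""
    v = []
    # Connections per Region per account.
    per_region = Counter((c["account"], c["region"]) for c in topology["connections"])
    for (account, region), n in per_region.items():
        if n > quotas["connections_per_region_account"]:
            v.append(f"{account}/{region}: {n} connections, quota {quotas['connections_per_region_account']}")
    vifs = topology["vifs"]
    # VIFs and transit VIFs per connection.
    for conn, n in Counter(x["connection"] for x in vifs).items():
        if n > quotas["vifs_per_connection"]:
            v.append(f"{conn}: {n} VIFs, quota {quotas['vifs_per_connection']}")
    for conn, n in Counter(x["connection"] for x in vifs if x["type"] == "transit").items():
        if n > quotas["transit_vifs_per_connection"]:
            v.append(f"{conn}: {n} transit VIFs, quota {quotas['transit_vifs_per_connection']}")
    # Private/transit VIFs per Direct Connect gateway (public VIFs do not attach to a gateway).
    for dcg, n in Counter(x["dcg"] for x in vifs if x["dcg"] and x["type"] in ("private", "transit")).items():
        if n > quotas["vifs_per_dcg"]:
            v.append(f"{dcg}: {n} VIFs, quota {quotas['vifs_per_dcg']}")
    # Gateway associations: one kind per gateway, and per-kind limits.
    by_dcg = defaultdict(lambda: defaultdict(set))
    for a in topology["associations"]:
        by_dcg[a["dcg"]][a["kind"]].add(a["gateway"])
    for dcg, kinds in by_dcg.items():
        if "vpg" in kinds and "tgw" in kinds:
            v.append(f"{dcg}: associated with both VPG and TGW; a gateway takes one kind only")
        if len(kinds.get("vpg", ())) > quotas["vpgs_per_dcg"]:
            v.append(f"{dcg}: {len(kinds['vpg'])} VPGs, quota {quotas['vpgs_per_dcg']} (cannot be raised)")
        if len(kinds.get("tgw", ())) > quotas["tgws_per_dcg"]:
            v.append(f"{dcg}: {len(kinds['tgw'])} TGWs, quota {quotas['tgws_per_dcg']}")
    return v


if __name__ == "__main__":
    for line in validate():
        print("VIOLATION:", line)
```

In practice the topology dictionary would be built from the Direct Connect API (describe-connections, describe-virtual-interfaces and the gateway association calls) rather than typed by hand, but the checks are the same.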
References
- Azure ExpressRoute: About Encryption | Microsoft Docs
- https://docs.microsoft.com/en-us/azure/expressroute/expressroute-circuit-peerings#routingdomains