• Amazon Web Services (AWS) Direct Connect Overview

  • Amazon Web Services (AWS) Direct Connect makes it easy to establish a network connection from your premises to AWS.

    The AWS/Secure Cloud Interconnect Welcome Kit provides you with the information needed to connect Amazon Web Services with Secure Cloud Interconnect and manage these connections.

    This site provides an overview of AWS Direct Connect:

    AWS Portal: http://aws.amazon.com/
    General Information: http://aws.amazon.com/directconnect/

    The following stages need to be completed to successfully connect your Secure Cloud Interconnect service to the AWS site.

  • Preparation Stage

  • Actions need to be taken by Verizon and your organization to develop your network design.

    • [VERIZON] Verizon will verify that you are a Verizon Private IP customer with active circuit(s).
    • If you are not a Verizon Private IP customer, a Private IP connection must be established to at least one of your locations.
      • Note: As this component is probably the one with the longest delivery timeframe, you should not proceed with the rest of the Secure Cloud Interconnect activation process until this step is completed.
      • Note: Advanced configurations (i.e., hub-to-hub and cloud-to-cloud) are supported by request. Please contact your Verizon Account Team for more details.
      • Note: If you are a Verizon Private Wireless Gateway customer, please contact your Verizon Account Team for details on how you can use Secure Cloud Interconnect with your AWS service.
    • [VERIZON] Your Verizon Account Team will work with you to create entitlements for Verizon Enterprise Center and Dynamic Network Manager which will enable you to manage and monitor your Secure Cloud Interconnect service.
      • To learn more about Verizon Enterprise Center Registration process, click here and go to Verizon Enterprise Center for detailed instructions.
    • [CUSTOMER] Before proceeding with your Secure Cloud Interconnect port activation, you must ensure that your design does not exceed the AWS-specified limits on the number of VPCs (Virtual Private Clouds), routes per VPC, etc. See the “AWS Max Routes” section on the left.
      • Please refer to the AWS Direct Connect page for an up to date list of those limitations.
    • [CUSTOMER] Your Verizon Account Team will work with you to confirm that you have a clear understanding of Secure Cloud Interconnect NATing.
      • For additional detail, refer to the “Frequently Asked Questions” section of this Welcome Kit: What is Network Address Translation (NAT)?
    • [CUSTOMER] If you are using Secure Cloud Interconnect with Managed Security Services (MSS) Cloud Enhanced Security, additional steps are required.
      • For additional detail, refer to the “Frequently Asked Questions” section of this Welcome Kit: “What additional security services does Verizon provide?”.
  • Ordering and Provisioning Stage

  • Once the design of your Secure Cloud Interconnect connection is finalized, you will be able to proceed with the Ordering and Provisioning Stage. The Secure Cloud Interconnect order items required for connecting with AWS as well as the provisioning requirements will be confirmed.

    • [CUSTOMER] You must create an account with AWS before you proceed with your Secure Cloud Interconnect order. Once your account is created, you will be provided with an AWS Account ID. Click on the AWS login page to obtain your Account ID.
    • [CUSTOMER] You will select the region (location) in which your Secure Cloud Interconnect port will be provisioned.
      • Note: Please check for the AWS region mapping to Secure Cloud Interconnect locations.
    AWS Region Associated with the Secure Cloud Interconnect Location

    AWS Region Name            AWS Region Code   Verizon Provider Location
    US East (N. Virginia)      us-east-1         US East (EquinixDC1 Ashburn)
    US East (N. Virginia)      us-east-1         US East (New York, CoreSiteNY1)
    US East (Ohio)             us-east-2         US East (Ohio Equinix CH2)
    US West (Oregon)           us-west-2         US West (SuperNAP 8 Oregon)
    US West (N. California)    us-west-1         US West (EquinixSV1 Silicon Vly)
    US West (N. California)    us-west-1         US West (Los Angeles, CoreSiteLA1)
    EU (London)                eu-west-2         EU West 2 (Equinix LD5 London)
    EU (Ireland)               eu-west-1         EU West (Telecity London)
    EU (Ireland)               eu-west-1         EU West (Eircom, Dublin)
    EU (Frankfurt)             eu-central-1      EU (Frankfurt, EquinixFR5)
    Asia Pacific (Singapore)   ap-southeast-1    AsiaPac (Equinix SG2 Singapore)
    Asia Pacific (Tokyo)       ap-northeast-1    AsiaPac (Equinix TY2 Tokyo)
    Asia Pacific (Sydney)      ap-southeast-2    AsiaPac (Equinix SY3 Sydney)
    Asia Pacific (Mumbai)      ap-southeast-1    AsiaPac (GPX Mumbai)
    South America (Sao Paulo)  sa-east-1         Southam (Terremark Sao Paulo)
    AWS GovCloud (US)          us-gov-west-1     US West (Equinix SV1 Gov)

    • [CUSTOMER] Please provide your AWS Account ID to your Verizon Account Team along with the AWS type of peering (private or public) to be created, the AWS region, and the Secure Cloud Interconnect location.
      • Note: If this information is not provided at the time of order placement, it may delay the provisioning process.
    • [VERIZON] Your Verizon Account Team selects the type of Secure Cloud Interconnect connection(s) to be ordered based on the AWS service type requested:
      • VPC (AWS Private)
      • Non-VPC (AWS Public)
      • Non-VPC Customer Provided NAT
    • Note: Currently a separate Secure Cloud Interconnect port is required for each AWS VPC created.
    • [CUSTOMER] Let Verizon know of any additional Private IP VPNs needed with your Secure Cloud Interconnect order, or you may use Dynamic Network Manager to add one or more of your Private IP VPNs to your Secure Cloud Interconnect port (using the Add/Remove VPN menu).
      • Note: When you add or remove VPNs to/from a port, you must ensure that the IP addresses of the VPNs don’t overlap and that the total number of Private IP prefixes does not exceed the MAX number specified in the VPNs. If the total number of Private IP prefixes exceeds the MAX number specified in the VPNs, you must contact the Verizon Account Team and request an increase to that MAX number.
      • Note: If you are using non-standard Secure Cloud Interconnect designs, you must coordinate with your Verizon Account Team before proceeding with this step.
    • [VERIZON] Your Verizon Account Team places the Secure Cloud Interconnect order using your AWS Account ID. Once the order is provisioned, your Secure Cloud Interconnect connection will appear in Dynamic Network Manager. Your order is now complete.
  • Secure Cloud Interconnect NAT

  • Secure Cloud Interconnect provides Private IP customers with secure access to our cloud ecosystem. Verizon provides NAT (Network Address Translation) functionality for Secure Cloud Interconnect; however, you also have the ability to provide your own NATing. The information below outlines both Verizon-provided and customer-provided NATing.

    • [VERIZON] Verizon-provided NATing: AWS/Public Access is also referred to as Dedicated Non-VPC with Verizon-provided Source NAT translation. Verizon Secure Cloud Interconnect translates all your Private IP VPN routes in the BGP table into a single source NAT address towards AWS. Any routes from AWS inbound are passed through to the Private IP VPN BGP table.
      • Note: If you have ordered services from AWS non-VPC (PaaS), you are required to use public IP addresses to communicate with AWS.
    • For outbound traffic (from Verizon to AWS), Verizon will provide a Source NATing functionality that NATs the source address of your outbound traffic. Verizon will provide the public IP addresses required for your outbound NATing, and they are already whitelisted by AWS.
      • Note: AWS will not initiate any connection toward your VPN. All inbound traffic from AWS will be in reply to a connection initiated by you and those inbound traffic addresses will be reverse-NATed to the initiating Private IP addresses.
    • [CUSTOMER] For instructions on how to add your public IP addresses to communicate with AWS using Dynamic Network Manager, please refer to the “View / Edit Servers” section of this Welcome Kit.
    • [CUSTOMER] Customer-provided NATing with AWS Public (S3): when you order the Secure Cloud Interconnect port, you can choose to provide your own NAT instead of the one provided by Verizon. The following guidelines outline your responsibilities for customer-provided NATing:
      • NATing both outbound and, when needed, inbound traffic.
      • Providing and whitelisting the public IP addresses required by AWS for the operation of their services.
      • The operation of your NAT device and any coordination required with AWS.
  • AWS Max Routes

  • AWS has a set of rules for the maximum number of IP addresses or routes that can be advertised.

    • [CUSTOMER] AWS initially configures the Secure Cloud Interconnect connection with 100 BGP (Border Gateway Protocol) routes. If you exceed the 100 BGP route limit, then AWS will immediately drop all traffic on the Secure Cloud Interconnect connection until the BGP table is reset to a max of 100 routes.

      Please ensure that your Private IP configuration has a default route to avoid exceeding AWS route table limitations. If your network does not have a default route in your Private IP BGP table, you must inject one as part of the final configuration of the Secure Cloud Interconnect connection.
      • Note: If you need assistance with injecting a default route, please contact your Verizon Account Team to open a request with Verizon Layer 3 Support to have them inject the default route towards AWS.
    • AWS route limitations currently support a maximum of 100 routes per Virtual Interface (VIF), and the limit cannot be increased. For more information, please refer to: https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html#directconnect_limit
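
A pre-change check for two constraints this Welcome Kit states (no overlapping prefixes across the VPNs on a port, and the 100-route limit per Virtual Interface), as an added example rather than Verizon or AWS tooling. It assumes IPv4 prefixes held in a hypothetical `{VPN name: [CIDR, ...]}` mapping; the function names and the `aggregate` verdict (route summarisation, which goes beyond the page's default-route advice) are this example's own.

```python
import ipaddress
from itertools import combinations

AWS_MAX_ROUTES = 100  # per-VIF BGP route limit stated on this page


def parse(vpn_prefixes):
    """Flatten {vpn_name: [cidr, ...]} into (vpn_name, IPv4Network) pairs.
    strict=True rejects entries with host bits set, e.g. 10.0.0.1/24."""
    return [(vpn, ipaddress.IPv4Network(cidr, strict=True))
            for vpn, cidrs in vpn_prefixes.items() for cidr in cidrs]


def find_overlaps(vpn_prefixes):
    """Prefixes that collide across *different* VPNs on the same port."""
    return [(va, str(na), vb, str(nb))
            for (va, na), (vb, nb) in combinations(parse(vpn_prefixes), 2)
            if va != vb and na.overlaps(nb)]


def preflight(vpn_prefixes, limit=AWS_MAX_ROUTES):
    """Check a proposed VPN set before it is attached to the port."""
    nets = {net for _, net in parse(vpn_prefixes)}
    overlaps = find_overlaps(vpn_prefixes)
    aggregated = list(ipaddress.collapse_addresses(nets))
    if overlaps:
        verdict = "fix-overlaps"    # resolve collisions before anything else
    elif len(nets) <= limit:
        verdict = "ok"
    elif len(aggregated) <= limit:
        verdict = "aggregate"       # summarising would fit under the limit
    else:
        verdict = "default-route"   # the page's remedy: advertise a default route
    return {"route_count": len(nets), "aggregated_count": len(aggregated),
            "overlaps": overlaps, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample: two VPNs, 120 scattered /24s plus one collision.
    sample = {
        "VPN-A": [f"10.{i}.0.0/24" for i in range(120)],
        "VPN-B": ["172.16.0.0/16", "10.7.0.0/25"],
    }
    report = preflight(sample)
    print(report["verdict"], report["route_count"], report["overlaps"])
```

Pass `limit=` the MAX prefix number configured on your VPNs to check that ceiling instead of the AWS one.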
  • Dynamic Network Manager

  • The details below provide you with the steps required to establish your connection to AWS for Secure Cloud Interconnect. If additional assistance is required from Verizon, please work with your Verizon Account Team.

    Activating a Connection

    • Enter your username. When your Verizon Account Team sets up your Verizon Enterprise Center profile and entitlements, your organization’s primary contact will receive a username. You may also receive an invitation code via email with your login credentials.

      If you already have a profile in Verizon Enterprise Center, just use your existing user name and password.
    • Click Sign In. The Sign In screen appears.
    • Enter your password.
    • Click Continue to reach the Verizon Enterprise Center home page.
    • To access your Secure Cloud Interconnect service:
      • Click Manage Account at the top of the page. A drop-down menu appears.
    • Click Dynamic Network Manager in the Product Tools section. Dynamic Network Manager appears in another browser window. Click Launch under Secure Cloud Interconnect. You will then see the Dynamic Network Manager screen.
    • Click on the associated Secure Cloud Interconnect Service ID to refresh the page with the Secure Cloud Interconnect list order details.
    • Once you find the correct Service ID, you can see other relevant Secure Cloud Interconnect details. Click Establish Connection.
    • Enter your AWS Account ID in the box, and click Initiate Direct Connection.

    Note: Your AWS Account ID is a 12-digit number. Do not input any dashes as this may create an error.

    • You will then see the status of the initiation and acceptance of your connection.

    Note: If your connection is unsuccessful (or in a “failed status”), please contact your Verizon Account Team for assistance.

      Within your AWS portal

    • Log into your AWS portal to accept the Secure Cloud Interconnect connection. Instructions on how to complete this process can be found here.

    Note: If you are experiencing any issues with your AWS portal, contact your AWS representative for assistance.

    1. Sign in to your AWS account: https://signin.aws.amazon.com/
    2. [Screenshot: AWS Connection]

    3. Click Services.
    4. Click Direct Connect. The Secure Cloud Interconnect service instance ID displays twice.
    5. [Screenshot: Connection Status]

    6. Click the connection.
    7. Check I understand that I will be responsible for data transfer charges incurred for this interface.
    8. Click Accept Virtual Interface. The Accept Virtual Interface pop-up appears.
    9. [Screenshot: Accept Virtual Interface]

    10. *Please note*: If you are using AWS Direct Connect Gateway (DCG) instead of “Virtual Private Gateway,” make sure your DCG private ASN does not conflict with your Private IP Customer Edge ASN. (It cannot be 65000.) Please consult your Verizon Account Team to engage the Verizon Special Products & Services Group to change remote-ASN to match your DCG private ASN.
    11. Select the Virtual Private Gateway or Direct Connect Gateway
    12. Click Accept.
    13. Repeat steps 4 – 8 for the second connection in the pair.
    14. [Screenshot: Complete Connection]

    15. AWS Direct Connect – VPC connections to AWS are typically active within 10 minutes from accepting the VLANs in the AWS Virtual Interface screen.
    16. AWS Direct Connect – non-VPC connections to AWS will be held in a confirming state while AWS verifies that the publicly routed IP addresses that have been assigned to your connection by Verizon are registered to Verizon and authorized for your company to use. Verizon will submit a Letter of Authorization (LOA) via a Technical Support Case with AWS Support for these IP addresses and send them to AWS after your VLANs have been accepted in the Virtual Interface screen.

      Verizon shall collect the following Secure Cloud Interconnect configlet information from your AWS non-VPC connections:
      • BGP ASN
      • Verizon Peer IP address
      • Amazon Peer IP address
      • NATed IP address
      • Customer VIF (Virtual Interface) ID
    17. Verizon Activation Team will add the information listed above to a Letter of Authorization (LOA) and send it to AWS at directconnect-requests@amazon.com
    18. AWS DirectConnect Service Team will verify that the IP addresses are authorized for use for your company by Verizon.
    19. Upon verification, AWS will activate the Virtual Interfaces. This process takes up to 72 hours from the time that the LOA is submitted to AWS. Once the status in the AWS portal changes from “Verifying” to “Available,” the BGP session will become active. Note that the Amazon status in Verizon’s Dynamic Network Manager portal will also change to “Available” once AWS has verified that the IP addresses are registered to Verizon and your company is authorized to use them. Please notify the Verizon Account Team that your Virtual Interface connection is active.
    20. At this time, connectivity has been established between your Verizon Private IP VPN and your newly created commercial AWS account.

    Deactivating a connection

    If you need to disconnect your Secure Cloud Interconnect connection for any reason, initiate the process within Dynamic Network Manager by following these steps.

    • Once logged into Dynamic Network Manager, click Available (#1)
    • Next, click on Deactivate (#2)
    • The AWS portal will show the connections being deleted.

    Changing a Description

    You have the ability to add or change a description for your Secure Cloud Interconnect connection in Dynamic Network Manager.

    • Once logged into Dynamic Network Manager, click on the pencil Icon under Amazon Location.
    • Add your description (#2).
    • Click on the check mark to finish (#3).

    Add or Remove VPNs to Secure Cloud Interconnect Connection

    You have the ability to add or remove VPNs for your Secure Cloud Interconnect connection in Dynamic Network Manager.

    • Once logged into Dynamic Network Manager, click Add / Remove VPN (#1)
    • Select the VPNs (#2) to add or remove (#3), and click OK.

    Note: Remember to add the new VPNs first before removing any existing VPNs.

    Utilization Report

    You can view and export the Secure Cloud Interconnect Utilization Report from Dynamic Network Manager.

    • Once logged into Dynamic Network Manager, click Utilization Report. (#1)
    • Select usage trends by date along the bottom. Click on the Microsoft® Excel® .CSV icon (#2) to export data (#3).

    Unbilled Usage

    You are able to capture usage within a 30-day billing cycle for your Secure Cloud Interconnect connection in Dynamic Network Manager.

    Note: The usage shown within Dynamic Network Manager may not reflect what is on your invoice.

    If desired, you can also add a threshold alert to notify you by e-mail when your data consumption reaches a certain percentage.

    • Once logged into Dynamic Network Manager, click Unbilled Usage. (#1).
    • A new browser tab will open to show Consumption with current Usage Bill Cycle Month, Summary of Data Plans, Summary of Billing AC Number, and Summary by Cloud Service Provider (CSP).

    Data Plan Usage

    Aggregated Usage

    Threshold Alerts

    Export Usage

    SCI Inventory

    View/Edit Servers

    If you have ordered services from AWS non-VPC (PaaS), you are required to use public IP addresses to communicate with AWS. This section demonstrates how to add or remove public IP prefixes in Dynamic Network Manager.

    Note: The addition/removal of public IP prefixes in Dynamic Network Manager cannot be done until the address verification process with AWS has been completed.

    • Once logged into Dynamic Network Manager, click View/Edit Servers. (#1)
    • Click Add or Remove Server IPs (#2) and then Update Server IP’s (#3) to complete the process.

    Order History

    Any changes or edits made to your Secure Cloud Interconnect connection in Dynamic Network Manager are captured in the Order History tab.

    • Once logged into Dynamic Network Manager, click Order History. (#1)
    • Click on Order ID (#2). This screen enables you to review your order history with a timestamp, user name, and status.

    Router commands

    Use the Router Commands feature in Dynamic Network Manager to manage and monitor network connectivity to your router interface(s).

    • Once logged into Dynamic Network Manager, click Router Commands. (#1)
    • Select the router command of choice (#2), and click Submit. (#3) Then click OK to confirm.
  • Ordering Additional Ports

  • You are able to order additional ports as needed for your Secure Cloud Interconnect service. Please review the Secure Cloud Interconnect ordering guide found here (log-in required).

  • Shutting Down a Secure Cloud Interconnect Port

  • If you need to shut down one of your Secure Cloud Interconnect ports, follow the steps below:

    • Once your port is provisioned, log into Dynamic Network Manager and select the Secure Cloud Interconnect port you want to shut down.
    • The detailed section of your Secure Cloud Interconnect connection will show the following:

    • As highlighted on the previous screen shot, the status requiring change is the Modify Admin Status field. Click on the pencil icon, and adjust as needed.
    • The Modify Admin Status screen will appear. The shutdown or no-shutdown of the port can be done through the “New Admin Status” drop down menu. Finally, click on Process Order to complete the action.