2.3.3.1. DX Connections & Virtual Interfaces (VIFs)
Direct Connect (DX) connections provide the dedicated physical link, while Virtual Interfaces (VIFs) segment this link to enable logical access to different AWS services or VPCs.
Scenario: You have a 10 Gbps AWS Direct Connect connection from your on-premises data center to AWS. You need to access a production VPC (private IP addresses) and also use Amazon S3 (public IP addresses) for backups, both over this dedicated connection.
To utilize AWS Direct Connect (DX), you establish a physical connection at a DX location, and then create virtual interfaces over this connection to access different AWS services.
Key Concepts of DX Connections & VIFs:
- DX Connection:
- What it is: The physical network connection between your router in a Direct Connect location and an AWS Direct Connect router. Can be a dedicated connection or a hosted connection (provided by an AWS DX Partner).
- Bandwidth: Available in various speeds (1 Gbps, 10 Gbps, 100 Gbps).
- Virtual Interfaces (VIFs):
- What they are: Logical connections created on your DX connection. A single DX connection can support multiple VIFs.
- Types of VIFs:
- Private VIF: Connects to a single VPC using a Virtual Private Gateway (VPG) or to multiple VPCs via an AWS Direct Connect Gateway or Transit Gateway. For accessing your VPC and private IP addresses.
- Public VIF: Connects to all public AWS services (e.g., S3, DynamoDB) in all AWS Regions. For accessing public AWS services via their public IP endpoints.
- Transit VIF: Connects to an AWS Transit Gateway (TGW). Allows connected VPCs to access on-premises networks via the TGW.
- Direct Connect Gateway: A globally available resource that allows you to connect your Direct Connect connection to multiple VPCs in the same or different AWS Regions. Used for connecting a single DX connection to multiple VPCs (in the same or different Regions) or an AWS Transit Gateway.
Practical Implementation: Creating a Private and Public VIF (Conceptual)
# Conceptual: VIF creation requires an existing DX connection ID (dxcon-abcdefgh below is a placeholder).
# The VLAN IDs, ASN, BGP key, peer addresses and prefixes are sample values; substitute your own.
# 1. Create a Private VIF (to connect to a VPC via VPG or DX Gateway).
#    "asn" is your on-premises BGP ASN. Private VIF BGP peering uses link-local /30 addresses.
#    "authKey" is the BGP MD5 key; supply it from a secrets store rather than a literal in the command.
aws directconnect create-private-virtual-interface \
  --connection-id dxcon-abcdefgh \
  --new-private-virtual-interface '{"virtualInterfaceName":"MyProdVPCVIF","vlan":10,"asn":65000,"authKey":"REPLACE_WITH_BGP_MD5_KEY","amazonAddress":"169.254.1.1/30","customerAddress":"169.254.1.2/30","virtualGatewayId":"vgw-0abcdef1234567890"}'
# 2. Create a Public VIF (to connect to public AWS services).
#    Public VIF BGP peers use public IPv4 addresses (your own, or a pair allocated by AWS), not 169.254.x.x.
#    "routeFilterPrefixes" lists the public prefixes YOU own and will advertise to AWS; it is not the list of
#    AWS prefixes you want to reach (AWS advertises its own prefixes to you once BGP is up).
#    203.0.113.0/24 and the /30 peer addresses are RFC 5737 documentation placeholders.
aws directconnect create-public-virtual-interface \
  --connection-id dxcon-abcdefgh \
  --new-public-virtual-interface '{"virtualInterfaceName":"MyPublicServicesVIF","vlan":20,"asn":65000,"amazonAddress":"203.0.113.1/30","customerAddress":"203.0.113.2/30","routeFilterPrefixes":[{"cidr":"203.0.113.0/24"}]}'
⚠️ Common Pitfall: Not understanding the routing implications of Public VIFs. Over a Public VIF, AWS advertises all of its public IP prefixes to your router, and AWS sends return traffic for the prefixes you advertised over the Direct Connect path. If your on-premises routing still forwards some of that traffic via the internet (a filtered prefix that falls to the default route, or a more-specific static route), the flow becomes asymmetric unless the on-premises side is carefully managed. Direct Connect itself does not encrypt traffic, so S3 backups over the Public VIF still rely on TLS at the application layer.
Key Trade-Offs:
- Private vs. Public Access: Private VIFs reach your VPCs and their private IP addresses; Public VIFs reach public AWS service endpoints. Choose the VIF type by the destination address: a VPC CIDR goes over the Private VIF, an AWS public prefix over the Public VIF, and anything else stays on your normal internet path.
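The two checks above (picking the VIF by destination, and catching the asymmetric-routing pitfall) are mechanical enough to script. The following is an added example, not code from the original page or from AWS: it models an on-premises team's pre-flight checks with the standard library only. The VPC CIDR, the "AWS" prefixes, the next-hop names and the on-premises route table are constructed sample data, not real AWS address space or real routing state, and the prefix validator uses an explicit list of non-public ranges rather than a full registry lookup.

```python
"""Added example (not from the original page): VIF selection, Public VIF input
validation and an asymmetric-routing check. All prefixes, next hops and route
tables here are constructed sample data."""
import ipaddress
import json

# Constructed sample state.
VPC_CIDRS = [ipaddress.ip_network("10.20.0.0/16")]           # reachable over the Private VIF
AWS_PUBLIC_PREFIXES = [                                       # learned over the Public VIF (sample values)
    ipaddress.ip_network("52.216.0.0/15"),
    ipaddress.ip_network("205.251.192.0/21"),
]
DX_NEXT_HOP = "dx-public-vif"
# Address space that must never be a Public VIF peer address or an advertised prefix.
NOT_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",          # RFC 1918
    "169.254.0.0/16",                                         # link-local: Private/Transit VIF peering only
    "100.64.0.0/10",                                          # shared address space (CGNAT)
)]


def choose_vif(destination):
    """Return which interface a packet to `destination` should leave on."""
    dst = ipaddress.ip_address(destination)
    if any(dst in net for net in VPC_CIDRS):
        return "private-vif"
    if any(dst in net for net in AWS_PUBLIC_PREFIXES):
        return "public-vif"
    return "internet"


def _not_public_reason(net, check_aws=True):
    """None if `net` is usable on a Public VIF, else a short reason string."""
    if net.version != 4:
        return "must be IPv4"
    if any(net.overlaps(r) for r in NOT_PUBLIC):
        return "private or link-local space, not usable on a Public VIF"
    if check_aws and any(net.overlaps(a) for a in AWS_PUBLIC_PREFIXES):
        return "overlaps an AWS prefix; only prefixes you own may be advertised"
    return None


def validate_public_prefixes(prefixes):
    """Problems with candidate routeFilterPrefixes (the prefixes you advertise to AWS)."""
    problems = []
    for p in prefixes:
        try:
            net = ipaddress.ip_network(p, strict=True)
        except ValueError as exc:
            problems.append(f"{p}: invalid CIDR ({exc})")
            continue
        reason = _not_public_reason(net)
        if reason:
            problems.append(f"{p}: {reason}")
    return problems


def build_public_vif_spec(name, vlan, asn, amazon_addr, customer_addr, prefixes):
    """Assemble the --new-public-virtual-interface JSON body, refusing bad input."""
    problems = validate_public_prefixes(prefixes)
    for label, addr in (("amazonAddress", amazon_addr), ("customerAddress", customer_addr)):
        reason = _not_public_reason(ipaddress.ip_interface(addr).network, check_aws=False)
        if reason:
            problems.append(f"{label} {addr}: {reason}")
    if problems:
        raise ValueError("; ".join(problems))
    return {"virtualInterfaceName": name, "vlan": vlan, "asn": asn,
            "amazonAddress": amazon_addr, "customerAddress": customer_addr,
            "routeFilterPrefixes": [{"cidr": p} for p in prefixes]}


def asymmetric_routing_risks(onprem_routes):
    """onprem_routes: list of (cidr, next_hop); earlier entries win ties.
    AWS returns traffic for your advertised prefixes over DX, so any AWS prefix
    that on-prem forwards anywhere other than the DX router is an asymmetric flow.
    Returns (aws_prefix, offending_onprem_route, next_hop) triples."""
    table = [(ipaddress.ip_network(c), nh) for c, nh in onprem_routes]
    risks = []
    for aws in AWS_PUBLIC_PREFIXES:
        # Longest-prefix match covering the whole AWS prefix (e.g. a default route).
        covering = [(n, nh) for n, nh in table if aws.subnet_of(n)]
        if covering:
            best, nh = max(covering, key=lambda r: r[0].prefixlen)
            if nh != DX_NEXT_HOP:
                risks.append((str(aws), str(best), nh))
        # More-specific on-prem routes that carve part of the prefix away from DX.
        for n, nh in table:
            if n.subnet_of(aws) and n != aws and nh != DX_NEXT_HOP:
                risks.append((str(aws), str(n), nh))
    return risks


# Constructed on-premises route table: one AWS prefix was never installed (falls
# to the default route) and someone added a static carve-out towards the internet.
SAMPLE_ONPREM_ROUTES = [
    ("0.0.0.0/0", "internet-edge"),
    ("52.216.0.0/15", DX_NEXT_HOP),
    ("52.216.100.0/24", "internet-edge"),
]

if __name__ == "__main__":
    spec = build_public_vif_spec("MyPublicServicesVIF", 20, 65000,
                                 "203.0.113.1/30", "203.0.113.2/30", ["203.0.113.0/24"])
    print(json.dumps(spec))
    for risk in asymmetric_routing_risks(SAMPLE_ONPREM_ROUTES):
        print("asymmetric:", risk)
```

Run as-is it prints the JSON body that the `--new-public-virtual-interface` argument expects and two findings: the filtered prefix that now follows the default route, and the /24 carve-out inside a prefix that is otherwise learned over DX. Feeding the same validator the link-local addresses from the Private VIF example makes `build_public_vif_spec` raise, which is the mistake the pitfall above is about.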
Reflection Question: How do Direct Connect (DX) connections provide the dedicated physical link, while Virtual Interfaces (VIFs) (Private and Public) fundamentally segment this link to enable logical access to different AWS services or VPCs over a single physical connection?