Profile Applicability:

  • Level 1

Description:

AWS Direct Connect allows you to establish a dedicated network connection from your premises to AWS. A virtual interface (VIF) is a logical connection that is used to connect your on-premises network to AWS resources, such as EC2 instances and VPCs.

To ensure high availability and minimize the risk of network failures, it is essential to configure redundant virtual interfaces (VIFs). By configuring redundant VIFs, you ensure that there is a backup connection available in case the primary connection goes down. This redundancy improves the availability and reliability of network connectivity between your on-premises infrastructure and AWS.

This SOP ensures that Virtual Interfaces (VIFs) are configured for redundancy in AWS Direct Connect to provide seamless failover and high availability.

Rationale:

Enabling redundant VIFs in Direct Connect is essential for:

  • Increased Availability: Ensures network availability even if one virtual interface or physical connection goes down.

  • Business Continuity: Reduces downtime during network failures, ensuring continuous access to AWS services.

  • High Performance: Distributes traffic across multiple interfaces, improving overall performance and load balancing.

  • Compliance: Meets compliance requirements for high availability and disaster recovery strategies in environments where downtime can have critical consequences.

Impact:

Pros:

  • Enhanced Availability: Provides continuous connectivity by ensuring that an alternative VIF is available in case of failure.

  • Traffic Distribution: Load balances traffic across multiple VIFs, potentially improving network performance.

  • Minimized Downtime: Reduces the impact of network failures and ensures that critical services remain accessible.

Cons:

  • Additional Costs: Redundant connections and VIFs will incur additional charges for data transfer and Direct Connect connections.

  • Complex Configuration: Requires careful setup and management of VIFs, LAGs (Link Aggregation Groups), and routing for redundancy.

Default Value:

By default, Direct Connect connections do not automatically provide redundancy. You need to manually configure multiple VIFs for redundancy across different locations or regions to ensure high availability.

Pre-requisite:

  • AWS IAM Permissions:

    • directconnect:CreateVirtualInterface

    • directconnect:DescribeVirtualInterfaces

    • directconnect:CreateLag

    • directconnect:DescribeConnections

    • directconnect:DescribeLags

  • AWS CLI installed and configured.

  • Knowledge of AWS Direct Connect, VIFs, and network architecture.

  • Existing Direct Connect connection(s).

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Direct Connect under Services.

  3. In the Direct Connect Dashboard, check the Virtual Interfaces (VIFs) section.

  4. Review your Virtual Interfaces and ensure that multiple VIFs are created for redundancy.

  5. Verify that each VIF is associated with Link Aggregation Groups (LAGs) or a separate Direct Connect connection for high availability.

  6. Check the Route Tables to confirm that traffic can fail over between redundant VIFs if one fails.

  7. Ensure that BGP (Border Gateway Protocol) is configured to automatically switch to a secondary VIF if the primary VIF fails.

Using AWS CLI:

To list all Virtual Interfaces associated with your Direct Connect connections, run:

aws directconnect describe-virtual-interfaces

Verify that multiple VIFs are created for redundancy, particularly:

  • Private Virtual Interfaces: Used for connecting to private VPCs.

  • Public Virtual Interfaces: Used for connecting to AWS public services like S3.

Check for Link Aggregation Group (LAG) configuration, which allows multiple physical connections to be bundled together for redundancy:

aws directconnect describe-lags

Confirm that BGP is properly configured to allow automatic failover between VIFs; each VIF's bgpPeers entry reports its BGP session status (bgpStatus up/down), so every redundant VIF should show an established session:

aws directconnect describe-virtual-interfaces --query 'virtualInterfaces[?bgpPeers!=null]'

To confirm the configuration of redundant connections, run:

aws directconnect describe-connections
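A verification script for the CLI checks above, added here as an example and not part of the SOP: it parses the JSON that aws directconnect describe-virtual-interfaces prints and reports, per gateway, whether redundant VIFs exist on distinct connections (or LAGs) with BGP up. The sample payload is constructed; field names follow the AWS CLI output, and the IDs and locations are made up.

```python
"""Audit Direct Connect VIF redundancy from describe-virtual-interfaces JSON."""
import json
from collections import defaultdict

# Constructed sample shaped like `aws directconnect describe-virtual-interfaces`
# output (field names follow the AWS CLI); IDs and locations are made up.
SAMPLE = json.loads("""
{"virtualInterfaces": [
  {"virtualInterfaceId": "dxvif-aaaa0001", "virtualInterfaceState": "available",
   "connectionId": "dxcon-conn0001", "location": "EqDC2", "virtualGatewayId": "vgw-0001",
   "bgpPeers": [{"bgpStatus": "up", "bgpPeerState": "available"}]},
  {"virtualInterfaceId": "dxvif-aaaa0002", "virtualInterfaceState": "available",
   "connectionId": "dxcon-conn0002", "location": "EqDA2", "virtualGatewayId": "vgw-0001",
   "bgpPeers": [{"bgpStatus": "up", "bgpPeerState": "available"}]},
  {"virtualInterfaceId": "dxvif-bbbb0001", "virtualInterfaceState": "available",
   "connectionId": "dxcon-conn0001", "location": "EqDC2", "directConnectGatewayId": "dxgw-0001",
   "bgpPeers": [{"bgpStatus": "down", "bgpPeerState": "available"}]}
]}
""")

def gateway_of(vif):
    """Group key: a private VIF terminates on a VGW or a Direct Connect gateway;
    public VIFs (neither field set) are grouped together."""
    return vif.get("directConnectGatewayId") or vif.get("virtualGatewayId") or "public"

def audit_redundancy(payload):
    """Return {gateway: verdict}. PASS needs two or more available VIFs with every
    BGP peer up, on distinct connections (VIFs on a LAG report the LAG id as
    connectionId, so two VIFs on one LAG are not redundant) in distinct locations."""
    by_gw = defaultdict(list)
    for vif in payload["virtualInterfaces"]:
        by_gw[gateway_of(vif)].append(vif)
    verdicts = {}
    for gw, vifs in by_gw.items():
        healthy = [v for v in vifs if v["virtualInterfaceState"] == "available"
                   and all(p["bgpStatus"] == "up" for p in v["bgpPeers"])]
        conns = {v["connectionId"] for v in healthy}
        sites = {v.get("location") for v in healthy}
        if len(vifs) < 2:
            verdicts[gw] = "FAIL: single VIF, no redundancy"
        elif len({v["connectionId"] for v in vifs}) < 2:
            verdicts[gw] = "FAIL: all VIFs share one connection/LAG"
        elif len(conns) < 2:
            verdicts[gw] = "FAIL: only %d VIF(s) available with BGP up" % len(healthy)
        elif len(sites) < 2:
            verdicts[gw] = "WARN: redundant VIFs, but all in one Direct Connect location"
        else:
            verdicts[gw] = "PASS: %d healthy VIFs across %d connections" % (len(healthy), len(conns))
    return verdicts
```

With real output, load the CLI's JSON with json.load and pass it to audit_redundancy; the same check is the post-change verification for the Implementation Steps below.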


Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to Direct Connect.

  2. In the Virtual Interfaces section, ensure that multiple VIFs are set up across different locations for redundancy.

  3. To create a redundant VIF, follow the process:

    • Click Create Virtual Interface.

    • Choose the connection type (private, public).

    • Associate the VIF with your Direct Connect connection.

    • For private VIFs, associate them with the correct VPC.

  4. For redundant connections, create a Link Aggregation Group (LAG) using:

    • Create LAG to bundle multiple physical connections for redundancy.

    • Verify that your VIFs are correctly associated with the LAG.

  5. Ensure BGP (Border Gateway Protocol) settings are correctly configured for automatic failover.

Using AWS CLI:

To create a redundant private virtual interface (VIF) on a second Direct Connect connection or LAG, run (the AWS CLI has separate create-private-virtual-interface and create-public-virtual-interface commands, and the VIF parameters are passed as one shorthand structure):

aws directconnect create-private-virtual-interface --connection-id <connection-id> --new-private-virtual-interface virtualInterfaceName=<vif-name>,vlan=<vlan-id>,asn=<bgp-asn>,addressFamily=ipv4,amazonAddress=<amazon-peer-ip>/30,customerAddress=<customer-peer-ip>/30,virtualGatewayId=<vgw-id>

Use directConnectGatewayId=<dxgw-id> in place of virtualGatewayId when the VIF attaches to a Direct Connect gateway. For a public VIF, use create-public-virtual-interface with --new-public-virtual-interface and include the prefixes to advertise (routeFilterPrefixes).

To create a Link Aggregation Group (LAG) of new connections at one Direct Connect location, run (the CLI provisions the requested number of connections, each of the given bandwidth):

aws directconnect create-lag --lag-name <lag-name> --location <location-id> --number-of-connections 2 --connections-bandwidth <bandwidth, e.g. 1Gbps>

To fold an existing connection into the LAG, add --connection-id <connection-id> to create-lag, or run aws directconnect associate-connection-with-lag --connection-id <connection-id> --lag-id <lag-id>. A LAG only bundles connections that terminate at the same location, so it protects against a single link failure; failover across locations still requires a second connection or LAG at another location.

To check that BGP failover is properly set up, verify the BGP peers associated with each VIF and confirm that each peer's bgpStatus is up:

aws directconnect describe-virtual-interfaces --query 'virtualInterfaces[?bgpPeers!=null]'

Confirm that your LAG configuration is correct by running:

aws directconnect describe-lags


Backout Plan:

If the configuration of redundant VIFs or LAGs causes issues (e.g., routing or connectivity problems):

Identify the affected VIFs or LAGs.

To remove a Virtual Interface, run:

aws directconnect delete-virtual-interface --virtual-interface-id <vif-id>


To remove a Link Aggregation Group (LAG), run:

aws directconnect delete-lag --lag-id <lag-id>

Recheck the Direct Connect connections and ensure that the remaining interfaces are properly configured for redundancy.

Note:

  • Monitoring: Set up CloudWatch metrics for your Direct Connect connections and Virtual Interfaces (VIFs) to monitor performance and availability.

  • Cost Considerations: Ensure that the configuration of redundant connections and LAGs is cost-effective for your needs, as multiple connections may incur additional charges.

References:

CIS Controls Mapping:

Version | Control ID | Control Description                                                                                                            | IG1 | IG2 | IG3
------- | ---------- | ------------------------------------------------------------------------------------------------------------------------------ | --- | --- | ---
v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                                           |     |     |
v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. |     |     |
v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.                       |     |     |
v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems.                                |     |     |