AWS Direct Connect updates help globe-spanning users

Improvements to AWS Direct Connect link VPCs in multiple regions, keep traffic within AWS' network and reduce administrative work to manage these secure connections to the cloud.

AWS customers with an international presence can now more simply establish secure network connections for workloads that span multiple regions.

An update to AWS Direct Connect enables enterprises to attach a single dedicated connection to Amazon Virtual Private Clouds (VPCs) in multiple regions and cut down on administrative tasks. Enterprises have clamored for this capability, because the previous approach required them to set up a separate connection in each region and then peer VPCs across regions.

This feature, called AWS Direct Connect Gateways, is critical for large companies that want business continuity with data and applications available across AWS regions, said Brad Casemore, an analyst with IDC.

"This is a critical capability for them as they set up direct connections to AWS services," he said. "They want to ensure they can work across zones as dynamic application requirements dictate."

All the major public cloud vendors offer their own flavor of a dedicated networking service for enterprise customers to improve security, bandwidth and performance. The new AWS Direct Connect Gateways are global objects that span all public regions, with inter-region traffic carried on the AWS network backbone rather than over the public internet.

At Onica, an AWS consulting partner in Santa Monica, Calif., most of its enterprise customers have requested this capability because of the challenges created by the old model, said Kevin Epstein, Onica's CTO.


Previously, users had to rely on IPsec virtual private networks to achieve the same result. That could still create real problems if, say, a master database is in one region and services in other regions depend on it. Users must either replicate that database across AWS regions or accept a degree of latency that's unacceptable for certain workloads.

Amazon built its AWS regions to be self-contained to avoid cascading failures, and while that model helped limit the impact of the major AWS outage earlier this year, it hampers customers in other ways, Epstein said.

In the past, when other vendors added similar capabilities, AWS argued that segmentation between regions was the best way to operate on its platform securely. These gateways represent a change in that strategy.

"This, to me, is the first major step in nodding to the global players and saying, 'We understand the challenges, and we're going to take down those barriers for you,'" Epstein said.

AWS Direct Connect Gateways require IP address ranges that don't overlap, and all the VPCs must be in the same account. Amazon said it plans to add more flexibility here eventually.

The overlap issue may be a problem for large startups that haven't considered IP address spacing, but it shouldn't cause too many problems at large enterprises that already have a mature outlook on network allocation, Epstein said.
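The two constraints above (no overlapping address ranges, and every VPC in the same account) are easy to verify before touching the gateway. The following pre-flight check is an added example, not AWS's own tooling; it assumes a VPC inventory has already been collected (for instance from describe-vpcs in each region) and uses a constructed sample inventory whose VPC IDs, account numbers and CIDRs are made up.

```python
"""Pre-flight check for VPCs that are to share one Direct Connect gateway.

Added example, not AWS code. Flags the two launch-time constraints the
article describes: overlapping CIDR blocks and VPCs outside the owning
account. The inventory format (vpc_id/account/region/cidr) is assumed.
"""
import ipaddress
from itertools import combinations

# Constructed sample inventory; IDs, account numbers and ranges are made up.
SAMPLE_VPCS = [
    {"vpc_id": "vpc-0a1b", "account": "111111111111", "region": "us-east-1", "cidr": "10.0.0.0/16"},
    {"vpc_id": "vpc-0c2d", "account": "111111111111", "region": "eu-west-1", "cidr": "10.1.0.0/16"},
    # Sits inside vpc-0c2d's /16, so these two cannot share a gateway.
    {"vpc_id": "vpc-0e3f", "account": "111111111111", "region": "ap-southeast-1", "cidr": "10.1.128.0/17"},
    # Owned by a different account, which the launch-time rules disallow.
    {"vpc_id": "vpc-0a4b", "account": "222222222222", "region": "us-west-2", "cidr": "10.2.0.0/16"},
]


def find_overlaps(vpcs):
    """Return (vpc_id_a, vpc_id_b) pairs whose CIDR blocks overlap.

    strict=True rejects a CIDR with host bits set (e.g. 10.1.5.0/16), which
    usually means the inventory itself is wrong and should be fixed first.
    """
    nets = [(v["vpc_id"], ipaddress.ip_network(v["cidr"], strict=True)) for v in vpcs]
    return [(a, b) for (a, net_a), (b, net_b) in combinations(nets, 2) if net_a.overlaps(net_b)]


def find_foreign_accounts(vpcs, owner_account):
    """Return IDs of VPCs not owned by the account that owns the gateway."""
    return [v["vpc_id"] for v in vpcs if v["account"] != owner_account]


def check_dx_gateway_candidates(vpcs, owner_account):
    """Collect every reason the given VPC set cannot hang off one gateway.

    An empty list means both constraints are satisfied.
    """
    problems = []
    for a, b in find_overlaps(vpcs):
        problems.append(f"overlap: {a} and {b} have overlapping CIDR blocks")
    for vpc_id in find_foreign_accounts(vpcs, owner_account):
        problems.append(f"account: {vpc_id} is not owned by {owner_account}")
    return problems


if __name__ == "__main__":
    for line in check_dx_gateway_candidates(SAMPLE_VPCS, "111111111111"):
        print(line)
```

The same overlap test is worth running against the prefixes advertised from the on-premises side, since a VPC block that collides with a corporate range cannot be routed across the connection either.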

And while these gateways focus on connections into the cloud, Amazon is also making network changes within its cloud. AWS PrivateLink creates interface endpoints inside a VPC: elastic network interfaces with private IP addresses in a VPC subnet, through which AWS services are reached without leaving the VPC.

PrivateLink can be connected via API to Kinesis, Service Catalog, Elastic Compute Cloud, EC2 Systems Manager and Elastic Load Balancing, with Key Management Service, CloudWatch and others to follow. That lets customers manage AWS offerings without any of that traffic traveling over the internet, and it cuts down on costly egress fees.

"This is mostly about keeping the traffic within the AWS network," Casemore said. "Customers incur additional charges when data must traverse the internet."

Google addresses intrazone latency


Customers with global footprints or latency-sensitive apps have forced many cloud vendors, not just AWS, to look closer at networking. Google Cloud Platform, a distant third in the public cloud market behind AWS and Microsoft Azure, has made a number of moves in the past three months to bolster its networking capabilities.

GCP this month said the latest version of Andromeda, its internal software-defined network stack, reduces intrazone network latency between VMs by 40%. Zones are Google's equivalent of AWS Availability Zones, the isolated locations within a region.

With this move, Google hopes to attract developers that prefer private hosting with bare metal over the public cloud to build latency-sensitive applications for high-performance computing, financial transactions or gaming.

Customers will have to calculate whether these improvements go far enough to address cost, bandwidth and latency, but it's clear cloud vendors are focused on network innovations, Casemore said.

"It's all about pulling a greater share of new and existing apps to the public cloud," he said. "The network has certainly become an enabler, and, as they're finding out, it still requires enhancements if they want to continue to expand their footprint."

Trevor Jones is a senior news writer with SearchCloudComputing and SearchAWS. Contact him at [email protected].
