Equinix Fabric

Overview

Connect your Equinix-hosted systems to VGS APIs over AWS Direct Connect using your Equinix Fabric portal. With this model, network traffic never traverses the public internet.

How it works

Your Equinix-hosted servers connect to VGS via a dedicated AWS Direct Connect connection originating from an Equinix facility. On the VGS side, the connection terminates at an AWS Transit VIF attached to an AWS Transit Gateway. An IPsec-encrypted VPN tunnel runs over the Transit Gateway into a dedicated Customer Private Access VPC, which hosts the private load balancers and VPC endpoints fronting the VGS APIs.

Architecture

Setup

The following is the end-to-end provisioning flow based on production deployments.

Steps:

  1. Initiate the AWS Direct Connect connection from your side. In your Equinix account, create an AWS Direct Connect connection targeting the Equinix facility (aligns with VGS presence). VGS will provide the AWS account ID to send the connection request to.

  2. Share connection details with VGS. Once initiated, share the Direct Connect connection ID with your VGS implementation contact.

  3. VGS accepts the connection and provisions a Transit VIF. VGS accepts the hosted connection in the VGS AWS account and creates a Transit Virtual Interface (Transit VIF) attached to the AWS Transit Gateway.

  4. Exchange BGP configuration. VGS will provide BGP peer IPs and AS numbers. You will need to provide the following to VGS:

     • Your BGP ASN for Direct Connect peering
     • Direct Connect BGP peer IP and subnet (e.g. a /29 from the 169.254.x.x range)
     • Your Customer Gateway IP (CGW IP)
     • Your VPN BGP ASN
     • Your LAN network CIDR(s) — provide separately for non-prod and production

  5. Configure BGP on your router or firewall. Apply the BGP peer configuration VGS provides to establish the BGP session over the Direct Connect link.

  6. VGS configures the Transit Gateway and IPsec VPN tunnel. VGS attaches the Transit VIF to the Transit Gateway and configures an IPsec site-to-site VPN tunnel for encryption in transit.

  7. VGS deploys your Customer Private Access VPC. VGS provisions a dedicated VPC with a private Network Load Balancer (NLB), an Application Load Balancer (ALB), and VPC interface endpoints fronting the CMP EKS cluster.

  8. VGS provides your private DNS endpoint. You will receive a private hostname (e.g. customer01.prod.vgsapiprivate.com) resolvable only from within your connected network.

  9. Provision a second connection for production. Separate Direct Connect connections are required for non-prod and production environments. Repeat the steps above for each environment.

  10. Validate connectivity. Connect to the private DNS endpoint from your Equinix environment. VGS will confirm traffic is arriving at the CMP cluster.

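As a pre-flight check for the values you hand over in the BGP exchange step, here is an added Python example (not VGS tooling; the field names, the ASN reservation rules and the sample addresses are assumptions) that validates a peering request before it is sent:

```python
import ipaddress
from dataclasses import dataclass, field
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
RESERVED_ASNS = {0, 23456, 65535, 4294967295}  # RFC 7607, RFC 6793, RFC 7300

@dataclass
class PeeringRequest:  # the values VGS asks for in the "Exchange BGP configuration" step
    dx_asn: int        # your BGP ASN for Direct Connect peering
    dx_peer_ip: str    # your Direct Connect BGP peer IP with its subnet, e.g. "169.254.10.2/29"
    cgw_ip: str        # your Customer Gateway IP (CGW IP) for the IPsec VPN
    vpn_asn: int       # your VPN BGP ASN
    lan_cidrs: dict = field(default_factory=dict)  # {"non-prod": [...], "prod": [...]}

def validate(req: PeeringRequest) -> list[str]:
    """Return the problems found; an empty list means the request is self-consistent."""
    problems, peer = [], None
    for label, asn in (("dx_asn", req.dx_asn), ("vpn_asn", req.vpn_asn)):
        if not 1 <= asn <= 4294967295 or asn in RESERVED_ASNS:
            problems.append(f"{label} {asn} is reserved or out of range")
    try:
        peer = ipaddress.ip_interface(req.dx_peer_ip)
        if not peer.network.subnet_of(LINK_LOCAL):
            problems.append(f"dx_peer_ip {req.dx_peer_ip} is not inside 169.254.0.0/16")
        if peer.network.prefixlen < 29:
            problems.append(f"dx_peer_ip prefix /{peer.network.prefixlen} is wider than the expected /29")
    except (ValueError, TypeError):
        problems.append(f"dx_peer_ip {req.dx_peer_ip!r} is not a valid address/prefix")
    try:
        cgw = ipaddress.ip_address(req.cgw_ip)
        if cgw.is_link_local or cgw.is_loopback or cgw.is_multicast or cgw.is_unspecified:
            problems.append(f"cgw_ip {req.cgw_ip} cannot terminate an IPsec tunnel")
    except ValueError:
        problems.append(f"cgw_ip {req.cgw_ip!r} is not a valid address")
    nets = {"non-prod": [], "prod": []}
    for env, cidrs in req.lan_cidrs.items():
        for cidr in cidrs:
            try:
                net = ipaddress.ip_network(cidr)  # strict: host bits set is rejected
            except ValueError:
                problems.append(f"{env} LAN CIDR {cidr!r} is not a valid network")
                continue
            if peer and net.overlaps(peer.network):
                problems.append(f"{env} LAN CIDR {cidr} overlaps the Direct Connect peer subnet")
            nets.setdefault(env, []).append(net)
    problems += [f"no LAN CIDR given for {e}; list each environment separately" for e in nets if not nets[e]]
    for a in nets["non-prod"]:
        for b in nets["prod"]:
            if a.overlaps(b):
                problems.append(f"non-prod {a} overlaps prod {b}")
    return problems
```

The overlap check between non-prod and prod is an assumption of this example; the page only requires the two lists to be supplied separately.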
Requirements

Equinix facility: e.g. DC2 / DC6

Connection type: AWS Direct Connect — 1 Gbps or 10 Gbps

AWS region: us-east-1 (VGS primary)

AWS routing: AWS Transit Gateway with Transit VIF + BGP

Encryption: IPsec site-to-site VPN tunnel on top of Direct Connect

BGP: Required — customer must provide ASN, peer IP, CGW IP, VPN ASN, LAN CIDRs

Environments: Separate connections required for non-prod and production

DNS: Private hostname, e.g. customer01.prod.vgsapiprivate.com

Redundancy: Dual connections recommended for production HA

What to provide VGS

To get started, contact your VGS implementation or solutions engineering contact with:

  • Your Equinix facility location (e.g. DC2 or DC6)

  • BGP ASN for Direct Connect peering

  • Direct Connect BGP peer IP and subnet

  • Customer Gateway IP (CGW IP)

  • VPN BGP ASN

  • LAN network CIDR(s) - provide separately for non-prod and production environments