# Equinix Fabric

## Overview

Connect your Equinix-hosted systems to VGS APIs over AWS Direct Connect using your Equinix Fabric portal. With this model, network traffic never traverses the public internet.

### How it works

Your Equinix-hosted servers connect to VGS via a dedicated AWS Direct Connect connection originating from an Equinix facility. On the VGS side, the connection terminates at an AWS Transit Virtual Interface (Transit VIF) that feeds an AWS Transit Gateway. Direct Connect itself carries traffic in the clear, so an IPsec site-to-site VPN tunnel is established across the Direct Connect path to the Transit Gateway; that tunnel delivers your traffic into a dedicated Customer Private Access VPC, which hosts private load balancers and VPC endpoints fronting the VGS APIs.

### Architecture

```mermaid
graph TD
    A["Your Systems (Equinix)"] -->|"AWS Direct Connect Dedicated Connection"| B["AWS Direct Connect Location (VGS)"]
    B -->|"Transit VIF + BGP"| C["AWS Transit Gateway (VGS)"]
    C -->|"IPsec Encrypted VPN Tunnel"| D["Customer Private Access VPC (VGS)"]
    D -->|"NLB → ALB VPC Interface Endpoints"| E["VGS APIs (EKS Cluster)"]
```

### Setup

The following is the end-to-end provisioning flow, based on production deployments.

```mermaid
sequenceDiagram
    participant Customer as Your Team
    participant VGS as VGS
    participant AWS as AWS (VGS account)

    Customer->>AWS: Initiate AWS Direct Connect connection from your side
    Customer->>VGS: Share Direct Connect connection details
    VGS->>AWS: Accept Direct Connect connection — provision Transit VIF
    VGS-->>Customer: Provide BGP peer configuration
    Customer->>Customer: Configure BGP on your router / firewall
    Customer->>VGS: Provide BGP parameters (ASN, peer IP, CGW IP, VPN ASN, LAN CIDRs)
    VGS->>AWS: Configure Transit Gateway + IPsec VPN tunnel
    VGS->>AWS: Deploy Customer Private Access VPC + NLB + ALB + VPC endpoints
    VGS-->>Customer: Provide private DNS endpoint (e.g. customer01.prod.vgsapiprivate.com)
    Customer->>VGS: Validate connectivity to private DNS endpoint
    VGS-->>Customer: Confirm traffic flowing to CMP APIs ✅
```

Steps:

1. Initiate the AWS Direct Connect connection from your side. In your Equinix account, create an AWS Direct Connect connection to the Equinix facility where VGS has its Direct Connect presence. VGS will provide the AWS account ID to send the connection request to.
2. Share connection details with VGS. Once initiated, share the Direct Connect connection ID with your VGS implementation contact.
3. VGS accepts the connection and provisions a Transit VIF. VGS accepts the hosted connection in the VGS AWS account and creates a Transit Virtual Interface (Transit VIF) attached to the AWS Transit Gateway.
4. Exchange BGP configuration. VGS will provide BGP peer IPs and AS numbers. You will need to provide the following to VGS:
   * Your BGP ASN for Direct Connect peering
   * Direct Connect BGP peer IP and subnet (e.g. a `/29` from the `169.254.x.x` range)
   * Your Customer Gateway IP (CGW IP)
   * Your VPN BGP ASN
   * Your LAN network CIDR(s), provided separately for non-prod and production
5. Configure BGP on your router or firewall. Apply the BGP peer configuration VGS provides to establish the BGP session over the Direct Connect link.
6. VGS configures the Transit Gateway and IPsec VPN tunnel. VGS attaches the Transit VIF to the Transit Gateway and configures an IPsec site-to-site VPN tunnel so that traffic is encrypted in transit across the Direct Connect link.
7. VGS deploys your Customer Private Access VPC. VGS provisions a dedicated VPC with a private Network Load Balancer (NLB), an Application Load Balancer (ALB), and VPC interface endpoints fronting the CMP EKS cluster.
8. VGS provides your private DNS endpoint. You will receive a private hostname (e.g. `customer01.prod.vgsapiprivate.com`) resolvable only from within your connected network.
9. Provision a second connection for production. Separate Direct Connect connections are required for non-prod and production environments; repeat the steps above for each environment.
10. Validate connectivity. Connect to the private DNS endpoint from your Equinix environment and confirm the name resolves to a private address rather than a public one. VGS will confirm traffic is arriving at the CMP cluster.
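The validation step can be scripted. The following is an added example, not VGS's own tooling: it resolves the private hostname, refuses to proceed if any answer falls outside RFC 1918 space (a public answer means the name was resolved by public DNS rather than the private zone, so the request would not take the Direct Connect path), and then opens a verified TLS session to each private address with SNI set to the hostname. The hostname is the page's example; the assumption that the Customer Private Access VPC uses RFC 1918 addressing is mine. Adjust both for your deployment and run it from a host inside your Equinix environment.

```python
"""Check that the VGS private endpoint is reached over the private path.

Added example, not part of the VGS documentation. Assumptions: the hostname
follows the page's example and the Customer Private Access VPC uses RFC 1918
addressing. Run it from a host inside your Equinix environment.
"""
import ipaddress
import socket
import ssl

PRIVATE_ENDPOINT = "customer01.prod.vgsapiprivate.com"  # example hostname from the page
HTTPS_PORT = 443

# Assumption: the private load balancer answers from one of these ranges.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_private_v4(addr):
    """True if addr is an IPv4 address inside an RFC 1918 range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.version == 4 and any(ip in net for net in RFC1918)


def check_resolution(addrs):
    """Return (ok, offenders): ok only when at least one address resolved and all are private.

    A public answer means the name came from public DNS rather than the private
    zone, so the request would not take the Direct Connect path.
    """
    offenders = [a for a in addrs if not is_private_v4(a)]
    return (len(addrs) > 0 and not offenders, offenders)


def resolve(hostname):
    """Resolve hostname to its IPv4 addresses (live DNS lookup)."""
    infos = socket.getaddrinfo(hostname, HTTPS_PORT, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def tls_probe(hostname, addr, timeout=5.0):
    """Open a verified TLS session to addr with SNI=hostname; return what was negotiated."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((addr, HTTPS_PORT), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
            return {
                "addr": addr,
                "protocol": tls.version(),
                "san": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
            }


def main():
    addrs = resolve(PRIVATE_ENDPOINT)
    ok, offenders = check_resolution(addrs)
    print(f"{PRIVATE_ENDPOINT} -> {addrs}")
    if not ok:
        print(f"refusing to connect: non-private answers {offenders}")
        return 1
    for addr in addrs:
        info = tls_probe(PRIVATE_ENDPOINT, addr)
        print(f"TLS {info['protocol']} to {addr}, certificate SANs {info['san']}")
    return 0


if __name__ == "__main__":
    raise SystemExit(main())
```

The script fails closed: if the private zone is not resolvable from the host, the lookup either errors out or returns a non-private answer, and in both cases nothing is sent. A successful run shows every answer inside RFC 1918 space and a verified TLS handshake to each one, which is what VGS needs to see before confirming traffic at the CMP cluster.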

***

### Requirements

| Item             | Requirement                                                               |
| ---------------- | ------------------------------------------------------------------------- |
| Equinix facility | e.g. DC2 / DC6                                                            |
| Connection type  | AWS Direct Connect, 1 Gbps or 10 Gbps                                     |
| AWS region       | VGS primary: `us-east-1`                                                  |
| AWS routing      | AWS Transit Gateway with Transit VIF + BGP                                |
| Encryption       | IPsec site-to-site VPN tunnel on top of Direct Connect                    |
| BGP              | Required: you must provide ASN, peer IP, CGW IP, VPN ASN, LAN CIDRs       |
| Environments     | Separate connections required for non-prod and production                 |
| DNS              | Private hostname, e.g. `customer01.prod.vgsapiprivate.com`                |
| Redundancy       | Dual connections recommended for production HA                            |

### What to provide VGS

To get started, contact your VGS implementation or solutions engineering contact with:

* Your Equinix facility location (e.g. DC2 or DC6)
* BGP ASN for Direct Connect peering
* Direct Connect BGP peer IP and subnet
* Customer Gateway IP (CGW IP)
* VPN BGP ASN
* LAN network CIDR(s) - provide separately for non-prod and production environments
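Before sending these parameters it is worth sanity-checking them, since a typo in a CIDR or a peer IP outside the agreed `/29` costs a round trip with VGS. The script below is an added example (not VGS code) with a constructed sample parameter sheet; the field names are my own. It checks only what this page states plus basic ASN number ranges: both ASNs are in range, the peering subnet is a `/29` inside `169.254.0.0/16` with your peer IP a usable host in it, the CGW IP is an IPv4 address outside the link-local range, and the LAN CIDRs are valid networks that do not overlap one another or the peering range.

```python
"""Sanity-check the BGP hand-off parameters before sending them to VGS.

Added example, not VGS code. The parameter sheet below is constructed for
illustration and the field names are my own; the checks encode only what the
page states (a /29 peering subnet from 169.254.0.0/16, separate LAN CIDRs per
environment) plus basic ASN number ranges.
"""
import ipaddress

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # Direct Connect BGP peering range

# Constructed sample values (documentation addresses, not a real deployment).
SAMPLE_PARAMS = {
    "dx_bgp_asn": 65010,                  # your ASN for the Direct Connect peering
    "dx_peer_subnet": "169.254.10.0/29",  # the /29 used for the BGP session
    "dx_peer_ip": "169.254.10.2",         # your router's address inside that /29
    "cgw_ip": "203.0.113.10",             # your Customer Gateway IP (TEST-NET-3 here)
    "vpn_bgp_asn": 65011,                 # your ASN for the IPsec VPN BGP session
    "lan_cidrs": {                        # provided separately per environment
        "nonprod": ["10.10.0.0/16"],
        "prod": ["10.20.0.0/16", "10.21.0.0/16"],
    },
}


def valid_asn(asn):
    """Basic range check: a 2-byte or 4-byte ASN, excluding 0 and the reserved top value."""
    return isinstance(asn, int) and 1 <= asn <= 4294967294


def validate(params):
    """Return a list of problems; an empty list means the sheet is internally consistent."""
    problems = []

    for key in ("dx_bgp_asn", "vpn_bgp_asn"):
        if not valid_asn(params[key]):
            problems.append(f"{key}={params[key]!r} is not a valid ASN")

    # Peering subnet: a /29 carved from 169.254.0.0/16, with your peer IP a usable host in it.
    try:
        subnet = ipaddress.ip_network(params["dx_peer_subnet"], strict=True)
    except ValueError as exc:
        problems.append(f"dx_peer_subnet: {exc}")
        subnet = None
    if subnet is not None:
        if subnet.version != 4 or subnet.prefixlen != 29 or not subnet.subnet_of(LINK_LOCAL):
            problems.append(f"dx_peer_subnet {subnet} must be a /29 inside {LINK_LOCAL}")
        peer = ipaddress.ip_address(params["dx_peer_ip"])
        if peer not in subnet.hosts():
            problems.append(f"dx_peer_ip {peer} is not a usable host in {subnet}")

    cgw = ipaddress.ip_address(params["cgw_ip"])
    if cgw.version != 4 or cgw in LINK_LOCAL:
        problems.append(f"cgw_ip {cgw} must be an IPv4 address outside {LINK_LOCAL}")

    # LAN CIDRs: valid network addresses, none overlapping another (within or across
    # environments) and none colliding with the peering range.
    seen = []
    for env, cidrs in params["lan_cidrs"].items():
        for cidr in cidrs:
            try:
                net = ipaddress.ip_network(cidr, strict=True)
            except ValueError as exc:
                problems.append(f"{env} CIDR {cidr!r}: {exc}")
                continue
            if net.overlaps(LINK_LOCAL):
                problems.append(f"{env} CIDR {net} overlaps the peering range {LINK_LOCAL}")
            for other_env, other in seen:
                if net.overlaps(other):
                    problems.append(f"{env} CIDR {net} overlaps {other_env} CIDR {other}")
            seen.append((env, net))
    return problems


if __name__ == "__main__":
    issues = validate(SAMPLE_PARAMS)
    print("ok" if not issues else "\n".join(issues))
```

Replace the sample values with your own before running; an empty problem list means the sheet is internally consistent, not that VGS will accept it, since VGS may apply further constraints on the AWS side that this page does not spell out.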


