Use Internet2 SiteID

Already have an Internet2 SiteID?
Sign in here.

Internet2 SiteID

Amazon AWS Direct Connect


Amazon AWS Direct Connect

Cloud Exchange

The Cloud Exchange provides Layer 3 routed access to Amazon via direct peering with these providers. Consider using the Cloud Exchange when accessing cloud providers if your applications don’t require your campus private network to be extended into the cloud. Additionally, if your application requires network layer encryption implemented with VPN tunneling, the Cloud Exchange can provide multiple high capacity paths for your tunnels into these cloud providers.

Cloud Connect

Using your regional's infrastructure in conjunction with the Internet2 Network, you can reach cloud resources, including Amazon AWS Direct Connect The robust regional and national networks allow access to these cloud providers available in the locations on the map (please see below). Depending on your preference, you can implement either a Layer 2 or Layer 3 solution. In addition, you will need to subscribe to the cloud provider's service.

Amazon AWS Direct Connect Service Locations



Connecting to Amazon AWS Direct Connect

Internet2 offers both a layer 2 and a layer 3 connectivity option.

Layer 2 Amazon AWS Direct Connect Connection

The layer 2 option consists of layer 2 VLANs connecting the campus routers to routers inside the Amazon AWS cloud. The campus and Amazon exchange routes via BGP.

Layer 3 Amazon AWS Direct Connect Connection

With the layer 3 option, Internet2 creates an L3VPN unique for each campus. The L3VPN BGP peers with Amazon AWS and the campus, in turn, BGP peers with the L3VPN. The regional network, if any, passes the VLANs through between the campus and Internet2. One advantage of this option will be discussed further below.

Additional Layer 3 Connectivity

Another advantage of the Layer 3 option is the possibility of connecting to other Amazon AWS regions and other cloud service providers. In this case, the Internet2 L3VPN peers with the additional sites/providers and the campus simply continues to peer with the L3VPN over the existing VLANs. Doing this with Layer 2 would require possibly many additional VLANs connecting the campus to provider routers.

Presentations - Webinars

  • A conversation with Emory's Jimmy Kincaid on using VPNs instead of Direct Connect
    • "With the recent announcements from Internet2 about their Cloud Connect program, the “When Direct Connect?” vs. “When VPN?” has been the subject of vigorous discussion in the cloud community.  Emory University has constructed an impressive environment to automate the provisioning and use of AWS by their research community. As part of their extensive research, testing and configuration, Emory decided to use VPNs for these accounts over AWS Direct Connect at this time. Jimmy Kincaid did the analysis for Emory and has graciously agreed to join us for a call to explain his findings and explain how they made their decision and implemented it." 
      Bob Flynn, Manager of Cloud Technology Support, Indiana University
  • Webinar by Yale: Hybrid approach to cloud resources
    • "Yale University had the need to reduce seven data centers on campus to two primary facilities and establish disaster recovery for critical services. With the availability of cloud resources, Yale was able to provide a comprehensive plan for consolidation of onsite resources and make available multiple cloud providers. Providing a hybrid approach with on premise Data Centers and extending to cloud providers, Yale is able to offer its community availability for disaster recovery, scalability of onsite resources, and self-service resources such as servers and storage. Attendees to this session will learn the challenges and opportunities of considering hybrid cloud options."
      Louis Tiseo, Director, Cloud Technologies, Yale University

For service information and fees, send email to


For information about access to Amazon AWS Direct Connect  please contact for more information.


Amazon AWS Direct Connect FAQ

What are the primary differentiators between the NET+ AWS agreement through DLT and the newly offered Cloud Connect service?

The Cloud Connect service is complimentary to the NET+ AWS Service. Cloud Connect uses your regional network’s infrastructure in conjunction with the Internet2 Network to access cloud resources such as Amazon AWS. You also need the AWS service and you may obtain that through NET+. Although Internet2 offers both Cloud Connect and NET+ AWS, Cloud Connect doesn’t require that you obtain AWS through Internet2 NET+ and it is possible to obtain NET+ AWS without using Cloud Connect.

What is the implementation process for Amazon AWS Direct Connect?

How do I decide between a Layer 2 and Layer 3 solution?

Layer 2 Pros:
  • Conceptually simpler/straightforward when thinking about each cloud provider. Institutions configure BGP directly with cloud providers over the VLANs and have complete control of which addresses are advertised or accepted on each peering. Addresses could even be re-used by different providers.
  • Paths of VLANs can be engineered to be completely separate physically.
Layer 2 Cons:
  • One or more VLANs per provider. Additional providers, provider locations, or services require additional VLANs. The number of VLANs can become large, with commensurate complexity, as an end-user (school) grows to multiple providers with multiple peerings.
Layer 3 Pros:
  • Multiple peerings from an institution are required only if resiliency is needed.
  • Adding cloud providers or other network-connected services (e.g., caches) that are specific to an institution leverage the existing L3VPN peering to the school and don’t require new paths to be configured to the institution.
  • Handles private addressing, and the data center extension case
  • Allows for provider-to-provider communication specific to an institution to occur over Internet2 and using private addresses, if necessary, eliminating the need to have traffic between providers hairpin through the campus.
Layer 3 Cons:
  • Control is through BGP peering with the L3VPN, which makes it harder to control precisely which addresses are advertised to or used by each cloud service

How does the Global Data Egress Waiver work?

The providers have information on their websites regarding the data egress waiver for higher education institutions.

Can you provide more details on the Global Data Egress Waiver?

Global Data Egress Waiver (GDEW) program.

Questions and Answers
  1. The DEFW is a per AWS account benefit, and the 15% calculation is made at the AWS account level, not the Payer Account level.
    • No, it is calculated and applied at the payer level. This is done to help benefit the entire institution. A great example of this is up at Cornell. We had a department in a single, standlaone AWS account hosting a 1 GB dictionary file in S3 and was being downloaded about 45 TB worth in a month. This was all they had in the account, so the bill was 1 GB = $0.023 and the data egress was about $4k. We pulled that account into the master account so that the aggregate spend for all of Cornell wiped out the charges. I know data egress is always a huge concern, but we haven’t had a customer go over that 15% to date.
  2. The DEFW applies over AWS Direct Connect, with the same ruleset as it does over Internet2 Peering (soon to be rebranded Internet2 Cloud Exchange) with the exception of the difference in rate for egress over the 15% threshold ($0.02/GB v $0.09/GB).
    • Correct – Direct Connect is covered. Traffic going out other paths as well are covered. Say for example a customer had a /24 on campus that didn’t go over Internet2 and used commercial transit for some reason. We don’t look to see the path as we don’t inspect the customer traffic. Traffic is billed at the source, so we just see it leaving (aka leave S3 to go to the Internet2) We assume a connected customer would be taking the Internet2 path, but are aware that may not always be the case. Also important to note, that the GDEW is for any eligible REN we are peering with. In the US we have several of the regionals included in the program as some of them have chosen to do direct peering with as well.
  3. Each eligible institution that manages AWS accounts and each eligible AWS provisioned independently needs to contact their AWS rep and specifically sign up to receive the DEFW, unless they are subscribed to the NET+ AWS program.
    • Sort of correct. Each top level payer account needs to be included in the program. We have seen schools use this to help bring some of the shadow IT groups out there under the umbrella to take advantage of the GDEW.

How do I get started?

Contact your network connector as their network connections will be used to support Cloud Connect. Let your connector know that you are interested in Cloud Connect. Internet2 would be pleased to talk with your institution along with the network connector about using the Internet2 Network to reach Amazon AWS Direct Connect. Please contact