Internet2


Cloud Access

overview

Cloud Access Overview

Internet2's Cloud Access is a combination of Cloud Exchange and Cloud Connect.

Cloud Exchange

The Cloud Exchange provides Layer 3 routed access to Amazon, Google, and Microsoft via direct peering with these providers. Consider using the Cloud Exchange when accessing cloud providers if your applications don't require your campus private network to be extended into the cloud. Additionally, if your application requires network layer encryption implemented with VPN tunneling, the Cloud Exchange can provide multiple high capacity paths for your tunnels into these cloud providers.

Cloud Connect

Using your regional's infrastructure in conjunction with the Internet2 Network, you can reach cloud resources, including Microsoft Azure ExpressRoute, Amazon AWS Direct Connect and Google Cloud Platform Dedicated Interconnect. The robust regional and national networks provide access to these cloud providers at the locations shown on the map (please see below). Depending on your preference, you can implement either a Layer 2 or Layer 3 solution. Additionally, you will need to subscribe to the cloud provider’s service. Internet2 offers the option to procure AWS or GCP through the NET+ program. For Microsoft, contact your representative directly.

Cloud Connect Provider Access Site Status

The map below shows the locations where Cloud Connect access to the service providers is available.

Pilot Project

Through June 30, 2019, Internet2 is offering Cloud Connect on a pilot basis. During the next year, Internet2 along with the community will be implementing and testing Cloud Access. Several regionals and higher education institutions are implementing the service now and together, we are learning valuable lessons for the community. We welcome your input. Please send your feedback to Cloudconnect_request@internet2.edu.

Do you need to use Cloud Exchange or Cloud Connect?

Cloud Connect Service Providers

features

Cloud Connect supports both Layer 2 and Layer 3 solutions

Internet2 connectors can use their connection points on the Internet2 packet network to establish packet connectivity at either Layer 2 or Layer 3 to cloud providers. In both cases, the connector or member can establish BGP peerings over these private pathways between the connecting institution and the service provider, which will see these connections presented as VLANs. An Internet2 connector needs to be able to pass VLANs from the Internet2 connection point to the connecting institution. For an institution’s L2 VLANs, the limit on the total number of VLANs, some of which may use "QinQ" stacked tags, is higher than in the L3VPN case.

Internet2 creates a Layer 3 VPN using a virtual routing and forwarding instance (VRF) per institution. For resiliency purposes, there are one or more peerings that are established with the institution and the institution shares either public or private addresses over those peerings.
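Because all of an institution's cloud peerings share one VRF in the L3VPN model, which prefixes reach which provider is decided by BGP policy rather than by VLAN separation. The following is an added example, not Internet2 tooling or code from this page: a Python check that compares the prefixes an institution intends each provider to receive with the prefixes actually advertised on each peering. The provider keys, prefixes and function names are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample policy: prefixes the institution intends each provider to receive.
INTENDED = {
    "aws":   ["10.20.0.0/16", "198.51.100.0/24"],
    "azure": ["10.30.0.0/16"],
    "gcp":   ["10.20.0.0/16"],
}
# Constructed sample observation: prefixes actually advertised on each provider peering.
ADVERTISED = {
    "aws":   ["10.20.0.0/16"],
    "azure": ["10.30.0.0/16", "10.20.5.0/24"],
    "gcp":   ["10.20.0.0/16", "10.0.0.0/8"],
}

def _within(inner, outer):
    """True if inner equals or is a subnet of outer (same IP version only)."""
    return inner.version == outer.version and inner.subnet_of(outer)

def audit_advertisements(intended, advertised):
    """Return (provider, prefix, finding) tuples where advertisements differ from policy."""
    findings = []
    for provider in sorted(set(intended) | set(advertised)):
        allowed = [ipaddress.ip_network(p) for p in intended.get(provider, [])]
        seen = [ipaddress.ip_network(p) for p in advertised.get(provider, [])]
        for net in seen:
            if net in allowed:
                continue  # exact match with policy
            if any(_within(net, a) for a in allowed):
                kind = "more-specific"        # inside an allowed range, but deaggregated
            elif any(_within(a, net) for a in allowed):
                kind = "wider-than-intended"  # aggregate exposes more than the policy allows
            else:
                kind = "unexpected"           # not related to any allowed prefix
            findings.append((provider, str(net), kind))
        for a in allowed:
            # An intended prefix that no advertisement covers means lost reachability.
            if not any(_within(a, net) for net in seen):
                findings.append((provider, str(a), "missing"))
    return findings

if __name__ == "__main__":
    for provider, prefix, kind in audit_advertisements(INTENDED, ADVERTISED):
        print(f"{provider:6} {prefix:18} {kind}")
```

The advertised sets would in practice come from the routes observed on each provider peering; how they are collected depends on the router platform and is outside this example.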

Cloud Architecture Group

This Wiki was created out of a meeting at the University of Chicago during the Summer of 2014. As the community's cloud architectural expertise has grown, this Wiki has become home to, and has developed as an index for, its collective documentation and best practices.

fees

For service information and fees, send email to Cloudconnect_request@internet2.edu.

participate

For information about participating in either Cloud Exchange or Cloud Connect, please contact Cloudconnect_request@internet2.edu.

faq

Amazon Direct Connect FAQ

What are the primary differentiators between the NET+ AWS agreement through DLT and the newly offered Cloud Connect service?

The Cloud Connect service is complementary to the NET+ AWS Service. Cloud Connect uses your regional network’s infrastructure in conjunction with the Internet2 Network to access cloud resources such as Amazon AWS. You also need the AWS service and you may obtain that through NET+. Although Internet2 offers both Cloud Connect and NET+ AWS, Cloud Connect doesn’t require that you obtain AWS through Internet2 NET+ and it is possible to obtain NET+ AWS without using Cloud Connect.

What is the implementation process for Amazon AWS Direct Connect?

How do I decide between a Layer 2 and Layer 3 solution?

Layer 2 Pros:
  • Conceptually simpler/straightforward when thinking about each cloud provider. Institutions configure BGP directly with cloud providers over the VLANs and have complete control of which addresses are advertised or accepted on each peering. Addresses could even be re-used by different providers.
  • Paths of VLANs can be engineered to be completely separate physically.
Layer 2 Cons:
  • One or more VLANs per provider. Additional providers, provider locations, or services require additional VLANs. The number of VLANs can become large, with commensurate complexity, as an end-user (school) grows to multiple providers with multiple peerings.
Layer 3 Pros:
  • Multiple peerings from an institution are required only if resiliency is needed.
  • Adding cloud providers or other network-connected services (e.g., caches) that are specific to an institution leverages the existing L3VPN peering to the school and doesn’t require new paths to be configured to the institution.
  • Handles private addressing and the data center extension case.
  • Allows for provider-to-provider communication specific to an institution to occur over Internet2 and using private addresses, if necessary, eliminating the need to have traffic between providers hairpin through the campus.
Layer 3 Cons:
  • Control is through BGP peering with the L3VPN, which makes it harder to control precisely which addresses are advertised to or used by each cloud service.

Can you provide some details on the Global Data Egress Waiver?

Global Data Egress Waiver (GDEW) program.

Questions and Answers
  1. The DEFW is a per AWS account benefit, and the 15% calculation is made at the AWS account level, not the Payer Account level.
    • No, it is calculated and applied at the payer level. This is done to help benefit the entire institution. A great example of this is up at Cornell. We had a department in a single, standalone AWS account hosting a 1 GB dictionary file in S3 and was being downloaded about 45 TB worth in a month. This was all they had in the account, so the bill was 1 GB = $0.023 and the data egress was about $4k. We pulled that account into the master account so that the aggregate spend for all of Cornell wiped out the charges. I know data egress is always a huge concern, but we haven’t had a customer go over that 15% to date.
  2. The DEFW applies over AWS Direct Connect, with the same ruleset as it does over Internet2 Peering (soon to be rebranded Internet2 Cloud Exchange) with the exception of the difference in rate for egress over the 15% threshold ($0.02/GB v $0.09/GB).
    • Correct – Direct Connect is covered. Traffic going out other paths is covered as well. Say for example a customer had a /24 on campus that didn’t go over Internet2 and used commercial transit for some reason. We don’t look to see the path as we don’t inspect the customer traffic. Traffic is billed at the source, so we just see it leaving (aka leave S3 to go to the Internet2). We assume a connected customer would be taking the Internet2 path, but are aware that may not always be the case. Also important to note, that the GDEW is for any eligible REN we are peering with. In the US we have several of the regionals included in the program as some of them have chosen to do direct peering with as well.
  3. Each eligible institution that manages AWS accounts and each eligible AWS provisioned independently needs to contact their AWS rep and specifically sign up to receive the DEFW, unless they are subscribed to the NET+ AWS program.
    • Sort of correct. Each top level payer account needs to be included in the program. We have seen schools use this to help bring some of the shadow IT groups out there under the umbrella to take advantage of the GDEW.

How do I get started?

Contact your network connector as their network connections will be used to support Cloud Connect. Let your connector know that you are interested in Cloud Connect. Internet2 would be pleased to talk with your institution along with the network connector about using the Internet2 Network to reach Amazon AWS Direct Connect. Please contact Cloudconnect_request@internet2.edu.

Microsoft Azure ExpressRoute

What is the implementation process for Microsoft Azure ExpressRoute?

How do I decide between a Layer 2 and Layer 3 solution?

Layer 2 Pros:
  • Conceptually simpler/straightforward when thinking about each cloud provider. Institutions configure BGP directly with cloud providers over the VLANs and have complete control of which addresses are advertised or accepted on each peering. Addresses could even be re-used by different providers.
  • Paths of VLANs can be engineered to be completely separate physically.
Layer 2 Cons:
  • One or more VLANs per provider. Additional providers, provider locations, or services require additional VLANs. The number of VLANs can become large, with commensurate complexity, as an end-user (school) grows to multiple providers with multiple peerings.
Layer 3 Pros:
  • Multiple peerings from an institution are required only if resiliency is needed.
  • Adding cloud providers or other network-connected services (e.g., caches) that are specific to an institution leverages the existing L3VPN peering to the school and doesn’t require new paths to be configured to the institution.
  • Handles private addressing and the data center extension case.
  • Allows for provider-to-provider communication specific to an institution to occur over Internet2 and using private addresses, if necessary, eliminating the need to have traffic between providers hairpin through the campus.
Layer 3 Cons:
  • Control is through BGP peering with the L3VPN, which makes it harder to control precisely which addresses are advertised to or used by each cloud service.

How does the data egress waiver work?

The providers have information on their websites regarding the data egress waiver for higher education institutions.
Microsoft Azure: https://azure.microsoft.com/en-us/blog/azure-egress-fee-waiver-for-the-academic-community/

How do I get started?

Contact your network connector as their network connections will be used to support Cloud Connect. Let your connector know that you are interested in Cloud Connect. Internet2 would be pleased to talk with your institution along with the network connector about using the Internet2 Network to reach Microsoft Azure ExpressRoute. Please contact Cloudconnect_request@internet2.edu.

Google Cloud Platform Dedicated Interconnect FAQ

What is the implementation process for Google Cloud Platform Dedicated Interconnect?

Coming soon.

How do I decide between a Layer 2 and Layer 3 solution?

Layer 2 Pros:
  • Conceptually simpler/straightforward when thinking about each cloud provider. Institutions configure BGP directly with cloud providers over the VLANs and have complete control of which addresses are advertised or accepted on each peering. Addresses could even be re-used by different providers.
  • Paths of VLANs can be engineered to be completely separate physically.
Layer 2 Cons:
  • One or more VLANs per provider. Additional providers, provider locations, or services require additional VLANs. The number of VLANs can become large, with commensurate complexity, as an end-user (school) grows to multiple providers with multiple peerings.
Layer 3 Pros:
  • Multiple peerings from an institution are required only if resiliency is needed.
  • Adding cloud providers or other network-connected services (e.g., caches) that are specific to an institution leverages the existing L3VPN peering to the school and doesn’t require new paths to be configured to the institution.
  • Handles private addressing and the data center extension case.
  • Allows for provider-to-provider communication specific to an institution to occur over Internet2 and using private addresses, if necessary, eliminating the need to have traffic between providers hairpin through the campus.
Layer 3 Cons:
  • Control is through BGP peering with the L3VPN, which makes it harder to control precisely which addresses are advertised to or used by each cloud service.

How does the Global Data Egress Waiver work?

The providers have information on their websites regarding the data egress waiver for higher education institutions.
Google: https://cloud.google.com/billing/docs/how-to/egress-waiver

How do I get started?

Contact your network connector as their network connections will be used to support Cloud Connect. Let your connector know that you are interested in Cloud Connect. Internet2 would be pleased to talk with your institution along with the network connector about using the Internet2 Network to reach Google Cloud Platform Dedicated Interconnect. Please contact Cloudconnect_request@internet2.edu.