Use Internet2 SiteID

Already have an Internet2 SiteID?
Sign in here.

Internet2 SiteID

Your organization not listed? Create a local account to use Internet2 services.

Create SiteID

Cloud Access

Cloud Access Overview

Internet2’s Cloud Access is a combination of Cloud Exchange and Cloud Connect.

Cloud Exchange

The Cloud Exchange provides Layer 3 routed access to Amazon, Google, and Microsoft via direct peering with these providers. Consider using the Cloud Exchange when accessing cloud providers if your applications don’t require your campus private network to be extended into the cloud. Additionally, if your application requires network layer encryption implemented with VPN tunneling, the Cloud Exchange can provide multiple high capacity paths for your tunnels into these cloud providers.

Cloud Connect

Using your regional’s infrastructure in conjunction with the Internet2 Network, you can reach cloud resources, including Microsoft Azure ExpressRoute, Amazon AWS Direct Connect and Google Cloud Platform Dedicated Interconnect. The robust regional and national networks allow access to these cloud providers available in the locations on the map (please see below). Depending on your preference, you can implement either a Layer 2 or Layer 3 solution. Additionally, you will need to subscribe to the cloud provider’s service. Internet2 offers the option to procure AWS or GCP through the NET+ program. For Microsoft, contact your representative directly.

Cloud Connect Provider Access Site Status

Pilot Project

Through June 30, 2019, Internet2 is offering Cloud Connect on a pilot basis. During the next year, Internet2 along with the community will be implementing and testing Cloud Access. Several regionals and higher education institutions are implementing the service now and together, we are learning valuable lessons for the community. We welcome your input. Please send your feedback to

Cloud Connect supports both Layer 2 or Layer 3 solutions

For either Layer 3 VPN delivery or Layer 2 VLAN delivery, there are BGP peerings over private circuits that connect to the connecting  institution and are presented as VLANs to the service provider. A connector needs to be able to pass VLANs from Internet2 to the connecting institution. For an institution’s L2 VLANs, the limit on the total number of VLANs, some of which may use "QinQ" stacked tags, is higher than the L3VPN case.

Layer 2 Solution

Internet2 provides Layer 2 VLAN(s) from the network connector to the provider for each service. Google and Amazon use standard 802.1q tags. Microsoft requires stacked VLANs (QinQ) using outer tag (S-Tag) identifier/ethertype 0x8100 (which is the also the standard 802.1q VLAN identifier). This passes the inner tag (C-tag)(also using 0x8100) transparently through AL2S pseudowires configured with OESS.

Layer 3 Solution

Internet2 creates a Layer 3 VPN using a virtual routing and forwarding instance (VRF) per institution. For resiliency purposes, there are one or more peerings that are established with the institution and the institution shares either public or private addresses over those peerings.


For service information and fees, send email to


For information about using the service, send email to



Do you need to use Cloud Exchange or Cloud Connect?




How do I decide between a Layer 2 and Layer 3 solution?

Layer 2 Pros:

  • Conceptually simpler/straightforward when thinking about each cloud provider. Institutions configure BGP directly with cloud providers over the VLANs and have complete control of which addresses are advertised or accepted on each peering. Addresses could even be re-used by different providers.
  • Paths of VLANs can be engineered to be completely separate physically.

Layer 2 Cons:

  • One or more VLANs per provider. Additional providers, provider locations, or services require additional VLANs. The number of VLANs can become large, with commensurate complexity, as an end-user (school) grows to multiple providers with multiple peerings.

Layer 3 Pros:

  • Multiple peerings from an institution are required only if resiliency is needed.
  • Adding cloud providers or other network-connected services (e.g., caches) that are specific to an institution leverage the existing L3VPN peering to the school and don’t require new paths to be configured to the institution.
  • Handles private addressing, and the data center extension case
  • Allows for provider-to-provider communication specific to an institution to occur over Internet2 and using private addresses, if necessary, eliminating the need to have traffic between providers hairpin through the campus.

Layer 3 Cons:

  • Control is through BGP peering with the L3VPN, which makes it harder to control precisely which addresses are advertised to or used by each cloud service

Layer 2 and Layer 3 Solutions

Layer 2 Azure ExpressRoute

Layer 3 Azure ExpressRoute

Layer 2 Amazon Direct Connect

Layer 3 Amazon Direct Connect

Layer 3 Showing Access to Multiple Regions and Providers



What are the primary differentiators between the NET+ AWS agreement through DLT and the newly offered Cloud Connect service?

The Cloud Connect service is complimentary to the NET+ AWS Service. Cloud Connect uses your regional network’s infrastructure in conjunction with the Internet2 Network to access cloud resources such as Amazon AWS. You also need the AWS service and you may obtain that through NET+. Although Internet2 offers both Cloud Connect and NET+ AWS, Cloud Connect doesn’t require that you obtain AWS through Internet2 NET+ and it is possible to obtain NET+ AWS without using Cloud Connect.

What is the implementation process for Microsoft Azure ExpressRoute?

What is the implementation process for Amazon AWS Direct Connect?


What is the implementation process for Google Cloud Platform Dedicated Interconnect?

(Coming soon)

How does the data egress waiver work?

The providers have information on their websites regarding the data egress waiver for higher education institutions.

How do I get started?

Contact your network connector as their network connections will be used to support Cloud Connect. Let your connector know that you are interested in Cloud Connect. Internet2 would be pleased to talk with your institution along with the network connector about using the Internet2 Network to reach Azure ExpressRoute, AWS Direct Connect and GCP Dedicated Interconnect. Please contact