Cloud Access Overview
Internet2’s Cloud Access is a combination of Cloud Exchange and Cloud Connect.
The Cloud Exchange provides Layer 3 routed access to Amazon, Google, and Microsoft via direct peering with these providers. Consider using the Cloud Exchange when accessing cloud providers if your applications don’t require your campus private network to be extended into the cloud. Additionally, if your application requires network layer encryption implemented with VPN tunneling, the Cloud Exchange can provide multiple high capacity paths for your tunnels into these cloud providers.
Using your regional network’s infrastructure in conjunction with the Internet2 Network, you can reach cloud resources, including Microsoft Azure ExpressRoute, Amazon AWS Direct Connect and Google Cloud Platform Dedicated Interconnect. The robust regional and national networks provide access to these cloud providers at the locations shown on the map (please see below). Depending on your preference, you can implement either a Layer 2 or Layer 3 solution. Additionally, you will need to subscribe to the cloud provider’s service. Internet2 offers the option to procure AWS or GCP through the NET+ program. For Microsoft, contact your representative directly.
Cloud Connect Provider Access Site Status
Through June 30, 2019, Internet2 is offering Cloud Connect on a pilot basis. During the next year, Internet2 along with the community will be implementing and testing Cloud Access. Several regionals and higher education institutions are implementing the service now and together, we are learning valuable lessons for the community. We welcome your input. Please send your feedback to Cloudconnect_request@internet2.edu.
Cloud Connect supports both Layer 2 and Layer 3 solutions
For either Layer 3 VPN delivery or Layer 2 VLAN delivery, there are BGP peerings over private circuits that connect to the connecting institution and are presented as VLANs to the service provider. A connector needs to be able to pass VLANs from Internet2 to the connecting institution. For an institution’s L2 VLANs, the limit on the total number of VLANs, some of which may use "QinQ" stacked tags, is higher than in the L3VPN case.
Internet2 provides Layer 2 VLAN(s) from the network connector to the provider for each service. Google and Amazon use standard 802.1q tags. Microsoft requires stacked VLANs (QinQ) using outer tag (S-Tag) identifier/ethertype 0x8100 (which is also the standard 802.1q VLAN identifier). This passes the inner tag (C-Tag), also using 0x8100, transparently through AL2S pseudowires configured with OESS.
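The tagging described above can be checked on a captured frame by walking its VLAN tag stack. The following is an added example, not Internet2 or provider code: the sample frames and VLAN IDs are constructed, and the 802.1ad ethertype 0x88a8 does not appear on this page and is included only to contrast with the 0x8100 outer tag.

```python
import struct

TPID_8021Q = 0x8100   # 802.1q tag; per the text, Microsoft's S-Tag and C-Tag both use it
TPID_8021AD = 0x88A8  # 802.1ad S-Tag ethertype, listed only for contrast (assumption)

def parse_vlan_stack(frame: bytes):
    """Return ([(tpid, vlan_id), ...] outermost first, payload ethertype)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset, tags = 12, []          # skip destination and source MAC
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            return tags, ethertype
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append((ethertype, tci & 0x0FFF))   # low 12 bits of the TCI are the VLAN ID
        offset += 4

def classify(frame: bytes) -> str:
    """Name the tag layout so a mismatch with the provider's expectation is visible."""
    tags, _ = parse_vlan_stack(frame)
    tpids = [t for t, _ in tags]
    if tpids == [TPID_8021Q]:
        return "single 802.1q tag"
    if tpids == [TPID_8021Q, TPID_8021Q]:
        return "QinQ, 0x8100 outer and inner"
    if len(tpids) == 2 and tpids[0] == TPID_8021AD:
        return "QinQ, 0x88a8 outer"
    return "untagged" if not tags else "unexpected tag stack"

def build(tags, ethertype=0x0800):
    """Constructed sample frame: zeroed MACs, the given tags, 4 payload bytes."""
    hdr = bytes(12)
    for tpid, vid in tags:
        hdr += struct.pack("!HH", tpid, vid)
    return hdr + struct.pack("!H", ethertype) + b"\x00" * 4

SINGLE = build([(TPID_8021Q, 210)])                        # constructed VLAN IDs
STACKED = build([(TPID_8021Q, 3001), (TPID_8021Q, 100)])
AD_STACKED = build([(TPID_8021AD, 3001), (TPID_8021Q, 100)])

if __name__ == "__main__":
    for name, f in [("single", SINGLE), ("stacked", STACKED), ("802.1ad", AD_STACKED)]:
        print(name, parse_vlan_stack(f), classify(f))
```

A frame classified as "QinQ, 0x88a8 outer" carries a different outer ethertype from the one the text says Microsoft requires, which is a common cause of a stacked-VLAN handoff that passes no traffic.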
Layer 3 Solution
Internet2 creates a Layer 3 VPN using a virtual routing and forwarding instance (VRF) per institution. For resiliency purposes, there are one or more peerings that are established with the institution and the institution shares either public or private addresses over those peerings.
For service information and fees, send email to Cloudconnect_request@internet2.edu
For information about using the service, send email to Cloudconnect_request@internet2.edu
Do you need to use Cloud Exchange or Cloud Connect?
How do I decide between a Layer 2 and Layer 3 solution?
Layer 2 Pros:
- Conceptually simpler/straightforward when thinking about each cloud provider. Institutions configure BGP directly with cloud providers over the VLANs and have complete control of which addresses are advertised or accepted on each peering. Addresses could even be re-used by different providers.
- Paths of VLANs can be engineered to be completely separate physically.
Layer 2 Cons:
- One or more VLANs per provider. Additional providers, provider locations, or services require additional VLANs. The number of VLANs can become large, with commensurate complexity, as an end-user (school) grows to multiple providers with multiple peerings.
Layer 3 Pros:
- Multiple peerings from an institution are required only if resiliency is needed.
- Adding cloud providers or other network-connected services (e.g., caches) that are specific to an institution leverage the existing L3VPN peering to the school and don’t require new paths to be configured to the institution.
- Handles private addressing and the data center extension case.
- Allows for provider-to-provider communication specific to an institution to occur over Internet2 and using private addresses, if necessary, eliminating the need to have traffic between providers hairpin through the campus.
Layer 3 Cons:
- Control is through BGP peering with the L3VPN, which makes it harder to control precisely which addresses are advertised to or used by each cloud service.
Layer 2 and Layer 3 Solutions
Layer 2 Azure ExpressRoute
Layer 3 Azure ExpressRoute
Layer 2 Amazon Direct Connect
Layer 3 Amazon Direct Connect
Layer 3 Showing Access to Multiple Regions and Providers
What are the primary differentiators between the NET+ AWS agreement through DLT and the newly offered Cloud Connect service?
The Cloud Connect service is complementary to the NET+ AWS Service. Cloud Connect uses your regional network’s infrastructure in conjunction with the Internet2 Network to access cloud resources such as Amazon AWS. You also need the AWS service and you may obtain that through NET+. Although Internet2 offers both Cloud Connect and NET+ AWS, Cloud Connect doesn’t require that you obtain AWS through Internet2 NET+ and it is possible to obtain NET+ AWS without using Cloud Connect.
What is the implementation process for Microsoft Azure ExpressRoute?
What is the implementation process for Amazon AWS Direct Connect?
What is the implementation process for Google Cloud Platform Dedicated Interconnect?
How does the data egress waiver work?
The providers have information on their websites regarding the data egress waiver for higher education institutions.
- AWS: https://aws.amazon.com/blogs/publicsector/aws-offers-data-egress-discount-to-researchers/
- Google Cloud Platform: https://cloud.google.com/billing/docs/how-to/egress-waiver
- Microsoft Azure: https://azure.microsoft.com/en-us/blog/azure-egress-fee-waiver-for-the-academic-community/
How do I get started?
Contact your network connector as their network connections will be used to support Cloud Connect. Let your connector know that you are interested in Cloud Connect. Internet2 would be pleased to talk with your institution along with the network connector about using the Internet2 Network to reach Azure ExpressRoute, AWS Direct Connect and GCP Dedicated Interconnect. Please contact Cloudconnect_request@internet2.edu.