Connecting customer environments together is as important as connecting to clouds and the Internet for most customers. The ECX deployment guide contains significant detail regarding solution design and how to connect to various clouds.
To connect a virtual device to a physical environment, the user needs to access the “outside” physical world from a device that is deployed on a common server with virtual interfaces. It is a different process than literally connecting cables to your physical router. This traditional way was usually done with cross connects from one data center or cage space to the next:
In order to facilitate this same activity with a virtual device that does not occupy a cage in the same way as above, we will need to virtualize certain aspects of the solution, and there are many ways to do so.
All NE devices connect to the outside world through the ECX platform or through the Internet (aka Equinix Connect), and this satisfies many use cases with no further connection needs. However, many users find that they want their virtual devices connected to an NSP that they will or are already doing business with. Often this helps “normalize” the device with the rest of a global network deployment by integrating it with an existing MPLS network, for example:
This is facilitated through the ECX, and all traffic flowing in and out of the ECX does so through a port, whether it is dedicated to a single user or service/use case, or it is used in a multi-tenant way.
For a virtual device user to get to a network service that you have procured, there are a few ways this can be done through the ECX, and we call this “bringing your own connection” or BYOC:
- NSP is a Seller on ECX: The network provider offers its network products and services publicly through the ECX in the same way that others offer their services; and the virtual device owner will create a connection to the known, published service.
- Bring your own Network Service: The user will purchase connectivity from a network provider and the NSP will terminate that connectivity as a port in an Equinix facility and provide details to you so that you can order a port and connect to it through the ECX
- Connect to your Collocated Resources: The customer has at least one physical deployment in an Equinix facility somewhere globally; the needed network connectivity is already inside that collocation facility; and the virtual device will connect to that collocated space through a port at the “edge” of the customer’s space
Further details for each method are specified below.
The use cases and reasons for doing this are numerous, and may include:
- Connecting the virtual device to a LAN or WAN network
- Connecting the device to an existing global network service provider that the user is contracted with for MPLS, EVPL, Internet, or other telecommunications services
- Chain the virtual device to another virtual or physical device off the Equinix platform
- Attach the device to the edge of other private resources such as deployed servers, storage, or other IT equipment
Basic Steps and Concepts to Connect
In any of the above cases, the basic steps are about the same, as specified below. The implementation of them may differ depending on which method you need:
Additional details about each step are below. Note that there may be multiple steps within it, or none at all, depending on your connection needs.
Order Network Services
The first step is to order services from the network provider of choice, if you have not already. What you order will vary greatly and Equinix offers no specific guidance on which providers and products are best. That said, we hope to observe deployments and “certify” those that are known good and operational with virtual devices over time, so we welcome your feedback and input.
If the NSP is part of the ECX selling their services (browse the create connection choices to see if you can find your provider), there is a very good chance that their product will interoperate well with your device.
When terminating network services to your virtual device, there may be special configurations needed to ensure they operate properly. While Equinix cannot predict or specify the exact needs of every NSP and their portfolio of products globally, these generally boil down to a few categories:
- Ethernet type, Layer 2 services such as EVPL, E-LAN, or EPL
- Layer 2.5 type services such as MPLS
- True Layer 3 peering services such as IPVPN or DIA/high-speed internet
Each of these network services will drive different needs on your device, whether it be IP addresses, protocol configuration and enablement, VLAN assignment, rate limiting or others.
Not all traffic types have been tested to work with every virtual device, but the platform is designed to be quite open and flexible. Your NSP’s guidance on configuration will be very important to the success of the interconnection. Equinix has a few rules of thumb when deciding and provisioning network services:
- The handoff from your network provider must be a tagged service; thus, the port you are connecting to at the Z-end must be configured as a dot1q or Q-in-Q format
- Per above, you will need to know the VLAN assigned to the traffic so you can configure it properly on the ECX and possibly your virtual device
- We expect that your network service provider will provide the necessary IP addressing, label switches, VLAN, or other logical inventory needs to configure your device and the port fully
- In theory, nearly any protocol can be supported if the specification from your virtual device vendor says it is supported, but we cannot test every single one. Consult the ECX documentation to discover if there are any limitations to that platform for your traffic type
- If you terminate a public Internet service, the number of routes may be restricted as a full Internet routing table could heavily burden the performance of a virtual device. We recommend you either consider physical deployments for route tables beyond 2-5K routes, or deploy with NAT
- Your NSP service should be policed or rate limited and should never exceed the total size of your virtual devices’ licensed throughput
Buy and Configure ECX Resources
In order to connect through the ECX, certain things must be present, whether they are owned by the NSP or the customer. In very simple terms, in order to connect from one side to the other, two ports and a connection between them is required. Fortunately, many of these components are already present.
On the virtual device side, each device already comes with a virtual port facing the ECX, and the method for creating a connection is covered extensively elsewhere. Therefore, most of the work needed is to get to the network service (or the Z-Side):
- If the NSP is an active participant on the ECX selling services, you simply need to create a connection to that service, so you can jump to the next step
- If the NSP can provide a port to you on the ECX, they will specify which service to connect to – and it could be a “private” service (more on service profiles below). You can jump to the next step to connect the device, but must first have permission from the NSP to see the service to connect to
- If the NSP will provide a physical tie-down location only in an Equinix data center, you will need to procure a port to connect the NSP to, and then you will define a service around that port so that you can connect to it
A Note About Service Profiles:
As of the current release, the way you connect to anything on the ECX as a destination or Z-end is by using a Service Profile. Anyone can create a service profile on ECX with a port or routing instance, and the service profile can be set to private so that only users in your customer organization can see and use it. You can also whitelist other NE and ECX users to see your private profile even if they are not part of your organization or account.
Additionally, you can delete the profile or remove the port from the profile immediately after creating a connection from your device to the port, and the connection remains in place. Users can also add BGP settings as with other services to ensure peering occurs between the environments. For this type of connectivity, Equinix recommends a Layer-2 service profile. Information about configuring a Layer-2 service profile can be found here.
More information on service profiles in general can be found in the ECX documentation here.
NSP is a Seller on ECX
This is by far the simplest method for virtual device owners, and we encourage network providers to participate in the ECX ecosystem wherever possible.
Bring Your Own Network Service
If you'd like to connect to a network provider with a virtual device, the network provider must be able to do one of two things:
- Have a presence on the ECX Fabric and a defined service that you can create a connection to
- Have a physical presence in Equinix facilities where they can reserve a port for you and generate a Letter of Authorization/Customer Facilities Assignment - LOA/CFA for short
If the NSP has a presence on the ECX Fabric, you can easily find them in the list of services available, just as you would with a cloud provider.
A remote port can be used when there is no physical CPE router collocated in an Equinix datacenter. In this case, the virtual router can be connected to the ECX switch via a Layer-2 service profile with the NSP connection terminated directly on the ECX switch. In this scenario the service profile is owned by the customer and is responsible for setting the correct attributes to establish connectivity. Additionally, a separate VRF will be created and dedicated to the NSP connection. When the NSP is present on the ECX Fabric, the NSP owns the Layer-2 service profile and will provide the attributes for connectivity, as shown below.
To connect, you place an order from your NSP and then provide Equinix with a LOA/CFA. The LOA/CFA gives Equinix the authorization to connect between the NSP demarc and the ECX switch to establish connectivity as shown below. As in the case of a physical connection, you can also connect to any location on the fabric—either local or remote.
Connect To Your Collocated Resources
With this deployment, your CPE may be collocated within an Equinix data center. In order to reach it, you will need a physical port on the cloud exchange and a defined service profile, explained later and also here, to connect the virtual router to it. In the diagram below, the physical router in your cabinet connects to the virtual router via the ECX fabric by means of a Layer-2 service profile applied to the ECX switchport at the collocation.
Note: this virtual cross-connect can happen between any two locations that are on the ECX Fabric—either local or remote.