Q. What is AWS Direct Connect?

AWS Direct Connect is a network service that provides an alternative to using the Internet to utilize AWS cloud services.

Q. What can I do with AWS Direct Connect?

Using AWS Direct Connect, data that would have previously been transported over the Internet can now be delivered through a private network connection between AWS and your datacenter or corporate network.

Q. What are the benefits of using AWS Direct Connect and private network connections?

In many circumstances, private network connections can reduce costs, increase bandwidth, and provide a more consistent network experience than Internet-based connections.

Q. Which AWS services can be used with AWS Direct Connect?

All AWS services, including Amazon Elastic Compute Cloud (EC2), Amazon Virtual Private Cloud (VPC), Amazon Simple Storage Service (S3), and Amazon DynamoDB can be used with AWS Direct Connect.

Q. Can I use the same private network connection with Amazon Virtual Private Cloud (VPC) and other AWS services simultaneously?

Yes. Each AWS Direct Connect connection can be configured with one or more virtual interfaces. Virtual interfaces may be configured to access AWS services such as Amazon EC2 and Amazon S3 using public IP space, or resources in a VPC using private IP space.

Q. If I’m using Amazon CloudFront and my origin is in my own data center, can I use AWS Direct Connect to transfer the objects stored in my own data center?

Yes. Amazon CloudFront supports custom origins including origins you run outside of AWS. The access to the CloudFront edge locations will be restricted to the geographically nearest AWS region. With the exception of the North America regions which currently allow access to all North American region's on-net CloudFront origins. With AWS Direct Connect, you will pay AWS Direct Connect data transfer rates for origin transfer.

Through Direct Connect, customer traffic will remain in Amazon backbone network after it enters it. Therefore, prefixes of CloudFront locations that are not on the Amazon backbone network will not be advertised through Direct Connect. You can also find more details about IP prefixes advertised on AWS Direct Connect public virtual interfaces here. You can also refer to this link to know more about Direct Connect routing policy.

Q. Where is AWS Direct Connect available?

You can find the complete list of Direct Connect locations on the Product Details page.

Get Started with AWS for Free

Create a Free Account
Or Sign In to the Console

AWS Free Tier includes 750hrs of Micro Cache Node with Amazon ElastiCache.

View AWS Free Tier Details »

Q. Can I use AWS Direct Connect if my network is not present at an AWS Direct Connect location?

Yes. APN Partners supporting AWS Direct Connect can help you extend your preexisting data center or office network to an AWS Direct Connect location. Please see APN Partners for more information.

Q. How can I get started with AWS Direct Connect?

Use the AWS Direct Connect tab on the AWS Management Console to create a new connection. Then you will change the region to the region you wish to use. When requesting a connection, you will be asked to select the AWS Direct Connect location you wish to use, the number of ports, and the port speed. You will also have the opportunity to request to have an APN Partner contact you if you need assistance extending your office or data center network to the AWS Direct Connect location.

Q. Can I order a port for AWS GovCloud (US) in the AWS Management Console?

If you wish to order a port to connect to AWS GovCloud (US) you will need to use the AWS GovCloud (US) management console. Details about getting started in the AWS GovCloud (US) region can be found here.


Q. Are there any setup charges or a minimum service term commitment required to use AWS Direct Connect?

There are no setup charges, and you may cancel at any time. Services provided by APN Partners may have other terms or restrictions that apply.

Q. How will I be charged and billed for my use of AWS Direct Connect?

AWS Direct Connect has two separate charges: port-hours and Data Transfer. Pricing is per port-hour consumed for each port type. Partial port-hours consumed are billed as full hours.

Data Transfer via AWS Direct Connect will be billed in the same month in which the usage occurred. If you have a hosted virtual interface, you will only be charged for the data transferred out of that virtual interface at the applicable Data Transfer rates. The account that owns the port will be charged the port-hour charges. Read more about hosted virtual interfaces here.

For AWS Direct Connect pricing information, please see AWS Direct Connect pricing. If using an APN partner to facilitate a Direct Connect connection, contact the partner regarding any fees they may charge.

Q. Will regional data transfer be billed at the AWS Direct Connect rate?
No, data transfer between Availability Zones in a region will be billed at the regular regional data transfer rate in the same month in which the usage occurred.

Q. What defines billable port-hours?
Port-hours are billed once the connection between the AWS router and your router is established, or 90 days after you ordered the port, whichever comes first. Port charges will continue to be billed anytime the AWS Direct Connect port is provisioned for your use. If you no longer wish to be charged for your port, please follow the cancellation process detailed in How do I cancel the AWS Direct Connect service?.

Q. How does AWS Direct Connect work with consolidated billing?

AWS Direct Connect data transfer usage will be aggregated to your master account.

Q. How do I cancel the AWS Direct Connect service?

You can cancel AWS Direct Connect service by deleting your ports from the AWS management console. You should also cancel any service(s) offered by a third party. For example, contact the colocation provider to disconnect any cross-connects to AWS Direct Connect, and/or a network service provider who may be providing network connectivity from your remote locations to the AWS Direct Connect location.

Q: Do your prices include taxes?

Except as otherwise noted, our prices are exclusive of applicable taxes and duties, including VAT and applicable sales tax. For customers with a Japanese billing address, use of AWS services is subject to Japanese Consumption Tax. Learn more.

Q. What connection speeds are supported by AWS Direct Connect?

1Gbps and 10Gbps ports are available.Speeds of 50Mbps, 100Mbps, 200Mbps, 300Mbps, 400Mbps, and 500Mbps can be ordered from any APN partners supporting AWS Direct Connect. Read more about APN Partners supporting AWS Direct Connect.

Q. Are there limits on the amount of data that I can transfer using AWS Direct Connect?

No. You may transfer any amount of data up to the limit of your selected port speed.

Q. What are the technical requirements for the connection?

AWS Direct Connect supports 1000BASE-LX or 10GBASE-LR connections over singlemode fiber using Ethernet transport. Your device must support 802.1Q VLANs. See the AWS Direct Connect User Guide for more detailed requirements information.

Q. What AWS region(s) can I connect to via this connection?

Each AWS Direct Connect location enables connectivity to the geographically nearest AWS Local Region. See the AWS Direct Connect Details page for the list of AWS Direct Connect locations and their AWS Local Regions. You can access all AWS services available in that region.

Direct Connect locations in the North America can also access the public resources in any North America region using a public virtual interface

Q. What Availability Zone(s) can I connect to via this connection?

Each AWS Direct Connect location enables connectivity to all Availability Zones within the geographically nearest AWS region.

Q. Are connections to AWS Direct Connect redundant?

Each connection consists of a single dedicated connection between ports on your router and an Amazon router. We recommend establishing a second connection if redundancy is required. When you request multiple ports at the same AWS Direct Connect location, they will be provisioned on redundant Amazon routers.

Q. Will I lose connectivity if my AWS Direct Connect link fails?

If you have established a second AWS Direct Connect connection, traffic will failover to the second link automatically. We recommend enabling Bidirectional Forwarding Detection (BFD) when configuring your connections to ensure fast detection and failover. If you have configured a back-up IPsec VPN connection instead, all VPC traffic will failover to the VPN connection automatically. Traffic to/from public resources such as Amazon S3 will be routed over the Internet. If you do not have a backup AWS Direct Connect link or a IPsec VPN link, then Amazon VPC traffic will be dropped in the event of a failure. Traffic to/from public resources will be routed over the Internet.

Q. Can I extend one of my VLANs to the AWS Cloud using AWS Direct Connect?
No, VLANs are utilized in AWS Direct Connect only to separate traffic between virtual interfaces.

Q. Does AWS Direct Connect offer a Service Level Agreement (SLA)?

Not at this time.

Q: What are the technical requirements for virtual interfaces to public AWS services such as Amazon EC2 and Amazon S3?

This connection requires the use of the Border Gateway Protocol (BGP) with an Autonomous System Number (ASN) and IP Prefixes. You will need the following information to complete the connection:

  • A public or private ASN. If you are using a public ASN, you must own it. If you are using a private ASN, it must be in the 64512 to 65535 range.
  • A new unused VLAN tag that you select
  • Public IPs (/30) allocated by you for the BGP session

Amazon will advertise public IP prefixes for the region via BGP. Direct Connect customers in the North America will receive the public IP prefixes for all US regions. You must advertise public IP prefixes (/30 or smaller) that you own via BGP. For more details, consult the AWS Direct Connect User Guide.

Q: What is an Autonomous System Number (ASN) and do I need one to use AWS Direct Connect?

Autonomous System numbers are used to identify networks that present a clearly defined external routing policy to the Internet. AWS Direct Connect requires an ASN to create a public or private virtual interface. You may use a public ASN which you own, or you can pick any private ASN number between 64512 to 65535 range.

Q. What IP address will be assigned to each end of a virtual interface?

If you are configuring a virtual interface to the public AWS cloud, the IP addresses for both ends of the connection must be allocated from public IP space that you own. If the virtual interface is to a VPC and you choose to have AWS auto-generate the peer IP CIDR, the IP address space for both ends of the connection will be allocated by AWS in the 169.254.0.0/16 range.

Q: Can I connect to the Internet via this connection?

No.

Q: If I have more than one virtual interface attached, can I exchange traffic between the two ports?

Not for public Direct Connect virtual interfaces; but you can exchange traffic between the two ports in the same region if they are connecting to the same VGW.

Q. Can I locate my hardware next to the equipment that powers AWS Direct Connect?

You can procure rack space within the facility housing the AWS Direct Connect location and deploy your equipment nearby. However, AWS customer equipment cannot be placed within AWS Direct Connect racks or cage areas for security reasons. For more information, contact the APN Partner for the particular facility. Once deployed, you can connect this equipment to AWS Direct Connect using a cross-connect.

Q. How do I enable BFD on my Direct Connect connection?

Asynchronous BFD is automatically enabled for each Direct Connect virtual interface, but will not take effect until it's configured on your router. AWS has set the BFD liveness detection minimum interval to 300, and the BFD liveness detection multiplier to 3.

Q. How do I set up Direct Connect for the AWS GovCloud (US) Region?

See the AWS GovCloud (US) User Guide for detailed instructions on how to set up a Direct Connect connection for the AWS GovCloud (US) region.

Q. What is this feature?

Link Aggregation Groups (LAG) are a way for customers to order and manage multiple direct connect ports as a single larger connection instead of as separate discrete connections.

Q. What’s the max number of links I can have in a LAG group?

The maximum number of links will be 4x in a LAG group.

Q. What does the LOA look like?

You will receive a single LOA document with dedicated page for each connection.

Q. What are you using for Link Aggregation Groups?

We are using the industry standard of LACP.

Q. Are these LAGs Static or Dynamic LACP?

We are configuring Dynamic LACP bundles. Static LACP bundles are not supported.

Q. Are these in Active/Active or Active/Passive mode?

They will be in Active/Active. That means, that AWS ports will always be sending Link Aggregation Control Protocol Data Units (LACPDUs).

Q. Does the MTU change at all?
The MTU does not change.

Q. Can I have my ports configured for Active/Passive instead of Active/Active?

You could configure LAG at your endpoint with LACP active or passive mode, AWS side is always configured as Active mode LACP.

Q. Can I mix interface types and have a few 1G ports and a few 10G ports in the same bundle?

Only like interface types (ie. No mixing 1G and 10G in a bundle)

Q. What ports types will this be available on?

It will be available for 1G and 10G ports.

Q. Can I LAG hosted connections as well?

It will only be available for dedicated 1G and 10G connections. It will not be available for hosted connections on partner NNIs.

Q. Can I create a LAG out of my existing ports?

Yes, if your ports are on the same chassis. Please note this will cause your ports to go down for a moment while they are reconfigured as a LAG. They will not come back up until LAG is configured on your side as well.

Q. Can I have a LAG that spans multiple AWS routers?

LAG will only include ports on the same AWS device. We don’t support multi- chassis LAG.

Q. How do I add links to my LAG once it’s set up?

You can request another port for your LAG, but if we do not have ports available in the same chassis you will need to order a new LAG and migrate your connections. For example, if you have 3x 1G links, and would like to add a fourth but we do not have a port available on that chassis, you will need to order a new LAG of 4x 1G ports.

Q. What does the new LOA look like when I order additional connection to add to the LAG?

You will receive a separate LOA for each the new members of the LAG group.  

Q. You’re out of ports and I have to order a new LAG, but I have VIFs configured! How do I move those?

You can have multiple VIFs attached to a VGW at once, and you can configure VIFs on a connection even when it’s down. We suggest you create the new VIFs on your new bundle, and then move the connections over to the new bundle once you’ve created all of your VIFS. Remember to delete the old connections so we stop billing you for them.

Q. Can I delete a single port from my LAG?

Yes, but only if your min links is set to lower than the ports you’ll have left. Ex: You have 4 ports and Min links set to 4 – you won’t be able to delete a port from the bundle. If min links is set to 3, you can then delete a port from the bundle. We will return a notification with the specific panel/port you’ve deleted and a reminder to disconnect the cross connect and circuit from Amazon.

Q. Can I delete my LAG bundle all at once?

Yes, but just like a regular connection you won’t be able to delete it if you have VIFs configured.

Q. If I have only 2 ports in my LAG can I still delete one?

Yes, you can have a single port in a LAG.

Q. Can I order a LAG with only one port?

Yes you can. Please note we can’t guarantee there will be more ports available on the same
chassis in the future if you wish to add more ports.

Q. Can I convert a bundle back to individual ports?
Yes. This can be done with the DisassociateConnectionWithLag API call. See the API section.

Q. Can you just create a tool to move my VIFs for me?

You can use AssociateVirtualInterface API or console to do this operation.

Q. Does the LAG show as a single connection or a collection of connections?

It will show as a single dxlag and we’ll list the connection id’s under it.

Q. What does Min Links mean, and why do I have a check box for it when I order my bundle?

Min links is a feature in LACP where you can set the minimum number of links needed to be active in a bundle for that bundle to be active and pass traffic. If, for example, you have 4 ports, your min links is set to 3, and you only have 2 active ports, your bundle will not be active. If you have 3 or more then the bundle is active and will pass traffic if you have a VIF configured.

Q. What’s the behavior if I don’t click the Min Links?

We’ll set Min Links to 0 by default.

Q. Can I change the Min Links after I’ve set up my bundle?

Yes. You can change the min links value after you’ve set up the bundle, either via console or via API.

Q. When I associate my existing DirectConnect connection with a LAG what happens with existing Virtual Interfaces already created with DirectConnect connection?

When a DirectConnect connection with existing Virtual Interfaces (VIFs) is associated to a LAG, Virtual Interfaces are migrated to the LAG.  Please note that certain parameters associated with VIFs needs to be unique like VLAN numbers to be moved to LAG.

Q. If I have multiple LAGs, can I still use BFD to improve fail over time between paths?

BFD is still supported.

Q. Can I set link priority on a specific link?

We’ll treat all links as equal, so we won’t set “link priority” on any specific link

Q. Does having a LAG make my connection more resilient?

LAG will let you protect against single path failures between your data center and AWS. It won’t protect against a single device failure at AWS.

Q. Can I have VIFs on two different LAG connected to the same VGW?

Yes. This behavior is exactly like creating VIFs on single ports.

Q. Can I have a 40GE interface on my side that connects to 4x 10GE on the AWS side?

You will need 4x 10GE interfaces on your router to connect to AWS. A single 40GE interface connecting to a 4x 10GE LACP is not supported.

Q. Is there a charge for LAG?
There is no extra charge for LAG.

Q. Can I run IPv4 and IPv6 on the same virtual interface (VIF)?

AWS Direct Connect supports both single and dual stack configurations on public and private VIFs. You will be able to add an IPv6 peering session to an existing VIF with IPv4 peering session (or vice versa). You can also create 2 separate VIFs – one for IPv4 and another one for IPv6

Q. I need a public IPv6 range, can Amazon assign me a range?

Yes. Addressing for both public and private VIFs is provided by default and with a netmask of /125.

Q. What IP address will Amazon assign my private VIF if I select “assign an IP” in the console?

For a private IPv4 VIF, Amazon will provide you a /30 CIDR. For a private IPv6 VIF, Amazon will provide you a /125 CIDR.

Q. Will I still need to run BGP on my VIFs?

Yes. Both private and public Direct Connect require a native peering from IPv4 or IPv6. Multiprotocol BGP is not supported at this time.

Q. Are there any changes to VLAN assignment?

No. Layer 2 functionality remains the same for IPv4 and IPv6.

Q. Will I still be able to use BFD for faster BGP failover times?

Yes. BFD is supported for IPv6 BGP peerings.

Q. Are there any changes in the length of CIDR you can advertise to AWS?

Yes, for IPv6 we will limit the length of CIDR you can advertise to AWS to /64 (or shorter) for public Direct Connect Virtual Interface. For IPv4, prefix limits will remain the same.

Q. What routes will AWS announce to me over a public VIF?

All public routes.

Q. Will you support multicast or anycast over IPv6 VIFs?

We will not support multicast or anycast on Direct Connect.

Q. What routes will I learn from AWS over a public VIF?

AWS Public Direct Connect will advertise IPv6 prefixes for all IPv6 enabled services.

Q. Can I create a hosted virtual interface for someone that is IPv6 enabled?

Yes you can.

Q. Will this impact partner policers on their NNI ports at all?

It will not.

Q. Will cloudhub still work in my VGW? (note also impacts VPN)

It will only work for like for like traffic. You can’t send v4 traffic out a v6 interface, for example. Translation between IPv4 and IPv6 is not supported.

Q. What are the technical requirements for virtual interfaces to VPCs?

This connection requires the use of Border Gateway Protocol (BGP). You will need the following information to complete the connection:

  • A public or private ASN. If you are using a public ASN you must own it. If you are using a private ASN, it must be in the 64512 to 65535 range.
  • A new unused VLAN tag that you select
  • The VPC Virtual Private Gateway (VGW) ID

AWS will allocate private IPs (/30) in the 169.x.x.x range for the BGP session and will advertise the VPC CIDR block over BGP. You can advertise the default route via BGP.

Q. How does AWS Direct Connect differ from an IPSec VPN Connection?

A VPC VPN Connection utilizes IPSec to establish encrypted network connectivity between your intranet and Amazon VPC over the Internet. VPN Connections can be configured in minutes and are a good solution if you have an immediate need, have low to modest bandwidth requirements, and can tolerate the inherent variability in Internet-based connectivity. AWS Direct Connect does not involve the Internet; instead, it uses dedicated, private network connections between your intranet and Amazon VPC.

Q. Can I use AWS Direct Connect and a VPN Connection to the same VPC simultaneously?

Yes. However, only in fail-over scenarios. The Direct Connect path will always be preferred, when established, regardless of AS path prepending.

Q. Can I establish a Layer 2 connection between VPC and my network?

No, Layer 2 connections are not supported.

 

Q. What is Direct Connect Gateway?

Direct Connect Gateway is a grouping of Virtual Private Gateways (VGWs) and Private Virtual Interfaces (VIFs) that belongs to the same AWS account.

Q. Why is Direct Connect Gateway needed?

It provides two main functions.  First; Direct Connect Gateway will enable you to interface with VPCs in any AWS Region (except AWS China Region), enabling you to use your AWS Direct Connect connections to interface with more than one AWS Regions.

Second; you can share private virtual interface to interface with more than one Virtual Private Clouds (VPCs), enabling you to reduce the number of Border Gateway Protocol sessions between your on premise network and AWS deployments.

Q. Are there additional fees when using Direct Connect Gateway and working with remote regions?

You will pay applicable egress data charges and port hour charges as per AWS Direct Connect Pricing.

Q. Do the private Virtual Interfaces(s), Direct Connect Gateway, and VGWs need to be in the same account to use Direct Connect Gateway functionality?

Yes, private virtual interface, direct connect gateway, and VGW (associated with VPC) must be in the same AWS account to use Direct Connect Gateway functionality.

Q.  Can I continue to use all my VPC features if I associate VGW (associated with VPC) to Direct Connect Gateway?

Yes, Networking features such as Elastic File System, Elastic Load Balancer, Application Load Balancer, Security Groups, Access Control List, will still work with Direct Connect Gateway.

Direct Connect Gateway will not support CloudHub functionality, but if you are using AWS Classic VPN or AWS VPN connection to VGW that is assocaited with your Direct Connect Gateway, you will be able to use your VPN connection to failover.

Features that are currently not supported by Direct Connect, AWS Classic VPN, or AWS VPN, such as edge-to-edge routing, VPC peering, VPC endpoint, will not be supported by Direct Connect Gateway.

Q. I am working with one of the AWS Direct Connect partners to get private virtual interface provisioned for my account, can I use Direct Connect Gateway?

Yes, you can associate provisioned Private Virtual Interface with your Direct Connect Gateway when you confirm your provisioned Private Virtual Interface in your AWS account.

Q. What if I just want to connect to VPCs in my local region?

You can continue to use the current practice of attaching your VIF to VGW; you will continue to have intra-region VPC connectivity, and will be charged egress rate that is applicable based on geographical regions.

Q. What are the limits associated with Direct Connect Gateway usage?

Please refer to AWS Direct Connect Limits to get limits associated with the Direct Connect Gateway feature.

Q.  Can a VGW (associated with a VPC) be part of more than one Direct Connect Gateway?

No, a VGW- VPC pair can not be part of more than one Direct Connect Gateway.

Q.  Can a Private Virtual Interface be attached to more than one Direct Connect Gateway?

No, one Private Virtual Interface can only attach to a single Direct Connect Gateway OR a single VGW.

Q. Can I assocate multiple VGWs (each assocaited with a VPC) to a Direct Connect Gateway?

Yes, this will be allowed as long as the IP CIDR blocks of the VPC associated with the VGW do not overlap.

Q.  How do I connect to the remote VPC?

Once the Private VIF has been associated with your Direct Connect Gateway, you can configure BGP as you would with a traditional Private Virtual Interface.  For each VGW that is then associated with the Direct Connect Gateway, you will recieve a BGP announcement for the additional CIDR ranges.

Q.  Does Direct Connect Gateway break existing CloudHub functionality for customers?

No, Direct Connect Gateway does not break existing CloudHub for customers.  Direct Connect Gateway enables connectivity between on-premise networks and ANY AWS region's VPC.  CloudHub enables connectivity between on-premise network using Direct Connect or VPN within the same region the VIF is associated with the VGW directly.  Existing CloudHub functionality will continue to be supported.

Q.  What type of traffic is supported, and not supported by Direct Connect Gateway?

Please refer to AWS Direct Connect User Guide to review supported and not supported traffic patterns.

Q.  Will intra-region CloudHub continue to be supported?

Yes, customers will still be able to attach a Direct Connect VIF directly to a VGW to support CloudHub

Q.  I currently have a VPN in us-east-1 attached to a VGW.  I want to enable CloudHub in us-east-1 between that VPN and a new VIF.  Can I do this with Direct Connect Gateway?

No, you cannot do this with a Direct Connect Gateway, but the option to attach a VIF directly to a VGW is available to enable the VPN <-> Direct Connect CloudHub use case.

Q.  I have existing private virtual interface associated with VGW, can I associate my existing private virtual interface with Direct Connect Gateway?

No, existing private virtual interface associated with VGW can not be associated with the Direct Connect Gateway.  Please create a new private virtual interface, and at the time of creation, associate with your Direct Connect Gateway.

Q. Does Direct Connect Gateway deprecate CloudHub functionality?

No.  You can continue using your already created CloudHub.

Q.  Can I create new CloudHub between my VPN connection and Direct Connect VIF?

Yes, you can create new CloudHub between your VPN and Direct Connect VIF by using a VGW attachment instead of a Direct Connect Gateway attachement.

Q. If I have a VGW attached to a VPN and a Direct Connect Gateway and my Direct Connect circuit goes down, will my VPC traffic route out the VPN?

Yes, as long as the VPC route table still has routes to the VGW towards the VPN.

Q.  Can I attach a VGW that is not attached to a VPC to a Direct Connect Gateway?

No, you cannot associate an unattached VGW to Direct Connect Gateway.

Q.  I have created Direct Connect Gateway with one Direct Connect Private Virtual Interface, and three non-overlapping VGWs (each associated with a VPC), what happens if I detach one of the VGW from the VPC?

Traffic from your on-premise network to the detached VPC will stop, and VGW's association with the Direct Connect Gateway will be deleted.

Q.  I have created Direct Connect Gateway with one Direct Connect VIF, and three non-overlapping VGW-VPC pairs, what happens if I detach one of the VGW from the Direct Connect Gateway?

Traffic from your on-premise network to the detached VGW (associated with a VPC) will stop.

Q.  Can I send traffic from one VPC associated with a Direct Connect Gateway to another VPC associated to the same Direct Connect Gateway?

No, Direct Connect Gateway only supports routing traffic from Direct Connect VIFs to VGW (associated with VPC).  In order to send traffic between 2 VPCs, you would configure a VPC peering connection, the same as you do today.

Q.  I currently have a VPN in us-east-1 attached to a VGW.  If I associate this VGW to a Direct Connect Gateway, can I send traffic from that VPN to a VIF attached to the Direct Connect Gateway in a different region?

No, a Direct Connect Gateway will not route traffic between a VPN and a Direct Connect VIF.  To enable this use case, you would create a VPN in the region of the VIF and attach the VIF and the VPN to the same VGW.

Q.  How do I detach my VGW-VPC pair from a Direct Connect Gateway?

You can detach a VGW-VPC pair from a Direct Connect Gateway using the AWS Console or API.

Q.  Do you provide any SLA for Direct Connect Gateway?

No, at this time we do not provide a SLA for Direct Connect Gateway.



Q. What is this feature?

Configurable Private Autonomous System Number (ASN).  This allows customers to set the ASN on the Amazon side of the BGP session for private VIFs on any newly created Direct Connect Gateway.

Q. Where are these features available?

All commercial AWS Regions (except AWS China Region) and GovCloud (US).

Q. How can I configure/assign my ASN to be advertised as Amazon side ASN?

You can configure/assign an ASN to be advertised as the Amazon side ASN during creation of the new Direct Connect Gateway.  You can create a Direct Connect Gateway using the AWS Direct Connect console or a CreateDirectConnectGateway API call.

Q. Can I use any ASN - public and private?
You can assign any private ASN to the Amazon side.  You cannot assign any other public ASN.

Q.  Why can't I assign a public ASN for the Amazon half of the BGP session?

Amazon is not validating ownership of the ASNs, therefore, we're limiting the Amazon-side ASN to private ASNs.  We want to protect customers from BGP spoofing.

Q. What ASN can I choose?

You can choose any private ASN.  Ranges for 16-bit private ASNs include 64512 to 65534.  You can also provide 32-bit ASNs between 4200000000 and 4294967294.

Q. What will happen if I try to assign a public ASN to the Amazon half of the BGP session?

We will ask you to re-enter a private ASN once you attempt to create the Direct Connect Gateway.

Q. If I don't provide an ASN for the Amazon half of the BGP session, what ASN can I expect Amazon to assign to me?

Amazon will provide an ASN of 64512 for the Direct Connect Gateway if you don't choose one.

Q.  Where can I view the Amazon side ASN?

You can view the Amazon side ASN in the AWS Direct Connect console and in the response of the DescribeDirectConnectGateways or using DescribeVirtualInterfaces API.

Q.  If I have a public ASN, will it work with a private ASN on the AWS side?

Yes, you can configure the Amazon side of the BGP session with a private ASN and your side with a public ASN.

Q. I have private VIFs already configured and want to set a different Amazon side ASN for the BGP session on an existing VIF.  How can I make this change?

You will need to create a new Direct Connect Gateway with desired ASN, and create a new VIF with the newly created Direct Connect Gateway.  Your device configuration also needs to change appropriately.

Q.  I'm attaching multiple private VIFs to a single Direct Connect Gateway.  Can each VIF have a separate Amazon side ASN?

No, you can assign/configure separate Amazon side ASN for each Direct Connect Gateway, not each VIF.  Amazon side ASN for VIF is inherited from the Amazon side ASN of the attached Direct Connect Gateway.

Q.  Can I use different private ASNs for my Direct Connect Gateway and Virtual Private Gateway?

Yes, you can use different private ASNs for your Direct Connect Gateway and Virtual Private Gateway.  Please note, the Amazon side ASN you will recieve depends on your private virtual interface association.

Q.  Can I use same private ASNs for my Direct Connect Gateway and Virtual Private Gateway?

Yes, you can use same private ASNs for your Direct Connect Gateway and Virtual Private Gateway.  Please note, the Amazon side ASN you will recieve depends on your private virtual interface association.

Q.  I'm attaching multiple Virtual Private Gateways with their own private ASN to a single Direct Connect Gateway configured with its own private ASN.  Which private ASN takes precedence, VGW or Direct Connect Gateway?

Direct Connect Gateway private ASN will be used as the Amazon side ASN for the Border Gateway Protocol (BGP) session between your network and AWS.

Q.  Where can I select my own private ASN?

When creating a Direct Connect Gateway in the AWS Direct Connect Gateway console.  Once Direct Connect Gateway is configured with Amazon side ASN, the private virtual interfaces associated with the Direct Connect Gateway will use your configured ASN as the Amazon side ASN.

Q.  I use CloudHub today.  Will I have to adjust my configuration in the future?

You will not have to make any changes.

Q. I want to select a 32-bit ASN.  What is the range of 32-bit private ASNs?

We will support 32-bit ASNs from 4200000000 to 4294967294.

Q.  Once the Direct Connect Gateway is created, can I change or modify the Amazon side ASN?

No, you cannot modify the Amazon side ASN after creation.  You can delete the Direct Connect Gateway and recreate a new Direct Connect Gateway with the desired private ASN.

 

Q. When creating a virtual interface to work with AWS services using public IP space, what IP prefixes will I recieve via BGP?

You will receive all Amazon IP prefixes for the region that you are connecting to in supported AWS Regions, and on-net prefixes from other AWS non-regional point of presence (PoP) as available such as CloudFront you can refer to this link for more information.  This includes prefixes necessary to reach AWS services, and may include prefixes for other Amazon affiliates, including those of www.amazon.com.  For the current list of prefixes advertised by AWS, please download the JSON of AWS IP Address Ranges.

When customers use AWS Direct Connect, customers' traffic will remain in AWS global network backbone, after it enters AWS global network backbone.  Therefore, prefixes of services such as Route53 or certain CloudFront locations that are not on the Amazon backbone network will not be advertised through Direct Connect. 

For the newly created public VIF, Direct Connect customers will receive all Amazon public IP prefixes in supported AWS regions and on-net prefixes from other AWS non-region points of presence (POP) as available such as CloudFront.  Standard AWS Direct Connect data transfer out rates apply for all traffic routed through your AWS Direct Connect connection.  Please see the AWS Direct Connect community forum for the additional details in the routing policy of the public virtual interface.

Q.  What IP prefixes should I advertise over BGP for virtual interfaces to public AWS services?

You should advertise appropriate public IP prefixes that you own over BGP.  Traffic from AWS services destined for these prefixes will be routed over your AWS Direct Connect connection.

Q. I have existing public virtual interface, can I start receiving Amazon's global IP prefixes on my existing public virtual interface?

No, you will need to create a new public virtual interface to receive Amazon's global IP prefixes.

Q. I am going to create a new public virtual interface; do I need to do anything special to get global Amazon public IP prefixes?

No, you will receive Amazon's global IP prefixes.

Q. Will this new capability affect my existing public virtual interfaces?

No, your existing public virtual interfaces will not get affected.

Q.  How many prefixes will you advertise over my newly created public virtual interface?

You should receive approximately 2,000 prefixes, and it will continue to increase.

Q. I do not want global public IP prefixes, can I opt out?

Yes, you can opt out using scoping communities.  Please refer to this link to learn more about scoping communities suported by AWS Direct Connect.

Q. I want to migrate my existing public virtual interface to recieve global prefixes; how can I do this migration?

You have two options to do such a migration.  First, create a new public virtual interface, migrate traffic from your existing public virtual interface to the newly created public virtual interface; delete your old public virtual interface.  Second, open a support case to request scope change for your existing public virtual interface, you will experience a Border Gateway Protocol flap during the scope change.

 

Q. Can I have v4 and v6 BGP sessions running over a single VPN tunnel?

At this time, we will only allow v4 BGP session running single VPN tunnel with IPv4 address. In future, we will allow v6 BGP sessions running over the single VPN tunnel with IPv4 endpoint address.

Q. Is there any difference to the BGP configuration/setup details outlined for DX?

VPN BGP will work the same as DX

Q. Can I terminate my tunnel to an endpoint with an IPv6 address?

At this time, we will only support IPv4 endpoint address for VPN. In future, we will support VPN endpoint with IPv6 address.

Q. Can I terminate my tunnel to an IPv4 address and run IPv6 BGP sessions over the tunnel?

At this time, we will only allow v4 BGP session running single VPN tunnel with IPv4 address. In future, we will allow v6 BGP sessions running over the single VPN tunnel with IPv4 endpoint address.