How can I use BGP communities to control the routes advertised and received over the AWS public virtual interface with Direct Connect?


I want to control the routes advertised and received over the AWS public virtual interface to a specific AWS Region, continent, or globally.

Short description

AWS Direct Connect locations in AWS Regions or AWS GovCloud (US) can access public services in any AWS Region, excluding the China (Beijing) Region. Direct Connect advertises all local and remote AWS Region prefixes where available. Direct Connect includes on-net prefixes from other AWS non-Region points of presence (POPs) where available, such as Amazon CloudFront. For more information, see Routing policies and Border Gateway Protocol (BGP) communities.

Resolution

Direct Connect supports a range of BGP community tags to help control the scope of routes advertised and received over a public virtual interface. For example, BGP community tags can be at the Regional, continental, or global level.

AWS advertises the following Direct Connect BGP community tags to your customer gateway device over the public virtual interface:

  • 7224:8100: Routes that originate from the AWS Region where the Direct Connect point of presence is located
  • 7224:8200: Routes that originate from the continent where the Direct Connect point of presence is located
  • No tag: Global (all public AWS Regions)

For public virtual interfaces in the us-east-1 AWS Region, AWS advertises the routes associated with public resources in the us-east-1 AWS Region with a 7224:8100 community tag. For routes for public resources elsewhere in North America, AWS advertises the routes with a 7224:8200 community tag. All other prefixes carry no tag.

Use the following Direct Connect BGP community tags to select the scope of your prefixes to AWS:

  • 7224:9100: Local AWS Region where the Direct Connect point of presence is located
  • 7224:9200: All AWS Regions for the continent, such as North America, where the Direct Connect point of presence is located
  • 7224:9300 or no tag: Global, or all public AWS Regions

If you have a public virtual interface in the us-east-1 AWS Region and want to limit the scope of the routes that you advertise to the us-east-1 AWS Region, tag those routes with the 7224:9100 community tag. If you tag your routes with the 7224:9200 community tag, then your prefixes are advertised to all US AWS Regions. If you tag your routes with the 7224:9300 community tag, then your prefixes are advertised to all AWS Regions. If you don't tag your prefixes with a community tag, then your prefixes are also advertised to all AWS Regions.

For example, you can limit the routes received and advertised over the public virtual interface to a specific local AWS Region. First, configure a prefix filter and route map that matches the routes received from AWS with the 7224:8100 community tag. Then, install only those routes. You also must advertise your prefixes to AWS with a 7224:9100 community tag. The routes received and advertised over the public virtual interface are limited to the local Region.
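The local-Region policy described above, written out as a Cisco IOS-style configuration. This is an added example, not configuration from the AWS article; the local ASN 65000, the peer address 192.0.2.1, the customer prefix 203.0.113.0/24 and the BGP password placeholder are all assumed values that you would replace with those from your own public virtual interface.

```cisco
! Assumed values (not from the article): local ASN 65000, AWS peer 192.0.2.1,
! customer public prefix 203.0.113.0/24. Direct Connect peers as ASN 7224.
ip bgp-community new-format
!
! Inbound selector: routes AWS tags as originating in the local Region
ip community-list standard AWS-LOCAL-REGION permit 7224:8100
!
! Outbound selector: only the prefix we are entitled to announce
ip prefix-list OUR-PUBLIC-PREFIX seq 5 permit 203.0.113.0/24
!
! Inbound policy: install only local-Region routes.
! The implicit deny at the end of the route map drops continental (7224:8200)
! and untagged (global) prefixes, so nothing outside the Region is installed.
route-map FROM-AWS-PUBLIC permit 10
 match community AWS-LOCAL-REGION
!
! Outbound policy: announce our prefix scoped to the local Region (7224:9100).
! "set community" replaces any existing communities on the route.
route-map TO-AWS-PUBLIC permit 10
 match ip address prefix-list OUR-PUBLIC-PREFIX
 set community 7224:9100
!
router bgp 65000
 neighbor 192.0.2.1 remote-as 7224
 neighbor 192.0.2.1 password <BGP-AUTH-KEY-PLACEHOLDER>
 address-family ipv4 unicast
  network 203.0.113.0 mask 255.255.255.0
  neighbor 192.0.2.1 activate
  ! Without send-community the 7224:9100 tag is stripped and AWS treats
  ! the announcement as global scope.
  neighbor 192.0.2.1 send-community
  neighbor 192.0.2.1 route-map FROM-AWS-PUBLIC in
  neighbor 192.0.2.1 route-map TO-AWS-PUBLIC out
```

To confirm the filter is doing what you expect, compare `show ip bgp neighbors 192.0.2.1 received-routes` (requires soft-reconfiguration inbound) against `show ip bgp neighbors 192.0.2.1 routes`: the second list should contain only prefixes carrying 7224:8100.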

You can use any combination of the community tags to control the routes advertised and received over an AWS public virtual interface. AWS Direct Connect advertises all public prefixes with the NO_EXPORT BGP community tag. For more information or to download the current list of prefixes that AWS advertises, see AWS IP address ranges.

AWS OFFICIAL, updated 4 months ago