I created a private virtual interface in AWS Direct Connect (DX). How do I check if I'm routing properly over DX?

After you create your private virtual interface, do the following to verify that routing is set up correctly.

Verify that the virtual private gateway associated with your private virtual interface is attached to the correct virtual private cloud (VPC) in Amazon VPC:

  1. Sign in to the Direct Connect console.
  2. In the navigation pane, choose Virtual Interfaces.
  3. In the content pane, select your private virtual interface.
  4. Choose the Summary view.
  5. Note the Virtual Gateway value.
  6. Sign in to the VPC console.
  7. In the navigation pane under VPN Connections, select Virtual Private Gateways.
  8. In the content pane, select the virtual private gateway that you noted before.
  9. Choose the Details view.
  10. Note the VPC ID value. If there isn't a VPC listed, for Actions, choose Attach to VPC, and then select the VPC you want to attach to your virtual private gateway.

Verify that you're advertising and receiving the correct routes through Border Gateway Protocol (BGP). For more information, see Routing Policies and BGP Communities.

  • Be sure that you're advertising routes to AWS that cover the networks that are communicating with your VPC.
  • Be sure that you're receiving the VPC CIDR route from AWS.

Verify that you've enabled route propagation to your subnet route tables. Route propagation copies the routes learned through VPN connections and Direct Connect virtual interfaces into your VPC route tables. Changes to those routes are applied dynamically, so you don't need to enter or update routes manually.

Verify that your security groups allow traffic from your local network.

  1. Sign in to the VPC console.
  2. In the navigation pane under Security, choose Security Groups.
  3. In the content pane, select the security group that's associated with your instances.
  4. Choose the Inbound Rules view.
  5. Be sure that there are rules permitting traffic from your local network over the desired ports.
  6. Choose the Outbound Rules view.
  7. Be sure that there are rules permitting traffic to your local network over the desired ports.

Verify that your network access control lists (ACLs) allow traffic from your local network.

  1. Sign in to the VPC console.
  2. In the navigation pane under Security, choose Network ACLs.
  3. In the content pane, select the network ACL that's associated with your VPC and subnets.
  4. Choose the Inbound Rules view.
  5. Be sure that there are rules permitting traffic from your local network over the desired ports.
  6. Choose the Outbound Rules view.
  7. Be sure that there are rules permitting traffic to your local network over the desired ports.

Verify that traffic traverses your DX private virtual interface by using the ping utility. Make sure that your security groups, network ACLs, and on-premises security controls allow bidirectional connectivity tests with ping.
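As an added example (not part of the original article), the following Python checks three of the items above offline: the virtual private gateway attachment, route propagation, and the security group rules. Each function takes a dict shaped like the corresponding EC2 API response (DescribeVpnGateways, DescribeRouteTables, DescribeSecurityGroups), which in practice you would obtain with boto3; the resource IDs and CIDRs in the sample data are constructed.

```python
import ipaddress


def vgw_attached_to_vpc(vgw, vpc_id):
    """True if the virtual private gateway has an 'attached' attachment to vpc_id."""
    return any(a["VpcId"] == vpc_id and a["State"] == "attached"
               for a in vgw.get("VpcAttachments", []))


def propagation_enabled(route_table, vgw_id):
    """True if routes learned via vgw_id propagate into this subnet route table."""
    return any(p["GatewayId"] == vgw_id for p in route_table.get("PropagatingVgws", []))


def _covers(rule_cidr, network):
    # The rule must cover the whole on-premises prefix, not just part of it.
    return ipaddress.ip_network(network).subnet_of(ipaddress.ip_network(rule_cidr))


def _port_matches(rule, port):
    if rule["IpProtocol"] == "-1":  # "All traffic" rules carry no port range
        return True
    return rule["IpProtocol"] == "tcp" and rule["FromPort"] <= port <= rule["ToPort"]


def sg_allows(sg, onprem_cidr, port, direction="inbound"):
    """True if the security group permits TCP `port` to/from the entire on-prem CIDR."""
    rules = sg["IpPermissions"] if direction == "inbound" else sg["IpPermissionsEgress"]
    return any(_port_matches(r, port)
               and any(_covers(ip["CidrIp"], onprem_cidr) for ip in r.get("IpRanges", []))
               for r in rules)


# Constructed sample data in the API response shapes (placeholder IDs, not real resources)
VGW = {"VpnGatewayId": "vgw-0example",
       "VpcAttachments": [{"VpcId": "vpc-0example", "State": "attached"}]}
ROUTE_TABLE = {"RouteTableId": "rtb-0example", "PropagatingVgws": [{"GatewayId": "vgw-0example"}]}
SG = {"GroupId": "sg-0example",
      "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}],
      "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}


def run_checks(vgw=VGW, rt=ROUTE_TABLE, sg=SG, vpc_id="vpc-0example", onprem="10.20.0.0/16"):
    """Run the checklist against one VGW, one route table and one security group."""
    return {"vgw_attached": vgw_attached_to_vpc(vgw, vpc_id),
            "propagation": propagation_enabled(rt, vgw["VpnGatewayId"]),
            "sg_ssh_in": sg_allows(sg, onprem, 22),
            "sg_https_out": sg_allows(sg, onprem, 443, "outbound")}
```

Any False value in the result points at the corresponding step of the checklist above.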


Published: 2018-11-14