How do I configure routing for my Direct Connect private virtual interface?

Last updated: 2022-02-16

I created a private virtual interface (VIF) in AWS Direct Connect. How do I check if I'm routing properly over my Direct Connect connection?

Resolution

After you create your private virtual interface, do the following to verify that routing is set up correctly.

Verify that the virtual private gateway associated with your private virtual interface is attached to the correct Amazon Virtual Private Cloud (Amazon VPC):

  1. Sign in to the Direct Connect console.
  2. In the navigation pane, choose Virtual Interfaces.
  3. Choose the virtual interface (VIF), and then choose View details.
  4. For private VIFs attached to a virtual gateway (VGW), in General configuration choose the VGW ID.
  5. If the virtual gateway isn't attached to your VPC, follow the instructions to attach it.
  6. For private VIFs attached to a Direct Connect gateway, in General configuration choose the gateway ID.
  7. In Gateway associations, verify that the Direct Connect gateway is associated with your virtual gateway.
  8. Confirm that the allowed prefixes include the VPC CIDR.

Verify that you're advertising and receiving the correct routes through Border Gateway Protocol (BGP). For more information, see Routing policies and BGP communities.

  • Be sure that you're advertising routes to AWS that cover the networks that are communicating with your VPC.
  • Be sure that you're receiving the VPC CIDR route from AWS.

Verify that you've enabled route propagation to your subnet route tables. This step propagates the routes learned through VPN connections and Direct Connect virtual interfaces to your VPC route tables. Any changes to the routes are updated dynamically, and you don't need to manually enter or update routes.
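The route propagation check above can be scripted against the JSON that `aws ec2 describe-route-tables --filters Name=vpc-id,Values=<vpc-id>` returns. The following Python is an added example, not part of the AWS article: it reads a document shaped like that CLI output (the sample embedded here is constructed, and every `rtb-`, `vpc-` and `vgw-` ID is a placeholder) and reports, per route table, whether propagation from the virtual private gateway is enabled and whether an active propagated route covers the on-premises prefix you expect to learn over BGP.

```python
"""Check that subnet route tables propagate routes from the virtual private
gateway (VGW) behind a Direct Connect private VIF.

The input is JSON shaped like the output of `aws ec2 describe-route-tables`;
the sample below is constructed for this example and every ID in it is a
placeholder, not a real resource."""
import ipaddress
import json
import sys

# Constructed sample: table 1 propagates from the VGW and has learned the
# on-premises prefix; table 2 never had propagation enabled.
SAMPLE_ROUTE_TABLES = json.dumps({
    "RouteTables": [
        {
            "RouteTableId": "rtb-0000000000000001",
            "VpcId": "vpc-0000000000000001",
            "PropagatingVgws": [{"GatewayId": "vgw-0000000000000001"}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local",
                 "Origin": "CreateRouteTable", "State": "active"},
                {"DestinationCidrBlock": "192.168.0.0/16",
                 "GatewayId": "vgw-0000000000000001",
                 "Origin": "EnableVgwRoutePropagation", "State": "active"},
            ],
        },
        {
            "RouteTableId": "rtb-0000000000000002",
            "VpcId": "vpc-0000000000000001",
            "PropagatingVgws": [],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local",
                 "Origin": "CreateRouteTable", "State": "active"},
            ],
        },
    ]
})


def check_route_tables(describe_output, vgw_id, on_prem_cidr):
    """Return {RouteTableId: [findings]} for every table in the document.

    An empty findings list means the table propagates from vgw_id and holds an
    active, propagated route via that VGW whose destination covers on_prem_cidr."""
    wanted = ipaddress.ip_network(on_prem_cidr)
    report = {}
    for table in json.loads(describe_output)["RouteTables"]:
        findings = []
        propagating = {g["GatewayId"] for g in table.get("PropagatingVgws", [])}
        if vgw_id not in propagating:
            findings.append(f"route propagation from {vgw_id} is not enabled")

        covered = False
        for route in table.get("Routes", []):
            # IPv6 routes use DestinationIpv6CidrBlock; this check is IPv4 only.
            dest = route.get("DestinationCidrBlock")
            if dest is None or route.get("GatewayId") != vgw_id:
                continue
            if route.get("State") != "active":
                findings.append(f"route {dest} via {vgw_id} is in state {route.get('State')}")
                continue
            if wanted.subnet_of(ipaddress.ip_network(dest)):
                covered = True
                if route.get("Origin") != "EnableVgwRoutePropagation":
                    # A static route works today but will not follow BGP changes.
                    findings.append(f"{dest} is a static route, not a propagated one")
        if not covered:
            findings.append(f"no active route via {vgw_id} covers {on_prem_cidr}")
        report[table["RouteTableId"]] = findings
    return report


if __name__ == "__main__":
    # Usage: python check_routes.py [describe-route-tables.json]
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ROUTE_TABLES
    for rtb, problems in check_route_tables(data, "vgw-0000000000000001",
                                            "192.168.0.0/16").items():
        print(rtb, "OK" if not problems else "; ".join(problems))
```

Run it against the saved CLI output with your own VGW ID and on-premises prefix; a table that lists the VGW under PropagatingVgws but shows no route for your prefix usually means the prefix is not being advertised over the BGP session, which is the check in the previous section.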

Verify that your security groups allow traffic from your local network.

  1. Sign in to the VPC console.
  2. In the navigation pane under Security, choose Security Groups.
  3. In the content pane, select the security group that's associated with your instances.
  4. Choose the Inbound Rules view.
  5. Be sure that there are rules permitting traffic from your local network over the desired ports.
  6. Choose the Outbound Rules view.
  7. Be sure that there are rules permitting traffic to your local network over the desired ports.

Verify that your network access control lists (ACLs) allow traffic from your local network.

  1. Sign in to the VPC console.
  2. In the navigation pane under Security, choose Network ACLs.
  3. In the content pane, select the network ACL that's associated with your VPC and subnets.
  4. Choose the Inbound Rules view.
  5. Be sure that there are rules permitting traffic from your local network over the desired ports.
  6. Choose the Outbound Rules view.
  7. Be sure that there are rules permitting traffic to your local network over the desired ports.
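The security group and network ACL checks in the two procedures above are easy to get wrong by hand, because the two mechanisms evaluate rules differently: security groups are stateful and allow-only, while network ACLs are stateless, ordered by rule number, and decided by the first matching entry. The Python below is an added example that is not part of the AWS article. It takes a security group object and a network ACL object shaped like the `SecurityGroups[]` and `NetworkAcls[]` elements of `aws ec2 describe-security-groups` and `aws ec2 describe-network-acls` (the embedded samples are constructed, with placeholder `sg-` and `acl-` IDs and a made-up 192.168.0.0/16 on-premises range) and reports which of the four rule sets would block TCP traffic on a given port between the on-premises network and the VPC.

```python
"""Audit security-group and network-ACL rules for TCP traffic between an
on-premises network and a VPC over a Direct Connect private VIF.

Inputs are shaped like the SecurityGroups[] and NetworkAcls[] elements of
`aws ec2 describe-security-groups` / `aws ec2 describe-network-acls`.
The samples are constructed for this example; all IDs are placeholders."""
import ipaddress

# Constructed sample security group: inbound HTTPS from on-premises, all egress.
SAMPLE_SG = {
    "GroupId": "sg-0000000000000001",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "192.168.0.0/16"}]},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

# Constructed sample network ACL. Protocol "6" is TCP, "-1" is all protocols.
# Rule 90 denies one on-premises subnet before rule 100 allows the /16,
# and the egress rule covers the ephemeral ports that replies leave on.
SAMPLE_ACL = {
    "NetworkAclId": "acl-0000000000000001",
    "Entries": [
        {"RuleNumber": 90, "Protocol": "-1", "RuleAction": "deny",
         "Egress": False, "CidrBlock": "192.168.50.0/24"},
        {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow",
         "Egress": False, "CidrBlock": "192.168.0.0/16",
         "PortRange": {"From": 443, "To": 443}},
        {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow",
         "Egress": True, "CidrBlock": "192.168.0.0/16",
         "PortRange": {"From": 1024, "To": 65535}},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny",
         "Egress": False, "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny",
         "Egress": True, "CidrBlock": "0.0.0.0/0"},
    ],
}


def _cidr_covers(rule_cidr, flow_cidr):
    """True when the whole flow_cidr lies inside rule_cidr."""
    return ipaddress.ip_network(flow_cidr).subnet_of(ipaddress.ip_network(rule_cidr))


def sg_allows(sg, direction, cidr, protocol, port):
    """Security groups are stateful and allow-only: any matching rule permits the flow."""
    perms = sg["IpPermissions"] if direction == "inbound" else sg["IpPermissionsEgress"]
    for p in perms:
        if p["IpProtocol"] not in ("-1", protocol):
            continue
        if p["IpProtocol"] != "-1" and not (p["FromPort"] <= port <= p["ToPort"]):
            continue
        if any(_cidr_covers(r["CidrIp"], cidr) for r in p.get("IpRanges", [])):
            return True
    return False


def nacl_allows(acl, egress, cidr, protocol_number, port):
    """Network ACLs are stateless and evaluated in ascending RuleNumber order;
    the first entry whose CIDR, protocol and port range match decides the flow."""
    entries = sorted((e for e in acl["Entries"] if e["Egress"] == egress),
                     key=lambda e: e["RuleNumber"])
    for e in entries:
        if not _cidr_covers(e["CidrBlock"], cidr):
            continue
        if e["Protocol"] not in ("-1", protocol_number):
            continue
        if e["Protocol"] != "-1" and "PortRange" in e:
            if not (e["PortRange"]["From"] <= port <= e["PortRange"]["To"]):
                continue
        return e["RuleAction"] == "allow"
    return False  # nothing matched: the implicit deny applies


def audit(sg, acl, on_prem_cidr, port):
    """Return a list of findings for TCP traffic on `port` from on_prem_cidr; empty means clear."""
    findings = []
    if not sg_allows(sg, "inbound", on_prem_cidr, "tcp", port):
        findings.append(f"SG {sg['GroupId']}: no inbound rule for tcp/{port} from {on_prem_cidr}")
    if not sg_allows(sg, "outbound", on_prem_cidr, "tcp", port):
        findings.append(f"SG {sg['GroupId']}: no outbound rule for tcp/{port} to {on_prem_cidr}")
    if not nacl_allows(acl, False, on_prem_cidr, "6", port):
        findings.append(f"NACL {acl['NetworkAclId']}: inbound tcp/{port} from {on_prem_cidr} is denied")
    # Stateless: the reply leaves on an ephemeral source port, so the egress
    # side must allow that range. Probing both ends catches a missing rule;
    # a rule set with holes in the middle of the range needs a full walk.
    for probe in (1024, 65535):
        if not nacl_allows(acl, True, on_prem_cidr, "6", probe):
            findings.append(f"NACL {acl['NetworkAclId']}: egress to {on_prem_cidr} "
                            f"on ephemeral port {probe} is denied (replies will be dropped)")
            break
    return findings


if __name__ == "__main__":
    for port in (443, 22):
        problems = audit(SAMPLE_SG, SAMPLE_ACL, "192.168.0.0/16", port)
        print(f"tcp/{port}:", "OK" if not problems else "; ".join(problems))
```

Note that the audit treats the on-premises prefix as a whole; in the sample, HTTPS from 192.168.0.0/16 passes, yet a host in 192.168.50.0/24 is still blocked by the lower-numbered deny entry. When a single subnet cannot reach the VPC while its neighbours can, run the check with that subnet's CIDR rather than the aggregate.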

Verify that your Direct Connect private virtual interface is reachable using the ping utility. Be sure that your security groups, network ACLs, and on-premises security controls allow ICMP so that bidirectional connectivity tests using ping can succeed.