How can I set up a Direct Connect public VIF?
Last updated: 2022-01-12
I want to set up an AWS Direct Connect public VIF.
A public VIF uses a public IP address to access all AWS public services, such as Amazon Elastic Compute Cloud (Amazon EC2).
Note: Public VIFs can't be used to access the Internet.
Follow these instructions to set up an AWS Direct Connect public VIF based on your scenario.
IPv4 address allocation and Border Gateway Protocol (BGP) Autonomous System Number (ASN)
- Use a public IPv4 CIDR block that you own.
- If you don't own a public IPv4 block, check with your partner in the AWS Direct Connect Partner Program or your ISP to see if they can provide you with a public IPv4 CIDR. Be sure to include the LOA-CFA authorization form stating that they authorize you to use those public IP prefixes.
- You can also contact AWS Support to request a public IPv4 CIDR. Be sure to provide your use case. Note that AWS can't guarantee approval for all public IPv4 CIDR requests. For more information, see Prerequisites for virtual interfaces.
- Use a public or private BGP ASN for your side of the BGP session. If you use a public ASN, you must own it. If you use a private ASN, it must be in the 1 to 2147483647 range. Autonomous System (AS) prepending doesn't work if you use a private ASN for a public virtual interface.
Note: For IPv6 addresses, AWS automatically allocates you a /125 IPv6 CIDR. You can't specify your own peer IPv6 addresses.
Approving prefixes and BGP ASN over public VIF
Before the public VIF can be used, AWS must approve the following:
- The BGP Autonomous System Number (only if it's a public ASN)
- The public peer IP addresses
- The public prefixes that you plan to advertise over the virtual interface
If you advertise the prefixes before they're approved, you might need to clear the BGP session and re-advertise the prefixes after approval.
For more information, see My Direct Connect public virtual interface is stuck in the "Verifying" state. How can I get it approved?
Advertising prefixes over public VIF
The public IP addresses used for peering and the public IP addresses that you advertise can't overlap with other public IP addresses announced or used in Direct Connect. You can verify ownership of the BGP ASN and IP address prefixes with a WHOIS query, which returns output similar to the following:
AS    | IP        | BGP Prefix   | CC | Registry | Allocated  | AS Name
12345 | 192.0.2.0 | 192.0.2.0/24 | US | arin     | 1991-12-19 | EXAMPLE-02, US
AWS prefixes received on premises over public VIF
AWS Direct Connect applies the following BGP communities to its advertised routes:
- 7224:8100—Routes that originate from the AWS Region where the Direct Connect point of presence is located
- 7224:8200—Routes that originate from the continent where the Direct Connect point of presence is located
- No tag—Global (all public AWS Regions)
Connecting to AWS over public VIF
Be sure that you connect from a prefix that's advertised over the public VIF. You can't connect from a prefix that isn't advertised over the public VIF.
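The following is an added pre-flight check, not part of this article or an AWS tool, for the ownership, overlap and source-prefix rules described in the "Advertising prefixes" and "Connecting to AWS" sections above. It parses a pipe-delimited WHOIS answer in the layout shown above (the record is a constructed sample using the example ASN and documentation prefix), confirms that the ASN you plan to use is the registered origin of each prefix you plan to advertise, flags overlapping prefixes, and checks that a source address lies inside an advertised prefix.

```python
import ipaddress

# Constructed sample in the pipe-delimited layout shown in the article;
# this is not real registry data.
WHOIS_OUTPUT = """\
AS    | IP        | BGP Prefix   | CC | Registry | Allocated  | AS Name
12345 | 192.0.2.0 | 192.0.2.0/24 | US | arin     | 1991-12-19 | EXAMPLE-02, US
"""


def parse_whois(text):
    """Turn the header-plus-rows WHOIS text into a list of dicts keyed by column name."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [col.strip() for col in lines[0].split("|")]
    return [dict(zip(header, (f.strip() for f in row.split("|")))) for row in lines[1:]]


def check_prefix_ownership(records, asn, prefix):
    """True when a WHOIS record originated by `asn` has a BGP prefix that covers `prefix`."""
    want = ipaddress.ip_network(prefix, strict=True)
    for rec in records:
        if rec["AS"] != str(asn):
            continue
        registered = ipaddress.ip_network(rec["BGP Prefix"])
        # subnet_of() raises on mixed address families, so compare versions first.
        if want.version == registered.version and want.subnet_of(registered):
            return True
    return False


def find_overlaps(prefixes):
    """Return each pair of prefixes that overlap; Direct Connect rejects overlapping prefixes."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    return [(str(a), str(b))
            for i, a in enumerate(nets)
            for b in nets[i + 1:]
            if a.version == b.version and a.overlaps(b)]


def source_is_advertised(source_ip, advertised):
    """A host can reach AWS over the VIF only from an address inside an advertised prefix."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip.version == net.version and ip in net
               for net in (ipaddress.ip_network(p) for p in advertised))


if __name__ == "__main__":
    records = parse_whois(WHOIS_OUTPUT)
    print(check_prefix_ownership(records, 12345, "192.0.2.0/25"))      # True
    print(find_overlaps(["192.0.2.0/24", "192.0.2.128/25"]))           # one overlapping pair
    print(source_is_advertised("192.0.2.10", ["192.0.2.0/24"]))        # True
```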