How can I setup a Direct Connect public VIF?

Last updated: 2022-01-12

I want to set up an AWS Direct Connect public VIF.

Short description

A public VIF uses a public IP address to access all AWS public services like Amazon Elastic Compute Cloud (Amazon EC2).

Note: Public VIFs can't be used to access the internet.

Resolution

Follow these instructions to set up an AWS Direct Connect public VIF based on your scenario.

IPv4 address allocation and Border Gateway Protocol (BGP) Autonomous System Number (ASN)

For IPv4 addresses, use one of the following options:

  • Use a public IPv4 CIDR block that you own.
  • If you don't own a public IPv4 block, check with your partner in the AWS Direct Connect Partner Program or your ISP to see if they can provide you with a public IPv4 CIDR. Be sure to include the LOA-CFA authorization form stating that they authorize you to use those public IP prefixes.
  • You can also contact AWS Support to request a public IPv4 CIDR. Be sure to provide your use case. Note that AWS can't guarantee approval for all public IPv4 CIDR requests. For more information, see Prerequisites for virtual interfaces.

You also need a public or private BGP ASN for your side of the BGP session. If you use a public ASN, you must own it. If you use a private ASN, it must be in the 1 to 2147483647 range. Autonomous System (AS) prepending does not work if you use a private ASN for a public virtual interface.

Note: For IPv6 addresses, AWS automatically allocates you a /125 IPv6 CIDR. You can't specify your own peer IPv6 addresses.

Approving prefixes and BGP ASN over public VIF

When you create a public virtual interface, the following information is subject to approval by the Direct Connect team:

  • The BGP Autonomous System Number (only if it's a public ASN)
  • The public peer IP addresses
  • The public prefixes that you plan to advertise over the virtual interface

If you advertise the prefixes before they are approved, you might need to clear the BGP session and re-advertise the prefixes after approval.

For more information, see My Direct Connect public virtual interface is stuck in the "Verifying" state. How can I get it approved?

Advertising prefixes over public VIF

You must advertise at least one public prefix using BGP.

The public IP addresses used for peering and public IP addresses advertised can't overlap with other public IP addresses announced or used in Direct Connect. You can verify ownership of BGP ASN and IP address prefixes using a WHOIS query.

Example output:

AS    | IP        | BGP Prefix   | CC | Registry | Allocated  | AS Name
12345 | 192.0.2.0 | 192.0.2.0/24 | US | arin     | 1991-12-19 | EXAMPLE-02, US

AWS prefixes received on premises over public VIF

Once BGP is established over your public VIF, you should receive all available local and remote AWS Region prefixes. To verify the available prefixes, check the BGP communities on the prefixes received from AWS. For more information, see How can I control the routes advertised and received over the AWS public virtual interface with Direct Connect?

AWS Direct Connect applies the following BGP communities to its advertised routes:

  • 7224:8100—Routes that originate from the AWS Region where the Direct Connect point of presence is located
  • 7224:8200—Routes that originate from the continent where the Direct Connect point of presence is located
  • No tag—Global (all public AWS Regions)
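To make the prerequisites above and the community tags concrete, the following Python check is an added example written for this article (it is not AWS code): it flags peering addresses or advertised prefixes that are not public IPv4 space or that overlap prefixes you already use in Direct Connect, and sorts routes received from AWS by the 7224:8100 and 7224:8200 tags. The reserved-range list and all sample addresses are constructed assumptions.

```python
import ipaddress

# Community tags that AWS applies to routes advertised over a public VIF (from the article).
LOCAL_REGION = "7224:8100"
CONTINENT = "7224:8200"

# Ranges that can never serve as public peering or advertised space (assumed list).
# The RFC 5737 documentation ranges are deliberately not excluded so the article's
# WHOIS example (192.0.2.0/24) can be used as sample input.
_NOT_PUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

def _is_public_v4(net):
    return net.version == 4 and not any(net.overlaps(r) for r in _NOT_PUBLIC)

def check_public_vif(peer_ips, advertised, in_use_elsewhere=()):
    """Return a list of problems with a planned public VIF (empty if none).

    peer_ips: the customer and Amazon peer addresses; advertised: prefixes you
    plan to announce; in_use_elsewhere: public prefixes already announced or
    used on your other Direct Connect VIFs, which the new ones must not overlap.
    """
    problems = []
    nets = [ipaddress.ip_network(p, strict=True) for p in advertised]
    if not nets:
        problems.append("at least one public prefix must be advertised")
    peers = [ipaddress.ip_network(ip) for ip in peer_ips]  # /32 host networks
    for n in nets + peers:
        if not _is_public_v4(n):
            problems.append(f"{n} is not public IPv4 space")
    used = [ipaddress.ip_network(p) for p in in_use_elsewhere]
    for n in nets + peers:
        for u in used:
            if n.overlaps(u):
                problems.append(f"{n} overlaps {u}, already used in Direct Connect")
    return problems

def classify_received_routes(routes):
    """Map each received (prefix, communities) pair to the AWS scope its tag denotes."""
    scope = {}
    for prefix, communities in routes:
        if LOCAL_REGION in communities:
            scope[prefix] = "local-region"
        elif CONTINENT in communities:
            scope[prefix] = "continent"
        else:
            scope[prefix] = "global"
    return scope

if __name__ == "__main__":
    # Constructed sample: peers on a /30 carved from the WHOIS example block.
    print(check_public_vif(["192.0.2.1", "192.0.2.2"], ["192.0.2.0/24"], ["198.51.100.0/24"]))
    print(classify_received_routes([("203.0.113.0/24", {"7224:8100"}), ("198.51.100.0/24", set())]))
```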

Connecting to AWS over public VIF

Direct Connect performs inbound packet filtering to validate that the source of the traffic originated from your advertised prefix.

Be sure that you connect from a prefix that's advertised over the public VIF. You can't connect from a prefix that isn't advertised over the public VIF.