How can I advertise VPC routes over a Direct Connect connection to an on-premises network over BGP?


I want to advertise Virtual Private Cloud (Amazon VPC) routes over an AWS Direct Connect VIF BGP session to an on-premises network.

Short description

The routes that AWS advertises to an on-premises network over a Direct Connect Border Gateway Protocol (BGP) session depend on which of these connection types is in use:

  • Direct Connect private VIF connected to a virtual private gateway (VGW)
  • Direct Connect private VIF connected to a Direct Connect gateway associated with a VGW
  • Direct Connect transit VIF connected to a Direct Connect gateway associated with a transit gateway

Resolution

The on-premises network advertises its routes to AWS either manually through BGP or through redistribution into BGP. The routes that AWS advertises back to on-premises depend on the type of gateway in the path.

Direct Connect private VIF connecting to a VGW

The IPv4/IPv6 CIDRs of the VPC that is associated with the VGW are advertised automatically to the on-premises BGP peer. For example, take a VPC with CIDR 10.55.0.0/16 whose VGW is attached directly to a private VIF. The prefix 10.55.0.0/16 is advertised to on-premises automatically. If additional CIDRs are associated with the VPC, then those prefixes are also advertised to the BGP peer.

Direct Connect Private VIF connected to a Direct Connect gateway associated with VGW

You can have up to 20 VGWs associated with a Direct Connect gateway. All VPC CIDR prefixes are advertised to the on-premises BGP peer, and the allowed prefixes list filters the BGP advertisements from AWS towards that peer.

In this configuration the allowed prefixes list acts as a filter: a VPC CIDR is advertised only if it is the same as, or a subnet of, an entry in the list.

In the following example, VPC-A CIDR 10.77.0.0/16, VPC-B CIDR 10.66.0.0/16, and VPC-C CIDR 192.168.0.0/16 are attached to a Direct Connect gateway.

If the allowed prefixes list allows only 10.0.0.0/8, then the on-premises BGP peer receives the prefixes 10.77.0.0/16 and 10.66.0.0/16. Those prefixes are subnets of the allowed prefix, but the on-premises BGP peer doesn't receive 192.168.0.0/16.

If the allowed prefixes list allows 10.0.0.0/8 and 192.168.5.0/24, then the on-premises BGP peer receives prefixes 10.77.0.0/16 and 10.66.0.0/16. The prefixes are subnets of the allowed prefix list, but the on-premises BGP peer doesn't receive 192.168.0.0/16 because that range doesn't match the allowlist.

Direct Connect transit VIF connecting to a Direct Connect gateway associated with a transit gateway

You can associate one Direct Connect gateway to up to six transit gateways. Hundreds of VPCs can send traffic across the transit gateway and through the Direct Connect connection. The on-premises network must have the routes for all individual VPCs or use a summarized route. Routes that are advertised from the transit gateway towards on-premises with Direct Connect are defined in the allowed prefixes.

In this configuration the allowed prefixes list is not a filter: the prefixes in the list are themselves advertised from the transit gateway to the on-premises Direct Connect peer. You can advertise a route for any IP address, such as 8.8.8.8/32, even though it's not a VPC CIDR connected to the transit gateway.

The allowed prefix list for the transit gateway has a 200 prefix limit combined total for IPv4 and IPv6. In the following example, VPC-A CIDR 10.77.0.0/16, VPC-B CIDR 10.66.0.0/16 and VPC-C 192.168.0.0/16 are attached to a transit gateway that connects to a Direct Connect gateway. If the allowed prefixes list is set to allow 10.0.0.0/8 and 192.168.5.0/24, then you don't receive the three VPC CIDR prefixes on the on-premises network. Instead, you receive the prefixes 10.0.0.0/8 and 192.168.5.0/24 advertised over the BGP.

If the allowed prefixes list is set to allow 10.0.0.0/8 and 192.168.0.0/16, then you receive the prefixes 10.0.0.0/8 and 192.168.0.0/16 advertised over the BGP.

If the allowed prefixes list is set to allow only 0.0.0.0/0, then you receive only the default route 0.0.0.0/0 advertised over the BGP.
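The two behaviours described above, filter semantics for a VGW association and advertise-as-is semantics for a transit gateway association, modelled as an added example that is not part of the original article or of any AWS tooling. The VPC CIDRs and allowed prefixes are the article's own example values; `unbacked_tgw_prefixes` is a hypothetical review check, not an AWS feature.

```python
import ipaddress

# Constructed from the article's examples: three VPCs behind one Direct Connect gateway.
VPC_CIDRS = ["10.77.0.0/16", "10.66.0.0/16", "192.168.0.0/16"]


def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


def advertised_via_vgw(vpc_cidrs, allowed_prefixes):
    """VGW association: the allowed prefixes list is a filter. A VPC CIDR is
    advertised to the on-premises peer only if it equals or is a subnet of an
    allowed prefix; the allowed prefixes themselves are never advertised."""
    allowed = _nets(allowed_prefixes)
    return [str(v) for v in _nets(vpc_cidrs)
            if any(v.version == a.version and v.subnet_of(a) for a in allowed)]


def advertised_via_tgw(vpc_cidrs, allowed_prefixes):
    """Transit gateway association: the allowed prefixes are advertised as
    given, whether or not they correspond to any attached VPC CIDR
    (vpc_cidrs is accepted only so both functions share a signature)."""
    return [str(a) for a in _nets(allowed_prefixes)]


def unbacked_tgw_prefixes(vpc_cidrs, allowed_prefixes):
    """Hypothetical review check (not an AWS feature): flag allowed prefixes
    that overlap no attached VPC CIDR, plus any default route, because in
    transit gateway mode they are advertised anyway and would draw
    on-premises traffic for addresses that live in no VPC."""
    vpcs = _nets(vpc_cidrs)
    flagged = []
    for a in _nets(allowed_prefixes):
        covers_vpc = any(v.version == a.version and v.overlaps(a) for v in vpcs)
        if a.prefixlen == 0 or not covers_vpc:
            flagged.append(str(a))
    return flagged


if __name__ == "__main__":
    allowed = ["10.0.0.0/8", "192.168.5.0/24"]
    print("VGW mode advertises:", advertised_via_vgw(VPC_CIDRS, allowed))
    print("TGW mode advertises:", advertised_via_tgw(VPC_CIDRS, allowed))
    print("Review flags:", unbacked_tgw_prefixes(VPC_CIDRS, allowed + ["8.8.8.8/32", "0.0.0.0/0"]))
```

Run it to see that the same allowed prefixes list yields 10.77.0.0/16 and 10.66.0.0/16 in VGW mode but 10.0.0.0/8 and 192.168.5.0/24 in transit gateway mode, exactly as the article's examples state.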

Changes to the allowed prefixes on a VGW or transit gateway association with a Direct Connect gateway update the advertised routes. They don't bring down the BGP session.

Note: Changes made to the allowed prefixes list can take several minutes to propagate.

Related information

Allowed prefixes interactions

Direct Connect quotas

AWS OFFICIAL (updated a year ago)