I want to set up an Active/Active or Active/Passive AWS Direct Connect connection to AWS services from a public virtual interface.
Short description
When you configure public virtual interfaces, use a public or private Autonomous System Number (ASN) for your on-premises peer router for the new virtual interface. The valid values are from 1 to 2,147,483,647.
According to the Internet Assigned Numbers Authority (IANA), ASNs 64,512 to 65,534 are available for 2-byte private use. ASNs 4,200,000,000 to 4,294,967,294 are available for 4-byte private use.
Note: If you use a private ASN, then AS_PATH prepending doesn't work on a public virtual interface, so you can't use AS path length to prefer one connection over another. Active/Active still works with a private ASN if you advertise identical prefixes with identical attributes on every connection, and Active/Passive works with more specific prefixes, as described in the Resolution.
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
Configure an Active/Active connection
Important:
- To load share across multiple public virtual interfaces, all the virtual interfaces must be in the same Direct Connect location.
- When redundant Direct Connect connections terminate on different routers in your data center, you can configure multipathing across multiple virtual interfaces within the same location. If you use two Direct Connect connections with two virtual interfaces, then the two connections must terminate on different AWS devices, and both must be in the same location or point of presence (POP). To find the location and AWS device ID of each connection, run the describe-connections AWS CLI command or call the DescribeConnections API.
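The following added example (not from this page or from AWS) checks that prerequisite against describe-connections output before you try to multipath two connections: same location, different AWS device, and both in the available state. The JSON is a constructed sample in the shape of `aws directconnect describe-connections` output; the connection IDs, location codes and awsDeviceV2 values are made up.

```python
"""Check that two Direct Connect connections can be multipathed on public VIFs:
same location (POP), different AWS devices, and both available.

Added example, not from the AWS page. The JSON below is a constructed sample
in the shape of `aws directconnect describe-connections` output."""
import json

SAMPLE_DESCRIBE_CONNECTIONS = json.dumps({"connections": [
    {"connectionId": "dxcon-aaaa1111", "connectionName": "dx-primary",
     "connectionState": "available", "location": "EqDC2",
     "awsDeviceV2": "EqDC2-device-A"},
    {"connectionId": "dxcon-bbbb2222", "connectionName": "dx-secondary",
     "connectionState": "available", "location": "EqDC2",
     "awsDeviceV2": "EqDC2-device-B"},
    {"connectionId": "dxcon-cccc3333", "connectionName": "dx-other-pop",
     "connectionState": "available", "location": "CSVA1",
     "awsDeviceV2": "CSVA1-device-C"},
    {"connectionId": "dxcon-dddd4444", "connectionName": "dx-same-device",
     "connectionState": "down", "location": "EqDC2",
     "awsDeviceV2": "EqDC2-device-A"},
]})


def multipath_prereq(describe_json, connection_ids):
    """Return (ok, reasons). ok is True only when every connection in
    connection_ids exists, is 'available', shares one location, and sits on
    its own AWS device. reasons lists each failed check."""
    conns = {c["connectionId"]: c
             for c in json.loads(describe_json)["connections"]}
    missing = [cid for cid in connection_ids if cid not in conns]
    if missing:
        return False, [f"unknown connection(s): {', '.join(missing)}"]
    selected = [conns[cid] for cid in connection_ids]
    reasons = []

    not_available = [c["connectionId"] for c in selected
                     if c["connectionState"] != "available"]
    if not_available:
        reasons.append(f"not available: {', '.join(not_available)}")

    # Multipathing requires the same Direct Connect location/POP.
    locations = sorted({c["location"] for c in selected})
    if len(locations) != 1:
        reasons.append(f"different locations: {', '.join(locations)}")

    # ...and different AWS devices. awsDeviceV2 is the current field name;
    # fall back to the older awsDevice if that is all the output carries.
    devices = [c.get("awsDeviceV2") or c.get("awsDevice") for c in selected]
    dupes = sorted({d for d in devices if devices.count(d) > 1})
    if dupes:
        reasons.append(f"same AWS device: {', '.join(dupes)}")

    return not reasons, reasons


if __name__ == "__main__":
    for pair in (["dxcon-aaaa1111", "dxcon-bbbb2222"],
                 ["dxcon-aaaa1111", "dxcon-cccc3333"],
                 ["dxcon-aaaa1111", "dxcon-dddd4444"]):
        print(pair, multipath_prereq(SAMPLE_DESCRIBE_CONNECTIONS, pair))
```

To run the check against your own account, capture the real output with `aws directconnect describe-connections --output json` and pass that string in place of the sample.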
Private ASN
To use a private ASN to configure an Active/Active connection, take the following actions:
- From the customer gateway, advertise the same prefixes across all Direct Connect connections with the same Border Gateway Protocol (BGP) attributes. The prefixes can be public IP addresses or a public network that you own.
- Check the vendor documentation for device-specific commands for your customer gateway device.
Public ASN
To use a public ASN to configure an Active/Active connection, take the following actions:
- From the customer gateway, advertise the same prefixes across all Direct Connect connections with the same BGP attributes. The prefixes can be public IP addresses or a public network that you own.
- Use the same AS path length across all Direct Connect connections, so that AWS sees equal-cost paths. If the prefixes are all the same, then it's a best practice to advertise them with the shortest AS path and not prepend on any connection.
- Check the vendor documentation for device-specific commands for your customer gateway device.
Configure an Active/Passive connection
Private ASN
If you use a private ASN, then you can't use AS_PATH prepending to configure an Active/Passive connection. Instead, advertise more specific prefixes over the connection that you want to be active. Because BGP prefers the longest matching prefix, AWS then prefers that connection over the others.
To use a private ASN to configure an Active/Passive connection, take the following actions:
- Configure your customer gateway to advertise the more specific (longer) prefixes on the primary connection and the summary prefix on the secondary connection. For example, if you own prefix X.X.X.0/24, advertise the two prefixes X.X.X.0/25 and X.X.X.128/25 on the primary connection and advertise X.X.X.0/24 on the secondary connection.
- While both interfaces are UP, make sure that the longer prefixes are advertised only on the primary connection, so that the primary connection is the longest match for all traffic. If the primary connection fails, its /25 prefixes are withdrawn and traffic falls back to the /24 on the secondary connection.
Public ASN
To use a public ASN to configure an Active/Passive connection, take the following actions:
- Advertise the same prefixes on all connections, and give the connection that you want as primary the shortest AS path. When the prefixes are the same, AWS prefers the path with the shorter AS_PATH, so prepend only on the secondary connections.
Note: AS_PATH prepending also works when public virtual interfaces are in different AWS Regions.
- To send traffic from AWS to your on-premises network, advertise the on-premises public prefixes with additional AS_PATH prepends in the BGP attributes on the secondary connection. For example, if your customer gateway uses ASN 123, advertise the prefix with AS_PATH 123 on the primary connection and with AS_PATH 123 123 123 123 (prepended three times) on the secondary connection. AWS then sends traffic to the on-premises prefixes over the connection that has the shorter AS_PATH.
- To send traffic from your on-premises network to AWS, identify the connection that you plan to use as the primary connection. Then, on your router, set a higher local preference (local-pref) on the routes learned over that connection so that the on-premises router always chooses that path to send traffic to AWS. BGP prefers the path with the higher local-pref value; the default local-pref value is 100. For more information, see Public virtual interface routing policies.
Note: The primary connection is the preferred path. When the primary connection or its BGP session fails, its routes are withdrawn and traffic shifts to the secondary connection as the backup path.
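The path choices that the Active/Passive designs above depend on (longest prefix match for the private-ASN design, shorter AS_PATH and higher local-pref for the public-ASN design) can be checked with the small model below. It is an added example, not AWS code and not the behaviour of any real router: it implements only those three BGP selection steps, in that order, and models this page's rule that prepends from a private ASN are not honored on a public virtual interface. It also covers the Active/Active case, where identical prefixes with identical attributes tie and both connections are used. The ASNs (65000, 123, and 7224 as a placeholder for the AWS side), the RFC 5737 prefixes standing in for X.X.X.0/24, and the connection names are all constructed.

```python
"""Model of the BGP path selection that this page's Active/Passive and
Active/Active designs rely on. Added example, not AWS code. Selection order
modelled: longest prefix match, higher local preference, shorter AS_PATH,
with AS_PATH prepending from a private ASN ignored (per this page)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str            # advertised prefix, e.g. "203.0.113.0/25"
    via: str               # Direct Connect connection the route was learned on
    as_path: tuple         # AS_PATH as received, origin ASN last
    local_pref: int = 100  # BGP default local preference


def is_private_asn(asn):
    """IANA private ranges: 64512-65534 (2-byte), 4200000000-4294967294 (4-byte)."""
    return 64512 <= asn <= 65534 or 4200000000 <= asn <= 4294967294


def effective_as_path_len(route):
    """Prepends from a private ASN aren't honored on a public VIF, so a
    private-origin path is treated as if it were just the origin ASN."""
    if route.as_path and is_private_asn(route.as_path[-1]):
        return 1
    return len(route.as_path)


def best_paths(routes, dst):
    """Return the sorted connection name(s) that carry traffic to dst.
    Two names means equal-cost paths, i.e. Active/Active."""
    dst_ip = ipaddress.ip_address(dst)
    cands = [r for r in routes if dst_ip in ipaddress.ip_network(r.prefix)]
    if not cands:
        return []
    # 1. Longest prefix match wins regardless of any other attribute.
    longest = max(ipaddress.ip_network(r.prefix).prefixlen for r in cands)
    cands = [r for r in cands
             if ipaddress.ip_network(r.prefix).prefixlen == longest]
    # 2. Higher local preference (set on the on-premises router).
    top_lp = max(r.local_pref for r in cands)
    cands = [r for r in cands if r.local_pref == top_lp]
    # 3. Shorter AS_PATH.
    shortest = min(effective_as_path_len(r) for r in cands)
    return sorted({r.via for r in cands if effective_as_path_len(r) == shortest})


def withdraw(routes, connection):
    """Simulate a connection (or its BGP session) going down: its routes vanish."""
    return [r for r in routes if r.via != connection]


ON_PREM = "203.0.113.200"  # a host inside the on-premises prefix X.X.X.0/24


def private_asn_more_specific():
    """Active/Passive, private ASN: /25s on primary, summary /24 on secondary."""
    routes = [Route("203.0.113.0/25", "primary", (65000,)),
              Route("203.0.113.128/25", "primary", (65000,)),
              Route("203.0.113.0/24", "secondary", (65000,))]
    return best_paths(routes, ON_PREM), best_paths(withdraw(routes, "primary"), ON_PREM)


def private_asn_prepend_does_not_work():
    """Why prepending alone fails with a private ASN: both paths tie."""
    routes = [Route("203.0.113.0/24", "primary", (65000,)),
              Route("203.0.113.0/24", "secondary", (65000, 65000, 65000, 65000))]
    return best_paths(routes, ON_PREM)


def public_asn_prepend():
    """Active/Passive, public ASN 123: AS_PATH 123 on primary, 123 123 123 123 on secondary."""
    routes = [Route("203.0.113.0/24", "primary", (123,)),
              Route("203.0.113.0/24", "secondary", (123, 123, 123, 123))]
    return best_paths(routes, ON_PREM), best_paths(withdraw(routes, "primary"), ON_PREM)


def on_prem_local_pref():
    """On-premises side: the same AWS prefix learned on both VIFs, local-pref 200 on primary."""
    aws_host = "198.51.100.10"  # constructed stand-in for an AWS-advertised prefix
    routes = [Route("198.51.100.0/24", "primary", (7224,), local_pref=200),
              Route("198.51.100.0/24", "secondary", (7224,), local_pref=100)]
    return best_paths(routes, aws_host), best_paths(withdraw(routes, "primary"), aws_host)


def active_active():
    """Same prefix, same attributes on both connections: equal-cost paths."""
    routes = [Route("203.0.113.0/24", "primary", (123,)),
              Route("203.0.113.0/24", "secondary", (123,))]
    return best_paths(routes, ON_PREM)


if __name__ == "__main__":
    for fn in (private_asn_more_specific, private_asn_prepend_does_not_work,
               public_asn_prepend, on_prem_local_pref, active_active):
        print(f"{fn.__name__}: {fn()}")
```

Each scenario returns the chosen connection(s) with both links up and, where it matters, again after the primary is withdrawn, so the failover behaviour of each design can be compared directly. The private_asn_prepend_does_not_work case is the failure mode the private-ASN section warns about: with prepends ignored, both connections tie and you get unintended Active/Active instead of Active/Passive.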
Related information
AWS Direct Connect virtual interfaces and hosted virtual interfaces
Configure redundant connections
Which type of Direct Connect virtual interface should I use to connect different AWS resources?
Active/Active with Public VIF diagram