I want to set up an AWS Direct Connect public virtual interface (VIF).
Short description
A public VIF uses a public IP address to access all AWS public services, such as Amazon Elastic Compute Cloud (Amazon EC2).
Note: You can't access the internet with public VIFs.
Resolution
Allocate IPv4 address and BGP ASN
For IPv4 addresses, use one of the following options:
- Use a public IPv4 Classless Inter-Domain Routing (CIDR) block that you own.
- If you don't own a public IPv4 CIDR block, then check with your AWS Direct Connect Delivery Partner or Internet Service Provider (ISP). Be sure to include the LOA-CFA that states that you're authorized to use those public IP address prefixes.
- To request a public IPv4 CIDR block, contact AWS Support with your use case. AWS can't guarantee approval for all public IPv4 CIDR requests. For more information, see Prerequisites for virtual interfaces.
For the BGP session, use a public or private Border Gateway Protocol (BGP) Autonomous System Number (ASN) for your side of the session. If you use a public ASN, then you must own it and the ASN must be in the range 1-2147483647, excluding the private ASN range of 64512-65534. If you use a private ASN, then the ASN must be in the range 64512-65534. If you use a private ASN for a public VIF, then Autonomous System (AS) prepending doesn't work.
Note: For IPv6 addresses, AWS automatically allocates you a /125 IPv6 CIDR. You can't specify your own peer IPv6 addresses.
Approve prefixes and BGP ASN
When you create a public VIF, the Direct Connect team must approve the following information:
- The BGP ASN (only for public ASNs)
- The public peer IP addresses
- The public prefixes that you plan to advertise over the VIF
If you advertise the prefixes before the Direct Connect team's approval, then you must clear the BGP session and re-advertise the prefixes after approval.
For more information, see My Direct Connect public virtual interface is stuck in the "Verifying" state. How can I get it approved?
Advertise prefixes
You must use BGP to advertise at least one public prefix.
The public IP addresses that you use for peering and the public prefixes that you advertise can't overlap with other public IP addresses that are already announced or used in Direct Connect. To verify ownership of the BGP ASN and the IP address prefixes, use a WHOIS query.
Example output:
AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name
12345 | 192.0.2.0 | 192.0.2.0/24 | US | arin | 1991-12-19 | EXAMPLE-02, US
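The ASN rules in the Allocate section and the overlap rule above are easy to check before you submit the VIF request. The following Python is an added example written for this page, not AWS tooling: it classifies the customer-side ASN exactly as the article states the ranges, and flags peering addresses or advertised prefixes that are non-public or that overlap with prefixes already in use. The in-use prefix list is a constructed sample that stands in for your own records, and the documentation ranges (192.0.2.0/24, 198.51.100.0/24) stand in for customer-owned public space.

```python
import ipaddress

# ASN ranges as stated in the article.
PUBLIC_ASN_RANGE = (1, 2147483647)
PRIVATE_ASN_RANGE = (64512, 65534)

# Well-known ranges that are never usable as public address space. The
# documentation ranges (192.0.2.0/24 etc.) are intentionally not listed so
# they can stand in for customer-owned public space in the samples below.
NON_PUBLIC_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
)]


def classify_asn(asn: int) -> dict:
    """Classify the customer-side BGP ASN for a public VIF.

    Private ASNs are valid, but the article notes that AS prepending does
    not work with them, so the result records that as well.
    """
    if PRIVATE_ASN_RANGE[0] <= asn <= PRIVATE_ASN_RANGE[1]:
        return {"type": "private", "valid": True, "as_prepending": False}
    if PUBLIC_ASN_RANGE[0] <= asn <= PUBLIC_ASN_RANGE[1]:
        return {"type": "public", "valid": True, "as_prepending": True}
    return {"type": "invalid", "valid": False, "as_prepending": False}


def is_public_v4(addr_or_prefix: str) -> bool:
    """True if the address or prefix lies outside the well-known non-public ranges."""
    net = ipaddress.ip_network(addr_or_prefix, strict=False)
    return not any(net.overlaps(reserved) for reserved in NON_PUBLIC_V4)


def check_vif_request(peer_ips, advertised_prefixes, in_use_prefixes) -> list:
    """Return a list of problems with the proposed peering IPs and prefixes.

    peer_ips:            the peering addresses on both ends of the BGP session
    advertised_prefixes: public prefixes you plan to announce over the VIF
    in_use_prefixes:     public prefixes already announced or used in Direct
                         Connect (a constructed sample in the tests below)
    """
    problems = []
    # strict=True (the default) raises ValueError on host bits, which catches
    # typos such as 192.0.2.1/24 before the request is submitted.
    in_use = [ipaddress.ip_network(p) for p in in_use_prefixes]

    for ip in peer_ips:
        if not is_public_v4(ip):
            problems.append(f"peer IP {ip} is not a public address")
        for used in in_use:
            if ipaddress.ip_address(ip) in used:
                problems.append(f"peer IP {ip} falls inside {used}, already used in Direct Connect")

    for prefix in advertised_prefixes:
        net = ipaddress.ip_network(prefix)
        if not is_public_v4(prefix):
            problems.append(f"advertised prefix {net} is not public")
        for used in in_use:
            if net.overlaps(used):
                problems.append(f"advertised prefix {net} overlaps {used}, already announced in Direct Connect")

    return problems


if __name__ == "__main__":
    print(classify_asn(65000))
    # Constructed sample request: peering /30 inside the prefix being advertised.
    for problem in check_vif_request(["10.0.0.1", "10.0.0.2"], ["192.0.2.0/24"], ["192.0.2.0/25"]):
        print("PROBLEM:", problem)
```

Peering addresses that fall inside your own advertised prefix are not reported, because the article only rules out overlap with addresses that are already announced or used elsewhere in Direct Connect.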
Receive AWS prefixes on premises
When the BGP session is established over your public VIF, you receive all available prefixes for the local and remote AWS Regions. To verify the scope of the prefixes that you receive from AWS, check the BGP communities attached to them.
Direct Connect applies the following BGP communities to its advertised routes:
- 7224:8100 — Routes that originate from the Region where the Direct Connect point of presence is located
- 7224:8200 — Routes that originate from the continent where the Direct Connect point of presence is located
- No tag — Global (all public Regions)
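The three community values above are enough to sort the received routes by scope. The following Python is an added example for this page, not an AWS tool: it parses a constructed dump of received prefixes with their communities, classifies each as Region-local, continent-local, or global according to the tags listed above, and selects the prefixes for a given scope so they can feed an inbound route filter. The sample routes use documentation ranges and are not real AWS prefixes.

```python
import ipaddress

# BGP communities that Direct Connect applies to the routes it advertises.
LOCAL_REGION = "7224:8100"
LOCAL_CONTINENT = "7224:8200"

# Constructed sample in the shape "<prefix> <community> <community> ...".
# These are documentation ranges, not real AWS prefixes.
SAMPLE_RIB = """
# prefix            communities
198.51.100.0/24     7224:8100
198.51.100.0/25     7224:8100
203.0.113.0/24      7224:8200
192.0.2.0/24
192.0.2.128/25      65000:100
"""


def route_scope(communities) -> str:
    """Map a route's communities to its scope.

    A Region-local route is the most specific case, so 7224:8100 wins even
    if other communities are present. Any route without a 7224:* tag is
    global (all public Regions), including routes that only carry
    unrelated communities.
    """
    comms = set(communities)
    if LOCAL_REGION in comms:
        return "region"
    if LOCAL_CONTINENT in comms:
        return "continent"
    return "global"


def parse_route_lines(text: str) -> list:
    """Parse the constructed dump format into (network, [communities]) pairs."""
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        routes.append((ipaddress.ip_network(fields[0]), fields[1:]))
    return routes


def select_prefixes(routes, scopes) -> list:
    """Return the prefixes whose scope is in `scopes`, in received order."""
    return [str(net) for net, comms in routes if route_scope(comms) in scopes]


def summarize(routes) -> dict:
    """Count received routes per scope; a quick sanity check after BGP comes up."""
    counts = {"region": 0, "continent": 0, "global": 0}
    for _, comms in routes:
        counts[route_scope(comms)] += 1
    return counts


if __name__ == "__main__":
    received = parse_route_lines(SAMPLE_RIB)
    print(summarize(received))
    print("Region-local prefixes:", select_prefixes(received, {"region"}))
```

If you only want the local Region's routes over this VIF, feed the output of select_prefixes(received, {"region"}) into your router's prefix list; the summary counts make it obvious when AWS has stopped tagging or you have started dropping a whole scope.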
Connect to AWS
Direct Connect performs inbound packet filtering to validate that the source of the traffic originated from one of your advertised prefixes.
You can connect to AWS public services only from addresses within a prefix that you advertise over the public VIF.
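Because of that source filtering, it is worth checking before cutover that every on-premises subnet that needs AWS public services sits entirely inside an advertised prefix. The following Python is an added example for this page, not AWS code: it reports each client subnet as fully covered, partially covered (the edge case where a subnet is larger than the prefix you advertise, so only part of it can reach AWS), or uncovered, and it checks an individual source address the way the inbound filter would. The subnets and prefixes are constructed samples using documentation ranges.

```python
import ipaddress


def would_pass_filter(source_ip: str, advertised_prefixes) -> bool:
    """True if traffic from source_ip is within one of the advertised prefixes.

    This models the article's statement that Direct Connect drops inbound
    packets whose source is outside the prefixes you advertise over the VIF.
    """
    src = ipaddress.ip_address(source_ip)
    return any(src in ipaddress.ip_network(p) for p in advertised_prefixes)


def coverage_report(client_subnets, advertised_prefixes) -> dict:
    """Classify on-premises subnets against the advertised prefixes.

    covered:   every address in the subnet passes the source filter
    partial:   only some addresses pass (subnet larger than, or straddling,
               the advertised prefix)
    uncovered: nothing in the subnet can reach AWS over this VIF
    """
    advertised = [ipaddress.ip_network(p) for p in advertised_prefixes]
    report = {"covered": [], "partial": [], "uncovered": []}
    for subnet in client_subnets:
        net = ipaddress.ip_network(subnet)
        if any(net.subnet_of(adv) for adv in advertised):
            report["covered"].append(str(net))
        elif any(net.overlaps(adv) for adv in advertised):
            report["partial"].append(str(net))
        else:
            report["uncovered"].append(str(net))
    return report


if __name__ == "__main__":
    # Constructed sample: one advertised /24, three client subnets.
    advertised = ["192.0.2.0/24"]
    print(coverage_report(["192.0.2.0/25", "192.0.2.0/23", "10.1.0.0/16"], advertised))
    print(would_pass_filter("192.0.2.77", advertised), would_pass_filter("10.1.2.3", advertised))
```

Subnets listed under "partial" are the ones that produce intermittent failures after cutover, since only the hosts inside the advertised portion reach AWS; fix them by adjusting the prefix you advertise or the addresses those hosts use, and re-run the report until "partial" and "uncovered" are empty.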
Related information
How do I connect my private network to AWS public services using an AWS Direct Connect public VIF?
Create an AWS Direct Connect public virtual interface