How can I set up a Direct Connect public VIF?

4 minute read

I want to set up a AWS Direct Connect public VIF.

Short description

A public VIF uses a public IP address to access all AWS public services such as Amazon Elastic Compute Cloud (Amazon EC2).

Note: Public VIFs can't be used to access the Internet.


Follow these instructions to set up a AWS Direct Connect public VIF based on your scenario.

IPv4 address allocation and addressing and Border Gateway Protocol (BGP) Autonomous System Number (ASN)

For IPv4 addresses, use one of the following options:

  • Use a public IPv4 CIDR block that you own.
  • If you don't own a public IPv4 block, then check with your partner in the AWS Direct Connect Partner Program or ISP to see if they can provide you with a public IPv4 CIDR. Be sure to include the LOA-CFA authorization form stating that they authorize you to use those public IP prefixes.
  • You can also contact AWS Support to request a public IPv4 CIDR. Be sure to provide your use case. Note that AWS can't guarantee approval for all public IPv4 CIDR requests. For more information, see Prerequisites for virtual interfaces.
  • A public or private BGP ASN for your side of the BGP session. If you are using a public ASN, you must own it. If you are using a private ASN, it must be in the 1 to 2147483647 range. Autonomous System (AS) prepending does not work if you use a private ASN for a public virtual interface.

Note: For IPv6 addresses, AWS automatically allocates you a /125 IPv6 CIDR. You can't specify your own peer IPv6 addresses.

Approving prefixes and BGP ASN over public VIF

When you create a public virtual interface, the following information is subject to approval by the Direct Connect team:

  • The BGP Autonomous System Number (only if it's a public ASN)
  • The Public peer IP addresses
  • The Public prefixes that you plan to advertise over the virtual interface

If you advertised the prefixes before they are approved, you might need to clear the BGP session and then re-advertise the prefixes after approval.

For more information, see My Direct Connect public virtual interface is stuck in the "Verifying" state. How can I get it approved?

Advertising prefixes over public VIF

You must advertise at least one public prefix using BGP.

The public IP addresses used for peering and public IP addresses advertised can't overlap with other public IP addresses announced or used in Direct Connect. You can verify ownership of BGP ASN and IP address prefixes using a WHOIS query.

Example output:

AS    | IP        | BGP Prefix   | CC | Registry | Allocated  | AS Name
12345 | | | US | arin     | 1991-12-19 | EXAMPLE-02, US

AWS prefixes received on premises over public VIF

After BGP is established over your public VIF, you receive all available local and remote AWS Region prefixes. To verify the available prefixes, check that the BGP communities on the prefixes received from AWS. For more information, see How can I control the routes advertised and received over the AWS public virtual interface with Direct Connect?

AWS Direct Connect applies the following BGP communities to its advertised routes:

  • 7224:8100—Routes that originate from the AWS Region where the Direct Connect point of presence is located
  • 7224:8200—Routes that originate from the continent where the Direct Connect point of presence is located
  • No tag—Global (all public AWS Regions)

Connecting to AWS over public VIF

Direct Connect performs inbound packet filtering to validate that the source of the traffic originated from your advertised prefix.

Be sure that you connect from a prefix that's advertising to a public VIF. You can't connect from a prefix that isn't advertised to a public VIF.

Related information

How do I connect my private network to AWS public services using an AWS Direct Connect public VIF?

AWS OFFICIALUpdated 2 years ago