AWS Virtual Interfaces: Private, Public and Transit

Last Updated : 11-Oct-2020

You must create one of the following virtual interfaces to begin using your AWS Direct Connect connection.

  • Private virtual interface: Access an Amazon VPC using private IP addresses.
  • Public virtual interface: Access AWS services from your on-premises data center. Allow AWS services or AWS customers to access your public networks over the interface instead of traversing the internet.
  • Transit virtual interface: Access one or more Amazon VPC Transit Gateways associated with Direct Connect gateways. You can use transit virtual interfaces with 1/2/5/10 Gbps AWS Direct Connect connections.

Public Virtual Interface

To connect to AWS resources that are reachable by a public IP address (such as an Amazon Simple Storage Service bucket) or AWS public endpoints, use a public virtual interface. With a public virtual interface, you can:

  • Connect to all AWS public IP addresses globally.
  • Create public virtual interfaces in any DX location to receive Amazon’s global IP routes.
  • Access publicly routable Amazon services in any AWS Region (except the AWS China Region).

Private Virtual Interface

To connect to your resources hosted in an Amazon Virtual Private Cloud (Amazon VPC) using their private IP addresses, use a private virtual interface. With a private virtual interface, you can:

  • Connect VPC resources (such as Amazon Elastic Compute Cloud (Amazon EC2) instances or load balancers) on your private IP address or endpoint.
  • Connect a private virtual interface to a DX gateway. Then, associate the DX gateway with one or more virtual private gateways in any AWS Region (except the AWS China Region).
  • Connect to multiple VPCs in any AWS Region (except the AWS China Region) by associating the DX gateway with several virtual private gateways, because each virtual private gateway is associated with a single VPC.

Note: For a private virtual interface, AWS advertises the VPC CIDR only over the Border Gateway Protocol (BGP) neighbor. AWS can’t advertise or suppress specific subnet blocks in the VPC for a private virtual interface.

Transit Virtual Interface

To connect to your resources hosted in an Amazon VPC (using their private IP addresses) through a transit gateway, use a transit virtual interface. With a transit virtual interface, you can:

  • Connect multiple VPCs in the same or different AWS account using DX.
  • Associate up to three transit gateways in the same AWS Region when you use a transit virtual interface to connect to a DX gateway.
  • Attach VPCs in the same AWS Region to the transit gateway. Then, access multiple VPCs in different AWS accounts in the same AWS Region using a transit virtual interface.

Note: For a transit virtual interface, AWS advertises only the routes that you specify in the allowed prefixes list on the DX gateway. For a list of all AWS Regions that offer DX support for AWS Transit Gateway, see AWS Transit Gateway Support under the Direct Connect FAQs.

Pre-requisites

To create a virtual interface, you need the following information:

  • Connection: The AWS Direct Connect connection or link aggregation group (LAG) for which you are creating the virtual interface.
  • Virtual Interface Name
  • Virtual interface owner account ID
  • VLAN: A virtual local area network (VLAN) tag that is not already in use on your connection. The value must be between 1 and 4094.
  • Address Family: IPv4 or IPv6
  • Peer IP addresses: A virtual interface can support a BGP peering session for IPv4, IPv6, or one of each (dual-stack). You cannot create multiple BGP sessions for the same IP addressing family on the same virtual interface. The IP address ranges are assigned to each end of the virtual interface for the BGP peering session. An Autonomous System Number can be used to specify the BGP routing address range.
  • BGP information: ASN, and an optional MD5 BGP authentication key

Private Virtual Interface Prerequisites

  • A connection to either the virtual private gateway (VGW) of the VPC or a Direct Connect gateway
  • Jumbo Frames: The maximum transmission unit (MTU) of packets over AWS Direct Connect. The default is 1500. Setting the MTU of a virtual interface to 9001 (jumbo frames) can cause an update to the underlying physical connection if it wasn’t updated to support jumbo frames. Updating the connection disrupts network connectivity for all virtual interfaces associated with the connection for up to 30 seconds. Jumbo frames apply only to propagated routes from AWS Direct Connect. If you add static routes to a route table that point to your virtual private gateway, then traffic routed through the static routes is sent using 1500 MTU.

Public Virtual Interface Prerequisites

  • Prefixes you want to advertise: public IPv4 routes or IPv6 routes to advertise over BGP. You must advertise at least one prefix using BGP, up to a maximum of 1,000 prefixes.

Transit Virtual Interface Prerequisites

  • Jumbo Frames: The maximum transmission unit (MTU) of packets over AWS Direct Connect. The default is 1500. Setting the MTU of a virtual interface to 8500 (jumbo frames) can cause an update to the underlying physical connection, in the same way as described above for private virtual interfaces.
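As an added example (not the post's or AWS's own code), the following Python check applies the prerequisite rules listed above to a proposed virtual interface before anyone submits it: VLAN range, one BGP session per address family, the 1500/9001/8500 MTU values per interface type, the 1 to 1,000 prefix limit for a public interface, and a gateway for a private interface. The spec class, its field names and the warning for a missing MD5 key are assumptions of this example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import List, Optional

# MTU per VIF type from the page: 1500 default; jumbo is 9001 (private) or 8500 (transit).
ALLOWED_MTU = {"private": {1500, 9001}, "transit": {1500, 8500}, "public": {1500}}
MAX_PUBLIC_PREFIXES = 1000

@dataclass
class VirtualInterfaceSpec:  # assumed structure, not an AWS API shape
    vif_type: str                # "private", "public" or "transit"
    name: str
    vlan: int                    # 802.1Q tag; must be unused on the connection
    asn: int                     # customer-side BGP ASN
    peers: List[str]             # address families with a BGP session: "ipv4"/"ipv6"
    mtu: int = 1500
    auth_key: Optional[str] = None           # optional MD5 BGP authentication key
    prefixes: List[str] = field(default_factory=list)  # public VIF advertisements
    gateway_id: Optional[str] = None         # VGW or DX gateway for private VIFs

def validate_vif(spec: VirtualInterfaceSpec) -> List[str]:
    """Return hard errors plus 'warning:'-prefixed advice for the given spec."""
    if spec.vif_type not in ALLOWED_MTU:
        return [f"unknown virtual interface type {spec.vif_type!r}"]
    problems: List[str] = []
    if not 1 <= spec.vlan <= 4094:
        problems.append(f"VLAN {spec.vlan} is outside 1-4094")
    # One BGP session per address family; "ipv4" plus "ipv6" is dual-stack.
    families = set(spec.peers)
    if len(spec.peers) != len(families) or not families <= {"ipv4", "ipv6"}:
        problems.append("peers must be one ipv4 and/or one ipv6 BGP session")
    if spec.mtu not in ALLOWED_MTU[spec.vif_type]:
        problems.append(f"MTU {spec.mtu} is not valid for a {spec.vif_type} VIF")
    if spec.vif_type == "public":
        if not 1 <= len(spec.prefixes) <= MAX_PUBLIC_PREFIXES:
            problems.append("a public VIF must advertise 1 to 1000 prefixes")
        for prefix in spec.prefixes:
            try:  # each advertised prefix needs a BGP session of its own family
                version = f"ipv{ip_network(prefix, strict=True).version}"
            except ValueError:
                version = "invalid"
            if version not in families:
                problems.append(f"{prefix}: not a valid prefix with a matching BGP session")
    if spec.vif_type == "private" and not spec.gateway_id:
        problems.append("a private VIF needs a virtual private gateway or DX gateway")
    # The MD5 key is optional, but an unauthenticated BGP session is worth flagging.
    if not spec.auth_key:
        problems.append("warning: no MD5 BGP authentication key configured")
    return problems
```

A spec is ready to submit when `validate_vif` returns nothing but `warning:` entries; treat the MD5 warning as a review item rather than a blocker.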