How can I use BGP communities to control the routes advertised and received over the AWS public virtual interface with Direct Connect?

Short description

AWS Direct Connect locations in AWS Regions or in the AWS GovCloud (US) Region can access public services in any AWS Region (excluding the China (Beijing) Region). Direct Connect advertises all local and remote AWS Region prefixes where available, and includes on-net prefixes from other AWS non-Region points of presence (POPs) where available, such as Amazon CloudFront. For more information, see Routing policies and BGP communities.

Resolution

Direct Connect supports a range of Border Gateway Protocol (BGP) community tags to help control the scope (Regional, continent, or global) of routes advertised and received over a public VIF.

Direct Connect BGP community tags that AWS advertises to your customer gateway device over the public VIF include:

• 7224:8100—Routes that originate from the AWS Region where the Direct Connect point of presence is located.
• 7224:8200—Routes that originate from the continent where the Direct Connect point of presence is located.
• No tag—Global (all public AWS Regions).

If you have a public VIF in the us-east-1 Region, then AWS advertises the routes associated for public resources in us-east-1 Region with a community tag of 7224:8100. For routes for public resources in North America, AWS advertises the routes with a community tag of 7224:8200. For all other prefixes, there is no tag.

Direct Connect BGP community tags that you can use to select the scope of your prefixes to AWS:

• 7224:9100—Local AWS Region where the Direct Connect point of presence is located.
• 7224:9200—All AWS Regions for the continent (for example, North America) where the Direct Connect point of presence is located.
• 7224:9300 or no tag—Global (all public AWS Regions).

If you have a public VIF in the us-east-1 Region, you can limit the scope of the routes you advertise to us-east-1 Region with the community tag of 7224:9100. If you tag your routes with the community tag of 7224:9200, then your prefixes are advertised to all US Regions (North America continent). If you tag your routes with the community tag of 7224:9300, or if you do not tag your prefixes with a community tag, then your prefixes are advertised to all AWS Regions.

For example, to limit the routes received and advertised over the public VIF to a specific local Region, make sure that you configure a prefix filter and a route map that matches the routes received from AWS with the community tag of 7224:8100, and then install only those routes. You also must advertise your prefixes to AWS with a community tag of 7224:9100. This makes sure that the routes received and advertised over the public VIF are limited to the local Region.

You can use any combination of the community tags to control the routes advertised and received over an AWS public VIF.

AWS Direct Connect advertises all public prefixes with the NO_EXPORT BGP community tag.

For the current list of prefixes advertised by AWS, download the AWS JSON IP address ranges. For more information, see AWS IP address ranges.

Related information

Routing policies and BGP communities