I want to advertise Virtual Private Cloud (Amazon VPC) routes over an AWS Direct Connect VIF BGP session to an on-premises network.
Short description
The routes AWS advertised to an on-premises network over a Direct Connect Border Gateway Protocol (BGP) session depends on these connection types:
- Direct Connect private VIF connected to a virtual private gateway (VGW)
- Direct Connect private VIF connected to a Direct Connect gateway associated with a VGW
- Direct Connect transit VIF connected to a Direct Connect gateway associated with a transit gateway
Resolution
The Direct Connect on-premises network advertises the routes manually through BGP or through redistribution into BGP. The routes AWS advertises back to on-premises change depending on the type of gateways.
Direct Connect private VIF connecting to a VGW
The VGW associated VPC's IPv4/IPv6 CIDR are advertised automatically to an on-premises BGP peer. For example, a VPC with CIDR 10.55.0.0/16 VGW is associated directly with a private VIF. The prefix 10.55.0.0/16 is advertised to on-premises automatically. If there are additional CIDRs associated with the VPC, then those prefixes are advertised over to the BGP peer.
Direct Connect Private VIF connected to a Direct Connect gateway associated with VGW
You can have up to 10 VGWs associated with a Direct Connect gateway. All VPC CIDR prefixes are advertised to the on-premises BGP Peer. The allowed prefixes list filters BGP advertisements from AWS towards the on-premises BGP peer.
The allowed prefix list allows the same CIDRs or a smaller subnet of the CIDRs to advertise to the Direct Connect gateway.
In the following example, VPC-A CIDR 10.77.0.0/16, VPC-B CIDR 10.66.0.0/16 and VPC-C 192.168.0.0/16 are attached to a Direct Connect gateway
If the allowed prefixes list is set to allow only 10.0.0.0/8, the prefixes 10.77.0.0/16 and 10.66.0.0/16 are received on the on-premises BGP peer. This is because the prefixes are subnets of the allowed prefix list, but 192.168.0.0/16 isn't received on the on-premises BGP peer.
If the allowed prefixes list is set to allow 10.0.0.0/8 and 192.168.5.0/24, then the prefixes 10.77.0.0/16 and 10.66.0.0/16 are received on the on-premises BGP peer. This is because the prefixes are subnets of the allowed prefix list, but 192.168.0.0/16 isn't received on the on-premises BGP peer because that IP range doesn't match the allow list.
Direct Connect transit VIF connecting to a Direct Connect gateway associated with a transit gateway
You can connect one Direct Connect gateway to up to three transit gateways. Hundreds of VPCs can send traffic across the transit gateway and through the Direct Connect connection. The on-premises network must have the routes for all individual VPCs or use a summarized route. Routes advertised from the transit gateway towards on-premises with Direct Connect is defined in the allowed prefixes.
All prefixes are advertised to the on-premises BGP peer. The allowed prefixes list advertises from the transit gateway to the on-premises Direct Connect peer. You can advertise a route for any IP address like 8.8.8.8/32 even though it's not a VPC CIDR connected to the transit gateway.
The allowed prefix list for the transit gateway has a 20 prefix limit. In the following example, VPC-A CIDR 10.77.0.0/16, VPC-B CIDR 10.66.0.0/16 and VPC-C 192.168.0.0/16 are attached to a transit gateway that connects to a Direct Connect gateway. If the allowed prefixes list is set to allow 10.0.0.0/8 and 192.168.5.0/24, you won't receive the three VPC CIDR prefixes on the on-premises network. Instead, you receive the prefixes 10.0.0.0/8 and 192.168.5.0/24 advertised over the BGP.
If the allowed prefixes list is set to allow 10.0.0.0/8 and 192.168.0.0/16, you receive the prefixes 10.0.0.0/8 and 192.168.0.0/16 advertised over the BGP.
If the allowed prefixes list is set to allow only 0.0.0.0/0, you only receive the default route 0.0.0.0/0 advertised over the BGP.
Changes to allowed prefixes on a VGW or a transit gateway association with a Direct Connect gateway are updated for the routes and don't bring down the BGP session.
Note: Changes made to the allowed prefixes list can take several minutes to propagate.
Related information
Allowed prefixes interactions
Direct Connect quotas