Direct Connect Public VIF

When you create a Public VIF the IP addresses on the link between you and AWS need to be public IP addresses. You will need two - one for your router and one for the AWS router. Customers can provide IP addresses from their public IP address allocation (if they own public IP addresses); for customers that do not you can request a /31 (two IP addresses) from AWS using a support case.

Per the documentation:

• ** Your router peer ip**, enter the destination IPv4 CIDR address to which Amazon should send traffic.
• For Amazon router peer IP, enter the IPv4 CIDR address to use to send traffic to AWS.

More details can be found here: https://docs.aws.amazon.com/directconnect/latest/UserGuide/create-vif.html

For AWS Direct connect Public VIF, you need to specify the a /30 or /31 subnet which will be used for establishing BGP peering between your customer gateway device and AWS Direct Connect router. These IPs are used as BGP peers as you are seeing option in the creation of the Public VIF. In addition you also have to provide the Public IP address prefixes (which will act as the source of traffic to S3 from your on-premises) that you want to advertise over the peering. The Public IP addresses either need to be owned by you or should have been provided to you by your ISP, which in case needs a letter of authorization to use them.

As an alternate to Public VIF, if you already have a Private VIF configured over your Direct connect, then you can use AWS Private link for S3 and access it over Direct Connect Private VIF or VPN connection. https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html