VPN DX public VIF termination advice

The first line of defense would be using a firewall filter (based on the source/destination address of packets) to control traffic to and from, based on IP address ranges. This could be done on a stand alone device, on the router, or through your provider's network (e.g. in an SD-WAN configuration).

We recommend that you use a firewall filter (based on the source/destination address of packets) to control traffic to and from some prefixes. If you're using a prefix filter (route map), ensure that it accepts prefixes with an exact match or longer. Prefixes advertised from AWS Direct Connect may be aggregated and may differ from the prefixes defined in your prefix filter.