Public Virtual Interface (VIF) only advertising the AWS Prefixes on the same region

Last Updated on May 16, 2021

We have a Direct Connect (DX) connection in Mumbai Region and we need to access an S3 bucket or an EC2 Instance with Elastic IP in N. Virginia region. For this we will need to use Public Virtual Interface (VIF).

When we setup the Public VIF and configured the router in the Corporate Data Center, we cannot route traffic to any resources in the N. Virginia Region.

Is it possible to route traffic from a region where my Direct Connect is to AWS resources in another region using Public Virtual Interface (VIF)?

TL;DR – Yes, it is possible to connect to AWS resources in another region using DX Public VIF in a different region. A modification to the router configuration is required.


If you have setup a DX with Public VIF and can only access AWS Resources in the same region as your DX but unable to access AWS Resources in other regions then you should edit your router configuration.

In the routing policies and BGP communities in AWS docs, there are 3 options you can configure your router to receive public prefixes from AWS and to advertise your Public IPs.

  1. On the same region as your Direct Connect
  2. On the same continent as your Direct Connect
  3. Global – All public AWS Regions

1. On the Same Region as your Direct Connect

If you only want to route traffic from your DX Public VIF to publicly accessible AWS Resources in the same region as your DX then set the following BGP community tags.

Prefixes to advertise to AWS7224:9100
Prefixes from AWS7224:8100

2. On the same Continent as your Direct Connect

If you only want to route traffic from your DX Public VIF to publicly accessible AWS Resources in the same continent as your DX then set the following BGP community tags.

Prefixes to advertise to AWS7224:9200
Prefixes from AWS7224:8200

As of writing, there are only 3 AWS continent

  1. North America-wide
  2. Asia Pacific
  3. Europe, the Middle East and Africa

If you want a comprehensive list of the regions inside the continents you can check the Regions and Availability Zones AWS docs.

The issue now is the São Paulo Region (sa-east-1) which is located in the South America continent. I inquired with AWS Support on this and they said that since South America continent only has the São Paulo region, therefore the 7224:9200 and 7224:8200 will still work for the South America region but you can only access the São Paulo region since its the only region in the continent.


3. Global – All public AWS Regions

If you want to route traffic from your DX Public VIF to all publicly accessible AWS Resources across the globe, regardless of region then set the following BGP community tags.

Prefixes to advertise to AWS7224:9300
Prefixes from AWSNo tag

Tip

When you download the Sample Router Configuration of your Public Virtual Interface, there is a portion that mentions the router configuration on up to where you want your prefixes to be advertised.

! Community Based Tagging/Filtering Configuration for Public Virtual Interfaces (Optional)
!
! You can use community tags on the prefixes you advertise to AWS to specify how far these prefixes will be propagated into Amazon network. 
! You can also build filters based on the community tags on Amazon routes being received.
!
!                     To advertise to AWS    Prefixes from AWS
! LOCAL-AWS-REGION    7224:9100              7224:8100
! LOCAL-CONTINENT     7224:9200              7224:8200
! GLOBAL              7224:9300              No tag

I hope this help solve the issue that you cannot access AWS resources on different regions from your Direct Connect Public Virtual Interface (VIF) region.

Leave a Reply

Your email address will not be published. Required fields are marked *