kf7izt.net stuff

AWS Network - Fri, May 28, 2021

Public VIF routing

Inbound (your prefixes toward AWS):

  • You must own the public prefix you advertise
  • Traffic is destined to Amazon public prefixes
  • DX applies inbound packet filtering to validate that the source address of the traffic falls within a prefix you advertised

Outbound (AWS toward you):

  • AWS uses AS_PATH and longest prefix match to choose the path for traffic sourced from Amazon, so a more specific prefix advertised over DX beats the same prefix seen via the internet
  • DX advertises all local and remote Region prefixes
  • DX advertises prefixes with a minimum AS_PATH length of 3 #more?
  • DX advertises all public prefixes with the well-known NO_EXPORT community
  • With multiple connections you can adjust the load sharing of inbound traffic by advertising prefixes with similar path attributes
  • Prefixes sent by DX must not be advertised beyond the network boundaries of your connection (never into a public internet routing table)
  • DX will not advertise your prefix outside the AWS network or to any of the following:
    • Other DX customers
    • Peered networks
    • Transit providers

Public VIF BGP communities

Community tags on the public prefixes that you advertise to Amazon indicate how far to propagate your prefixes inside the Amazon network. BGP community tags:

  • 7224:9100—Local AWS Region
  • 7224:9200—All AWS Regions for a continent
    • North America–wide
    • Asia Pacific
    • Europe, the Middle East and Africa
  • 7224:9300—Global (all public AWS Regions)

Note: if you don't apply any tag, the prefix is treated as global (7224:9300). The communities 7224:1 – 7224:65535 are reserved by AWS Direct Connect.

  • 7224:9xxx = PUBLIC customer prefixes (scope you set)
  • 7224:8xxx = PUBLIC AWS-advertised prefixes
  • 7224:7xxx = PRIVATE/Transit VIF local preference tags

The NO_EXPORT BGP community is added to all routes advertised from AWS on a public VIF.

AWS Direct Connect applies the following BGP communities to its advertised routes: AWS BGP Community tags:

  • 7224:8100—Routes from the same AWS Region
  • 7224:8200—Routes from the same continent
  • No tag—Global (all public AWS Regions).

Private VIF and Transit VIF routing rules

Some rules for private/transit:

  • Longest prefix match first
  • By default the distance from the local Region to the DX location determines which private or transit VIF is used; you can override this by assigning local preference communities to the virtual interfaces
  • If you have multiple VIFs advertising the same prefix, you can use AS_PATH (prepending) to influence which one AWS uses for its traffic

Private VIF and Transit VIF BGP communities

DX supports local preference tags to control route preference: LOW/MEDIUM/HIGH = 7100/7200/7300. The following local preference BGP community tags are supported:

  • 7224:7100—Low preference
  • 7224:7200—Medium preference
  • 7224:7300—High preference

Examples for Private:

  • You can use AS_PATH prepending or longest prefix match (advertise a more specific prefix) to prefer one VIF over another
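The path selection in the public VIF section and the private/transit VIF rules above, as an added example that is not part of the original notes or of any AWS tooling. It models the DX inbound source filter, the community-to-scope mapping for public prefixes, and a route selection that applies longest prefix match, then the 7224:7xxx local preference tag, then AS_PATH length. All prefixes, ASNs, VIF names and "distance" values are constructed sample data; treating an untagged route as medium preference and using a numeric "distance" as the final tie-break are assumptions drawn from these notes, not AWS's full decision process.

```python
"""Added example: model of DX public/private VIF path selection (constructed data)."""
import ipaddress

# Community values from the notes: 7224:9xxx = scope of customer public prefixes,
# 7224:7xxx = local preference on private/transit VIFs.
PUBLIC_SCOPE = {"7224:9100": "local-region", "7224:9200": "continent", "7224:9300": "global"}
LOCAL_PREF = {"7224:7100": 100, "7224:7200": 200, "7224:7300": 300}
DEFAULT_LOCAL_PREF = 200  # assumption: an untagged route is treated as medium


def public_scope(communities):
    """How far AWS propagates a customer prefix advertised on a public VIF.
    No tag means global; any other 7224:* tag is in the range reserved by DX."""
    for c in communities:
        if c.startswith("7224:") and c not in PUBLIC_SCOPE:
            raise ValueError(f"{c} is not a public VIF scope tag (7224:1-65535 are reserved by DX)")
    scopes = [PUBLIC_SCOPE[c] for c in communities if c in PUBLIC_SCOPE]
    if len(scopes) > 1:
        raise ValueError("more than one scope community on a prefix")
    return scopes[0] if scopes else "global"


def source_filter(advertised_prefixes):
    """Mimic the DX inbound check: a packet passes only if its source address lies
    inside a prefix the customer advertised over the public VIF."""
    nets = [ipaddress.ip_network(p) for p in advertised_prefixes]
    return lambda src: any(ipaddress.ip_address(src) in n for n in nets)


def select_route(dest, routes):
    """Pick the route AWS would use for `dest` from candidate advertisements.
    Each route: {"prefix", "as_path": [asn, ...], "communities": [...], "via", "distance"}.
    Order: longest prefix match, highest local preference, shortest AS_PATH, then the
    constructed Region-to-DX-location "distance" (lowest wins)."""
    ip = ipaddress.ip_address(dest)
    cands = [r for r in routes if ip in ipaddress.ip_network(r["prefix"])]
    if not cands:
        return None

    def local_pref(r):
        tags = [LOCAL_PREF[c] for c in r.get("communities", []) if c in LOCAL_PREF]
        return max(tags) if tags else DEFAULT_LOCAL_PREF

    return min(cands, key=lambda r: (
        -ipaddress.ip_network(r["prefix"]).prefixlen,  # longest match first
        -local_pref(r),                                 # HIGH beats MEDIUM beats LOW
        len(r["as_path"]),                              # shorter AS_PATH wins
        r.get("distance", 0),                           # constructed tie-break
    ))


# Public VIF: the same /24 is seen via the internet and a more specific /25 over DX.
PUBLIC_ROUTES = [
    {"prefix": "203.0.113.0/24", "as_path": [64496, 64500, 64501], "via": "internet"},
    {"prefix": "203.0.113.0/25", "as_path": [64496], "via": "public-vif"},
]

# Private VIFs: vif-b is AS_PATH-prepended to make it the backup for 10.10.0.0/16;
# vif-c carries the HIGH tag, which beats vif-a's shorter AS_PATH for 10.20.0.0/16.
PRIVATE_ROUTES = [
    {"prefix": "10.10.0.0/16", "as_path": [64496], "via": "vif-a", "distance": 5},
    {"prefix": "10.10.0.0/16", "as_path": [64496, 64496, 64496], "via": "vif-b", "distance": 1},
    {"prefix": "10.20.0.0/16", "as_path": [64496], "via": "vif-a", "distance": 5},
    {"prefix": "10.20.0.0/16", "as_path": [64496, 64496], "communities": ["7224:7300"],
     "via": "vif-c", "distance": 1},
]

if __name__ == "__main__":
    ok = source_filter(["203.0.113.0/24"])
    print(ok("203.0.113.9"), ok("198.51.100.1"))               # True False
    print(public_scope([]), public_scope(["7224:9200"]))       # global continent
    print(select_route("203.0.113.10", PUBLIC_ROUTES)["via"])  # public-vif (longer match)
    print(select_route("203.0.113.200", PUBLIC_ROUTES)["via"]) # internet (/25 does not cover it)
    print(select_route("10.10.1.1", PRIVATE_ROUTES)["via"])    # vif-a (shorter AS_PATH)
    print(select_route("10.20.1.1", PRIVATE_ROUTES)["via"])    # vif-c (HIGH local pref wins)
```

The point to take from the two private routes is that the local preference tag is evaluated before AS_PATH, so prepending on a VIF that also carries 7224:7300 does not demote it; drop the tag or use 7224:7100 instead.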

Examples for Transit with Direct Connect GW:

From on-prem the path is: Customer GW -> DX location -> Transit VIF -> Direct Connect GW -> Transit GW association, to one Transit GW that can be peered with other Transit GWs

Limits and other notes:

  • Private and Transit VIFs support up to 100 advertised customer BGP prefixes; Public VIFs support 1000
  • A transit gateway association on a Direct Connect gateway allows up to 20 prefixes to be advertised from AWS to on-prem
  • AWS does not automatically encrypt traffic on Direct Connect; if confidentiality on the link is required you have to layer your own encryption on top
  • AWS Shield mitigates attacks at layers 3 and 4 of the OSI model; layer 7 protection is WAF only

MTU support:

  • VPC: 9001
  • Private VIF: 9001
  • Transit VIF: 8500
  • Public VIF: 1500
  • VPC peering: 9001 within the same Region, 1500 across Regions
  • Internet : 1500

Direct Connect GW limits:

  • 30 private VIFs per Direct Connect gateway
  • 10 virtual private gateways per Direct Connect gateway
  • The VPCs to which you connect through a Direct Connect gateway cannot have overlapping CIDR blocks
  • You cannot create a public virtual interface to a Direct Connect gateway
  • A virtual private gateway that you associate with a Direct Connect gateway must be attached to a VPC
  • You cannot use a Direct Connect gateway to connect to a VPC in the China (Beijing) region
  • A VPGW or TGW in a different AWS account can only be associated with your Direct Connect gateway through an association proposal that the gateway owner accepts

Transit GW limits:

  • 5 TGWs per Region (default quota)

Global Accelerator:

  • Static anycast IPs
  • Instant Regional failover
  • Global Accelerator vs CloudFront:
    • GA proxies packets at the edge for TCP/UDP
    • CF caches images/video and accelerates dynamic content

VPC

Secondary CIDR Blocks:

  • If your primary CIDR is from 10.0.0.0/8 you cannot add a secondary from the other RFC 1918 ranges (172.16.0.0/12, 192.168.0.0/16)
  • If you start with a publicly routable range you stick with routable, and the same the other way round, unless it is 10.0.0.0/16

VPC Peering

  • VPC Peering does NOT support edge-to-edge routing.
  • You cannot create a VPC peering connection between VPCs that have matching or overlapping IPv4 or IPv6 CIDR blocks.
  • If the VPCs are in the same region, you can enable the resources on either side of a VPC peering connection to communicate with each other over IPv6.
  • For inter-Region peering you cannot create a security group rule that references a peer VPC security group, and communication over IPv6 is not supported either.
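An offline check for the CIDR rules in the secondary CIDR and VPC peering notes above, added here as an example and not taken from the original notes or from any AWS tool. It flags VPC pairs whose address space overlaps (which blocks VPC peering and hanging both VPCs off one Direct Connect gateway) and rejects a secondary CIDR that overlaps the primary or that comes from 172.16.0.0/12 or 192.168.0.0/16 when the primary is in 10.0.0.0/8. VPC names and CIDRs are constructed sample data; the rules for primaries outside 10.0.0.0/8 are not modelled.

```python
"""Added example: VPC CIDR overlap and secondary-CIDR checks (constructed data)."""
import ipaddress
from itertools import combinations

RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def overlapping_vpcs(vpcs):
    """vpcs: {name: [cidr, ...]} with the primary CIDR first.
    Returns (a, b, cidr_a, cidr_b) for every pair of VPCs that share address space
    and therefore cannot be peered or attached to the same DX gateway."""
    hits = []
    for (a, a_cidrs), (b, b_cidrs) in combinations(vpcs.items(), 2):
        for ca in a_cidrs:
            for cb in b_cidrs:
                if ipaddress.ip_network(ca).overlaps(ipaddress.ip_network(cb)):
                    hits.append((a, b, ca, cb))
    return hits


def secondary_allowed(primary, secondary):
    """Apply the rules stated in the notes: a secondary must not overlap the primary,
    and a 10/8 primary cannot take a secondary from 172.16/12 or 192.168/16.
    Assumption: other primary ranges are not modelled and are left to AWS to reject."""
    p, s = ipaddress.ip_network(primary), ipaddress.ip_network(secondary)
    if p.overlaps(s):
        return False
    if p.subnet_of(RFC1918[0]) and any(s.subnet_of(r) for r in RFC1918[1:]):
        return False
    return True


# Constructed sample: "data" was carved out of "app"'s range, so they can never be peered.
SAMPLE_VPCS = {
    "app": ["10.0.0.0/16"],
    "data": ["10.0.128.0/17"],
    "edge": ["192.168.0.0/24"],
}

if __name__ == "__main__":
    for a, b, ca, cb in overlapping_vpcs(SAMPLE_VPCS):
        print(f"{a} ({ca}) overlaps {b} ({cb}): peering/DX gateway association blocked")
    print(secondary_allowed("10.0.0.0/16", "10.1.0.0/16"))    # True
    print(secondary_allowed("10.0.0.0/16", "172.16.0.0/16"))  # False (other RFC 1918 range)
    print(secondary_allowed("10.0.0.0/16", "10.0.1.0/24"))    # False (overlaps primary)
```

Run it against the CIDR list exported from your accounts before requesting a peering or a DX gateway association; the overlap is cheaper to find here than after the request is rejected.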

R53

  • Gateway endpoint vs interface endpoint
  • A gateway endpoint is reached through a route-table entry pointing at the endpoint
  • An interface endpoint uses private DNS, implemented as a private hosted zone

Ref: AWS Direct Connect docs, routing policies and BGP communities



© Tj 2021 | Built on Hugo
