Create a virtual interface - AWS Direct Connect

Create a virtual interface

You can create a transit virtual interface to connect to a transit gateway, a public virtual interface to connect to public resources (non-VPC services), or a private virtual interface to connect to a VPC.

To create a virtual interface for accounts within your AWS Organizations, or AWS Organizations that are different from yours, create a hosted virtual interface. For more information, see Create a hosted virtual interface.

Prerequisites

Before you begin, ensure that you have read the information in Prerequisites for virtual interfaces.

Create a public virtual interface

When you create a public virtual interface, it can take up to 72 hours for us to review and approve your request.

To provision a public virtual interface

  1. Open the AWS Direct Connect console at https://console.aws.amazon.com/directconnect/v2/home.

  2. In the navigation pane, choose Virtual Interfaces.

  3. Choose Create virtual interface.

  4. Under Virtual interface type, for Type, choose Public.

  5. Under Public virtual interface settings, do the following:

    1. For Virtual interface name, enter a name for the virtual interface.

    2. For Connection, choose the Direct Connect connection that you want to use for this interface.

    3. For VLAN, enter the ID number for your virtual local area network (VLAN).

    4. For BGP ASN, enter the Border Gateway Protocol Autonomous System Number of your on-premises peer router for the new virtual interface.

      The valid values are 1-2147483647.

  6. Under Additional settings, do the following:

    1. To configure an IPv4 BGP or an IPv6 peer, do the following:

      [IPv4] To configure an IPv4 BGP peer, choose IPv4 and do one of the following:

      • To specify these IP addresses yourself, for Your router peer ip, enter the destination IPv4 CIDR address to which Amazon should send traffic.

      • For Amazon router peer IP, enter the IPv4 CIDR address to use to send traffic to AWS.

      [IPv6] To configure an IPv6 BGP peer, choose IPv6. The peer IPv6 addresses are automatically assigned from Amazon's pool of IPv6 addresses. You cannot specify custom IPv6 addresses.

    2. To provide your own BGP key, enter your BGP MD5 key.

      If you do not enter a value, we generate a BGP key.

    3. To advertise prefixes to Amazon, for Prefixes you want to advertise, enter the IPv4 CIDR destination addresses (separated by commas) to which traffic should be routed over the virtual interface.

    4. (Optional) Add or remove a tag.

      [Add a tag] Choose Add tag and do the following:

      • For Key, enter the key name.

      • For Value, enter the key value.

      [Remove a tag] Next to the tag, choose Remove tag.

  7. Choose Create virtual interface.

  8. Download the router configuration for your device. For more information, see Download the router configuration file.

To create a public virtual interface using the command line or API

Create a private virtual interface

You can provision a private virtual interface to a virtual private gateway in the same Region as your AWS Direct Connect connection. For more information about provisioning a private virtual interface to an AWS Direct Connect gateway, see Working with Direct Connect gateways.

If you use the VPC wizard to create a VPC, route propagation is automatically enabled for you. With route propagation, routes are automatically populated to the route tables in your VPC. If you choose, you can disable route propagation. For more information, see Enable Route Propagation in Your Route Table in the Amazon VPC User Guide.

The maximum transmission unit (MTU) of a network connection is the size, in bytes, of the largest permissible packet that can be passed over the connection. The MTU of a virtual private interface can be either 1500 or 9001 (jumbo frames). The MTU of a transit virtual interface can be either 1500 or 8500 (jumbo frames). You can specify the MTU when you create the interface or update it after you create it. Setting the MTU of a virtual interface to 8500 (jumbo frames) or 9001 (jumbo frames) can cause an update to the underlying physical connection if it wasn't updated to support jumbo frames. Updating the connection disrupts network connectivity for all virtual interfaces associated with the connection for up to 30 seconds. To check whether a connection or virtual interface supports jumbo frames, select it in the AWS Direct Connect console and find Jumbo Frame Capable on the Summary tab.

To provision a private virtual interface to a VPC

  1. Open the AWS Direct Connect console at https://console.aws.amazon.com/directconnect/v2/home.

  2. In the navigation pane, choose Virtual Interfaces.

  3. Choose Create virtual interface.

  4. Under Virtual interface type, for Type, choose Private.

  5. Under Private virtual interface settings, do the following:

    1. For Virtual interface name, enter a name for the virtual interface.

    2. For Connection, choose the Direct Connect connection that you want to use for this interface.

    3. For Gateway type, choose Virtual private gateway, or Direct Connect gateway.

    4. For Virtual interface owner, choose Another AWS account, and then enter the AWS account.

    5. For Virtual private gateway, choose the virtual private gateway to use for this interface.

    6. For VLAN, enter the ID number for your virtual local area network (VLAN).

    7. For BGP ASN, enter the Border Gateway Protocol Autonomous System Number of your on-premises peer router for the new virtual interface.

      The valid values are 1-2147483647.

  6. Under Additional Settings, do the following:

    1. To configure an IPv4 BGP or an IPv6 peer, do the following:

      [IPv4] To configure an IPv4 BGP peer, choose IPv4 and do one of the following:

      • To specify these IP addresses yourself, for Your router peer ip, enter the destination IPv4 CIDR address to which Amazon should send traffic.

      • For Amazon router peer ip, enter the IPv4 CIDR address to use to send traffic to AWS.

      [IPv6] To configure an IPv6 BGP peer, choose IPv6. The peer IPv6 addresses are automatically assigned from Amazon's pool of IPv6 addresses. You cannot specify custom IPv6 addresses.

    2. To change the maximum transmission unit (MTU) from 1500 (default) to 9001 (jumbo frames), select Jumbo MTU (MTU size 9001).

    3. (Optional) Add or remove a tag.

      [Add a tag] Choose Add tag and do the following:

      • For Key, enter the key name.

      • For Value, enter the key value.

      [Remove a tag] Next to the tag, choose Remove tag.

  7. Choose Create virtual interface.

  8. Download the router configuration for your device. For more information, see Download the router configuration file.

To create a private virtual interface using the command line or API

Create a transit virtual interface to the Direct Connect gateway

To connect your AWS Direct Connect connection to the transit gateway, you must create a transit interface for your connection. Specify the Direct Connect gateway to which to connect.

The maximum transmission unit (MTU) of a network connection is the size, in bytes, of the largest permissible packet that can be passed over the connection. The MTU of a virtual private interface can be either 1500 or 9001 (jumbo frames). The MTU of a transit virtual interface can be either 1500 or 8500 (jumbo frames). You can specify the MTU when you create the interface or update it after you create it. Setting the MTU of a virtual interface to 8500 (jumbo frames) or 9001 (jumbo frames) can cause an update to the underlying physical connection if it wasn't updated to support jumbo frames. Updating the connection disrupts network connectivity for all virtual interfaces associated with the connection for up to 30 seconds. To check whether a connection or virtual interface supports jumbo frames, select it in the AWS Direct Connect console and find Jumbo Frame Capable on the Summary tab.

Important

If you associate your transit gateway with one or more Direct Connect gateways, the Autonomous System Number (ASN) used by the transit gateway and the Direct Connect gateway must be different. For example, if you use the default ASN 64512 for both the transit gateway and the Direct Connect gateway, the association request fails.

To provision a transit virtual interface to a Direct Connect gateway

  1. Open the AWS Direct Connect console at https://console.aws.amazon.com/directconnect/v2/home.

  2. In the navigation pane, choose Virtual Interfaces.

  3. Choose Create virtual interface.

  4. Under Virtual interface type, for Type, choose Transit.

  5. Under Transit virtual interface settings, do the following:

    1. For Virtual interface name, enter a name for the virtual interface.

    2. For Connection, choose the Direct Connect connection that you want to use for this interface.

    3. For Virtual interface owner, choose My AWS account if the virtual interface is for your AWS account.

    4. For Direct Connect gateway, select the Direct Connect gateway.

    5. For VLAN, enter the ID number for your virtual local area network (VLAN).

    6. For BGP ASN, enter the Border Gateway Protocol Autonomous System Number of your on-premises peer router for the new virtual interface.

      The valid values are 1-2147483647.

  6. Under Additional Settings, do the following:

    1. To configure an IPv4 BGP or an IPv6 peer, do the following:

      [IPv4] To configure an IPv4 BGP peer, choose IPv4 and do one of the following:

      • To specify these IP addresses yourself, for Your router peer ip, enter the destination IPv4 CIDR address to which Amazon should send traffic.

      • For Amazon router peer ip, enter the IPv4 CIDR address to use to send traffic to AWS.

      [IPv6] To configure an IPv6 BGP peer, choose IPv6. The peer IPv6 addresses are automatically assigned from Amazon's pool of IPv6 addresses. You cannot specify custom IPv6 addresses.

    2. To change the maximum transmission unit (MTU) from 1500 (default) to 8500 (jumbo frames), select Jumbo MTU (MTU size 8500).

    3. (Optional) Add or remove a tag.

      [Add a tag] Choose Add tag and do the following:

      • For Key, enter the key name.

      • For Value, enter the key value.

      [Remove a tag] Next to the tag, choose Remove tag.

  7. Choose Create virtual interface.

After you create the virtual interface, you can download the router configuration for your device. For more information, see Download the router configuration file.

To create a transit virtual interface using the command line or API

To view the virtual interfaces that are attached to a Direct Connect gateway using the command line or API

Download the router configuration file

After you create the virtual interface and the interface state is up, you can download the router configuration file for your router.

If you use any of the following routers for virtual interfaces that have MACsec turned on, we automatically create the configuration file for your router:

  • Cisco Nexus 9K+ Series switches running NX-OS 9.3 or later software

  • Juniper Networks M/MX Series Routers running JunOS 9.5 or later software

  1. Open the AWS Direct Connect console at https://console.aws.amazon.com/directconnect/v2/home.

  2. In the navigation pane, choose Virtual Interfaces.

  3. Select the virtual interface and then choose View details.

  4. Choose Download router configuration.

  5. For Download router configuration, do the following:

    1. For Vendor, select the manufacturer of your router.

    2. For Platform, select the model of your router.

    3. For Software, select the software version for your router.

  6. Choose Download, and then use the appropriate configuration for your router to ensure that you can connect to AWS Direct Connect.

MACsec considerations

If you need to manually configure your router for MACsec, use the following table as a guideline.

Parameter Description
CKN length This is a 64 hexadecimal character (0–9, A–E) string. Use the full length to maximize cross-platform compatibility.
CAK length This is a 64 hexadecimal character (0–9, A–E) string. Use the full length to maximize cross-platform compatibility.
Cryptographic algorithm AES_256_CMAC
SAK Cipher Suite GCM_AES_XPN_256
Key Cipher Suite 16
Confidentiality Offset 0
ICV Indicator No
SAK Rekey Time PN Rollover>
Replay Window (frames) 148809600