AWS Direct Connect
User Guide

Associating a Virtual Private Gateway Across Accounts

You can associate a Direct Connect gateway with a virtual private gateway that's in a different AWS account. The Direct Connect gateway can be an existing gateway, or you can create a new gateway. The owner of the virtual private gateway creates an association proposal and the owner of the Direct Connect gateway must accept the association proposal.

An association proposal can contain prefixes that will be allowed from the virtual private gateway. The owner of the Direct Connect gateway can optionally override any requested prefixes in the association proposal.

You can only associate a Direct Connect gateway and virtual private gateway when the account that owns the Direct Connect gateway and the account that owns the virtual private gateway have the same payer ID.

Consider a scenario in which Account Z owns the Direct Connect gateway, and Account A and Account B want to use it. Account A and Account B each send an association proposal to Account Z. Account Z accepts the association proposals and can optionally update the prefixes that are allowed from Account A's virtual private gateway or Account B's virtual private gateway. After Account Z accepts the proposals, Account A and Account B can route traffic from their virtual private gateways to the Direct Connect gateway. Account Z also owns the routing to the customers because Account Z owns the gateway.

Allowed Prefixes

When you associate a virtual private gateway with a Direct Connect gateway, you specify a list of Amazon VPC prefixes to advertise to the Direct Connect gateway. The prefix list acts as a filter that allows the same CIDRs or smaller CIDRs to be advertised to the Direct Connect gateway. You must set the Allowed prefixes to a range that is the same as or wider than the VPC CIDR, because we provision the entire VPC CIDR on the virtual private gateway.

Consider the case where the VPC CIDR is 10.0.0.0/16. You can set the Allowed prefixes to 10.0.0.0/16 (the VPC CIDR value), or 10.0.0.0/15 (a value that is wider than the VPC CIDR).

For more information on how allowed prefixes interact with virtual private gateways and transit gateways, see Allowed Prefixes Interactions.
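
The following is an added example, not part of the AWS documentation: a check that a Direct Connect gateway owner could run on the comma-separated Allowed prefixes of a proposal before accepting it or overriding the prefixes. The function name, the status labels, and the per-account approved range are assumptions made for illustration; the sample values are constructed.

```python
import ipaddress

def review_proposal(vpc_cidr, allowed_prefixes, approved_range):
    """Classify each requested prefix against the VPC CIDR and an
    owner-defined approved range (assumed policy, same address family)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    approved = ipaddress.ip_network(approved_range)
    report = {"vpc_covered": False, "needs_override": False, "prefixes": {}}
    for raw in (p.strip() for p in allowed_prefixes.split(",")):
        if not raw:
            continue
        try:
            # Strict parsing rejects entries with host bits set.
            net = ipaddress.ip_network(raw)
        except ValueError:
            status = "invalid"
        else:
            if net.version != vpc.version:
                status = "wrong-address-family"
            elif not net.subnet_of(approved):
                # Wider than the gateway owner is willing to allow.
                status = "exceeds-approved-range"
            elif vpc.subnet_of(net):
                # Same as or wider than the VPC CIDR, as the rule requires.
                status = "covers-vpc"
            else:
                # Valid and in range, but narrower than or outside the VPC CIDR.
                status = "does-not-cover-vpc"
        report["prefixes"][raw] = status
        if status == "covers-vpc":
            report["vpc_covered"] = True
        if status in ("invalid", "wrong-address-family", "exceeds-approved-range"):
            report["needs_override"] = True
    return report

# Constructed sample: the VPC CIDR from the text, plus entries an owner should question.
SAMPLE = "10.0.0.0/16, 10.0.0.0/15, 10.0.0.0/8, 10.0.1.0/24, 10.0.0.1/16"

if __name__ == "__main__":
    result = review_proposal("10.0.0.0/16", SAMPLE, approved_range="10.0.0.0/15")
    for prefix, status in result["prefixes"].items():
        print(f"{prefix:14} {status}")
    print("VPC CIDR covered:", result["vpc_covered"])
    print("Override needed: ", result["needs_override"])
```

A result with needs_override set is a signal for the gateway owner to replace the requested prefixes when accepting the proposal rather than accepting them as submitted.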

Creating an Association Proposal

If you own the virtual private gateway, you must create an association proposal. The virtual private gateway must be attached to a VPC in your AWS account. The owner of the Direct Connect gateway must share the ID of the Direct Connect gateway and the ID of its AWS account. After you create the proposal, the owner of the Direct Connect gateway must accept it in order for you to gain access to the on-premises network over AWS Direct Connect.

To create an association proposal

  1. Open the AWS Direct Connect console at https://console.aws.amazon.com/directconnect/v2/home.

  2. In the navigation pane, choose Virtual private gateways and select the virtual private gateway.

  3. Choose View details.

  4. Choose Direct Connect gateway associations and choose Associate Direct Connect gateway.

  5. Under Association account type, for Account owner, choose Another account.

  6. For Direct Connect gateway owner, enter the ID of the AWS account that owns the Direct Connect gateway.

  7. Under Association settings, do the following:

    1. For Direct Connect gateway ID, enter the ID of the Direct Connect gateway.

    2. For Virtual interface owner, enter the ID of the AWS account that owns the virtual interface for the association.

    3. (Optional) To specify a list of prefixes to be allowed from the virtual private gateway, add the prefixes to Allowed prefixes, separating them using commas.

  8. Choose Associate Direct Connect gateway.

To create an association proposal using the command line or API

Accepting or Rejecting an Association Proposal

If you own the Direct Connect gateway, you must accept the association proposal in order to create the association. Otherwise, you can reject the association proposal.

To accept an association proposal

  1. Open the AWS Direct Connect console at https://console.aws.amazon.com/directconnect/v2/home.

  2. In the navigation pane, choose Direct Connect gateways.

  3. Select the Direct Connect gateway with pending proposals and choose View details.

  4. On the Pending proposals tab, select the proposal and choose Accept proposal.

  5. (Optional) To specify a list of prefixes to be allowed from the virtual private gateway, add the prefixes to Allowed prefixes, separating them using commas.

  6. Choose Accept proposal.

To reject an association proposal

  1. Open the AWS Direct Connect console at https://console.aws.amazon.com/directconnect/v2/home.

  2. In the navigation pane, choose Direct Connect gateways.

  3. Select the Direct Connect gateway with pending proposals and choose View details.

  4. On the Pending proposals tab, select the virtual private gateway and choose Reject proposal.

  5. In the Reject proposal dialog box, enter Delete and choose Reject proposal.

To view association proposals using the command line or API

To accept an association proposal using the command line or API

To reject an association proposal using the command line or API

Updating the Allowed Prefixes for an Association

You can update the prefixes that are allowed from the virtual private gateway over the Direct Connect gateway.

If you're the owner of the virtual private gateway, create a new association proposal for the same Direct Connect gateway and virtual private gateway, specifying the prefixes to allow.

If you're the owner of the Direct Connect gateway, update the allowed prefixes when you accept the association proposal or update the allowed prefixes for an existing association as follows.

To update the allowed prefixes for an existing association using the command line or API

Deleting an Association Proposal

The owner of the virtual private gateway can delete the Direct Connect gateway association proposal if it is still pending acceptance. After an association proposal is accepted, you can't delete it, but you can disassociate the virtual private gateway from the Direct Connect gateway. For more information, see Associating and Disassociating Virtual Private Gateways.

To delete an association proposal

  1. Open the AWS Direct Connect console at https://console.aws.amazon.com/directconnect/v2/home.

  2. In the navigation pane, choose Virtual private gateways and select the virtual private gateway.

  3. Choose View details.

  4. Choose Pending Direct Connect gateway associations, select the association and choose Delete association.

  5. In the Delete association proposal dialog box, enter Delete and choose Delete.

To delete a pending association proposal using the command line or API