Virtual private gateway associations - AWS Direct Connect

Virtual private gateway associations

You can use an AWS Direct Connect gateway to connect your AWS Direct Connect connection over a private virtual interface to one or more VPCs in any account that are located in the same or different Regions. You associate a Direct Connect gateway with the virtual private gateway for the VPC. Then, you create a private virtual interface for your AWS Direct Connect connection to the Direct Connect gateway. You can attach multiple private virtual interfaces to your Direct Connect gateway.

The following rules apply to virtual private gateway associations:

  • Do not enable route propagation until after you've associated a virtual gateway with a Direct Connect gateway. If you enable route propagation before associating the gateways, routes might be propagated incorrectly.

  • There are limits for creating and using Direct Connect gateways. For more information, see AWS Direct Connect quotas.

  • You cannot attach a Direct Connect gateway to a virtual private gateway when the Direct Connect gateway is already associated with a transit gateway.

  • The VPCs to which you connect through a Direct Connect gateway cannot have overlapping CIDR blocks. If you add an IPv4 CIDR block to a VPC that's associated with a Direct Connect gateway, ensure that the CIDR block does not overlap with an existing CIDR block for any other associated VPC. For more information, see Adding IPv4 CIDR Blocks to a VPC in the Amazon VPC User Guide.

  • You cannot create a public virtual interface to a Direct Connect gateway.

  • A Direct Connect gateway supports communication between attached private virtual interfaces and associated virtual private gateways only, and may enable a virtual private gateway to another private gateway. The following traffic flows are not supported:

    • Direct communication between the VPCs that are associated with a single Direct Connect gateway. This includes traffic from one VPC to another by using a hairpin through an on-premises network through a single Direct Connect gateway.

    • Direct communication between the virtual interfaces that are attached to a single Direct Connect gateway.

    • Direct communication between the virtual interfaces that are attached to a single Direct Connect gateway and a VPN connection on a virtual private gateway that's associated with the same Direct Connect gateway.

  • You cannot associate a virtual private gateway with more than one Direct Connect gateway and you cannot attach a private virtual interface to more than one Direct Connect gateway.

  • A virtual private gateway that you associate with a Direct Connect gateway must be attached to a VPC.

  • A virtual private gateway association proposal expires 7 days after it is created.

  • An accepted or deleted virtual private gateway proposal remains visible for 3 days.

  • A virtual private gateway can be associated with a Direct Connect gateway and also attached to a virtual interface.

  • Detaching a virtual private gateway from a VPC also disassociates the virtual private gateway from a Direct Connect gateway.

To connect your AWS Direct Connect connection to a VPC in the same Region only, you can create a Direct Connect gateway. Or, you can create a private virtual interface and attach it to the virtual private gateway for the VPC. For more information, see Create a private virtual interface and VPN CloudHub.

To use your AWS Direct Connect connection with a VPC in another account, you can create a hosted private virtual interface for that account. When the owner of the other account accepts the hosted virtual interface, they can choose to attach it either to a virtual private gateway or to a Direct Connect gateway in their account. For more information, see AWS Direct Connect virtual interfaces.

Creating a virtual private gateway

The virtual private gateway must be attached to the VPC to which you want to connect.

Note

If you are planning to use the virtual private gateway for a Direct Connect gateway and a dynamic VPN connection, set the ASN on the virtual private gateway to the value that you require for the VPN connection. Otherwise, the ASN on the virtual private gateway can be set to any permitted value. The Direct Connect gateway advertises all connected VPCs over the ASN assigned to it.

After you create a virtual private gateway, you must attach it to your VPC.

To create a virtual private gateway and attach it to your VPC
  1. Open the AWS Direct Connect console at https://console.aws.amazon.com/directconnect/v2/home.

  2. In the navigation pane, choose Virtual Private Gateways, and then choose Create Virtual Private Gateway.

  3. (Optional) Enter a name for your virtual private gateway. Doing so creates a tag with a key of Name and the value that you specify.

  4. For ASN, leave the default selection to use the default Amazon ASN. Otherwise, choose Custom ASN and enter a value. For a 16-bit ASN, the value must be in the 64512 to 65534 range. For a 32-bit ASN, the value must be in the 4200000000 to 4294967294 range.

  5. Choose Create Virtual Private Gateway.

  6. Select the virtual private gateway that you created, and then choose Actions, Attach to VPC.

  7. Select your VPC from the list and choose Yes, Attach.

To create a virtual private gateway using the command line or API
To attach a virtual private gateway to a VPC using the command line or API

Associating and disassociating virtual private gateways

You can associate or disassociate a virtual private gateway and Direct Connect gateway. The account owner of the virtual private gateway performs these operations.

To associate a virtual private gateway
  1. Open the AWS Direct Connect console at https://console.aws.amazon.com/directconnect/v2/home.

  2. In the navigation pane, choose Direct Connect gateways and then choose the Direct Connect gateway.

  3. Choose View details.

  4. Choose Gateway associations, and then choose Associate gateway.

  5. For Gateways, choose the virtual private gateways to associate, and then choose Associate gateway.

You can view all of the virtual private gateways that are associated with the Direct Connect gateway by choosing Gateway associations.

To disassociate a virtual private gateway
  1. Open the AWS Direct Connect console at https://console.aws.amazon.com/directconnect/v2/home.

  2. In the navigation pane, choose Direct Connect Gateways and then select the Direct Connect gateway.

  3. Choose View details.

  4. Choose Gateway associations and then select the virtual private gateway.

  5. Choose Disassociate.

To associate a virtual private gateway using the command line or API
To view the virtual private gateways associated with a Direct Connect gateway using the command line or API
To disassociate a virtual private gateway using the command line or API

Creating a private virtual interface to the Direct Connect gateway

To connect your AWS Direct Connect connection to the remote VPC, you must create a private virtual interface for your connection. Specify the Direct Connect gateway to which to connect.

Note

If you're accepting a hosted private virtual interface, you can associate it with a Direct Connect gateway in your account. For more information, see Accept a hosted virtual interface.

To provision a private virtual interface to a Direct Connect gateway
  1. Open the AWS Direct Connect console at https://console.aws.amazon.com/directconnect/v2/home.

  2. In the navigation pane, choose Virtual Interfaces.

  3. Choose Create virtual interface.

  4. Under Virtual interface type, choose Private.

  5. Under Private virtual interface settings, do the following:

    1. For Virtual interface name, enter a name for the virtual interface.

    2. For Connection, choose the Direct Connect connection that you want to use for this interface.

    3. For Virtual interface owner, choose My AWS account if the virtual interface is for your AWS account.

    4. For Direct Connect gateway, select the Direct Connect gateway.

    5. For VLAN, enter the ID number for your virtual local area network (VLAN).

    6. For BGP ASN, enter the Border Gateway Protocol Autonomous System Number of your on-premises peer router for the new virtual interface.

      The valid values are 1 to 2147483647.

  6. Under Additional Settings, do the following:

    1. To configure an IPv4 or IPv6 BGP peer, do the following:

      [IPv4] To configure an IPv4 BGP peer, choose IPv4, and then either let AWS auto-assign the peer IP addresses or specify them yourself. To specify them yourself, do the following:

      • For Your router peer ip, enter the destination IPv4 CIDR address to which Amazon should send traffic.

      • For Amazon router peer ip, enter the IPv4 CIDR address to use to send traffic to AWS.

        Important

        If you let AWS auto-assign IPv4 addresses, a /29 CIDR is allocated from 169.254.0.0/16 (IPv4 link-local, RFC 3927) for point-to-point connectivity. AWS does not recommend this option if you intend to use the customer router peer IP address as the source and/or destination for VPC traffic. Instead, use RFC 1918 or other (non-RFC 1918) addressing and specify the address yourself.

      [IPv6] To configure an IPv6 BGP peer, choose IPv6. The peer IPv6 addresses are automatically assigned from Amazon's pool of IPv6 addresses. You cannot specify custom IPv6 addresses.

    2. To change the maximum transmission unit (MTU) from 1500 (default) to 9001 (jumbo frames), select Jumbo MTU (MTU size 9001).

    3. (Optional) Under Enable SiteLink, choose Enabled to enable direct connectivity between Direct Connect points of presence.

    4. (Optional) Add or remove a tag.

      [Add a tag] Choose Add tag and do the following:

      • For Key, enter the key name.

      • For Value, enter the key value.

      [Remove a tag] Next to the tag, choose Remove tag.

  7. Choose Create virtual interface.

After you've created the virtual interface, you can download the router configuration for your device. For more information, see Download the router configuration file.
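The CIDR-overlap rule for associated VPCs, the custom ASN ranges for a virtual private gateway (step 4 above), the BGP ASN range for the on-premises peer (step 5.6) and the link-local peer IP caveat, as an added pre-flight validator that is not AWS code and runs against a constructed three-VPC plan before anything is created in the console:

```python
import ipaddress

# Custom ASN ranges a virtual private gateway accepts (inclusive bounds from the page).
VGW_ASN_16BIT = range(64512, 65534 + 1)
VGW_ASN_32BIT = range(4200000000, 4294967294 + 1)
# Valid BGP ASN of the on-premises peer router for a private virtual interface.
VIF_BGP_ASN = range(1, 2147483647 + 1)
# AWS auto-assigns IPv4 peer addresses from this RFC 3927 link-local block.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def valid_vgw_custom_asn(asn: int) -> bool:
    """True if asn is a permitted custom ASN for a virtual private gateway."""
    return asn in VGW_ASN_16BIT or asn in VGW_ASN_32BIT


def valid_vif_bgp_asn(asn: int) -> bool:
    """True if asn is a valid BGP ASN for the on-premises peer of a private VIF."""
    return asn in VIF_BGP_ASN


def overlapping_vpc_cidrs(vpcs: dict) -> list:
    """Return (vpc_a, vpc_b, cidr_a, cidr_b) for each overlapping pair of CIDRs in
    different VPCs; VPCs behind one Direct Connect gateway must be disjoint."""
    flat = [(name, ipaddress.ip_network(c)) for name, cidrs in vpcs.items() for c in cidrs]
    hits = []
    for i, (a_name, a_net) in enumerate(flat):
        for b_name, b_net in flat[i + 1:]:
            if a_name != b_name and a_net.overlaps(b_net):
                hits.append((a_name, b_name, str(a_net), str(b_net)))
    return hits


def peer_ip_warning(customer_peer_cidr: str, used_for_vpc_traffic: bool):
    """Warn when the customer router peer IP is link-local (auto-assigned) but is meant
    to be a source or destination for VPC traffic; return None when it is fine."""
    peer = ipaddress.ip_interface(customer_peer_cidr)
    if used_for_vpc_traffic and peer.ip in LINK_LOCAL:
        return f"{customer_peer_cidr} is link-local; use RFC 1918 or other addressing instead"
    return None


if __name__ == "__main__":
    # Constructed sample design: three VPCs planned behind one Direct Connect gateway.
    plan = {"vpc-prod": ["10.0.0.0/16"], "vpc-dev": ["10.1.0.0/16", "10.0.128.0/17"],
            "vpc-shared": ["172.16.0.0/20"]}
    print("CIDR overlaps:", overlapping_vpc_cidrs(plan))
    print(peer_ip_warning("169.254.10.2/29", used_for_vpc_traffic=True))
```

Any hit from overlapping_vpc_cidrs means the association will not work as intended and the VPC CIDR plan must change first.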

To create a private virtual interface using the command line or API
To view the virtual interfaces that are attached to a Direct Connect gateway using the command line or API