How do I connect my private network to AWS public services using an AWS Direct Connect public VIF?


I want to connect my private network to AWS public services using an AWS Direct Connect public virtual interface (VIF).

Resolution

Create a Direct Connect public VIF to reach AWS public endpoints from public IP addresses that are advertised to AWS over Border Gateway Protocol (BGP).

You can configure either of the following:

  • The on-premises router associated with the public VIF to perform network address translation (NAT)
    -or-
  • The on-premises router associated with the public VIF to perform port address translation (PAT)

NAT allows your private networks to access publicly routable Amazon services in any AWS Region except the AWS China Region. On-premises routing must accept all needed IP prefixes from the AWS Direct Connect peer and use the public VIF to route that traffic.

For example, a corporate network uses the IP address range 192.168.0.0/24 and accesses AWS public resources through a Direct Connect public VIF with the following IP addresses:

  • 198.51.100.1/30 as the local peer IP address (On-premises Router IP)
  • 198.51.100.2/30 as the remote peer IP address (AWS Device IP)

In this scenario, you must do the following:

  • Use the local peer IP address associated with the public VIF as the PAT IP address.
  • Advertise 198.51.100.0/30 over the Direct Connect public VIF.
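A worked on-premises router configuration for the scenario above, added here as an example and not part of the AWS article. It is written in Cisco IOS syntax; the interface names, the VLAN ID, and both BGP ASNs (65000 for the customer side, 7224 for the AWS side) are assumptions, while the addresses are the ones given above. The prefix filters are a defender's addition so that the private 192.168.0.0/24 is never advertised to AWS and only public, non-default prefixes are accepted from the AWS peer.

```cisco
! Added example (not from the AWS article). Interface names, VLAN 100,
! ASN 65000 (customer) and ASN 7224 (AWS peer) are assumptions.

! LAN-facing interface: the corporate network 192.168.0.0/24
interface GigabitEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside

! Direct Connect public VIF (802.1Q sub-interface, VLAN ID assumed)
! 198.51.100.1 is the local peer IP and also the PAT address
interface GigabitEthernet0/1.100
 encapsulation dot1Q 100
 ip address 198.51.100.1 255.255.255.252
 ip nat outside

! Only the corporate range is eligible for translation
ip access-list standard CORP-TO-AWS
 permit 192.168.0.0 0.0.0.255

! PAT (overload) onto the local peer IP of the public VIF
ip nat inside source list CORP-TO-AWS interface GigabitEthernet0/1.100 overload

! Outbound: advertise only the public /30, never the private LAN prefix
ip prefix-list TO-AWS seq 5 permit 198.51.100.0/30

! Inbound: reject a default route and RFC 1918 space, accept the rest
ip prefix-list FROM-AWS seq 5 deny 0.0.0.0/0
ip prefix-list FROM-AWS seq 10 deny 10.0.0.0/8 le 32
ip prefix-list FROM-AWS seq 15 deny 172.16.0.0/12 le 32
ip prefix-list FROM-AWS seq 20 deny 192.168.0.0/16 le 32
ip prefix-list FROM-AWS seq 25 permit 0.0.0.0/0 le 32

! BGP session to the AWS peer; the MD5 key comes from the Direct Connect
! console (placeholder below)
router bgp 65000
 neighbor 198.51.100.2 remote-as 7224
 neighbor 198.51.100.2 password <BGP-MD5-KEY-FROM-DIRECT-CONNECT-CONSOLE>
 address-family ipv4
  network 198.51.100.0 mask 255.255.255.252
  neighbor 198.51.100.2 activate
  neighbor 198.51.100.2 prefix-list TO-AWS out
  neighbor 198.51.100.2 prefix-list FROM-AWS in

! Checks: 'show ip bgp neighbors 198.51.100.2 advertised-routes' should list
! only 198.51.100.0/30; 'show ip nat translations' should show corporate
! hosts translated to 198.51.100.1.
```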

Related information

How can I set up a Direct Connect public VIF?

Which type of Direct Connect virtual interface should I use to connect different AWS resources?

List of AWS services available by Region

IP Network Address Translator (NAT) Terminology and Considerations - RFC 2663 (on the IETF Datatracker website)

AWS OFFICIAL

Updated 9 months ago