Last Updated: 07/10/2023

Not sure what type of Virtual Interface (VIF) you need on your Direct Connect, or how many VIFs you can run on your type of Direct Connect? You’re in the right place.

I’m going to assume you know what Direct Connects are, and how to design them – if not, check out my Direct Connect post.

A Direct Connect just creates a link between you and AWS, almost like building a tunnel. You then need to pave the road, and that’s where VIFs come in. There are a few different types of road we can build in our tunnel, depending on the type of car driving on it.

Private VIFs: This is the one you want if you are connecting to your RFC1918 CIDRs and terminating onto Virtual Gateways (or a Direct Connect Gateway associated with Virtual Gateways). If you want to terminate the Direct Connect on your Transit Gateway, this is NOT the one for you.

Transit VIFs: Pretty much the same as Private VIFs, with the special case that you MUST use this one if you are terminating your Direct Connect (Gateway) on a Transit Gateway.

Public VIFs: This is the one you’re going to need if you want to reach AWS’s Public IP space via your Direct Connect and NOT the Internet: for instance, the public IPs of S3 buckets, the public IPs of EC2 instances, and other public AWS services. If you want to reach those services through VPC Interface Endpoints, this is NOT the VIF for you; you’re going to need a Private or Transit VIF.

Note: If you want to run an IPsec tunnel over your Direct Connect, you are going to need a Public VIF. Why? Don’t forget you’re terminating the IPsec tunnels on Public IP addresses on the AWS side, which belong to AWS’s Public IP space. You can still use RFC1918 CIDRs inside the IPsec tunnel.

How many VIFs can you run over your Direct Connect? It really depends on the type of Direct Connect you have.

As a reminder, Direct Connects come in two flavours – Dedicated and Hosted. Dedicated ones are physical connections you request via AWS. Hosted ones are logical connections you request via Direct Connect Delivery Partners.

On a Dedicated Direct Connect – you can have up to 50 Public OR Private VIFs plus 4 Transit VIFs, though the total maximum is 51 VIFs. I know, this is a little confusing, but it’s a recent change AWS introduced allowing up to 4 TVIFs, versus the 1 you were allowed before.

On a Hosted Direct Connect – you can only have a single VIF.
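The interplay between the per-type caps and the overall cap is easy to get wrong when planning, so here is an added example (my own code, not anything from AWS) that encodes the limits quoted above and reports how many VIFs of a requested mix actually fit on a Dedicated or Hosted connection. The `DirectConnect` class, the `plan()` helper and the VIF inventory are all constructed for illustration.

```python
"""Quota check for adding VIFs to a Direct Connect, using the limits quoted
in the post: a Dedicated connection allows up to 50 Private/Public VIFs and
up to 4 Transit VIFs, but no more than 51 VIFs in total; a Hosted connection
allows exactly 1 VIF. Added example, not AWS tooling."""
from dataclasses import dataclass, field
from enum import Enum


class VifType(Enum):
    PRIVATE = "private"
    PUBLIC = "public"
    TRANSIT = "transit"


# Limits as stated in the post.
DEDICATED_PRIVATE_PUBLIC_MAX = 50
DEDICATED_TRANSIT_MAX = 4
DEDICATED_TOTAL_MAX = 51
HOSTED_TOTAL_MAX = 1


@dataclass
class DirectConnect:
    name: str
    dedicated: bool                      # False means a Hosted connection
    vifs: list = field(default_factory=list)   # constructed inventory of VifType

    def count(self, *types: VifType) -> int:
        return sum(1 for t in self.vifs if t in types)

    def can_add(self, vif_type: VifType) -> tuple:
        """Return (allowed, reason) for adding one more VIF of vif_type."""
        total = len(self.vifs)
        if not self.dedicated:
            if total >= HOSTED_TOTAL_MAX:
                return False, "hosted connection already carries its single VIF"
            return True, "ok"
        # Dedicated: the overall cap applies before the per-type caps.
        if total >= DEDICATED_TOTAL_MAX:
            return False, f"dedicated connection at total cap of {DEDICATED_TOTAL_MAX}"
        if vif_type is VifType.TRANSIT:
            if self.count(VifType.TRANSIT) >= DEDICATED_TRANSIT_MAX:
                return False, f"transit VIF cap of {DEDICATED_TRANSIT_MAX} reached"
        elif self.count(VifType.PRIVATE, VifType.PUBLIC) >= DEDICATED_PRIVATE_PUBLIC_MAX:
            return False, f"private/public VIF cap of {DEDICATED_PRIVATE_PUBLIC_MAX} reached"
        return True, "ok"

    def add(self, vif_type: VifType) -> None:
        ok, why = self.can_add(vif_type)
        if not ok:
            raise ValueError(f"{self.name}: cannot add {vif_type.value} VIF: {why}")
        self.vifs.append(vif_type)


def plan(dedicated: bool, private: int, public: int, transit: int) -> dict:
    """Place a requested mix of VIFs on a fresh connection (private first,
    then public, then transit) and report how many of each type fit, plus
    the first refusal reason if anything did not fit."""
    dx = DirectConnect("planned", dedicated)
    placed = {t: 0 for t in VifType}
    refused = None
    wanted = ([VifType.PRIVATE] * private + [VifType.PUBLIC] * public
              + [VifType.TRANSIT] * transit)
    for t in wanted:
        ok, why = dx.can_add(t)
        if ok:
            dx.add(t)
            placed[t] += 1
        elif refused is None:
            refused = f"{t.value}: {why}"
    return {"placed": {t.value: n for t, n in placed.items()}, "refused": refused}


if __name__ == "__main__":
    # Constructed scenario: 50 private VIFs leave room for only 1 transit VIF,
    # even though 4 transit VIFs would otherwise be allowed on their own.
    print(plan(dedicated=True, private=50, public=0, transit=4))
    print(plan(dedicated=False, private=1, public=1, transit=0))
```

The first scenario is the one the "51 total" rule bites on: fill all 50 Private/Public slots and only one Transit VIF still fits, so a design that needs several Transit VIFs has to leave Private/Public slots free.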

If you’re a Network Engineer, setting up the VIF is fairly straightforward. You’ll need to assign a VLAN ID, allocate a BGP ASN, configure your BGP Peer IPs and MD5 Key, and that’s pretty much it.

For the ASN, it’ll need to be a Private one (both 16-bit and 32-bit are supported), as AWS doesn’t validate ownership of ASNs; requiring a private ASN is how they protect customers from BGP spoofing.
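As an added example (my own code, not an AWS tool), here is a pre-flight check for the four values just listed, so a bad VLAN, a public ASN or mismatched peer addresses are caught before the VIF is requested. It assumes 802.1Q VLAN IDs 1-4094, the RFC 6996 private ASN ranges (16-bit 64512-65534 and 32-bit 4200000000-4294967294), a /30 IPv4 peering subnet for the two BGP peers, and a non-empty MD5 key; the `VifParams` class and the sample values are constructed.

```python
"""Pre-flight validation of the VIF parameters the post lists: VLAN ID,
BGP ASN, BGP peer IPs and MD5 key. Added example, not AWS tooling.
Assumptions: 802.1Q VLAN IDs 1-4094, RFC 6996 private ASN ranges, an IPv4
/30 peering subnet, and a mandatory MD5 key."""
import ipaddress
from dataclasses import dataclass

# RFC 6996 private ASN ranges (inclusive).
PRIVATE_ASN_16BIT = range(64512, 65534 + 1)
PRIVATE_ASN_32BIT = range(4200000000, 4294967294 + 1)
PEERING_PREFIXLEN = 30   # assumed IPv4 peering subnet size


def is_private_asn(asn: int) -> bool:
    """True for a 16-bit or 32-bit private ASN, which AWS requires because
    it does not verify ASN ownership (protects customers from BGP spoofing)."""
    return asn in PRIVATE_ASN_16BIT or asn in PRIVATE_ASN_32BIT


@dataclass(frozen=True)
class VifParams:
    vlan: int
    customer_asn: int
    customer_peer: str   # CIDR notation, e.g. "169.254.250.1/30"
    amazon_peer: str     # CIDR notation, e.g. "169.254.250.2/30"
    md5_key: str


def validate_vif(p: VifParams) -> list:
    """Return a list of problem strings; an empty list means the parameters pass."""
    problems = []
    if not 1 <= p.vlan <= 4094:
        problems.append(f"VLAN {p.vlan} is outside the 802.1Q range 1-4094")
    if not is_private_asn(p.customer_asn):
        problems.append(f"ASN {p.customer_asn} is not a private ASN; only private "
                        "ASNs are accepted since ownership is not verified")
    try:
        cust = ipaddress.ip_interface(p.customer_peer)
        amz = ipaddress.ip_interface(p.amazon_peer)
    except ValueError as exc:
        problems.append(f"peer address not parseable: {exc}")
        return problems
    if cust.version != 4 or amz.version != 4:
        problems.append("this check only covers IPv4 peering")
        return problems
    if cust.network.prefixlen != PEERING_PREFIXLEN:
        problems.append(f"peering subnet is /{cust.network.prefixlen}, expected /{PEERING_PREFIXLEN}")
    if cust.network != amz.network:
        problems.append(f"peers {cust.ip} and {amz.ip} are not in the same subnet")
    elif cust.ip == amz.ip:
        problems.append(f"customer and Amazon peer share the address {cust.ip}")
    for label, iface in (("customer", cust), ("amazon", amz)):
        net = iface.network
        if iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"{label} peer {iface.ip} is the network or broadcast address")
    if not p.md5_key.strip():
        problems.append("MD5 key missing; the BGP session would be unauthenticated")
    return problems


if __name__ == "__main__":
    # Constructed sample values: a good set and a deliberately bad one.
    good = VifParams(101, 65001, "169.254.250.1/30", "169.254.250.2/30", "example-md5-key")
    bad = VifParams(4095, 64496, "169.254.250.1/30", "169.254.251.2/30", "")
    print("good:", validate_vif(good) or "passes")
    for problem in validate_vif(bad):
        print("bad:", problem)
```

Running it with the constructed `bad` set reports four problems (VLAN out of range, non-private ASN, peers in different subnets, and the missing MD5 key), while the `good` set passes.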