

# Direct Connect connection options
<a name="connection_options"></a>

AWS offers customers the ability to achieve highly resilient network connections between Amazon Virtual Private Cloud (Amazon VPC) and their on-premises infrastructure. The AWS Direct Connect Resiliency Toolkit provides a connection wizard with multiple resiliency models. These models help you to determine, and then place an order for the number of dedicated connections to achieve your SLA objective. You select a resiliency model, and then the AWS Direct Connect Resiliency Toolkit guides you through the dedicated connection ordering process. The resiliency models are designed to ensure that you have the appropriate number of dedicated connections in multiple locations. 

The following connection options are available for Direct Connect.
+ **Maximum Resiliency**: This model is available in the AWS Direct Connect Resiliency Toolkit and provides you a way to order dedicated connections to achieve an SLA of 99.99%. It requires you to meet all of the requirements for achieving the SLA that are specified in the [Direct Connect Service Level Agreement](https://aws.amazon.com/directconnect/sla/). For more information, see the [AWS Direct Connect Resiliency Toolkit](resiliency_toolkit.md).
+ **High Resiliency**: This model is available in the AWS Direct Connect Resiliency Toolkit and provides you a way to order dedicated connections to achieve an SLA of 99.9%. It requires you to meet all of the requirements for achieving the SLA that are specified in the [Direct Connect Service Level Agreement](https://aws.amazon.com/directconnect/sla/). For more information, see the [AWS Direct Connect Resiliency Toolkit](resiliency_toolkit.md).
+ **Development and Test**: This model is available in the AWS Direct Connect Resiliency Toolkit and provides you a way to achieve development and test resiliency for non-critical workloads by using separate connections that terminate on separate devices in one location. For more information, see the [AWS Direct Connect Resiliency Toolkit](resiliency_toolkit.md).
+ **Classic**: A Classic connection creates a connection without the need of the AWS Direct Connect Resiliency Toolkit. It's intended for users that have existing connections and want to add additional connections without using the toolkit. This model has a 95% SLA but does not provide resiliency or redundancy. For more information, see [Classic connection](classic_connection.md).

**Topics**
+ [Connection prerequisites](#prerequisites)
+ [AWS Direct Connect Resiliency Toolkit](resiliency_toolkit.md)
+ [Classic connection](classic_connection.md)

## Connection prerequisites
<a name="prerequisites"></a>

Direct Connect supports the following port speeds over single-mode fiber: a 1000BASE-LX (1310 nm) transceiver for 1 gigabit Ethernet, a 10GBASE-LR (1310 nm) transceiver for 10 gigabit Ethernet, a 100GBASE-LR4 transceiver for 100 gigabit Ethernet, or a 400GBASE-LR4 transceiver for 400 Gbps Ethernet.

You can set up a Direct Connect connection using the AWS Direct Connect Resiliency Toolkit or a Classic connection in one of the following ways:


| Model | Bandwidth | Method | 
| --- | --- | --- | 
| Dedicated connection | 1 Gbps, 10 Gbps, 100 Gbps, and 400 Gbps |  Work with a Direct Connect Partner or a network provider to connect a router from your data center, office, or colocation environment to a Direct Connect location. The network provider does not have to be an [AWS Direct Connect Partner](https://aws.amazon.com/directconnect/partners) to connect you to a dedicated connection. Direct Connect dedicated connections support these port speeds over single-mode fiber: 1 Gbps: 1000BASE-LX (1310 nm), 10 Gbps: 10GBASE-LR (1310 nm), 100 Gbps: 100GBASE-LR4, and 400 Gbps: 400GBASE-LR4.  | 
| Hosted connection | 50 Mbps, 100 Mbps, 200 Mbps, 300 Mbps, 400 Mbps, 500 Mbps, 1 Gbps, 2 Gbps, 5 Gbps, 10 Gbps, and 25 Gbps. |  Work with a partner in the [AWS Direct Connect Partner Program](https://aws.amazon.com/directconnect/partners) to connect a router from your data center, office, or colocation environment to a Direct Connect location. Only certain partners provide higher capacity connections.   | 

For connections to Direct Connect with bandwidths of 1 Gbps or higher, ensure that your network meets the following requirements:
+ Your network must use single-mode fiber with a 1000BASE-LX (1310 nm) transceiver for 1 gigabit Ethernet, a 10GBASE-LR (1310 nm) transceiver for 10 gigabit Ethernet, a 100GBASE-LR4 transceiver for 100 gigabit Ethernet, or a 400GBASE-LR4 transceiver for 400 Gbps Ethernet.
+ Depending on the AWS Direct Connect endpoint serving your connection, on-premises device auto-negotiation might need to be enabled or disabled for any dedicated connection. If a virtual interface remains down when a Direct Connect connection is up, see [Troubleshoot layer 2 (data link) issues](ts-layer-2.md).
+ 802.1Q VLAN encapsulation must be supported across the entire connection, including intermediate devices.
+ Your device must support Border Gateway Protocol (BGP) and BGP MD5 authentication.
+ (Optional) You can configure Bidirectional Forwarding Detection (BFD) on your network. Asynchronous BFD is automatically enabled for each Direct Connect virtual interface, but does not take effect until you configure it on your router. For more information, see [Enable BFD for a Direct Connect connection](https://aws.amazon.com/premiumsupport/knowledge-center/enable-bfd-direct-connect/). 

Make sure you have the following information before you begin your configuration:
+ The resiliency model that you want to use if you're not creating a Classic connection. For AWS Direct Connect Resiliency Toolkit connection options, see the [AWS Direct Connect Resiliency Toolkit](resiliency_toolkit.md).
+ The speed, location, and partner for all of your connections.

  You only need the speed for one connection. 

# AWS Direct Connect Resiliency Toolkit
<a name="resiliency_toolkit"></a>

AWS offers customers the ability to achieve highly resilient network connections between Amazon Virtual Private Cloud (Amazon VPC) and their on-premises infrastructure. The AWS Direct Connect Resiliency Toolkit provides a connection wizard with multiple resiliency models. These models help you to determine, and then place an order for the number of dedicated connections to achieve your SLA objective. You select a resiliency model, and then the AWS Direct Connect Resiliency Toolkit guides you through the dedicated connection ordering process. The resiliency models are designed to ensure that you have the appropriate number of dedicated connections in multiple locations. 

The AWS Direct Connect Resiliency Toolkit has the following benefits:
+ Provides guidance on how you determine and then order the appropriate redundant Direct Connect dedicated connections.
+ Ensures that the redundant dedicated connections have the same speed.
+ Automatically configures the dedicated connection names.
+ Automatically approves your dedicated connections when you have an existing AWS account and you select a known AWS Direct Connect Partner. The Letter of Authority (LOA) is available for immediate download.
+ Automatically creates a support ticket for the dedicated connection approval when you are a new AWS customer, or you select an unknown (**Other**) partner.
+ Provides an order summary for your dedicated connections, with the SLA that you can achieve and the port-hour cost for the ordered dedicated connections.
+ Creates link aggregation groups (LAGs), and adds the appropriate number of dedicated connections to the LAGs when you choose a speed other than 1 Gbps, 10 Gbps, 100 Gbps, or 400 Gbps.
+ Provides a LAG summary with the dedicated connection SLA that you can achieve, and the total port-hour cost for each ordered dedicated connection as part of the LAG.
+ Prevents you from terminating the dedicated connections on the same Direct Connect device.
+ Provides a way for you to test your configuration for resiliency. You work with AWS to bring down the BGP peering session in order to verify that traffic routes to one of your redundant virtual interfaces. For more information, see [Direct Connect Failover Test](resiliency_failover.md).
+ Provides Amazon CloudWatch metrics for connections and virtual interfaces. For more information, see [Monitor Direct Connect resources](monitoring-overview.md).

After you select the resiliency model, the AWS Direct Connect Resiliency Toolkit steps you through the following procedures:
+ Selecting the number of dedicated connections
+ Selecting the connection capacity, and the dedicated connection location
+ Ordering the dedicated connections
+ Verifying that the dedicated connections are ready to use
+ Downloading your Letter of Authority (LOA-CFA) for each dedicated connection
+ Verifying that your configuration meets your resiliency requirements

## Available resiliency models
<a name="available_models"></a>

The following resiliency models are available in the AWS Direct Connect Resiliency Toolkit:
+ **Maximum resiliency**: This model provides you a way to order dedicated connections to achieve an SLA of 99.99%. It requires you to meet all of the requirements for achieving the SLA that are specified in the [Direct Connect Service Level Agreement](https://aws.amazon.com/directconnect/sla/). 
+ **High resiliency**: This model provides you a way to order dedicated connections to achieve an SLA of 99.9%. It requires you to meet all of the requirements for achieving the SLA that are specified in the [Direct Connect Service Level Agreement](https://aws.amazon.com/directconnect/sla/). 
+ **Development and test**: This model provides you a way to achieve development and test resiliency for non-critical workloads, by using separate connections that terminate on separate devices in one location.

The best practice is to use the **Connection wizard** in the AWS Direct Connect Resiliency Toolkit to order the dedicated connections to achieve your SLA objective.

**Note**  
If you do not want to create a resiliency model using the AWS Direct Connect Resiliency Toolkit, you can create a Classic connection. For more information about Classic connections, see [Classic connection](classic_connection.md).

## AWS Direct Connect Resiliency Toolkit prerequisites
<a name="prerequisites"></a>

Note the following information before you begin your configuration:
+ Familiarize yourself with the [Connection prerequisites](connection_options.md#connect-prereqs.title).
+ The available resiliency model that you want to use.

## Maximum resiliency
<a name="maximum_resiliency"></a>

You can achieve maximum resiliency for critical workloads by using separate connections that terminate on separate devices in more than one location (as shown in the following figure). This model provides resiliency against device, connectivity, and complete location failures. The following figure shows both connections from each customer data center going to the same Direct Connect locations. You can optionally have each connection from a customer data center going to different locations.

![\[Maximum resiliency model\]](http://docs.aws.amazon.com/directconnect/latest/UserGuide/images/dc-max-resiliency.png)


For the procedure for using the AWS Direct Connect Resiliency Toolkit to configure a maximum resiliency model, see [Configure maximum resiliency](max-resiliency-set-up.md).

## High resiliency
<a name="high_resiliency"></a>

You can achieve high resiliency for critical workloads by using two single connections to multiple locations (as shown in the following figure). This model provides resiliency against connectivity failures caused by a fiber cut or a device failure. It also helps prevent a complete location failure.

![\[High resiliency model\]](http://docs.aws.amazon.com/directconnect/latest/UserGuide/images/dc-high-resiliency.png)


For the procedure for using the AWS Direct Connect Resiliency Toolkit to configure a high resiliency model, see [Configure high resiliency](high-resiliency-set-up.md).

## Development and test
<a name="dev-test-resiliency"></a>

You can achieve development and test resiliency for non-critical workloads by using separate connections that terminate on separate devices in one location (as shown in the following figure). This model provides resiliency against device failure, but does not provide resiliency against location failure.

![\[Development and Test Model\]](http://docs.aws.amazon.com/directconnect/latest/UserGuide/images/dc-devtest.png)


For the procedure for using the AWS Direct Connect Resiliency Toolkit to configure a development and test resiliency model, see [Configure development and test resiliency](devtest-resiliency-set-up.md).
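
The three model descriptions above reduce to a rule over the location and terminating device of each connection. The following added example (not AWS code) applies that rule to a constructed inventory shaped like `aws directconnect describe-connections` output; the thresholds are this example's reading of the descriptions, the IDs, location codes and device names are invented, and the other SLA requirements are not checked.

```python
import json
from collections import defaultdict

# Constructed inventory shaped like `aws directconnect describe-connections`
# output. IDs, location codes and device names are invented for this example.
SAMPLE = json.loads("""
{"connections": [
  {"connectionId": "dxcon-aaaa1111", "location": "LOC1",
   "awsLogicalDeviceId": "LOC1-dev-a", "connectionState": "available"},
  {"connectionId": "dxcon-aaaa2222", "location": "LOC1",
   "awsLogicalDeviceId": "LOC1-dev-b", "connectionState": "available"},
  {"connectionId": "dxcon-bbbb1111", "location": "LOC2",
   "awsLogicalDeviceId": "LOC2-dev-a", "connectionState": "available"},
  {"connectionId": "dxcon-bbbb2222", "location": "LOC2",
   "awsLogicalDeviceId": "LOC2-dev-a", "connectionState": "available"}
]}
""")


def audit(connections):
    """Return (model, findings) for a list of connection records.

    Assumed reading of the models described above:
      maximum              - two or more locations, each with two or more devices
      high                 - connections in two or more locations
      development-and-test - one location with two or more devices
      none                 - anything less (for example a single connection)
    """
    by_location = defaultdict(lambda: defaultdict(list))  # location -> device -> ids
    ignored = []
    for conn in connections:
        if conn.get("connectionState") != "available":
            ignored.append(conn["connectionId"])  # a port that is not up adds no resiliency
            continue
        # Connections with no device ID collapse into one "unknown" device (conservative).
        device = conn.get("awsLogicalDeviceId") or "unknown"
        by_location[conn["location"]][device].append(conn["connectionId"])

    findings = []
    for location, devices in sorted(by_location.items()):
        for device, ids in sorted(devices.items()):
            if len(ids) > 1:
                findings.append(f"{location}: {', '.join(sorted(ids))} share device {device}")
    for conn_id in sorted(ignored):
        findings.append(f"{conn_id}: not in 'available' state, ignored")

    device_redundant = sum(1 for devices in by_location.values() if len(devices) >= 2)
    if device_redundant >= 2:
        model = "maximum"
    elif len(by_location) >= 2:
        model = "high"
    elif device_redundant == 1:
        model = "development-and-test"
    else:
        model = "none"
    return model, findings


if __name__ == "__main__":
    model, findings = audit(SAMPLE["connections"])
    print("resiliency model met:", model)
    for line in findings:
        print(" -", line)
```

The sample has four connections in two locations but is classified as high rather than maximum, because both connections at the second location terminate on the same device.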

## AWS Direct Connect Failover Test
<a name="toolkit-failover-test"></a>

Use the AWS Direct Connect Resiliency Toolkit to verify traffic routes and that those routes meet your resiliency requirements.

For the procedures for using the AWS Direct Connect Resiliency Toolkit to perform failover tests, see [Direct Connect failover test](resiliency_failover.md).

# Configure Direct Connect for maximum resiliency with the AWS Direct Connect Resiliency Toolkit
<a name="max-resiliency-set-up"></a>

In this example, the Direct Connect Resiliency Toolkit is used to configure a maximum resiliency model.

**Topics**
+ [Step 1: Sign up for AWS](#max-resiliency-signup)
+ [Step 2: Configure the resiliency model](#max-resiliency-select-model)
+ [Step 3: Create your virtual interfaces](#max-resiliency-createvirtualinterface)
+ [Step 4: Verify your virtual interface resiliency configuration](#max-resiliency-failover)
+ [Step 5: Verify your virtual interfaces connectivity](#max-resiliency-connected)

## Step 1: Sign up for AWS
<a name="max-resiliency-signup"></a>

To use Direct Connect, you need an AWS account if you don't already have one.

### Sign up for an AWS account
<a name="sign-up-for-aws"></a>

If you do not have an AWS account, complete the following steps to create one.

**To sign up for an AWS account**

1. Open [https://portal.aws.amazon.com/billing/signup](https://portal.aws.amazon.com/billing/signup).

1. Follow the online instructions.

   Part of the sign-up procedure involves receiving a phone call or text message and entering a verification code on the phone keypad.

   When you sign up for an AWS account, an *AWS account root user* is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to a user, and use only the root user to perform [tasks that require root user access](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks).

AWS sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to [https://aws.amazon.com/](https://aws.amazon.com/) and choosing **My Account**.

### Create a user with administrative access
<a name="create-an-admin"></a>

After you sign up for an AWS account, secure your AWS account root user, enable AWS IAM Identity Center, and create an administrative user so that you don't use the root user for everyday tasks.

**Secure your AWS account root user**

1.  Sign in to the [AWS Management Console](https://console.aws.amazon.com/) as the account owner by choosing **Root user** and entering your AWS account email address. On the next page, enter your password.

   For help signing in by using root user, see [Signing in as the root user](https://docs.aws.amazon.com/signin/latest/userguide/console-sign-in-tutorials.html#introduction-to-root-user-sign-in-tutorial) in the *AWS Sign-In User Guide*.

1. Turn on multi-factor authentication (MFA) for your root user.

   For instructions, see [Enable a virtual MFA device for your AWS account root user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/enable-virt-mfa-for-root.html) in the *IAM User Guide*.

**Create a user with administrative access**

1. Enable IAM Identity Center.

   For instructions, see [Enabling AWS IAM Identity Center](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-set-up-for-idc.html) in the *AWS IAM Identity Center User Guide*.

1. In IAM Identity Center, grant administrative access to a user.

   For a tutorial about using the IAM Identity Center directory as your identity source, see [Configure user access with the default IAM Identity Center directory](https://docs.aws.amazon.com//singlesignon/latest/userguide/quick-start-default-idc.html) in the *AWS IAM Identity Center User Guide*.

**Sign in as the user with administrative access**
+ To sign in with your IAM Identity Center user, use the sign-in URL that was sent to your email address when you created the IAM Identity Center user.

  For help signing in using an IAM Identity Center user, see [Signing in to the AWS access portal](https://docs.aws.amazon.com/signin/latest/userguide/iam-id-center-sign-in-tutorial.html) in the *AWS Sign-In User Guide*.

**Assign access to additional users**

1. In IAM Identity Center, create a permission set that follows the best practice of applying least-privilege permissions.

   For instructions, see [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-started-create-a-permission-set.html) in the *AWS IAM Identity Center User Guide*.

1. Assign users to a group, and then assign single sign-on access to the group.

   For instructions, see [Add groups](https://docs.aws.amazon.com//singlesignon/latest/userguide/addgroups.html) in the *AWS IAM Identity Center User Guide*.

## Step 2: Configure the resiliency model
<a name="max-resiliency-select-model"></a>

**To configure a maximum resiliency model**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. In the navigation pane, choose **Connections**, and then choose **Create a connection**.

1. Under **Connection ordering type**, choose **Connection wizard**.

1. Under **Resiliency level**, choose **Maximum Resiliency**, and then choose **Next**.

1. On the **Configure connections** pane, under **Connection settings,** do the following:

   1. For **Bandwidth**, choose the dedicated connection bandwidth.

      This bandwidth applies to all of the created connections.

   1. For **First location service provider**, select the appropriate Direct Connect location for the dedicated connection.

   1. If applicable, for **First Sub location**, choose the floor closest to you or your network provider. This option is only available if the location has meet-me rooms (MMRs) on multiple floors of the building.

   1. If you selected **Other** for **First location service provider**, for **Name of other provider**, enter the name of the partner that you use.

   1. For **Second location service provider**, select the appropriate Direct Connect location.

   1. If applicable, for **Second Sub location**, choose the floor closest to you or your network provider. This option is only available if the location has meet-me rooms (MMRs) on multiple floors of the building.

   1. If you selected **Other** for **Second location service provider**, for **Name of other provider**, enter the name of the partner that you use.

   1. (Optional) Add or remove a tag.

      [Add a tag] Choose **Add tag** and do the following:
      + For **Key**, enter the key name.
      + For **Value**, enter the key value.

      [Remove a tag] Next to the tag, choose **Remove tag**.

1. Choose **Next**.

1. Review your connections, and then choose **Continue**.

   If your LOAs are ready, you can choose **Download LOA**, and then click **Continue**.

   It can take up to 72 business hours for AWS to review your request and provision a port for your connection. During this time, you might receive an email with a request for more information about your use case or the specified location. The email is sent to the email address that you used when you signed up for AWS. You must respond within 7 days or the connection is deleted. 

## Step 3: Create your virtual interfaces
<a name="max-resiliency-createvirtualinterface"></a>

You can create a private virtual interface to connect to your VPC. Or, you can create a public virtual interface to connect to public AWS services that aren't in a VPC. When you create a private virtual interface to a VPC, you need a private virtual interface for each VPC that you're connecting to. For example, you need three private virtual interfaces to connect to three VPCs.

Before you begin, ensure that you have the following information:


| Resource | Required information | 
| --- | --- | 
| Connection | The Direct Connect connection or link aggregation group (LAG) for which you are creating the virtual interface. | 
| Virtual interface name | A name for the virtual interface. | 
| Virtual interface owner | If you're creating the virtual interface for another account, you need the AWS account ID of the other account. | 
| (Private virtual interface only) Connection | For connecting to a VPC in the same AWS Region, you need the virtual private gateway for your VPC. The ASN for the Amazon side of the BGP session is inherited from the virtual private gateway. When you create a virtual private gateway, you can specify your own private ASN. Otherwise, Amazon provides a default ASN. For more information, see [Create a Virtual Private Gateway](https://docs.aws.amazon.com/vpc/latest/userguide/SetUpVPNConnections.html#vpn-create-vpg) in the Amazon VPC User Guide. For connecting to a VPC through a Direct Connect gateway, you need the Direct Connect gateway. For more information, see [Direct Connect Gateways](https://docs.aws.amazon.com/directconnect/latest/UserGuide/direct-connect-gateways.html). | 
| VLAN | A unique virtual local area network (VLAN) tag that's not already in use on your connection. The value must be between 1 and 4094 and must comply with the Ethernet 802.1Q standard. This tag is required for any traffic traversing the Direct Connect connection. If you have a hosted connection, your AWS Direct Connect Partner provides this value. You can’t modify the value after you have created the virtual interface. | 
| Peer IP addresses |  A virtual interface can support a BGP peering session for IPv4, IPv6, or one of each (dual-stack). Do not use Elastic IPs (EIPs) or Bring your own IP addresses (BYOIP) from the Amazon Pool to create a public virtual interface. You cannot create multiple BGP sessions for the same IP addressing family on the same virtual interface. The IP address ranges are assigned to each end of the virtual interface for the BGP peering session. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/directconnect/latest/UserGuide/max-resiliency-set-up.html)  | 
| Address family | Whether the BGP peering session will be over IPv4 or IPv6. | 
| BGP information | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/directconnect/latest/UserGuide/max-resiliency-set-up.html) | 
| (Public virtual interface only) Prefixes you want to advertise |   Public IPv4 routes or IPv6 routes to advertise over BGP. You must advertise at least one prefix using BGP, up to a maximum of 1,000 prefixes. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/directconnect/latest/UserGuide/max-resiliency-set-up.html) | 
| (Private and transit virtual interfaces only) Jumbo frames | The maximum transmission unit (MTU) of packets over Direct Connect. The default is 1500. Setting the MTU of a virtual interface to 9001 (jumbo frames) can cause an update to the underlying physical connection if it wasn't updated to support jumbo frames. Updating the connection disrupts network connectivity for all virtual interfaces associated with the connection for up to 30 seconds. Jumbo frames apply only to propagated routes from Direct Connect. If you add static routes to a route table that point to your virtual private gateway, then traffic routed through the static routes is sent using 1500 MTU. To check whether a connection or virtual interface supports jumbo frames, select it in the Direct Connect console and find Jumbo frame capable on the virtual interface General configuration page. | 

If your public prefixes or ASNs belong to an ISP or network carrier, we request additional information from you. This can be a document using an official company letterhead, or an email from the company's domain name verifying that the network prefix/ASN can be used by you.

When you create a public virtual interface, it can take up to 72 business hours for AWS to review and approve your request.

**To provision a public virtual interface to non-VPC services**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. In the navigation pane, choose **Virtual Interfaces**.

1. Choose **Create virtual interface**.

1. Under **Virtual interface type**, for **Type**, choose **Public**.

1. Under **Public virtual interface settings**, do the following:

   1. For **Virtual interface name**, enter a name for the virtual interface.

   1. For **Connection**, choose the Direct Connect connection that you want to use for this interface.

   1. For **VLAN**, enter the ID number for your virtual local area network (VLAN). 

   1. For **BGP ASN**, enter the Border Gateway Protocol (BGP) Autonomous System Number (ASN) of your gateway.

      The valid values are 1 to 4294967294. This includes support for both ASNs (1-2147483647) and long ASNs (1-4294967294). For more information about ASNs and long ASNs see [Long ASN support in Direct Connect](long-asn-support.md). 

1. Under **Additional settings**, do the following:

   1. To configure an IPv4 BGP or an IPv6 peer, do the following:

      [IPv4] To configure an IPv4 BGP peer, choose **IPv4** and do one of the following:
      + To specify these IP addresses yourself, for **Your router peer ip**, enter the destination IPv4 CIDR address to which Amazon should send traffic. 
      + For **Amazon router peer IP**, enter the IPv4 CIDR address to use to send traffic to AWS.

      [IPv6] To configure an IPv6 BGP peer, choose **IPv6**. The peer IPv6 addresses are automatically assigned from Amazon's pool of IPv6 addresses. You cannot specify custom IPv6 addresses.

   1. To provide your own BGP key, enter your BGP MD5 key.

      If you do not enter a value, we generate a BGP key.

   1. To advertise prefixes to Amazon, for **Prefixes you want to advertise**, enter the IPv4 CIDR destination addresses (separated by commas) to which traffic should be routed over the virtual interface. 

   1. (Optional) Add or remove a tag.

      [Add a tag] Choose **Add tag** and do the following:
      + For **Key**, enter the key name.
      + For **Value**, enter the key value.

      [Remove a tag] Next to the tag, choose **Remove tag**.

1. Choose **Create virtual interface**.

**To provision a private virtual interface to a VPC**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. In the navigation pane, choose **Virtual Interfaces**.

1. Choose **Create virtual interface**.

1. Under **Virtual interface type**, for **Type**, choose **Private**.

1. Under **Private virtual interface settings**, do the following:

   1. For **Virtual interface name**, enter a name for the virtual interface.

   1. For **Connection**, choose the Direct Connect connection that you want to use for this interface.

   1. For **Gateway type**, choose **Virtual private gateway**, or **Direct Connect gateway**. 

   1. For **Virtual interface owner**, choose **Another AWS account**, and then enter the AWS account.

   1. For **Virtual private gateway**, choose the virtual private gateway to use for this interface.

   1. For **VLAN**, enter the ID number for your virtual local area network (VLAN). 

   1. For **BGP ASN**, enter the Border Gateway Protocol Autonomous System Number of your on-premises peer router for the new virtual interface.

      The valid values are 1 to 4294967294. This includes support for both ASNs (1-2147483647) and long ASNs (1-4294967294). For more information about ASNs and long ASNs see [Long ASN support in Direct Connect](long-asn-support.md). 

1. Under **Additional Settings**, do the following:

   1. To configure an IPv4 BGP or an IPv6 peer, do the following:

      [IPv4] To configure an IPv4 BGP peer, choose **IPv4** and do one of the following:
      + To specify these IP addresses yourself, for **Your router peer ip**, enter the destination IPv4 CIDR address to which Amazon should send traffic. 
      + For **Amazon router peer ip**, enter the IPv4 CIDR address to use to send traffic to AWS.

      **Important**  
      When configuring AWS Direct Connect virtual interfaces, you can specify your own IP addresses using RFC 1918, use other addressing schemes, or opt for AWS assigned IPv4 /29 CIDR addresses allocated from the RFC 3927 169.254.0.0/16 IPv4 Link-Local range for point-to-point connectivity. These point-to-point connections should be used exclusively for eBGP peering between your customer gateway router and the Direct Connect endpoint. For VPC traffic or tunnelling purposes, such as AWS Site-to-Site Private IP VPN, or Transit Gateway Connect, AWS recommends using a loopback or LAN interface on your customer gateway router as the source or destination address instead of the point-to-point connections.  
      For more information about RFC 1918, see [Address Allocation for Private Internets](https://datatracker.ietf.org/doc/html/rfc1918).  
      For more information about RFC 3927, see [Dynamic Configuration of IPv4 Link-Local Addresses](https://datatracker.ietf.org/doc/html/rfc3927).

      [IPv6] To configure an IPv6 BGP peer, choose **IPv6**. The peer IPv6 addresses are automatically assigned from Amazon's pool of IPv6 addresses. You cannot specify custom IPv6 addresses.

   1. To change the maximum transmission unit (MTU) from 1500 (default) to 9001 (jumbo frames), select **Jumbo MTU (MTU size 9001)**.

   1. (Optional) Under **Enable SiteLink**, choose **Enabled** to enable direct connectivity between Direct Connect points of presence.

   1. (Optional) Add or remove a tag.

      [Add a tag] Choose **Add tag** and do the following:
      + For **Key**, enter the key name.
      + For **Value**, enter the key value.

      [Remove a tag] Next to the tag, choose **Remove tag**.

1. Choose **Create virtual interface**.
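
A pre-flight check for the values collected in the table and entered in the two procedures above, as an added example that is not part of the AWS documentation. `VifPlan`, `validate` and `validate_batch` are hypothetical names, the sample plans are constructed, and the same-subnet peer check is this example's own sanity test rather than a rule stated on this page.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# RFC 1918 private ranges plus the RFC 3927 link-local range named on this page.
NON_PUBLIC_V4 = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


@dataclass
class VifPlan:  # hypothetical record for one planned virtual interface
    name: str
    connection_id: str
    vif_type: str                        # "public" or "private"
    vlan: int
    asn: int                             # BGP ASN of the on-premises router
    address_family: str = "ipv4"         # "ipv4" or "ipv6"
    customer_peer: Optional[str] = None  # "Your router peer IP" in CIDR form
    amazon_peer: Optional[str] = None    # "Amazon router peer IP" in CIDR form
    mtu: int = 1500
    prefixes: List[str] = field(default_factory=list)  # public VIF only


def _check_peers(plan: VifPlan) -> List[str]:
    supplied = [p for p in (plan.customer_peer, plan.amazon_peer) if p]
    if plan.address_family == "ipv6":
        return ["IPv6 peer addresses are assigned by Amazon; remove the custom peers"] if supplied else []
    if not supplied:
        return []  # no addresses supplied, nothing to check
    if len(supplied) != 2:
        return ["set both peer addresses or neither"]
    try:
        mine, theirs = (ipaddress.IPv4Interface(p) for p in supplied)
    except ValueError as exc:
        return [f"peer address is not an IPv4 CIDR address: {exc}"]
    if mine.network != theirs.network:
        return ["peer addresses are not in the same subnet"]
    return ["both peers use the same address"] if mine.ip == theirs.ip else []


def _check_prefixes(plan: VifPlan) -> List[str]:
    if plan.vif_type != "public":
        return []
    if not 1 <= len(plan.prefixes) <= 1000:
        return [f"a public virtual interface advertises 1 to 1,000 prefixes, got {len(plan.prefixes)}"]
    errors = []
    for text in plan.prefixes:
        try:
            net = ipaddress.ip_network(text)
        except ValueError:
            errors.append(f"prefix {text!r} is not a valid CIDR block")
            continue
        if net.version == 4 and any(net.subnet_of(r) for r in NON_PUBLIC_V4):
            errors.append(f"prefix {net} is private or link-local, not a public route")
    return errors


def validate(plan: VifPlan, vlans_in_use: Dict[str, Set[int]]) -> List[str]:
    """Return the problems found in one plan; an empty list means it passed."""
    errors = []
    if plan.vif_type not in ("public", "private"):
        errors.append(f"unknown virtual interface type {plan.vif_type!r}")
    if not 1 <= plan.vlan <= 4094:
        errors.append(f"VLAN {plan.vlan} is outside 1-4094")
    elif plan.vlan in vlans_in_use.get(plan.connection_id, set()):
        errors.append(f"VLAN {plan.vlan} is already in use on {plan.connection_id}")
    if not 1 <= plan.asn <= 4294967294:
        errors.append(f"BGP ASN {plan.asn} is outside 1-4294967294")
    if plan.mtu not in (1500, 9001):
        errors.append(f"MTU {plan.mtu} is neither 1500 nor 9001")
    elif plan.mtu == 9001 and plan.vif_type == "public":
        errors.append("jumbo frames apply to private and transit virtual interfaces only")
    return errors + _check_peers(plan) + _check_prefixes(plan)


def validate_batch(plans: List[VifPlan], vlans_in_use: Dict[str, Set[int]]) -> Dict[str, List[str]]:
    """Validate plans in order, reserving each accepted VLAN on its connection."""
    seen = {conn: set(vlans) for conn, vlans in vlans_in_use.items()}
    report = {}
    for plan in plans:
        report[plan.name] = validate(plan, seen)
        if not report[plan.name]:
            seen.setdefault(plan.connection_id, set()).add(plan.vlan)
    return report


# Constructed plans: vif-b reuses a VLAN, vif-c is a public VIF with several faults.
SAMPLE_PLANS = [
    VifPlan("vif-a", "dxcon-aaaa1111", "private", 101, 65000,
            customer_peer="169.254.10.2/29", amazon_peer="169.254.10.1/29", mtu=9001),
    VifPlan("vif-b", "dxcon-aaaa1111", "private", 101, 65000),
    VifPlan("vif-c", "dxcon-bbbb1111", "public", 4095, 65000, mtu=9001,
            prefixes=["10.20.0.0/16", "203.0.113.0/24"]),
]

if __name__ == "__main__":
    for name, problems in validate_batch(SAMPLE_PLANS, {}).items():
        print(name, "OK" if not problems else problems)
```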

## Step 4: Verify your virtual interface resiliency configuration
<a name="max-resiliency-failover"></a>

After you have established virtual interfaces to the AWS Cloud or to Amazon VPC, perform a virtual interface failover test to verify that your configuration meets your resiliency requirements. For more information, see [Direct Connect Failover Test](resiliency_failover.md). 

## Step 5: Verify your virtual interfaces connectivity
<a name="max-resiliency-connected"></a>

After you have established virtual interfaces to the AWS Cloud or to Amazon VPC, you can verify your AWS Direct Connect connection using the following procedures. 

**To verify your virtual interface connection to the AWS Cloud**
+ Run `traceroute` and verify that the Direct Connect identifier is in the network trace.

**To verify your virtual interface connection to Amazon VPC**

1. Using a pingable AMI, such as an Amazon Linux AMI, launch an EC2 instance into the VPC that is attached to your virtual private gateway. The Amazon Linux AMIs are available in the **Quick Start** tab when you use the instance launch wizard in the Amazon EC2 console. For more information, see [Launch an Instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-instance_linux.html) in the *Amazon EC2 User Guide.* Ensure that the security group that's associated with the instance includes a rule permitting inbound ICMP traffic (for the ping request).

1. After the instance is running, get its private IPv4 address (for example, 10.0.0.4). The Amazon EC2 console displays the address as part of the instance details.

1. Ping the private IPv4 address and get a response.

# Configure Direct Connect for high resiliency with the AWS Direct Connect Resiliency Toolkit
<a name="high-resiliency-set-up"></a>

In this example, the Direct Connect Resiliency Toolkit is used to configure a high resiliency model.

**Topics**
+ [Step 1: Sign up for AWS](#high-resiliency-signup)
+ [Step 2: Configure the resiliency model](#high-resiliency-select-model)
+ [Step 3: Create your virtual interfaces](#high-resiliency-createvirtualinterface)
+ [Step 4: Verify your virtual interface resiliency configuration](#high-res-resiliency-failover)
+ [Step 5: Verify your virtual interfaces connectivity](#high-resiliency-connected)

## Step 1: Sign up for AWS
<a name="high-resiliency-signup"></a>

To use Direct Connect, you need an AWS account if you don't already have one.

### Sign up for an AWS account
<a name="sign-up-for-aws"></a>

If you do not have an AWS account, complete the following steps to create one.

**To sign up for an AWS account**

1. Open [https://portal.aws.amazon.com/billing/signup](https://portal.aws.amazon.com/billing/signup).

1. Follow the online instructions.

   Part of the sign-up procedure involves receiving a phone call or text message and entering a verification code on the phone keypad.

   When you sign up for an AWS account, an *AWS account root user* is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to a user, and use only the root user to perform [tasks that require root user access](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks).

AWS sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to [https://aws.amazon.com/](https://aws.amazon.com/) and choosing **My Account**.

### Create a user with administrative access
<a name="create-an-admin"></a>

After you sign up for an AWS account, secure your AWS account root user, enable AWS IAM Identity Center, and create an administrative user so that you don't use the root user for everyday tasks.

**Secure your AWS account root user**

1. Sign in to the [AWS Management Console](https://console.aws.amazon.com/) as the account owner by choosing **Root user** and entering your AWS account email address. On the next page, enter your password.

   For help signing in by using root user, see [Signing in as the root user](https://docs.aws.amazon.com/signin/latest/userguide/console-sign-in-tutorials.html#introduction-to-root-user-sign-in-tutorial) in the *AWS Sign-In User Guide*.

1. Turn on multi-factor authentication (MFA) for your root user.

   For instructions, see [Enable a virtual MFA device for your AWS account root user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/enable-virt-mfa-for-root.html) in the *IAM User Guide*.

**Create a user with administrative access**

1. Enable IAM Identity Center.

   For instructions, see [Enabling AWS IAM Identity Center](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-set-up-for-idc.html) in the *AWS IAM Identity Center User Guide*.

1. In IAM Identity Center, grant administrative access to a user.

   For a tutorial about using the IAM Identity Center directory as your identity source, see [Configure user access with the default IAM Identity Center directory](https://docs.aws.amazon.com//singlesignon/latest/userguide/quick-start-default-idc.html) in the *AWS IAM Identity Center User Guide*.

**Sign in as the user with administrative access**
+ To sign in with your IAM Identity Center user, use the sign-in URL that was sent to your email address when you created the IAM Identity Center user.

  For help signing in using an IAM Identity Center user, see [Signing in to the AWS access portal](https://docs.aws.amazon.com/signin/latest/userguide/iam-id-center-sign-in-tutorial.html) in the *AWS Sign-In User Guide*.

**Assign access to additional users**

1. In IAM Identity Center, create a permission set that follows the best practice of applying least-privilege permissions.

   For instructions, see [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-started-create-a-permission-set.html) in the *AWS IAM Identity Center User Guide*.

1. Assign users to a group, and then assign single sign-on access to the group.

   For instructions, see [Add groups](https://docs.aws.amazon.com//singlesignon/latest/userguide/addgroups.html) in the *AWS IAM Identity Center User Guide*.

## Step 2: Configure the resiliency model
<a name="high-resiliency-select-model"></a>

**To configure a high resiliency model**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. In the navigation pane, choose **Connections**, and then choose **Create a connection**.

1. Under **Connection ordering type**, choose **Connection wizard**.

1. Under **Resiliency level**, choose **High Resiliency**, and then choose **Next**.

1. On the **Configure connections** pane, under **Connection settings,** do the following:

   1. For **bandwidth**, choose the connection bandwidth.

      This bandwidth applies to all of the created connections.

   1. For **First location service provider**, select the appropriate Direct Connect location.

   1. If applicable, for **First Sub location**, choose the floor closest to you or your network provider. This option is only available if the location has meet-me rooms (MMRs) on multiple floors of the building.

   1. If you selected **Other** for **First location service provider**, for **Name of other provider**, enter the name of the partner that you use.

   1. For **Second location service provider**, select the appropriate Direct Connect location.

   1. If applicable, for **Second Sub location**, choose the floor closest to you or your network provider. This option is only available if the location has meet-me rooms (MMRs) on multiple floors of the building.

   1. If you selected **Other** for **Second location service provider**, for **Name of other provider**, enter the name of the partner that you use.

   1. (Optional) Add or remove a tag.

      [Add a tag] Choose **Add tag** and do the following:
      + For **Key**, enter the key name.
      + For **Value**, enter the key value.

      [Remove a tag] Next to the tag, choose **Remove tag**.

1. Choose **Next**.

1. Review your connections, and then choose **Continue**.

   If your LOAs are ready, you can choose **Download LOA**, and then click **Continue**.

   It can take up to 72 business hours for AWS to review your request and provision a port for your connection. During this time, you might receive an email with a request for more information about your use case or the specified location. The email is sent to the email address that you used when you signed up for AWS. You must respond within 7 days or the connection is deleted. 

## Step 3: Create your virtual interfaces
<a name="high-resiliency-createvirtualinterface"></a>

You can create a private virtual interface to connect to your VPC. Or, you can create a public virtual interface to connect to public AWS services that aren't in a VPC. When you create a private virtual interface to a VPC, you need a private virtual interface for each VPC that you're connecting to. For example, you need three private virtual interfaces to connect to three VPCs.

Before you begin, ensure that you have the following information:


| Resource | Required information | 
| --- | --- | 
| Connection | The Direct Connect connection or link aggregation group (LAG) for which you are creating the virtual interface. | 
| Virtual interface name | A name for the virtual interface. | 
| Virtual interface owner | If you're creating the virtual interface for another account, you need the AWS account ID of the other account. | 
| (Private virtual interface only) Connection | For connecting to a VPC in the same AWS Region, you need the virtual private gateway for your VPC. The ASN for the Amazon side of the BGP session is inherited from the virtual private gateway. When you create a virtual private gateway, you can specify your own private ASN. Otherwise, Amazon provides a default ASN. For more information, see [Create a Virtual Private Gateway](https://docs.aws.amazon.com/vpc/latest/userguide/SetUpVPNConnections.html#vpn-create-vpg) in the Amazon VPC User Guide. For connecting to a VPC through a Direct Connect gateway, you need the Direct Connect gateway. For more information, see [Direct Connect Gateways](https://docs.aws.amazon.com/directconnect/latest/UserGuide/direct-connect-gateways.html). | 
| VLAN | A unique virtual local area network (VLAN) tag that's not already in use on your connection. The value must be between 1 and 4094 and must comply with the Ethernet 802.1Q standard. This tag is required for any traffic traversing the Direct Connect connection. If you have a hosted connection, your AWS Direct Connect Partner provides this value. You can’t modify the value after you have created the virtual interface. | 
| Peer IP addresses |  A virtual interface can support a BGP peering session for IPv4, IPv6, or one of each (dual-stack). Do not use Elastic IPs (EIPs) or Bring your own IP addresses (BYOIP) from the Amazon Pool to create a public virtual interface. You cannot create multiple BGP sessions for the same IP addressing family on the same virtual interface. The IP address ranges are assigned to each end of the virtual interface for the BGP peering session. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/directconnect/latest/UserGuide/high-resiliency-set-up.html)  | 
| Address family | Whether the BGP peering session will be over IPv4 or IPv6. | 
| BGP information | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/directconnect/latest/UserGuide/high-resiliency-set-up.html) | 
| (Public virtual interface only) Prefixes you want to advertise |   Public IPv4 routes or IPv6 routes to advertise over BGP. You must advertise at least one prefix using BGP, up to a maximum of 1,000 prefixes. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/directconnect/latest/UserGuide/high-resiliency-set-up.html) | 
| (Private and transit virtual interfaces only) Jumbo frames | The maximum transmission unit (MTU) of packets over Direct Connect. The default is 1500. Setting the MTU of a virtual interface to 9001 (jumbo frames) can cause an update to the underlying physical connection if it wasn't updated to support jumbo frames. Updating the connection disrupts network connectivity for all virtual interfaces associated with the connection for up to 30 seconds. Jumbo frames apply only to propagated routes from Direct Connect. If you add static routes to a route table that point to your virtual private gateway, then traffic routed through the static routes is sent using 1500 MTU. To check whether a connection or virtual interface supports jumbo frames, select it in the Direct Connect console and find Jumbo frame capable on the virtual interface General configuration page. | 

If your public prefixes or ASNs belong to an ISP or network carrier, AWS requests additional information from you. This can be a document using an official company letterhead, or an email from the company's domain name verifying that the network prefix/ASN can be used by you.

When you create a public virtual interface, it can take up to 72 business hours for AWS to review and approve your request.

**To provision a public virtual interface to non-VPC services**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. In the navigation pane, choose **Virtual Interfaces**.

1. Choose **Create virtual interface**.

1. Under **Virtual interface type**, for **Type**, choose **Public**.

1. Under **Public virtual interface settings**, do the following:

   1. For **Virtual interface name**, enter a name for the virtual interface.

   1. For **Connection**, choose the Direct Connect connection that you want to use for this interface.

   1. For **VLAN**, enter the ID number for your virtual local area network (VLAN). 

   1. For **BGP ASN**, enter the Border Gateway Protocol (BGP) Autonomous System Number (ASN) of your gateway.

      The valid values are 1 to 4294967294. This includes support for both ASNs (1-2147483647) and long ASNs (1-4294967294). For more information about ASNs and long ASNs, see [Long ASN support in Direct Connect](long-asn-support.md). 

1. Under **Additional settings**, do the following:

   1. To configure an IPv4 BGP or an IPv6 peer, do the following:

      [IPv4] To configure an IPv4 BGP peer, choose **IPv4** and do one of the following:
      + To specify these IP addresses yourself, for **Your router peer ip**, enter the destination IPv4 CIDR address to which Amazon should send traffic. 
      + For **Amazon router peer IP**, enter the IPv4 CIDR address to use to send traffic to AWS.

      [IPv6] To configure an IPv6 BGP peer, choose **IPv6**. The peer IPv6 addresses are automatically assigned from Amazon's pool of IPv6 addresses. You cannot specify custom IPv6 addresses.

   1. To provide your own BGP key, enter your BGP MD5 key.

      If you do not enter a value, we generate a BGP key.

   1. To advertise prefixes to Amazon, for **Prefixes you want to advertise**, enter the IPv4 CIDR destination addresses (separated by commas) to which traffic should be routed over the virtual interface. 

   1. (Optional) Add or remove a tag.

      [Add a tag] Choose **Add tag** and do the following:
      + For **Key**, enter the key name.
      + For **Value**, enter the key value.

      [Remove a tag] Next to the tag, choose **Remove tag**.

1. Choose **Create virtual interface**.

**To provision a private virtual interface to a VPC**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. In the navigation pane, choose **Virtual Interfaces**.

1. Choose **Create virtual interface**.

1. Under **Virtual interface type**, for **Type**, choose **Private**.

1. Under **Private virtual interface settings**, do the following:

   1. For **Virtual interface name**, enter a name for the virtual interface.

   1. For **Connection**, choose the Direct Connect connection that you want to use for this interface.

   1. For **Gateway type**, choose **Virtual private gateway**, or **Direct Connect gateway**. 

   1. For **Virtual interface owner**, choose **Another AWS account**, and then enter the AWS account.

   1. For **Virtual private gateway**, choose the virtual private gateway to use for this interface.

   1. For **VLAN**, enter the ID number for your virtual local area network (VLAN). 

   1. For **BGP ASN**, enter the Border Gateway Protocol Autonomous System Number of your on-premises peer router for the new virtual interface.

      The valid values are 1 to 4294967294. This includes support for both ASNs (1-2147483647) and long ASNs (1-4294967294). For more information about ASNs and long ASNs, see [Long ASN support in Direct Connect](long-asn-support.md). 

1. Under **Additional Settings**, do the following:

   1. To configure an IPv4 BGP or an IPv6 peer, do the following:

      [IPv4] To configure an IPv4 BGP peer, choose **IPv4** and do one of the following:
      + To specify these IP addresses yourself, for **Your router peer ip**, enter the destination IPv4 CIDR address to which Amazon should send traffic. 
      + For **Amazon router peer ip**, enter the IPv4 CIDR address to use to send traffic to AWS.

      **Important**  
      When configuring AWS Direct Connect virtual interfaces, you can specify your own IP addresses using RFC 1918, use other addressing schemes, or opt for AWS assigned IPv4 /29 CIDR addresses allocated from the RFC 3927 169.254.0.0/16 IPv4 Link-Local range for point-to-point connectivity. These point-to-point connections should be used exclusively for eBGP peering between your customer gateway router and the Direct Connect endpoint. For VPC traffic or tunnelling purposes, such as AWS Site-to-Site Private IP VPN, or Transit Gateway Connect, AWS recommends using a loopback or LAN interface on your customer gateway router as the source or destination address instead of the point-to-point connections.  
      For more information about RFC 1918, see [Address Allocation for Private Internets](https://datatracker.ietf.org/doc/html/rfc1918).  
      For more information about RFC 3927, see [Dynamic Configuration of IPv4 Link-Local Addresses](https://datatracker.ietf.org/doc/html/rfc3927).

      [IPv6] To configure an IPv6 BGP peer, choose **IPv6**. The peer IPv6 addresses are automatically assigned from Amazon's pool of IPv6 addresses. You cannot specify custom IPv6 addresses.

   1. To change the maximum transmission unit (MTU) from 1500 (default) to 9001 (jumbo frames), select **Jumbo MTU (MTU size 9001)**.

   1. (Optional) Under **Enable SiteLink**, choose **Enabled** to enable direct connectivity between Direct Connect points of presence.

   1. (Optional) Add or remove a tag.

      [Add a tag] Choose **Add tag** and do the following:
      + For **Key**, enter the key name.
      + For **Value**, enter the key value.

      [Remove a tag] Next to the tag, choose **Remove tag**.

1. Choose **Create virtual interface**.

## Step 4: Verify your virtual interface resiliency configuration
<a name="high-res-resiliency-failover"></a>

After you have established virtual interfaces to the AWS Cloud or to Amazon VPC, perform a virtual interface failover test to verify that your configuration meets your resiliency requirements. For more information, see [Direct Connect Failover Test](resiliency_failover.md). 

## Step 5: Verify your virtual interfaces connectivity
<a name="high-resiliency-connected"></a>

After you have established virtual interfaces to the AWS Cloud or to Amazon VPC, you can verify your AWS Direct Connect connection using the following procedures. 

**To verify your virtual interface connection to the AWS Cloud**
+ Run `traceroute` and verify that the Direct Connect identifier is in the network trace.

**To verify your virtual interface connection to Amazon VPC**

1. Using a pingable AMI, such as an Amazon Linux AMI, launch an EC2 instance into the VPC that is attached to your virtual private gateway. The Amazon Linux AMIs are available in the **Quick Start** tab when you use the instance launch wizard in the Amazon EC2 console. For more information, see [Launch an Instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-instance_linux.html) in the *Amazon EC2 User Guide*. Ensure that the security group that's associated with the instance includes a rule permitting inbound ICMP traffic (for the ping request).

1. After the instance is running, get its private IPv4 address (for example, 10.0.0.4). The Amazon EC2 console displays the address as part of the instance details.

1. Ping the private IPv4 address and get a response.
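
An added example (not from the AWS guide): before the ping test in the VPC procedure above, and in the matching Step 5 of the maximum resiliency section, this checks a security group, in the shape returned by `aws ec2 describe-security-groups`, for a rule that admits ICMP echo requests from the on-premises test host and reports whether that rule is open to every source. The group data and addresses are constructed.

```python
import ipaddress

# Constructed samples shaped like entries of `aws ec2 describe-security-groups`
# output. For IpProtocol "icmp", FromPort is the ICMP type and ToPort the ICMP
# code (-1 means all). IpProtocol "-1" means all traffic.
SCOPED_GROUP = {
    "GroupId": "sg-EXAMPLE1",
    "IpPermissions": [
        {"IpProtocol": "icmp", "FromPort": 8, "ToPort": -1,
         "IpRanges": [{"CidrIp": "192.168.10.0/24"}]},
        # Type 3 (destination unreachable) does not admit a ping request.
        {"IpProtocol": "icmp", "FromPort": 3, "ToPort": -1,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "192.168.10.0/24"}]},
    ],
}
WIDE_GROUP = {
    "GroupId": "sg-EXAMPLE2",
    "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}

ECHO_REQUEST = 8  # ICMP type sent by ping


def echo_sources(group):
    """Return the IPv4 networks allowed to send ICMP echo requests to the group."""
    sources = []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        all_traffic = proto == "-1"
        echo = proto == "icmp" and perm.get("FromPort") in (-1, ECHO_REQUEST)
        if not (all_traffic or echo):
            continue
        # Only CIDR sources are evaluated; rules that reference other security
        # groups or prefix lists are out of scope for this check.
        for rng in perm.get("IpRanges", []):
            sources.append(ipaddress.ip_network(rng["CidrIp"]))
    return sources


def check_ping_rule(group, test_host):
    """Report whether test_host may ping instances in the group, and how widely."""
    host = ipaddress.ip_address(test_host)
    sources = echo_sources(group)
    return {
        "ping_allowed": any(host in net for net in sources),
        "open_to_world": any(net.prefixlen == 0 for net in sources),
        "sources": [str(net) for net in sources],
    }


if __name__ == "__main__":
    print(check_ping_rule(SCOPED_GROUP, "192.168.10.25"))
    print(check_ping_rule(WIDE_GROUP, "172.16.5.5"))
```

A result with `open_to_world` set means the ping would succeed over any path, so it does not by itself show that traffic arrived over the virtual interface.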

# Configure AWS Direct Connect for development and test resiliency with the AWS Direct Connect Resiliency Toolkit
<a name="devtest-resiliency-set-up"></a>

In this example, the Direct Connect Resiliency Toolkit is used to configure a development and test resiliency model.

**Topics**
+ [Step 1: Sign up for AWS](#dev-test-signup)
+ [Step 2: Configure the resiliency model](#dev-test-select-model)
+ [Step 3: Create a virtual interface](#dev-test-createvirtualinterface)
+ [Step 4: Verify your virtual interface resiliency configuration](#dev-test-resiliency-failover)
+ [Step 5: Verify your virtual interface](#dev-test-connected)

## Step 1: Sign up for AWS
<a name="dev-test-signup"></a>

To use Direct Connect, you need an AWS account if you don't already have one.

### Sign up for an AWS account
<a name="sign-up-for-aws"></a>

If you do not have an AWS account, complete the following steps to create one.

**To sign up for an AWS account**

1. Open [https://portal.aws.amazon.com/billing/signup](https://portal.aws.amazon.com/billing/signup).

1. Follow the online instructions.

   Part of the sign-up procedure involves receiving a phone call or text message and entering a verification code on the phone keypad.

   When you sign up for an AWS account, an *AWS account root user* is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to a user, and use only the root user to perform [tasks that require root user access](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks).

AWS sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to [https://aws.amazon.com/](https://aws.amazon.com/) and choosing **My Account**.

### Create a user with administrative access
<a name="create-an-admin"></a>

After you sign up for an AWS account, secure your AWS account root user, enable AWS IAM Identity Center, and create an administrative user so that you don't use the root user for everyday tasks.

**Secure your AWS account root user**

1. Sign in to the [AWS Management Console](https://console.aws.amazon.com/) as the account owner by choosing **Root user** and entering your AWS account email address. On the next page, enter your password.

   For help signing in by using root user, see [Signing in as the root user](https://docs.aws.amazon.com/signin/latest/userguide/console-sign-in-tutorials.html#introduction-to-root-user-sign-in-tutorial) in the *AWS Sign-In User Guide*.

1. Turn on multi-factor authentication (MFA) for your root user.

   For instructions, see [Enable a virtual MFA device for your AWS account root user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/enable-virt-mfa-for-root.html) in the *IAM User Guide*.

**Create a user with administrative access**

1. Enable IAM Identity Center.

   For instructions, see [Enabling AWS IAM Identity Center](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-set-up-for-idc.html) in the *AWS IAM Identity Center User Guide*.

1. In IAM Identity Center, grant administrative access to a user.

   For a tutorial about using the IAM Identity Center directory as your identity source, see [Configure user access with the default IAM Identity Center directory](https://docs.aws.amazon.com//singlesignon/latest/userguide/quick-start-default-idc.html) in the *AWS IAM Identity Center User Guide*.

**Sign in as the user with administrative access**
+ To sign in with your IAM Identity Center user, use the sign-in URL that was sent to your email address when you created the IAM Identity Center user.

  For help signing in using an IAM Identity Center user, see [Signing in to the AWS access portal](https://docs.aws.amazon.com/signin/latest/userguide/iam-id-center-sign-in-tutorial.html) in the *AWS Sign-In User Guide*.

**Assign access to additional users**

1. In IAM Identity Center, create a permission set that follows the best practice of applying least-privilege permissions.

   For instructions, see [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-started-create-a-permission-set.html) in the *AWS IAM Identity Center User Guide*.

1. Assign users to a group, and then assign single sign-on access to the group.

   For instructions, see [Add groups](https://docs.aws.amazon.com//singlesignon/latest/userguide/addgroups.html) in the *AWS IAM Identity Center User Guide*.

## Step 2: Configure the resiliency model
<a name="dev-test-select-model"></a>

**To configure the resiliency model**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. In the navigation pane, choose **Connections**, and then choose **Create a connection**.

1. Under **Connection ordering type**, choose **Connection wizard**.

1. Under **Resiliency level**, choose **Development and test**, and then choose **Next**.

1. On the **Configure connections** pane, under **Connection settings,** do the following:

   1. For **bandwidth**, choose the connection bandwidth.

      This bandwidth applies to all of the created connections.

   1. For **First location service provider**, select the appropriate Direct Connect location.

   1. If applicable, for **First Sub location**, choose the floor closest to you or your network provider. This option is only available if the location has meet-me rooms (MMRs) on multiple floors of the building.

   1. If you selected **Other** for **First location service provider**, for **Name of other provider**, enter the name of the partner that you use.

   1. (Optional) Add or remove a tag.

      [Add a tag] Choose **Add tag** and do the following:
      + For **Key**, enter the key name.
      + For **Value**, enter the key value.

      [Remove a tag] Next to the tag, choose **Remove tag**.

1. Choose **Next**.

1. Review your connections, and then choose **Continue**.

   If your LOAs are ready, you can choose **Download LOA**, and then click **Continue**.

   It can take up to 72 business hours for AWS to review your request and provision a port for your connection. During this time, you might receive an email with a request for more information about your use case or the specified location. The email is sent to the email address that you used when you signed up for AWS. You must respond within 7 days or the connection is deleted. 
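
An added example (not AWS code and not part of the original guide): once the ordered connections are provisioned, this check reads output shaped like `aws directconnect describe-connections` and tests whether the connections that are actually `available` satisfy the model chosen in this step or in Step 2 of the high resiliency section. The sample data is constructed, and the `maximum` rule (separate devices in more than one location) is an assumption taken from AWS's general description of that model rather than from this procedure.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of `aws directconnect describe-connections`
# output; IDs, locations and device names are placeholders.
SAMPLE = json.loads("""
{"connections": [
  {"connectionId": "dxcon-example1", "connectionState": "available",
   "location": "LOC-A", "awsLogicalDeviceId": "LOC-A-dev1", "bandwidth": "1Gbps"},
  {"connectionId": "dxcon-example2", "connectionState": "pending",
   "location": "LOC-A", "awsLogicalDeviceId": "LOC-A-dev2", "bandwidth": "1Gbps"},
  {"connectionId": "dxcon-example3", "connectionState": "available",
   "location": "LOC-B", "awsLogicalDeviceId": "LOC-B-dev1", "bandwidth": "10Gbps"}
]}
""")


def usable_topology(connections):
    """Return ({location: {device, ...}}, skipped), counting only usable connections."""
    topology = defaultdict(set)
    skipped = []
    for conn in connections:
        state = conn.get("connectionState")
        device = conn.get("awsLogicalDeviceId")
        if state != "available":
            # Ordered but not yet provisioned (or down) links add no resiliency.
            skipped.append((conn["connectionId"], state))
        elif not device:
            skipped.append((conn["connectionId"], "no device id"))
        else:
            topology[conn["location"]].add(device)
    return dict(topology), skipped


def check_model(connections, model):
    """Compare the usable topology with the resiliency model that was ordered."""
    topology, skipped = usable_topology(connections)
    redundant_sites = [loc for loc, devs in topology.items() if len(devs) >= 2]
    if model == "devtest":      # separate devices in one location
        ok = len(redundant_sites) >= 1
    elif model == "high":       # connections in a first and a second location
        ok = len(topology) >= 2
    elif model == "maximum":    # assumption: separate devices in more than one location
        ok = len(redundant_sites) >= 2
    else:
        raise ValueError(f"unknown model: {model}")
    # The wizard applies one bandwidth to every connection it creates, so a
    # mix of bandwidths means some connections were ordered another way.
    bandwidths = {c.get("bandwidth") for c in connections if c.get("bandwidth")}
    return {
        "ok": ok,
        "topology": {loc: sorted(devs) for loc, devs in topology.items()},
        "skipped": skipped,
        "mixed_bandwidth": len(bandwidths) > 1,
    }


if __name__ == "__main__":
    for model in ("devtest", "high", "maximum"):
        print(model, check_model(SAMPLE["connections"], model))
```

In the sample, the second LOC-A connection is still `pending`, so the order meets the high resiliency rule but not the development and test rule until that port is provisioned.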

## Step 3: Create a virtual interface
<a name="dev-test-createvirtualinterface"></a>

To begin using your Direct Connect connection, you must create a virtual interface. You can create a private virtual interface to connect to your VPC. Or, you can create a public virtual interface to connect to public AWS services that aren't in a VPC. When you create a private virtual interface to a VPC, you need a private virtual interface for each VPC that you're connecting to. For example, you need three private virtual interfaces to connect to three VPCs.

Before you begin, ensure that you have the following information:


| Resource | Required information | 
| --- | --- | 
| Connection | The Direct Connect connection or link aggregation group (LAG) for which you are creating the virtual interface. | 
| Virtual interface name | A name for the virtual interface. | 
| Virtual interface owner | If you're creating the virtual interface for another account, you need the AWS account ID of the other account. | 
| (Private virtual interface only) Connection | For connecting to a VPC in the same AWS Region, you need the virtual private gateway for your VPC. The ASN for the Amazon side of the BGP session is inherited from the virtual private gateway. When you create a virtual private gateway, you can specify your own private ASN. Otherwise, Amazon provides a default ASN. For more information, see [Create a Virtual Private Gateway](https://docs.aws.amazon.com/vpc/latest/userguide/SetUpVPNConnections.html#vpn-create-vpg) in the Amazon VPC User Guide. For connecting to a VPC through a Direct Connect gateway, you need the Direct Connect gateway. For more information, see [Direct Connect Gateways](https://docs.aws.amazon.com/directconnect/latest/UserGuide/direct-connect-gateways.html). | 
| VLAN | A unique virtual local area network (VLAN) tag that's not already in use on your connection. The value must be between 1 and 4094 and must comply with the Ethernet 802.1Q standard. This tag is required for any traffic traversing the Direct Connect connection. If you have a hosted connection, your AWS Direct Connect Partner provides this value. You can’t modify the value after you have created the virtual interface. | 
| Peer IP addresses |  A virtual interface can support a BGP peering session for IPv4, IPv6, or one of each (dual-stack). Do not use Elastic IPs (EIPs) or Bring your own IP addresses (BYOIP) from the Amazon Pool to create a public virtual interface. You cannot create multiple BGP sessions for the same IP addressing family on the same virtual interface. The IP address ranges are assigned to each end of the virtual interface for the BGP peering session. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/directconnect/latest/UserGuide/devtest-resiliency-set-up.html)  | 
| Address family | Whether the BGP peering session will be over IPv4 or IPv6. | 
| BGP information | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/directconnect/latest/UserGuide/devtest-resiliency-set-up.html) | 
| (Public virtual interface only) Prefixes you want to advertise |   Public IPv4 routes or IPv6 routes to advertise over BGP. You must advertise at least one prefix using BGP, up to a maximum of 1,000 prefixes. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/directconnect/latest/UserGuide/devtest-resiliency-set-up.html) | 
| (Private and transit virtual interfaces only) Jumbo frames | The maximum transmission unit (MTU) of packets over Direct Connect. The default is 1500. Setting the MTU of a virtual interface to 9001 (jumbo frames) can cause an update to the underlying physical connection if it wasn't updated to support jumbo frames. Updating the connection disrupts network connectivity for all virtual interfaces associated with the connection for up to 30 seconds. Jumbo frames apply only to propagated routes from Direct Connect. If you add static routes to a route table that point to your virtual private gateway, then traffic routed through the static routes is sent using 1500 MTU. To check whether a connection or virtual interface supports jumbo frames, select it in the Direct Connect console and find Jumbo frame capable on the virtual interface General configuration page. | 

If your public prefixes or ASNs belong to an ISP or network carrier, we request additional information from you. This can be a document using an official company letterhead, or an email from the company's domain name verifying that the network prefix/ASN can be used by you.

When you create a public virtual interface, it can take up to 72 business hours for AWS to review and approve your request.

**To provision a public virtual interface to non-VPC services**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. In the navigation pane, choose **Virtual Interfaces**.

1. Choose **Create virtual interface**.

1. Under **Virtual interface type**, for **Type**, choose **Public**.

1. Under **Public virtual interface settings**, do the following:

   1. For **Virtual interface name**, enter a name for the virtual interface.

   1. For **Connection**, choose the Direct Connect connection that you want to use for this interface.

   1. For **VLAN**, enter the ID number for your virtual local area network (VLAN). 

   1. For **BGP ASN**, enter the Border Gateway Protocol (BGP) Autonomous System Number (ASN) of your gateway.

      The valid values are 1 to 4294967294. This includes support for both ASNs (1-2147483647) and long ASNs (1-4294967294). For more information about ASNs and long ASNs, see [Long ASN support in Direct Connect](long-asn-support.md). 

1. Under **Additional settings**, do the following:

   1. To configure an IPv4 BGP or an IPv6 peer, do the following:

      [IPv4] To configure an IPv4 BGP peer, choose **IPv4** and do one of the following:
      + To specify these IP addresses yourself, for **Your router peer ip**, enter the destination IPv4 CIDR address to which Amazon should send traffic. 
      + For **Amazon router peer IP**, enter the IPv4 CIDR address to use to send traffic to AWS.

      [IPv6] To configure an IPv6 BGP peer, choose **IPv6**. The peer IPv6 addresses are automatically assigned from Amazon's pool of IPv6 addresses. You cannot specify custom IPv6 addresses.

   1. To provide your own BGP key, enter your BGP MD5 key.

      If you do not enter a value, we generate a BGP key.

   1. To advertise prefixes to Amazon, for **Prefixes you want to advertise**, enter the IPv4 CIDR destination addresses (separated by commas) to which traffic should be routed over the virtual interface. 

   1. (Optional) Add or remove a tag.

      [Add a tag] Choose **Add tag** and do the following:
      + For **Key**, enter the key name.
      + For **Value**, enter the key value.

      [Remove a tag] Next to the tag, choose **Remove tag**.

1. Choose **Create virtual interface**.

**To provision a private virtual interface to a VPC**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. In the navigation pane, choose **Virtual Interfaces**.

1. Choose **Create virtual interface**.

1. Under **Virtual interface type**, for **Type**, choose **Private**.

1. Under **Private virtual interface settings**, do the following:

   1. For **Virtual interface name**, enter a name for the virtual interface.

   1. For **Connection**, choose the Direct Connect connection that you want to use for this interface.

   1. For **Gateway type**, choose **Virtual private gateway**, or **Direct Connect gateway**. 

   1. For **Virtual interface owner**, choose **Another AWS account**, and then enter the AWS account.

   1. For **Virtual private gateway**, choose the virtual private gateway to use for this interface.

   1. For **VLAN**, enter the ID number for your virtual local area network (VLAN). 

   1. For **BGP ASN**, enter the Border Gateway Protocol Autonomous System Number of your on-premises peer router for the new virtual interface.

      The valid values are 1 to 4294967294. This includes support for both ASNs (1-2147483647) and long ASNs (1-4294967294). For more information about ASNs and long ASNs see [Long ASN support in Direct Connect](long-asn-support.md). 

1. Under **Additional Settings**, do the following:

   1. To configure an IPv4 BGP or an IPv6 peer, do the following:

      [IPv4] To configure an IPv4 BGP peer, choose **IPv4** and do one of the following:
      + To specify these IP addresses yourself, for **Your router peer ip**, enter the destination IPv4 CIDR address to which Amazon should send traffic. 
      + For **Amazon router peer ip**, enter the IPv4 CIDR address to use to send traffic to AWS.
**Important**  
When configuring AWS Direct Connect virtual interfaces, you can specify your own IP addresses using RFC 1918, use other addressing schemes, or opt for AWS assigned IPv4 /29 CIDR addresses allocated from the RFC 3927 169.254.0.0/16 IPv4 Link-Local range for point-to-point connectivity. These point-to-point connections should be used exclusively for eBGP peering between your customer gateway router and the Direct Connect endpoint. For VPC traffic or tunnelling purposes, such as AWS Site-to-Site Private IP VPN, or Transit Gateway Connect, AWS recommends using a loopback or LAN interface on your customer gateway router as the source or destination address instead of the point-to-point connections.   
For more information about RFC 1918, see [Address Allocation for Private Internets](https://datatracker.ietf.org/doc/html/rfc1918).
For more information about RFC 3927, see [Dynamic Configuration of IPv4 Link-Local Addresses](https://datatracker.ietf.org/doc/html/rfc3927).

      [IPv6] To configure an IPv6 BGP peer, choose **IPv6**. The peer IPv6 addresses are automatically assigned from Amazon's pool of IPv6 addresses. You cannot specify custom IPv6 addresses.

   1. To change the maximum transmission unit (MTU) from 1500 (default) to 9001 (jumbo frames), select **Jumbo MTU (MTU size 9001)**.

   1. (Optional) Under **Enable SiteLink**, choose **Enabled** to enable direct connectivity between Direct Connect points of presence.

   1. (Optional) Add or remove a tag.

      [Add a tag] Choose **Add tag** and do the following:
      + For **Key**, enter the key name.
      + For **Value**, enter the key value.

      [Remove a tag] Next to the tag, choose **Remove tag**.

1. Choose **Create virtual interface**.

## Step 4: Verify your virtual interface resiliency configuration
<a name="dev-test-resiliency-failover"></a>

After you have established virtual interfaces to the AWS Cloud or to Amazon VPC, perform a virtual interface failover test to verify that your configuration meets your resiliency requirements. For more information, see [Direct Connect Failover Test](resiliency_failover.md). 

## Step 5: Verify your virtual interface
<a name="dev-test-connected"></a>

After you have established virtual interfaces to the AWS Cloud or to Amazon VPC, you can verify your AWS Direct Connect connection using the following procedures. 

**To verify your virtual interface connection to the AWS Cloud**
+ Run `traceroute` and verify that the Direct Connect identifier is in the network trace.

**To verify your virtual interface connection to Amazon VPC**

1. Using a pingable AMI, such as an Amazon Linux AMI, launch an EC2 instance into the VPC that is attached to your virtual private gateway. The Amazon Linux AMIs are available in the **Quick Start** tab when you use the instance launch wizard in the Amazon EC2 console. For more information, see [Launch an Instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-instance_linux.html) in the *Amazon EC2 User Guide.* Ensure that the security group that's associated with the instance includes a rule permitting inbound ICMP traffic (for the ping request).

1. After the instance is running, get its private IPv4 address (for example, 10.0.0.4). The Amazon EC2 console displays the address as part of the instance details.

1. Ping the private IPv4 address and get a response.

# Direct Connect Failover Test
<a name="resiliency_failover"></a>

The AWS Direct Connect Resiliency Toolkit resiliency models are designed to ensure that you have the appropriate number of virtual interface connections in multiple locations. After you complete the wizard, use the AWS Direct Connect Resiliency Toolkit failover test to bring down the BGP peering session in order to verify that traffic routes to one of your redundant virtual interfaces, and meets your resiliency requirements.

Use the test to make sure that traffic routes over redundant virtual interfaces when a virtual interface is out of service. You start the test by selecting a virtual interface, BGP peering session, and how long to run the test. AWS places the selected virtual interface BGP peering session in the down state. When the interface is in this state, traffic should go over a redundant virtual interface. If your configuration does not contain the appropriate redundant connections, the BGP peering session fails, and traffic does not get routed. When the test completes, or you manually stop the test, AWS restores the BGP session. After the test is complete, you can use the AWS Direct Connect Resiliency Toolkit to adjust your configuration.

**Note**  
Do not use this feature during a Direct Connect maintenance period as the BGP session might be restored prematurely either during or after the maintenance.

## Test history
<a name="test_history"></a>

AWS deletes the test history after 365 days. The test history includes the status for tests that were run on all BGP peers. The history includes which BGP peering sessions were tested, the start and end times, and the test status, which can be any of the following values:
+ **In progress** - The test is currently running.
+ **Completed** - The test ran for the time that you specified.
+ **Cancelled** - The test was cancelled before the specified time.
+ **Failed** - The test did not run for the time that you specified. This can happen when there is an issue with the router.

For more information, see [View AWS Direct Connect Resiliency Toolkit virtual interface failover test history](view_failover_test.md).

## Validation permissions
<a name="permissions"></a>

The only account that has permission to run the failover test is the account that owns the virtual interface. The account owner receives an indication through AWS CloudTrail that a test ran on a virtual interface.

**Topics**
+ [Test history](#test_history)
+ [Validation permissions](#permissions)
+ [Start a virtual interface failover test](start_failover_test.md)
+ [View a virtual interface failover test history](view_failover_test.md)
+ [Stop a virtual interface failover test](stop_failover_test.md)

# Start an AWS Direct Connect Resiliency Toolkit virtual interface failover test
<a name="start_failover_test"></a>

You can start the virtual interface failover test using the Direct Connect console, or the AWS CLI.

**To start the virtual interface failover test from the Direct Connect console**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. Choose **Virtual interfaces**.

1. Select the virtual interfaces and then choose **Actions**, **Bring down BGP**.

   You can run the test on a public, private, or transit virtual interface.

1. In the **Start failure test** dialog box, do the following:

   1. For **Peerings to bring down to test**, choose which peering sessions to test, for example IPv4.

   1. For **Test maximum time**, enter the number of minutes that the test will last.

      The maximum value is 4,320 minutes (72 business hours).

      The default value is 180 minutes (3 hours).

   1. For **To confirm test**, enter **Confirm**.

   1. Choose **Confirm**.

   The BGP peering session is placed in the DOWN state. You can send traffic to verify that there are no outages. If needed, you can stop the test immediately.

**To start the virtual interface failover test using the AWS CLI**  
Use [StartBgpFailoverTest](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_StartBgpFailoverTest.html).

# View AWS Direct Connect Resiliency Toolkit virtual interface failover test history
<a name="view_failover_test"></a>

You can view the virtual interface failover test history using the Direct Connect console, or the AWS CLI.

**To view the virtual interface failover test history from the Direct Connect console**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. Choose **Virtual interfaces**.

1. Select the virtual interface and then choose **View details**.

1. Choose **Test history**.

   The console displays the virtual interface tests that you performed for the virtual interface.

1. To view the details for a specific test, select the test id.

**To view the virtual interface failover test history using the AWS CLI**  
Use [ListVirtualInterfaceTestHistory](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_ListVirtualInterfaceTestHistory.html).

# Stop an AWS Direct Connect Resiliency Toolkit virtual interface failover test
<a name="stop_failover_test"></a>

You can stop the virtual interface failover test using the Direct Connect console, or the AWS CLI.

**To stop the virtual interface failover test from the Direct Connect console**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. Choose **Virtual interfaces**.

1. Select the virtual interface, and then choose **Actions**, **Cancel test**.

1. Choose **Confirm**.

AWS restores the BGP peering session. The testing history displays "cancelled" for the test. 

**To stop the virtual interface failover test using the AWS CLI**  
Use [StopBgpFailoverTest](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_StopBgpFailoverTest.html).
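Because CloudTrail records each failover test, you can reconcile BGP-down alerts against the test windows and review who started each test. The following sketch is an added example, not AWS code. It runs over constructed CloudTrail-style records and assumes that `requestParameters` mirrors the StartBgpFailoverTest request fields; the ARNs, interface IDs, helper names and the duration policy threshold are hypothetical.

```python
"""Reconcile Direct Connect failover tests recorded in CloudTrail (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

DEFAULT_MINUTES = 180  # default test duration stated on this page


def _ev(time, name, actor, vif, minutes=None, error=None):
    """Build one constructed CloudTrail-style record (assumed field layout)."""
    params = {"virtualInterfaceId": vif}
    if minutes is not None:
        params["testDurationInMinutes"] = minutes
    rec = {"eventTime": time, "eventSource": "directconnect.amazonaws.com",
           "eventName": name, "userIdentity": {"arn": actor},
           "requestParameters": params}
    if error:
        rec["errorCode"] = error
    return rec


NETOPS = "arn:aws:iam::111122223333:role/NetOps"        # hypothetical approved role
OTHER = "arn:aws:iam::111122223333:user/contractor"     # hypothetical unapproved user
SAMPLE_EVENTS = [  # constructed sample data, not real log output
    _ev("2024-01-10T02:00:00Z", "StartBgpFailoverTest", NETOPS, "dxvif-EXAMPLE1", 60),
    _ev("2024-01-10T02:20:00Z", "StopBgpFailoverTest", NETOPS, "dxvif-EXAMPLE1"),
    _ev("2024-01-11T14:00:00Z", "StartBgpFailoverTest", OTHER, "dxvif-EXAMPLE2", 4320),
    _ev("2024-01-12T09:00:00Z", "StartBgpFailoverTest", OTHER, "dxvif-EXAMPLE1", 30,
        error="AccessDenied"),
]


@dataclass
class FailoverWindow:
    vif: str
    started: datetime
    planned_end: datetime
    actor: str
    stopped: Optional[datetime] = None
    findings: List[str] = field(default_factory=list)

    @property
    def end(self):
        """When the BGP session was due back: early stop or planned end."""
        return min(self.planned_end, self.stopped) if self.stopped else self.planned_end


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_windows(events, approved_actors, policy_minutes=DEFAULT_MINUTES):
    """Pair Start/Stop events per virtual interface and attach review findings."""
    windows, open_by_vif = [], {}
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev.get("eventSource") != "directconnect.amazonaws.com" or ev.get("errorCode"):
            continue  # other services, or calls that were rejected
        params = ev.get("requestParameters") or {}
        vif, when = params.get("virtualInterfaceId"), _ts(ev["eventTime"])
        actor = ev.get("userIdentity", {}).get("arn", "unknown")
        if ev["eventName"] == "StartBgpFailoverTest":
            minutes = int(params.get("testDurationInMinutes", DEFAULT_MINUTES))
            win = FailoverWindow(vif, when, when + timedelta(minutes=minutes), actor)
            if actor not in approved_actors:
                win.findings.append("unapproved-actor")
            if minutes > policy_minutes:
                win.findings.append("long-duration")
            windows.append(win)
            open_by_vif[vif] = win
        elif ev["eventName"] == "StopBgpFailoverTest":
            win = open_by_vif.pop(vif, None)
            if win and when < win.planned_end:
                win.stopped = when  # shown as Cancelled in the test history
    return windows


def explains_bgp_down(windows, vif, at_iso):
    """True if a BGP-down alert on `vif` at `at_iso` falls inside a test window."""
    at = _ts(at_iso)
    return any(w.vif == vif and w.started <= at <= w.end for w in windows)


if __name__ == "__main__":
    for w in build_windows(SAMPLE_EVENTS, {NETOPS}):
        print(w.vif, w.started, w.end, w.actor, w.findings or "ok")
```

A BGP-down alert that no window explains, or a window that carries findings, is the case to escalate.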

# Direct Connect Classic connection
<a name="classic_connection"></a>

A Classic connection offers a straightforward approach to establishing dedicated network connectivity between your on-premises infrastructure and AWS. This connection type is ideal for organizations that prefer to manage their own network configurations and have existing Direct Connect infrastructure in place. The Classic connection does not rely on the AWS Direct Connect Resiliency Toolkit.

Select Classic when you have existing connections and you want to add additional connections. A Classic connection has a 95% SLA. However, it does not provide resiliency or redundancy, which are found only in the AWS Direct Connect Resiliency Toolkit when creating a connection.

**Note**  
Before you configure a Classic connection, familiarize yourself with the [Connection prerequisites](connection_options.md#connect-prereqs.title).

**Topics**
+ [Configure a Classic connection](toolkit-classic.md)

# Configure a Direct Connect Classic connection
<a name="toolkit-classic"></a>

Configure a Classic connection when you have existing Direct Connect connections.

## Step 1: Sign up for AWS
<a name="get-started-signup"></a>

To use Direct Connect, you need an account if you don't already have one.

### Sign up for an AWS account
<a name="sign-up-for-aws"></a>

If you do not have an AWS account, complete the following steps to create one.

**To sign up for an AWS account**

1. Open [https://portal.aws.amazon.com/billing/signup](https://portal.aws.amazon.com/billing/signup).

1. Follow the online instructions.

   Part of the sign-up procedure involves receiving a phone call or text message and entering a verification code on the phone keypad.

   When you sign up for an AWS account, an *AWS account root user* is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to a user, and use only the root user to perform [tasks that require root user access](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks).

AWS sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to [https://aws.amazon.com/](https://aws.amazon.com/) and choosing **My Account**.

### Create a user with administrative access
<a name="create-an-admin"></a>

After you sign up for an AWS account, secure your AWS account root user, enable AWS IAM Identity Center, and create an administrative user so that you don't use the root user for everyday tasks.

**Secure your AWS account root user**

1.  Sign in to the [AWS Management Console](https://console.aws.amazon.com/) as the account owner by choosing **Root user** and entering your AWS account email address. On the next page, enter your password.

   For help signing in by using root user, see [Signing in as the root user](https://docs.aws.amazon.com/signin/latest/userguide/console-sign-in-tutorials.html#introduction-to-root-user-sign-in-tutorial) in the *AWS Sign-In User Guide*.

1. Turn on multi-factor authentication (MFA) for your root user.

   For instructions, see [Enable a virtual MFA device for your AWS account root user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/enable-virt-mfa-for-root.html) in the *IAM User Guide*.

**Create a user with administrative access**

1. Enable IAM Identity Center.

   For instructions, see [Enabling AWS IAM Identity Center](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-set-up-for-idc.html) in the *AWS IAM Identity Center User Guide*.

1. In IAM Identity Center, grant administrative access to a user.

   For a tutorial about using the IAM Identity Center directory as your identity source, see [Configure user access with the default IAM Identity Center directory](https://docs.aws.amazon.com//singlesignon/latest/userguide/quick-start-default-idc.html) in the *AWS IAM Identity Center User Guide*.

**Sign in as the user with administrative access**
+ To sign in with your IAM Identity Center user, use the sign-in URL that was sent to your email address when you created the IAM Identity Center user.

  For help signing in using an IAM Identity Center user, see [Signing in to the AWS access portal](https://docs.aws.amazon.com/signin/latest/userguide/iam-id-center-sign-in-tutorial.html) in the *AWS Sign-In User Guide*.

**Assign access to additional users**

1. In IAM Identity Center, create a permission set that follows the best practice of applying least-privilege permissions.

   For instructions, see [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-started-create-a-permission-set.html) in the *AWS IAM Identity Center User Guide*.

1. Assign users to a group, and then assign single sign-on access to the group.

   For instructions, see [Add groups](https://docs.aws.amazon.com//singlesignon/latest/userguide/addgroups.html) in the *AWS IAM Identity Center User Guide*.

## Step 2: Request a Direct Connect dedicated connection
<a name="ConnectionRequest"></a>

For dedicated connections, you can submit a connection request using the Direct Connect console. For hosted connections, work with an AWS Direct Connect Partner to request a hosted connection. Ensure that you have the following information:
+ The port speed that you require. You cannot change the port speed after you create the connection request. 
+ The Direct Connect location at which the connection is to be terminated.

**Note**  
You cannot use the Direct Connect console to request a hosted connection. Instead, contact an AWS Direct Connect Partner, who can create a hosted connection for you, which you then accept. Skip the following procedure and go to [Accept your hosted connection](#get-started-accept-hosted-connection).

**To create a new Direct Connect connection**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. In the navigation pane choose **Connections**, and then choose **Create a connection**.

1. Choose **Classic**.

1. On the **Create Connection** pane, under **Connection settings,** do the following:

   1. For **Name**, enter a name for the connection.

   1. For **Location**, select the appropriate Direct Connect location.

   1. If applicable, for **Sub Location**, choose the floor closest to you or your network provider. This option is only available if the location has meet-me rooms (MMRs) in multiple floors of the building.

   1. For **Port Speed**, choose the connection bandwidth.

   1. For **On-premises**, select **Connect through an Direct Connect partner** when you use this connection to connect to your data center.

   1. For **Service provider**, select the AWS Direct Connect Partner. If you use a partner that is not in the list, select **Other**.

   1. If you selected **Other** for **Service provider**, for **Name of other provider**, enter the name of the partner that you use.

   1. (Optional) Add or remove a tag.

      [Add a tag] Choose **Add tag** and do the following:
      + For **Key**, enter the key name.
      + For **Value**, enter the key value.

      [Remove a tag] Next to the tag, choose **Remove tag**.

1. Choose **Create Connection**.

It can take up to 72 business hours for AWS to review your request and provision a port for your connection. During this time, you might receive an email with a request for more information about your use case or the specified location. The email is sent to the email address that you used when you signed up for AWS. You must respond within 7 days or the connection is deleted.

For more information, see [Direct Connect dedicated and hosted connections](WorkingWithConnections.md).

### Accept your hosted connection
<a name="get-started-accept-hosted-connection"></a>

 You must accept the hosted connection in the Direct Connect console before you can create a virtual interface. This step only applies to hosted connections.

**To accept a hosted virtual interface**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. In the navigation pane, choose **Connections**. 

1. Select the hosted connection, and then choose **Accept**.

   Choose **Accept**.

## (Dedicated connection) Step 3: Download the LOA-CFA
<a name="DedicatedConnection"></a>

After you request a connection, we make a Letter of Authorization and Connecting Facility Assignment (LOA-CFA) available to you to download, or email you with a request for more information. The LOA-CFA is the authorization to connect to AWS, and is required by the colocation provider or your network provider to establish the cross-network connection (cross-connect).

**To download the LOA-CFA**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. In the navigation pane, choose **Connections**.

1. Select the connection and choose **View Details**.

1. Choose **Download LOA-CFA**.

   The LOA-CFA is downloaded to your computer as a PDF file.
**Note**  
If the link is not enabled, the LOA-CFA is not yet available for you to download. Check your email for a request for more information. If it's still unavailable, or you haven't received an email after 72 business hours, contact [AWS Support](https://aws.amazon.com/support/createCase).

1. After you download the LOA-CFA, do one of the following:
   + If you're working with an AWS Direct Connect Partner or network provider, send them the LOA-CFA so that they can order a cross-connect for you at the Direct Connect location. If they cannot order the cross-connect for you, you can [contact the colocation provider](Colocation.md) directly.
   + If you have equipment at the Direct Connect location, contact the colocation provider to request a cross-network connection. You must be a customer of the colocation provider. You must also present them with the LOA-CFA that authorizes the connection to the AWS router, and the necessary information to connect to your network.

Direct Connect locations that are listed as multiple sites (for example, Equinix DC1-DC6 & DC10-DC11) are set up as a campus. If your or your network provider’s equipment is located in any of these sites, you can request a cross-connect to your assigned port even if it resides in a different campus building. 

**Important**  
A campus is treated as a single Direct Connect location. To achieve high availability, configure connections to different Direct Connect locations.

If you or your network provider experience issues establishing a physical connection, see [Troubleshoot layer 1 (physical) issues](ts_layer_1.md).

## Step 4: Create a virtual interface
<a name="createvirtualinterface"></a>

To begin using your Direct Connect connection, you must create a virtual interface. You can create a private virtual interface to connect to your VPC. Or, you can create a public virtual interface to connect to public AWS services that aren't in a VPC. When you create a private virtual interface to a VPC, you need a private virtual interface for each VPC to which to connect. For example, you need three private virtual interfaces to connect to three VPCs.

Before you begin, ensure that you have the following information:


| Resource | Required information | 
| --- | --- | 
| Connection | The Direct Connect connection or link aggregation group (LAG) for which you are creating the virtual interface. | 
| Virtual interface name | A name for the virtual interface. | 
| Virtual interface owner | If you're creating the virtual interface for another account, you need the AWS account ID of the other account. | 
| (Private virtual interface only) Connection | For connecting to a VPC in the same AWS Region, you need the virtual private gateway for your VPC. The ASN for the Amazon side of the BGP session is inherited from the virtual private gateway. When you create a virtual private gateway, you can specify your own private ASN. Otherwise, Amazon provides a default ASN. For more information, see [Create a Virtual Private Gateway](https://docs.aws.amazon.com/vpc/latest/userguide/SetUpVPNConnections.html#vpn-create-vpg) in the Amazon VPC User Guide. For connecting to a VPC through a Direct Connect gateway, you need the Direct Connect gateway. For more information, see [Direct Connect Gateways](https://docs.aws.amazon.com/directconnect/latest/UserGuide/direct-connect-gateways.html). | 
| VLAN | A unique virtual local area network (VLAN) tag that's not already in use on your connection. The value must be between 1 and 4094 and must comply with the Ethernet 802.1Q standard. This tag is required for any traffic traversing the Direct Connect connection. If you have a hosted connection, your AWS Direct Connect Partner provides this value. You can’t modify the value after you have created the virtual interface. | 
| Peer IP addresses |  A virtual interface can support a BGP peering session for IPv4, IPv6, or one of each (dual-stack). Do not use Elastic IPs (EIPs) or Bring your own IP addresses (BYOIP) from the Amazon Pool to create a public virtual interface. You cannot create multiple BGP sessions for the same IP addressing family on the same virtual interface. The IP address ranges are assigned to each end of the virtual interface for the BGP peering session. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/directconnect/latest/UserGuide/toolkit-classic.html)  | 
| Address family | Whether the BGP peering session will be over IPv4 or IPv6. | 
| BGP information | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/directconnect/latest/UserGuide/toolkit-classic.html) | 
| (Public virtual interface only) Prefixes you want to advertise |   Public IPv4 routes or IPv6 routes to advertise over BGP. You must advertise at least one prefix using BGP, up to a maximum of 1,000 prefixes. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/directconnect/latest/UserGuide/toolkit-classic.html) | 
| (Private and transit virtual interfaces only) Jumbo frames | The maximum transmission unit (MTU) of packets over Direct Connect. The default is 1500. Setting the MTU of a virtual interface to 9001 (jumbo frames) can cause an update to the underlying physical connection if it wasn't updated to support jumbo frames. Updating the connection disrupts network connectivity for all virtual interfaces associated with the connection for up to 30 seconds. Jumbo frames apply only to propagated routes from Direct Connect. If you add static routes to a route table that point to your virtual private gateway, then traffic routed through the static routes is sent using 1500 MTU. To check whether a connection or virtual interface supports jumbo frames, select it in the Direct Connect console and find Jumbo frame capable on the virtual interface General configuration page. | 

We request additional information from you if your public prefixes or ASNs belong to an ISP or network carrier. This can be a document using an official company letterhead or an email from the company's domain name verifying that the network prefix/ASN may be used by you.

For private virtual interfaces and public virtual interfaces, the maximum transmission unit (MTU) of a network connection is the size, in bytes, of the largest permissible packet that can be passed over the connection. The MTU of a private virtual interface can be either 1500 or 9001 (jumbo frames). The MTU of a transit virtual interface can be either 1500 or 8500 (jumbo frames). You can specify the MTU when you create the interface or update it after you create it. Setting the MTU of a virtual interface to 8500 (jumbo frames) or 9001 (jumbo frames) can cause an update to the underlying physical connection if it wasn't updated to support jumbo frames. Updating the connection disrupts network connectivity for all virtual interfaces associated with the connection for up to 30 seconds. To check whether a connection or virtual interface supports jumbo frames, select it in the Direct Connect console and find **Jumbo Frame Capable** on the **Summary** tab.

When you create a public virtual interface, it can take up to 72 business hours for AWS to review and approve your request.
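The prerequisites above can be checked before you open the console. The following pre-flight check is an added example, not AWS code. The limits (VLAN, ASN, MTU per interface type, prefix count) come from this page; the function names, the `vlans_in_use` input, the same-subnet and RFC 1918 checks, and the sample addresses are assumptions for illustration.

```python
"""Pre-flight check for Direct Connect virtual interface parameters (added example)."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # RFC 3927
# MTU values per interface type, as stated on this page.
ALLOWED_MTU = {"public": {1500}, "private": {1500, 9001}, "transit": {1500, 8500}}


def _inside(net, ranges):
    """True if `net` is contained in any network of the same IP version."""
    return any(net.version == r.version and net.subnet_of(r) for r in ranges)


def check_peer_pair(customer_peer, amazon_peer):
    """Validate both ends of the point-to-point BGP link (IPv4 CIDR strings)."""
    try:
        cust = ipaddress.ip_interface(customer_peer)
        amzn = ipaddress.ip_interface(amazon_peer)
    except ValueError as exc:
        return [f"peer address not parseable: {exc}"]
    if cust.version != 4 or amzn.version != 4:
        return ["only IPv4 peers can be specified; IPv6 peers are assigned by Amazon"]
    problems = []
    if cust.network != amzn.network:
        problems.append(f"peers are in different subnets: {cust.network} vs {amzn.network}")
    if cust.ip == amzn.ip:
        problems.append(f"both peers use the same address {cust.ip}")
    for label, iface in (("customer", cust), ("amazon", amzn)):
        net = iface.network
        if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"{label} peer {iface.ip} is the network or broadcast address of {net}")
    return problems


def check_vif(vif_type, vlan, asn, customer_peer, amazon_peer,
              mtu=1500, prefixes=(), vlans_in_use=()):
    """Return a list of problems; an empty list means the parameters look sane."""
    if vif_type not in ALLOWED_MTU:
        return [f"unknown virtual interface type {vif_type!r}"]
    problems = []
    if not 1 <= vlan <= 4094:
        problems.append(f"VLAN {vlan} is outside 1-4094")
    elif vlan in vlans_in_use:
        problems.append(f"VLAN {vlan} is already in use on this connection")
    if not 1 <= asn <= 4294967294:
        problems.append(f"BGP ASN {asn} is outside 1-4294967294")
    if mtu not in ALLOWED_MTU[vif_type]:
        problems.append(f"MTU {mtu} is not valid for a {vif_type} virtual interface")
    problems += check_peer_pair(customer_peer, amazon_peer)
    if vif_type == "public":
        if not 1 <= len(prefixes) <= 1000:
            problems.append("a public virtual interface needs 1 to 1,000 advertised prefixes")
        for text in prefixes:
            try:
                net = ipaddress.ip_network(text)  # strict: host bits must be zero
            except ValueError:
                problems.append(f"prefix {text!r} is not a valid CIDR network")
                continue
            if _inside(net, RFC1918 + [LINK_LOCAL]):
                problems.append(f"prefix {net} is private or link-local, not a public route")
    return problems


if __name__ == "__main__":
    # Constructed sample values (documentation and link-local ranges).
    print(check_vif("private", 101, 65000, "169.254.10.1/29", "169.254.10.2/29", mtu=9001))
    print(check_vif("transit", 4095, 0, "169.254.10.1/29", "169.254.10.9/29", mtu=9001))
```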

**To provision a public virtual interface to non-VPC services**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. In the navigation pane, choose **Virtual Interfaces**.

1. Choose **Create virtual interface**.

1. Under **Virtual interface type**, for **Type**, choose **Public**.

1. Under **Public virtual interface settings**, do the following:

   1. For **Virtual interface name**, enter a name for the virtual interface.

   1. For **Connection**, choose the Direct Connect connection that you want to use for this interface.

   1. For **VLAN**, enter the ID number for your virtual local area network (VLAN). 

   1. For **BGP ASN**, enter the Border Gateway Protocol Autonomous System Number of your on-premises peer router for the new virtual interface. The valid values are 1 to 4294967294. This includes support for both ASNs (1-2147483647) and long ASNs (1-4294967294). For more information about ASNs and long ASNs, see [Long ASN support in Direct Connect](long-asn-support.md). 

1. Under **Additional settings**, do the following:

   1. To configure an IPv4 BGP or an IPv6 peer, do the following:

      [IPv4] To configure an IPv4 BGP peer, choose **IPv4** and do one of the following:
      + To specify these IP addresses yourself, for **Your router peer ip**, enter the destination IPv4 CIDR address to which Amazon should send traffic. 
      + For **Amazon router peer IP**, enter the IPv4 CIDR address to use to send traffic to AWS.

      [IPv6] To configure an IPv6 BGP peer, choose **IPv6**. The peer IPv6 addresses are automatically assigned from Amazon's pool of IPv6 addresses. You cannot specify custom IPv6 addresses.

   1. To provide your own BGP key, enter your BGP MD5 key.

      If you do not enter a value, we generate a BGP key.

   1. To advertise prefixes to Amazon, for **Prefixes you want to advertise**, enter the IPv4 CIDR destination addresses (separated by commas) to which traffic should be routed over the virtual interface. 

   1. (Optional) Add or remove a tag.

      [Add a tag] Choose **Add tag** and do the following:
      + For **Key**, enter the key name.
      + For **Value**, enter the key value.

      [Remove a tag] Next to the tag, choose **Remove tag**.

1. Choose **Create virtual interface**.

**To provision a private virtual interface to a VPC**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. In the navigation pane, choose **Virtual Interfaces**.

1. Choose **Create virtual interface**.

1. Under **Virtual interface type**, for **Type**, choose **Private**.

1. Under **Private virtual interface settings**, do the following:

   1. For **Virtual interface name**, enter a name for the virtual interface.

   1. For **Connection**, choose the Direct Connect connection that you want to use for this interface.

   1. For **Gateway type**, choose **Virtual private gateway**, or **Direct Connect gateway**. 

   1. For **Virtual interface owner**, choose **Another AWS account**, and then enter the AWS account.

   1. For **Virtual private gateway**, choose the virtual private gateway to use for this interface.

   1. For **VLAN**, enter the ID number for your virtual local area network (VLAN). 

   1. For **BGP ASN**, enter the Border Gateway Protocol Autonomous System Number of your on-premises peer router for the new virtual interface.

      The valid values are 1 to 4294967294. This includes support for both ASNs (1-2147483647) and long ASNs (1-4294967294). For more information about ASNs and long ASNs, see [Long ASN support in Direct Connect](long-asn-support.md).

1. Under **Additional Settings**, do the following:

   1. To configure an IPv4 BGP or an IPv6 peer, do the following:

      [IPv4] To configure an IPv4 BGP peer, choose **IPv4** and do one of the following:
      + To specify these IP addresses yourself, for **Your router peer ip**, enter the destination IPv4 CIDR address to which Amazon should send traffic. 
      + For **Amazon router peer ip**, enter the IPv4 CIDR address to use to send traffic to AWS.

      **Important**  
      When configuring AWS Direct Connect virtual interfaces, you can specify your own IP addresses using RFC 1918, use other addressing schemes, or opt for AWS assigned IPv4 /29 CIDR addresses allocated from the RFC 3927 169.254.0.0/16 IPv4 Link-Local range for point-to-point connectivity. These point-to-point connections should be used exclusively for eBGP peering between your customer gateway router and the Direct Connect endpoint. For VPC traffic or tunnelling purposes, such as AWS Site-to-Site Private IP VPN, or Transit Gateway Connect, AWS recommends using a loopback or LAN interface on your customer gateway router as the source or destination address instead of the point-to-point connections.  
      For more information about RFC 1918, see [Address Allocation for Private Internets](https://datatracker.ietf.org/doc/html/rfc1918).  
      For more information about RFC 3927, see [Dynamic Configuration of IPv4 Link-Local Addresses](https://datatracker.ietf.org/doc/html/rfc3927).

      [IPv6] To configure an IPv6 BGP peer, choose **IPv6**. The peer IPv6 addresses are automatically assigned from Amazon's pool of IPv6 addresses. You cannot specify custom IPv6 addresses.

   1. To change the maximum transmission unit (MTU) from 1500 (default) to 9001 (jumbo frames), select **Jumbo MTU (MTU size 9001)**.

   1. (Optional) Under **Enable SiteLink**, choose **Enabled** to enable direct connectivity between Direct Connect points of presence.

   1. (Optional) Add or remove a tag.

      [Add a tag] Choose **Add tag** and do the following:
      + For **Key**, enter the key name.
      + For **Value**, enter the key value.

      [Remove a tag] Next to the tag, choose **Remove tag**.

1. Choose **Create virtual interface**.

1. You need to use your BGP device to advertise the network that you use for the public VIF connection. 
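The values entered in the private virtual interface procedure above can be checked for consistency before they are submitted. The following Python sketch is an added example, not AWS code: the function names and sample addresses are hypothetical, and the limits (ASN range, MTU values, RFC 1918 and RFC 3927 ranges) are the ones quoted in the procedure.

```python
import ipaddress

# Ranges and limits quoted from the procedure above.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # RFC 3927
ASN_MIN, ASN_MAX = 1, 4294967294
VALID_MTU = {1500, 9001}  # default and jumbo frames


def classify(ip):
    """Name the addressing scheme a peer address belongs to."""
    if ip in LINK_LOCAL:
        return "rfc3927-link-local"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    return "other"


def check_private_vif(asn, your_peer, amazon_peer, mtu=1500):
    """Return a list of problems; an empty list means the inputs are consistent."""
    problems = []
    if not (isinstance(asn, int) and ASN_MIN <= asn <= ASN_MAX):
        problems.append(f"BGP ASN {asn!r} is outside {ASN_MIN}-{ASN_MAX}")
    if mtu not in VALID_MTU:
        problems.append(f"MTU {mtu} is neither 1500 nor 9001")
    try:
        yours = ipaddress.IPv4Interface(your_peer)
        amazon = ipaddress.IPv4Interface(amazon_peer)
    except ValueError as exc:
        # Also rejects IPv6 input: IPv6 peer addresses are assigned by Amazon.
        problems.append(f"peer address is not an IPv4 CIDR address: {exc}")
        return problems
    if yours.network != amazon.network:
        problems.append("peer addresses are not in the same subnet")
    elif yours.ip == amazon.ip:
        problems.append("both peers use the same address")
    for label, iface in (("your router", yours), ("Amazon router", amazon)):
        net = iface.network
        # Below /31 the first and last addresses are not usable host addresses.
        if net.prefixlen < 31 and iface.ip in (net.network_address,
                                               net.broadcast_address):
            problems.append(f"{label} peer {iface} is a network or broadcast address")
    return problems
```

An address entered without a prefix length is treated as a /32, so it is reported as not sharing a subnet with the other peer.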

## Step 5: Download the router configuration
<a name="routerconfig"></a>

After you have created a virtual interface for your Direct Connect connection, you can download the router configuration file. The file contains the necessary commands to configure your router for use with your private or public virtual interface.

**To download a router configuration**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. In the navigation pane, choose **Virtual Interfaces**.

1. Select the connection and choose **View Details**.

1. Choose **Download router configuration**.

1. For **Download router configuration**, do the following:

   1. For **Vendor**, select the manufacturer of your router.

   1. For **Platform**, select the model of your router.

   1. For **Software**, select the software version for your router.

1. Choose **Download**, and then use the appropriate configuration for your router to ensure that you can connect to Direct Connect.

For more information about manually configuring your router, see [Download the router configuration file](vif-router-config.md).

After you configure your router, the status of the virtual interface goes to `UP`. If the virtual interface remains down and you cannot ping the Direct Connect device's peer IP address, see [Troubleshoot layer 2 (data link) issues](ts-layer-2.md). If you can ping the peer IP address, see [Troubleshoot layer 3/4 (Network/Transport) issues](ts-layer-3.md). If the BGP peering session is established but you cannot route traffic, see [Troubleshoot routing issues](ts-routing.md).

## Step 6: Verify your virtual interface
<a name="connected"></a>

After you have established virtual interfaces to the AWS Cloud or to Amazon VPC, you can verify your AWS Direct Connect connection using the following procedures. 

**To verify your virtual interface connection to the AWS Cloud**
+ Run `traceroute` and verify that the Direct Connect identifier is in the network trace.

**To verify your virtual interface connection to Amazon VPC**

1. Using a pingable AMI, such as an Amazon Linux AMI, launch an EC2 instance into the VPC that is attached to your virtual private gateway. The Amazon Linux AMIs are available in the **Quick Start** tab when you use the instance launch wizard in the Amazon EC2 console. For more information, see [Launch an Instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-instance_linux.html) in the *Amazon EC2 User Guide.* Ensure that the security group that's associated with the instance includes a rule permitting inbound ICMP traffic (for the ping request).

1. After the instance is running, get its private IPv4 address (for example, 10.0.0.4). The Amazon EC2 console displays the address as part of the instance details.

1. Ping the private IPv4 address and get a response.

## (Recommended) Step 7: Configure redundant connections
<a name="RedundantConnections"></a>

To provide for failover, we recommend that you request and configure two dedicated connections to AWS, as shown in the following figure. These connections can terminate on one or two routers in your network.

![\[Redundant connection diagram\]](http://docs.aws.amazon.com/directconnect/latest/UserGuide/images/redundant_connection.png)


There are different configuration choices available when you provision two dedicated connections:
+ Active/Active (BGP multipath). This is the default configuration, where both connections are active. Direct Connect supports multipathing to multiple virtual interfaces within the same location, and traffic is load-shared between interfaces based on flow. If one connection becomes unavailable, all traffic is routed through the other connection.
+ Active/Passive (failover). One connection is handling traffic, and the other is on standby. If the active connection becomes unavailable, all traffic is routed through the passive connection. You need to prepend the AS path to the routes on one of your links for that to be the passive link.

How you configure the connections doesn't affect redundancy, but it does affect the policies that determine how your data is routed over both connections. We recommend that you configure both connections as active.

If you use a VPN connection for redundancy, ensure that you implement a health check and failover mechanism. If you use either of the following configurations, then you need to check your [route table routing](https://docs.aws.amazon.com/vpc/latest/userguide/SetUpVPNConnections.html#vpn-configure-routing) to route to the new network interface. 
+ You use your own instances for routing, for example the instance is the firewall. 
+ You use your own instance that terminates a VPN connection.

To achieve high availability, we strongly recommend that you configure connections to different Direct Connect locations. 

For more information about Direct Connect resiliency, see [Direct Connect Resiliency Recommendations](https://aws.amazon.com/directconnect/resiliency-recommendation/).
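The redundancy recommendations in this step can be checked against what is actually provisioned. The following Python sketch is an added example, not AWS code: it audits records shaped like the `virtualInterfaces` list returned by `aws directconnect describe-virtual-interfaces`, and the sample records, IDs, and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample; field names follow the DescribeVirtualInterfaces
# response, and every ID and location code is a placeholder.
SAMPLE_VIFS = [
    {"virtualInterfaceId": "dxvif-example1", "connectionId": "dxcon-example1",
     "location": "LOC-A", "awsLogicalDeviceId": "LOC-A-device-1",
     "virtualInterfaceState": "available",
     "bgpPeers": [{"addressFamily": "ipv4", "bgpStatus": "up"}]},
    {"virtualInterfaceId": "dxvif-example2", "connectionId": "dxcon-example2",
     "location": "LOC-A", "awsLogicalDeviceId": "LOC-A-device-2",
     "virtualInterfaceState": "available",
     "bgpPeers": [{"addressFamily": "ipv4", "bgpStatus": "down"}]},
]
DOMAINS = ("connectionId", "awsLogicalDeviceId", "location")


def healthy(vif):
    """A VIF can carry traffic only if it is available and a BGP peer is up."""
    return (vif.get("virtualInterfaceState") == "available"
            and any(p.get("bgpStatus") == "up" for p in vif.get("bgpPeers", [])))


def audit_redundancy(vifs):
    """Count the failure domains spanned by healthy VIFs and list the gaps."""
    seen = defaultdict(set)
    findings = []
    for vif in vifs:
        if healthy(vif):
            for key in DOMAINS:
                seen[key].add(vif.get(key))
        else:
            findings.append(f"{vif['virtualInterfaceId']}: no BGP peer is up")
    counts = {key: len(seen[key]) for key in DOMAINS}
    # Report only the narrowest shared failure domain.
    if counts["connectionId"] < 2:
        findings.append("fewer than two healthy connections: no failover path")
    elif counts["awsLogicalDeviceId"] < 2:
        findings.append("healthy connections terminate on the same AWS device")
    elif counts["location"] < 2:
        findings.append("all healthy connections terminate in one Direct Connect location")
    return counts, findings
```

With the constructed sample, the second interface is provisioned but its BGP session is down, so the audit reports a single healthy connection even though two connections exist.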