Virtual Private Gateway - Bring your own Autonomous System Number

Question 1

Does ClassicLink allow EC2-Classic Security Group rules to reference VPC Security Groups, or vice versa?

Virtual Private Gateway - Bring your own Autonomous System Number

Amazon Virtual Private Cloud (VPC) | Networking & Content Delivery

Answer 1

ClassicLink does not allow EC2-Classic Security Group rules to reference VPC Security Groups, or vice versa.

Question 2

What is this feature?

Virtual Private Gateway - Bring your own Autonomous System Number

Amazon Virtual Private Cloud (VPC) | Networking & Content Delivery

Answer 2

For any new VGWs, configurable Private Autonomous System Number(ASN) allows customers to set the ASN on the Amazon side of the BGP session for VPNs and AWS Direct Connect private VIFs .

Question 3

What is the cost of using this feature?

Virtual Private Gateway - Bring your own Autonomous System Number

Amazon Virtual Private Cloud (VPC) | Networking & Content Delivery

Answer 3

There is no additional charge for this feature.

Question 4

How can I configure/assign my ASN to be advertised as Amazon side ASN?

Virtual Private Gateway - Bring your own Autonomous System Number

Amazon Virtual Private Cloud (VPC) | Networking & Content Delivery

Answer 4

You can configure/assign an ASN to be advertised as the Amazon side ASN during creation of the new Virtual Private Gateway (VGW). You can create a VGW using the VPC console or a EC2/CreateVpnGateway API call.

Question 5

What ASN did Amazon assign prior to this feature?

Virtual Private Gateway - Bring your own Autonomous System Number

Amazon Virtual Private Cloud (VPC) | Networking & Content Delivery

Answer 5

Amazon assigned the following ASNs: EU West (Dublin) 9059; Asia Pacific (Singapore) 17493 and Asia Pacific (Tokyo) 10124. All other regions were assigned an ASN of 7224; these ASNs are referred as “legacy public ASN” of the region.

Question 6

Can I use any ASN – public and private?

Virtual Private Gateway - Bring your own Autonomous System Number

Amazon Virtual Private Cloud (VPC) | Networking & Content Delivery

Answer 6

You can assign any private ASN to the Amazon side. You can assign the “legacy public ASN” of the region until June 30th 2018, you cannot assign any other public ASN. After June 30th 2018, Amazon will provide an ASN of 64512.

Question 7

Why can’t I assign a public ASN for the Amazon half of the BGP session?

Virtual Private Gateway - Bring your own Autonomous System Number

Amazon Virtual Private Cloud (VPC) | Networking & Content Delivery

Answer 7

Amazon is not validating ownership of the ASNs, therefore, we’re limiting the Amazon-side ASN to private ASNs. We want to protect customers from BGP spoofing.

Question 8

What ASN can I choose?

Virtual Private Gateway - Bring your own Autonomous System Number

Amazon Virtual Private Cloud (VPC) | Networking & Content Delivery

Answer 8

You can choose any private ASN. Ranges for 16-bit private ASNs include 64512 to 65534. You can also provide 32-bit ASNs between 4200000000 and 4294967294.

Amazon will provide a default ASN for the VGW if you don’t choose one. Until June 30th 2018, Amazon will continue to provide the “legacy public ASN” of the region. After June 30th 2018, Amazon will provide an ASN of 64512.

Question 9

What will happen if I try to assign a public ASN to the Amazon half of the BGP session?

Virtual Private Gateway - Bring your own Autonomous System Number

Amazon Virtual Private Cloud (VPC) | Networking & Content Delivery

Answer 9

We will ask you to re-enter a private ASN once you attempt to create the VGW, unless it is the “legacy public ASN” of the region.

Question 10

If I don’t provide an ASN for the Amazon half of the BGP session, what ASN can I expect Amazon to assign to me?

Virtual Private Gateway - Bring your own Autonomous System Number

Amazon Virtual Private Cloud (VPC) | Networking & Content Delivery

Answer 10

Amazon will provide an ASN for the VGW if you don’t choose one. Until June 30th 2018, Amazon will continue to provide the “legacy public ASN” of the region. After June 30th 2018, Amazon will provide an ASN of 64512.

Question 11

Where can I view the Amazon side ASN?

Virtual Private Gateway - Bring your own Autonomous System Number

Amazon Virtual Private Cloud (VPC) | Networking & Content Delivery

Answer 11

You can view the Amazon side ASN in the VGW page of VPC console and in the response of EC2/DescribeVpnGateways API.

Question 12

If I have a public ASN, will it work with a private ASN on the AWS side?

Virtual Private Gateway - Bring your own Autonomous System Number

Amazon Virtual Private Cloud (VPC) | Networking & Content Delivery

Answer 12

Yes, you can configure the Amazon side of the BGP session with a private ASN and your side with a public ASN.

Question 13

I have private VIFs already configured and want to set a different Amazon side ASN for the BGP session on an existing VIF. How can I make this change?

Virtual Private Gateway - Bring your own Autonomous System Number

Amazon Virtual Private Cloud (VPC) | Networking & Content Delivery

Answer 13

You will need to create a new VGW with desired ASN, and create a new VIF with the newly created VGW. Your device configuration also needs to change appropriately.

Question 14

I have VPN connections already configured and want to modify the Amazon side ASN for the BGP session of these VPNs. How can I make this change?

Virtual Private Gateway - Bring your own Autonomous System Number

Amazon Virtual Private Cloud (VPC) | Networking & Content Delivery

Answer 14

You will need to create a new VGW with the desired ASN, and recreate your VPN connections between your Customer Gateways and the newly created VGW.

Question 15

I already have a VGW and a private VIF/VPN connection configured using an Amazon assigned public ASN of 7224. If Amazon automatically generates the ASN for the new private VGW, what Amazon side ASN will I be assigned?

Virtual Private Gateway - Bring your own Autonomous System Number

Amazon Virtual Private Cloud (VPC) | Networking & Content Delivery

Answer 15

Amazon will assign 64512 to the Amazon side ASN for the new VGW.

Question 16

I have a VGW and a private VIF/VPN connection configured using an Amazon assigned public ASN. I want to use the same Amazon assigned public ASN for the new private VIF/VPN connection I’m creating. How do I do this?

Virtual Private Gateway - Bring your own Autonomous System Number

Amazon Virtual Private Cloud (VPC) | Networking & Content Delivery

Answer 16

You can configure/assign an ASN to be advertised as the Amazon side ASN during creation of the new Virtual Private Gateway (VGW). You can create VGW using console or EC2/CreateVpnGateway API call. As noted earlier, we will allow the use of the “legacy public ASN” for your newly created VGW.

Question 17

I have a VGW and a private VIF/VPN connection configured using an Amazon assigned public ASN of 7224. If Amazon auto generates the ASN for the new private VIF/VPN connection using the same VGW, what Amazon side ASN will I be assigned?

Virtual Private Gateway - Bring your own Autonomous System Number

Amazon Virtual Private Cloud (VPC) | Networking & Content Delivery

Answer 17

Amazon will assign 7224 to the Amazon side ASN for the new VIF/VPN connection. The Amazon side ASN for your new private VIF/VPN connection is inherited from your existing VGW and defaults to that ASN.

Question 18

I’m attaching multiple private VIFs to a single VGW. Can each VIF have a separate Amazon side ASN?

Virtual Private Gateway - Bring your own Autonomous System Number

Amazon Virtual Private Cloud (VPC) | Networking & Content Delivery

Answer 18

No, you can assign/configure separate Amazon side ASN for each VGW, not each VIF. Amazon side ASN for VIF is inherited from the Amazon side ASN of the attached VGW.

Question 19

I’m creating multiple VPN connections to a single VGW. Can each VPN connection have a separate Amazon side ASN?

Virtual Private Gateway - Bring your own Autonomous System Number

Amazon Virtual Private Cloud (VPC) | Networking & Content Delivery

Answer 19

No, you can assign/configure separate Amazon side ASN for each VGW, not each VPN connection. Amazon side ASN for VPN connection is inherited from the Amazon side ASN of the VGW.

Question 20

Where can I select my own ASN?

Virtual Private Gateway - Bring your own Autonomous System Number

Amazon Virtual Private Cloud (VPC) | Networking & Content Delivery

Answer 20

When creating a VGW in the VPC console, uncheck the box asking if you want an auto-generated Amazon BGP ASN and provide your own private ASN for the Amazon half of the BGP session. Once VGW is configured with Amazon side ASN, the private VIFs or VPN connections created using the VGW will use your Amazon side ASN.

Question 21

I use CloudHub today. Will I have to adjust my configurations in the future?

Virtual Private Gateway - Bring your own Autonomous System Number

Amazon Virtual Private Cloud (VPC) | Networking & Content Delivery

Answer 21

You will not have to make any changes.

Question 22

I want to select a 32-bit ASN. What is the range of 32-bit private ASNs?

Virtual Private Gateway - Bring your own Autonomous System Number

Amazon Virtual Private Cloud (VPC) | Networking & Content Delivery

Answer 22

We will support 32-bit ASNs from 4200000000 to 4294967294.

Question 23

Once the VGW is created, can I change or modify the Amazon side ASN?

Virtual Private Gateway - Bring your own Autonomous System Number

Amazon Virtual Private Cloud (VPC) | Networking & Content Delivery

Answer 23

No, you cannot modify the Amazon side ASN after creation. You can delete the VGW and recreate a new VGW with the desired ASN.

Question 24

Is there a new API to configure/assign the Amazon side ASN?

Virtual Private Gateway - Bring your own Autonomous System Number

Amazon Virtual Private Cloud (VPC) | Networking & Content Delivery

Answer 24

No. You can do this with the same API as before (EC2/CreateVpnGateway). We just added a new parameter (amazonSideAsn) to this API.