Tags: amazon-web-services, aws-direct-connect, aws-vpn

Why must a public VIF be used in an AWS Direct Connect + VPN setup?


I am unsure why a public VIF must be used in an AWS Direct Connect + VPN setup. Usually, if you are connecting to a Virtual Private Gateway, you should use a private VIF, as shown in AWS Managed VPN. Why must a public VIF be used in this case?

Diagram on AWS Direct Connect + VPN:

AWS Direct Connect + VPN

Diagram on AWS Managed VPN:

AWS Managed VPN

Edit 1:
I got a better understanding by watching AWS re:Invent 2018: AWS VPN Solutions (NET304). We need a public VIF because AWS Site-to-Site VPN creates two public endpoints on a Virtual Private Gateway, which are visible to a public VIF only. Diagram from that talk: VPN over DX


Solution

  • The reason is that the AWS Site-to-Site VPN service part of the solution does not reside within the VPC; it directly creates the relationship between the customer gateway and the virtual private gateway.

    When you create this connection, within the tunnel details you will find that you get 2 public IP addresses (to be clear, a private VIF will only communicate with a single VPC's network range(s)).

    The public VIF, on the other hand, will advertise all public IP address ranges found within Amazon. As the service resolves to a public IP address that falls in this range, the public VIF would advertise a more desirable route to use your new Direct Connect connection.
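The route-selection argument in the answer above, as an added example (not code from the original question or answer): the customer router's routing table is modelled with longest-prefix match, the private VIF advertises only the VPC CIDR, the public VIF advertises AWS public ranges, and the VPN tunnel outside addresses are looked up against each. All prefixes and tunnel IPs are constructed documentation-range values, not real AWS prefixes.

```python
import ipaddress

# Constructed sample data: what each path advertises to the customer router.
ROUTES = [
    ("0.0.0.0/0", "internet-default"),       # plain internet uplink (default route)
    ("10.0.0.0/16", "dx-private-vif"),       # private VIF: only the VPC's own CIDR
    ("198.51.100.0/24", "dx-public-vif"),    # public VIF: AWS public ranges (sample)
    ("203.0.113.0/24", "dx-public-vif"),
]

# Constructed sample: the two public tunnel endpoint IPs shown in "tunnel details".
TUNNEL_ENDPOINTS = ["203.0.113.10", "203.0.113.11"]


def build_table(routes, allowed_paths=None):
    """Build a route table, optionally keeping only routes learned over given paths."""
    table = []
    for prefix, path in routes:
        if allowed_paths is None or path in allowed_paths:
            table.append((ipaddress.ip_network(prefix), path))
    return table


def next_hop(table, ip):
    """Longest-prefix match: the most specific advertised prefix wins."""
    addr = ipaddress.ip_address(ip)
    matches = [(net, path) for net, path in table if addr in net]
    if not matches:
        return None
    net, path = max(matches, key=lambda m: m[0].prefixlen)
    return path


def tunnel_paths(allowed_paths=None):
    """Which path carries each VPN tunnel endpoint for the given set of VIFs."""
    table = build_table(ROUTES, allowed_paths)
    return {ip: next_hop(table, ip) for ip in TUNNEL_ENDPOINTS}


if __name__ == "__main__":
    # With only a private VIF, the tunnel endpoints fall back to the internet.
    print(tunnel_paths({"internet-default", "dx-private-vif"}))
    # With a public VIF, the AWS public prefix is more specific and wins.
    print(tunnel_paths())
```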