Associating a virtual private gateway across accounts - Amazon Direct Connect

Associating a virtual private gateway across accounts

You can associate a Direct Connect gateway with a virtual private gateway that is owned by any Amazon account. The Direct Connect gateway can be an existing gateway, or you can create a new gateway. The owner of the virtual private gateway creates an association proposal and the owner of the Direct Connect gateway must accept the association proposal.

An association proposal can contain prefixes that will be allowed from the virtual private gateway. The owner of the Direct Connect gateway can optionally override any requested prefixes in the association proposal.

Allowed prefixes

When you associate a virtual private gateway with a Direct Connect gateway, you specify a list of Amazon VPC prefixes to advertise to the Direct Connect gateway. The prefix list acts as a filter that allows the same CIDRs, or smaller CIDRs, to be advertised to the Direct Connect gateway. You must set the Allowed prefixes to a range that is the same as or wider than the VPC CIDR because we provision the entire VPC CIDR on the virtual private gateway.

Consider the case where the VPC CIDR is 10.0.0.0/16. You can set the Allowed prefixes to 10.0.0.0/16 (the VPC CIDR value), or 10.0.0.0/15 (a value that is wider than the VPC CIDR).

Any virtual interface inside network prefixes advertised over Direct Connect are only propagated to transit gateways across Regions, not within the same Region. For more information on how allowed prefixes interact with virtual private gateways and transit gateways, see Allowed prefixes interactions.
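
The following added example (not part of the original documentation) checks an Allowed prefixes list, typed as commas or separate lines, against the rule above: every VPC CIDR must be covered by a prefix that is the same or wider. The approved_block parameter is an assumption of this example: an address block the Direct Connect gateway owner expects the other account to stay inside, so that wider requests can be overridden at acceptance.

```python
import ipaddress
import re


def parse_prefixes(text):
    """Split console-style input (commas or separate lines) into networks.

    Returns (networks, invalid); invalid holds entries that are not
    well-formed CIDRs, for example ones with host bits set.
    """
    networks, invalid = [], []
    for item in (s.strip() for s in re.split(r"[,\n]", text)):
        if not item:
            continue
        try:
            networks.append(ipaddress.ip_network(item, strict=True))
        except ValueError:
            invalid.append(item)
    return networks, invalid


def within(inner, outer):
    """True if inner is the same as outer or a smaller CIDR inside it."""
    # subnet_of raises TypeError when mixing IPv4 and IPv6, so compare first.
    return inner.version == outer.version and inner.subnet_of(outer)


def review_allowed_prefixes(vpc_cidrs, allowed_text, approved_block=None):
    """Check an Allowed prefixes list against the VPC CIDRs it must cover.

    approved_block is an assumption of this example: an address block the
    reviewer expects the other account to stay inside.
    """
    allowed, invalid = parse_prefixes(allowed_text)
    vpcs = [ipaddress.ip_network(c) for c in vpc_cidrs]
    # Rule from the text: each VPC CIDR needs a same-or-wider allowed prefix.
    uncovered = [str(v) for v in vpcs if not any(within(v, a) for a in allowed)]
    too_wide = []
    if approved_block is not None:
        bound = ipaddress.ip_network(approved_block)
        too_wide = [str(a) for a in allowed if not within(a, bound)]
    return {"invalid": invalid, "uncovered": uncovered, "too_wide": too_wide}


if __name__ == "__main__":
    # Constructed sample: the 10.0.0.0/16 VPC from the text.
    for text in ("10.0.0.0/16", "10.0.0.0/15", "10.0.0.0/17", "10.0.0.0/8"):
        print(text, review_allowed_prefixes(["10.0.0.0/16"], text, "10.0.0.0/15"))
```

An entry in uncovered means the list breaks the same-or-wider rule; an entry in too_wide is a requested prefix the Direct Connect gateway owner may want to override when accepting the proposal.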

Creating an association proposal

If you own the virtual private gateway, you must create an association proposal. The virtual private gateway must be attached to a VPC in your Amazon account. The owner of the Direct Connect gateway must share the ID of the Direct Connect gateway and the ID of its Amazon account. After you create the proposal, the owner of the Direct Connect gateway must accept it in order for you to gain access to the on-premises network over Amazon Direct Connect.

To create an association proposal
  1. Open the Amazon Direct Connect console at https://console.aws.amazon.com/directconnect/v2/home.

  2. In the navigation pane, choose Virtual private gateways and select the virtual private gateway.

  3. Choose View details.

  4. Choose Direct Connect gateway associations and choose Associate Direct Connect gateway.

  5. Under Association account type, for Account owner, choose Another account.

  6. For Direct Connect gateway owner, enter the ID of the Amazon account that owns the Direct Connect gateway.

  7. Under Association settings, do the following:

    1. For Direct Connect gateway ID, enter the ID of the Direct Connect gateway.

    2. For Direct Connect gateway owner, enter the ID of the Amazon account that owns the Direct Connect gateway for the association.

    3. (Optional) To specify a list of prefixes to be allowed from the virtual private gateway, add the prefixes to Allowed prefixes, separating them using commas, or entering them on separate lines.

  8. Choose Associate Direct Connect gateway.

To create an association proposal using the command line or API

Accepting or rejecting an association proposal

If you own the Direct Connect gateway, you must accept the association proposal in order to create the association. Otherwise, you can reject the association proposal.

To accept an association proposal
  1. Open the Amazon Direct Connect console at https://console.aws.amazon.com/directconnect/v2/home.

  2. In the navigation pane, choose Direct Connect gateways.

  3. Select the Direct Connect gateway with pending proposals and choose View details.

  4. On the Pending proposals tab, select the proposal and choose Accept proposal.

  5. (Optional) To specify a list of prefixes to be allowed from the virtual private gateway, add the prefixes to Allowed prefixes, separating them using commas, or entering them on separate lines.

  6. Choose Accept proposal.

To reject an association proposal
  1. Open the Amazon Direct Connect console at https://console.aws.amazon.com/directconnect/v2/home.

  2. In the navigation pane, choose Direct Connect gateways.

  3. Select the Direct Connect gateway with pending proposals and choose View details.

  4. On the Pending proposals tab, select the virtual private gateway and choose Reject proposal.

  5. In the Reject proposal dialog box, enter Delete and choose Reject proposal.

To view association proposals using the command line or API
To accept an association proposal using the command line or API
To reject an association proposal using the command line or API

Updating the allowed prefixes for an association

You can update the prefixes that are allowed from the virtual private gateway over the Direct Connect gateway.

If you're the owner of the virtual private gateway, create a new association proposal for the same Direct Connect gateway and virtual private gateway, specifying the prefixes to allow.

If you're the owner of the Direct Connect gateway, update the allowed prefixes when you accept the association proposal or update the allowed prefixes for an existing association as follows.

To update the allowed prefixes for an existing association using the command line or API

Deleting an association proposal

The owner of the virtual private gateway can delete the Direct Connect gateway association proposal if it is still pending acceptance. After an association proposal is accepted, you can't delete it, but you can disassociate the virtual private gateway from the Direct Connect gateway. For more information, see Associating and disassociating virtual private gateways.

To delete an association proposal
  1. Open the Amazon Direct Connect console at https://console.aws.amazon.com/directconnect/v2/home.

  2. In the navigation pane, choose Virtual private gateways and select the virtual private gateway.

  3. Choose View details.

  4. Choose Pending Direct Connect gateway associations, select the association and choose Delete association.

  5. In the Delete association proposal dialog box, enter Delete and choose Delete.

To delete a pending association proposal using the command line or API