AWS Security ChangesHomeSearch

AWS directconnect documentation change

Service: directconnect · 2025-05-16 · Documentation low

File: directconnect/latest/UserGuide/routing-and-bgp.md

Summary

Added documentation on ASN usage considerations for public vs private ASNs, including ownership verification and ASN prepending behavior

Security assessment

The changes clarify security-related aspects of ASN ownership verification and explain that ASN prepending with private ASNs is ineffective, which helps users configure their networks correctly. However, there's no evidence of addressing a specific security vulnerability.

Diff

diff --git a/directconnect/latest/UserGuide/routing-and-bgp.md b/directconnect/latest/UserGuide/routing-and-bgp.md
index 43c888141..a3e4e39fb 100644
--- a//directconnect/latest/UserGuide/routing-and-bgp.md
+++ b//directconnect/latest/UserGuide/routing-and-bgp.md
@@ -57,0 +58,12 @@ For more information about the ip-ranges.json file, see [AWS IP address ranges ]
+  * When using a public interface, you can use either a public or private ASN. However, there are important considerations:
+
+    * Public ASNs: You must own the ASN and have the right to announce it. AWS will verify your ownership of the ASN.
+
+    * Private ASNs: You can use private ASNs (64512-65534, 4200000000-4294967294). However, AWS Direct Connect will replace the private ASN with the AWS ASN (7224) when advertising your prefixes to other AWS customers or the internet.
+
+    * ASN prepending:
+
+      * With a public ASN, prepending will work as expected, and your prepended ASN will be visible to other networks.
+
+      * With a private ASN, any prepending you do will be stripped when AWS replaces your private ASN with 7224. This means ASN prepending is not effective for influencing routing decisions outside of AWS when using a private ASN on a public virtual interface.
+