Hosted Public VIFs and LOA for Public IP and ASN


Last Updated on May 10, 2021

Let’s say there are 2 companies. Each company has an AWS Account of their.

Company A account owns the Direct Connect connection. They then created a Hosted Public Virtual Interface (VIF) to Company B account.

Company B account will then accept the Hosted Public VIF from Company A account.

Company B owns the public IP prefix and public ASN that will be used for the Hosted Public VIF.

After 72 hours, the Hosted Public VIF is still in “Verifying” state.

Which account should the Letter of Authorization (LOA) for Company B’s Public IP prefix and public ASN be submitted? Should it be Company A’s account or Company B’s account?

To answer this question we need to know which account owns the Public VIF. The account that owns the Public VIF is the one required to submit the LOA for the Public IP prefixes and public ASN.

We already know that Company A account owns the Direct Connect connection. So if company A creates the Hosted Public VIF and Company B account accepts it, who then is the owner of the Public VIF?

In one AWS premium support blog about Hosted Public VIF, it says “the account that owns the VIF is different from the connection owner”. Therefore, we can conclude that Company B’s account owns the Hosted Public VIF, even though Company A’s account created it.

In the case of the Hosted Public VIF is stuck in the “Verifying” state for 72 hours, using their own AWS Account, Company B should submit a LOA that they are allowing their Public IP prefixes and Public ASNs to be used by the Hosted Public VIF.

You can get the LOA template here to submit to AWS support.


Tip on having your Public IP prefix and ASN approved without submitting a LOA

To have your Public Virtual Interface (VIF) status changed from “verifying” to “available” without submitting a Letter of Authorization (LOA) make sure that the root account email of your AWS Account has the same domain as the publicly accessible email of the Public IP and ASN owner.

Example

AWS account root emailawsadmin@companyb.com
Public IP prefix and ASN owner emailnetworkadmin@companyb.com

Since the domain is the same for both email addresses (companyb.com), the Public VIF will automatically be upgraded from “verifying” to “available”.

No need to submit a LOA.

You can check who the owner of the Public IP prefix and ASN is in arin.net.


Ironic experience with AWS Support on submitting the LOA

AWS requires to submit the LOA via AWS Support. If the Support Plan is only a Basic support, you cannot submit a Technical support.

In this blog by AWS premium support, it says that if the account only has Basic support, you should submit the LOA via Account and billing support.

We experienced submitting a LOA via the Account and billing support and their reply was that this was out of their scope.

They then provided the link to the same blog. #Ironic

In the end, we signed up for a Premium Support and the project lived happily ever after.


Leave a Reply

Your email address will not be published. Required fields are marked *