This repository contains BGP prefix lists for filtering S3 traffic over AWS Direct Connect Public VIF.
To use S3 with Direct Connect, customers often use a Public VIF. By filtering to only S3 prefixes for specific regions, you can limit the scope of routes received from AWS (AS16509). This allows you to route only S3 traffic over the Direct Connect connection while sending all other AWS traffic (EC2, etc.) over the Internet, reducing Direct Connect data transfer costs and bandwidth usage.
┌─────────────────┐ ┌─────────────────┐
│ │ │ │
│ Customer │ │ AWS │
│ Network │ │ │
│ ┌──────────┐ │ │ ┌──────────┐ │
│ │ Router │ │ Direct Connect Public VIF │ │ S3 │ │
│ │ (with │───┼───────────────────────────────────>│ │ (Region) │ │
│ │ filters) │ │ ✓ S3 prefixes only (filtered) │ └──────────┘ │
│ └────┬─────┘ │ │ │
│ │ │ │ ┌──────────┐ │
│ │ │ Internet │ │ EC2 │ │
│ └─────────┼───────────────────────────────────>│ │ Other │ │
│ │ ✓ All other AWS traffic │ │ Services │ │
│ │ │ └──────────┘ │
└─────────────────┘ └─────────────────┘
With BGP prefix filtering in place:
- Traffic to S3 in the specified region → Direct Connect Public VIF
- All other AWS traffic (EC2, other services) → Internet
Important: These prefix filters only control outbound traffic from your network to AWS. Return traffic from AWS to your network will use whichever path AWS chooses based on the prefixes you announce via BGP.
Last updated: 2026-04-14 00:57:19 UTC
| Region | Region Name | Cisco IOS | Juniper |
|---|---|---|---|
| af-south-1 | Africa (Cape Town) | Cisco Config | Juniper Config |
| ap-east-1 | Asia Pacific (Hong Kong) | Cisco Config | Juniper Config |
| ap-east-2 | Asia Pacific (Taipei) | Cisco Config | Juniper Config |
| ap-northeast-1 | Asia Pacific (Tokyo) | Cisco Config | Juniper Config |
| ap-northeast-2 | Asia Pacific (Seoul) | Cisco Config | Juniper Config |
| ap-northeast-3 | Asia Pacific (Osaka) | Cisco Config | Juniper Config |
| ap-south-1 | Asia Pacific (Mumbai) | Cisco Config | Juniper Config |
| ap-south-2 | Asia Pacific (Hyderabad) | Cisco Config | Juniper Config |
| ap-southeast-1 | Asia Pacific (Singapore) | Cisco Config | Juniper Config |
| ap-southeast-2 | Asia Pacific (Sydney) | Cisco Config | Juniper Config |
| ap-southeast-3 | Asia Pacific (Jakarta) | Cisco Config | Juniper Config |
| ap-southeast-4 | Asia Pacific (Melbourne) | Cisco Config | Juniper Config |
| ap-southeast-5 | Asia Pacific (Kuala Lumpur) | Cisco Config | Juniper Config |
| ap-southeast-6 | Asia Pacific (Auckland) | Cisco Config | Juniper Config |
| ap-southeast-7 | Asia Pacific (Bangkok) | Cisco Config | Juniper Config |
| ca-central-1 | Canada (Central) | Cisco Config | Juniper Config |
| ca-west-1 | Canada (West) | Cisco Config | Juniper Config |
| eu-central-1 | Europe (Frankfurt) | Cisco Config | Juniper Config |
| eu-central-2 | Europe (Zurich) | Cisco Config | Juniper Config |
| eu-north-1 | Europe (Stockholm) | Cisco Config | Juniper Config |
| eu-south-1 | Europe (Milan) | Cisco Config | Juniper Config |
| eu-south-2 | Europe (Spain) | Cisco Config | Juniper Config |
| eu-west-1 | Europe (Ireland) | Cisco Config | Juniper Config |
| eu-west-2 | Europe (London) | Cisco Config | Juniper Config |
| eu-west-3 | Europe (Paris) | Cisco Config | Juniper Config |
| eusc-de-east-1 | Europe Sovereign Cloud (Germany) | Cisco Config | Juniper Config |
| il-central-1 | Israel (Tel Aviv) | Cisco Config | Juniper Config |
| me-central-1 | Middle East (UAE) | Cisco Config | Juniper Config |
| me-south-1 | Middle East (Bahrain) | Cisco Config | Juniper Config |
| me-west-1 | Middle East (Tel Aviv) | Cisco Config | Juniper Config |
| mx-central-1 | Mexico (Central) | Cisco Config | Juniper Config |
| sa-east-1 | South America (São Paulo) | Cisco Config | Juniper Config |
| sa-west-1 | South America (Santiago) | Cisco Config | Juniper Config |
| us-east-1 | US East (N. Virginia) | Cisco Config | Juniper Config |
| us-east-2 | US East (Ohio) | Cisco Config | Juniper Config |
| us-gov-east-1 | AWS GovCloud (US-East) | Cisco Config | Juniper Config |
| us-gov-west-1 | AWS GovCloud (US-West) | Cisco Config | Juniper Config |
| us-west-1 | US West (N. California) | Cisco Config | Juniper Config |
| us-west-2 | US West (Oregon) | Cisco Config | Juniper Config |
```
ip prefix-list aws-s3-<region> seq <N> permit <prefix> le 24
ipv6 prefix-list aws-s3-<region> seq <N> permit <prefix> le 48
```
For more information on configuring prefix lists in Cisco IOS, see:
```
policy-options {
    prefix-list aws-s3-<region> {
        <prefix> orlonger;
    }
}
```
For more information on configuring prefix lists in Juniper, see:
This repository is automatically updated via GitHub Actions when AWS publishes changes to ip-ranges.json.
To automatically trigger updates when AWS publishes a new ip-ranges.json file:
- Subscribe an AWS Lambda function to the SNS topic `arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged`
- Use the Lambda function code from `lambda-webhook-trigger.js` in this repository
- Configure the following environment variables in your Lambda function:
  - `GITHUB_OWNER` - Your GitHub username (e.g., `chriselsen`)
  - `GITHUB_TOKEN` - GitHub Personal Access Token with `repo` scope
  - `GITHUB_REPOS` - Comma-separated list of repositories (e.g., `s3-only-pubvif,AWS-Geofeed`)
- Create a GitHub Personal Access Token:
  - Go to GitHub Settings → Developer settings → Personal access tokens → Tokens (classic)
  - Generate new token with `repo` scope
  - Store securely in Lambda environment variables
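The steps above, as an added Python example of what the Lambda trigger has to do: read the three environment variables, build one `repository_dispatch` request per repository with the same headers and body the manual `curl` below uses, and send it. This is not the repository's `lambda-webhook-trigger.js` (which is JavaScript and may be structured differently). The check that the invoking record actually came from the `AmazonIpSpaceChanged` topic is an addition of mine, as are the constructed sample event and the placeholder owner and token.

```python
"""SNS (AmazonIpSpaceChanged) -> GitHub repository_dispatch trigger.
Added example; not the repository's own lambda-webhook-trigger.js."""
import json
import os
import urllib.request

# Topic named in the README. Records from any other topic are ignored rather than
# acted on, so a stray or forged invocation cannot trigger a workflow run.
EXPECTED_TOPIC_ARN = "arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged"
API_VERSION = "2022-11-28"


def dispatch_requests(event, env):
    """Return one (url, headers, body) tuple per repository in GITHUB_REPOS,
    or [] when no record in the event came from the expected SNS topic."""
    records = event.get("Records", [])
    if not any(r.get("Sns", {}).get("TopicArn") == EXPECTED_TOPIC_ARN for r in records):
        return []
    owner = env["GITHUB_OWNER"]
    token = env["GITHUB_TOKEN"]  # classic PAT with repo scope, per the README
    repos = [r.strip() for r in env["GITHUB_REPOS"].split(",") if r.strip()]
    headers = {
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}",
        "X-GitHub-Api-Version": API_VERSION,
        "Content-Type": "application/json",
    }
    body = json.dumps({"event_type": "webhook"}).encode()
    return [
        (f"https://api.github.com/repos/{owner}/{repo}/dispatches", headers, body)
        for repo in repos
    ]


def lambda_handler(event, context):
    """Lambda entry point: POST each dispatch and report the status codes."""
    results = []
    for url, headers, body in dispatch_requests(event, os.environ):
        req = urllib.request.Request(url, data=body, headers=headers, method="POST")
        with urllib.request.urlopen(req, timeout=10) as resp:
            results.append({"url": url, "status": resp.status})  # 204 on success
    # Log the repository URLs and statuses only; the token never reaches the logs.
    print(json.dumps({"dispatched": results}))
    return {"dispatched": len(results)}


# Constructed sample event in the shape Lambda receives from an SNS subscription;
# the Message fields mirror the published AmazonIpSpaceChanged notification format.
SAMPLE_EVENT = {
    "Records": [
        {
            "EventSource": "aws:sns",
            "Sns": {
                "TopicArn": EXPECTED_TOPIC_ARN,
                "Message": json.dumps({
                    "create-time": "2026-04-14T00:00:00+00:00",
                    "synctoken": "0000000000",
                    "md5": "PLACEHOLDER-MD5",
                    "url": "https://ip-ranges.amazonaws.com/ip-ranges.json",
                }),
            },
        }
    ]
}

# Placeholder values; a real deployment sets these in the Lambda configuration.
SAMPLE_ENV = {
    "GITHUB_OWNER": "example-owner",
    "GITHUB_TOKEN": "ghp_PLACEHOLDER",
    "GITHUB_REPOS": "s3-only-pubvif, AWS-Geofeed",
}

if __name__ == "__main__":
    for url, _headers, _body in dispatch_requests(SAMPLE_EVENT, SAMPLE_ENV):
        print("would POST", url)
```

Keeping request construction separate from the network call means the topic check, repository parsing and header set can be unit tested without GitHub credentials, and the handler itself stays a short loop.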
To manually trigger the workflow for testing:

```bash
curl -X POST \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer YOUR_GITHUB_TOKEN" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/repos/OWNER/s3-only-pubvif/dispatches \
  -d '{"event_type":"webhook"}'
```

Or use the GitHub UI:
- Go to the Actions tab in your repository
- Select the generate-s3-prefix-lists workflow
- Click Run workflow → Run workflow
Check the Actions tab to see the workflow run and verify it completes successfully.
To receive notifications when S3 prefix lists are updated:
- Watch this repository: Click "Watch" → "All Activity" at the top of the page
- Subscribe to releases: Click "Watch" → "Custom" → Check "Releases" (a release is created for each update)
- RSS feed: Subscribe to the commits feed at https://github.com/OWNER/s3-only-pubvif/commits/main.atom
- Excludes China regions (cn-north-1, cn-northwest-1)
- IPv4 prefixes use 'le 24' to match more specific BGP announcements
- IPv6 prefixes use 'le 48' to match more specific BGP announcements
- Config files are only updated when actual IP ranges change
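The following is an added Python example, not the repository's GitHub Actions generator, showing how the published prefix lists are derived from `ip-ranges.json`: select `service == "S3"` entries for one region, skip the China regions, de-duplicate and sort, and render the Cisco IOS lines in the format shown above. It also handles an edge case the notes imply: IOS requires the prefix length to be strictly less than the `le` value, so a prefix already at or beyond /24 (or /48 for IPv6) is emitted as an exact match instead. The Junos output puts the `orlonger` qualifier in a `prefix-list-filter` inside a `policy-statement`, which is the placement I'm confident Junos accepts; the repository's own files follow the form shown earlier. The `ip-ranges.json` sample is constructed from documentation and shared address space and is not AWS data.

```python
"""Derive per-region S3 prefix lists from ip-ranges.json in Cisco IOS and Junos form.
Added example; not the repository's own generator."""
import ipaddress
import json

# Constructed sample in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json
# (documentation/shared ranges only; the real file has thousands of entries).
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2026-04-14-00-00-00",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/24", "region": "eu-west-1", "service": "S3"},
        {"ip_prefix": "100.64.0.0/22", "region": "eu-west-1", "service": "S3"},
        {"ip_prefix": "192.0.2.0/24", "region": "eu-west-1", "service": "AMAZON"},  # S3 ranges repeat under AMAZON
        {"ip_prefix": "203.0.113.0/24", "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "198.51.100.0/24", "region": "cn-north-1", "service": "S3"},
        {"ip_prefix": "100.64.4.0/26", "region": "us-east-1", "service": "S3"},  # longer than /24
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:100::/40", "region": "eu-west-1", "service": "S3"},
        {"ipv6_prefix": "2001:db8:200::/40", "region": "us-east-1", "service": "S3"},
    ],
})

# Left out of the generated lists, as the README notes.
EXCLUDED_REGIONS = {"cn-north-1", "cn-northwest-1"}


def covered_regions(ip_ranges_json):
    """Regions with at least one S3 prefix, minus the excluded ones (the table rows)."""
    data = json.loads(ip_ranges_json)
    regions = {p["region"] for key in ("prefixes", "ipv6_prefixes")
               for p in data[key] if p["service"] == "S3"}
    return sorted(regions - EXCLUDED_REGIONS)


def s3_prefixes(ip_ranges_json, region):
    """Return (ipv4, ipv6) S3 prefixes for one region, de-duplicated and sorted."""
    if region in EXCLUDED_REGIONS:
        raise ValueError(f"{region} is deliberately not covered")
    data = json.loads(ip_ranges_json)
    v4 = {p["ip_prefix"] for p in data["prefixes"]
          if p["service"] == "S3" and p["region"] == region}
    v6 = {p["ipv6_prefix"] for p in data["ipv6_prefixes"]
          if p["service"] == "S3" and p["region"] == region}
    # ip_network() rejects malformed entries, so a corrupt feed fails here rather than
    # becoming router config; sorting by network keeps diffs stable between runs.
    return sorted(v4, key=ipaddress.ip_network), sorted(v6, key=ipaddress.ip_network)


def le_suffix(prefix, cap):
    """' le <cap>' for prefixes shorter than cap. IOS requires len < le, so a prefix
    already at or beyond the cap gets an exact match (empty suffix) instead."""
    return f" le {cap}" if ipaddress.ip_network(prefix).prefixlen < cap else ""


def cisco_ios(region, v4, v6, step=5):
    """Cisco IOS prefix-list lines in the format documented above."""
    name = f"aws-s3-{region}"
    lines = [f"ip prefix-list {name} seq {i * step} permit {p}{le_suffix(p, 24)}"
             for i, p in enumerate(v4, 1)]
    lines += [f"ipv6 prefix-list {name} seq {i * step} permit {p}{le_suffix(p, 48)}"
              for i, p in enumerate(v6, 1)]
    return "\n".join(lines)


def juniper(region, v4, v6):
    """Junos policy-options: a plain prefix-list plus a policy-statement that applies
    it with 'orlonger' through prefix-list-filter."""
    name = f"aws-s3-{region}"
    out = ["policy-options {", f"    prefix-list {name} {{"]
    out += [f"        {p};" for p in v4 + v6]
    out += [
        "    }",
        f"    policy-statement import-{name} {{",
        "        term s3 {",
        f"            from prefix-list-filter {name} orlonger;",
        "            then accept;",
        "        }",
        "        then reject;",
        "    }",
        "}",
    ]
    return "\n".join(out)


if __name__ == "__main__":
    for region in covered_regions(SAMPLE_IP_RANGES):
        v4, v6 = s3_prefixes(SAMPLE_IP_RANGES, region)
        print(cisco_ios(region, v4, v6))
        print(juniper(region, v4, v6))
```

Because the output is sorted and de-duplicated, re-running the generator on an unchanged feed produces byte-identical files, which is what lets the repository update its configs only when the ranges actually change.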
While the prefix filters above reduce the number of routes received from AWS, you should also consider limiting the prefixes announced from your network to AWS.
Currently, AWS does not support filtering return traffic to only S3. Any prefixes you announce via the Direct Connect Public VIF will be reachable from all AWS services, not just S3. This means that even if you only accept S3 routes from AWS, traffic from EC2 and other services can still reach your network via Direct Connect.
Recommended approach: Announce only a /32 IPv4 prefix (single IP address) to AWS and use NAT/PAT (Port Address Translation) on your router to access S3. This minimizes your exposure while still allowing S3 traffic over Direct Connect.