Why public VIF must be used in AWS Direct Connect + VPN setup?

Question

I am unsure why public VIF must be used in AWS Direct Connect + VPN setup. Usually if you are connecting to Virtual Private Gateway you should use private VIF as shown in AWS Managed VPN. Why public VIF must be used in this case?

Diagram on AWS Direct Connect + VPN:

Diagram on AWS Managed VPN:

Edit 1:
Got a better understanding by watching AWS re:Invent 2018: AWS VPN Solutions (NET304). We need public VIF because AWS Site-to-Site VPN creates two public endpoints on a Virtual Private Gateway which are visible to public VIF only. Diagram from that talk:

Answer 1

The reason is that the AWS site-to-site service part of the solution does not reside within the VPC, it directly creates the relationship between the customer gateway and the virtual private gateway.

When you create this connection, within tunnel details you will find that you get 2 public IP addresses (to be clear a private VIF will only communicate with a single VPCs network range(s)).

The public VIF on the other hand will advertise all public IP address ranges found within Amazon. As the service resolves to a public IP address that falls in this range, the public VIF would advertise a more desirable route to use your new Direct Connect connection.

Answer 2

Public VIFs enable direct network access to services that are not reachable via a private IP address within our own VPC. like S3, Kinesis, etc.

We can only access resources with private ip in our VPC via Privates VIFs. like RDS, Ec2, etc.

Answer 3

since about 06-2022 AWS added support for VPN via private vif.

https://aws.amazon.com/de/blogs/networking-and-content-delivery/introducing-aws-site-to-site-vpn-private-ip-vpns/

Before that you have to get public IPs from AWS, also for your onPrem VPN gateways. Another option was to move from AWS products (vpn gateway or transit gateway) to virtual instances from other vendors or just linux with VPN sofware on it.