# Direct Connect gateways and transit gateway associations
<a name="direct-connect-transit-gateways"></a>

You can use Direct Connect gateway to connect your Direct Connect connection over a transit virtual interface to the VPCs or VPNs that are attached to your transit gateway. You associate a Direct Connect gateway with the transit gateway. Then, create a transit virtual interface for your Direct Connect connection to the Direct Connect gateway. 

The following rules apply to transit gateway associations:
+ You cannot attach a Direct Connect gateway to a transit gateway when the Direct Connect gateway is already associated with a virtual private gateway or is attached to a private virtual interface.
+ There are limits for creating and using Direct Connect gateways. For more information, see [Direct Connect quotas](limits.md).
+ A Direct Connect gateway supports communication between attached transit virtual interfaces and associated transit gateways.
+ If you connect to multiple transit gateways that are in different Regions, use unique ASNs for each transit gateway.
+ Any point-to-point connectivity address using a `/30` range — for example, `192.168.0.0/30` — does not propagate to a transit gateway.

## Associating a transit gateway across accounts
<a name="multi-account-associate-tgw"></a>

You can associate an existing Direct Connect gateway or a new Direct Connect gateway with a transit gateway that is owned by any AWS account. The owner of the transit gateway creates an *association proposal* and the owner of the Direct Connect gateway must accept the association proposal.

An association proposal can contain prefixes that will be allowed from the transit gateway. The owner of the Direct Connect gateway can optionally override any requested prefixes in the association proposal.

### Allowed prefixes
<a name="allowed-prefixes-transit-gateway"></a>

For a transit gateway association, you provision the allowed prefixes list on the Direct Connect gateway. The list is used to route traffic from on-premises to AWS into the transit gateway even if the VPCs attached to the transit gateway do not have assigned CIDRs. Prefixes in the Direct Connect gateway allowed prefix list originate on the Direct Connect gateway and are advertised to the on-premises network. For more information on how allowed prefixes interact with transit gateway and virtual private gateways, see [Allowed prefixes interactions](allowed-to-prefixes.md).

**Topics**
+ [Associating a transit gateway across accounts](#multi-account-associate-tgw)
+ [Associate or disassociate a transit gateway with Direct Connect.](associate-tgw-with-direct-connect-gateway.md)
+ [Create a transit virtual interface to the Direct Connect gateway](create-transit-vif-for-gateway.md)
+ [Create a transit gateway association proposal](multi-account-tgw-create-proposal.md)
+ [Accept or reject a transit gateway association proposal](multi-account-tgw-accept-reject-proposal.md)
+ [Update the allowed prefixes for a transit gateway association](multi-account-tgw-update-proposal-routes.md)
+ [Delete a transit gateway association proposal](multi-account-tgw-delete-proposal.md)

# Associate or disassociate Direct Connect with a transit gateway
<a name="associate-tgw-with-direct-connect-gateway"></a>

Associate or disassociate a transit gateway using either the Direct Connect console or using the command line or API.

**To associate a transit gateway**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. In the navigation pane, choose **Direct Connect Gateways** and then select the Direct Connect gateway.

1. Choose **View details**.

1. Choose **Gateway associations** and then choose **Associate gateway**.

1. For **Gateways**, choose the transit gateway to associate.

1. In **Allowed prefixes**, enter the prefixes (separated by a comma, or on a new line) which the Direct Connect gateway advertises to the on-premises data center. For more information on allowed prefixes, see [Allowed prefixes interactions](allowed-to-prefixes.md).

1. Choose **Associate gateway**

You can view all of the gateways that are associated with the Direct Connect gateway by choosing **Gateway associations**. 

**To disassociate a transit gateway**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. In the navigation pane, choose **Direct Connect gateways** and then select the Direct Connect gateway.

1. Choose **View details**.

1. Choose **Gateway associations** and then select the transit gateway.

1. Choose **Disassociate**.

**To update allowed prefixes for a transit gateway**

You can add or remove allowed prefixes to the transit gateway.

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. In the navigation pane, choose **Direct Connect gateways** and then choose the Direct Connect gateway you want to add or remove allowed prefixes for.

1. Choose the **Gateway associations** tab.

1. Choose the gateway you want to modify allowed prefixes for, and then choose **Edit**.

1. In **Allowed prefixes**, enter the prefixes which the Direct Connect gateway advertises to the on-premises data center. For multiple prefixes, separate each prefix by a comma or put each prefix on a new line. The prefixes you add should match the Amazon VPC CIDRs for all virtual private gateways. For more information on allowed prefixes, see [Allowed prefixes interactions](allowed-to-prefixes.md).

1. Choose **Edit association**. 

   In the **Gateway association** section the **State** displays **updating**. When complete, the **State** changes to **associated**. This might take several minutes or longer to complete.

**To associate a transit gateway using the command line or API**
+ [create-direct-connect-gateway-association](https://docs.aws.amazon.com/cli/latest/reference/directconnect/create-direct-connect-gateway-association.html) (AWS CLI)
+ [CreateDirectConnectGatewayAssociation](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_CreateDirectConnectGatewayAssociation.html) (Direct Connect API)

**To view the transit gateways associated with a Direct Connect gateway using the command line or API**
+ [describe-direct-connect-gateway-associations](https://docs.aws.amazon.com/cli/latest/reference/directconnect/describe-direct-connect-gateway-associations.html) (AWS CLI)
+ [DescribeDirectConnectGatewayAssociations](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_DescribeDirectConnectGatewayAssociations.html) (Direct Connect API)

**To disassociate a transit gateway using the command line or API**
+ [delete-direct-connect-gateway-association](https://docs.aws.amazon.com/cli/latest/reference/directconnect/delete-direct-connect-gateway-association.html) (AWS CLI)
+ [DeleteDirectConnectGatewayAssociation](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_DeleteDirectConnectGatewayAssociation.html) (Direct Connect API)

**To update allowed prefixes for a transit gateway using the command line or API**
+ [update-direct-connect-gateway-association](https://docs.aws.amazon.com/cli/latest/reference/directconnect/update-direct-connect-gateway-association.html) (AWS CLI)
+ [UpdateDirectConnectGatewayAssociation](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_UpdateDirectConnectGatewayAssociation.html) (Direct Connect API)

# Create a transit virtual interface to the Direct Connect gateway
<a name="create-transit-vif-for-gateway"></a>

To connect your Direct Connect connection to the transit gateway, you must create a transit interface for your connection. Specify the Direct Connect gateway to which to connect. You can use either the Direct Connect console or use the command line or API.

**Important**  
If you associate your transit gateway with one or more Direct Connect gateways, the Autonomous System Number (ASN) used by the transit gateway and the Direct Connect gateway must be different. For example, if you use the default ASN 64512 for both the transit gateway and the Direct Connect gateway, the association request fails.

**To provision a transit virtual interface to a Direct Connect gateway**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. In the navigation pane, choose **Virtual Interfaces**.

1. Choose **Create virtual interface**.

1. Under **Virtual interface type**, for **Type**, choose **Transit**.

1. Under **Transit virtual interface settings**, do the following:

   1. For **Virtual interface name**, enter a name for the virtual interface.

   1. For **Connection**, choose the Direct Connect connection that you want to use for this interface.

   1. For **Virtual interface owner**, choose **My AWS account** if the virtual interface is for your AWS account.

   1.  For **Direct Connect gateway**, select the Direct Connect gateway.

   1. For **VLAN**, enter the ID number for your virtual local area network (VLAN). 

   1. For **BGP ASN**, enter the Border Gateway Protocol Autonomous System Number of your on-premises peer router for the new virtual interface.

      The valid values are 1 to 4294967294. This includes support for both ASNs (1-2147483647) and long ASNs (1-4294967294). For more information about ASNs and long ASNs see [Long ASN support in Direct Connect](long-asn-support.md). 

1. Under **Additional Settings**, do the following:

   1. To configure an IPv4 BGP or an IPv6 peer, do the following:

      [IPv4] To configure an IPv4 BGP peer, choose **IPv4** and do one of the following:
      + To specify these IP addresses yourself, for **Your router peer ip**, enter the destination IPv4 CIDR address to which Amazon should send traffic. 
      + For **Amazon router peer ip**, enter the IPv4 CIDR address to use to send traffic to AWS.
**Important**  
When configuring AWS Direct Connect virtual interfaces, you can specify your own IP addresses using RFC 1918, use other addressing schemes, or opt for AWS assigned IPv4 /29 CIDR addresses allocated from the RFC 3927 169.254.0.0/16 IPv4 Link-Local range for point-to-point connectivity. These point-to-point connections should be used exclusively for eBGP peering between your customer gateway router and the Direct Connect endpoint. For VPC traffic or tunnelling purposes, such as AWS Site-to-Site Private IP VPN, or Transit Gateway Connect, AWS recommends using a loopback or LAN interface on your customer gateway router as the source or destination address instead of the point-to-point connections.  
For more information about RFC 1918, see [Address Allocation for Private Internets](https://datatracker.ietf.org/doc/html/rfc1918).
For more information about RFC 3927, see [Dynamic Configuration of IPv4 Link-Local Addresses](https://datatracker.ietf.org/doc/html/rfc3927).

      [IPv6] To configure an IPv6 BGP peer, choose **IPv6**. The peer IPv6 addresses are automatically assigned from Amazon's pool of IPv6 addresses. You cannot specify custom IPv6 addresses.

   1. To change the maximum transmission unit (MTU) from 1500 (default) to 8500 (jumbo frames), select **Jumbo MTU (MTU size 8500)**.

   1. (Optional) Under **Enable SiteLink**, choose **Enabled** to enable direct connectivity between Direct Connect points of presence.

   1. (Optional) Add or remove a tag.

      [Add a tag] Choose **Add tag** and do the following:
      + For **Key**, enter the key name.
      + For **Value**, enter the key value.

      [Remove a tag] Next to the tag, choose **Remove tag**.

1. Choose **Create virtual interface**.

After you've created the virtual interface, you can download the router configuration for your device. For more information, see [Download the router configuration file](vif-router-config.md).

**To create a transit virtual interface using the command line or API**
+ [create-transit-virtual-interface](https://docs.aws.amazon.com/cli/latest/reference/directconnect/create-transit-virtual-interface.html) (AWS CLI)
+ [CreateTransitVirtualInterface](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_CreateTransitVirtualInterface.html) (Direct Connect API)

**To view the virtual interfaces that are attached to a Direct Connect gateway using the command line or API**
+ [describe-direct-connect-gateway-attachments](https://docs.aws.amazon.com/cli/latest/reference/directconnect/describe-direct-connect-gateway-attachments.html) (AWS CLI)
+ [DescribeDirectConnectGatewayAttachments](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_DescribeDirectConnectGatewayAttachments.html) (Direct Connect API)

# Create a transit gateway and Direct Connect association proposal
<a name="multi-account-tgw-create-proposal"></a>

If you own the transit gateway, you must create the association proposal. The transit gateway must be attached to a VPC or VPN in your AWS account. The owner of the Direct Connect gateway must share the ID of the Direct Connect gateway and the ID of its AWS account. After you create the proposal, the owner of the Direct Connect gateway must accept it in order for you to gain access to the on-premises network over Direct Connect. You can create an association proposal using either the Direct Connect console or using the command line or API.

**To create an association proposal**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. In the navigation pane, choose **Transit gateways** and then select the transit gateway.

1. Choose **View details**.

1. Choose **Direct Connect gateway associations** and then choose **Associate Direct Connect gateway**.

1. Under **Association account type**, for **Account owner**, choose **Another account**.

1. For **Direct Connect gateway owner**, enter the ID of the account that owns the Direct Connect gateway.

1. Under **Association settings**, do the following:

   1. For **Direct Connect gateway ID**, enter the ID of the Direct Connect gateway.

   1. For **Virtual interface owner**, enter the ID of the account that owns the virtual interface for the association.

   1. (Optional) To specify a list of prefixes to be allowed from the transit gateway, add the prefixes to **Allowed prefixes**, separating them using commas, or entering them on separate lines.

1. Choose **Associate Direct Connect gateway**.

**To create an association proposal using the command line or API**
+ [create-direct-connect-gateway-association-proposal](https://docs.aws.amazon.com/cli/latest/reference/directconnect/create-direct-connect-gateway-association-proposal.html) (AWS CLI)
+ [CreateDirectConnectGatewayAssociationProposal](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_CreateDirectConnectGatewayAssociationProposal.html) (Direct Connect API)

# Accept or reject a transit gateway and Direct Connect association proposal
<a name="multi-account-tgw-accept-reject-proposal"></a>

If you own the Direct Connect gateway, you must accept the association proposal in order to create the association. You also have the option of rejecting the association proposal. You can accept or reject the association proposal using either the Direct Connect console or using the command line or API.

**To accept an association proposal**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. In the navigation pane, choose **Direct Connect gateways**.

1. Select the Direct Connect gateway with pending proposals and then choose **View details**.

1. On the **Pending proposals** tab, select the proposal and then choose **Accept proposal**.

1. ((Optional) To specify a list of prefixes to be allowed from the transit gateway, add the prefixes to **Allowed prefixes**, separating them using commas, or entering them on separate lines.

1. Choose **Accept proposal**.

**To reject an association proposal**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. In the navigation pane, choose **Direct Connect gateways**.

1. Select the Direct Connect gateway with pending proposals and then choose **View details**.

1. On the **Pending proposals** tab, select the transit gateway and then choose **Reject proposal**.

1. In the **Reject proposal** dialog box, enter Delete and then choose **Reject proposal**.

**To view association proposals using the command line or API**
+ [describe-direct-connect-gateway-association-proposals](https://docs.aws.amazon.com/cli/latest/reference/directconnect/describe-direct-connect-gateway-association-proposals.htm) (AWS CLI)
+ [DescribeDirectConnectGatewayAssociationProposals](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_DescribeDirectConnectGatewayAssociationProposals.html) (Direct Connect API)

**To accept an association proposal using the command line or API**
+ [accept-direct-connect-gateway-association-proposal](https://docs.aws.amazon.com/cli/latest/reference/directconnect/accept-direct-connect-gateway-association-proposal.html) (AWS CLI)
+ [AcceptDirectConnectGatewayAssociationProposal](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_AcceptDirectConnectGatewayAssociationProposal.html) (Direct Connect API)

**To reject an association proposal using the command line or API**
+ [delete-direct-connect-gateway-association-proposal](https://docs.aws.amazon.com/cli/latest/reference/directconnect/delete-direct-connect-gateway-association-proposal.html) (AWS CLI)
+ [DeleteDirectConnectGatewayAssociationProposal](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_DeleteDirectConnectGatewayAssociationProposal.html) (Direct Connect API)

# Update the allowed prefixes for a transit gateway and Direct Connect association
<a name="multi-account-tgw-update-proposal-routes"></a>

You can update the prefixes that are allowed from the transit gateway over the Direct Connect gateway using either the Direct Connect console or using the command line or API. To update the allowed prefixes for a transit gateway and Direct Connect association using the Direct Connect console, 
+  If you're the owner of the transit gateway. you'll need to create a new association proposal for that Direct Connect gateway, specifying the prefixes to allow. For the steps to create a new association proposal, see [Create a transit gateway association proposal](multi-account-tgw-create-proposal.md).
+  If you're the owner of the Direct Connect gateway you can update the allowed prefixes when you accept the association proposal, or if you update the allowed prefixes for an existing association. For the steps to update the allowed prefixes when you accept the association, see [Accept or reject a transit gateway association proposal](multi-account-tgw-accept-reject-proposal.md).

**To update the allowed prefixes for an existing association using the command line or API**
+ [update-direct-connect-gateway-association](https://docs.aws.amazon.com/cli/latest/reference/directconnect/update-direct-connect-gateway-association.html) (AWS CLI)
+ [UpdateDirectConnectGatewayAssociation](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_UpdateDirectConnectGatewayAssociation.html) (Direct Connect API)

# Delete a transit gateway and Direct Connect association proposal
<a name="multi-account-tgw-delete-proposal"></a>

The owner of the transit gateway can delete the Direct Connect gateway association proposal if it is still pending acceptance. After an association proposal is accepted, you can't delete it, but you can disassociate the transit gateway from the Direct Connect gateway. For more information, see [Create a transit gateway association proposal](multi-account-tgw-create-proposal.md).

You can delete a transit gateway and Direct Connect association proposal using either the Direct Connect console or using the command line or API.

**To delete an association proposal**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. In the navigation pane, choose **Transit gateways** and then select the transit gateway.

1. Choose **View details**.

1. Choose **Pending gateway associations**, select the association and then choose **Delete association**.

1. In the **Delete association proposal** dialog box, enter **Delete** and then choose **Delete**.

**To delete a pending association proposal using the command line or API**
+ [delete-direct-connect-gateway-association-proposal](https://docs.aws.amazon.com/cli/latest/reference/directconnect/delete-direct-connect-gateway-association-proposal.html) (AWS CLI)
+ [DeleteDirectConnectGatewayAssociationProposal](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_DeleteDirectConnectGatewayAssociationProposal.html) (Direct Connect API)