

# Attachments in AWS Cloud WAN

You can work with core network attachments using the Amazon VPC Console or the command line or API. 

Attachment states can be one of the following. Attachment states appear on the Attachments page of the AWS Cloud WAN console.
+ **Creating** — Creation of an attachment is in process.
+ **Deleting** — Deletion of an attachment is in process.
+ **Pending network update** — Waiting for the connection of attachments to the core network.
+ **Pending tag acceptance** — Waiting for the core network owner to review the tag change for an attachment.
+ **Pending attachment acceptance** — Waiting for the core network owner to accept or reject an attachment.
+ **Rejected** — The core network owner rejected the attachment.
+ **Available** — The attachment is fully functional.
+ **Failed** — The attachment failed to attach to the core network. For example, this might be due to an input error or a service linked role issue.

The following are the supported core network attachment types. 
+ Direct Connect
+ Connect

  You can also create a Connect peer through the Network Manager console. 
+ VPC
+ Transit gateway route table

You can create an attachment using either the Network Manager console or the command line or API.

## Route evaluation


Cloud WAN evaluates routes at each core network edge in the following order:

1. The most specific route for the destination

1. For routes with the same destination IP address, but different targets, the following route priority is used:

   1. Static routes

   1. VPC-propagated routes in the same Region.

   1. For dynamic routes received at the core network with an *unequal* AS path length and/or MED BGP attributes, Cloud WAN evaluates them in the following order:

      1.  AS path length

      1.  MED

   1. For dynamic routes received at the core network with *equal* AS path length and MED BGP attributes, Cloud WAN evaluates them in the following order:

      1.  Direct Connect gateway-propagated routes.

      1.  Cloud WAN Connect-propagated routes in the same Region.

      1.  Site-to-Site VPN-propagated routes in the same Region.

      1. Routes propagated from other sources, such as transit gateway peering and core network edges in other remote Regions over the AWS global infrastructure. If identical routes are received from two or more sources, a single attachment will be chosen in a deterministically random manner. 
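The evaluation order above can be modelled as a sort key. The following Python sketch is an added example, not AWS code: the `Route` fields, the `kind` labels, the sample route table, and the SHA-256 tie-break standing in for the "deterministically random" choice are all assumptions made for illustration.

```python
import hashlib
import ipaddress
from dataclasses import dataclass

# Order used only when AS path length and MED are equal (lower wins).
DYNAMIC_SOURCE_RANK = {
    "dx-gateway": 0,  # Direct Connect gateway-propagated
    "connect": 1,     # Connect-propagated, same Region
    "s2s-vpn": 2,     # Site-to-Site VPN-propagated, same Region
    "other": 3,       # transit gateway peering, edges in remote Regions
}


@dataclass(frozen=True)
class Route:
    prefix: str
    attachment_id: str
    kind: str            # "static", "vpc" (same Region) or a DYNAMIC_SOURCE_RANK key
    as_path_len: int = 0
    med: int = 0


def priority(route):
    """Sort key for routes to the same prefix; the smallest key wins."""
    if route.kind == "static":
        return (0,)
    if route.kind == "vpc":
        return (1,)
    # Assumption: usual BGP preference (shorter AS path, then lower MED).
    # Assumption: the final pick among identical routes is modelled as a hash
    # of the attachment ID, so it is stable but not chosen by the operator.
    tiebreak = hashlib.sha256(route.attachment_id.encode()).hexdigest()
    return (2, route.as_path_len, route.med,
            DYNAMIC_SOURCE_RANK[route.kind], tiebreak)


def best_route(routes, destination):
    """Longest-prefix match first, then the priority order above."""
    dest = ipaddress.ip_address(destination)
    matches = [(ipaddress.ip_network(r.prefix), r) for r in routes]
    matches = [(n, r) for n, r in matches
               if n.version == dest.version and dest in n]
    if not matches:
        return None
    longest = max(n.prefixlen for n, _ in matches)
    return min((r for n, r in matches if n.prefixlen == longest), key=priority)


# Constructed sample route table for one core network edge.
ROUTES = [
    Route("10.0.0.0/8", "att-static-hub", "static"),
    Route("10.1.0.0/16", "att-connect-a", "connect", as_path_len=3, med=0),
    Route("10.1.0.0/16", "att-vpn-a", "s2s-vpn", as_path_len=1, med=50),
    Route("10.1.0.0/16", "att-dx-a", "dx-gateway", as_path_len=1, med=50),
    Route("10.1.0.0/16", "att-peer-a", "other", as_path_len=1, med=100),
    Route("10.2.0.0/16", "att-vpc-a", "vpc"),
    Route("10.2.0.0/16", "att-dx-a", "dx-gateway", as_path_len=1, med=0),
    Route("10.3.0.0/16", "att-peer-a", "other", as_path_len=2, med=0),
    Route("10.3.0.0/16", "att-peer-b", "other", as_path_len=2, med=0),
]

if __name__ == "__main__":
    for ip in ("10.1.2.3", "10.2.0.1", "10.200.0.1", "10.3.0.1"):
        print(ip, "->", best_route(ROUTES, ip))
```

Running a planned route set through a model like this before a policy change shows which attachment would carry traffic for a destination, which helps confirm that an inspection or segmentation path is not displaced by a more specific or higher-priority route.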

**Topics**
+ [Route evaluation](#cloudwan-route-evaluation)
+ [Connect attachments and Connect peers](cloudwan-connect-attachment.md)
+ [Direct Connect gateway attachments](cloudwan-dxattach-about.md)
+ [VPC attachments](cloudwan-vpc-attachment.md)
+ [Site-to-Site VPN attachments in Cloud WAN](cloudwan-s2s-vpn-attachment.md)
+ [Transit gateway route table attachments](cloudwan-tgw-attachment.md)
+ [Accept or reject a core network attachment](cloudwan-attachments-acceptance.md)
+ [Delete an attachment](cloudwan-attachments-deleting.md)

# Connect attachments and Connect peers in AWS Cloud WAN

You can create a transit gateway Connect attachment to establish a connection between a core network edge and third-party virtual appliances (such as SD-WAN appliances) running in Amazon VPC. A Connect attachment supports both the Generic Routing Encapsulation (GRE) tunnel protocol and Tunnel-less connect protocol for high performance, and the Border Gateway Protocol (BGP) for dynamic routing. After you create a Connect attachment, you can create one or more GRE or Tunnel-less Connect tunnels (also referred to as Transit Gateway Connect peers) on the Connect attachment to connect the core network edge and the third-party appliance. You establish two BGP sessions over the tunnel to exchange routing information. The two BGP sessions are for redundancy. A Connect attachment uses an existing VPC attachment as the underlying transport mechanism. This is referred to as the transport attachment. 

The Core Network Edge identifies matched GRE packets from the third-party appliance as traffic from the Connect attachment. It treats any other packets, including GRE packets with incorrect source or destination information, as traffic from the transport attachment.

You can create a Connect attachment through either the AWS Network Manager console or using the CLI/SDK.

**Note**  
A Connect attachment must be created in the same AWS account that owns the core network.

## Tunnel-less Connect


 AWS Cloud WAN supports Tunnel-less Connect for VPC Connect attachments. Tunnel-less Connect provides a simpler way to build a global SD-WAN using AWS. Third-party SD-WAN appliances can peer with Cloud WAN using Border Gateway Protocol (BGP) without needing to deploy IPsec or GRE-based tunnels between the appliance and Cloud WAN. This allows you to deploy a Cloud WAN core network across multiple AWS Regions and to connect one or more of your third-party SD-WAN appliances to core network edges in each Region. Because Tunnel-less Connect has no tunneling overhead, it provides better performance and peak bandwidth on TLC attachments. IPSec provides 1.25G, allowing you to combine up to eight tunnels while providing up to the entire VPC attachment bandwidth. GRE supports only 5G, which means you'd need to deploy specialized techniques, such as ECMP (Equal Cost Multi-pathing), for scaling bandwidth across tunnels. 

You can use the console or API to specify the Tunnel-less Connect protocol. 

In order to use Tunnel-less Connect, note the following:
+ Your SD-WAN appliance must support BGP. The appliance must be deployed in a VPC and use a Connect attachment enabled for the tunnel-less operation in order to connect your SD-WAN appliance to a core network edge.
+ Attachment policy tags or resource names are used to associate the Tunnel-less Connect attachment to the SD-WAN segment.
+ Both Connect (GRE) and Connect (Tunnel-less) attachments can co-exist in the same VPC. There is a maximum of one Connect (Tunnel-less) attachment per VPC.
+ Tunnel-less Connect and any underlying transport VPC attachments must be associated to the same core network segment.
+ Inside CIDR blocks are not an input when creating a Tunnel-less Connect peer; they are instead taken from the connecting core network edge.

## Routing


Tunnel-less Connect uses BGP for dynamic routing. Therefore, any third-party SD-WAN appliance you want to use for Tunnel-less Connect must support BGP. SD-WAN appliances peer with a core network using the Connect attachment functioning in a tunnel-less manner. It uses native BGP to dynamically exchange routing and reachability information between the SD-WAN appliance in the VPC and the core network edge. We recommend using a different autonomous system number (ASN) on your SD-WAN appliance from the one configured on the core network edge.

Tunnel-less Connect also supports Multiprotocol extension for BGP (MP-BGP) in order to support both IPv4/IPv6 address families.

You'll need to configure the following in the VPC route table used for Tunnel-less Connect:
+  The core network edge BGP IP address. This is necessary to bring up the BGP session between the core network edge and the SD-WAN appliance.
+ If your third-party appliance is in a different subnet from the VPC attachment, you'll need to add all destination prefixes.

For more information about route tables, see [Configure route tables](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html) in the *Amazon VPC User Guide*.

## Third-party appliance limitations


An AWS Cloud WAN tunnel-less attachment peer (third-party appliance) can be located in the same subnet as the VPC attachment (transport attachment) subnet or a different subnet. The following limitations apply if your third-party appliance is located either in the same subnet as the Cloud WAN VPC attachment or in different subnets. 

**For third-party appliances in the same subnet as the Cloud WAN VPC attachment:**
+ When the third-party appliance is in the same subnet as the VPC attachment, routes are dynamically exchanged using BGP with the core network edge. For the dataplane to function correctly, no VPC route table modifications are required except for adding the core network BGP addresses to establish BGP peering.
+ The BGP IPv4 prefixes advertised by the core network edge to your third-party appliance will have the core network attachment's Elastic Network Interface's (ENI) IPv4 address as the next-hop address, which differs from the core network BGP address peering.
+ The BGP IPv6 prefixes advertised by the core network edge to your third-party appliance will use the EUI-64 Address of the core network attachment's ENI as the next-hop.

**For third-party appliances in a different subnet from the Cloud WAN VPC attachment:**
+ If the third-party appliance is in a different subnet from the VPC attachment, you can still establish dynamic route exchange with the core network edge using BGP. However, in addition to adding the core network BGP addresses for peering, you must modify the VPC route table for the dataplane to function correctly. This includes adding the prefixes received from the core network edge BGP peer into the route table. You can create a summary route that encompasses the longest prefixes advertised by the core network edge.
+ The BGP IPv4 prefixes advertised by the core network edge to your third-party appliance will have the core network BGP address as the next-hop.
+ The BGP IPv6 prefixes advertised by the core network edge to your third-party appliance will use IPv4-mapped IPv6 addresses of the core network BGP address as the next-hop.

It's recommended that you place your third-party appliance in the same subnet as the Cloud WAN VPC attachment for more seamless integration with Tunnel-less connect.

**Topics**
+ [Tunnel-less Connect](#cloudwan-connect-tlc)
+ [Routing](#cloudwan-tlc-routing)
+ [Third-party appliance limitations](#cloudwan-tlc-appliance)
+ [Create a Connect attachment](cloudwan-connect-attachment-add.md)
+ [View or edit a Connect attachment](cloudwan-attachments-viewing-editing-connect.md)
+ [Add a Connect peer](cloudwan-connect-peer-attachment.md)

# Create a Connect attachment for an AWS Cloud WAN core network

You can create a Connect attachment using either the Network Manager console or using the AWS CLI. Once you create a Connect attachment to your core network you can create a Connect peer. For the steps to create a Connect peer after creating the Connect attachment, see [Create an AWS Cloud WAN Connect peer for a core network](cloudwan-connect-peer-attachment.md).

**Topics**
+ [Create a Connect attachment using the console](#cloudwan-connect-attachment-console)
+ [Create a Connect attachment or Connect peer using the command line or API](#cloudwan-connect-attachment-cli)

## Create a Connect attachment using the console


The following steps create a Connect attachment for a core network using the console. 

**To create a Connect attachment using the console**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity**, choose **Global networks**.

1. On the **Global networks** page, choose the global network link for the core network you want to add an attachment to.

1. In the navigation pane under the name of the global network, choose **Attachments**.

1. Choose **Create attachment**.

1. Enter a **name** identifying the attachment.

1. From the **Edge location** dropdown list, choose the location where the attachment is located.

1. Choose **Connect**.

1. From the **Connect attachment** section, choose the Connect protocol. This will be either:
   + **GRE**
   + **Tunnel-less (No encapsulation)**

1. Choose the **Transport Attachment ID** that will be used for the Connect attachment.

1. (Optional) For **Routing policy label**, provide a label that will be used to map this policy to attachments. The policy will automatically be applied to any attachment tagged with the same label.

1. (Optional) In the **Tags** section, add **Key** and **Value** tags to further help identify this resource. You can add multiple tags by choosing **Add tag**, or remove any tag by choosing **Remove tag**.

1. Choose **Create attachment**.

## Create a Connect attachment or Connect peer using the command line or API


Use the command line or API to create an AWS Cloud WAN Connect attachment. When using the `CreateConnectAttachment` API to create a Tunnel-less Connect attachment, pass the following: `"Protocol" : "NO_ENCAP"`.

**To create a Connect attachment or Connect peer using the command line or API**
+ Use `create-connect-attachment`. See [create-connect-attachment](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/networkmanager/create-connect-attachment.html).

If you're creating a Tunnel-less Connect attachment, you must then use the following command line or API to create the Connect peer:
+ `create-connect-peer`. See [create-connect-peer](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/networkmanager/create-connect-peer.html).

# View or edit an AWS Cloud WAN Connect attachment

You can view information about a Connect attachment. For an existing attachment you can create a GRE or Tunnel-less Connect peer, as well as edit the key-value tags associated with the attachment. If you want to add a new Connect attachment, see [Connect attachments and Connect peers in AWS Cloud WAN](cloudwan-connect-attachment.md).

## View and edit a Connect attachment


**To view and edit a Connect peer attachment**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity**, choose **Global networks**.

1. On the **Global networks** page, choose the global network ID.

1. Under **Core network** in the navigation pane, choose **Attachments**.

1. Select the check box for an attachment where the **Resource Type** is **Connect**. 

1. Details about the attachment are displayed, as well as any Connect peers and tags that are associated with the attachment. Here you can also add a new Connect peer, as well as add, edit, or remove tags.
   + To add a new GRE or Tunnel-less Connect peer attachment, choose the **Connect peers** tab and follow the steps here: [Create an AWS Cloud WAN Connect peer for a core network](cloudwan-connect-peer-attachment.md).
   + To add or edit attachment Tags, choose the **Tags** tab. The current list of tags associated with this attachment are displayed. Choose **Edit tags** to modify or delete current tags, and to add new tags. If you made any changes, choose **Edit attachment** to save the changes. The **Attachments** page displays along with a confirmation that the attachment was modified successfully.

## Manage a Connect routing policy label


You can create, modify, or delete routing policy labels for an attachment. Once you add or modify a routing policy label, you'll need to map or remap it to an attachment routing policy. Deleting a routing policy label removes any association with an attachment routing policy.

**To manage attachment routing policy labels**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity**, choose **Global networks**.

1. On the **Global networks** page, choose the global network link for the core network with the attachment.

1. In the navigation pane under the name of the global network, choose **Attachments**.

1. Choose the attachment.

1. In the section showing details about the attachment, choose the **Routing policy** tab, and then choose **Edit**.

1. Choose **Create** to create a new routing policy label, or choose **Edit** to modify the **Routing policy label** as needed.

1. After creating or modifying a routing policy label, you can then associate that label with an attachment routing policy.

1. In the **Attachment routing policy association** section choose the attachment routing policy association you want to map to the routing policy label.

You can delete a routing policy label for an attachment. Once you delete an attachment, the association from an attachment routing policy is removed permanently.

**To delete an attachment routing policy label**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity**, choose **Global networks**.

1. On the **Global networks** page, choose the global network link for the core network with the attachment.

1. In the navigation pane under the name of the global network, choose **Attachments**.

1. Choose the attachment.

1. In the section showing details about the attachment, choose the **Routing policy** tab, and then choose **Delete**.

1. Choose **Delete** again to confirm the removal. If the routing policy label was mapped to an attachment routing policy, the **Attachment routing policy association** section updates and removes the policy from the list. 

## View a Connect or Connect peer attachment using the command line or API


Use the command line or API to view a Connect or Connect peer attachment.

**To view a Connect or Connect peer attachment using the command line or API**
+ For a Connect attachment, see [get-connect-attachment](https://docs.aws.amazon.com/cli/latest/reference/networkmanager/get-connect-attachment.html).
+ For a Connect peer attachment, see [get-connect-peer](https://docs.aws.amazon.com/cli/latest/reference/networkmanager/get-connect-peer.html).

# Create an AWS Cloud WAN Connect peer for a core network

You can create either a GRE Connect peer or a Tunnel-less Connect peer for an existing Connect attachment using either the AWS Cloud WAN console or the command line/API.

**Topics**
+ [Add a GRE Connect peer using the console](#cloudwan-connect-peer-console)
+ [Add a Tunnel-less Connect peer using the console](#cloudwan-connect-peer-tlc-attachment)
+ [Add a Connect peer using the command line or API](#cloudwan-connect-peer-cli)

## Add a GRE Connect peer using the console


The following steps add a GRE Connect peer using the console. 

**To add a Connect peer using the console**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity**, choose **Global networks**.

1. On the **Global networks** page, choose the global network ID.

1. Under **Core network** in the navigation pane, choose **Attachments**.

1. Choose an attachment with a resource type of **Connect**.

   The **Details** tab displays the **Connect protocol**. Make sure to choose a Connect attachment where the Connect protocol is **GRE**. 

1. Choose the **Connect peers** tab.

1. Choose **Create Connect peer**.

1. Enter a **Name** to identify the Connect peer.

1. (Optional) For the **Core network GRE address**, enter the GRE outer IP address for the core network edge. By default, the first available address from the Inside CIDR block is used.

1. For the **Peer GRE address**, enter the GRE outer IP address for the customer appliance. This is the peer IP address (GRE outer IP address) on the appliance side of the Connect peer.

   This can be any IP address. The IP address can be an IPv4 or IPv6 address, but it must be the same IP address family as the transit gateway address.

1. For **BGP Inside CIDR blocks IPv4**, enter the range of inside IPv4 addresses used for BGP peering. Use a `/29` CIDR block from the `169.254.0.0/16` range.

1. (Optional) For **BGP Inside CIDR blocks IPv6**, enter the range of inside IPv6 addresses used for BGP peering. Use a `/125` CIDR block from the `fd00::/8` range.

1. For **Peer ASN**, specify the Border Gateway Protocol (BGP) Autonomous System Number (ASN) for the appliance. You can use an existing ASN that's assigned to your network. If you do not have one, you can use any ASN in the `1-4294967294` range.

   The default is the same ASN as the core network edge. If you configure the **Peer ASN** to be different than the core network edge ASN (eBGP), you must configure ebgp-multihop with a time-to-live (TTL) value of `2`.

1. (Optional) In the **Tags** section, add **Key** and **Value** pairs to further help identify this resource. You can add multiple tags by choosing **Add tag**, or remove any tag by choosing **Remove tag**.

1. Choose **Create Connect peer**.

## Add a Tunnel-less Connect peer using the console


The following steps add a Tunnel-less Connect peer using the console. 

**To add a Tunnel-less Connect peer using the console**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity**, choose **Global networks**.

1. On the **Global networks** page, choose the global network ID.

1. Under **Core network** in the navigation pane, choose **Attachments**.

1. Choose an attachment with a resource type of **Connect**.

   The **Details** tab displays the **Connect protocol**. Make sure to choose a Connect attachment where the Connect protocol is **NO_ENCAP**.

1. Choose the **Connect peers** tab.

1. Choose **Create Connect peer**.

1. Enter a **Name** to identify the Tunnel-less Connect peer.

1. For the **Peer BGP address**, enter the appliance's private IPv4 address.
**Note**  
BGP peering primarily uses IPv4 addresses, but it does support IPv6 address exchange through MP-BGP. To establish BGP sessions for IPv6 Unicast, you must have IPv4 Unicast addressing.

1. For the **Peer ASN**, specify the BGP ASN for the appliance.

   You can use an existing ASN that's assigned to your network. If you do not have one, you can use any ASN in the `1-4294967294` range. The default is the same ASN as the core network edge. If you configure the **Peer ASN** to be different from the core network edge ASN (eBGP), you must configure ebgp-multihop with a time-to-live (TTL) value of 2.

1. For **Subnet**, choose the subnet of the appliance. 
**Note**  
We recommend you run your appliance in the same subnet as your transport VPC attachment.

1. (Optional) In the **Tags** section, add **Key** and **Value** pairs to further help identify this resource. You can add multiple tags by choosing **Add tag**, or remove any tag by choosing **Remove tag**.

1. Choose **Create Connect peer**.
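The input constraints in the GRE and Tunnel-less Connect peer procedures above can be checked before the peer is created. This Python pre-flight check is an added example, not part of the AWS tooling: the dictionary keys (`protocol`, `peer_address`, `core_network_address`, `inside_cidr_blocks`, `peer_asn`, `subnet_cidr`) and the sample values are names chosen for illustration, and the subnet membership test is an assumption derived from the Peer BGP address and Subnet steps.

```python
import ipaddress

INSIDE_V4_RANGE = ipaddress.ip_network("169.254.0.0/16")
INSIDE_V6_RANGE = ipaddress.ip_network("fd00::/8")
ASN_MIN, ASN_MAX = 1, 4294967294


def _ip(text):
    """Parse an IP address, returning None when it is missing or malformed."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def _check_inside_cidrs(cidrs, errors):
    """GRE peers: IPv4 blocks are /29 in 169.254.0.0/16, IPv6 /125 in fd00::/8."""
    seen_v4 = False
    for text in cidrs:
        try:
            net = ipaddress.ip_network(text)  # strict: host bits must be zero
        except ValueError:
            errors.append(f"inside CIDR {text!r} is not a valid network")
            continue
        if net.version == 4:
            seen_v4 = True
            want_len, want_range = 29, INSIDE_V4_RANGE
        else:
            want_len, want_range = 125, INSIDE_V6_RANGE
        if net.prefixlen != want_len or not net.subnet_of(want_range):
            errors.append(f"inside CIDR {text} must be a /{want_len} from {want_range}")
    if not seen_v4:
        errors.append("GRE peer needs an IPv4 inside CIDR block")


def check_connect_peer(peer, edge_asn):
    """Return (errors, notes) for a planned Connect peer (hypothetical schema)."""
    errors, notes = [], []
    peer_ip = _ip(peer.get("peer_address", ""))
    if peer_ip is None:
        errors.append("peer_address is missing or not an IP address")

    asn = peer.get("peer_asn", edge_asn)  # default: same ASN as the edge
    if not ASN_MIN <= asn <= ASN_MAX:
        errors.append(f"peer ASN {asn} is outside {ASN_MIN}-{ASN_MAX}")
    elif asn != edge_asn:
        notes.append("eBGP peer: configure ebgp-multihop with TTL 2 on the appliance")

    protocol = peer.get("protocol")
    if protocol == "GRE":
        _check_inside_cidrs(peer.get("inside_cidr_blocks", []), errors)
        core_ip = _ip(peer.get("core_network_address", ""))
        if core_ip and peer_ip and core_ip.version != peer_ip.version:
            errors.append("peer and core network GRE addresses differ in IP family")
    elif protocol == "NO_ENCAP":
        if peer.get("inside_cidr_blocks"):
            errors.append("inside CIDR blocks are not an input for a Tunnel-less peer")
        if peer_ip and peer_ip.version != 4:
            errors.append("Tunnel-less peer BGP address must be IPv4")
        subnet = peer.get("subnet_cidr")
        if not subnet:
            errors.append("Tunnel-less peer needs the appliance subnet")
        elif peer_ip and peer_ip not in ipaddress.ip_network(subnet):
            errors.append(f"peer address {peer_ip} is not in subnet {subnet}")
    else:
        errors.append(f"unknown protocol {protocol!r}")
    return errors, notes


# Constructed sample inputs.
GRE_OK = {"protocol": "GRE", "peer_address": "10.0.1.10",
          "core_network_address": "10.0.0.5", "peer_asn": 65010,
          "inside_cidr_blocks": ["169.254.100.0/29", "fd00:0:0:1::/125"]}
GRE_BAD = {"protocol": "GRE", "peer_address": "10.0.1.10",
           "core_network_address": "fd00::1", "peer_asn": 4294967295,
           "inside_cidr_blocks": ["169.254.100.0/30", "10.0.0.0/29"]}
TLC_OK = {"protocol": "NO_ENCAP", "peer_address": "10.0.1.10",
          "subnet_cidr": "10.0.1.0/24"}
TLC_BAD = {"protocol": "NO_ENCAP", "peer_address": "10.0.2.10",
           "subnet_cidr": "10.0.1.0/24",
           "inside_cidr_blocks": ["169.254.100.0/29"]}

if __name__ == "__main__":
    for name, spec in [("GRE_OK", GRE_OK), ("GRE_BAD", GRE_BAD),
                       ("TLC_OK", TLC_OK), ("TLC_BAD", TLC_BAD)]:
        print(name, check_connect_peer(spec, edge_asn=64512))
```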

## Add a Connect peer using the command line or API


Use the command line or API to create an AWS Cloud WAN Connect peer.

**To create a Connect peer using the command line or API**
+ Use `create-connect-peer`. See [create-connect-peer](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/networkmanager/create-connect-peer.html).

# Direct Connect gateway attachments in AWS Cloud WAN

AWS Cloud WAN now supports native integration with Direct Connect, simplifying connectivity between your on-premises networks and the AWS cloud. The new capability enables you to directly attach your Direct Connect gateways to Cloud WAN without the need for an intermediate AWS Transit Gateway, allowing seamless connectivity between your data centers or offices with Amazon Virtual Private Cloud (VPCs) across AWS Regions globally.

Cloud WAN allows you to build, monitor, and manage a unified global network that interconnects your resources in the AWS cloud and your on-premises environments. Direct Connect allows you to create a dedicated network connection to AWS bypassing the public Internet and provides improved application performance, greater privacy and security. Previously, you needed to deploy an intermediate transit gateway to interconnect your Direct Connect-based networks with Cloud WAN. Now you can directly attach your Direct Connect gateway to a Cloud WAN core network, simplifying connectivity between your on-premises locations and VPCs. Cloud WAN Direct Connect gateway attachments add support for automatic route propagation between AWS and on-premises networks using BGP (Border Gateway Protocol). Direct Connect gateway attachments also support existing Cloud WAN features, such as central policy-based management, tag-based attachment automation and segmentation for advanced security. 

## Prerequisites

The following are required before you can create a Direct Connect gateway attachment in a core network:
+ You must have a Direct Connect account and a valid Direct Connect gateway. A specific Direct Connect gateway can't be used for any other gateway types as long as it remains associated with a core network. This includes virtual gateways, transit gateways, and private virtual interfaces.
+ Only one core network can be associated with a Direct Connect gateway.

For more information about Direct Connect, see the [AWS Direct Connect User Guide](https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html).

## Limitations

The following limits apply to Direct Connect gateway attachments in a core network:
+ You can't configure static routes pointing to a Direct Connect gateway attachment as the next hop in a core network policy. Routes must be dynamically advertised from the on-premises network to core network.
+ Direct Connect Border Gateway Protocol (BGP) communities are not supported in a Cloud WAN network.
+ You can't configure a list of allowed prefixes to be advertised over the Direct Connect gateway attachment from Cloud WAN to an on-premises network.
+ The ASN of a Direct Connect gateway must be outside of the ASN range configured for the core network. For example, if you have an ASN range of 64512 - 65534 for the core network, the ASN of the Direct Connect gateway must use an ASN outside of that range.
+ Private IP VPN and Connect attachments are not supported when a Direct Connect gateway attachment is the transport type.

## Route propagation

Direct Connect gateway attachments support BGP-based dynamic routing for both inbound and outbound directions.

For inbound routes:
+ Cloud WAN learns BGP routes advertised from your on-premises location via the Direct Connect gateway and the transit virtual interface. Routes are learned in the segment route tables of the associated core network edges for the attachment.
+ Routes learned in a segment route table can be routed across all AWS Regions for that segment.
+ Cloud WAN follows the route evaluation order for the same prefixes learned over multiple attachments. See [Route evaluation](cloudwan-create-attachment.md#cloudwan-route-evaluation) for more information.

For outbound routes:
+ Cloud WAN propagates routes from the segment route table to the Direct Connect gateway, which in turn advertises these routes over transit virtual interfaces to your on-premises locations via BGP.
+ Each core network edge associated with the Direct Connect gateway attachment advertises only its local routes towards the Direct Connect gateway.
+ The AS_PATH BGP attribute is retained in these route advertisements to your on-premises locations. For more information about AS_PATH and BGP, see [Private virtual interface and transit virtual interface routing policies](https://docs.aws.amazon.com/directconnect/latest/UserGuide/routing-and-bgp.html#private-routing-policies) in the *AWS Direct Connect User Guide*.

## Pricing

As with other Cloud WAN attachments, there is a per-hour charge and per-gigabyte charge for using Direct Connect gateway attachments in a Cloud WAN core network. For more details about pricing, see [AWS Cloud WAN Pricing](https://aws.amazon.com/cloud-wan/pricing/).

**Topics**
+ [Prerequisites](#cloudwan-dxattach-prereqs)
+ [Limitations](#cloudwan-dxattach-limits)
+ [Route propagation](#cloudwan-dxattach-routes)
+ [Pricing](#cloudwan-dxattach-pricing)
+ [Create a Direct Connect gateway attachment](cloudwan-dxattachment-add.md)
+ [View or edit a Direct Connect gateway attachment](cloudwan-dxattachment-update.md)

# Create a Direct Connect gateway attachment for an AWS Cloud WAN core network

You can add a Direct Connect gateway attachment using either the Network Manager console or using the AWS CLI. The Direct Connect gateway must first be created using the Direct Connect console before it can be added as an attachment in Cloud WAN. For more information about Direct Connect gateway attachments and Cloud WAN, see [Direct Connect gateway attachments](cloudwan-dxattach-about.md).

**Topics**
+ [Create a Direct Connect gateway attachment using the console](#cloudwan-dxattachment-console)
+ [Create a Direct Connect gateway attachment using the command line or API](#cloudwan-dxattachment-cli)

## Create a Direct Connect gateway attachment using the console


The following steps create a Direct Connect gateway attachment for a core network using the console. 

**To create a Direct Connect gateway attachment using the console**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity**, choose **Global Networks**.

1. On the **Global networks** page, choose the global network link for the core network you want to add an attachment to.

1. In the navigation pane under the name of the global network, choose **Attachments**.

1. Choose **Create attachment**.

1. Enter a **Name** identifying the attachment.

1. From the **Attachment type** drop-down list choose **Direct Connect gateway**.

1. For the **Edge locations**, choose one of the following:
   + **All** — Choose this option if you want to associate all edge locations in your core network with the Direct Connect gateway. When choosing this option, any new edge locations deployed in a core network policy version are automatically added to the Direct Connect gateway attachment and updated with the Direct Connect gateway. This does not automatically update any edge locations you might remove from the core network policy.
   + **Specific** — Choose this option if you want to associate only a subset of edge locations from your core network policy with the Direct Connect gateway. When choosing this option, you must manually add new or remove edge locations to the Direct Connect gateway attachment after deploying a core network policy version. A Direct Connect attachment will be attached to the core network edge according to the core network policy edge locations but will be associated to the segment based on the segment edge locations.

1. In the **Direct Connect gateway attachment** section, choose the Direct Connect gateway to use for connecting Direct Connect to the Cloud WAN core network.
**Note**  
A Direct Connect gateway can be used for only one core network, and can't be used for any other Direct Connect gateway type.

1. (Optional) For **Routing policy label**, provide a label that will be used to map this policy to attachments. The policy will automatically be applied to any attachment tagged with the same label.

1. Choose **Create attachment**.

## Create a Direct Connect gateway attachment using the command line or API


Use the command line or API to create a Direct Connect gateway attachment. 

**To create a Direct Connect gateway attachment using the command line or API**
+ Use `create-direct-connect-gateway-attachment`. See [create-direct-connect-gateway-attachment](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/networkmanager/create-direct-connect-gateway-attachment.html).

# View or edit an AWS Cloud WAN core network Direct Connect gateway attachment

You can update the edge locations for a Direct Connect gateway attachment using either the Network Manager console or using the AWS CLI. The Direct Connect gateway attachment must first be created using the Direct Connect console. For more information about Direct Connect gateway attachments and Cloud WAN, see [Direct Connect gateway attachments](cloudwan-dxattach-about.md).

 

**Topics**
+ [View or edit a Direct Connect gateway attachment using the console](#cloudwan-dxattachment-update-console)
+ [Manage a Direct Connect gateway attachment routing policy label](#cloudwan-labels-editing-dx)
+ [Update a Direct Connect gateway attachment using the command line or API](#cloudwan-dxattachment-update-cli)

## View or edit a Direct Connect gateway attachment using the console


Use the following steps to update the edge locations for a Direct Connect gateway attachment. The updated edge locations are automatically associated with the Direct Connect gateway on the Direct Connect console.

**To update a Direct Connect gateway attachment using the console**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity**, choose **Global Networks**.

1. On the **Global networks** page, choose the global network link for the core network you want to add an attachment to.

1. In the navigation pane under the name of the global network, choose **Attachments**.

1. Choose the Direct Connect gateway attachment you want to update, and then choose **Edit**.

1. In the **Direct Connect attachment** section, add or remove **Edge locations**, and then choose **Edit attachment**.

## Manage a Direct Connect gateway attachment routing policy label


You can create, modify, or delete routing policy labels for an attachment. Once you add or modify a routing policy label, you'll need to map or remap it to an attachment routing policy. Deleting a routing policy label removes any association with an attachment routing policy.

**To manage attachment routing policy labels**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity**, choose **Global networks**.

1. On the **Global networks** page, choose the global network link for the core network with the attachment.

1. In the navigation pane under the name of the global network, choose **Attachments**.

1. Choose the attachment.

1. In the section showing details about the attachment, choose the **Routing policy** tab, and then choose **Edit**.

1. Choose **Create** to create a new routing policy label, or choose **Edit** to modify the **Routing policy label** as needed.

1. After creating or modifying a routing policy label, you can then associate that label with an attachment routing policy.

1. In the **Attachment routing policy association** section, choose the attachment routing policy association you want to map to the routing policy label.

You can delete a routing policy label for an attachment. Once you delete an attachment, the association from an attachment routing policy is removed permanently.

**To delete an attachment routing policy label**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity**, choose **Global networks**.

1. On the **Global networks** page, choose the global network link for the core network with the attachment.

1. In the navigation pane under the name of the global network, choose **Attachments**.

1. Choose the attachment.

1. In the section showing details about the attachment, choose the **Routing policy** tab, and then choose **Delete**.

1. Choose **Delete** again to confirm the removal. If the routing policy label was mapped to an attachment routing policy, the **Attachment routing policy association** section updates and removes the policy from the list. 

## Update a Direct Connect gateway attachment using the command line or API


Use the command line or API to update a Direct Connect gateway attachment. 

**To update a Direct Connect gateway attachment using the command line or API**
+ Use `update-direct-connect-gateway-attachment`. See [update-direct-connect-gateway-attachment](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/networkmanager/update-direct-connect-gateway-attachment.html).

# VPC attachments in AWS Cloud WAN
VPC attachments

When you attach a VPC to a core network edge in AWS Cloud WAN, you must specify one subnet from each Availability Zone to be used by the core network edge to route traffic. Specifying one subnet from an Availability Zone enables traffic to reach resources in every subnet in that Availability Zone. For more information about limits to core network VPC attachments, see [Transit Gateway attachment to a VPC](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-vpc-attachments.html) in the *Transit Gateway User Guide*. 

**Important**  
You cannot select a subnet from a Local Zone while creating a Cloud WAN VPC attachment. Doing so will result in an error. For more information about Local Zones, see [https://docs.aws.amazon.com/local-zones/latest/ug/what-is-aws-local-zones.html](https://docs.aws.amazon.com/local-zones/latest/ug/what-is-aws-local-zones.html).

## Appliance mode


If you plan to configure a stateful network appliance in your VPC, you can enable appliance mode support for the VPC attachment in which the appliance is located when you create an attachment. This ensures that Cloud WAN uses the same Availability Zone for that VPC attachment for the lifetime of the flow of traffic between a source and destination. It also allows Cloud WAN to send traffic to any Availability Zone in the VPC as long as there is a subnet association in that zone. While appliance mode is only supported on VPC attachments, the network flow can enter the core network from any other Cloud WAN attachment type, including VPC, VPN, and Connect attachments. Cloud WAN appliance mode also works for network flows that have sources and destinations across different AWS Regions in your core network. Network flows can potentially be rebalanced across different Availability Zones if you don't initially enable appliance mode but later edit the attachment configuration to enable it. You can enable or disable appliance mode using either the console or the command line or API.

Appliance mode in Cloud WAN optimizes traffic routing by considering the source and destination Availability Zones when determining the path through an appliance mode VPC. This approach enhances efficiency and reduces latency. The following are example scenarios.

### Scenario 1: Intra-Availability Zone Traffic Routing via Appliance VPC


When traffic flows from source Availability Zone us-east-1a to destination Availability Zone us-east-1a, with Appliance Mode VPC attachments in both us-east-1a and us-east-1b, Cloud WAN selects a network interface from us-east-1a within the appliance VPC. This Availability Zone is maintained for the entire duration of the traffic flow between source and destination.

### Scenario 2: Inter-Availability Zone Traffic Routing via Appliance VPC


For traffic flowing from source Availability Zone us-east-1a to destination Availability Zone us-east-1b, with Appliance Mode VPC attachments in both us-east-1a and us-east-1b, Cloud WAN uses a flow hash algorithm to select either us-east-1a or us-east-1b in the appliance VPC. The chosen Availability Zone is used consistently for the lifetime of the flow.

### Scenario 3: Routing traffic through an appliance VPC without Availability Zone data


When traffic originates from source Availability Zone us-east-1a to a destination without Availability Zone information (e.g., internet-bound traffic), with Appliance Mode VPC attachments in both us-east-1a and us-east-1b, Cloud WAN selects a network interface from us-east-1a within the appliance VPC.

### Scenario 4: Routing traffic through an appliance VPC in an Availability Zone distinct from either the source or destination


When traffic flows from source Availability Zone us-east-1a to destination Availability Zone us-east-1b, with Appliance Mode VPC attachments in different Availability Zones, for example us-east-1c and us-east-1d, Cloud WAN uses a flow hash algorithm to select either us-east-1c or us-east-1d in the appliance VPC. The chosen Availability Zone is used consistently for the lifetime of the flow.

**Note**  
You can't create a core network VPC attachment that uses only IPv6 subnets. A core network VPC attachment must also support IPv4 addresses.
Appliance mode is only supported for VPC attachments.
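
The four scenarios above can be modeled as a small selection function. This is an added example, not AWS code: the page does not give the flow hash algorithm, so `flow_hash` is a stand-in (SHA-256 over a direction-normalized 5-tuple), and the `Flow` type, the sample addresses, and the handling of cases the scenarios do not cover (reply direction, one-AZ traffic with no appliance subnet in that AZ) are assumptions.

```python
import hashlib
from typing import NamedTuple, Optional, Sequence


class Flow(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: int              # IANA protocol number (6 = TCP)
    src_az: Optional[str]      # None when the endpoint carries no AZ information
    dst_az: Optional[str]

    def reverse(self) -> "Flow":
        """Return the reply direction of the same flow."""
        return Flow(self.dst_ip, self.dst_port, self.src_ip, self.src_port,
                    self.protocol, self.dst_az, self.src_az)


def flow_hash(flow: Flow) -> int:
    """Stand-in flow hash (assumption: the real algorithm is not on the page).

    The two endpoints are sorted first so that request and reply hash to the
    same value, which is the property a stateful appliance depends on.
    """
    low, high = sorted([(flow.src_ip, flow.src_port), (flow.dst_ip, flow.dst_port)])
    key = f"{flow.protocol}|{low[0]}:{low[1]}|{high[0]}:{high[1]}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big")


def select_appliance_az(flow: Flow, appliance_azs: Sequence[str]) -> str:
    """Pick the appliance VPC Availability Zone for a flow."""
    azs = sorted(set(appliance_azs))
    if not azs:
        raise ValueError("the appliance VPC attachment has no subnets")
    known = {az for az in (flow.src_az, flow.dst_az) if az is not None}
    # Scenarios 1 and 3: only one AZ is involved and the appliance VPC has a
    # subnet association there, so traffic stays in that AZ.
    if len(known) == 1:
        only = next(iter(known))
        if only in azs:
            return only
    # Scenarios 2 and 4: the flow hash picks one appliance AZ, and the same
    # AZ is returned for every packet of the flow in either direction.
    return azs[flow_hash(flow) % len(azs)]


# Constructed flows matching the four scenarios on the page.
AB = ["us-east-1a", "us-east-1b"]
CD = ["us-east-1c", "us-east-1d"]
SCENARIOS = {
    1: (Flow("10.0.1.10", 40000, "10.1.1.20", 443, 6, "us-east-1a", "us-east-1a"), AB),
    2: (Flow("10.0.1.10", 40001, "10.1.2.20", 443, 6, "us-east-1a", "us-east-1b"), AB),
    3: (Flow("10.0.1.10", 40002, "198.51.100.7", 443, 6, "us-east-1a", None), AB),
    4: (Flow("10.0.1.10", 40003, "10.1.2.20", 443, 6, "us-east-1a", "us-east-1b"), CD),
}


def run_scenarios():
    """Return {scenario: (forward AZ, reply AZ)} for the sample flows."""
    return {n: (select_appliance_az(f, azs), select_appliance_az(f.reverse(), azs))
            for n, (f, azs) in SCENARIOS.items()}


if __name__ == "__main__":
    for n, (fwd, rev) in run_scenarios().items():
        print(f"scenario {n}: forward={fwd} reply={rev} symmetric={fwd == rev}")
```

The forward and reply AZ match in every scenario, which is what keeps both halves of a connection on the same stateful appliance.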

## DNS support


DNS support in Cloud WAN enables the resolution of public DNS host names to private IP addresses when queried across VPCs attached to the same core network edge, similar to the DNS resolution capability available for transit gateways. This feature is enabled by default in your core network and can be configured in your core network policy by setting the `dns-support` parameter to either `true` or `false`, with the setting applying to all core network edges in the core network. You can view your DNS support configuration through the console in the core network policy or by using the [get-core-network](https://docs.aws.amazon.com/cli/latest/reference/networkmanager/get-core-network.html) command. 

**Note**  
DNS support only works between VPCs attached to the same core network edge and does not function across different regions or between VPCs attached to different core network edges.

## Security group referencing


You can configure security groups by specifying a list of rules that allow network traffic based on criteria such as IP CIDRs, prefix lists, ports, and security group references. Security group referencing allows you to specify other security groups as references, or matching criteria, in inbound security rules to allow instance-to-instance traffic. With this capability, you do not need to reconfigure security rules as applications scale up or down or if their IP addresses change. Rules with security group references also scale better, because a single rule can cover thousands of instances, which helps you avoid exceeding security group rule limits.

Security group referencing is a regional feature for Cloud WAN, meaning VPCs must be connected to the same core network edge for this feature to work. When you create a VPC attachment, Cloud WAN automatically enables security group referencing for VPCs attached to the same core network edge.

**Note**  
Security group referencing is enabled by default at the attachment level but disabled by default at the core network level.

With security group referencing support in Cloud WAN, you can:
+ Reference security groups across VPCs connected to the same core network edge
+ Simplify security group management for applications that span multiple VPCs
+ Maintain security group references even as instances scale up or down
+ Reduce the number of security group rules needed for cross-VPC communication

### Limitations


The following limitations apply to security group referencing in Cloud WAN:
+ Security group referencing only works between VPCs attached to the same core network edge. It does not work across different regions or between VPCs attached to different core network edges.
+ Security group referencing is not supported for VPC attachments in the use1-az3 Availability Zone.
+ Security group referencing is not supported for AWS PrivateLink endpoints. We recommend using IP CIDR-based security rules as an alternative.
+ Security group referencing works for Elastic File System (EFS) as long as an allow all egress security group rule is configured for the EFS interfaces in the VPC.
+ Security group referencing support can be configured for both core network and VPC attachments and will only work if it has been enabled for both a core network and its VPC attachments.
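
The same-edge rule and the two-level enablement above mean a security group reference or a DNS lookup can be configured and still have no effect. The following added example (not AWS code) lists, for each pair of VPC attachments, the reasons either feature is not in effect. The input is constructed and shaped like `get-vpc-attachment` output and a core network policy; the field names `DnsSupport` and `SecurityGroupReferencingSupport` and the policy key `security-group-referencing-support` are assumptions modeled on `ApplianceModeSupport` and `dns-support` from this page.

```python
from itertools import combinations

UNSUPPORTED_AZ_ID = "use1-az3"  # limitation listed on the page


def make_attachment(attachment_id, edge_location, subnet_arns, **options):
    """Constructed record shaped like `get-vpc-attachment` output (names assumed)."""
    return {"VpcAttachment": {
        "Attachment": {"AttachmentId": attachment_id, "EdgeLocation": edge_location},
        "SubnetArns": list(subnet_arns),
        "Options": options,
    }}


def att_id(att):
    return att["VpcAttachment"]["Attachment"]["AttachmentId"]


def edge(att):
    return att["VpcAttachment"]["Attachment"]["EdgeLocation"]


def option(att, name, default):
    return att["VpcAttachment"].get("Options", {}).get(name, default)


def sg_referencing_blockers(policy, a, b, subnet_az_ids):
    """Reasons a security group reference between VPCs a and b has no effect."""
    cfg = policy.get("core-network-configuration", {})
    blockers = []
    # Disabled by default at the core network level.
    if not cfg.get("security-group-referencing-support", False):
        blockers.append("disabled at the core network level")
    for att in (a, b):
        # Enabled by default at the attachment level.
        if not option(att, "SecurityGroupReferencingSupport", True):
            blockers.append(f"disabled on {att_id(att)}")
        if any(subnet_az_ids.get(arn) == UNSUPPORTED_AZ_ID
               for arn in att["VpcAttachment"]["SubnetArns"]):
            blockers.append(f"{att_id(att)} has a subnet in {UNSUPPORTED_AZ_ID}")
    if edge(a) != edge(b):
        blockers.append("different core network edges")
    return blockers


def dns_blockers(policy, a, b):
    """Reasons private DNS resolution between VPCs a and b has no effect."""
    cfg = policy.get("core-network-configuration", {})
    blockers = []
    # Enabled by default in the core network and on the attachment.
    if not cfg.get("dns-support", True):
        blockers.append("disabled at the core network level")
    for att in (a, b):
        if not option(att, "DnsSupport", True):
            blockers.append(f"disabled on {att_id(att)}")
    if edge(a) != edge(b):
        blockers.append("different core network edges")
    return blockers


def audit(policy, attachments, subnet_az_ids):
    """Map each attachment pair to the blockers for both features."""
    return {
        (att_id(a), att_id(b)): {
            "sg_referencing": sg_referencing_blockers(policy, a, b, subnet_az_ids),
            "dns": dns_blockers(policy, a, b),
        }
        for a, b in combinations(attachments, 2)
    }


# Constructed sample data: account ID, subnet names and attachment IDs are placeholders.
ARN = "arn:aws:ec2:{region}:111122223333:subnet/{name}"
APP, DB = ARN.format(region="us-east-1", name="subnet-app"), ARN.format(region="us-east-1", name="subnet-db")
LEGACY, EU = ARN.format(region="us-east-1", name="subnet-legacy"), ARN.format(region="eu-west-1", name="subnet-eu")
SUBNET_AZ_IDS = {APP: "use1-az1", DB: "use1-az2", LEGACY: "use1-az3", EU: "euw1-az1"}
ATTACHMENTS = [
    make_attachment("att-app", "us-east-1", [APP]),
    make_attachment("att-db", "us-east-1", [DB]),
    make_attachment("att-eu", "eu-west-1", [EU]),
    make_attachment("att-legacy", "us-east-1", [LEGACY]),
]
# The security group referencing key is omitted, so the core network default applies.
POLICY = {"core-network-configuration": {"dns-support": True}}

if __name__ == "__main__":
    for pair, result in audit(POLICY, ATTACHMENTS, SUBNET_AZ_IDS).items():
        print(pair, result)
```

An empty list means nothing on this page prevents the feature from working for that pair; the Availability Zone ID map would come from the subnets' own metadata.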

**Topics**
+ [Appliance mode](#cloudwan-appliancemode)
+ [DNS support](#cloudwan-dns-support)
+ [Security group referencing](#cloudwan-sg-referencing)
+ [Create a VPC attachment](cloudwan-vpc-attachment-add.md)
+ [View or edit a VPC attachment](cloudwan-attachments-viewing-editing-vpc.md)

# Create a VPC attachment for an AWS Cloud WAN core network
Create a VPC attachment

## Create a VPC attachment using the console


The following steps create a VPC attachment for a core network using the console. 

**To create a VPC attachment using the console**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity**, choose **Global networks**.

1. On the **Global networks** page, choose the global network link for the core network you want to add an attachment to.

1. In the navigation pane under the name of the global network, choose **Attachments**.

1. Choose **Create attachment**.

1. Enter a **name** identifying the attachment.

1. From the **Edge location** dropdown list, choose the location where the attachment is located.

1. Choose **VPC**.

1. In the VPC attachment section, choose **Appliance mode support** if appliance mode is supported. For more information about appliance mode, see [Appliance mode](cloudwan-vpc-attachment.md#cloudwan-appliancemode).

1. Choose **IPv6 support** if the attachment supports IPv6. 

1. By default, **DNS support** is enabled. This allows domain name system resolution for the attachment. Clear the check box if you don't want to enable DNS support. For more information, see [DNS support](cloudwan-vpc-attachment.md#cloudwan-dns-support).

1. By default, **Security Group Referencing support** is enabled. When you create a VPC attachment, Cloud WAN automatically enables security group referencing for VPCs attached to the same core network edge. This allows you to reference security groups across VPCs in your security group rules. Clear the check box if you don't want to enable security group referencing. For more information, see [Security group referencing](cloudwan-vpc-attachment.md#cloudwan-sg-referencing).

1. From the **VPC IP** dropdown list, choose the VPC ID to attach to the core network.

1. After choosing the VPC ID, you're prompted to choose the **Availability Zone** and **Subnet Id** in which to create the core network VPC attachment. The Availability Zones that are listed are those edge locations that you chose when you created your core network. You must choose at least one Availability Zone and subnet ID.

1. (Optional) For **Routing policy label**, provide a label that will be used to map this policy to attachments. The policy will automatically be applied to any attachment tagged with the same label.

1. (Optional) In the **Tags** section, add **Key** and **Value** pairs to further help identify this resource. You can add multiple tags by choosing **Add tag**, or remove any tag by choosing **Remove tag**.

1. Choose **Create attachment**.

## Create a VPC attachment using the command line or API


Use the command line or API to create an AWS Cloud WAN VPC attachment.

**To create a VPC attachment using the command line or API**
+ Use `create-vpc-attachment`. See [create-vpc-attachment](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/networkmanager/create-vpc-attachment.html).

To enable appliance mode, add `--options ApplianceModeSupport=true` to the command. 

# View or edit an AWS Cloud WAN VPC attachment
View or edit a VPC attachment

You can view and edit configuration information for a VPC attachment. If you want to add a new VPC attachment, see [VPC attachments in AWS Cloud WAN](cloudwan-vpc-attachment.md).

## View and edit a VPC attachment


**To view and edit a VPC attachment**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity**, choose **Global networks**.

1. On the **Global networks** page, choose the global network ID.

1. Under **Core network** in the navigation pane, choose **Attachments**.

1. Select the check box for an attachment where the **Resource Type** is **VPC**. Details about the attachment are displayed in the lower part of the page.

1. (Optional) Choose **Edit** to modify any of the following options for the VPC attachment:
   + Enable or disable appliance mode support.
   + Enable or disable IPv6 support.
   + Enable or disable DNS support.
   + Enable or disable security group referencing support.
   + Add or remove subnet IDs.

1. After making any changes, choose **Edit attachment**.

1. To add, edit, or remove tags, choose the **Tags** tab. The current list of tags associated with this attachment are displayed. Choose **Edit tags** to modify or delete current tags, and to add new tags.

1. If you made any changes, choose **Edit attachment** to save the changes. The **Attachments** page displays along with a confirmation that the attachment was modified successfully.

## Manage a VPC attachment routing policy label


You can create, modify, or delete routing policy labels for an attachment. Once you add or modify a routing policy label, you'll need to map or remap it to an attachment routing policy. Deleting a routing policy label removes any association with an attachment routing policy.

**To manage attachment routing policy labels**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity**, choose **Global networks**.

1. On the **Global networks** page, choose the global network link for the core network with the attachment.

1. In the navigation pane under the name of the global network, choose **Attachments**.

1. Choose the attachment.

1. In the section showing details about the attachment, choose the **Routing policy** tab, and then choose **Edit**.

1. Choose **Create** to create a new routing policy label, or choose **Edit** to modify the **Routing policy label** as needed.

1. After creating or modifying a routing policy label, you can then associate that label with an attachment routing policy.

1. In the **Attachment routing policy association** section, choose the attachment routing policy association you want to map to the routing policy label.

You can delete a routing policy label for an attachment. Once you delete an attachment, the association from an attachment routing policy is removed permanently.

**To delete an attachment routing policy label**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity**, choose **Global networks**.

1. On the **Global networks** page, choose the global network link for the core network with the attachment.

1. In the navigation pane under the name of the global network, choose **Attachments**.

1. Choose the attachment.

1. In the section showing details about the attachment, choose the **Routing policy** tab, and then choose **Delete**.

1. Choose **Delete** again to confirm the removal. If the routing policy label was mapped to an attachment routing policy, the **Attachment routing policy association** section updates and removes the policy from the list. 

## View a VPC attachment using the command line or API


Use the command line or API to view a VPC attachment.

**To view a VPC attachment using the command line or API**
+ See [get-vpc-attachment](https://docs.aws.amazon.com/cli/latest/reference/networkmanager/get-vpc-attachment.html).

# Site-to-Site VPN attachments in AWS Cloud WAN
Site-to-Site VPN attachments in Cloud WAN

Attaching a Site-to-Site VPN connection to your core network edge first requires that you create a Site-to-Site VPN connection with **Target Gateway Type** set to **Not Associated**. See [Create an AWS Cloud WAN Site-to-Site VPN attachment](https://docs.aws.amazon.com/vpn/latest/s2svpn/create-cwan-vpn-attachment.html) in the *AWS Site-to-Site VPN User Guide*.

**Note**  
 Your Site-to-Site VPN must be attached to a core network before you can start configuring a customer gateway. AWS doesn't provision these endpoints until the Site-to-Site VPN is attached to the core network. 
A Site-to-Site VPN attachment must be created in the same AWS account that owns the core network. 

**Topics**
+ [Create a Site-to-Site VPN attachment](cloudwan-vpn-attachment-add.md)
+ [View or edit a Site-to-Site VPN attachment](cloudwan-attachments-viewing-editing-vpn.md)

# Create a Site-to-Site VPN attachment for an AWS Cloud WAN core network
Create a Site-to-Site VPN attachment

You can create a Site-to-Site VPN attachment using either the Network Manager console or the AWS CLI.

**Topics**
+ [Create a Site-to-Site VPN attachment using the console](#cloudwan-vpn-attachment-console)
+ [Create a Site-to-Site VPN attachment using the command line or API](#cloudwan-vpn-attachment-cli)

## Create a Site-to-Site VPN attachment using the console


The following steps create a Site-to-Site VPN attachment for a core network using the console.

**To create a Site-to-Site VPN attachment using the console**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity**, choose **Global networks**.

1. On the **Global networks** page, choose the global network link for the core network you want to add an attachment to.

1. In the navigation pane under the name of the global network, choose **Attachments**.

1. Choose **Create attachment**.

1. Enter a **name** identifying the attachment.

1. From the **Edge location** dropdown list, choose the location where the attachment is located.

1. Choose **VPN**.

1. From the **VPN attachment** section, choose the VPN ID to be used for the VPN attachment.

1. (Optional) For **Routing policy label**, provide a label that will be used to map this policy to attachments. The policy will automatically be applied to any attachment tagged with the same label.

1. (Optional) In the **Tags** section, add **Key** and **Value** pairs to further help identify this resource. You can add multiple tags by choosing **Add tag**, or remove any tag by choosing **Remove tag**.

1. Choose **Create attachment**.

## Create a Site-to-Site VPN attachment using the command line or API


Use the command line or API to create an AWS Cloud WAN Site-to-Site VPN attachment.

**To create a Site-to-Site VPN attachment using the command line or API**
+ Use `create-site-to-site-vpn-attachment`. See [create-site-to-site-vpn-attachment](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/networkmanager/create-site-to-site-vpn-attachment.html).

# View or edit an AWS Cloud WAN Site-to-Site VPN attachment
View or edit a Site-to-Site VPN attachment

You can view and edit configuration information for a VPN attachment, as well as adding a new attachment. If you want to add a new VPN attachment, see [Create a Site-to-Site VPN attachment for an AWS Cloud WAN core network](cloudwan-vpn-attachment-add.md).

## View and edit a VPN attachment


**To view and edit a VPN attachment**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity**, choose **Global networks**.

1. On the **Global networks** page, choose the global network ID.

1. Under **Core network** in the navigation pane, choose **Attachments**.

1. Select the check box for an attachment where the **Resource Type** is **VPN**. Details about the attachment are displayed in the lower part of the page. In this section, you can also edit the attachment Tags by choosing the **Tags** tab.

1. Choose **Edit**.

1. On the **Edit attachment** page, do any of the following:
   + Enable or disable appliance mode support.
   + Enable or disable IPv6 support.
   + Add or remove subnet IDs.
   + Add or remove tags.

1. If you made any changes, choose **Edit attachment** to save the changes. The **Attachments** page displays along with a confirmation that the attachment was modified successfully.

## Manage a VPN attachment routing policy label


You can create, modify, or delete routing policy labels for an attachment. Once you add or modify a routing policy label, you'll need to map or remap it to an attachment routing policy. Deleting a routing policy label removes any association with an attachment routing policy.

**To manage attachment routing policy labels**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity**, choose **Global networks**.

1. On the **Global networks** page, choose the global network link for the core network with the attachment.

1. In the navigation pane under the name of the global network, choose **Attachments**.

1. Choose the attachment.

1. In the section showing details about the attachment, choose the **Routing policy** tab, and then choose **Edit**.

1. Choose **Create** to create a new routing policy label, or choose **Edit** to modify the **Routing policy label** as needed.

1. After creating or modifying a routing policy label, you can then associate that label with an attachment routing policy.

1. In the **Attachment routing policy association** section, choose the attachment routing policy association you want to map to the routing policy label.

You can delete a routing policy label for an attachment. Once you delete an attachment, the association from an attachment routing policy is removed permanently.

**To delete an attachment routing policy label**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity**, choose **Global networks**.

1. On the **Global networks** page, choose the global network link for the core network with the attachment.

1. In the navigation pane under the name of the global network, choose **Attachments**.

1. Choose the attachment.

1. In the section showing details about the attachment, choose the **Routing policy** tab, and then choose **Delete**.

1. Choose **Delete** again to confirm the removal. If the routing policy label was mapped to an attachment routing policy, the **Attachment routing policy association** section updates and removes the policy from the list. 

## View a Site-to-Site VPN attachment using the command line or API


Use the command line or API to view a Site-to-Site VPN attachment.

**To view a Site-to-Site VPN attachment using the command line or API**
+ See [get-site-to-site-vpn-attachment](https://docs.aws.amazon.com/cli/latest/reference/networkmanager/get-site-to-site-vpn-attachment.html).

# Transit gateway route table attachments in AWS Cloud WAN
Transit gateway route table attachments

Transit gateway route tables contain the rules that determine how your network traffic is routed between your VPCs and VPNs. A transit gateway route table can be added as an attachment type in your AWS Cloud WAN core network. You can create a transit gateway route table attachment through either the console or by using the command line or API. 

Before creating the attachment you must first have created your transit gateway route table. 
+  For more information about transit gateway route tables, see [Routing](https://docs.aws.amazon.com/vpc/latest/tgw/how-transit-gateways-work.html#tgw-routing-overview) in the *AWS Transit Gateway User Guide*.
+ For the steps to create a transit gateway route table, see [Transit gateway route tables](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-route-tables.html) in the *AWS Transit Gateway User Guide*.

**Topics**
+ [Create a transit gateway route table attachment](cloudwan-tgw-attachment-add.md)
+ [View or edit a transit gateway route table attachment](cloudwan-attachments-viewing-editing-rtb.md)

# Create a transit gateway route table attachment for an AWS Cloud WAN core network
Create a transit gateway route table attachment

Add a transit gateway route table attachment to your AWS Cloud WAN core network. 

## Create a transit gateway route table attachment using the console


The following steps create a transit gateway route table attachment for a core network using the console.

**To create a transit gateway route table attachment using the console**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity**, choose **Global networks**.

1. On the **Global networks** page, choose the global network link for the core network you want to add an attachment to.

1. In the navigation pane under the name of the global network, choose **Attachments**.

1. Choose **Create attachment**.

1. Enter a **name** identifying the attachment.

1. From the **Edge location** dropdown list, choose the location where the attachment is located.

1. From the **Attachment type** dropdown list, choose **Transit gateway route table**.

1. In the **Transit gateway route table attachment** section, choose the **Transit gateway peering** that will be used for the route table attachment. For information on creating a peering, see [Create a peering in an AWS Cloud WAN core network](cloudwan-peerings-create.md).

1. From the **Transit gateway route table** list, choose the route table to be used for the peering. For information about creating a transit gateway route table, see [Transit gateway route tables](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-route-tables.html) in the *AWS Transit Gateway Guide*.

1. (Optional) For **Routing policy label**, provide a label that will be used to map this policy to attachments. The policy will automatically be applied to any attachment tagged with the same label.

1. (Optional) In the **Tags** section, add **Key** and **Value** tags to help identify this resource. You can add multiple tags by choosing **Add tag**, or remove any tag by choosing **Remove tag**.

1. Choose **Create attachment**.

## Create a transit gateway route table attachment using the command line or API


Use the command line or API to create an AWS Cloud WAN transit gateway route table attachment.

**To create a transit gateway route table attachment using the command line or API**
+ Use `create-transit-gateway-route-table-attachment`. See [create-transit-gateway-route-table-attachment](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/networkmanager/create-transit-gateway-route-table-attachment.html).

# View or edit an AWS Cloud WAN transit gateway route table attachment
View or edit a transit gateway route table attachment

You can view and edit the key-value tags associated with a transit gateway route table attachment, add a new attachment, or manage route labels. For the steps to add a new transit gateway route table attachment, see [Transit gateway route table attachments in AWS Cloud WAN](cloudwan-tgw-attachment.md).

## View and edit a route table attachment


**To view and edit a route table attachment**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity**, choose **Global networks**.

1. On the **Global networks** page, choose the global network ID.

1. Under **Core network** in the navigation pane, choose **Attachments**.

1. Select the check box for an attachment where the **Resource Type** is **Transit gateway route table**. 

1. To add, edit, or remove tags, choose the **Tags** tab. The current list of tags associated with this attachment is displayed. Choose **Edit tags** to modify or delete current tags, and to add new tags.

## Manage a route table attachment routing policy label


You can create, modify, or delete routing policy labels for an attachment. Once you add or modify a routing policy label, you'll need to map or remap it to an attachment routing policy. Deleting a routing policy label removes any association with an attachment routing policy.

**To manage attachment routing policy labels**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity**, choose **Global networks**.

1. On the **Global networks** page, choose the global network link for the core network with the attachment.

1. In the navigation pane under the name of the global network, choose **Attachments**.

1. Choose the attachment.

1. In the section showing details about the attachment, choose the **Routing policy** tab, and then choose **Edit**.

1. Choose **Create** to create a new routing policy label, or choose **Edit** to modify the **Routing policy label** as needed.

1. After creating or modifying a routing policy label, you can then associate that label with an attachment routing policy.

1. In the **Attachment routing policy association** section, choose the attachment routing policy association you want to map to the routing policy label.

You can delete a routing policy label for an attachment. Once you delete an attachment, the association from an attachment routing policy is removed permanently.

**To delete an attachment routing policy label**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity**, choose **Global networks**.

1. On the **Global networks** page, choose the global network link for the core network with the attachment.

1. In the navigation pane under the name of the global network, choose **Attachments**.

1. Choose the attachment.

1. In the section showing details about the attachment, choose the **Routing policy** tab, and then choose **Delete**.

1. Choose **Delete** again to confirm the removal. If the routing policy label was mapped to an attachment routing policy, the **Attachment routing policy association** section updates and removes the policy from the list. 

## View a transit gateway route table attachment using the command line or API


Use the command line or API to view a transit gateway route table attachment.

**To view a transit gateway route table attachment using the command line or API**
+ See [get-transit-gateway-route-table-attachment](https://docs.aws.amazon.com/cli/latest/reference/networkmanager/get-transit-gateway-route-table-attachment.html).

# Accept or reject an AWS Cloud WAN core network attachment

When you create an attachment and associate it to a segment that requires an acceptance from the core network owner, the newly created attachment goes into a **Pending attachment acceptance** state. The core network owner has to review the attachment and choose to accept or reject the request.

**To accept or reject an attachment using the console**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity**, choose **Global networks**.

1. On the **Global networks** page, choose the global network ID.

1. Under **Core network** in the navigation pane, choose **Attachments**.

1. Select the check box for the specific attachment that is in the **Pending attachment acceptance** state. Details about the attachment are displayed in the lower part of the page.

1. Choose **Accept** or **Reject**.

1. If you chose **Accept**, the attachment goes into a **Creating (Accept)** state. If you chose **Reject**, the attachment goes into a **Rejected (Reject)** state. 
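
The acceptance step is the point where the core network owner decides which accounts may join a segment. The following added example (not part of the AWS documentation) triages attachments in the **Pending attachment acceptance** state against an owner allowlist and prints the `accept-attachment` or `reject-attachment` command for each. The allowlist, account IDs, attachment IDs, and sample JSON are constructed for illustration; the JSON follows the shape of `aws networkmanager list-attachments` output.

```python
import json

# Constructed sample in the shape returned by `aws networkmanager list-attachments`.
SAMPLE = json.loads("""{"Attachments": [
 {"AttachmentId": "attachment-0a1example", "OwnerAccountId": "111122223333",
  "AttachmentType": "VPC", "State": "PENDING_ATTACHMENT_ACCEPTANCE", "SegmentName": "prod"},
 {"AttachmentId": "attachment-0b2example", "OwnerAccountId": "444455556666",
  "AttachmentType": "TRANSIT_GATEWAY_ROUTE_TABLE", "State": "PENDING_ATTACHMENT_ACCEPTANCE",
  "ProposedSegmentChange": {"SegmentName": "prod"}},
 {"AttachmentId": "attachment-0c3example", "OwnerAccountId": "999900001111",
  "AttachmentType": "VPC", "State": "PENDING_ATTACHMENT_ACCEPTANCE", "SegmentName": "dev"},
 {"AttachmentId": "attachment-0d4example", "OwnerAccountId": "999900001111",
  "AttachmentType": "VPC", "State": "AVAILABLE", "SegmentName": "dev"}
]}""")

# Hypothetical review policy: account IDs the owner expects on each segment.
ALLOWED_OWNERS = {"prod": {"111122223333"}, "dev": {"111122223333", "444455556666"}}

def requested_segment(att):
    """Segment the attachment is asking to join (a proposed change wins if present)."""
    proposed = att.get("ProposedSegmentChange") or {}
    return proposed.get("SegmentName") or att.get("SegmentName")

def triage(attachments, allowed_owners):
    """Return one decision per attachment waiting for owner acceptance."""
    decisions = []
    for att in attachments:
        if att.get("State") != "PENDING_ATTACHMENT_ACCEPTANCE":
            continue  # only pending requests need a decision
        segment, owner = requested_segment(att), att.get("OwnerAccountId")
        if segment is None:
            action, reason = "reject", "no segment on request"
        elif owner in allowed_owners.get(segment, set()):
            action, reason = "accept", f"{owner} is expected on {segment}"
        else:
            action, reason = "reject", f"{owner} is not expected on {segment}"
        decisions.append({"id": att["AttachmentId"], "action": action, "reason": reason})
    return decisions

def cli_command(decision):
    """Command the core network owner would run after confirming the decision."""
    return f"aws networkmanager {decision['action']}-attachment --attachment-id {decision['id']}"

if __name__ == "__main__":
    for d in triage(SAMPLE["Attachments"], ALLOWED_OWNERS):
        print(f"{cli_command(d)}  # {d['reason']}")
```

The script only prints commands, so the owner can review each one before running it.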

# Delete an AWS Cloud WAN core network attachment

You can delete any attachment from your core network. Deleted attachments can't be recovered. This section includes the steps to delete an attachment using the AWS Cloud WAN console or by using the command line or API.

**To delete an attachment using the console**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity**, choose **Global networks**.

1. On the **Global networks** page, choose the global network ID.

1. Under **Core network** in the navigation pane, choose **Attachments**.

1. Select the check box for the attachment that you want to delete.

1. Choose **Delete**.

1. Confirm that you want to delete the attachment by choosing **Delete** again. 

   The attachment is removed from the **Attachments** page.

Use the command line or API to delete any of your core network attachments.

**To delete an attachment using the command line or API**
+ For a Connect, transit gateway route table, VPC, or Site-to-Site VPN attachment, see [delete-attachment](https://docs.aws.amazon.com/cli/latest/reference/networkmanager/delete-attachment.html).
+ For a Connect peer attachment, see [delete-transit-gateway-connect-peer](https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-transit-gateway-connect-peer.html).