

# Create an AWS Cloud WAN core network policy version using the console

Use the Network Manager console to create a core network policy version. The console provides separate tabs for you to configure a network policy version, including the new routing policy capabilities. The following steps describe the high-level process. 

1. [Configure the core network settings in an AWS Cloud WAN policy version](cloudwan-core-network-config.md).

   You'll first set the network configuration parameters, including adding ASN ranges, CIDR blocks, and the edge locations to include in the policy. 

1. [Add a segment to an AWS Cloud WAN core network policy version](cloudwan-policy-segments.md).

   After defining the network configuration parameters, you'll add network segments and define the behavior for those segments. For example, you might want to include a segment that requires attachment acceptance. 

1. [Create a network function group in an AWS Cloud WAN policy version](cloudwan-policy-network-function-groups.md). 

   The network function group provides an added level of security if you want to first steer specific segments to a third-party security device or an Inspection VPC. A network function group is the parent object for the segments you want to route to security appliances.

1. [Create an AWS Cloud WAN route policy and rule](cloudwan-route-policy.md). 

   Create routing policies with rules that define how routes are filtered, summarized, or modified based on specific conditions and actions.

1. [Add segment actions in an AWS Cloud WAN core network policy version](cloudwan-policy-network-actions-routes.md).

   Define segment actions, such as sharing a segment, creating a segment route, edge location route policy associations, or creating a service insertion action for the network function group.

1. [Create an AWS Cloud WAN attachment routing policy](cloudwan-policy-attachment-routing.md). 

   Create attachment routing policies with rules that define how attachments are associated to routing policies.

1. [Create an attachment policy in an AWS Cloud WAN core network policy version](cloudwan-policy-attachments.md). 

   Finally, you'll create an attachment policy that defines the order when segments or network function groups should be run in the core network policy.

**Topics**
+ [Configure the core network settings](cloudwan-core-network-config.md)
+ [Add a segment](cloudwan-policy-segments.md)
+ [Create a network function group](cloudwan-policy-network-function-groups.md)
+ [Add a segment action](cloudwan-policy-network-actions-routes.md)
+ [Create a core network attachment policy](cloudwan-policy-attachments.md)
+ [Create a route policy and rule](cloudwan-route-policy.md)
+ [Create an attachment routing policy](cloudwan-policy-attachment-routing.md)

# Configure the core network settings in an AWS Cloud WAN policy version

The following steps guide you through configuring a core network for a policy version using the **Policy versions** link on the AWS Network Manager console. For more information about a core network in a policy version, see [Network configuration](cloudwan-create-policy-version.md#cloudwan-policy-config).

**To configure network for a policy version**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity** choose **Cloud WAN**.

1. On the **Global networks** page, choose the global network ID for the core network you want to create a policy version for, and then choose **Core network**.

1. In the navigation pane, choose **Policy versions**.

1. Choose **Create policy version**.

1. In **Choose policy view mode**, choose **Visual editor**.

1. The **Network configuration** displays general settings for the policy.

1. In **General settings**, choose **Edit**.

   1. For **Version**, choose one of the following:
      + **2021.12**: this version does not support routing policies or BGP community tag propagation through your core network.
      + **2025.11**: this version enables support for routing policies and BGP community tag propagation through your core network.

   1.  Choose any of the following:
      + **VPN ECMP support** if the core network should forward traffic over multiple-cost routes using VPN.
      + **DNS support** if you want to use DNS resolution for the core network.
      + **Security Group Referencing support** if you want to enable security group referencing for VPC attachments in the core network. For more information about security group referencing, see [Security group referencing](cloudwan-vpc-attachment.md#cloudwan-sg-referencing).

   1. Choose **Edit general settings**.

1. In the **ASN ranges** section, do the following:

   1. Choose **Create**.

   1. For **ASN range**, enter the ASN range for the policy version. For example, enter **64512-65334**.
**Note**  
The **ASN range** is left-closed and right-open. This means that the leftmost number is included in the range but the rightmost number is not. For example, if you choose an ASN range of **64900-64903**, the actual available ASN range is **64900** through **64902**. **64903** is not included.

   1. Choose **Create ASN range**.

1. In the **Inside CIDR blocks** section, do the following:

   1. Choose **Create**.

   1. For **CIDR**, enter the CIDR block that you want to use for BGP peering on Connect peers.

   1. Choose **Create inside CIDR block**.

1. In the **Edge locations** section, do the following:

   1. Choose **Create**.

   1. From the **Location** dropdown list, choose the **Region** where you want the Core Network Edge router to be created. You can choose only one Region.

   1. For **ASN**, enter the ASN number for the Region.

      
**Note**  
You can't change the ASN of a core network edge. Any transit gateway with the same ASN can't be peered to that core network edge. For example, if you have a core network edge with an ASN of `64512`, you can't peer any transit gateway that also has an ASN of `64512`. 

   1. For **Inside CIDR block**, enter the CIDR block that you want to use for BGP peering on Connect peers. You can enter multiple CIDR blocks by choosing **Add** for each block that you want to add. Choose **Remove** for any block that you don't want.
**Note**  
You can't leave any blank destination CIDR blocks. Choose **Remove** to delete any empty blocks.

   1. Choose **Create edge locations**.

# Add a segment to an AWS Cloud WAN core network policy version

The following steps guide you through adding a segment to a core network policy version using the **Policy versions** link on the AWS Network Manager console. Before adding a segment you must first have configured your [network settings](cloudwan-core-network-config.md). For more information about network segments, see [Segments](cloudwan-create-policy-version.md#cloudwan-policy-create-segment).

**To configure a segment**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity** choose **Cloud WAN**.

1. On the **Global networks** page, choose the global network ID for the core network you want to create a policy version for, and then choose **Core network**.

1. In the navigation pane, choose **Policy versions**.

1. Choose **Create policy version**.

1. Choose **Segments**.

1. In the **Segments** section, choose **Create**.

1. Enter the **Segment name** and **Segment description** to identify the segment.

1. From the **Edge locations** dropdown list, choose one or more segments to create.

1. Choose **Require acceptance** if you require approval for attachments to be mapped to this segment. 

1. Choose **Isolated attachments** if you need this segment isolated. Attachments in isolated segments can't communicate with other segments, and attachments in other segments can't communicate with the isolated segment.
**Important**  
**Isolated attachments** is required if you're adding an intra-segment for use with service insertion.

1. For the **Segment filter**, choose whether to **Allow all** shared routes from other segments, to **Allow selected** segments, or to **Deny selected** segments. The default value is **Allow all**.

1. (Optional) If you want to limit your edge locations for the segment, choose **Choose edge locations**, and then choose the edge locations you want to limit the segment to.

1. Choose **Create policy**.

# Create a network function group in an AWS Cloud WAN policy version

The following steps guide you through creating a network function group in a core network policy version using the **Policy versions** link on the AWS Network Manager console. There are no prerequisites for creating a network function group. For more information about network function groups, see [Network function groups](cloudwan-create-policy-version.md#cloudwan-core-network-function).

**To route traffic using a network function group**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity** choose **Cloud WAN**.

1. On the **Global networks** page, choose the global network ID for the core network you want to create a policy version for, and then choose **Core network**.

1. In the navigation pane, choose **Policy versions**.

1. Choose **Create policy version**.

1. In **Choose policy view mode**, choose **Visual editor**.

1. Choose **Network function groups**.

1. Choose **Create**. 

1. Enter a **Name** identifying this function, and then provide an optional **Description**.

1. If the attachment association requires acceptance, choose **Require acceptance**.
**Note**  
An attachment can be associated only with a segment or a network functions group, but not both. You can't associate an attachment to a network functions group if that attachment is already associated with a segment. 

1. Once you've created the network function group, you can create a service insertion segment action that routes your network functions from source segments to destination segments using this network function group. For more information on creating a segment action, see "Service insertion" in [Add segment actions in an AWS Cloud WAN core network policy version](cloudwan-policy-network-actions-routes.md).

# Add segment actions in an AWS Cloud WAN core network policy version

The following steps guide you through optionally setting segment actions for a core network policy version using the **Policy versions** link on the AWS Network Manager console. Before setting segment actions you must first configure your [network settings](cloudwan-core-network-config.md) and [add one or more segments](cloudwan-policy-segments.md). For more information about segment actions, see [Segment actions](cloudwan-create-policy-version.md#cloudwan-policy-create-action).

**Topics**
+ [Segment sharing](#cloudwan-policy-network-actions-sharing)
+ [Segment routes](#cloudwan-policy-version-routes)
+ [Edge location routing policy associations](#cloudwan-policy-routing-associations-console)
+ [Service insertion](#cloudwan-policy-service-insertion)

## Segment sharing


Create a shared segment between two segments.

Segment sharing is bidirectional by default. When you create a segment share between two segments, routes from both segments are automatically advertised to each other. For example, you might share a segment named `test` with another segment named `dev`. Routes from `test` are advertised to `dev`, and vice versa. To make routes in shared segments unidirectional, create a deny list filter to share routes from one segment to the other, but not vice versa. Using the previous example, you could make a deny list filter that prevents routes from `test` being advertised to `dev`. For more information on creating the deny list for a segment, see [Add a segment to an AWS Cloud WAN core network policy version](cloudwan-policy-segments.md).

**Static route propagation in segment sharing**  
Static routes are not propagated between shared segments when using attachment-route mode. Only attachment routes (routes to directly connected attachments) are shared between segments. If there are static routes or routes shared from other segments, those will not be shared through the attachment-route mode. Static routes remain within their intended segment boundaries and must be explicitly created in each segment where they're needed using multiple create-route statements.
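The sharing and filtering rules above, worked through as an added example (not AWS code): a share between two segments is tried in both directions, each direction is subject to the receiving segment's own filter, and only attachment routes cross over. The policy fragment and the route lists are constructed for this example and reuse the policy JSON keys shown on this page; treating deny before allow when a segment carries both filters is an assumption.

```python
"""Determine which direction attachment routes actually flow between shared
Cloud WAN segments, applying each receiving segment's route filter.
Added illustration, not AWS code. The policy fragment is constructed for this
example and mirrors the policy JSON keys used on this page (segment
allow-filter / deny-filter, and a share segment action in attachment-route
mode)."""
from __future__ import annotations

import json

# Constructed sample: "test" shares with "dev" and "prod". "dev" denies
# routes from "test", so that share is effectively one-way (dev -> test).
# "prod" allows only "test" to advertise into it.
POLICY_JSON = """
{
  "segments": [
    {"name": "test"},
    {"name": "dev", "deny-filter": ["test"]},
    {"name": "prod", "allow-filter": ["test"]}
  ],
  "segment-actions": [
    {"action": "share", "mode": "attachment-route",
     "segment": "test", "share-with": ["dev", "prod"]}
  ]
}
"""
SAMPLE_POLICY = json.loads(POLICY_JSON)

# Constructed routes per segment. "kind" is "attachment" (a route to a directly
# connected attachment) or "static" (a create-route entry).
SAMPLE_ROUTES = {
    "test": [{"cidr": "10.1.0.0/16", "kind": "attachment"},
             {"cidr": "0.0.0.0/0", "kind": "static"}],
    "dev": [{"cidr": "10.2.0.0/16", "kind": "attachment"}],
    "prod": [{"cidr": "10.3.0.0/16", "kind": "attachment"}],
}


def accepts_routes_from(receiver: dict, sender: str) -> bool:
    """Apply the receiving segment's filter to routes advertised by `sender`.

    Mirrors the console's segment filter: no filter means "Allow all",
    allow-filter means "Allow selected", deny-filter means "Deny selected".
    If a segment carried both, deny is checked first (assumption of this example).
    """
    if sender in receiver.get("deny-filter", []):
        return False
    allow = receiver.get("allow-filter")
    return allow is None or sender in allow


def effective_shares(policy: dict) -> set[tuple[str, str]]:
    """Return (advertising_segment, receiving_segment) pairs over which routes
    propagate. A share is bidirectional by default, so both directions are
    tried, each subject to the receiver's own filter."""
    segments = {s["name"]: s for s in policy["segments"]}
    pairs: set[tuple[str, str]] = set()
    for action in policy.get("segment-actions", []):
        if action.get("action") != "share":
            continue
        src = action["segment"]
        targets = action["share-with"]
        if targets == "*":  # share with every other segment
            targets = [name for name in segments if name != src]
        for dst in targets:
            for sender, receiver in ((src, dst), (dst, src)):
                if accepts_routes_from(segments[receiver], sender):
                    pairs.add((sender, receiver))
    return pairs


def visible_routes(policy: dict, routes: dict[str, list[dict]]) -> dict[str, set[str]]:
    """Routes each segment sees: its own plus attachment routes shared in.
    Static routes stay in their own segment: attachment-route mode does not
    propagate them, so they must be created in every segment that needs them."""
    visible = {s["name"]: {r["cidr"] for r in routes.get(s["name"], [])}
               for s in policy["segments"]}
    for sender, receiver in effective_shares(policy):
        for route in routes.get(sender, []):
            if route["kind"] == "attachment":
                visible[receiver].add(route["cidr"])
    return visible


if __name__ == "__main__":
    print(sorted(effective_shares(SAMPLE_POLICY)))
    for name, cidrs in visible_routes(SAMPLE_POLICY, SAMPLE_ROUTES).items():
        print(name, sorted(cidrs))
```

Running it shows `dev` never receives the `test` routes, while `test` still receives `dev` routes, and the static default route in `test` reaches no other segment.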

**To create a shared segment**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity** choose **Cloud WAN**.

1. On the **Global networks** page, choose the global network ID for the core network you want to create a policy version for, and then choose **Core network**.

1. In the navigation pane, choose **Policy versions**.

1. Choose **Create policy version**.

1. Choose **Segment actions - optional**.

1. (Optional) In the **Sharing** section, choose **Create**, and then do the following:

   1. From the **Segment from** dropdown list, choose the core network segment that you want to share.

   1. For the **Segment to**, choose whether to **Allow all** shared routes from other segments, to **Allow selected** segments, or to **Deny selected** segments. The default value is **Allow all**.

   1. Do one of the following:
      + If you chose **Allow selected**, choose the segments to allow from the **Allow segment list**.
      + If you chose **Deny selected**, choose the segments to disallow from the **Deny segment list**.

   1. (Optional) If you've created a routing policy, select **Routing policy** to choose the routing policies to apply to this segment sharing.

   1. Choose **Create sharing**.

## Segment routes


Create a segment route for a policy version.

**To create a segment route**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity** choose **Cloud WAN**.

1. On the **Global networks** page, choose the global network ID for the core network you want to create a policy version for, and then choose **Core network**.

1. In the navigation pane, choose **Policy versions**.

1. Choose **Create policy version**.

1. Choose **Segment actions - optional**.

1. (Optional) In the **Routes** section, choose **Create**, and then do the following:

   1. From the **Segment** dropdown list, choose the core network segment that you want to share.

   1. For **Destination CIDR Block**, enter a static route. You can enter multiple CIDR blocks by choosing **Add** for each block that you want to add. Choose **Remove** for any blocks that you don't want. 
**Note**  
You can't leave any blank destination CIDR blocks. Choose **Remove** to delete any empty blocks.

   1. Choose **Blackhole** if you want to "black hole" the route. If you make this choice, you can't add any attachments to the route.

   1. From the **Attachments** list, choose any attachments that you want to include in this route.

   1. Choose **Create segment route**. 

1. (Optional) Add **Attachment policies**. For more information, see [Create an attachment policy in an AWS Cloud WAN core network policy version](cloudwan-policy-attachments.md).

1. Choose **Create route**.

## Edge location routing policy associations


Associating a routing policy to an edge location pair allows you to control how traffic flows between two specific geographic locations in your network, overriding default routing behavior. This provides control for performance optimization, cost management, failover scenarios, and compliance requirements between those specific locations.

**To create routing policy associations**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity** choose **Cloud WAN**.

1. On the **Global networks** page, choose the global network ID for the core network you want to create a policy version for, and then choose **Core network**.

1. In the navigation pane, choose **Policy versions**.

1. Choose **Create policy version**.

1. Choose **Segment actions - optional**.

1. (Optional) In the **Edge location routing policy associations** section, choose **Associate**, and then do the following:

   1. From the **Segment from** dropdown list, choose the segment for the routing policy association.

   1. From the **Edge location** dropdown list, choose the source edge location.

   1. From the **Peer edge location** dropdown list, choose the destination edge location.

   1. From the **Routing policy name** dropdown list, choose the routing policy to associate with this segment and edge location pair.

   1. Choose **Associate**.

For more information on the parameters used in the JSON file, see [Core network policy version parameters in AWS Cloud WAN](cloudwan-policies-json.md). 

```
{
    "segment-actions": [
        { 
            "action": "associate-routing-policy",
            "segment": "prod",
            "edge-location-association": {
                "edge-location": "us-east-1",
                "peer-edge-location": "us-west-2",
                "routing-policy-names": ["routingFilter"]
            }
        }
    ]
}
```

## Service insertion


Create a segment route for a policy version. 

**To set up service insertion for a segment**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity** choose **Cloud WAN**.

1. On the **Global networks** page, choose the global network ID for the core network you want to create a policy version for, and then choose **Core network**.

1. In the navigation pane, choose **Policy versions**.

1. Choose **Create policy version**.

1. Choose **Segment actions - optional**.
**Note**  
You must first have created your segments and network functions group.

1. If you want to create a service insertion action associated with a network functions group in the **Service insertion** section, choose **Create**, and then choose an **Action**. If you're not creating a service insertion action, this is an optional section.

------
#### [ Send via  ]

   This **Action** uses an east-west traffic pattern from attachment to attachment. For example, you might create a policy that directs all traffic between a segment named *Production* and all other segments via inspection VPC attachments.

   1. For the **Mode**, choose one of the following:
      +  **Single hop** — This option steers traffic through a single intermediate attachment. 
      + **Dual hop** — Traffic traverses the inserted attachments in both the source and destination core network edges.

   1.  For **Segment from**, choose the source segment.

   1. For **Segment to**, choose the destination segments. 

   1. For **Send traffic via**, choose the network functions group that you want to use for the service insertion.

   1. (Optional) In **Edge overrides**, choose **Add**.
      + From the **Edge 1** and **Edge 2** drop-down lists, choose the edge locations for the overrides. The overrides set the priority order of the edge locations used to route traffic.
      +  Choose the **Preferred edge** drop-down list to choose which edge location you prefer to use.
      + Choose **Add** to include additional edge overrides.

------
#### [ Send to  ]

   This **Action** uses north-south traffic, sending traffic to the security appliance, such as an Inspection VPC or firewall, and then out to the Internet or an on-premises location.

   1. For **Segment from**, choose the segment coming into the security appliance. For example, you might have a segment named *production* that you want to first go to a security appliance.

   1. For **Send traffic via**, choose the network functions group that you want to use for the service insertion.

   1. (Optional) In **Edge overrides**, choose **Add**.
      + From the **Edge 1** and **Edge 2** drop-down lists, choose the edge locations for the overrides. The overrides set the priority order of the edge locations used to route traffic.
      + Choose the **Preferred edge** drop-down list to choose which edge location you prefer to use.
      + Choose **Add** to include additional edge overrides.

------

1. Choose **Create service insertion**.

1. (Optional) Add **Attachment policies**. For more information, see [Create an attachment policy in an AWS Cloud WAN core network policy version](cloudwan-policy-attachments.md).

# Create an attachment policy in an AWS Cloud WAN core network policy version

The following steps guide you through configuring a core network for a policy version using the **Policy versions** link on the AWS Network Manager console. For more information about attachment policies, see [Attachment policies](cloudwan-create-policy-version.md#cloudwan-policy-create-attachment).

An attachment policy requires the following:
+ The core network configured. See [Configure the core network settings in an AWS Cloud WAN policy version](cloudwan-core-network-config.md). 
+ One or more segments. See [Segments](cloudwan-create-policy-version.md#cloudwan-policy-create-segment). 
+ If you are optionally creating a service insertion action, you'll first need the following:
  + A network functions group. See [Network function groups](cloudwan-create-policy-version.md#cloudwan-core-network-function). 
  + At least one attachment. Supported attachment types are Connect, Direct Connect gateway, transit gateway route table, VPC, and Site-to-Site VPN. For more information about attachments, see [Attachments in AWS Cloud WAN](cloudwan-create-attachment.md). 
**Important**  
An attachment is required when creating a policy that includes a service insertion action. If there is no associated attachment in the policy, traffic will be dropped instead of being redirected to a specified network function group.

**To create an attachment policy**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity** choose **Cloud WAN**.

1. On the **Global networks** page, choose the global network ID for the core network you want to create a policy version for, and then choose **Core network**.

1. In the navigation pane, choose **Policy versions**.

1. Choose **Create policy version**.

1. Choose **Attachment policies**. 

1. Choose **Create**.

1. For the **Rule number**, enter the rule number to apply to this attachment. Rule numbers determine the order in which rules are run.

1. Enter an optional **Description** to identify the attachment policy. 

1. In the **Action** section, choose how you want to associate the attachment to the segment. Choose one of the following:
   + **Segment name** — associates the attachment by the segment name. After choosing this option, choose the segment to attach to from the **Attach to segment** dropdown list.
   + **Attachment tag value** — associates the attachment by the tag's value in a key-value pair. Enter the tag value in the **Attachment tag** value field.
   + **Network function group** — creates an attachment policy rule for service insertion. Choose a network functions group for the service insertion policy. This option requires that you choose **Condition logic** and then the **AND** operator. For the **Type**, you can choose **Tag name**, **Tag value**, or both.

1. Choose one of the following: 
   + **Inherit segments acceptance value** if the attachment inherits the acceptance setting from a segment when a segment was created. This can't be changed. 
   + **Requires attachment acceptance** if you require approval for attachments to be mapped to this segment.
   + If no acceptance option is chosen, attachments are automatically mapped to the segment. 
**Note**  
If `require-attachment-acceptance` is `false` for a segment, it's still possible for attachments to be added to or removed from a segment automatically when their tags change. If this behavior is not desired, set `require-attachment-acceptance` to `true`.

1. (Optional) For **Condition logic**, further refine how the attachment is associated with the segment. 
**Important**  
**Condition logic** is required using **AND** for a network functions group attachment policy rule. The **AND** condition must use a **Tag name** or **Tag value** associated with the attachment. 
   + Choose **OR** — if you want to associate the attachment with the segment by either the **Segment name**/**Attachment tag value**, *or* by the chosen conditions.
   + Choose **AND** — if you want to associate the attachment with the segment by both the **Segment name**/**Attachment tag value** *and* the chosen conditions.

1. In **Conditions**, set the condition logic by doing the following:

   1. From the **Type** dropdown list, choose one of the following condition types:
      + **Resource Id** — Set an **OR** or **AND** condition that uses a Resource ID.
      + **Attachment type** — Set an **OR** or **AND** condition that matches a specific attachment type.
      + **Account** — Set an **OR** or **AND** condition that matches an account.
      + **Tag name** — Set an **OR** or **AND** condition that matches a specific tag name.
      + **Tag value** — Set an **OR** or **AND** condition that matches a specific tag value.
**Important**  
**Tag name** and **Tag value** are the only supported and available **Conditions** for a **Network function group** attachment policy.

   1. From the **Operator** dropdown list, choose one of the following operators. The operator determines the relationship of the Type. 
**Note**  
Operators are not supported for a network function group attachment policy when the **Type** is **Tag name**. The full tag name must be used.
      + **Equals** — Filters results that match the passed **Condition value**. 
      + **Not equals** — Filters results that do not match the passed **Condition value**. This option is not used for **Attachment type**.
      + **Begins with** — Filters results that start with the passed **Condition value**. This option is not used for **Attachment type**.
      + **Contains** — Filters results that match a substring within a string. This option is not used for **Attachment type**.
      + **Any** — Filters results that match any field. This option is not used for **Attachment type**.

   1. In the **Condition values** field, enter the value that corresponds to the **Type** and **Operator**. This option is not used for **Attachment type**. If you're creating a network function group attachment policy, the full tag name or value is required. Partial C

   1. Choose **Add** to include additional conditions or choose **Remove** to delete any conditions. 

1. Choose **Create attachment policy**.

1. Choose **Create policy**.

## Example condition logic for a network function group attachment policy

The following shows a partial JSON example using the OR operator for a network function group attachment policy. 
+ There are two segments, `production` and `development`.
+ Rule numbers are manually assigned to each attachment policy for rule processing. Rules are then processed in numerical order according to the number assigned to them. In this example, the rule number is assigned `600` .
+ Using the OR Condition logic, the network function group attachment policy looks for any segment with the value `production` or `development`.

For more information on the parameters used in the JSON file, see [Core network policy version parameters in AWS Cloud WAN](cloudwan-policies-json.md). 

```
{
      "rule-number": 600,
      "condition-logic": "or",
      "conditions": [
        {
          "type": "tag-value",
          "operator": "equals",
          "key": "segment",
          "value": "production"
        },
        {
          "type": "tag-value",
          "operator": "equals",
          "key": "stage",
          "value": "development"
        }
      ],
      "action": {
        "add-to-network-function-group": "networkfunctiongroupone"
      }
    }
```

## Example attachment policy


The following shows a JSON containing three attachment policies for a core network.
+ There are three segments, `DevelopmentSegment`, `TestingSegment`, and `ProductionSegment`, which were first created on the **Segments** tab of the **Create policy** page. When these segments were created, `DevelopmentSegment` was set to automatically accept attachments, while `TestingSegment` and `ProductionSegment` were required to accept attachments. `ProductionSegment` was also limited to `us-east-1` only and only `TestingSegment` is allowed to advertise to this segment.
+ Rule numbers are manually assigned to each attachment policy for rule processing. Rules are then processed in numerical order according to the number assigned to them. In this example, the following rule numbers are used: `100` for `DevelopmentSegment`, `200` for `TestingSegment`, and `300` for `ProductionSegment`. This indicates that rule `100` will be run first, followed by rule `200` and then rule `300`. Once an attachment matches a rule, no further rules are processed for that attachment. Rule `300` for `ProductionSegment` additionally indicates that the policy will only accept `vpc` attachments and only if the request comes from `us-east-2`.

For more information on the parameters used in the JSON file, see [Core network policy version parameters in AWS Cloud WAN](cloudwan-policies-json.md). 

```
{
  "version": "2021.12",
  "core-network-configuration": {
    "vpn-ecmp-support": true
  },
  "segments": [
    {
      "name": "DevelopmentSegment",
      "require-attachment-acceptance": false
    },
    {
      "name": "TestingSegment",
      "require-attachment-acceptance": true
    },
    {
      "name": "ProductionSegment",
      "edge-locations": [
        "us-east-1"
      ],
      "require-attachment-acceptance": true,
      "isolate-attachments": true,
      "allow-filter": [
        "TestingSegment"
      ]
    }
  ],
  "attachment-policies": [
    {
      "rule-number": 100,
      "condition-logic": "or",
      "conditions": [],
      "action": {
        "association-method": "constant",
        "segment": "DevelopmentSegment"
      }
    },
    {
      "rule-number": 200,
      "condition-logic": "or",
      "conditions": [],
      "action": {
        "association-method": "constant",
        "segment": "TestingSegment",
        "require-acceptance": true
      }
    },
    {
      "rule-number": 300,
      "condition-logic": "and",
      "conditions": [
        {
          "type": "region",
          "operator": "equals",
          "value": "us-east-2"
        },
        {
          "type": "attachment-type",
          "operator": "equals",
          "value": "vpc"
        }
      ],
      "action": {
        "association-method": "constant",
        "segment": "ProductionSegment",
        "require-acceptance": true
      }
    }
  ]
}
```

Using the **Visual editor**, the same policies display as follows: 

![\[Cloud WAN attachment policy using the Visual editor.\]](http://docs.aws.amazon.com/network-manager/latest/cloudwan/images/cloudwan-attachment-policy.png)


Note that if an attachment policy uses the **and** condition, each condition appears on a separate row of the editor. In this example, since rule number 300 uses **region** and **attachment-type** conditions, each of those conditions appears on a separate row.
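The rule-ordering, condition-logic and operator behaviour described in this section and in the steps above, worked through as an added example (not AWS code): rules are evaluated in ascending rule-number order, the first match wins, and **Attachment type** accepts only **Equals**. The rules and attachments are constructed for this example (the attachment ids are placeholders) and use only the condition types that appear in this page's JSON samples; treating a missing tag or attribute as never matching is an assumption.

```python
"""Evaluate Cloud WAN attachment policy rules against candidate attachments
using the semantics this page describes: rules run in ascending rule-number
order, the first match wins, "or" needs one condition to hold and "and" needs
all of them, and Attachment type accepts only the Equals operator.
Added illustration, not AWS code; the rules and attachments are constructed
for this example and use the condition types from this page's JSON samples."""
from __future__ import annotations

import json

# Constructed rules, listed out of order on purpose: evaluation sorts them.
RULES_JSON = """
[
  {"rule-number": 300, "condition-logic": "or",
   "conditions": [
     {"type": "tag-value", "operator": "equals", "key": "segment", "value": "production"},
     {"type": "tag-value", "operator": "equals", "key": "stage", "value": "development"}],
   "action": {"add-to-network-function-group": "networkfunctiongroupone"}},
  {"rule-number": 100, "condition-logic": "and",
   "conditions": [
     {"type": "region", "operator": "equals", "value": "us-east-2"},
     {"type": "attachment-type", "operator": "equals", "value": "vpc"}],
   "action": {"association-method": "constant", "segment": "ProductionSegment",
              "require-acceptance": true}},
  {"rule-number": 200, "condition-logic": "or",
   "conditions": [
     {"type": "tag-value", "operator": "begins-with", "key": "env", "value": "dev"},
     {"type": "tag-value", "operator": "contains", "key": "team", "value": "lab"}],
   "action": {"association-method": "constant", "segment": "DevelopmentSegment"}}
]
"""
SAMPLE_RULES = json.loads(RULES_JSON)

# Constructed attachments (ids are placeholders, not real resource ids).
SAMPLE_ATTACHMENTS = [
    {"id": "attachment-a", "type": "vpc", "region": "us-east-2", "tags": {"env": "prod"}},
    # Matches rule 300 too, but rule 100 is evaluated first and wins.
    {"id": "attachment-b", "type": "vpc", "region": "us-east-2", "tags": {"stage": "development"}},
    # Not a VPC, so the "and" rule 100 fails; env begins with "dev" satisfies rule 200.
    {"id": "attachment-c", "type": "vpn", "region": "us-east-2", "tags": {"env": "development"}},
    {"id": "attachment-d", "type": "vpc", "region": "us-west-2", "tags": {"segment": "production"}},
    # Matches nothing: no rule applies, so no segment or group is assigned.
    {"id": "attachment-e", "type": "vpc", "region": "us-west-2", "tags": {}},
]

OPERATORS = {
    "equals": lambda actual, expected: actual == expected,
    "not-equals": lambda actual, expected: actual != expected,
    "begins-with": lambda actual, expected: actual.startswith(expected),
    "contains": lambda actual, expected: expected in actual,
}


def condition_is_valid(cond: dict) -> bool:
    """Reject condition shapes the console does not allow: unknown types or
    operators, a tag-value condition without a key, and any operator other
    than equals on attachment-type."""
    ctype, op = cond.get("type"), cond.get("operator")
    if ctype not in ("region", "attachment-type", "tag-value") or op not in OPERATORS:
        return False
    if ctype == "attachment-type" and op != "equals":
        return False
    return ctype != "tag-value" or "key" in cond


def condition_holds(cond: dict, attachment: dict) -> bool:
    """True if the condition matches the attachment. A missing attribute or
    tag never matches, whatever the operator (assumption of this example)."""
    if not condition_is_valid(cond):
        raise ValueError(f"invalid condition: {cond}")
    if cond["type"] == "region":
        actual = attachment.get("region")
    elif cond["type"] == "attachment-type":
        actual = attachment.get("type")
    else:  # tag-value: "key" names the tag whose value is compared
        actual = attachment.get("tags", {}).get(cond["key"])
    return actual is not None and OPERATORS[cond["operator"]](actual, cond["value"])


def match_rule(rules: list[dict], attachment: dict) -> dict | None:
    """Return the first rule, in ascending rule-number order, whose conditions
    hold for the attachment, or None when no rule matches."""
    for rule in sorted(rules, key=lambda r: r["rule-number"]):
        results = [condition_holds(c, attachment) for c in rule["conditions"]]
        logic = rule["condition-logic"]
        if logic not in ("and", "or"):
            raise ValueError(f"unsupported condition-logic: {logic}")
        if all(results) if logic == "and" else any(results):
            return rule  # first match wins; later rules are not evaluated
    return None


def assign_all(rules: list[dict], attachments: list[dict]) -> dict[str, int | None]:
    """Map each attachment id to the rule number that claimed it (or None)."""
    outcome = {}
    for attachment in attachments:
        rule = match_rule(rules, attachment)
        outcome[attachment["id"]] = rule["rule-number"] if rule else None
    return outcome


if __name__ == "__main__":
    for att_id, rule_number in assign_all(SAMPLE_RULES, SAMPLE_ATTACHMENTS).items():
        print(att_id, "->", rule_number)
```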

# Create an AWS Cloud WAN route policy and rule
Create a route policy and rule

A routing policy is a set of rules that gives you precise control over route propagation in your core network, allowing better route management, optimized performance, and greater security. A routing policy rule consists of a match condition and an action. The match condition determines which route propagations the rule applies to, and the action specifies how the core network processes them. This granular control lets you implement complex routing scenarios, such as blocking specific routes, adding BGP community tags, modifying AS paths, or setting route preferences to influence path selection across your network. You can associate routing policies with routes propagated on Cloud WAN attachments, with routes propagated across segments, or with routes propagated between core network edges (CNEs) in different Regions (CNE-to-CNE).

## Create a routing policy


Provide policy details to control traffic flow and optimize your network routing. Before you can create a routing policy, you must first have completed the following:
+ Set up the network configuration. See [Configure the core network settings](cloudwan-core-network-config.md).
+ Defined one or more segments. See [Add a segment](cloudwan-policy-segments.md).

**To create a routing policy**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity** choose **Cloud WAN**.

1. On the **Global networks** page, choose the global network ID of the core network you want to create a policy version for, and then choose **Core network**.

1. In the navigation pane, choose **Policy versions**.

1. Choose **Create policy version**.

1. In **Choose policy view mode**, choose **Visual editor**.

1. Choose **Routing policies**. 

1. Choose **Create**.

1. For **Routing policy number**, enter a priority number. Lower numbers take priority over higher numbers when processing the policy.

1. (Optional) Add a **Description** identifying this policy. The description can be no longer than 256 characters, using a-z, A-Z, 0-9, and hyphens (-). White spaces are not allowed.

1. For **Routing policy direction**, choose one of the following:
   + **Inbound** - An inbound routing policy contains rules that control routes propagated inbound over an attachment into the CNE (for example, from an external network into Cloud WAN).
   + **Outbound** - An outbound routing policy contains rules that control routes advertised from a CNE outbound over an attachment (for example, from Cloud WAN to an external network).

1. Choose **Create routing policy**.

Once you've created one or more routing policies, you can add rules to them to further control route propagation.

## Create a routing policy rule


A routing policy rule consists of a match condition and an action used to control route propagations.

**To create a routing policy rule**

1. Open the Network Manager console at [https://console.aws.amazon.com/networkmanager/](https://console.aws.amazon.com/networkmanager/).

1. In the navigation pane, choose **Cloud WAN**.

1. Choose the global network ID.

1. In the navigation pane, choose **Routing policies**.

1. Choose the routing policy where you want to add a rule.

1. Choose **Create rule**.

1. For **Routing policy rule number**, enter a priority number. Lower numbers take priority over higher numbers when processing the policy.

1. Set the **Action** for the rule. Available actions include:
   + **Drop** - Block specified routes
   + **Allow** - Allow specified routes that would otherwise be dropped by a drop rule. An allow rule must have a lower rule number than the drop rule it overrides, so that it is evaluated first.
   + **Prepend ASN list** - Add ASNs to make this path less preferred
   + **Remove ASN list** - Remove ASNs to make this path more preferred
   + **Replace ASN list** - Replace AS-PATH with a new ASN list
   + **Add community** - Add a BGP community to routes
   + **Remove community** - Remove a BGP community from routes
   + **Summarize** - Advertise a summary route 
   + **Set local preference** - Set priority for route selection (higher value = more preferred path)

1. If you add multiple conditions, choose the logical operator used to combine them:
   + **AND** - All conditions must be met for the rule to apply
   + **OR** - Any condition can be met for the rule to apply

1. Configure the match conditions for the rule. The following condition types are available:
   + **Prefix equals** - Matches routes with an exact network prefix specification.
   + **Prefix in CIDR** - Match propagated routes that fall within a specified CIDR range. 
   + **Prefix in prefix list** - Matches routes whose prefixes are contained in a predefined prefix list.
   + **ASN in as path** - Matches routes that contain a specific Autonomous System Number in their AS path.
   + **Community in list** - Matches routes that have BGP community attributes present in a specified community list.
   + **MED equals** - Matches routes with a Multi-Exit Discriminator (MED) value equal to the specified number.

1. Choose **Add rule**.
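The following Python script is an added example, not code from the Cloud WAN documentation or from the service itself. It models the rule elements described above (the six match condition types, AND/OR condition logic, and the drop, allow, AS-path, community, and local-preference actions) as a small evaluator run over constructed sample routes, so that you can see why an allow rule must carry a lower number than the drop rule it overrides. The dictionary layout, the terminal behaviour of allow and drop, the default of propagating routes that no rule drops, and the IPv4-only samples are assumptions of this model, not the core network policy JSON schema; the summarize action is omitted because it emits a new route rather than modifying a matched one.

```python
"""Evaluate routing-policy rules like those above against sample BGP routes.

Added illustration, not AWS code and not the Cloud WAN policy JSON schema:
the rule and route dictionaries are a simplified model (assumption). Assumed
semantics: rules run in ascending rule-number order; "allow" and "drop" end
evaluation; modifying actions apply and evaluation continues; a route that
no rule drops is propagated. "summarize" is omitted (it emits a new route).
"""
import copy
import ipaddress

# Constructed sample routes, as a CNE might receive them over an attachment.
SAMPLE_ROUTES = [
    {"prefix": "10.10.0.0/16", "as_path": [65001], "communities": {"65001:100"}, "med": 0, "local_pref": 100},
    {"prefix": "10.20.5.0/24", "as_path": [65001, 65002], "communities": set(), "med": 50, "local_pref": 100},
    {"prefix": "0.0.0.0/0", "as_path": [65003], "communities": {"65003:1"}, "med": 0, "local_pref": 100},
    {"prefix": "192.168.1.0/24", "as_path": [65002], "communities": set(), "med": 50, "local_pref": 100},
]

# Constructed prefix and community lists referenced by the rules.
PREFIX_LISTS = {"corp-on-prem": ["192.168.0.0/16", "172.16.0.0/12"]}
COMMUNITY_LISTS = {"partner": ["65003:1", "65003:2"]}

# Constructed rules. Rule 10 (allow) deliberately precedes rule 30 (drop) so the
# on-prem /24 survives the broad drop of 192.168.0.0/16; rule 20 blocks a
# default route that no attachment should be able to inject into the core.
SAMPLE_RULES = [
    {"rule-number": 10, "conditions": [{"type": "prefix-in-prefix-list", "value": "corp-on-prem"}],
     "action": {"type": "allow"}},
    {"rule-number": 20, "conditions": [{"type": "prefix-equals", "value": "0.0.0.0/0"}],
     "action": {"type": "drop"}},
    {"rule-number": 30, "conditions": [{"type": "prefix-in-cidr", "value": "192.168.0.0/16"}],
     "action": {"type": "drop"}},
    {"rule-number": 40, "condition-logic": "and",
     "conditions": [{"type": "asn-in-as-path", "value": "65002"}, {"type": "med-equals", "value": "50"}],
     "action": {"type": "prepend-asn-list", "asns": [65000, 65000]}},
    {"rule-number": 50, "conditions": [{"type": "asn-in-as-path", "value": "65001"}],
     "action": {"type": "add-community", "community": "65000:10"}},
]

def match_condition(cond, route):
    """Return True if one match condition holds for the route (IPv4 assumed)."""
    kind, value = cond["type"], cond["value"]
    prefix = ipaddress.ip_network(route["prefix"])
    if kind == "prefix-equals":
        return prefix == ipaddress.ip_network(value)
    if kind == "prefix-in-cidr":
        return prefix.subnet_of(ipaddress.ip_network(value))
    if kind == "prefix-in-prefix-list":
        return any(prefix.subnet_of(ipaddress.ip_network(p)) for p in PREFIX_LISTS[value])
    if kind == "asn-in-as-path":
        return int(value) in route["as_path"]
    if kind == "community-in-list":
        return bool(route["communities"] & set(COMMUNITY_LISTS[value]))
    if kind == "med-equals":
        return route["med"] == int(value)
    raise ValueError(f"unknown condition type: {kind}")

def rule_matches(rule, route):
    """Combine the rule's conditions with its AND/OR logic (default AND)."""
    results = [match_condition(c, route) for c in rule["conditions"]]
    if not results:
        return False  # assumption: a rule with no conditions matches nothing
    return all(results) if rule.get("condition-logic", "and") == "and" else any(results)

def apply_action(action, route):
    """Return (route or None, terminal). Only allow and drop are terminal."""
    kind = action["type"]
    if kind == "drop":
        return None, True
    r = copy.deepcopy(route)  # never mutate the caller's route
    if kind == "allow":
        return r, True
    if kind == "prepend-asn-list":
        r["as_path"] = list(action["asns"]) + r["as_path"]
    elif kind == "remove-asn-list":
        r["as_path"] = [a for a in r["as_path"] if a not in action["asns"]]
    elif kind == "replace-asn-list":
        r["as_path"] = list(action["asns"])
    elif kind == "add-community":
        r["communities"].add(action["community"])
    elif kind == "remove-community":
        r["communities"].discard(action["community"])
    elif kind == "set-local-preference":
        r["local_pref"] = int(action["value"])
    else:
        raise ValueError(f"unknown action type: {kind}")
    return r, False

def evaluate(rules, route):
    """Run one route through the rules in number order; None means dropped."""
    for rule in sorted(rules, key=lambda r: r["rule-number"]):
        if rule_matches(rule, route):
            route, terminal = apply_action(rule["action"], route)
            if terminal:
                return route
    return route

def evaluate_all(rules, routes):
    """Map each original prefix to its post-policy route (or None)."""
    return {r["prefix"]: evaluate(rules, r) for r in routes}

if __name__ == "__main__":
    for prefix, result in evaluate_all(SAMPLE_RULES, SAMPLE_ROUTES).items():
        print(prefix, "->", "DROPPED" if result is None else result)
```

Run it, then renumber rule 10 to 35 and run it again: with the allow rule evaluated after rule 30, the on-prem 192.168.1.0/24 prefix is dropped instead of propagated, which is the ordering mistake the Allow action description warns about.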

# Create an AWS Cloud WAN attachment routing policy
Create an attachment routing policy

Attachment routing policies associate one or more routing policies with attachments. An attachment routing policy consists of a list of match-action rules that map one or more routing policies to a routing policy label, a string identifier of up to 256 characters. You associate this routing policy label with an attachment using the create-attachment-routing-policy-label API.<a name="cloudwan-create-attachment-routing-policy"></a>

**To create an attachment routing policy**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity** choose **Cloud WAN**.

1. On the **Global networks** page, choose the global network ID of the core network you want to create a policy version for, and then choose **Core network**.

1. In the navigation pane, choose **Policy versions**.

1. Choose **Create policy version**.

1. In **Choose policy view mode**, choose **Visual editor**.

1. Choose the **Attachment policies** tab.

1. In the **Attachment routing policies rules** section, choose **Create**.

1. For **Rule number**, enter a unique number from 1 to 9,999. Rules are processed in numerical order.

1. (Optional) Enter a **Rule description**. The description can be no longer than 256 characters, using a-z, A-Z, 0-9, and hyphens (-). White spaces are not allowed.

1. (Optional) Choose the **Edge locations** that this attachment routing rule applies to. You can choose only edge locations that you set up in your network configuration. This option is intended for Direct Connect attachments, which can associate with multiple CNEs, and lets you apply the routing policy at selected CNEs only. By default, the routing policy applies at all CNEs associated with the Direct Connect attachment.

1. For **Condition - Routing policy label**, enter the label for the routing policy you want to use for attachment association. All attachments that carry the same routing policy label are automatically associated with this attachment routing policy. You can add a label to an attachment when you create it, or modify an existing attachment to add a routing policy label. For more information about adding labels to an attachment, see the applicable steps for the type of attachment you're creating in [Attachments](cloudwan-create-attachment.md).

1. For **Action - Associate with these routing policies**, choose the Cloud WAN routing policies you want to associate with the label defined in the previous step.

For more information on the parameters used in the JSON file, see [Core network policy version parameters in AWS Cloud WAN](cloudwan-policies-json.md). 

```
{
    "attachment-routing-policy-rules": [
        {
            "rule-number": 500,
            "description": "Attachment Route Filters",
            "edge-locations": ["us-west-1", "us-east-1"],
            "conditions":[
                {
                    "type": "routing-policy-label",
                    "value": "attachmentRoutingFilter"
                }
            ],
            "action": {
                "associate-routing-policies": ["routingFilter"]
            }
        }
    ]
}
```
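The following Python script is an added example, not code from the Cloud WAN documentation or from the service. It loads a document in the shape shown above (the rule 500 from this page plus two constructed rules), checks that rule numbers are unique and within 1 to 9,999, and resolves which routing policies each of a set of constructed attachments would be associated with, taking the optional edge-location scope into account. The first-match evaluation order, the reading of a rule with no `edge-locations` key as applying at every CNE, and the attachment records are assumptions of this script.

```python
"""Resolve which routing policies an attachment picks up from
attachment-routing-policy-rules of the shape shown above.

Added illustration, not AWS code. Rule 500 is copied from the page; rules
600 and 700 and the attachments are constructed. Assumed semantics: rules
run in ascending rule-number order, the first matching rule wins, and a rule
without "edge-locations" applies at every CNE.
"""
import json

POLICY_JSON = """
{
    "attachment-routing-policy-rules": [
        {
            "rule-number": 500,
            "description": "Attachment Route Filters",
            "edge-locations": ["us-west-1", "us-east-1"],
            "conditions": [{"type": "routing-policy-label", "value": "attachmentRoutingFilter"}],
            "action": {"associate-routing-policies": ["routingFilter"]}
        },
        {
            "rule-number": 600,
            "description": "Same-label-at-every-other-CNE",
            "conditions": [{"type": "routing-policy-label", "value": "attachmentRoutingFilter"}],
            "action": {"associate-routing-policies": ["defaultFilter"]}
        },
        {
            "rule-number": 700,
            "description": "Partner-Direct-Connect",
            "conditions": [{"type": "routing-policy-label", "value": "partnerDx"}],
            "action": {"associate-routing-policies": ["partnerInbound", "partnerOutbound"]}
        }
    ]
}
"""

# Constructed attachments: the CNE each is evaluated at and its routing policy label.
SAMPLE_ATTACHMENTS = [
    {"id": "attachment-dx-1", "type": "direct-connect", "edge-location": "us-east-1", "label": "attachmentRoutingFilter"},
    {"id": "attachment-dx-2", "type": "direct-connect", "edge-location": "eu-west-1", "label": "attachmentRoutingFilter"},
    {"id": "attachment-dx-3", "type": "direct-connect", "edge-location": "us-west-1", "label": "partnerDx"},
    {"id": "attachment-vpc-4", "type": "vpc", "edge-location": "us-east-1", "label": None},
]

def load_rules(text):
    """Parse the document, validate rule numbers, and return rules sorted by number."""
    rules = json.loads(text)["attachment-routing-policy-rules"]
    seen = set()
    for rule in rules:
        n = rule["rule-number"]
        if not 1 <= n <= 9999:
            raise ValueError(f"rule-number {n} outside 1-9999")
        if n in seen:
            raise ValueError(f"duplicate rule-number {n}")
        seen.add(n)
        if len(rule.get("description", "")) > 256:
            raise ValueError(f"rule {n}: description longer than 256 characters")
    return sorted(rules, key=lambda r: r["rule-number"])

def validate(text):
    """True if the document parses and its rule numbers are usable."""
    try:
        load_rules(text)
        return True
    except (ValueError, KeyError):
        return False

def rule_applies(rule, attachment):
    """Check the edge-location scope first, then every condition must hold."""
    scope = rule.get("edge-locations")
    if scope is not None and attachment["edge-location"] not in scope:
        return False
    for cond in rule["conditions"]:
        if cond["type"] != "routing-policy-label":
            raise ValueError(f"unsupported condition type: {cond['type']}")
        if attachment["label"] != cond["value"]:
            return False
    return True

def resolve(rules, attachment):
    """Return (rule-number, routing policy names) for the first matching rule."""
    for rule in rules:
        if rule_applies(rule, attachment):
            return rule["rule-number"], list(rule["action"]["associate-routing-policies"])
    return None, []

def resolve_all(text, attachments):
    """Resolve every attachment against the rules in the document."""
    rules = load_rules(text)
    return {a["id"]: resolve(rules, a) for a in attachments}

if __name__ == "__main__":
    for att_id, (rule_no, policies) in resolve_all(POLICY_JSON, SAMPLE_ATTACHMENTS).items():
        print(f"{att_id}: rule {rule_no} -> {policies or 'no routing policy'}")
```

The second attachment carries the same label as the first but sits at a CNE outside rule 500's edge-location list, so it falls through to rule 600; an attachment with no label matches nothing and gets no routing policy, which is worth checking before you publish a policy version that relies on labels being set.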