

# Create an AWS Site-to-Site VPN connection
<a name="create-vpn-connection"></a>

You can create Site-to-Site VPN connections that attach to transit gateways or Cloud WAN global networks. Both attachment types support IPv4 and IPv6 protocols and can optionally use Site-to-Site VPN Concentrators for connecting multiple remote sites cost-effectively.

## Create a VPN connection using the console
<a name="create-vpn-connection-console"></a>

**To create a VPN connection using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Site-to-Site VPN connections**.

1. Choose **Create VPN connection**.

1. (Optional) For **Name tag**, enter a name for the connection. Doing so creates a tag with a key of `Name` and the value that you specify.

1. For **Target gateway type**, choose one of the following:
   + **Virtual private gateway** - Create a new virtual private gateway VPN connection by choosing an existing **Virtual private gateway**.
   + **Transit gateway** - Create a new transit gateway VPN connection by choosing an existing **Transit gateway**. For more information about creating a transit gateway, see [Transit gateways](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-transit-gateways.html) in *Amazon VPC Transit Gateways*.
   + **Site-to-Site VPN Concentrator** - Create a new Site-to-Site VPN Concentrator connection by using an existing Site-to-Site VPN Concentrator or creating a new one. Choose one of the following:
     + **Existing** - Create a new Site-to-Site VPN Concentrator VPN connection using an existing Concentrator. 
     + **New** - Enter an optional name for the Site-to-Site VPN Concentrator and then choose the transit gateway to associate with it.
   + **Not associated** - Create an unattached VPN connection that can later be associated with Cloud WAN through the Network Manager console or API. For more information about VPN attachments and Cloud WAN, see [Site-to-site VPN attachments in AWS Cloud WAN](https://docs.aws.amazon.com/network-manager/latest/cloudwan/cloudwan-s2s-vpn-attachment.html) in the *AWS Cloud WAN User Guide*.

1. For **Customer gateway**, do one of the following:
   + To use an existing customer gateway, choose **Existing**, and then choose the **Customer gateway ID**.
   + To create a new customer gateway, choose **New**, and then do the following:
     + For the **IP address**, enter a static **IPv4** or **IPv6** address.
     + (Optional) For **Certificate ARN**, choose the ARN of your private certificate (if using certificate-based authentication).
     + For **BGP ASN**, enter the Border Gateway Protocol (BGP) Autonomous System Number (ASN) of your customer gateway. For more information, see [Customer gateway options](cgw-options.md).

1. For **Routing options**, choose **Dynamic (requires BGP)** or **Static**.
**Note**  
Cloud WAN VPN connections and VPN connections using Concentrators only support BGP routing. Static routing is not supported for these connection types.

1. For **Pre-shared key storage** choose either **Standard** or **Secrets Manager**. The default selection is **Standard**. For more information about using AWS Secrets Manager, see [Security](security.md).

1. For **Tunnel inside IP version**, choose **IPv4** or **IPv6**.

1. (Optional) For **Enable acceleration**, choose the check box to enable acceleration. For more information, see [Accelerated VPN connections](accelerated-vpn.md).

   If you enable acceleration, we create two accelerators that are used by your VPN connection. Additional charges apply.

1. (Optional) Depending on which tunnel inside IP version you've chosen, do one of the following:
   + IPv4 — For **Local IPv4 network CIDR**, specify the IPv4 CIDR range on the customer gateway (on-premises) side that is allowed to communicate over the VPN tunnels. For **Remote IPv4 network CIDR**, specify the CIDR range on the AWS side that is allowed to communicate over the VPN tunnels. The default value for both fields is `0.0.0.0/0`.
   + IPv6 — For **Local IPv6 network CIDR**, specify the IPv6 CIDR range on the customer gateway (on-premises) side that is allowed to communicate over the VPN tunnels. For **Remote IPv6 network CIDR**, specify the CIDR range on the AWS side that is allowed to communicate over the VPN tunnels. The default value for both fields is `::/0`.

1. For **Outside IP address type**, choose one of the following options:
   + **Public IPv4** - (Default) Use IPv4 addresses for the outer tunnel IPs.
   + **Private IPv4** - Use a private IPv4 address for use within private networks.
   + **IPv6** - Use IPv6 addresses for the outer tunnel IPs. This option requires that your customer gateway device supports IPv6 addressing.
**Note**  
If you select **IPv6** for the outside IP address type, you must create a customer gateway with an IPv6 address.

1. (Optional) For **Tunnel 1 options**, you can specify the following information for each tunnel:
   + A /30 IPv4 CIDR block from the `169.254.0.0/16` range for the inside tunnel IPv4 addresses.
   + If you specified **IPv6** for **Tunnel inside IP version**, a /126 IPv6 CIDR block from the `fd00::/8` range for the inside tunnel IPv6 addresses.
   + The IKE pre-shared key (PSK). The following versions are supported: IKEv1 or IKEv2.
   + To edit the advanced options for your tunnel, choose **Edit tunnel options**. For more information, see [VPN tunnel options](VPNTunnels.md).
   + (Optional) Choose **Enable** for the **Tunnel activity log** to capture log messages for IPsec activity and DPD protocol messages.
   + (Optional) Choose **Turn on** for **Tunnel endpoint lifecycle** to control the schedule for endpoint replacements. For more information about tunnel endpoint lifecycle, see [Tunnel endpoint lifecycle](tunnel-endpoint-lifecycle.md).

1. (Optional) Choose **Tunnel 2 options** and follow the previous steps to set up a second tunnel.

1. Choose **Create VPN connection**.

# Create an AWS Site-to-Site VPN transit gateway connection using the CLI or API
<a name="create-tgw-cli-api"></a>

## Create a VPN connection to Transit Gateway using the CLI
<a name="tgw-vpn-cli-examples"></a>

Use the [create-vpn-connection](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-vpn-connection.html) command and specify the transit gateway ID for the `--transit-gateway-id` option.

The following example demonstrates creating a VPN connection with IPv6 outer tunnel IPs and IPv6 inner tunnel IPs:

```
aws ec2 create-vpn-connection \
--type ipsec.1 \
--transit-gateway-id tgw-12312312312312312 \
--customer-gateway-id cgw-001122334455aabbc \
--options OutsideIPAddressType=Ipv6,TunnelInsideIpVersion=ipv6,TunnelOptions=[{StartupAction=start},{StartupAction=start}]
```

Example response:

```
{
    "VpnConnection": {
        "VpnConnectionId": "vpn-0abcdef1234567890",
        "State": "pending",
        "CustomerGatewayId": "cgw-001122334455aabbc",
        "Type": "ipsec.1",
        "TransitGatewayId": "tgw-12312312312312312",
        "Category": "VPN",
        "Routes": [],
        "Options": {
            "StaticRoutesOnly": false,
            "OutsideIPAddressType": "Ipv6",
            "TunnelInsideIpVersion": "ipv6"
        }
    }
}
```

## Create a VPN connection to Transit Gateway using the API
<a name="create-vpn-api"></a>

You can create a VPN connection using the Amazon EC2 API. This section provides example request and response messages for creating a transit gateway VPN connection using the API.

### Prerequisites
<a name="create-vpn-api-prerequisites"></a>

Before creating a VPN connection using the API, ensure you have:
+ A transit gateway created and available
+ A customer gateway configured with your on-premises device details

<a name="create-vpn-api-example"></a>

The following example shows how to create a VPN connection using the `CreateVpnConnection` API action:

```
POST / HTTP/1.1
Host: ec2.us-east-1.amazonaws.com
Content-Type: application/x-www-form-urlencoded

Action=CreateVpnConnection
&Type=ipsec.1
&TransitGatewayId=tgw-12345678901234567
&CustomerGatewayId=cgw-12345678901234567
&Options.StaticRoutesOnly=false
&Version=2016-11-15
```

This example creates a VPN connection with dynamic routing (BGP) between the specified transit gateway and customer gateway.

A successful API response returns the VPN connection details:

```
<?xml version="1.0" encoding="UTF-8"?>
<CreateVpnConnectionResponse xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
    <requestId>7a62c49f-347e-4fc4-9331-6e8eEXAMPLE</requestId>
    <vpnConnection>
        <vpnConnectionId>vpn-1a2b3c4d5e6f78901</vpnConnectionId>
        <state>pending</state>
        <customerGatewayId>cgw-12345678901234567</customerGatewayId>
        <type>ipsec.1</type>
        <transitGatewayId>tgw-12345678901234567</transitGatewayId>
        <category>VPN</category>
        <options>
            <staticRoutesOnly>false</staticRoutesOnly>
        </options>
    </vpnConnection>
</CreateVpnConnectionResponse>
```

The response includes the VPN connection ID, current state, and configuration details. The connection will initially be in a "pending" state while AWS provisions the VPN tunnels.

# Create an AWS Site-to-Site VPN Cloud WAN connection using the CLI or API
<a name="create-cwan-vpn-attachment"></a>

You can create Site-to-Site VPN connections between your on-premises network and AWS Cloud WAN by following the procedure below. For more information, see [Site-to-site VPN attachments in AWS Cloud WAN](https://docs.aws.amazon.com/network-manager/latest/cloudwan/cloudwan-s2s-vpn-attachment.html) in the *AWS Cloud WAN User Guide*.

## Create a VPN connection to Cloud WAN using the CLI
<a name="cwan-vpn-cli-examples"></a>

Use the [create-vpn-connection](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-vpn-connection.html) command to create a VPN connection that will later be attached to a Cloud WAN global network. This creates an unattached VPN connection that can subsequently be associated with Cloud WAN through the Network Manager console or API.

**Prerequisites**

Before creating a Cloud WAN VPN connection, ensure you have the following:
+ `customer-gateway-id` - An existing customer gateway resource (`cgw-xxxxxxxxx`) that represents your on-premises VPN device.
+ **Cloud WAN Global Network** - A Cloud WAN global network must be created and configured with appropriate network segments.
+ **BGP Configuration** - Cloud WAN VPN connections require BGP routing; static routing is not supported. You must set `StaticRoutesOnly=false` in the options parameter.

The following example creates an unattached VPN connection for Cloud WAN. The command does not specify a target gateway, so the connection is created in an unattached state and can later be associated with your Cloud WAN global network through the Network Manager console or API. The `StaticRoutesOnly=false` option enables BGP routing, which is mandatory for Cloud WAN VPN attachments because static routing is not supported.

```
aws ec2 create-vpn-connection \
--type ipsec.1 \
--customer-gateway-id cgw-0123456789abcdef0 \
--options StaticRoutesOnly=false
```

The response returns the following:

```
{
    "VpnConnection": {
        "VpnConnectionId": "vpn-0abcdef1234567890",
        "State": "pending",
        "CustomerGatewayId": "cgw-0123456789abcdef0",
        "Type": "ipsec.1",
        "Category": "VPN",
        "Routes": [],
        "Options": {
            "StaticRoutesOnly": false
        }
    }
}
```

After creating the VPN connection, you can attach it to your Cloud WAN global network using the Network Manager console or the `create-site-to-site-vpn-attachment` API call.

## Create a VPN Cloud WAN connection using the API
<a name="cwan-vpn-api-examples"></a>

You can use the EC2 API to create a VPN connection for Cloud WAN integration. This involves making a `CreateVpnConnection` API call that creates an unattached VPN connection, which can then be associated with your Cloud WAN global network.

The API request creates a VPN connection without specifying a target gateway, leaving it in an unattached state that's ready for Cloud WAN integration. The connection uses BGP routing, which is required for Cloud WAN VPN attachments.

The following example shows the HTTP request to create a Cloud WAN VPN connection:

```
POST / HTTP/1.1
Host: ec2.us-east-1.amazonaws.com
Content-Type: application/x-www-form-urlencoded
Authorization: AWS4-HMAC-SHA256 Credential=...

Action=CreateVpnConnection
&Type=ipsec.1
&CustomerGatewayId=cgw-0123456789abcdef0
&Options.StaticRoutesOnly=false
&Version=2016-11-15
```

The API returns a successful response containing the VPN connection details. The connection is in the `pending` state while AWS provisions the VPN tunnels; once provisioning completes, the state changes to `available`.

```
<?xml version="1.0" encoding="UTF-8"?>
<CreateVpnConnectionResponse xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
    <requestId>12345678-1234-1234-1234-123456789012</requestId>
    <vpnConnection>
        <vpnConnectionId>vpn-0abcdef1234567890</vpnConnectionId>
        <state>pending</state>
        <customerGatewayId>cgw-0123456789abcdef0</customerGatewayId>
        <type>ipsec.1</type>
        <category>VPN</category>
        <options>
            <staticRoutesOnly>false</staticRoutesOnly>
        </options>
        <vgwTelemetry/>
        <routes/>
    </vpnConnection>
</CreateVpnConnectionResponse>
```

**Response Details**

The API response provides the following key information:
+ **vpnConnectionId** - The unique identifier for your VPN connection (e.g., `vpn-0abcdef1234567890`) that you'll use to attach it to Cloud WAN
+ **state** - Initially "pending" while AWS provisions the VPN tunnels, then transitions to "available" when ready for attachment
+ **category** - Shows "VPN" indicating this is an unattached VPN connection suitable for Cloud WAN integration
+ **staticRoutesOnly** - Set to "false" to enable BGP routing, which is required for Cloud WAN VPN attachments

Once the VPN connection reaches the "available" state, you can attach it to your Cloud WAN global network using the Network Manager `CreateSiteToSiteVpnAttachment` API or through the AWS console.

# Create an AWS Site-to-Site VPN Concentrator connection using the CLI or API
<a name="create-vpn-concentrator-cli-api"></a>

## Create a Site-to-Site VPN Concentrator connection using the CLI
<a name="create-vpn-concentrator-connection"></a>

After creating a Site-to-Site VPN Concentrator, you need to establish individual VPN connections from your remote sites to the Site-to-Site VPN Concentrator. Each remote site requires its own VPN connection that references the Site-to-Site VPN Concentrator ID. This allows multiple remote sites to share the same Site-to-Site VPN Concentrator infrastructure while maintaining separate, secure tunnels for each site.

To establish a VPN connection using a Site-to-Site VPN Concentrator, specify the Site-to-Site VPN Concentrator instead of the transit gateway when creating the VPN connection. The following example creates a VPN connection using a Site-to-Site VPN Concentrator:

```
aws ec2 create-vpn-connection \
--type ipsec.1 \
--customer-gateway-id cgw-123456789 \
--vpn-concentrator-id vcn-0123456789abcdef0
```

A successful response returns the following:

```
{
    "VpnConnection": {
        "VpnConnectionId": "vpn-0abcdef1234567890",
        "State": "pending",
        "CustomerGatewayId": "cgw-123456789",
        "Type": "ipsec.1",
        "VpnConcentratorId": "vcn-0123456789abcdef0",
        "Category": "VPN",
        "Routes": [],
        "Options": {
            "StaticRoutesOnly": false
        }
    }
}
```
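The constraints stated in the console procedure and in the transit gateway, Cloud WAN and Concentrator CLI sections above (BGP-only routing for Cloud WAN and Concentrator connections, a customer gateway with an IPv6 address when the outside IP type is IPv6, /30 and /126 inside tunnel CIDRs from the documented pools) can all be checked locally before a request reaches the API. The following Python script is an added example and not AWS code: it assembles the `aws ec2 create-vpn-connection` argument list for any of the target types and refuses requests that violate those constraints. It assumes the `--vpn-gateway-id` flag and the `PublicIpv4` and `PrivateIpv4` outside-address type values from the EC2 API reference, which this page does not show; every resource ID in it is a constructed placeholder.

```python
import ipaddress
from typing import List, Optional, Sequence

# Documented inside-tunnel address pools (see the console procedure above).
IPV4_INSIDE_POOL = ipaddress.ip_network("169.254.0.0/16")
IPV6_INSIDE_POOL = ipaddress.ip_network("fd00::/8")
# PublicIpv4 and PrivateIpv4 are assumed from the EC2 API reference; Ipv6 is shown on this page.
OUTSIDE_IP_TYPES = ("PublicIpv4", "PrivateIpv4", "Ipv6")


def validate_inside_cidr(cidr: str, inside_ip_version: str) -> str:
    """Reject an inside tunnel CIDR of the wrong size or outside the allowed pool."""
    net = ipaddress.ip_network(cidr, strict=True)  # raises ValueError if host bits are set
    if inside_ip_version == "ipv4":
        ok = net.version == 4 and net.prefixlen == 30 and net.subnet_of(IPV4_INSIDE_POOL)
        expected = f"a /30 within {IPV4_INSIDE_POOL}"
    else:
        ok = net.version == 6 and net.prefixlen == 126 and net.subnet_of(IPV6_INSIDE_POOL)
        expected = f"a /126 within {IPV6_INSIDE_POOL}"
    if not ok:
        raise ValueError(f"inside tunnel CIDR {cidr} must be {expected}")
    return str(net)


def build_create_vpn_args(
    customer_gateway_id: str,
    customer_gateway_ip: str,
    target: Optional[str] = None,          # tgw-… / vgw-… / vcn-… / None = unattached (Cloud WAN)
    static_routes_only: bool = False,
    outside_ip_type: str = "PublicIpv4",
    inside_ip_version: str = "ipv4",
    tunnel_inside_cidrs: Sequence[str] = (),
) -> List[str]:
    """Return the argv for `aws ec2 create-vpn-connection`, or raise ValueError."""
    if inside_ip_version not in ("ipv4", "ipv6"):
        raise ValueError(f"inside IP version must be ipv4 or ipv6, got {inside_ip_version!r}")
    if outside_ip_type not in OUTSIDE_IP_TYPES:
        raise ValueError(f"outside IP type must be one of {OUTSIDE_IP_TYPES}")

    argv = ["aws", "ec2", "create-vpn-connection", "--type", "ipsec.1",
            "--customer-gateway-id", customer_gateway_id]

    # The target flag follows the resource-ID prefix.  Cloud WAN (no target) and
    # Site-to-Site VPN Concentrators support BGP only, so static routing is rejected.
    bgp_only = None
    if target is None:
        bgp_only = "Cloud WAN VPN connections"
    elif target.startswith("tgw-"):
        argv += ["--transit-gateway-id", target]
    elif target.startswith("vgw-"):
        argv += ["--vpn-gateway-id", target]
    elif target.startswith("vcn-"):
        argv += ["--vpn-concentrator-id", target]
        bgp_only = "VPN connections using Concentrators"
    else:
        raise ValueError(f"unrecognised target gateway ID: {target}")
    if bgp_only and static_routes_only:
        raise ValueError(f"{bgp_only} support only BGP routing (StaticRoutesOnly=false)")

    # Outside IPv6 tunnel endpoints require a customer gateway created with an IPv6 address.
    if outside_ip_type == "Ipv6" and ipaddress.ip_address(customer_gateway_ip).version != 6:
        raise ValueError("outside IP type Ipv6 requires a customer gateway with an IPv6 address")

    if len(tunnel_inside_cidrs) > 2:
        raise ValueError("a Site-to-Site VPN connection has at most two tunnels")
    cidr_key = "TunnelInsideCidr" if inside_ip_version == "ipv4" else "TunnelInsideIpv6Cidr"
    tunnels = [validate_inside_cidr(c, inside_ip_version) for c in tunnel_inside_cidrs]
    if len(set(tunnels)) != len(tunnels):
        raise ValueError("each tunnel needs its own inside CIDR")

    options = [f"StaticRoutesOnly={str(static_routes_only).lower()}",
               f"OutsideIPAddressType={outside_ip_type}",
               f"TunnelInsideIpVersion={inside_ip_version}"]
    if tunnels:
        options.append("TunnelOptions=[" + ",".join(f"{{{cidr_key}={t}}}" for t in tunnels) + "]")
    return argv + ["--options", ",".join(options)]


def is_rejected(**request) -> bool:
    """True when build_create_vpn_args refuses the request; convenience for checks."""
    try:
        build_create_vpn_args(**request)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed placeholder IDs, not real resources.
    print(" ".join(build_create_vpn_args(
        "cgw-0123456789abcdef0", "203.0.113.5", target="tgw-0123456789abcdef0",
        tunnel_inside_cidrs=("169.254.10.0/30", "169.254.11.0/30"))))
```

In automation, pass the returned list straight to `subprocess.run` rather than joining it into a shell string, so the `--options` value is never re-parsed by a shell. Because the checks run locally, a request that would be rejected by the service, or accepted with the wrong routing mode, fails before a pending connection is created.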

## Create a Site-to-Site VPN Concentrator connection using the API
<a name="create-vpn-concentrator-api"></a>

You can create a VPN connection that uses a Site-to-Site VPN Concentrator using the Amazon EC2 API. This section provides example request and response messages for creating a VPN connection with a Site-to-Site VPN Concentrator.

Before creating a VPN connection with a Site-to-Site VPN Concentrator using the API, ensure you have:
+ A Site-to-Site VPN Concentrator created and available
+ A customer gateway configured for your remote site
+ Network configuration allowing IPsec traffic between your site and AWS

<a name="create-vpn-concentrator-api-example"></a>

The following example shows how to create a VPN connection using a Site-to-Site VPN Concentrator with the `CreateVpnConnection` API action:

```
POST / HTTP/1.1
Host: ec2.us-east-1.amazonaws.com
Content-Type: application/x-www-form-urlencoded

Action=CreateVpnConnection
&Type=ipsec.1
&VpnConcentratorId=vcn-0123456789abcdef0
&CustomerGatewayId=cgw-12345678901234567
&Options.StaticRoutesOnly=false
&Version=2016-11-15
```

This example creates a VPN connection between the specified Site-to-Site VPN Concentrator and customer gateway. The Site-to-Site VPN Concentrator acts as the AWS side endpoint, allowing multiple remote sites to connect through a centralized hub.

<a name="create-vpn-concentrator-api-response"></a>

A successful API response returns the VPN connection details with Site-to-Site VPN Concentrator information:

```
<?xml version="1.0" encoding="UTF-8"?>
<CreateVpnConnectionResponse xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
    <requestId>8b73d60f-458f-5gc5-a442-7f9fEXAMPLE</requestId>
    <vpnConnection>
        <vpnConnectionId>vpn-9z8y7x6w5v4u32109</vpnConnectionId>
        <state>pending</state>
        <customerGatewayId>cgw-12345678901234567</customerGatewayId>
        <type>ipsec.1</type>
        <vpnConcentratorId>vcn-0123456789abcdef0</vpnConcentratorId>
        <category>VPN</category>
        <options>
            <staticRoutesOnly>false</staticRoutesOnly>
        </options>
    </vpnConnection>
</CreateVpnConnectionResponse>
```

The response includes the VPN connection ID and references the Site-to-Site VPN Concentrator ID instead of a transit gateway ID. This connection allows your remote site to communicate with other sites connected to the same Site-to-Site VPN Concentrator, enabling hub-and-spoke network topologies.

# View AWS Site-to-Site VPN connections
<a name="viewing-vpn-connections"></a>

## View VPN connections using the console
<a name="viewing-vpn-connections-console"></a>

You can view your VPN connections and their details using the AWS Management Console. This provides a visual interface to monitor connection status, tunnel health, and configuration details.

**To view VPN connections using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Site-to-Site VPN Connections**.

1. Select your VPN connection to view detailed information including:
   + Connection state and status
   + Tunnel details and health status
   + Route information
   + Configuration parameters

The console displays real-time status information and allows you to monitor tunnel connectivity, view routing tables, and access configuration details for troubleshooting.

## View VPN connections using the CLI
<a name="viewing-vpn-connections-cli"></a>

Use the AWS CLI to query and retrieve detailed information about your VPN connections programmatically. This method enables automation, scripting, and integration with monitoring tools.

To list all VPN connections in your current AWS account and Region, run the `describe-vpn-connections` command without parameters. To view the details of a particular VPN connection, you need its VPN connection ID.

To retrieve detailed information for a specific VPN connection, specify the connection ID as a parameter. The following example shows a request to view details about a specific VPN connection.

```
aws ec2 describe-vpn-connections --vpn-connection-ids vpn-1234567890abcdef0
```

The response includes comprehensive information about the VPN connection, including tunnel options, routing details, and current status. Key fields include:
+ `State` - The current state of the VPN connection
+ `TunnelOptions` - Configuration and status for each tunnel
+ `OutsideIpAddress` - The public IP addresses of the VPN tunnels
+ `Routes` - Routing information for the connection

Example response excerpt showing key connection details:

```
{
    "VpnConnections": [
        {
            "VpnConnectionId": "vpn-1234567890abcdef0",
            "State": "available",
            "CustomerGatewayId": "cgw-1234567890abcdef0",
            "Type": "ipsec.1",
            "Options": {
                "StaticRoutesOnly": false,
                "TunnelOptions": [
                    {
                        "OutsideIpAddress": "203.0.113.12",
                        "TunnelInsideCidr": "169.254.10.0/30",
                        "PreSharedKey": "example_key_1234567890abcdef0",
                        "Phase1LifetimeSeconds": 28800,
                        "Phase2LifetimeSeconds": 3600
                    },
                    {
                        "OutsideIpAddress": "203.0.113.34",
                        "TunnelInsideCidr": "169.254.11.0/30",
                        "PreSharedKey": "example_key_0987654321fedcba0",
                        "Phase1LifetimeSeconds": 28800,
                        "Phase2LifetimeSeconds": 3600
                    }
                ]
            }
        }
    ]
}
```
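The `describe-vpn-connections` output above includes each tunnel's `PreSharedKey`, so anyone who can run the command, or read its saved output, holds the tunnel credentials. The following Python script is an added example and not AWS code: it parses the response, summarises state, routing mode and tunnel endpoints, flags conditions an operator should act on, and produces a redacted copy that is safe to paste into a ticket or log. The embedded sample response is constructed from the excerpt above; the finding messages and the `<REDACTED>` marker are this example's own conventions.

```python
import ipaddress
import json
from typing import Any, Dict, List

# Constructed sample: the describe-vpn-connections excerpt shown above.
SAMPLE_RESPONSE = json.dumps({
    "VpnConnections": [{
        "VpnConnectionId": "vpn-1234567890abcdef0",
        "State": "available",
        "CustomerGatewayId": "cgw-1234567890abcdef0",
        "Type": "ipsec.1",
        "Options": {
            "StaticRoutesOnly": False,
            "TunnelOptions": [
                {"OutsideIpAddress": "203.0.113.12", "TunnelInsideCidr": "169.254.10.0/30",
                 "PreSharedKey": "example_key_1234567890abcdef0",
                 "Phase1LifetimeSeconds": 28800, "Phase2LifetimeSeconds": 3600},
                {"OutsideIpAddress": "203.0.113.34", "TunnelInsideCidr": "169.254.11.0/30",
                 "PreSharedKey": "example_key_0987654321fedcba0",
                 "Phase1LifetimeSeconds": 28800, "Phase2LifetimeSeconds": 3600},
            ],
        },
    }]
})

# Response fields that are credentials and must never reach logs or tickets.
SECRET_FIELDS = frozenset({"PreSharedKey"})


def redact(obj: Any) -> Any:
    """Return a deep copy of the response with secret fields masked."""
    if isinstance(obj, dict):
        return {k: "<REDACTED>" if k in SECRET_FIELDS else redact(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def audit_connection(conn: Dict[str, Any]) -> Dict[str, Any]:
    """Summarise one VpnConnection entry and list the things an operator should act on."""
    opts = conn.get("Options", {})
    tunnels = opts.get("TunnelOptions", [])
    findings: List[str] = []

    if conn.get("State") != "available":
        findings.append(f"state is {conn.get('State')!r}, not available")
    if len(tunnels) != 2:
        findings.append(f"expected 2 tunnels, found {len(tunnels)}")
    if any("PreSharedKey" in t for t in tunnels):
        findings.append("response carries tunnel pre-shared keys; redact before logging or sharing")

    # The two inside /30s must be distinct; overlapping ranges break the tunnel interfaces.
    inside = [ipaddress.ip_network(t["TunnelInsideCidr"]) for t in tunnels if t.get("TunnelInsideCidr")]
    if any(a.overlaps(b) for i, a in enumerate(inside) for b in inside[i + 1:]):
        findings.append("inside tunnel CIDRs overlap")
    for idx, t in enumerate(tunnels, start=1):
        if not t.get("OutsideIpAddress"):
            findings.append(f"tunnel {idx} has no outside IP address")

    return {
        "VpnConnectionId": conn.get("VpnConnectionId"),
        "State": conn.get("State"),
        "Routing": "static" if opts.get("StaticRoutesOnly") else "bgp",
        "OutsideIpAddresses": [t.get("OutsideIpAddress") for t in tunnels],
        "Findings": findings,
    }


def audit_response(response_json: str) -> List[Dict[str, Any]]:
    """Parse a describe-vpn-connections JSON document and audit every connection in it."""
    data = json.loads(response_json)
    return [audit_connection(c) for c in data.get("VpnConnections", [])]


if __name__ == "__main__":
    for summary in audit_response(SAMPLE_RESPONSE):
        print(json.dumps(summary, indent=2))
    # Only the redacted copy should be written anywhere persistent.
    print(json.dumps(redact(json.loads(SAMPLE_RESPONSE)), indent=2))
```

Pipe real output into it with `aws ec2 describe-vpn-connections --vpn-connection-ids vpn-... | python3 audit_vpn.py` after replacing `SAMPLE_RESPONSE` with `sys.stdin.read()`. The same exposure applies to the `DescribeVpnConnections` API response below, whose `preSharedKey` elements carry the same values, so the IAM permission to call it should be granted as narrowly as the permission to create the connection.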

## View VPN connections using the API
<a name="viewing-vpn-connections-api"></a>

Make direct API calls to the Amazon EC2 service to retrieve VPN connection information. This approach provides maximum flexibility for custom applications and programmatic integrations.

The `DescribeVpnConnections` API action queries and returns detailed information about one or more VPN connections. You can apply filters by connection ID, state, or other attributes to narrow your results.

The following shows an example request to provide details about a single VPN connection.

```
POST / HTTP/1.1
Host: ec2.us-east-1.amazonaws.com
Content-Type: application/x-www-form-urlencoded
Authorization: AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20230101/us-east-1/ec2/aws4_request, SignedHeaders=host;x-amz-date, Signature=example_signature

Action=DescribeVpnConnections
&VpnConnectionId.1=vpn-1234567890abcdef0
&Version=2016-11-15
```

The response returns details about that VPN connection.

```
<?xml version="1.0" encoding="UTF-8"?>
<DescribeVpnConnectionsResponse xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
    <requestId>12345678-1234-1234-1234-123456789012</requestId>
    <vpnConnectionSet>
        <item>
            <vpnConnectionId>vpn-1234567890abcdef0</vpnConnectionId>
            <state>available</state>
            <customerGatewayId>cgw-1234567890abcdef0</customerGatewayId>
            <type>ipsec.1</type>
            <options>
                <staticRoutesOnly>false</staticRoutesOnly>
                <tunnelOptionSet>
                    <item>
                        <outsideIpAddress>203.0.113.12</outsideIpAddress>
                        <tunnelInsideCidr>169.254.10.0/30</tunnelInsideCidr>
                        <preSharedKey>example_key_1234567890abcdef0</preSharedKey>
                    </item>
                    <item>
                        <outsideIpAddress>203.0.113.34</outsideIpAddress>
                        <tunnelInsideCidr>169.254.11.0/30</tunnelInsideCidr>
                        <preSharedKey>example_key_0987654321fedcba0</preSharedKey>
                    </item>
                </tunnelOptionSet>
            </options>
        </item>
    </vpnConnectionSet>
</DescribeVpnConnectionsResponse>
```