Associating a transit gateway across accounts - AWS Direct Connect
Allowed prefixesCreating a transit gateway association proposalAccepting or rejecting a transit gateway association proposalUpdating the allowed prefixes for a transit gateway associationDeleting a transit gateway association proposal

Associating a transit gateway across accounts

You can associate an existing Direct Connect gateway or a new Direct Connect gateway with a transit gateway that is owned by any AWS account. The owner of the transit gateway creates an association proposal and the owner of the Direct Connect gateway must accept the association proposal.

An association proposal can contain prefixes that will be allowed from the transit gateway. The owner of the Direct Connect gateway can optionally override any requested prefixes in the association proposal.

Allowed prefixes

For a transit gateway association, you provision the allowed prefixes list on the Direct Connect gateway. The list is used to route traffic from on-premises to AWS into the transit gateway even if the VPCs attached to the transit gateway do not have assigned CIDRs. Prefixes in the Direct Connect gateway allowed prefix list originate on the Direct Connect gateway and are advertised to the on-premises network. For more information on how allowed prefixes interact with transit gateways and virtual private gateways, see Allowed prefixes interactions.

Creating a transit gateway association proposal

If you own the transit gateway, you must create the association proposal. The transit gateway must be attached to a VPC or VPN in your AWS account. The owner of the Direct Connect gateway must share the ID of the Direct Connect gateway and the ID of its AWS account. After you create the proposal, the owner of the Direct Connect gateway must accept it in order for you to gain access to the on-premises network over AWS Direct Connect.

To create an association proposal

  1. Open the AWS Direct Connect console at https://console.aws.amazon.com/directconnect/v2/home.

  2. In the navigation pane, choose Transit gateways and then select the transit gateway.

  3. Choose View details.

  4. Choose Direct Connect gateway associations and then choose Associate Direct Connect gateway.

  5. Under Association account type, for Account owner, choose Another account.

  6. For Direct Connect gateway owner, enter the ID of the account that owns the Direct Connect gateway.

  7. Under Association settings, do the following:

    1. For Direct Connect gateway ID, enter the ID of the Direct Connect gateway.

    2. For Virtual interface owner, enter the ID of the account that owns the virtual interface for the association.

    3. (Optional) To specify a list of prefixes to be allowed from the transit gateway, add the prefixes to Allowed prefixes, separating them using commas, or entering them on separate lines.

  8. Choose Associate Direct Connect gateway.

To create an association proposal using the command line or API

Accepting or rejecting a transit gateway association proposal

If you own the Direct Connect gateway, you must accept the association proposal in order to create the association. You also have the option of rejecting the association proposal.

To accept an association proposal

  1. Open the AWS Direct Connect console at https://console.aws.amazon.com/directconnect/v2/home.

  2. In the navigation pane, choose Direct Connect gateways.

  3. Select the Direct Connect gateway with pending proposals and then choose View details.

  4. On the Pending proposals tab, select the proposal and then choose Accept proposal.

  5. ((Optional) To specify a list of prefixes to be allowed from the transit gateway, add the prefixes to Allowed prefixes, separating them using commas, or entering them on separate lines.

  6. Choose Accept proposal.

To reject an association proposal

  1. Open the AWS Direct Connect console at https://console.aws.amazon.com/directconnect/v2/home.

  2. In the navigation pane, choose Direct Connect gateways.

  3. Select the Direct Connect gateway with pending proposals and then choose View details.

  4. On the Pending proposals tab, select the transit gateway and then choose Reject proposal.

  5. In the Reject proposal dialog box, enter Delete and then choose Reject proposal.

To view association proposals using the command line or API
To accept an association proposal using the command line or API
To reject an association proposal using the command line or API

Updating the allowed prefixes for a transit gateway association

You can update the prefixes that are allowed from the transit gateway over the Direct Connect gateway.

If you're the owner of the transit gateway, create a new association proposal for the same Direct Connect gateway and virtual private gateway, specifying the prefixes to allow.

If you're the owner of the Direct Connect gateway, update the allowed prefixes when you accept the association proposal or update the allowed prefixes for an existing association as follows.

To update the allowed prefixes for an existing association using the command line or API

Deleting a transit gateway association proposal

The owner of the transit gateway can delete the Direct Connect gateway association proposal if it is still pending acceptance. After an association proposal is accepted, you can't delete it, but you can disassociate the transit gateway from the Direct Connect gateway. For more information, see Creating a transit gateway association proposal.

To delete an association proposal

  1. Open the AWS Direct Connect console at https://console.aws.amazon.com/directconnect/v2/home.

  2. In the navigation pane, choose Transit gateways and then select the transit gateway.

  3. Choose View details.

  4. Choose Pending gateway associations, select the association and then choose Delete association.

  5. In the Delete association proposal dialog box, enter Delete and then choose Delete.

To delete a pending association proposal using the command line or API