Appliance mode Add a VPC attachment using the console Add a VPC attachment using the command line or API Shared subnets Troubleshoot VPC attachments

Add a VPC attachment

When you attach a VPC to a core network edge in AWS Cloud WAN, you must specify one subnet from each Availability Zone to be used by the core network edge to route traffic. Specifying one subnet from an Availability Zone enables traffic to reach resources in every subnet in that Availability Zone. For more information about limits to core network VPC attachments, see Transit Gateway attachment to a VPC in the Transit Gateway User Guide.

Important

You cannot select a subnet from a Local Zone while creating a Cloud WAN VPC attachment. Doing so will result in an error. For more information about Local Zones, see the AWS Local Zones User Guide.

Appliance mode

If you plan to configure a stateful network appliance in your VPC, you can enable appliance mode support for the VPC attachment in which the appliance is located when you create an attachment. This ensures that Cloud WAN uses the same Availability Zone for that VPC attachment for the lifetime of the flow of traffic between a source and destination. It also allows Cloud WAN to send traffic to any Availability Zone in the VPC as long as there is a subnet association in that zone. While appliance mode is only supported on VPC attachments, the network flow can enter the core network from any other Cloud WAN attachment type, including VPC, VPN, and Connect attachments. Cloud WAN appliance mode also works for network flows that have sources and destinations across different AWS Regions in your core network. Network flows can potentially be rebalanced across different Availability Zones if you don't initially enable appliance mode but later edit the attachment configuration to enable it.

You can enable or disable appliance mode using either the console or the command line/API.

Note

When you create a VPC attachment you can't create a core network VPC attachment that uses only IPv6 subnets. A core network VPC attachment must also support IPv4 addresses.
Appliance mode is only supported for VPC attachments.

Add a VPC attachment using the console

The following steps add a VPC attachment using the console.

To add a VPC attachment

Access the Network Manager console at https://console.aws.amazon.com/networkmanager/home/.
Under Connectivity, choose Global Networks.
On the Global networks page, choose the global network link for the core network you want to add an attachment to.
In the navigation pane under he name of the global network, choose Attachments.
Choose Create attachment.
Enter a Name identifying the attachment.
From the Edge location dropdown list, choose the location where the attachment is located.
Choose VPC.
In the VPC attachment section, choose Appliance mode support appliance mode is supported.
Choose IPv6 support if the attachment supports IPv6.
From the VPC IP dropdown list, choose the VPC ID to attach to the core network.
After choosing the VPC ID, you're prompted to choose the Availability Zone and Subnet Id in which to create the core network VPC attachment. The Availability Zones that are listed are those edge locations that you chose when you created your core network. You must choose at least one Availability Zone and subnet ID.
(Optional) In the Tags section, add Key and Value pairs to further help identify this resource. You can add multiple tags by choosing Add tag, or remove any tag by choosing Remove tag.
Choose Create attachment.

Add a VPC attachment using the command line or API

Use the command line or API to create an AWS Cloud WAN VPC attachment

To create a VPC attachment using the command line or API

Use create-vpc-attachment. See create-vpc-attachment.

To enable appliance mode, add --options ApplianceModeSupport=true to the command.

Shared subnets

A VPC owner can create VPC attachments in a shared VPC subnet. Participants cannot. The Cloud WAN or core network owner must first share their core network with the VPC owner via AWS RAM for the VPC owner to be able to create VPC attachments.

For more information, see Share your VPC with other accounts in the Amazon VPC User Guide.

Troubleshoot VPC attachment creation

The following information might help you troubleshoot an issue where a VPC attachment shows a Failed state upon creation.

Problem

A VPC attachment shows a Failed state after creating the attachment.

Cause

One or more of the following issues might be the cause for the failed attachment.

One or both of the following required services-linked roles don't exist in your account:
- AWSServiceRoleForVPCTransitGateway
- AWSServiceRoleForNetworkManager
VPC or subnet IDs might not be valid or are not available.

Solution

Depending on the cause, try the following:

Add the missing service-linked roles:
- If the AWSServiceRoleForVPCTransitGateway service-linked role doesn't exist in your account, run the following to create it:
  
  aws iam create-service-linked-role --aws-service-name transitgateway.amazonaws.com
- If the AWSServiceRoleForNetworkManager service-linked role doesn't exist in your account, run the following to create it:
  
  aws iam create-service-linked-role --aws-service-name networkmanager.aws.internal
For more information about these service-linked roles, see AWS Cloud WAN service-linked roles.
Verify that any VPC or subnet IDs used for the attachment are valid and are available.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Add a transit gateway route table attachment

Add a Site-to-Site VPN attachment