Transit gateway attachments to a VPC - Amazon VPC

When you attach a VPC to a transit gateway, you must specify one subnet from each Availability Zone to be used by the transit gateway to route traffic. Specifying one subnet from an Availability Zone enables traffic to reach resources in every subnet in that Availability Zone.

Limits
  • When you attach a VPC to a transit gateway, any resources in Availability Zones where there is no transit gateway attachment cannot reach the transit gateway. If there is a route to the transit gateway in a subnet route table, traffic is forwarded to the transit gateway only when the transit gateway has an attachment in a subnet in the same Availability Zone.

  • The resources in a VPC attached to a transit gateway cannot access the security groups of a different VPC that is also attached to the same transit gateway.

  • A transit gateway does not support DNS resolution for custom DNS names of attached VPCs set up using private hosted zones in Amazon Route 53. To configure name resolution for private hosted zones for all VPCs attached to a transit gateway, see Centralized DNS management of hybrid cloud with Amazon Route 53 and AWS Transit Gateway.

  • A transit gateway doesn't support routing between VPCs with identical CIDRs. If you attach a VPC to a transit gateway and its CIDR is identical to the CIDR of another VPC that's already attached to the transit gateway, the routes for the newly attached VPC aren't propagated to the transit gateway route table.

  • You can't create an attachment for a VPC subnet that resides in a Local Zone. However, you can configure your network so that subnets in the Local Zone can connect to a transit gateway through the parent Availability Zone. For more information, see Connect Local Zone subnets to a transit gateway.

  • You can't create a transit gateway attachment using IPv6-only subnets. Transit gateway attachment subnets must also support IPv4 addresses.

  • A transit gateway must have at least one VPC attachment before that transit gateway can be added to a route table.

VPC attachment lifecycle

A VPC attachment goes through various stages, starting when the request is initiated. At each stage, there may be actions that you can take, and at the end of its lifecycle, the VPC attachment remains visible in the Amazon Virtual Private Cloud Console and in API or command line output, for a period of time.

The following diagram shows the states an attachment can go through in a single account configuration, or a cross-account configuration that has Auto accept shared attachments turned on.


  [Diagram: VPC attachment lifecycle]

  • Pending: A request for a VPC attachment has been initiated and is in the provisioning process. At this stage, the attachment can fail, or can go to available.

  • Failing: A request for a VPC attachment is failing. At this stage, the VPC attachment goes to failed.

  • Failed: The request for the VPC attachment has failed. While in this state, it cannot be deleted. The failed VPC attachment remains visible for 2 hours, and then is no longer visible.

  • Available: The VPC attachment is available, and traffic can flow between the VPC and the transit gateway. At this stage, the attachment can go to modifying, or go to deleting.

  • Deleting: A VPC attachment that is in the process of being deleted. At this stage, the attachment can go to deleted.

  • Deleted: An available VPC attachment has been deleted. While in this state, the VPC attachment cannot be modified. The VPC attachment remains visible for 2 hours, and then is no longer visible.

  • Modifying: A request has been made to modify the properties of the VPC attachment. At this stage, the attachment can go to available, or go to rolling back.

  • Rolling back: The VPC attachment modification request cannot be completed, and the system is undoing any changes that were made. At this stage, the attachment can go to available.

The following diagram shows the states an attachment can go through in a cross-account configuration that has Auto accept shared attachments turned off.


  [Diagram: Cross-account VPC attachment lifecycle that has Auto accept shared attachments turned off]

  • Pending-acceptance: The VPC attachment request is awaiting acceptance. At this stage, the attachment can go to pending, to rejecting, or to deleting.

  • Rejecting: A VPC attachment that is in the process of being rejected. At this stage, the attachment can go to rejected.

  • Rejected: A pending acceptance VPC attachment has been rejected. While in this state, the VPC attachment cannot be modified. The VPC attachment remains visible for 2 hours, and then is no longer visible.

  • Pending: The VPC attachment has been accepted and is in the provisioning process. At this stage, the attachment can fail, or can go to available.

  • Failing: A request for a VPC attachment is failing. At this stage, the VPC attachment goes to failed.

  • Failed: The request for the VPC attachment has failed. While in this state, it cannot be deleted. The failed VPC attachment remains visible for 2 hours, and then is no longer visible.

  • Available: The VPC attachment is available, and traffic can flow between the VPC and the transit gateway. At this stage, the attachment can go to modifying, or go to deleting.

  • Deleting: A VPC attachment that is in the process of being deleted. At this stage, the attachment can go to deleted.

  • Deleted: An available or pending acceptance VPC attachment has been deleted. While in this state, the VPC attachment cannot be modified. The VPC attachment remains visible for 2 hours, and then is no longer visible.

  • Modifying: A request has been made to modify the properties of the VPC attachment. At this stage, the attachment can go to available, or go to rolling back.

  • Rolling back: The VPC attachment modification request cannot be completed, and the system is undoing any changes that were made. At this stage, the attachment can go to available.
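The two state lists above are what an automation loop has to reason about when it creates or modifies an attachment and then polls for the result. The following is an added example (not AWS code and not from this page) that encodes the diagrams as a transition table, decides what a poller should do in each state, checks a polled sequence for transitions the diagrams do not allow, and computes when a failed, rejected or deleted attachment will stop being visible. The camelCase state names are my assumption based on the EC2 API's attachment state values; the page uses the console wording. Timestamps and sequences are constructed sample data.

```python
"""Model of the VPC attachment state diagrams (added example, not AWS code)."""
from collections import deque
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

# Legal next states, taken from the two lifecycle lists. State names use the
# camelCase spelling of the EC2 API's attachment states (my assumption).
TRANSITIONS: Dict[str, Set[str]] = {
    "pendingAcceptance": {"pending", "rejecting", "deleting"},
    "rejecting": {"rejected"},
    "rejected": set(),
    "pending": {"failing", "available"},
    "failing": {"failed"},
    "failed": set(),
    "available": {"modifying", "deleting"},
    "modifying": {"available", "rollingBack"},
    "rollingBack": {"available"},
    "deleting": {"deleted"},
    "deleted": set(),
}

# Failed, rejected and deleted attachments stay visible for two hours.
TERMINAL_VISIBILITY = timedelta(hours=2)


def poller_action(state: str) -> str:
    """What an automation loop should do when it observes `state`."""
    if state == "pendingAcceptance":
        return "accept"           # the accepting account must act (auto accept is off)
    if state == "available":
        return "ready"
    if state in ("failed", "rejected", "deleted"):
        return "stop"             # terminal: nothing further will happen
    if state == "rollingBack":
        return "wait-and-alert"   # the change is being undone; someone should find out why
    if state in TRANSITIONS:
        return "wait"
    raise ValueError(f"unknown attachment state: {state}")


def reachable(src: str, dst: str) -> bool:
    """True if dst can follow src in the diagram, possibly through transient
    states a poller never sees (for example pending -> failing -> failed)."""
    seen, queue = {src}, deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            return True
        for nxt in TRANSITIONS[cur]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def track(observations: List[Tuple[datetime, str]]) -> dict:
    """Walk (timestamp, state) poll results and report the final state, the
    action to take, transitions the diagram does not allow, and the time after
    which a terminal attachment will no longer be visible."""
    if not observations:
        raise ValueError("no observations")
    anomalies: List[Tuple[str, str]] = []
    visible_until: Optional[datetime] = None
    prev: Optional[str] = None
    for ts, state in observations:
        if state not in TRANSITIONS:
            raise ValueError(f"unknown attachment state: {state}")
        if prev is not None and not reachable(prev, state):
            anomalies.append((prev, state))
        if not TRANSITIONS[state] and visible_until is None:
            visible_until = ts + TERMINAL_VISIBILITY
        prev = state
    return {"state": prev, "action": poller_action(prev),
            "anomalies": anomalies, "visible_until": visible_until}


def t_min(minute: int) -> datetime:
    """Constructed timestamp helper for the sample sequences."""
    return datetime(2024, 1, 1, 12, minute, tzinfo=timezone.utc)


# Constructed poll sequences: a cross-account attachment whose later
# modification is rolled back, a creation that fails, and an impossible pair.
SAMPLE_CROSS_ACCOUNT = [(t_min(0), "pendingAcceptance"), (t_min(5), "pending"),
                        (t_min(8), "available"), (t_min(30), "modifying"),
                        (t_min(31), "rollingBack"), (t_min(33), "available")]
SAMPLE_FAILED = [(t_min(0), "pending"), (t_min(6), "failed")]
SAMPLE_IMPOSSIBLE = [(t_min(0), "available"), (t_min(1), "rejected")]

if __name__ == "__main__":
    for name, seq in (("cross-account", SAMPLE_CROSS_ACCOUNT),
                      ("failed", SAMPLE_FAILED), ("impossible", SAMPLE_IMPOSSIBLE)):
        print(name, track(seq))
```

The reachability check rather than a strict adjacency check is deliberate: "failing" and "rejecting" are short-lived, so a poller usually sees "pending" followed directly by "failed", and that is not an anomaly. An "available" attachment turning up as "rejected" is one, and is worth an alert because it usually means two different attachments are being confused.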

Create a transit gateway attachment to a VPC

To create a VPC attachment using the console
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. On the navigation pane, choose Transit Gateway Attachments.

  3. Choose Create transit gateway attachment.

  4. For Name tag, optionally enter a name for the transit gateway attachment.

  5. For Transit gateway ID, choose the transit gateway for the attachment. You can choose a transit gateway that you own or a transit gateway that was shared with you.

  6. For Attachment type, choose VPC.

  7. Choose whether to enable DNS Support, IPv6 Support and Appliance mode support.

    If appliance mode is chosen, traffic flow between a source and destination uses the same Availability Zone for the VPC attachment for the lifetime of that flow.

  8. For VPC ID, choose the VPC to attach to the transit gateway.

    This VPC must have at least one subnet associated with it.

  9. For Subnet IDs, select one subnet for each Availability Zone to be used by the transit gateway to route traffic. You must select at least one subnet. You can select only one subnet per Availability Zone.

  10. Choose Create transit gateway attachment.

To create a VPC attachment using the AWS CLI

Use the create-transit-gateway-vpc-attachment command.
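Picking the subnets is where the limits listed at the top of this page bite: one subnet per Availability Zone, no IPv6-only subnets, no Local Zone subnets, and any Availability Zone left without an attachment subnet cannot reach the transit gateway at all. The following is an added example (not AWS code and not from this page) that applies those rules to a list of subnets, reports what it skipped and which zones are left unreachable, and builds the create request in the shape of the create-transit-gateway-vpc-attachment command. The request key names and the --options shorthand follow the EC2 API and CLI as I know them, not this page; all subnet, VPC and transit gateway IDs are constructed sample values.

```python
"""Choose attachment subnets under this page's rules and build the create
request (added example, not AWS code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Subnet:
    subnet_id: str
    availability_zone: str
    ipv4_cidr: Optional[str]               # None models an IPv6-only subnet
    zone_type: str = "availability-zone"   # Local Zone subnets carry "local-zone"


@dataclass
class Selection:
    subnet_ids: List[str] = field(default_factory=list)
    skipped: Dict[str, str] = field(default_factory=dict)        # subnet id -> reason
    unreachable_zones: List[str] = field(default_factory=list)   # AZs with no usable subnet


def choose_attachment_subnets(subnets: List[Subnet]) -> Selection:
    """One IPv4-capable subnet per Availability Zone. Local Zone and IPv6-only
    subnets are never eligible. Zones that end up without an attachment subnet
    are reported, because resources there cannot reach the transit gateway."""
    sel = Selection()
    covered, zones_seen = set(), set()
    for s in sorted(subnets, key=lambda x: (x.availability_zone, x.subnet_id)):
        if s.zone_type != "availability-zone":
            sel.skipped[s.subnet_id] = "local-zone"
            continue
        zones_seen.add(s.availability_zone)
        if s.ipv4_cidr is None:
            sel.skipped[s.subnet_id] = "ipv6-only"
            continue
        if s.availability_zone in covered:
            sel.skipped[s.subnet_id] = "zone-already-covered"
            continue
        covered.add(s.availability_zone)
        sel.subnet_ids.append(s.subnet_id)
    sel.unreachable_zones = sorted(zones_seen - covered)
    if not sel.subnet_ids:
        raise ValueError("need at least one IPv4 subnet in an Availability Zone")
    return sel


def build_create_request(transit_gateway_id: str, vpc_id: str, selection: Selection, *,
                         dns_support: bool = True, ipv6_support: bool = False,
                         appliance_mode: bool = False, name: Optional[str] = None) -> dict:
    """Request in the shape of CreateTransitGatewayVpcAttachment (key names are
    my assumption from the EC2 API, not from this page)."""
    def flag(on: bool) -> str:
        return "enable" if on else "disable"
    req = {
        "TransitGatewayId": transit_gateway_id,
        "VpcId": vpc_id,
        "SubnetIds": list(selection.subnet_ids),
        "Options": {
            "DnsSupport": flag(dns_support),
            "Ipv6Support": flag(ipv6_support),
            "ApplianceModeSupport": flag(appliance_mode),
        },
    }
    if name:
        req["TagSpecifications"] = [{
            "ResourceType": "transit-gateway-attachment",
            "Tags": [{"Key": "Name", "Value": name}],
        }]
    return req


def as_create_cli_command(req: dict) -> str:
    """Render the request as the AWS CLI command named on this page."""
    opts = ",".join(f"{k}={v}" for k, v in req["Options"].items())
    return ("aws ec2 create-transit-gateway-vpc-attachment"
            f" --transit-gateway-id {req['TransitGatewayId']}"
            f" --vpc-id {req['VpcId']}"
            f" --subnet-ids {' '.join(req['SubnetIds'])}"
            f" --options {opts}")


# Constructed sample: two AZs with IPv4 subnets, one IPv6-only AZ, one Local Zone subnet.
SAMPLE_SUBNETS = [
    Subnet("subnet-0a1EXAMPLE", "us-east-1a", "10.0.0.0/24"),
    Subnet("subnet-0a2EXAMPLE", "us-east-1a", "10.0.1.0/24"),
    Subnet("subnet-0b1EXAMPLE", "us-east-1b", None),
    Subnet("subnet-0c1EXAMPLE", "us-east-1c", "10.0.2.0/24"),
    Subnet("subnet-0lzEXAMPLE", "us-east-1-bos-1a", "10.0.3.0/24", "local-zone"),
]

if __name__ == "__main__":
    sel = choose_attachment_subnets(SAMPLE_SUBNETS)
    req = build_create_request("tgw-0123EXAMPLE", "vpc-0123EXAMPLE", sel, name="app-vpc")
    print(as_create_cli_command(req))
    print("skipped:", sel.skipped, "unreachable AZs:", sel.unreachable_zones)
```

The unreachable_zones list is the output to act on before creating the attachment: in the sample, us-east-1b only has an IPv6-only subnet, so workloads there would have a route to the transit gateway that silently goes nowhere.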

Modify your VPC attachment

To modify your VPC attachments using the console
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. On the navigation pane, choose Transit Gateway Attachments.

  3. Select the VPC attachment, and then choose Actions, Modify transit gateway attachment.

  4. To enable DNS support, select DNS support.

  5. To add a subnet to the attachment, next to the subnet, select the box.

    Adding or modifying a VPC attachment subnet might impact data traffic while the attachment is in a modifying state.

  6. Choose Modify transit gateway attachment.

To modify your VPC attachments using the AWS CLI

Use the modify-transit-gateway-vpc-attachment command.
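When changing an attachment's subnets, the useful thing to know in advance is which Availability Zones gain reach, which lose it, and which have their attachment subnet swapped, since the swap is the case where traffic is affected while the attachment is in the modifying state. The following is an added example (not AWS code and not from this page) that diffs the current and desired subnet sets, enforces the one-subnet-per-zone rule, and renders the modify-transit-gateway-vpc-attachment call. The --add-subnet-ids and --remove-subnet-ids flags are from my knowledge of the CLI, not from this page; the subnet-to-zone map and IDs are constructed sample data.

```python
"""Plan a subnet change for an existing VPC attachment (added example, not AWS code)."""
from typing import Dict, List


def plan_subnet_change(current: List[str], desired: List[str],
                       az_of: Dict[str, str]) -> dict:
    """current and desired are subnet ids; az_of maps subnet id -> Availability Zone."""
    if not desired:
        raise ValueError("an attachment must keep at least one subnet")
    zone_of_desired: Dict[str, str] = {}
    for sid in desired:
        az = az_of[sid]
        if az in zone_of_desired:
            raise ValueError(f"{az}: only one subnet per Availability Zone "
                             f"({zone_of_desired[az]}, {sid})")
        zone_of_desired[az] = sid
    cur, want = set(current), set(desired)
    add, remove = sorted(want - cur), sorted(cur - want)
    cur_zones = {az_of[s] for s in current}
    want_zones = set(zone_of_desired)
    return {
        "AddSubnetIds": add,
        "RemoveSubnetIds": remove,
        "zones_gaining_reach": sorted(want_zones - cur_zones),
        "zones_losing_reach": sorted(cur_zones - want_zones),
        # Same zone appears in both add and remove: traffic in that zone is
        # affected while the attachment is modifying.
        "zones_swapped": sorted({az_of[s] for s in add} & {az_of[s] for s in remove}),
    }


def as_modify_cli_command(attachment_id: str, plan: dict) -> str:
    """Render the plan as the AWS CLI command named on this page."""
    parts = ["aws ec2 modify-transit-gateway-vpc-attachment",
             f"--transit-gateway-attachment-id {attachment_id}"]
    if plan["AddSubnetIds"]:
        parts.append("--add-subnet-ids " + " ".join(plan["AddSubnetIds"]))
    if plan["RemoveSubnetIds"]:
        parts.append("--remove-subnet-ids " + " ".join(plan["RemoveSubnetIds"]))
    return " ".join(parts)


# Constructed sample: swap the us-east-1a subnet and add coverage for us-east-1b.
AZ_OF = {
    "subnet-0a1EXAMPLE": "us-east-1a",
    "subnet-0a2EXAMPLE": "us-east-1a",
    "subnet-0b1EXAMPLE": "us-east-1b",
    "subnet-0c1EXAMPLE": "us-east-1c",
}
CURRENT = ["subnet-0a1EXAMPLE", "subnet-0c1EXAMPLE"]
DESIRED = ["subnet-0a2EXAMPLE", "subnet-0b1EXAMPLE", "subnet-0c1EXAMPLE"]

if __name__ == "__main__":
    plan = plan_subnet_change(CURRENT, DESIRED, AZ_OF)
    print(plan)
    print(as_modify_cli_command("tgw-attach-0123EXAMPLE", plan))
```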

Modify your VPC attachment tags

To modify your VPC attachment tags using the console
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. On the navigation pane, choose Transit Gateway Attachments.

  3. Select the VPC attachment, and then choose Actions, Manage tags.

  4. [Add a tag] Choose Add new tag and do the following:

    • For Key, enter the key name.

    • For Value, enter the key value.

  5. [Remove a tag] Next to the tag, choose Remove.

  6. Choose Save.

    VPC attachment tags can only be modified using the console.

View your VPC attachments

To view your VPC attachments using the console
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. On the navigation pane, choose Transit Gateway Attachments.

  3. In the Resource type column, look for VPC. These are the VPC attachments.

  4. Choose an attachment to view its details.

To view your VPC attachments using the AWS CLI

Use the describe-transit-gateway-vpc-attachments command.

Delete a VPC attachment

To delete a VPC attachment using the console
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. On the navigation pane, choose Transit Gateway Attachments.

  3. Select the VPC attachment.

  4. Choose Actions, Delete transit gateway attachment.

  5. When prompted, enter delete and choose Delete.

To delete a VPC attachment using the AWS CLI

Use the delete-transit-gateway-vpc-attachment command.

Troubleshoot VPC attachment creation

The following topic can help you troubleshoot problems that you might have when you create a VPC attachment.

Problem

The VPC attachment failed.

Cause

The cause might be one of the following:

  1. The user that is creating the VPC attachment does not have the correct permissions to create the service-linked role.

  2. There is a throttling issue because of too many IAM requests, for example when you are using AWS CloudFormation to create permissions and roles.

  3. The account has the service-linked role, and the service-linked role has been modified.

  4. The transit gateway is not in the available state.

Solution

Depending on the cause, try the following:

  1. Verify that the user has the correct permissions to create service-linked roles. For more information, see Service-linked role permissions in the IAM User Guide. After the user has the permissions, create the VPC attachment.

  2. Create the VPC attachment manually through the console or API. For more information, see Create a transit gateway attachment to a VPC.

  3. Verify that the service-linked role has the correct permissions. For more information, see Transit gateway service-linked role.

  4. Verify that the transit gateway is in the available state. For more information, see View your transit gateways.