Create a transit gateway VPN attachment - AWS Site-to-Site VPN

Create a transit gateway VPN attachment

To create a VPN attachment on a transit gateway, you must specify both the transit gateway and the customer gateway. The transit gateway must already exist before you follow this procedure. For more information about creating a transit gateway, see Transit gateways in Amazon VPC Transit Gateways.

To create a VPN attachment on a transit gateway using the console
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Site-to-Site VPN connections.

  3. Choose Create VPN connection.

  4. (Optional) For Name tag, enter a name for the connection. Doing so creates a tag with a key of Name and the value that you specify.

  5. For Target gateway type, choose Transit gateway, and then choose the transit gateway.

  6. For Customer gateway, do one of the following:

    • To use an existing customer gateway, choose Existing, and then choose the customer gateway.

      If your customer gateway is behind a network address translation (NAT) device that's enabled for NAT traversal (NAT-T), use the public IP address of your NAT device, and adjust your firewall rules to unblock UDP port 4500.

    • To create a customer gateway, choose New. For IP Address, enter a static public IP address. For Certificate ARN, choose the ARN of your private certificate (if using certificate-based authentication). For BGP ASN, enter the Border Gateway Protocol (BGP) Autonomous System Number (ASN) of your customer gateway. For more information, see Customer gateway options.

  7. For Routing options, choose Dynamic or Static.

  8. For Tunnel inside IP version, specify whether the VPN tunnels support IPv4 or IPv6 traffic. IPv6 traffic is only supported for VPN connections on a transit gateway.

  9. (Optional) For Enable acceleration, select the check box to enable acceleration. For more information, see Accelerated VPN connections.

    If you enable acceleration, we create two accelerators that are used by your VPN connection. Additional charges apply.

  10. (Optional) For Local IPv4 network CIDR, specify the IPv4 CIDR range on the customer gateway (on-premises) side that is allowed to communicate over the VPN tunnels. The default is 0.0.0.0/0.

    For Remote IPv4 network CIDR, specify the IPv4 CIDR range on the AWS side that is allowed to communicate over the VPN tunnels. The default is 0.0.0.0/0.

    If you specified IPv6 for Tunnel inside IP version, then specify the IPv6 CIDR ranges on the customer gateway side and AWS side that are allowed to communicate over the VPN tunnels. The default for both ranges is ::/0.

  11. (Optional) For Tunnel options, you can specify the following information for each tunnel:

    • A size /30 IPv4 CIDR block from the 169.254.0.0/16 range for the inside tunnel IPv4 addresses.

    • If you specified IPv6 for Tunnel inside IP version, a /126 IPv6 CIDR block from the fd00::/8 range for the inside tunnel IPv6 addresses.

    • The IKE pre-shared key (PSK). The following versions are supported: IKEv1 or IKEv2.

    • To edit the advanced options for your tunnel, choose Edit tunnel options. For more information, see VPN tunnel options.

  12. Choose Create VPN connection.

To create a VPN attachment using the AWS CLI

Use the create-vpn-connection command and specify the transit gateway ID for the --transit-gateway-id option.
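The following is an added example, not part of this page or the AWS CLI itself: a POSIX shell script that checks the tunnel settings from the console procedure above (a /30 from 169.254.0.0/16 per tunnel, and AWS's published pre-shared key rules) and writes the `--options` JSON that `aws ec2 create-vpn-connection` accepts via `file://`. Keeping the PSKs in an environment variable and a mode-600 file, rather than on the command line, keeps them out of shell history and `ps` output. The gateway IDs and CIDRs are placeholders.

```shell
#!/bin/sh
# Added example (not from the AWS page): validate tunnel settings and emit the
# VpnConnectionOptionsSpecification JSON for `aws ec2 create-vpn-connection`.
# PSKs are read from $TUNNEL1_PSK / $TUNNEL2_PSK, never passed as arguments.

# 0 if $1 is an aligned /30 inside 169.254.0.0/16, else 1.
valid_inside_cidr() {
  case "$1" in 169.254.*.*/30) ;; *) return 1 ;; esac
  rest=${1#169.254.}; rest=${rest%/30}
  o3=${rest%.*}; o4=${rest#*.}
  case "$o3$o4" in *[!0-9]*|'') return 1 ;; esac
  [ "$o3" -le 255 ] && [ "$o4" -le 255 ] && [ $((o4 % 4)) -eq 0 ]
}

# 0 if $1 meets AWS's PSK rules: 8-64 chars of [A-Za-z0-9._], not starting with 0.
valid_psk() {
  case "$1" in ''|0*|*[!A-Za-z0-9._]*) return 1 ;; esac
  n=${#1}; [ "$n" -ge 8 ] && [ "$n" -le 64 ]
}

# build_options T1_CIDR T2_CIDR LOCAL_CIDR REMOTE_CIDR -> JSON on stdout.
# Static routing, IPv4 inside addresses, IKEv2 only (the stronger of the two
# versions the page lists).
build_options() {
  valid_inside_cidr "$1" && valid_inside_cidr "$2" || { echo "bad inside CIDR" >&2; return 1; }
  [ "$1" != "$2" ] || { echo "tunnels need distinct inside CIDRs" >&2; return 1; }
  valid_psk "$TUNNEL1_PSK" && valid_psk "$TUNNEL2_PSK" || { echo "bad PSK" >&2; return 1; }
  printf '{"StaticRoutesOnly": true, "TunnelInsideIpVersion": "ipv4",\n'
  printf ' "LocalIpv4NetworkCidr": "%s", "RemoteIpv4NetworkCidr": "%s",\n' "$3" "$4"
  printf ' "TunnelOptions": [\n'
  printf '  {"TunnelInsideCidr": "%s", "PreSharedKey": "%s", "IKEVersions": [{"Value": "ikev2"}]},\n' "$1" "$TUNNEL1_PSK"
  printf '  {"TunnelInsideCidr": "%s", "PreSharedKey": "%s", "IKEVersions": [{"Value": "ikev2"}]}\n' "$2" "$TUNNEL2_PSK"
  printf ' ]}\n'
}

# Example invocation (IDs and CIDRs are placeholders); not run on load.
# Passing the JSON with file:// keeps the PSKs off the command line entirely.
create_tgw_vpn() {
  build_options 169.254.10.0/30 169.254.11.0/30 10.10.0.0/16 10.0.0.0/8 > options.json || return 1
  chmod 600 options.json
  aws ec2 create-vpn-connection --type ipsec.1 \
    --transit-gateway-id tgw-PLACEHOLDER --customer-gateway-id cgw-PLACEHOLDER \
    --options file://options.json
}
```

Call `create_tgw_vpn` after exporting `TUNNEL1_PSK` and `TUNNEL2_PSK`; remove `options.json` once the connection is created, since it holds the keys in clear text.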