

# Site-to-Site VPN attachments in AWS Cloud WAN
<a name="cloudwan-s2s-vpn-attachment"></a>

Before you can attach a Site-to-Site VPN connection to your core network edge, you must first create a Site-to-Site VPN connection with **Target Gateway Type** set to **Not Associated**. See [Create an AWS Cloud WAN Site-to-Site VPN attachment](https://docs.aws.amazon.com/vpn/latest/s2svpn/create-cwan-vpn-attachment.html) in the *AWS Site-to-Site VPN User Guide*.

**Note**  
 Your Site-to-Site VPN must be attached to a core network before you can start configuring a customer gateway. AWS doesn't provision these endpoints until the Site-to-Site VPN is attached to the core network. 
A Site-to-Site VPN attachment must be created in the same AWS account that owns the core network. 

**Topics**
+ [Create a Site-to-Site VPN attachment](cloudwan-vpn-attachment-add.md)
+ [View or edit a Site-to-Site VPN attachment](cloudwan-attachments-viewing-editing-vpn.md)

# Create a Site-to-Site VPN attachment for an AWS Cloud WAN core network
<a name="cloudwan-vpn-attachment-add"></a>

You can create a Site-to-Site VPN attachment using either the Network Manager console or the AWS CLI.

**Topics**
+ [Create a Site-to-Site VPN attachment using the console](#cloudwan-vpn-attachment-console)
+ [Create a Site-to-Site VPN attachment using the command line or API](#cloudwan-vpn-attachment-cli)

## Create a Site-to-Site VPN attachment using the console
<a name="cloudwan-vpn-attachment-console"></a>

The following steps create a Site-to-Site VPN attachment for a core network using the console.

**To create a Site-to-Site VPN attachment using the console**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity**, choose **Global networks**.

1. On the **Global networks** page, choose the global network link for the core network you want to add an attachment to.

1. In the navigation pane under the name of the global network, choose **Attachments**.

1. Choose **Create attachment**.

1. Enter a **name** identifying the attachment.

1. From the **Edge location** dropdown list, choose the location where the attachment is located.

1. Choose **VPN**.

1. From the **VPN attachment** section, choose the VPN ID to be used for the VPN attachment.

1. (Optional) For **Routing policy label**, provide a label that will be used to map this policy to attachments. The policy will automatically be applied to any attachment tagged with the same label.

1. (Optional) In the **Tags** section, add **Key** and **Value** pairs to further help identify this resource. You can add multiple tags by choosing **Add tag**, or remove any tag by choosing **Remove tag**.

1. Choose **Create attachment**.

## Create a Site-to-Site VPN attachment using the command line or API
<a name="cloudwan-vpn-attachment-cli"></a>

Use the command line or API to create an AWS Cloud WAN Site-to-Site VPN attachment.

**To create a Site-to-Site VPN attachment using the command line or API**
+ Use `create-site-to-site-vpn-attachment`. See [create-site-to-site-vpn-attachment](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/networkmanager/create-site-to-site-vpn-attachment.html).
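
The following script is an added example, not part of the AWS documentation. It checks the two prerequisites stated on this page (the VPN connection has no target gateway, and the caller's account owns the core network) before calling `create-site-to-site-vpn-attachment`. The function names are hypothetical, the core network ID, VPN connection ID, and Region are supplied by the caller, and the VPN ARN is built assuming the commercial `aws` partition.

```shell
#!/bin/sh
# Added example: pre-flight checks before attaching a VPN to a core network.

# The account ID is the fifth colon-separated field of an ARN.
arn_account() { printf '%s\n' "$1" | cut -d: -f5; }

# Succeeds only if every gateway ID is empty or "None" (what the CLI's text
# output prints for null), i.e. Target Gateway Type is "Not Associated".
vpn_is_unassociated() {
  for gw in "$@"; do
    case "$gw" in ""|None) ;; *) return 1 ;; esac
  done
  return 0
}

# Succeeds only if the caller's account ($1) owns the core network ARN ($2).
same_account() { [ -n "$1" ] && [ "$1" = "$(arn_account "$2")" ]; }

# usage: attach_vpn <core-network-id> <vpn-connection-id> <region>
attach_vpn() {
  core_id=$1; vpn_id=$2; region=$3
  caller=$(aws sts get-caller-identity --query Account --output text) || return 1
  core_arn=$(aws networkmanager get-core-network --core-network-id "$core_id" \
    --query CoreNetwork.CoreNetworkArn --output text) || return 1
  gws=$(aws ec2 describe-vpn-connections --region "$region" \
    --vpn-connection-ids "$vpn_id" --output text \
    --query 'VpnConnections[0].[VpnGatewayId,TransitGatewayId]') || return 1

  if ! same_account "$caller" "$core_arn"; then
    echo "refusing: account $caller does not own $core_arn" >&2; return 1
  fi
  # $gws is left unquoted on purpose so the two fields split into two arguments.
  if ! vpn_is_unassociated $gws; then
    echo "refusing: $vpn_id already has a target gateway ($gws)" >&2; return 1
  fi

  # Assumption: commercial partition; adjust "aws" for other partitions.
  vpn_arn="arn:aws:ec2:${region}:${caller}:vpn-connection/${vpn_id}"
  aws networkmanager create-site-to-site-vpn-attachment \
    --core-network-id "$core_id" --vpn-connection-arn "$vpn_arn"
}

# Run only when called with all three arguments.
if [ "$#" -eq 3 ]; then attach_vpn "$@"; fi
```
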

# View or edit an AWS Cloud WAN Site-to-Site VPN attachment
<a name="cloudwan-attachments-viewing-editing-vpn"></a>

You can view and edit configuration information for a VPN attachment, as well as add a new attachment. If you want to add a new VPN attachment, see [Create a Site-to-Site VPN attachment for an AWS Cloud WAN core network](cloudwan-vpn-attachment-add.md).

## View and edit a VPN attachment
<a name="cloudwan-editing-vpn"></a>

**To view and edit a VPN attachment**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity**, choose **Global networks**.

1. On the **Global networks** page, choose the global network ID.

1. Under **Core network** in the navigation pane, choose **Attachments**.

1. Select the check box for an attachment where the **Resource Type** is **VPN**. Details about the attachment are displayed in the lower part of the page. In this section, you can also edit the attachment Tags by choosing the **Tags** tab.

1. Choose **Edit**.

1. On the **Edit attachment** page, do any of the following:
   + Enable or disable appliance mode support.
   + Enable or disable IPv6 support.
   + Add or remove subnet IDs.
   + Add or remove tags.

1. If you made any changes, choose **Edit attachment** to save the changes. The **Attachments** page displays along with a confirmation that the attachment was modified successfully.

## Manage a VPN attachment routing policy label
<a name="cloudwan-labels-editing-vpn"></a>

You can create, modify, or delete routing policy labels for an attachment. Once you add or modify a routing policy label, you'll need to map or remap it to an attachment routing policy. Deleting a routing policy label removes any association with an attachment routing policy.

**To manage attachment routing policy labels**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity**, choose **Global networks**.

1. On the **Global networks** page, choose the global network link for the core network with the attachment.

1. In the navigation pane under the name of the global network, choose **Attachments**.

1. Choose the attachment.

1. In the section showing details about the attachment, choose the **Routing policy** tab, and then choose **Edit**.

1. Choose **Create** to create a new routing policy label, or choose **Edit** to modify the **Routing policy label** as needed.

1. After creating or modifying a routing policy label, you can then associate that label with an attachment routing policy.

1. In the **Attachment routing policy association** section, choose the attachment routing policy association you want to map to the routing policy label.

You can delete a routing policy label for an attachment. Once you delete an attachment, the association from an attachment routing policy is removed permanently.

**To delete an attachment routing policy label**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity**, choose **Global networks**.

1. On the **Global networks** page, choose the global network link for the core network with the attachment.

1. In the navigation pane under the name of the global network, choose **Attachments**.

1. Choose the attachment.

1. In the section showing details about the attachment, choose the **Routing policy** tab, and then choose **Delete**.

1. Choose **Delete** again to confirm the removal. If the routing policy label was mapped to an attachment routing policy, the **Attachment routing policy association** section updates and removes the policy from the list. 

## View a Site-to-Site VPN attachment using the command line or API
<a name="edit-attachment-vpn-cli"></a>

Use the command line or API to view a Site-to-Site VPN attachment.

**To view a Site-to-Site VPN attachment using the command line or API**
+ See [get-site-to-site-vpn-attachment](https://docs.aws.amazon.com/cli/latest/reference/networkmanager/get-site-to-site-vpn-attachment.html).