

# Connect attachments and Connect peers in AWS Cloud WAN
<a name="cloudwan-connect-attachment"></a>

You can create a Connect attachment to establish a connection between a core network edge and third-party virtual appliances (such as SD-WAN appliances) running in Amazon VPC. A Connect attachment supports both the Generic Routing Encapsulation (GRE) tunnel protocol and the Tunnel-less Connect protocol for high performance, and the Border Gateway Protocol (BGP) for dynamic routing. After you create a Connect attachment, you create one or more GRE or Tunnel-less Connect tunnels (also referred to as Connect peers) on the Connect attachment to connect the core network edge and the third-party appliance. You establish two BGP sessions over the tunnel to exchange routing information; the two sessions provide redundancy. A Connect attachment uses an existing VPC attachment as the underlying transport mechanism. This is referred to as the transport attachment.

The core network edge identifies GRE packets from the third-party appliance that match the Connect peer's configured addresses as traffic from the Connect attachment. It treats any other packets, including GRE packets with incorrect source or destination addresses, as traffic from the transport attachment, so that traffic follows the transport VPC attachment's segment and policy rather than the Connect attachment's.

You can create a Connect attachment through either the AWS Network Manager console or the CLI/SDK.

**Note**  
A Connect attachment must be created in the same AWS account that owns the core network.

## Tunnel-less Connect
<a name="cloudwan-connect-tlc"></a>

AWS Cloud WAN supports Tunnel-less Connect for VPC Connect attachments. Tunnel-less Connect provides a simpler way to build a global SD-WAN using AWS. Third-party SD-WAN appliances peer with Cloud WAN using Border Gateway Protocol (BGP) without IPsec or GRE tunnels between the appliance and Cloud WAN. This lets you deploy a Cloud WAN core network across multiple AWS Regions and connect one or more third-party SD-WAN appliances to the core network edge in each Region. Because Tunnel-less Connect has no tunneling overhead, it provides better performance and peak bandwidth on Tunnel-less Connect (TLC) attachments. An IPsec tunnel provides 1.25 Gbps, so reaching the full bandwidth of the VPC attachment means combining up to eight tunnels. A GRE tunnel supports only 5 Gbps, so scaling beyond that requires techniques such as Equal Cost Multi-pathing (ECMP) to spread traffic across tunnels.

You can use the console or API to specify the Tunnel-less Connect protocol. 

In order to use Tunnel-less Connect, note the following:
+ Your SD-WAN appliance must support BGP. The appliance must be deployed in a VPC and use a Connect attachment enabled for tunnel-less operation to connect to a core network edge.
+ Attachment policy tags or resource names are used to associate the Tunnel-less Connect attachment with the SD-WAN segment.
+ Connect (GRE) and Connect (Tunnel-less) attachments can co-exist in the same VPC. There is a maximum of one Connect (Tunnel-less) attachment per VPC.
+ Tunnel-less Connect attachments and their underlying transport VPC attachments must be associated with the same core network segment.
+ An inside CIDR block is not an input when you create a Tunnel-less Connect peer; the addresses are taken from the connecting core network edge.

## Routing
<a name="cloudwan-tlc-routing"></a>

Tunnel-less Connect uses BGP for dynamic routing, so any third-party SD-WAN appliance you use with it must support BGP. The appliance peers with the core network through a Connect attachment operating in tunnel-less mode, using native BGP to exchange routing and reachability information between the SD-WAN appliance in the VPC and the core network edge. We recommend using a different autonomous system number (ASN) on your SD-WAN appliance from the one configured on the core network edge.

Tunnel-less Connect also supports Multiprotocol Extensions for BGP (MP-BGP), so both the IPv4 and IPv6 address families can be exchanged over the same session.

You'll need to configure the following in the VPC route table used for Tunnel-less Connect:
+ A route to the core network edge BGP address. This is necessary to bring up the BGP session between the core network edge and the SD-WAN appliance.
+ If your third-party appliance is in a different subnet from the VPC attachment, routes for the destination prefixes the core network edge advertises (see the next section).

For more information about route tables, see [Configure route tables](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html) in the *Amazon VPC User Guide*.

## Third-party appliance limitations
<a name="cloudwan-tlc-appliance"></a>

An AWS Cloud WAN Tunnel-less Connect peer (the third-party appliance) can be in the same subnet as the transport VPC attachment or in a different subnet. The following limitations apply in each case.

**For third-party appliances in the same subnet as the Cloud WAN VPC attachment:**
+ When the third-party appliance is in the same subnet as the VPC attachment, routes are exchanged dynamically with the core network edge using BGP. For the dataplane to function correctly, no VPC route table modifications are required other than adding the core network BGP addresses to establish BGP peering.
+ The BGP IPv4 prefixes advertised by the core network edge to your third-party appliance have the IPv4 address of the core network attachment's elastic network interface (ENI) as the next hop, which differs from the core network BGP peering address.
+ The BGP IPv6 prefixes advertised by the core network edge to your third-party appliance use the EUI-64 address of the core network attachment's ENI as the next hop.

**For third-party appliances in a different subnet from the Cloud WAN VPC attachment:**
+ If the third-party appliance is in a different subnet from the VPC attachment, you can still exchange routes dynamically with the core network edge using BGP. However, in addition to adding the core network BGP addresses for peering, you must modify the VPC route table for the dataplane to function correctly by adding the prefixes received from the core network edge BGP peer. Alternatively, you can create a summary route that covers the prefixes advertised by the core network edge.
+ The BGP IPv4 prefixes advertised by the core network edge to your third-party appliance have the core network BGP address as the next hop.
+ The BGP IPv6 prefixes advertised by the core network edge to your third-party appliance use the IPv4-mapped IPv6 address of the core network BGP address as the next hop.

It's recommended that you place your third-party appliance in the same subnet as the Cloud WAN VPC attachment for more seamless integration with Tunnel-less connect.
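
The two cases above, worked through as an added example that is not part of the AWS documentation: given the appliance subnet, the transport attachment subnet, the core network edge BGP addresses and the prefixes received over BGP, it returns the routes the VPC route table needs and the matching `aws ec2 create-route` calls with `--core-network-arn` as the target. All addresses, the route table ID and the core network ARN are constructed placeholders. It also applies a check a practitioner would want before using the summary-route option: the summary must not overlap the VPC's own CIDR, because a summary that wide sends traffic for every unadvertised destination it covers toward the core network.

```python
"""Plan the VPC route table entries for a Tunnel-less Connect appliance.

Added example, not part of the AWS documentation. It encodes the two cases
described on the page: an appliance in the same subnet as the transport VPC
attachment needs only routes to the core network edge BGP addresses, while
an appliance in a different subnet also needs the prefixes received from
the core network edge, or one summary route that covers them. All
addresses, IDs and the core network ARN are constructed placeholders.
"""
import ipaddress

# Constructed sample topology (not from the original page).
VPC_CIDR = ipaddress.ip_network("10.20.0.0/16")
APPLIANCE_SUBNET = ipaddress.ip_network("10.20.1.0/24")
ATTACHMENT_SUBNET = ipaddress.ip_network("10.20.2.0/24")
CORE_NETWORK_BGP_ADDRESSES = ["10.20.2.10", "10.20.2.11"]  # two sessions, for redundancy
RECEIVED_PREFIXES = ["10.50.0.0/16", "10.51.0.0/16", "10.52.0.0/16"]
CORE_NETWORK_ARN = "arn:aws:networkmanager::111122223333:core-network/core-network-EXAMPLE"


def summary_route(prefixes):
    """Smallest single prefix that contains every received prefix."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    if len({n.version for n in nets}) != 1:
        raise ValueError("summarize IPv4 and IPv6 prefixes separately")
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()  # supernet() of a /0 returns itself, so this terminates
    return summary


def summary_is_safe(prefixes, vpc_cidr):
    """A summary route must not cover the VPC's own CIDR.

    The local route still wins by longest match, but a summary that wide
    also steers traffic for every unadvertised destination inside it to the
    core network. Treat that as a configuration error, not a convenience.
    """
    return not summary_route(prefixes).overlaps(vpc_cidr)


def plan_routes(appliance_subnet, attachment_subnet, bgp_addresses,
                received_prefixes, vpc_cidr, summarize=False):
    """Return (destination, reason) pairs to add to the appliance subnet's
    route table. Every destination targets the core network attachment."""
    routes = [(ipaddress.ip_network(a), "core network edge BGP address")
              for a in bgp_addresses]
    if appliance_subnet == attachment_subnet:
        return routes  # same subnet: dataplane works with no further route table changes
    if summarize:
        if not summary_is_safe(received_prefixes, vpc_cidr):
            raise ValueError("summary route would overlap the VPC CIDR; "
                             "add the received prefixes individually")
        routes.append((summary_route(received_prefixes),
                       "summary of prefixes received from the core network edge"))
    else:
        routes.extend((ipaddress.ip_network(p), "prefix received from the core network edge")
                      for p in received_prefixes)
    return routes


def create_route_commands(route_table_id, routes, core_network_arn):
    """Build `aws ec2 create-route` invocations (as argv lists) for the plan.

    `--core-network-arn` makes the Cloud WAN core network the route target;
    IPv6 destinations use `--destination-ipv6-cidr-block`.
    """
    commands = []
    for destination, _reason in routes:
        flag = ("--destination-ipv6-cidr-block" if destination.version == 6
                else "--destination-cidr-block")
        commands.append(["aws", "ec2", "create-route",
                         "--route-table-id", route_table_id,
                         flag, str(destination),
                         "--core-network-arn", core_network_arn])
    return commands


if __name__ == "__main__":
    plan = plan_routes(APPLIANCE_SUBNET, ATTACHMENT_SUBNET, CORE_NETWORK_BGP_ADDRESSES,
                       RECEIVED_PREFIXES, VPC_CIDR, summarize=True)
    for destination, reason in plan:
        print(f"{destination!s:<20} # {reason}")
    for argv in create_route_commands("rtb-EXAMPLE", plan, CORE_NETWORK_ARN):
        print(" ".join(argv))
```

With the constructed prefixes the summary is `10.48.0.0/13`, which also covers `10.48.0.0/16`, `10.49.0.0/16` and `10.53.0.0/16` through `10.55.0.0/16` even though nothing advertised them. That is the trade-off of summarizing: fewer static routes, at the cost of sending traffic for unadvertised space to the core network. When the advertised set is small, adding the specific prefixes (`summarize=False`) is the tighter choice.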

**Topics**
+ [Tunnel-less Connect](#cloudwan-connect-tlc)
+ [Routing](#cloudwan-tlc-routing)
+ [Third-party appliance limitations](#cloudwan-tlc-appliance)
+ [Create a Connect attachment](cloudwan-connect-attachment-add.md)
+ [View or edit a Connect attachment](cloudwan-attachments-viewing-editing-connect.md)
+ [Add a Connect peer](cloudwan-connect-peer-attachment.md)

# Create a Connect attachment for an AWS Cloud WAN core network
<a name="cloudwan-connect-attachment-add"></a>

You can create a Connect attachment using either the Network Manager console or the AWS CLI. Once you create a Connect attachment to your core network, you can create a Connect peer. For the steps to create a Connect peer after creating the Connect attachment, see [Create an AWS Cloud WAN Connect peer for a core network](cloudwan-connect-peer-attachment.md).

**Topics**
+ [Create a Connect attachment using the console](#cloudwan-connect-attachment-console)
+ [Create a Connect attachment or Connect peer using the command line or API](#cloudwan-connect-attachment-cli)

## Create a Connect attachment using the console
<a name="cloudwan-connect-attachment-console"></a>

The following steps create a Connect attachment for a core network using the console. 

**To create a Connect attachment using the console**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity**, choose **Global networks**.

1. On the **Global networks** page, choose the global network link for the core network you want to add an attachment to.

1. In the navigation pane under the name of the global network, choose **Attachments**.

1. Choose **Create attachment**.

1. Enter a **name** identifying the attachment.

1. From the **Edge location** dropdown list, choose the location where the attachment is located.

1. Choose **Connect**.

1. From the **Connect attachment** section, choose the Connect protocol. This will be either:
   + **GRE**
   + **Tunnel-less (No encapsulation)**

1. Choose the **Transport Attachment ID** that will be used for the Connect attachment.

1. (Optional) For **Routing policy label**, provide a label used to map this attachment to an attachment routing policy. A routing policy is applied automatically to every attachment carrying the same label.

1. (Optional) In the **Tags** section, add **Key** and **Value** tags to further help identify this resource. You can add multiple tags by choosing **Add tag**, or remove any tag by choosing **Remove tag**.

1. Choose **Create attachment**.

## Create a Connect attachment or Connect peer using the command line or API
<a name="cloudwan-connect-attachment-cli"></a>

Use the command line or API to create an AWS Cloud WAN Connect attachment. When using the `CreateConnectAttachment` API, set the Connect protocol in the attachment options: `"Protocol" : "GRE"` for a GRE attachment, or `"Protocol" : "NO_ENCAP"` for a Tunnel-less attachment.

**To create a Connect attachment or Connect peer using the command line or API**
+ Use `create-connect-attachment`. See [create-connect-attachment](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/networkmanager/create-connect-attachment.html).

After you create the Connect attachment (GRE or Tunnel-less), use the following command line or API to create the Connect peer:
+ `create-connect-peer`. See [create-connect-peer](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/networkmanager/create-connect-peer.html).

# View or edit an AWS Cloud WAN Connect attachment
<a name="cloudwan-attachments-viewing-editing-connect"></a>

You can view information about a Connect attachment. For an existing attachment you can create a GRE or Tunnel-less Connect peer, as well as edit the key-value tags associated with the attachment. If you want to add a new Connect attachment, see [Connect attachments and Connect peers in AWS Cloud WAN](cloudwan-connect-attachment.md).

## View and edit a Connect attachment
<a name="cloudwan-editing-connect"></a>

**To view and edit a Connect attachment**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity**, choose **Global networks**.

1. On the **Global networks** page, choose the global network ID.

1. Under **Core network** in the navigation pane, choose **Attachments**.

1. Select the check box for an attachment where the **Resource Type** is **Connect**. 

1. Details about the attachment are displayed, as well as any Connect peers and tags that are associated with the attachment. Here you can also add a new Connect peer, as well as add, edit, or remove tags.
   + To add a new GRE or Tunnel-less Connect peer attachment, choose the **Connect peers** tab and follow the steps here: [Create an AWS Cloud WAN Connect peer for a core network](cloudwan-connect-peer-attachment.md).
   + To add or edit attachment Tags, choose the **Tags** tab. The current list of tags associated with this attachment are displayed. Choose **Edit tags** to modify or delete current tags, and to add new tags. If you made any changes, choose **Edit attachment** to save the changes. The **Attachments** page displays along with a confirmation that the attachment was modified successfully.

## Manage a Connect routing policy label
<a name="cloudwan-labels-editing-connect"></a>

You can create, modify, or delete routing policy labels for an attachment. Once you add or modify a routing policy label, you'll need to map or remap it to an attachment routing policy. Deleting a routing policy label removes any association with an attachment routing policy.

**To manage attachment routing policy labels**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity**, choose **Global networks**.

1. On the **Global networks** page, choose the global network link for the core network with the attachment.

1. In the navigation pane under the name of the global network, choose **Attachments**.

1. Choose the attachment.

1. In the section showing details about the attachment, choose the **Routing policy** tab, then choose **Edit**.

1. Choose **Create** to create a new routing policy label, or choose **Edit** to modify the **Routing policy label** as needed.

1. After creating or modifying a routing policy label, you can then associate that label with an attachment routing policy.

1. In the **Attachment routing policy association** section, choose the attachment routing policy association you want to map to the routing policy label.

You can delete a routing policy label for an attachment. Once you delete a label, its association with an attachment routing policy is removed permanently.

**To delete an attachment routing policy label**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity**, choose **Global networks**.

1. On the **Global networks** page, choose the global network link for the core network with the attachment.

1. In the navigation pane under the name of the global network, choose **Attachments**.

1. Choose the attachment.

1. In the section showing details about the attachment, choose the **Routing policy** tab, then choose **Delete**.

1. Choose **Delete** again to confirm the removal. If the routing policy label was mapped to an attachment routing policy, the **Attachment routing policy association** section updates and removes the policy from the list. 

## View a Connect or Connect peer attachment using the command line or API
<a name="edit-attachment-connect-cli"></a>

Use the command line or API to view a Connect or Connect peer attachment.

**To view a Connect or Connect peer attachment using the command line or API**
+ For a Connect attachment, see [get-connect-attachment](https://docs.aws.amazon.com/cli/latest/reference/networkmanager/get-connect-attachment.html).
+ For a Connect peer attachment, see [get-connect-peer](https://docs.aws.amazon.com/cli/latest/reference/networkmanager/get-connect-peer.html).

# Create an AWS Cloud WAN Connect peer for a core network
<a name="cloudwan-connect-peer-attachment"></a>

You can create either a GRE Connect peer or a Tunnel-less Connect peer for an existing Connect attachment using either the AWS Cloud WAN console or the command line/API.

**Topics**
+ [Add a GRE Connect peer using the console](#cloudwan-connect-peer-console)
+ [Add a Tunnel-less Connect peer using the console](#cloudwan-connect-peer-tlc-attachment)
+ [Add a Connect peer using the command line or API](#cloudwan-connect-peer-cli)

## Add a GRE Connect peer using the console
<a name="cloudwan-connect-peer-console"></a>

The following steps add a GRE Connect peer using the console. 

**To add a Connect peer using the console**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity**, choose **Global networks**.

1. On the **Global networks** page, choose the global network ID.

1. Under **Core network** in the navigation pane, choose **Attachments**.

1. Choose an attachment with a resource type of **Connect**.

   The **Details** tab displays the **Connect protocol**. Make sure to choose a Connect attachment where the Connect protocol is **GRE**. 

1. Choose the **Connect peers** tab.

1. Choose **Create Connect peer**.

1. Enter a **Name** to identify the Connect peer.

1. (Optional) For the **Core network GRE address**, enter the GRE outer IP address for the core network edge. By default, the first available address from the Inside CIDR block is used.

1. For the **Peer GRE address**, enter the GRE outer IP address for the customer appliance. This is the peer IP address (GRE outer IP address) on the appliance side of the Connect peer.

   This can be any IPv4 or IPv6 address, but it must be in the same address family as the core network GRE address.

1. For **BGP Inside CIDR blocks IPv4**, enter the range of inside IPv4 addresses used for BGP peering. Use a `/29` CIDR block from the `169.254.0.0/16` range.

1. (Optional) For **BGP Inside CIDR blocks IPv6**, enter the range of inside IPv6 addresses used for BGP peering. Use a `/125` CIDR block from the `fd00::/8` range.

1. For **Peer ASN**, specify the Border Gateway Protocol (BGP) Autonomous System Number (ASN) for the appliance. You can use an existing ASN that's assigned to your network. If you do not have one, you can use any ASN in the `1-4294967294` range.

   The default is the same ASN as the core network edge. If you configure the **Peer ASN** to be different from the core network edge ASN (eBGP), you must configure ebgp-multihop with a time-to-live (TTL) value of `2`.

1. (Optional) In the **Tags** section, add **Key** and **Value** pairs to further help identify this resource. You can add multiple tags by choosing **Add tag**, or remove any tag by choosing **Remove tag**.

1. Choose **Create Connect peer**.

## Add a Tunnel-less Connect peer using the console
<a name="cloudwan-connect-peer-tlc-attachment"></a>

The following steps add a Tunnel-less Connect peer using the console. 

**To add a Tunnel-less Connect peer using the console**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity**, choose **Global networks**.

1. On the **Global networks** page, choose the global network ID.

1. Under **Core network** in the navigation pane, choose **Attachments**.

1. Choose an attachment with a resource type of **Connect**.

   The **Details** tab displays the **Connect protocol**. Make sure to choose a Connect attachment where the Connect protocol is **Tunnel-less (No encapsulation)** (`NO_ENCAP` in the API).

1. Choose the **Connect peers** tab.

1. Choose **Create Connect peer**.

1. Enter a **Name** to identify the Tunnel-less Connect peer.

1. For the **Peer BGP address**, enter the appliance's private IPv4 address.
**Note**  
BGP peering uses IPv4 addresses; IPv6 prefixes are exchanged over the same session through MP-BGP. To establish BGP sessions for the IPv6 unicast address family, you must have IPv4 unicast addressing.

1. For the **Peer ASN**, specify the BGP ASN for the appliance.

   You can use an existing ASN that's assigned to your network. If you do not have one, you can use any ASN in the `1-4294967294` range. The default is the same ASN as the core network edge. If you configure the **Peer ASN** to be different from the core network edge ASN (eBGP), you must configure ebgp-multihop with a time-to-live (TTL) value of 2.

1. For **Subnet**, choose the subnet of the appliance. 
**Note**  
We recommend you run your appliance in the same subnet as your transport VPC attachment.

1. (Optional) In the **Tags** section, add **Key** and **Value** pairs to further help identify this resource. You can add multiple tags by choosing **Add tag**, or remove any tag by choosing **Remove tag**.

1. Choose **Create Connect peer**.

## Add a Connect peer using the command line or API
<a name="cloudwan-connect-peer-cli"></a>

Use the command line or API to create an AWS Cloud WAN Connect peer.

**To create a Connect peer using the command line or API**
+ Use `create-connect-peer`. See [create-connect-peer](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/networkmanager/create-connect-peer.html).
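
The command line procedure above (create the Connect attachment, then its Connect peer), together with the input rules from the Tunnel-less Connect section and the GRE and Tunnel-less peer steps, as an added example that is not part of the AWS documentation or the AWS CLI itself. It validates the inputs before any call is made and assembles the `aws networkmanager create-connect-attachment` and `create-connect-peer` invocations as argv lists. Mapping the console's **Peer GRE address** and **Peer BGP address** fields to the `--peer-address` parameter, and the appliance subnet to `--subnet-arn`, is assumed here; every ID, ARN and address is a constructed placeholder.

```python
"""Build AWS CLI calls for a Connect attachment and its Connect peers.

Added example, not part of the AWS documentation. It encodes the input
rules stated on the page before any call is made: a Connect attachment
takes Protocol GRE or NO_ENCAP; a GRE peer needs a peer GRE address in the
same address family as the core network GRE address, a /29 IPv4 inside
CIDR from 169.254.0.0/16, an optional /125 IPv6 inside CIDR from fd00::/8,
and a peer ASN in 1-4294967294; a Tunnel-less peer takes the appliance's
private IPv4 address and subnet and no inside CIDR block. The mapping of
console fields to --peer-address and --subnet-arn is an assumption.
Resource IDs, ARNs and addresses are constructed placeholders.
"""
import ipaddress

ASN_MIN, ASN_MAX = 1, 4_294_967_294
INSIDE_V4 = ipaddress.ip_network("169.254.0.0/16")  # /29 required
INSIDE_V6 = ipaddress.ip_network("fd00::/8")        # /125 required


def validate_asn(asn):
    asn = int(asn)
    if not ASN_MIN <= asn <= ASN_MAX:
        raise ValueError(f"peer ASN {asn} is outside {ASN_MIN}-{ASN_MAX}")
    return asn


def needs_ebgp_multihop(peer_asn, core_network_edge_asn):
    """A peer ASN different from the edge ASN makes the session eBGP, which
    the page says must be configured with ebgp-multihop and a TTL of 2."""
    return validate_asn(peer_asn) != int(core_network_edge_asn)


def is_valid_inside_cidr(cidr):
    """Inside CIDRs carry the two BGP sessions over a GRE tunnel."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version == 4:
        return net.prefixlen == 29 and net.subnet_of(INSIDE_V4)
    return net.prefixlen == 125 and net.subnet_of(INSIDE_V6)


def same_address_family(a, b):
    return ipaddress.ip_address(a).version == ipaddress.ip_address(b).version


def connect_attachment_cmd(core_network_id, edge_location, transport_attachment_id, protocol):
    if protocol not in ("GRE", "NO_ENCAP"):
        raise ValueError("Connect protocol must be GRE or NO_ENCAP")
    return ["aws", "networkmanager", "create-connect-attachment",
            "--core-network-id", core_network_id,
            "--edge-location", edge_location,
            "--transport-attachment-id", transport_attachment_id,
            "--options", f"Protocol={protocol}"]


def gre_connect_peer_cmd(connect_attachment_id, peer_gre_address, peer_asn,
                         inside_cidr_v4, inside_cidr_v6=None, core_network_gre_address=None):
    """GRE peer: outer addresses share an address family, the first inside
    CIDR is the IPv4 /29, the optional second one is the IPv6 /125."""
    if core_network_gre_address and not same_address_family(peer_gre_address, core_network_gre_address):
        raise ValueError("peer GRE address must be the same address family as the core network GRE address")
    blocks = [inside_cidr_v4] + ([inside_cidr_v6] if inside_cidr_v6 else [])
    if ipaddress.ip_network(inside_cidr_v4).version != 4 or not all(map(is_valid_inside_cidr, blocks)):
        raise ValueError("inside CIDRs must be a /29 from 169.254.0.0/16 and, optionally, a /125 from fd00::/8")
    argv = ["aws", "networkmanager", "create-connect-peer",
            "--connect-attachment-id", connect_attachment_id,
            "--peer-address", str(ipaddress.ip_address(peer_gre_address)),
            "--bgp-options", f"PeerAsn={validate_asn(peer_asn)}",
            "--inside-cidr-blocks", *blocks]
    if core_network_gre_address:  # optional; otherwise taken from the inside CIDR block
        argv += ["--core-network-address", core_network_gre_address]
    return argv


def tunnel_less_connect_peer_cmd(connect_attachment_id, peer_bgp_address, peer_asn, subnet_arn):
    """Tunnel-less peer: the appliance's private IPv4 address is the BGP
    peer, the subnet ARN places it, and no inside CIDR block is supplied."""
    ip = ipaddress.ip_address(peer_bgp_address)
    if ip.version != 4 or not ip.is_private:
        raise ValueError("Tunnel-less peer BGP address must be the appliance's private IPv4 address")
    return ["aws", "networkmanager", "create-connect-peer",
            "--connect-attachment-id", connect_attachment_id,
            "--peer-address", str(ip),
            "--bgp-options", f"PeerAsn={validate_asn(peer_asn)}",
            "--subnet-arn", subnet_arn]


if __name__ == "__main__":
    # Constructed walk-through: Tunnel-less attachment, then its peer.
    print(" ".join(connect_attachment_cmd("core-network-EXAMPLE", "us-west-2",
                                          "attachment-EXAMPLE", "NO_ENCAP")))
    print(" ".join(tunnel_less_connect_peer_cmd(
        "attachment-EXAMPLE", "10.20.1.25", 65010,
        "arn:aws:ec2:us-west-2:111122223333:subnet/subnet-EXAMPLE")))
    if needs_ebgp_multihop(65010, 64512):
        print("# eBGP: configure ebgp-multihop with TTL 2 on the appliance")
```

The argv lists are meant to be passed to `subprocess.run` (or printed and pasted), so the validation runs with no AWS credentials and a rejected input never produces a half-created attachment. The `is_private` check on the Tunnel-less peer address is deliberately strict: a GRE peer's outer address may be any address in the right family, but a Tunnel-less peer is reached directly over the VPC and must be the appliance's private IPv4 address.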