

# VPC attachments in AWS Cloud WAN
<a name="cloudwan-vpc-attachment"></a>

When you attach a VPC to a core network edge in AWS Cloud WAN, you must specify one subnet from each Availability Zone to be used by the core network edge to route traffic. Specifying one subnet from an Availability Zone enables traffic to reach resources in every subnet in that Availability Zone. For more information about limits to core network VPC attachments, see [Transit Gateway attachment to a VPC](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-vpc-attachments.html) in the *Transit Gateway User Guide*. 

**Important**  
You cannot select a subnet from a Local Zone while creating a Cloud WAN VPC attachment. Doing so will result in an error. For more information about Local Zones, see the [AWS Local Zones User Guide](https://docs.aws.amazon.com/local-zones/latest/ug/what-is-aws-local-zones.html).

## Appliance mode
<a name="cloudwan-appliancemode"></a>

If you plan to configure a stateful network appliance in your VPC, you can enable appliance mode support for the VPC attachment in which the appliance is located when you create an attachment. This ensures that Cloud WAN uses the same Availability Zone for that VPC attachment for the lifetime of the flow of traffic between a source and destination. It also allows Cloud WAN to send traffic to any Availability Zone in the VPC as long as there is a subnet association in that zone. While appliance mode is only supported on VPC attachments, the network flow can enter the core network from any other Cloud WAN attachment type, including VPC, VPN, and Connect attachments. Cloud WAN appliance mode also works for network flows that have sources and destinations across different AWS Regions in your core network. Network flows can potentially be rebalanced across different Availability Zones if you don't initially enable appliance mode but later edit the attachment configuration to enable it. You can enable or disable appliance mode using the console, the command line, or the API.

Appliance mode in Cloud WAN optimizes traffic routing by considering the source and destination Availability Zones when determining the path through an appliance mode VPC. This approach enhances efficiency and reduces latency. The following are example scenarios.

### Scenario 1: Intra-Availability Zone Traffic Routing via Appliance VPC
<a name="tgw-appliancemode-scenario-1"></a>

When traffic flows from source Availability Zone us-east-1a to destination Availability Zone us-east-1a, with Appliance Mode VPC attachments in both us-east-1a and us-east-1b, Cloud WAN selects a network interface from us-east-1a within the appliance VPC. This Availability Zone is maintained for the entire duration of the traffic flow between source and destination.

### Scenario 2: Inter-Availability Zone Traffic Routing via Appliance VPC
<a name="tgw-appliancemode-scenario-2"></a>

For traffic flowing from source Availability Zone us-east-1a to destination Availability Zone us-east-1b, with Appliance Mode VPC attachments in both us-east-1a and us-east-1b, Cloud WAN uses a flow hash algorithm to select either us-east-1a or us-east-1b in the appliance VPC. The chosen Availability Zone is used consistently for the lifetime of the flow.

### Scenario 3: Routing traffic through an appliance VPC without Availability Zone data
<a name="tgw-appliancemode-scenario-3"></a>

When traffic originates from source Availability Zone us-east-1a to a destination without Availability Zone information (e.g., internet-bound traffic), with Appliance Mode VPC attachments in both us-east-1a and us-east-1b, Cloud WAN selects a network interface from us-east-1a within the appliance VPC.

### Scenario 4: Routing traffic through an appliance VPC in an Availability Zone distinct from either the source or destination
<a name="tgw-appliancemode-scenario-4"></a>

When traffic flows from source Availability Zone us-east-1a to destination Availability Zone us-east-1b, with Appliance Mode VPC attachments in different Availability Zones (for example, us-east-1c and us-east-1d), Cloud WAN uses a flow hash algorithm to select either us-east-1c or us-east-1d in the appliance VPC. The chosen Availability Zone is used consistently for the lifetime of the flow.
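The four scenarios above all come down to one property that a stateful appliance depends on: every packet of a flow, in both directions, must be steered to the same Availability Zone of the appliance VPC, otherwise the appliance in one zone sees only half of a connection and drops it. The following added example (not Cloud WAN's implementation or AWS code) is a toy model that reproduces the documented scenarios. The selection rules are a reading of the scenario text, and the flow hash (SHA-256 over an endpoint-ordered 5-tuple) is an assumption standing in for whatever hash Cloud WAN actually uses.

```python
"""Toy model of the four appliance-mode scenarios described above.

Added illustration only: the rules are a reading of the documented scenarios,
not Cloud WAN's real selection logic, and the flow hash is an assumption.
"""
import hashlib
from typing import Optional, Sequence, Tuple

# (src_ip, dst_ip, src_port, dst_port, protocol): the classic 5-tuple
FlowKey = Tuple[str, str, int, int, str]


def canonical(flow: FlowKey) -> FlowKey:
    """Order the two endpoints so a packet and its reply produce the same key (assumption)."""
    src_ip, dst_ip, sport, dport, proto = flow
    if (dst_ip, dport) < (src_ip, sport):
        return (dst_ip, src_ip, dport, sport, proto)
    return flow


def flow_hash_pick(flow: FlowKey, candidates: Sequence[str]) -> str:
    """Deterministically map a flow to one of the candidate zones."""
    digest = hashlib.sha256("|".join(map(str, canonical(flow))).encode()).digest()
    ordered = sorted(candidates)
    return ordered[int.from_bytes(digest[:4], "big") % len(ordered)]


def select_appliance_az(
    src_az: str,
    dst_az: Optional[str],
    appliance_azs: Sequence[str],
    flow: FlowKey,
) -> str:
    """Pick the appliance-VPC zone for a flow.

    dst_az is None when the destination carries no zone information
    (scenario 3, for example internet-bound traffic).
    """
    if not appliance_azs:
        raise ValueError("appliance VPC has no subnet association in any zone")
    # Scenarios 1 and 3: the appliance has a subnet in the source zone and the
    # destination is the same zone or unknown, so stay in the source zone.
    if src_az in appliance_azs and (dst_az is None or dst_az == src_az):
        return src_az
    # Scenarios 2 and 4: otherwise hash the flow across the appliance's zones.
    return flow_hash_pick(flow, appliance_azs)


def zone_is_sticky(src_az: str, dst_az: str, appliance_azs: Sequence[str], flow: FlowKey) -> bool:
    """True when the forward packet and its reply land in the same appliance zone."""
    forward = select_appliance_az(src_az, dst_az, appliance_azs, flow)
    s, d, sp, dp, p = flow
    reply = select_appliance_az(dst_az, src_az, appliance_azs, (d, s, dp, sp, p))
    return forward == reply


if __name__ == "__main__":
    # Constructed sample flow: a client in us-east-1a talking to a server over HTTPS
    flow = ("10.0.0.5", "10.1.0.9", 40000, 443, "tcp")
    print("scenario 1:", select_appliance_az("us-east-1a", "us-east-1a", ["us-east-1a", "us-east-1b"], flow))
    print("scenario 2:", select_appliance_az("us-east-1a", "us-east-1b", ["us-east-1a", "us-east-1b"], flow))
    print("scenario 3:", select_appliance_az("us-east-1a", None, ["us-east-1a", "us-east-1b"], flow))
    print("scenario 4:", select_appliance_az("us-east-1a", "us-east-1b", ["us-east-1c", "us-east-1d"], flow))
```

The model deliberately hashes an endpoint-ordered key, because a hash over the raw 5-tuple would send the reply packet through a different zone half of the time; that is exactly the asymmetric path a stateful appliance cannot tolerate.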

**Note**  
You can't create a core network VPC attachment that uses only IPv6 subnets. A core network VPC attachment must also support IPv4 addresses.  
Appliance mode is only supported for VPC attachments.

## DNS support
<a name="cloudwan-dns-support"></a>

DNS support in Cloud WAN enables the resolution of public DNS host names to private IP addresses when queried across VPCs attached to the same core network edge, similar to the DNS resolution capability available for transit gateways. This feature is enabled by default in your core network and can be configured in your core network policy by setting the `dns-support` parameter to either `true` or `false`, with the setting applying to all core network edges in the core network. You can view your DNS support configuration through the console in the core network policy or by using the [get-core-network](https://docs.aws.amazon.com/cli/latest/reference/networkmanager/get-core-network.html) command.

**Note**  
DNS support only works between VPCs attached to the same core network edge and does not function across different regions or between VPCs attached to different core network edges.

## Security group referencing
<a name="cloudwan-sg-referencing"></a>

You can configure security groups by specifying a list of rules that allow network traffic based on criteria such as IP CIDRs, prefix lists, ports, and security group referencing. Security group referencing allows you to specify other security groups as references, or matching criteria, in inbound security rules to allow instance-to-instance traffic. With this capability, you do not need to reconfigure security rules as applications scale up or down or if their IP addresses change. Rules with security group references also provide higher scale, because a single rule can cover thousands of instances and prevent you from over-running security group rule limits.

Security group referencing is a regional feature for Cloud WAN, meaning VPCs must be connected to the same core network edge for this feature to work. When you create a VPC attachment, Cloud WAN automatically enables security group referencing for VPCs attached to the same core network edge.

**Note**  
Security group referencing is enabled by default at the attachment level but disabled by default at the core network level.

With security group referencing support in Cloud WAN, you can:
+ Reference security groups across VPCs connected to the same core network edge
+ Simplify security group management for applications that span multiple VPCs
+ Maintain security group references even as instances scale up or down
+ Reduce the number of security group rules needed for cross-VPC communication

### Limitations
<a name="cloudwan-sg-limtis"></a>

The following limitations apply to security group referencing in Cloud WAN:
+ Security group referencing only works between VPCs attached to the same core network edge. It does not work across different regions or between VPCs attached to different core network edges.
+ Security group referencing is not supported for VPC attachments in the use1-az3 Availability Zone.
+ Security group referencing is not supported for AWS PrivateLink endpoints. We recommend using IP CIDR-based security rules as an alternative.
+ Security group referencing works for Elastic File System (EFS) as long as an allow all egress security group rule is configured for the EFS interfaces in the VPC.
+ Security group referencing support can be configured for both core network and VPC attachments and will only work if it has been enabled for both a core network and its VPC attachments.
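Because both features are gated at several layers (core network policy, edge location, the attachment's own options, and for security group referencing the zone), the failure mode in practice is a rule that silently never matches rather than an error. The following added example (not AWS code) applies the rules stated in the DNS support and security group referencing sections to a policy document and two attachment records and reports every reason the feature would not work between them. `dns-support` is the policy key named on this page; `security-group-referencing-support` is assumed to be the corresponding policy key, and the `DnsSupport` / `SecurityGroupReferencingSupport` option names on the attachment are likewise assumptions. The policy fragment, the attachment records and their zone IDs (which you would normally look up with describe-subnets) are constructed.

```python
"""Explain why DNS support or security group referencing would not work
between two Cloud WAN VPC attachments. Added example, not AWS code."""
import json
from typing import Dict, List

# Constructed core network policy fragment (not a real policy)
POLICY_JSON = """
{
  "version": "2021.12",
  "core-network-configuration": {
    "asn-ranges": ["64512-64555"],
    "edge-locations": [{"location": "us-east-1"}, {"location": "eu-west-1"}],
    "dns-support": true,
    "security-group-referencing-support": false
  },
  "segments": [{"name": "prod"}]
}
"""

# Constructed attachment records: EdgeLocation and Options as a GetVpcAttachment
# response carries them (option names assumed), plus zone IDs of the subnets.
ATTACHMENTS: Dict[str, dict] = {
    "attachment-0aaa": {"EdgeLocation": "us-east-1", "ZoneIds": ["use1-az1", "use1-az2"],
                        "Options": {"DnsSupport": True, "SecurityGroupReferencingSupport": True}},
    "attachment-0bbb": {"EdgeLocation": "us-east-1", "ZoneIds": ["use1-az3"],
                        "Options": {"DnsSupport": True, "SecurityGroupReferencingSupport": True}},
    "attachment-0ccc": {"EdgeLocation": "eu-west-1", "ZoneIds": ["euw1-az1"],
                        "Options": {"DnsSupport": True, "SecurityGroupReferencingSupport": False}},
}

# Zone IDs in which security group referencing is not supported (from the list above)
UNSUPPORTED_ZONE_IDS = {"use1-az3"}


def load_policy(text: str) -> dict:
    return json.loads(text)


def core_network_config(policy: dict) -> dict:
    return policy.get("core-network-configuration", {})


def dns_support_blockers(policy: dict, attachments: Dict[str, dict], a_id: str, b_id: str) -> List[str]:
    """Reasons DNS resolution between the two attachments will not work; empty means it should."""
    reasons: List[str] = []
    a, b = attachments[a_id], attachments[b_id]
    # dns-support is enabled by default at the core network level
    if not core_network_config(policy).get("dns-support", True):
        reasons.append("dns-support is false in the core network policy")
    if a["EdgeLocation"] != b["EdgeLocation"]:
        reasons.append("attachments are on different core network edges")
    for att_id in (a_id, b_id):
        if not attachments[att_id]["Options"].get("DnsSupport", True):
            reasons.append(f"{att_id}: DnsSupport is disabled on the attachment")
    return reasons


def sg_referencing_blockers(policy: dict, attachments: Dict[str, dict], a_id: str, b_id: str) -> List[str]:
    """Reasons a security group reference between the two attachments will not match; empty means it should."""
    reasons: List[str] = []
    a, b = attachments[a_id], attachments[b_id]
    # Disabled by default at the core network level, enabled by default per attachment
    if not core_network_config(policy).get("security-group-referencing-support", False):
        reasons.append("security group referencing is disabled at the core network level")
    if a["EdgeLocation"] != b["EdgeLocation"]:
        reasons.append("attachments are on different core network edges")
    for att_id in (a_id, b_id):
        att = attachments[att_id]
        if not att["Options"].get("SecurityGroupReferencingSupport", True):
            reasons.append(f"{att_id}: SecurityGroupReferencingSupport is disabled on the attachment")
        bad = sorted(set(att["ZoneIds"]) & UNSUPPORTED_ZONE_IDS)
        if bad:
            reasons.append(f"{att_id}: attachment uses unsupported zone(s) {', '.join(bad)}")
    return reasons


if __name__ == "__main__":
    policy = load_policy(POLICY_JSON)
    for pair in (("attachment-0aaa", "attachment-0bbb"), ("attachment-0aaa", "attachment-0ccc")):
        print(pair, "DNS:", dns_support_blockers(policy, ATTACHMENTS, *pair) or "ok")
        print(pair, "SG referencing:", sg_referencing_blockers(policy, ATTACHMENTS, *pair) or "ok")
```

Run it against real data by feeding `get-core-network-policy` output to `load_policy` and `get-vpc-attachment` output (plus the zone IDs from `describe-subnets`) into the attachment records; an empty list is the only result that means a cross-VPC security group reference will actually match.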

**Topics**
+ [Appliance mode](#cloudwan-appliancemode)
+ [DNS support](#cloudwan-dns-support)
+ [Security group referencing](#cloudwan-sg-referencing)
+ [Create a VPC attachment](cloudwan-vpc-attachment-add.md)
+ [View or edit a VPC attachment](cloudwan-attachments-viewing-editing-vpc.md)

# Create a VPC attachment for an AWS Cloud WAN core network
<a name="cloudwan-vpc-attachment-add"></a>

## Create a VPC attachment using the console
<a name="cloudwan-vpc-attachment-console"></a>

The following steps create a VPC attachment for a core network using the console. 

**To create a VPC attachment using the console**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity**, choose **Global networks**.

1. On the **Global networks** page, choose the global network link for the core network you want to add an attachment to.

1. In the navigation pane under the name of the global network, choose **Attachments**.

1. Choose **Create attachment**.

1. Enter a **name** identifying the attachment.

1. From the **Edge location** dropdown list, choose the location where the attachment is located.

1. Choose **VPC**.

1. In the VPC attachment section, choose **Appliance mode support** if appliance mode is supported. For more information about appliance mode, see [Appliance mode](cloudwan-vpc-attachment.md#cloudwan-appliancemode).

1. Choose **IPv6 support** if the attachment supports IPv6. 

1. By default, **DNS support** is enabled. This allows domain name system resolution for the attachment. Clear the check box if you don't want to enable DNS support. For more information, see [DNS support](cloudwan-vpc-attachment.md#cloudwan-dns-support).

1. By default **Security Group Referencing support** is enabled. When you create a VPC attachment, Cloud WAN automatically enables security group referencing for VPCs attached to the same core network edge. This allows you to reference security groups across VPCs in your security group rules. Clear the check box if you don't want to enable security group referencing. For more information, see [Security group referencing](cloudwan-vpc-attachment.md#cloudwan-sg-referencing).

1. From the **VPC ID** dropdown list, choose the VPC ID to attach to the core network.

1. After choosing the VPC ID, you're prompted to choose the **Availability Zone** and **Subnet Id** in which to create the core network VPC attachment. The Availability Zones that are listed are those edge locations that you chose when you created your core network. You must choose at least one Availability Zone and subnet ID.

1. (Optional) For **Routing policy label**, provide a label that will be used to map this policy to attachments. The policy will automatically be applied to any attachment tagged with the same label.

1. (Optional) In the **Tags** section, add **Key** and **Value** pairs to further help identify this resource. You can add multiple tags by choosing **Add tag**, or remove any tag by choosing **Remove tag**.

1. Choose **Create attachment**.

## Create a VPC attachment using the command line or API
<a name="cloudwan-vpc-attachment-cli"></a>

Use the command line or API to create an AWS Cloud WAN VPC attachment.

**To create a VPC attachment using the command line or API**
+ Use `create-vpc-attachment`. See [create-vpc-attachment](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/networkmanager/create-vpc-attachment.html).

To enable appliance mode, add `--options ApplianceModeSupport=true` to the command. 
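The API call itself is a single request, but the subnet list you pass it is where attachments fail: a Local Zone subnet is rejected, an IPv6-only subnet set is rejected, and only one subnet per Availability Zone is needed. The following added example (not AWS code) is a pre-flight step that selects eligible subnets from describe-subnets style data, applies those three rules from this page before anything is sent, and assembles the request that `create-vpc-attachment` (or boto3's `create_vpc_attachment`) takes. The subnet and zone data are constructed, as is the 123456789012 account ID. `CoreNetworkId`, `VpcArn`, `SubnetArns` and `Options.ApplianceModeSupport` are request keys from the CLI reference linked above; `Ipv6Support`, `DnsSupport` and `SecurityGroupReferencingSupport` are assumed names for the remaining toggles.

```python
"""Pre-flight subnet selection and request assembly for a Cloud WAN VPC
attachment. Added example, not AWS code."""
import json
from typing import Dict, List, Tuple

# Constructed: ZoneName -> ZoneType, as describe-availability-zones reports them
ZONE_TYPES = {
    "us-east-1a": "availability-zone",
    "us-east-1b": "availability-zone",
    "us-east-1-bos-1a": "local-zone",
}

# Constructed: a subset of describe-subnets fields for one VPC
SUBNETS = [
    {"SubnetId": "subnet-0a1", "AvailabilityZone": "us-east-1a", "CidrBlock": "10.0.0.0/24",
     "Ipv6Native": False, "Ipv6CidrBlockAssociationSet": []},
    {"SubnetId": "subnet-0a2", "AvailabilityZone": "us-east-1a", "CidrBlock": "10.0.1.0/24",
     "Ipv6Native": False, "Ipv6CidrBlockAssociationSet": []},
    {"SubnetId": "subnet-0b1", "AvailabilityZone": "us-east-1b", "CidrBlock": "10.0.2.0/24",
     "Ipv6Native": False, "Ipv6CidrBlockAssociationSet": [{"Ipv6CidrBlock": "2001:db8:1::/64"}]},
    {"SubnetId": "subnet-0b6", "AvailabilityZone": "us-east-1b", "CidrBlock": None,
     "Ipv6Native": True, "Ipv6CidrBlockAssociationSet": [{"Ipv6CidrBlock": "2001:db8:2::/64"}]},
    {"SubnetId": "subnet-0lz", "AvailabilityZone": "us-east-1-bos-1a", "CidrBlock": "10.0.9.0/24",
     "Ipv6Native": False, "Ipv6CidrBlockAssociationSet": []},
]


def subnet_arn(region: str, account: str, subnet_id: str) -> str:
    return f"arn:aws:ec2:{region}:{account}:subnet/{subnet_id}"


def pick_subnets(subnets: List[dict], zone_types: Dict[str, str]) -> Tuple[Dict[str, dict], List[Tuple[str, str]]]:
    """Choose one IPv4-capable subnet per Availability Zone.

    Returns (chosen by zone name, skipped as (subnet id, reason)). Raises if no
    zone has an eligible subnet, since the attachment could not be created.
    """
    chosen: Dict[str, dict] = {}
    skipped: List[Tuple[str, str]] = []
    for s in subnets:
        zone = s["AvailabilityZone"]
        if zone_types.get(zone) != "availability-zone":
            skipped.append((s["SubnetId"], f"{zone} is not an Availability Zone (Local Zone subnets are rejected)"))
            continue
        if s.get("Ipv6Native") or not s.get("CidrBlock"):
            skipped.append((s["SubnetId"], "IPv6-only subnet; the attachment must support IPv4"))
            continue
        if zone in chosen:
            skipped.append((s["SubnetId"], f"{zone} already covered by {chosen[zone]['SubnetId']}"))
            continue
        chosen[zone] = s
    if not chosen:
        raise ValueError("no eligible IPv4 subnet in any Availability Zone")
    return chosen, skipped


def build_create_vpc_attachment(core_network_id: str, vpc_id: str, region: str, account: str,
                                subnets: List[dict], zone_types: Dict[str, str],
                                appliance_mode: bool = False, dns_support: bool = True,
                                sg_referencing: bool = True) -> dict:
    """Assemble the create-vpc-attachment request from the selected subnets."""
    chosen, _ = pick_subnets(subnets, zone_types)
    # Only ask for IPv6 support when a chosen subnet actually carries an IPv6 CIDR
    ipv6 = any(s["Ipv6CidrBlockAssociationSet"] for s in chosen.values())
    return {
        "CoreNetworkId": core_network_id,
        "VpcArn": f"arn:aws:ec2:{region}:{account}:vpc/{vpc_id}",
        "SubnetArns": [subnet_arn(region, account, s["SubnetId"]) for _, s in sorted(chosen.items())],
        "Options": {
            "ApplianceModeSupport": appliance_mode,
            "Ipv6Support": ipv6,
            "DnsSupport": dns_support,                      # assumed option name
            "SecurityGroupReferencingSupport": sg_referencing,  # assumed option name
        },
    }


if __name__ == "__main__":
    # Placeholder core network ID (not a real resource)
    req = build_create_vpc_attachment("core-network-PLACEHOLDER", "vpc-0abc", "us-east-1",
                                      "123456789012", SUBNETS, ZONE_TYPES, appliance_mode=True)
    print(json.dumps(req, indent=2))
    for subnet_id, reason in pick_subnets(SUBNETS, ZONE_TYPES)[1]:
        print("skipped", subnet_id, "->", reason)
```

The returned dictionary is the keyword set for `boto3.client("networkmanager").create_vpc_attachment(**req)`; printing the skipped list alongside it is the part worth keeping in an automation pipeline, because it records why a subnet (and therefore a zone) was left out of the attachment.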

# View or edit an AWS Cloud WAN VPC attachment
<a name="cloudwan-attachments-viewing-editing-vpc"></a>

You can view and edit configuration information for a VPC attachment. If you want to add a new VPC attachment, see [VPC attachments in AWS Cloud WAN](cloudwan-vpc-attachment.md).

## View and edit a VPC attachment
<a name="cloudwan-editing-vpc"></a>

**To view and edit a VPC attachment**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity**, choose **Global networks**.

1. On the **Global networks** page, choose the global network ID.

1. Under **Core network** in the navigation pane, choose **Attachments**.

1. Select the check box for an attachment where the **Resource Type** is **VPC**. Details about the attachment are displayed in the lower part of the page.

1. (Optional) Choose **Edit** to modify any of the following options for the VPC attachment:
   + Enable or disable appliance mode support.
   + Enable or disable IPv6 support.
   + Enable or disable DNS support.
   + Enable or disable security group referencing support.
   + Add or remove subnet IDs.

1. After making any changes, choose **Edit attachment**.

1. To add, edit, or remove tags, choose the **Tags** tab. The current list of tags associated with this attachment are displayed. Choose **Edit tags** to modify or delete current tags, and to add new tags.

1. If you made any changes, choose **Edit attachment** to save the changes. The **Attachments** page displays along with a confirmation that the attachment was modified successfully.

## Manage a VPC attachment routing policy label
<a name="cloudwan-labels-editing-vpc"></a>

You can create, modify, or delete routing policy labels for an attachment. Once you add or modify a routing policy label, you'll need to map or remap it to an attachment routing policy. Deleting a routing policy label removes any association with an attachment routing policy.

**To manage attachment routing policy labels**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity**, choose **Global networks**.

1. On the **Global networks** page, choose the global network link for the core network with the attachment.

1. In the navigation pane under the name of the global network, choose **Attachments**.

1. Choose the attachment.

1. In the section showing details about the attachment, choose the **Routing policy** tab, and then choose **Edit**.

1. Choose **Create** to create a new routing policy label, or choose **Edit** to modify the **Routing policy label** as needed.

1. After creating or modifying a routing policy label, you can then associate that label with an attachment routing policy.

1. In the **Attachment routing policy association** section, choose the attachment routing policy association you want to map to the routing policy label.

You can delete a routing policy label for an attachment. Once you delete the label, its association with an attachment routing policy is removed permanently.

**To delete an attachment routing policy label**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home).

1. Under **Connectivity**, choose **Global networks**.

1. On the **Global networks** page, choose the global network link for the core network with the attachment.

1. In the navigation pane under the name of the global network, choose **Attachments**.

1. Choose the attachment.

1. In the section showing details about the attachment, choose the **Routing policy** tab, and then choose **Delete**.

1. Choose **Delete** again to confirm the removal. If the routing policy label was mapped to an attachment routing policy, the **Attachment routing policy association** section updates and removes the policy from the list. 

## View a VPC attachment using the command line or API
<a name="edit-attachments-cli"></a>

Use the command line or API to view a VPC attachment.

**To view a VPC attachment using the command line or API**
+ See [get-vpc-attachment](https://docs.aws.amazon.com/cli/latest/reference/networkmanager/get-vpc-attachment.html).