

# Flexible cost allocation
<a name="metering-policy"></a>

By default, transit gateway uses a sender-based cost allocation model where data processing charges are allocated to the account that owns the source attachment. You can create custom metering policies that define which accounts should be charged based on traffic flow properties such as attachment types, specific attachment IDs, or network addresses.

Metering policies consist of ordered rules that are evaluated from lowest to highest rule number. When traffic matches a rule, the specified account is charged according to the rule's configuration. You can specify the account owner for allocating costs from the following options:
+ **Source attachment owner** - Charges are allocated to the account that owns the source attachment (default behavior)
+ **Destination attachment owner** - Charges are allocated to the account that owns the destination attachment
+ **Transit Gateway owner** - Charges are allocated to the account that owns the transit gateway

Flexible Cost Allocation enables better cost management for organizations using centralized network architectures, allowing costs to be allocated to the appropriate business units or application owners regardless of network topology.

**Note**  
Flexible Cost Allocation enables flexible allocation of metering usage and in turn costs to account owners of your choice. However, tax implications for AWS accounts can vary significantly based on geographic location, usage patterns and other factors. Please review the billing, tax and cost management implications for accounts in your AWS Organization prior to enabling this feature. Reference: [What is AWS Billing and Cost Management?](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-what-is.html)

## Metering policies
<a name="metering-policies-main"></a>

Metering policies allow you to configure cost allocation rules for your transit gateway to control which accounts are charged for data processing and transfer costs based on traffic flow properties. This feature enables better cost management and chargeback capabilities for organizations using centralized network architectures.

A metering policy is composed of the following:
+ **Metering policy** - The overall configuration container that contains the Metering Policy Rules. When created, it contains a single default metering policy entry that is configured to charge all traffic to the source attachment owner. Each transit gateway can have only one metering policy.
+ **Metering policy entry** - Individual rules within a metering policy that define specific matching criteria and the account to meter usage. Each entry includes a rule number for evaluation order, traffic matching conditions (such as source and destination attachment types, attachment IDs, CIDR blocks, ports, and protocols), and which account owner to charge for matching traffic. A policy can contain up to 50 entries, evaluated in order from lowest to highest rule number.

  You can allocate metering usage to any of the following:
  + **Source attachment owner**: Allocates metering usage to the account that owns the attachment where traffic originates (default behavior)
  + **Destination attachment owner**: Allocates metering usage to the account that owns the attachment where traffic terminates
  + **Transit gateway owner**: Allocates metering usage to the account that owns the transit gateway
+ **Middlebox attachments** - (Optional) Designated transit gateway attachments that route traffic through network appliances for security inspection, load balancing, or other network functions. Data usage for the traffic traversing middlebox attachments is metered to the account owner specified in the metering policy. You can specify a maximum of 10 middlebox attachments. Supported middlebox attachment types are Network Function (AWS Network Firewall), VPC and VPN attachments.

### How metering policies work
<a name="metering-policy-overview"></a>

By default, transit gateway uses a sender-based cost allocation model where data processing charges are metered to the account that owns the source attachment. With metering policies, you can create custom rules to flexibly meter usage based on the following traffic flow properties:
+ Source and destination attachment types (VPC, VPN, Direct Connect Gateway, Peering, Network Function and VPN Concentrator)
+ Source and destination attachment IDs
+ Source and destination IP addresses, port ranges, and protocols

Metering policies consist of ordered rules that are evaluated from lowest to highest rule number. When traffic matches a rule, the specified account is charged according to the rule's metered account setting. Metering policies address several common organizational scenarios:
+ **Hybrid environment cost allocation**: Allocate costs for data entering AWS from on-premises through Direct Connect Gateway to the destination VPC account owner rather than the central IT admin account owner.
+ **Centralized inspection architecture**: Allocate costs to individual application or VPC account owners rather than the central security team for traffic traversing via inspection VPCs.
+ **Application-based chargeback**: Allocate all data usage costs for a workload to the VPC owner regardless of traffic direction.
+ **Client cost allocation**: Allocate data costs to client accounts when they create attachments to your transit gateway.

### Middlebox attachments
<a name="metering-policy-middlebox"></a>

Transit gateway metering policies support middlebox attachments, allowing you to flexibly allocate data processing charges for network traffic routed via middlebox appliances such as network firewalls and load balancers. Examples of middlebox attachments are Network Function attachments to AWS Network Firewall, or VPC attachments that route traffic to third-party security appliances in a VPC. Traffic between source and destination transit gateway attachments traverses these middlebox attachments for typical security inspection use cases. You can define metering policies to flexibly allocate data processing usage on middlebox attachments to the original source attachment, final destination attachment, or transit gateway account owner. For Network Function attachments, the AWS Network Firewall data processing charges are also allocated to the metered account.

### Flexible Cost Allocation - Metering usage types
<a name="metering-usage-types"></a>

Flexible cost allocation via metering policies applies to the following data usage types:
+ Transit gateway data processing usage on VPC, VPN, VPN Concentrator and Direct Connect attachments
+ Site-to-site VPN Data Transfer Out usage on VPN attachments
+ Direct Connect Data Transfer Out usage on Direct Connect attachments
+ Data transfer usage on TGW peering attachments
+ Transit gateway data processing usage on Network Function attachments
+ AWS Network Firewall (NFW) data processing usage on Network Function attachments

Flexible cost allocation does not apply to attachment hourly usage or multicast data processing usage. For Transit Gateway Connect attachments, a metering policy can be defined for the underlying transport VPC or Direct Connect attachment. For Private IP VPN attachments, a metering policy can be defined for the underlying transport Direct Connect attachment.

### Considerations and limitations
<a name="metering-policy-considerations"></a>

Consider the following when implementing metering policies for your transit gateway.

#### Permissions
<a name="metering-policy-permissions"></a>
+ Only the transit gateway owner can create, modify, or delete metering policies.
+ Cost allocation settings apply at the transit gateway level.
+ Attachment owners cannot override cost allocation settings configured by the transit gateway owner.

#### Transit Gateway peering
<a name="metering-policy-peering"></a>

When traffic traverses transit gateway peering connections:
+ Each transit gateway applies its own metering policy independently.
+ Data charges are allocated separately by each transit gateway based on its local policy.
+ Traffic can be thought of as two separate flows: source attachment to peering, and peering to destination attachment.

#### Cloud WAN integration
<a name="metering-policy-cwan"></a>

When a transit gateway is attached to a Cloud WAN core network:
+ Transit gateway data transfer charges on peering connections are allocated according to the transit gateway metering policy.
+ Metering policies are not supported on Cloud WAN core networks.

#### Performance impact
<a name="metering-policy-performance"></a>
+ Metering policies do not introduce any additional data-path latency.
+ Metering policies have no impact on maximum bandwidth per attachment.
+ There are no changes to transit gateway resource sharing capabilities.

#### Billing integration
<a name="metering-policy-billing"></a>
+ Cost allocation tags continue to work with metering policies for organizing costs by business unit.
+ Metering policies define which accounts incur costs, while cost allocation tags help categorize those costs.
+ Changes to metering policies take effect at the end of the next billing hour.

#### IPv6 support
<a name="metering-policy-ipv6"></a>

Metering policies are supported for both IPv4 and IPv6 traffic. CIDR block matching in policy entries works with both address families.

#### Middlebox attachment support
<a name="metering-policy-middlebox-support"></a>
+ Middlebox metering policy assumes that traffic between the original source and destination attachments is hair-pinned via the specified middlebox attachment (for example, east-west inspection for VPC-to-VPC traffic). Hence, the network 5-tuple (source/destination IPs, source/destination ports, and protocol) for flows entering and leaving the middlebox attachment must match. Flows with 5-tuple mismatches on middlebox attachments (for example, NAT transformation in an inspection VPC) are treated as regular source-destination attachment flows (as opposed to middlebox attachment flows).
+ All egress-only flows on the middlebox attachment (for example, north-south traffic to the internet via an IGW in an inspection VPC) are treated as regular source-destination flows (as opposed to middlebox attachment flows).
+ For Network Function attachments, when AWS Network Firewall drops packets, all data processing usage is charged back to the sender account regardless of metering policy configuration.

# Create an AWS Transit Gateway metering policy
<a name="metering-policy-create-policy"></a>

To enable metering policies, you must create a metering policy for your transit gateway and configure policy entries that define how metering usage is allocated. The metering policy establishes the framework and default settings, while policy entries contain the specific rules that determine which accounts are metered based on traffic characteristics.

Metering policy entries function as ordered rules that are applied sequentially from lowest to highest rule number for traffic flowing through your transit gateway. Each entry defines matching criteria such as source and destination attachment types, CIDR blocks, protocols, and port ranges, along with the account that should be metered for matching traffic. When a traffic flow matches multiple entries, the entry with the lowest rule number takes precedence. If no entries match a particular flow, the default metered account specified in the policy is charged.
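
The first-match evaluation described above, modelled in Python as an added example (not AWS code). The entry and flow key names, the account IDs, the attachment IDs, and the `vpn` type string are constructed for this sketch, and middlebox handling is left out.

```python
"""Model of metering policy entry evaluation: lowest rule number wins."""
import ipaddress

# The default entry charges the source attachment owner when nothing matches.
DEFAULT_METERED_ACCOUNT = "source-attachment-owner"

# Constructed entries, deliberately out of order. Key names are this sketch's
# own, not API field names; an absent key means "any value".
ENTRIES = [
    {"rule": 200, "dst_type": "vpc", "metered": "destination-attachment-owner"},
    {"rule": 100, "src_type": "vpc", "dst_cidr": "10.20.0.0/16", "protocol": 6,
     "dst_ports": (443, 443), "metered": "transit-gateway-owner"},
    {"rule": 150, "src_cidr": "2001:db8:a::/48",
     "metered": "destination-attachment-owner"},
]

# Constructed flows; account IDs and attachment IDs are placeholders.
BASE = {"src_type": "vpc", "dst_type": "vpc",
        "src_attachment": "tgw-attach-EXAMPLE-SRC",
        "dst_attachment": "tgw-attach-EXAMPLE-DST",
        "src_ip": "10.10.1.5", "dst_ip": "10.20.3.4", "protocol": 6,
        "src_port": 50000, "dst_port": 443,
        "src_owner": "111111111111", "dst_owner": "222222222222"}
FLOWS = {
    "https": BASE,
    "http-alt": {**BASE, "dst_port": 8080},
    "ipv6-vpn": {**BASE, "src_type": "vpn", "dst_type": "vpn",
                 "src_ip": "2001:db8:a:1::10", "dst_ip": "2001:db8:b::20"},
    "dns-to-vpn": {**BASE, "dst_type": "vpn", "dst_ip": "192.168.1.1",
                   "protocol": 17, "dst_port": 53},
}
TGW_OWNER = "999999999999"


def cidr_ok(cidr, addr):
    """An absent CIDR matches anything; IPv4 and IPv6 never match each other."""
    if cidr is None:
        return True
    net = ipaddress.ip_network(cidr)
    ip = ipaddress.ip_address(addr)
    return ip.version == net.version and ip in net


def ports_ok(port_range, port):
    return port_range is None or port_range[0] <= port <= port_range[1]


def eq_ok(want, got):
    return want is None or want == got


def entry_matches(entry, flow):
    """True when every condition present on the entry matches the flow."""
    return (
        eq_ok(entry.get("src_type"), flow["src_type"])
        and eq_ok(entry.get("dst_type"), flow["dst_type"])
        and eq_ok(entry.get("src_attachment"), flow["src_attachment"])
        and eq_ok(entry.get("dst_attachment"), flow["dst_attachment"])
        and eq_ok(entry.get("protocol"), flow["protocol"])
        and cidr_ok(entry.get("src_cidr"), flow["src_ip"])
        and cidr_ok(entry.get("dst_cidr"), flow["dst_ip"])
        and ports_ok(entry.get("src_ports"), flow["src_port"])
        and ports_ok(entry.get("dst_ports"), flow["dst_port"])
    )


def metered_account(entries, flow):
    """Return (rule number, metered account setting); rule is None on default."""
    for entry in sorted(entries, key=lambda e: e["rule"]):
        if entry_matches(entry, flow):
            return entry["rule"], entry["metered"]
    return None, DEFAULT_METERED_ACCOUNT


def payer(entries, flow, tgw_owner):
    """Resolve the metered account setting to the account ID that is charged."""
    rule, setting = metered_account(entries, flow)
    account = {
        "source-attachment-owner": flow["src_owner"],
        "destination-attachment-owner": flow["dst_owner"],
        "transit-gateway-owner": tgw_owner,
    }[setting]
    return rule, account


if __name__ == "__main__":
    for name, flow in FLOWS.items():
        rule, account = payer(ENTRIES, flow, TGW_OWNER)
        print(f"{name:12} rule={rule if rule else 'default':>7} payer={account}")
```

Running the same flows against the current and the proposed entry list shows which accounts would start or stop being charged before the change reaches billing.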

After creating a policy, you'll need to add policy entries to implement your cost allocation logic. For the steps to create a metering policy entry, see [Create a metering policy entry](create-metering-policy-entry.md).

## Create a metering policy using the console
<a name="create-metering-policy-console"></a>

Create a policy to define flexible cost allocation rules for transit gateway data usage. By default, all flows are metered to the source attachment owner. Create entries to bill specific network flows to different accounts.

**To create a metering policy**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Metering policies**.

1. Choose **Create metering policy**.

1. For **Transit gateway ID**, choose the transit gateway that you want to create the metering policy for.

1. (Optional) For **Middlebox attachment IDs**, choose one or more middlebox attachments. By default, data usage is metered to the middlebox owner. Middlebox attachment support enables the metering policy to be applied to traffic traversing middlebox attachments. Additional attachments can be added later.

1. (Optional) In the **Tags** section, add tags to help you identify and organize your metering policy:

   1. Choose **Add new tag**.

   1. Enter a tag **Key** and optionally a tag **Value**.

   1. Choose **Add new tag** to add additional tags, or skip to the next step. You can add up to 50 tags.

1. Choose **Create transit gateway metering policy**.

**Note**  
The default metered account is the source attachment owner. After creating a metering policy, you can add entries that define which account gets charged based on traffic flow properties. The default policy entry (which is the last entry) cannot be modified or deleted like other policy entries.

## Create a metering policy using the AWS CLI
<a name="create-metering-policy"></a>

A metering policy defines the default cost allocation behavior and global settings for your transit gateway. Use the [create-transit-gateway-metering-policy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-transit-gateway-metering-policy.html) command.

Required parameters:
+ `--transit-gateway-id` - The ID of the transit gateway to create the policy for

Optional parameters:
+ `--middle-box-attachment-ids` - Supported transit gateway attachment IDs to add to the policy as middlebox attachments
+ `--tag-specifications` - Tags for the metering policy

**To create a metering policy using the AWS CLI**

1. Run the **create-transit-gateway-metering-policy** command to create a new metering policy with optional middlebox attachments.

   ```
   aws ec2 create-transit-gateway-metering-policy \
       --transit-gateway-id tgw-07a5946195a67dc47 \
       --middle-box-attachment-ids \
       tgw-attach-0123456789abcdef0 \
       tgw-attach-0abc123def456789a \
       --tag-specifications \
       '[{ "ResourceType": "transit-gateway-metering-policy",
           "Tags": [ { "Key": "Env", "Value": "Prod" } ] }]'
   ```

   This command creates a metering policy for the specified transit gateway with provided middlebox attachments and tags.

1. The command returns the following output when the policy is successfully created:

   ```
   {
       "TransitGatewayMeteringPolicy": {
           "TransitGatewayMeteringPolicyId": "tgw-mp-042d444564d4b2da7",
           "TransitGatewayId": "tgw-07a5946195a67dc47",
           "MiddleboxAttachmentIds":  ["tgw-attach-0123456789abcdef0", 
           "tgw-attach-0abc123def456789a"],
           "State": "pending",
           "UpdateEffectiveAt": "2025-11-05T21:00:00.000Z",
           "Tags": [{"Key": "Env","Value": "Prod"}]
       }
   }
   ```

   Note the metering policy ID returned in the response for use in subsequent commands. You can use the **describe-transit-gateway-metering-policies** command to get the metering policy associated with a transit gateway.

# Manage AWS Transit Gateway metering policies
<a name="metering-policy-manage-policy"></a>

After creating a metering policy, you can manage it by viewing current settings, modifying configuration options, or deleting the policy when no longer needed. Management operations allow you to add or remove middlebox attachments as your network requirements change. You can only create or delete a policy entry. If you need to modify an existing rule, you can delete the entry and create a new one with the modified configuration. All management operations require transit gateway owner permissions and take effect after two billing hours.

Effective metering policy management is crucial for maintaining accurate cost allocation as your network architecture evolves. Organizations often need to adjust their policies when business units change, new applications are deployed, or network topologies are modified. For example, middlebox metering support settings may require updates when firewall security architectures change or when new inspection services are introduced into the traffic path.

Policy modifications support various operational scenarios including seasonal traffic pattern changes, merger and acquisition activities, and compliance requirement updates. When managing policies, consider the impact on existing billing arrangements and communicate changes to affected stakeholders before implementation.

Regular policy reviews help ensure that cost allocation remains aligned with business objectives and organizational structures. Best practices include documenting policy changes, testing modifications in non-production environments when possible, and coordinating with finance teams to understand billing implications. Additionally, consider the timing of policy changes to minimize disruption to monthly billing cycles and financial reporting processes.

**Topics**
+ [Edit a metering policy](metering-policy-edit.md)
+ [Delete a metering policy](metering-policy-delete.md)

# Edit an AWS Transit Gateway metering policy
<a name="metering-policy-edit"></a>

Edit existing metering policies to modify middlebox attachment configurations. Policy modifications take effect at the next billing hour and apply to all future traffic flows through your transit gateway.

## Edit a metering policy using the console
<a name="edit-metering-policy-console"></a>

Use the console to modify existing metering policy settings for your transit gateway.

**To edit an existing metering policy using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Metering policies**.

1. Select the metering policy you want to modify by choosing its policy ID.

1. Modify the available policy settings under **Actions**. The console only allows adding and removing middlebox attachments.

   1. **Middlebox attachments** - Add or remove transit gateway attachments that should be treated as middleboxes for specialized billing.

## Edit a metering policy using the AWS CLI
<a name="edit-metering-policy-cli"></a>

Use the **modify-transit-gateway-metering-policy** command to view and modify metering policies.

Required parameters for modify operations:
+ `--transit-gateway-metering-policy-id` - The ID of the metering policy to modify
+ `--add-middle-box-attachment-ids` or `--remove-middle-box-attachment-ids` - Supported transit gateway attachment IDs to add to or remove from the policy as middlebox attachments

**To view and edit metering policies using the AWS CLI**

1. (Optional) View existing metering policies using the **describe-transit-gateway-metering-policies** command to see current configuration settings:

   ```
   aws ec2 describe-transit-gateway-metering-policies
   ```

   This command returns all metering policies in your account, showing the current state of each policy and the attachments enabled as middlebox attachments for it.

1. Modify a metering policy using the **modify-transit-gateway-metering-policy** command to update configuration options:

   ```
   aws ec2 modify-transit-gateway-metering-policy \
       --transit-gateway-metering-policy-id tgw-mp-042d444564d4b2da7 \
       --add-middle-box-attachment-ids tgw-attach-0123456789abcdef1  \
       --remove-middle-box-attachment-ids tgw-attach-0abc123def456789a
   ```

   This command modifies a metering policy by adding and/or removing middlebox attachments.

1. The command returns the following output when the policy is successfully modified:

   ```
   {
       "TransitGatewayMeteringPolicy": {
           "TransitGatewayMeteringPolicyId": "tgw-mp-042d444564d4b2da7",
           "TransitGatewayId": "tgw-07a5946195a67dc47",
           "MiddleboxAttachmentIds":  ["tgw-attach-0123456789abcdef0", 
           "tgw-attach-0123456789abcdef1"],
           "State": "modifying",
           "UpdateEffectiveAt": "2025-11-05T21:00:00.000Z"
       }
   }
   ```

   The changes can take up to two billing hours to take effect.

# Delete an AWS Transit Gateway metering policy
<a name="metering-policy-delete"></a>

Delete metering policies when they are no longer required for your transit gateway cost allocation strategy. Deleting a policy reverts cost allocation to the default sender-based model where data processing and data transfer charges are allocated to the account that owns the source attachment. All policy entries associated with the deleted metering policy are also removed.

## Delete a metering policy using the console
<a name="delete-metering-policy-console"></a>

Use the console to remove metering policies that are no longer needed.

**To delete a metering policy using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Metering policies**.

1. Select the policy you want to delete by choosing its policy ID.

1. Choose **Actions**, and then **Delete**.

1. Confirm the deletion by typing **delete** in the confirmation dialog.

1. Choose **Delete**.

**Important**  
Deleting a metering policy is irreversible. All policy entries and configuration settings will be permanently removed, and cost allocation will revert to the default sender-based model.

## Delete a metering policy using the AWS CLI
<a name="delete-metering-policy-cli"></a>

Use the **delete-transit-gateway-metering-policy** command to delete metering policies programmatically.

Requirements:
+ Transit gateway owner permissions

Required parameters:
+ `--transit-gateway-metering-policy-id` - The ID of the metering policy to delete

**To view and delete metering policies using the AWS CLI**

1. (Optional) View existing metering policies using the **describe-transit-gateway-metering-policies** command to see current configuration settings:

   ```
   aws ec2 describe-transit-gateway-metering-policies
   ```

   This command returns all metering policies in your account, showing their current state and configuration.

1. Delete a metering policy using the **delete-transit-gateway-metering-policy** command to permanently remove the policy:

   ```
   aws ec2 delete-transit-gateway-metering-policy \
       --transit-gateway-metering-policy-id tgw-mp-042d444564d4b2da7
   ```

   This command permanently removes the specified metering policy and all associated entries. Cost allocation will revert to the default sender-based model for all future traffic flows. This change also takes 2 billing hours to take effect.

1. The command returns the following output when the policy is successfully deleted:

   ```
   {
       "TransitGatewayMeteringPolicy": {
           "TransitGatewayMeteringPolicyId": "tgw-mp-042d444564d4b2da7",
           "TransitGatewayId": "tgw-07a5946195a67dc47",
           "MiddleboxAttachmentIds":  ["tgw-attach-0123456789abcdef0", 
           "tgw-attach-0123456789abcdef1"],
           "State": "deleting",
           "UpdateEffectiveAt": "2025-11-05T21:00:00.000Z"
       }
   }
   ```

   The response confirms the policy is being deleted with a `deleting` state while the removal is processed across the transit gateway infrastructure.

# Create an AWS Transit Gateway metering policy entry
<a name="create-metering-policy-entry"></a>

By default, all flows are metered to the source attachment owner. To meter specific flows to different accounts, create individual policy entries that define which account gets charged based on traffic flow properties.

Metering policy entries function as conditional rules that are evaluated in sequential order based on their rule numbers when traffic flows through your transit gateway. Each entry acts as an "if-then" statement: if the traffic matches the specified criteria (such as source attachment type, destination CIDR block, or protocol), then charge the designated account. The system evaluates entries from lowest to highest rule number, and the first matching entry determines the billing account for that traffic flow.

Entries support a wide range of matching criteria including attachment types (VPC, VPN, Direct Connect Gateway), specific attachment IDs, source and destination CIDR blocks, protocol types, and port ranges. You can combine multiple criteria within a single entry to create precise targeting rules. For example, you might create an entry that matches all HTTPS traffic (port 443) from VPC attachments to a specific destination CIDR range and charges those flows to a security team's account. If no entries match a particular traffic flow, the default metered account specified in the parent metering policy is charged, ensuring all traffic is properly billed. Creating an entry takes 2 billing hours to take effect.

**Important**  
+ Plan rule numbers carefully. Leave gaps (for example, 10, 20, 30) to allow for future insertions.
+ Test entries with less specific conditions first before adding more restrictive rules.
+ Use specific matching conditions to avoid unintended billing.
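
An added pre-flight check (not AWS tooling) for the planning advice above: it applies the limits stated on this page and flags entries that a lower-numbered, broader entry already covers. The entry key names and the sample plan are constructed, and the coverage test is conservative: it only compares like-for-like conditions.

```python
"""Lint a planned set of metering policy entries before creating them."""
import ipaddress

# Limits stated on this page. Whether the default entry counts toward the
# 50 is not stated, so only the entries you plan to add are counted here.
MAX_ENTRIES = 50
RULE_MIN, RULE_MAX = 1, 32766
METERED = {"source-attachment-owner", "destination-attachment-owner",
           "transit-gateway-owner"}

# Condition keys used by this sketch (not API field names).
EXACT = ("src_type", "dst_type", "src_attachment", "dst_attachment", "protocol")
CIDRS = ("src_cidr", "dst_cidr")
PORTS = ("src_ports", "dst_ports")

# Constructed plan with deliberate mistakes.
PLAN = [
    {"rule": 10, "dst_type": "vpc", "metered": "destination-attachment-owner"},
    {"rule": 20, "dst_type": "vpc", "dst_cidr": "10.20.0.0/16", "protocol": 6,
     "dst_ports": (443, 443), "metered": "transit-gateway-owner"},
    {"rule": 30, "src_cidr": "10.0.0.0/8", "metered": "transit-gateway-owner"},
    {"rule": 40, "src_cidr": "10.10.0.0/16", "src_ports": (1024, 65535),
     "metered": "transit-gateway-owner"},
    {"rule": 40000, "src_type": "vpn", "metered": "attachment-owner"},
]


def covers(broad, narrow):
    """True when every flow matched by `narrow` is also matched by `broad`.

    A condition on `broad` that `narrow` lacks means `narrow` is wider on
    that field, so the answer is False (no false positives).
    """
    for key in EXACT:
        if key in broad and broad[key] != narrow.get(key):
            return False
    for key in CIDRS:
        if key in broad:
            if key not in narrow:
                return False
            b = ipaddress.ip_network(broad[key])
            n = ipaddress.ip_network(narrow[key])
            if b.version != n.version or not n.subnet_of(b):
                return False
    for key in PORTS:
        if key in broad:
            if key not in narrow:
                return False
            (blo, bhi), (nlo, nhi) = broad[key], narrow[key]
            if not (blo <= nlo and nhi <= bhi):
                return False
    return True


def lint(entries):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if len(entries) > MAX_ENTRIES:
        findings.append(f"{len(entries)} entries exceeds the limit of {MAX_ENTRIES}")
    seen = set()
    for e in entries:
        n = e["rule"]
        if not RULE_MIN <= n <= RULE_MAX:
            findings.append(f"rule {n}: number outside {RULE_MIN}-{RULE_MAX}")
        if n in seen:
            findings.append(f"rule {n}: duplicate rule number")
        seen.add(n)
        if e["metered"] not in METERED:
            findings.append(f"rule {n}: unknown metered account {e['metered']!r}")
    # First match wins, so an entry fully covered by an earlier one never applies.
    ordered = sorted(entries, key=lambda e: e["rule"])
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if earlier["rule"] != later["rule"] and covers(earlier, later):
                verdict = ("redundant" if earlier["metered"] == later["metered"]
                           else "unreachable")
                findings.append(f"rule {later['rule']}: shadowed by rule "
                                f"{earlier['rule']} ({verdict})")
                break
    return findings


if __name__ == "__main__":
    for finding in lint(PLAN):
        print(finding)
```

In the sample plan, the specific HTTPS entry at rule 20 sits behind the broad rule 10 and never applies; giving it a lower number than 10 clears the finding, which is why the numbering gaps matter.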

## Create a metering policy entry using the console
<a name="create-metering-policy-console"></a>

A metering policy defines the default cost allocation behavior and global settings for your transit gateway.

**To create a metering policy entry using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Metering policies**.

1. Select the metering policy ID link to view its details.

1. Choose the **Metering policy entries** tab.

1. Choose **Create metering policy entry**.

1. **Policy rule number** - This should be a unique number (1-32,766) that determines evaluation order. Lower numbers have higher priority.

1. **Metered account** - Choose one of the following account types to be charged for matching traffic flows:

   1. **Source Attachment Owner**

   1. **Destination Attachment Owner**

   1. **Transit Gateway Attachment Owner**

1. (Optional) Choose **Rule conditions** - These optional conditions define criteria to match specific traffic:
   + **Source attachment type or ID** - Filter by attachment type (VPC, VPN, Direct Connect Gateway, Peering) or ID.
   + **Destination attachment type or ID** - Filter by destination attachment type or ID
   + **Source CIDR block** - Match traffic from specific IP ranges
   + **Destination CIDR block** - Match traffic to specific IP ranges
   + **Source port range** - Match specific source ports
   + **Destination port range** - Match specific destination ports
   + **Protocol** - Filter by protocol for the rule (1, 6, 17, etc.)

1. Choose **Create metering policy entry** to save the configuration.

## Create a metering policy entry using the AWS CLI
<a name="create-policy-entry-cli"></a>

Policy entries define specific rules for cost allocation based on traffic characteristics. Rules are evaluated in order from lowest to highest rule number.

Required parameters:
+ `--transit-gateway-metering-policy-id` - The ID of the metering policy to add the entry to
+ `--policy-rule-number` - A unique number (1-32,766) that determines evaluation order
+ `--metered-account` - The payer type (`source-attachment-owner`, `destination-attachment-owner`, or `transit-gateway-owner`)

Optional parameters:

These optional parameters define criteria to match specific traffic:
+ `--source-transit-gateway-attachment-id` - The ID of the source transit gateway attachment.
+ `--source-transit-gateway-attachment-type` - The type of the source transit gateway attachment.
+ `--source-cidr-block` - The source CIDR block for the rule.
+ `--source-port-range` - The source port range for the rule.
+ `--destination-transit-gateway-attachment-id` - The ID of the destination transit gateway attachment.
+ `--destination-transit-gateway-attachment-type` - The type of the destination transit gateway attachment.
+ `--destination-cidr-block` - The destination CIDR block for the rule.
+ `--destination-port-range` - The destination port range for the rule.
+ `--protocol` - The protocol number for the rule

**To create a metering policy entry using the AWS CLI**

1. Use the **create-transit-gateway-metering-policy-entry** command to create a new policy entry that meters traffic destined for VPC attachments to a specific metered account:

   ```
   aws ec2 create-transit-gateway-metering-policy-entry \
       --transit-gateway-metering-policy-id tgw-mp-042d444564d4b2da7 \
       --policy-rule-number 100 \
       --destination-transit-gateway-attachment-type vpc \
       --metered-account destination-attachment-owner
   ```

   This command creates a policy entry with rule number 100 that matches traffic destined for VPC attachments and charges the destination attachment owner for those flows.

1. The command returns the following output when the entry is successfully created:

   ```
   {
       "TransitGatewayMeteringPolicyEntry": {
           "MeteredAccount": "destination-attachment-owner",
           "MeteringPolicyRule": {
               "DestinationTransitGatewayAttachmentType": "vpc"
           },
           "PolicyRuleNumber": 100,
           "State": "available",
           "UpdateEffectiveAt": "2025-11-06T02:00:00.000Z"
       }
   }
   ```

   The response confirms the entry was created with an "available" state while it's being activated across the transit gateway infrastructure.

# Delete an AWS Transit Gateway metering policy entry
<a name="metering-policy-entry-delete"></a>

Delete metering policy entries when specific cost allocation rules are no longer required for your network traffic flows. Entry deletion helps simplify policy management by removing outdated or unnecessary rules while maintaining the overall policy structure. When you delete an entry, traffic that previously matched the deleted rule will be evaluated against remaining entries in rule number order, or fall back to the default policy behavior if no other entries match.

Before deleting entries, consider the impact on current billing arrangements and traffic flows. Once an entry is deleted, the change takes up to 2 billing hours to take effect and cannot be undone, so coordinate changes with affected account owners and finance teams. Review remaining entries to ensure proper traffic coverage and billing allocation after the deletion. The rule evaluation order for remaining entries stays unchanged, maintaining predictable cost allocation behavior for continuing traffic flows.

**Important**  
+ Deletion is irreversible.
+ Traffic previously matching this entry will be re-evaluated against remaining entries.
+ Review remaining entries to ensure proper traffic coverage.

## Delete a metering policy entry using the console
<a name="delete-entry-console"></a>

Use the console to remove policy entries through an intuitive interface that provides confirmation dialogs to prevent accidental deletions.

**To delete a policy entry using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Metering policies**.

1. Select the metering policy containing the entry you want to delete.

1. Select the entry you want to remove and choose **Delete**.

1. In the confirmation dialog, review the entry details and type **delete** to confirm the removal.

1. Choose **Delete** to permanently remove the entry.

## Delete a metering policy entry using the AWS CLI
<a name="delete-entry-cli"></a>

Use the **delete-transit-gateway-metering-policy-entry** command to remove policy entries programmatically.

Requirements:
+ Transit gateway owner permissions
+ Valid metering policy ID and entry rule number

Required parameters:
+ `--transit-gateway-metering-policy-id` - The ID of the metering policy
+ `--policy-rule-number` - The rule number of the entry to delete

**To view and delete policy entries using the AWS CLI**

1. (Optional) View existing policy entries using the **get-transit-gateway-metering-policy-entries** command to see current configuration settings:

   ```
   aws ec2 get-transit-gateway-metering-policy-entries \
       --transit-gateway-metering-policy-id tgw-mp-0123456789abcdefg
   ```

   This command returns all entries for the specified policy, showing their rule numbers, matching criteria, and metered accounts.

1. Delete a policy entry using the **delete-transit-gateway-metering-policy-entry** command to permanently remove the entry:

   ```
   aws ec2 delete-transit-gateway-metering-policy-entry \
       --transit-gateway-metering-policy-id tgw-mp-0123456789abcdefg \
       --policy-rule-number 100
   ```

   This command permanently removes the specified entry from the policy. Traffic that previously matched this entry will be immediately re-evaluated against remaining entries or fall back to the default policy behavior.

1. The command returns the following output when the entry is successfully deleted:

   ```
   {
       "TransitGatewayMeteringPolicyEntry": [
           {
               "PolicyRuleNumber": 100,
               "MeteredAccount": "destination-attachment-owner",
               "UpdateEffectiveAt": "2024-01-01T01:00:00+00:00",
               "state": "deleted",
               "MeteringPolicyRule": {
                   "DestinationTransitGatewayAttachmentType": "vpc"
               }
           }
       ]
   }
   ```

   The response confirms the entry is being deleted with a "deleted" state while the removal is processed across the transit gateway infrastructure.
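Because deletion cannot be undone, it helps to preview the re-evaluation described above before running the delete command. The following is an added example, not part of the AWS documentation: it models first-match evaluation in rule-number order and reports which traffic would match a different rule or fall back to the default. The entries, flows, the `source-attachment-owner` and `transit-gateway-owner` strings, and the helper names are assumptions; only `destination-attachment-owner` and the field names come from the sample response.

```python
# Added example: preview which traffic changes metered account if an entry is deleted.
# ENTRIES and SAMPLE_FLOWS are constructed; field names follow the sample response above.
DEFAULT_METERED_ACCOUNT = "source-attachment-owner"  # assumed label for the default

ENTRIES = [
    {"PolicyRuleNumber": 300, "MeteredAccount": "destination-attachment-owner",
     "MeteringPolicyRule": {"DestinationTransitGatewayAttachmentType": "vpn"}},
    {"PolicyRuleNumber": 100, "MeteredAccount": "destination-attachment-owner",
     "MeteringPolicyRule": {"DestinationTransitGatewayAttachmentType": "vpc"}},
    {"PolicyRuleNumber": 200, "MeteredAccount": "transit-gateway-owner",  # assumed value
     "MeteringPolicyRule": {"DestinationTransitGatewayAttachmentType": "vpc"}},
]
SAMPLE_FLOWS = [
    {"DestinationTransitGatewayAttachmentType": "vpc"},
    {"DestinationTransitGatewayAttachmentType": "vpn"},
]


def evaluate(entries, flow):
    """Return (rule_number, metered_account) of the lowest-numbered matching entry."""
    for entry in sorted(entries, key=lambda e: e["PolicyRuleNumber"]):
        criteria = entry["MeteringPolicyRule"]
        if all(flow.get(field) == value for field, value in criteria.items()):
            return entry["PolicyRuleNumber"], entry["MeteredAccount"]
    return None, DEFAULT_METERED_ACCOUNT  # no entry matched: default behavior


def deletion_impact(entries, rule_number, flows):
    """List the flows whose matching rule or metered account changes after deletion."""
    if not any(e["PolicyRuleNumber"] == rule_number for e in entries):
        raise ValueError(f"no entry with rule number {rule_number}")
    remaining = [e for e in entries if e["PolicyRuleNumber"] != rule_number]
    changes = []
    for flow in flows:
        before, after = evaluate(entries, flow), evaluate(remaining, flow)
        if before != after:
            changes.append({"flow": flow, "before": before, "after": after})
    return changes


if __name__ == "__main__":
    for number in (100, 200, 300):
        print(number, deletion_impact(ENTRIES, number, SAMPLE_FLOWS))
```

In this constructed policy, deleting rule 100 exposes the previously shadowed rule 200, deleting rule 200 changes nothing, and deleting rule 300 sends VPN-destined traffic back to the default.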

# Manage AWS Transit Gateway metering policy middlebox attachments
<a name="metering-policy-middlebox"></a>

Transit gateway metering policies support middlebox attachments, which allow you to flexibly allocate data processing charges for network traffic routed through middlebox appliances such as network firewalls and load balancers. Examples of middlebox attachments are Network Function attachments to AWS Network Firewall or VPC attachments that route traffic to third-party security appliances in a VPC. Traffic between source and destination transit gateway attachments traverses these middlebox attachments for typical security inspection use cases. You can define metering policies to flexibly allocate data processing usage on middlebox attachments to the original source attachment, the final destination attachment, or the transit gateway account owner. For Network Function attachments, the AWS Network Firewall data processing charges are also allocated to the metered account.

Middlebox attachments are designated transit gateway attachments that route traffic through network appliances for security inspection, load balancing, or other network functions. Data usage for the traffic traversing middlebox attachments is metered to the account owner specified in the metering policy. You can specify a maximum of 10 middlebox attachments. Supported middlebox attachment types are Network Function (AWS Network Firewall), VPC and VPN attachments.

**Topics**
+ [Add middlebox attachments](create-middlebox-attachment.md)
+ [Remove middlebox attachments](edit-middlebox-attachment.md)

# Add AWS Transit Gateway metering policy middlebox attachments
<a name="create-middlebox-attachment"></a>

You can add middlebox attachments to integrate network appliances into your Transit Gateway metering policy. This allows you to route specific traffic through security appliances, load balancers, or other network functions while maintaining granular cost allocation control.

**Important**  
+ Ensure middlebox appliances are properly configured and accessible
+ Test traffic routing before applying to production workloads
+ Monitor middlebox performance to avoid introducing latency
+ Configure appropriate failover behavior for high availability

## Add middlebox attachments using the console
<a name="create-middlebox-console"></a>

**To add a middlebox attachment entry**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Metering policies**.

1. Select the metering policy ID link to view its details.

1. Choose the **Middlebox attachments** tab.

1. Choose **Add**.

1. When prompted, select the attachment IDs that should be treated as middleboxes for specialized billing. You can select up to 10 middlebox attachments.

1. Choose **Add middlebox attachments** to save the configuration.

## Add middlebox attachments using the AWS CLI
<a name="create-middlebox-cli"></a>

Use the **modify-transit-gateway-metering-policy** command to add attachments.

Before you begin, ensure you have the following required parameters:
+ `--transit-gateway-metering-policy-id` - The ID of the existing metering policy
+ `--add-middle-box-attachment-ids` - One or more attachment IDs to add to the policy (for adding attachments)

**To add middlebox attachments to an existing policy using the AWS CLI**

1. In the following example, **modify-transit-gateway-metering-policy** is used to add four middlebox attachments to an existing metering policy. The command adds the specified attachment IDs to the existing list without removing current attachments:

   ```
   aws ec2 modify-transit-gateway-metering-policy \
       --transit-gateway-metering-policy-id tgw-mp-0123456789abcdefg \
       --add-middle-box-attachment-ids tgw-attach-0bdc681c211bf71f3 tgw-attach-0987654321fedcba0 tgw-attach-0456789012345abcd tgw-attach-0fedcba0987654321
   ```

1. In the following example response, the JSON output shows the updated policy configuration with all four middlebox attachments now included:

   ```
   {
       "TransitGatewayMeteringPolicy": {
           "TransitGatewayMeteringPolicyId": "tgw-mp-0123456789abcdefg",
           "TransitGatewayId": "tgw-0ecec6433f4bfe55a",
           "MiddleBoxAttachmentIds": [
               "tgw-attach-0bdc681c211bf71f3",
               "tgw-attach-0987654321fedcba0",
               "tgw-attach-0456789012345abcd",
               "tgw-attach-0fedcba0987654321"
           ],
           "State": "available",
           "UpdateEffectiveAt": "2024-09-05T16:00:00.000Z"
       }
   }
   ```

# Remove AWS Transit Gateway metering policy middlebox attachments
<a name="edit-middlebox-attachment"></a>

By default, metering costs are attributed to the middlebox attachment owner. However, you can modify these assignments to ensure costs are properly allocated to the actual source or destination of the traffic. You can add or remove up to 10 total middlebox attachments for a metering policy.

## Remove middlebox attachments using the console
<a name="modify-middlebox-console"></a>

Use the Amazon VPC console to remove middlebox attachments from your metering policy configuration.

**To remove middlebox attachments**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Transit gateways**, **Metering policies**.

1. Select the metering policy that you want to modify.

1. Choose the **Middlebox attachments** tab.

1. Select up to 10 middlebox attachments to remove from the metering policy.

1. Choose **Remove**.

1. When prompted, review the middlebox attachments you selected and update the selection if needed. Traffic through removed attachments will be metered to the middlebox attachment owner.

1. Choose **Remove middlebox attachments**.

## Remove middlebox attachments using the AWS CLI
<a name="edit-middlebox-cli"></a>

Use the **modify-transit-gateway-metering-policy** command to remove attachments.

Before you begin, ensure you have the following required parameters:
+ `--transit-gateway-metering-policy-id` - The ID of the existing metering policy
+ `--remove-middle-box-attachment-ids` - One or more attachment IDs to remove from the policy (for removing attachments)

**To remove middlebox attachments from an existing policy using the AWS CLI**

1. In the following example, **modify-transit-gateway-metering-policy** is used to remove two specific middlebox attachments from an existing metering policy. The command removes only the specified attachment IDs while preserving the remaining attachments:

   ```
   aws ec2 modify-transit-gateway-metering-policy \
       --transit-gateway-metering-policy-id tgw-mp-0123456789abcdefg \
       --remove-middle-box-attachment-ids tgw-attach-0456789012345abcd tgw-attach-0fedcba0987654321
   ```

1. In the following example response, the JSON output shows the updated policy configuration with the specified attachments removed and the remaining attachments still active:

   ```
   {
       "TransitGatewayMeteringPolicy": {
           "TransitGatewayMeteringPolicyId": "tgw-mp-0123456789abcdefg",
           "TransitGatewayId": "tgw-0ecec6433f4bfe55a",
           "MiddleBoxAttachmentIds": [
               "tgw-attach-0bdc681c211bf71f3",
               "tgw-attach-0987654321fedcba0"
           ],
           "State": "available",
           "UpdateEffectiveAt": "2024-09-05T16:00:00.000Z"
       }
   }
   ```
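Adding or removing a middlebox attachment changes which account is charged, so both the add and the remove procedures benefit from a pre-flight check and a post-change comparison. The following is an added example, not part of the AWS documentation: it validates a planned change against the 10-attachment limit, builds the command lines shown above, and compares the response with the expected list. The helper names and the choice to issue removals and additions as separate commands are assumptions; `SAMPLE_RESPONSE` is the example response from this page.

```python
import json

MAX_MIDDLEBOX_ATTACHMENTS = 10  # limit stated in this documentation

# Example response from this page, after two attachments were removed.
SAMPLE_RESPONSE = """{"TransitGatewayMeteringPolicy": {
  "TransitGatewayMeteringPolicyId": "tgw-mp-0123456789abcdefg",
  "TransitGatewayId": "tgw-0ecec6433f4bfe55a",
  "MiddleBoxAttachmentIds": ["tgw-attach-0bdc681c211bf71f3",
                             "tgw-attach-0987654321fedcba0"],
  "State": "available", "UpdateEffectiveAt": "2024-09-05T16:00:00.000Z"}}"""


def plan_change(policy_id, current_ids, add=(), remove=()):
    """Validate a planned change; return (expected_ids, list of CLI argv lists)."""
    current, add, remove = list(current_ids), list(add), list(remove)
    absent = [a for a in remove if a not in current]
    if absent:
        raise ValueError(f"not currently middlebox attachments: {absent}")
    repeated = [a for a in add if a in current or add.count(a) > 1]
    if repeated:
        raise ValueError(f"duplicate or already present: {repeated}")
    expected = [a for a in current if a not in remove] + add
    if len(expected) > MAX_MIDDLEBOX_ATTACHMENTS:
        raise ValueError(f"{len(expected)} attachments exceeds the limit of "
                         f"{MAX_MIDDLEBOX_ATTACHMENTS}")
    base = ["aws", "ec2", "modify-transit-gateway-metering-policy",
            "--transit-gateway-metering-policy-id", policy_id]
    commands = []
    if remove:  # removals first so the list never grows past the limit
        commands.append(base + ["--remove-middle-box-attachment-ids", *remove])
    if add:
        commands.append(base + ["--add-middle-box-attachment-ids", *add])
    return expected, commands


def verify_response(response_text, expected_ids):
    """Return (unexpected, missing) attachment IDs found in a CLI response."""
    policy = json.loads(response_text)["TransitGatewayMeteringPolicy"]
    actual, expected = set(policy["MiddleBoxAttachmentIds"]), set(expected_ids)
    return sorted(actual - expected), sorted(expected - actual)
```

A non-empty `unexpected` list means the policy designates an attachment as a middlebox that the planned change did not account for, which is worth investigating before the next billing period.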

**Topics**
+ [Metering policies](#metering-policies-main)
+ [Create a metering policy](metering-policy-create-policy.md)
+ [Manage metering policies](metering-policy-manage-policy.md)
+ [Create a metering policy entry](create-metering-policy-entry.md)
+ [Delete a metering policy entry](metering-policy-entry-delete.md)
+ [Manage metering policy middlebox attachments](metering-policy-middlebox.md)