

# AWS Transit Gateway network function attachments
<a name="tgw-nf-fw"></a>

You can create a network function attachment to connect your transit gateway directly to AWS Network Firewall. This eliminates the need to create and manage inspection VPCs.

With a firewall attachment, AWS automatically provisions and manages all the necessary resources behind the scenes. You'll see a new transit gateway attachment rather than individual firewall endpoints. This simplifies the process of implementing centralized network traffic inspection.

Before you can use a firewall attachment, you must first create the attachment in AWS Network Firewall. For the steps to create the attachment, see [Getting Started with AWS Network Firewall Management](https://docs.aws.amazon.com/network-firewall/latest/developerguide/getting-started.html) in the *AWS Network Firewall Developer Guide*. After the firewall is created, you can view the attachment in the Amazon VPC console under **Transit gateway attachments**. The attachment is listed with a type of **Network function**.

**Topics**
+ [Accept or reject a transit gateway network function attachment](accept-reject-firewall-attachment.md)
+ [View network function attachments](view-nf-attachment-nm.md)
+ [Route traffic through a transit gateway network function attachment](route-traffic-nf-attachment.md)

# Accept or reject an AWS Transit Gateway network function attachment
<a name="accept-reject-firewall-attachment"></a>

You can use either the Amazon VPC console or the AWS Network Firewall CLI or API to accept or reject a transit gateway network function attachment, including a Network Firewall attachment. If you own a transit gateway and someone creates a firewall attachment to it from another account, you must accept or reject the attachment request. Before you accept, confirm that the requesting account is one you expect to operate a firewall for your network: accepting places that account's firewall in the forwarding path of any traffic you later route to the attachment.

To accept or reject a network function attachment using the Network Firewall CLI or API, see the `AcceptNetworkFirewallTransitGatewayAttachment` and `RejectNetworkFirewallTransitGatewayAttachment` actions in the [AWS Network Firewall API Reference](https://docs.aws.amazon.com/network-firewall/latest/APIReference/Welcome.html).

## Accept or reject a network function attachment using the console
<a name="create-firewall-attachment-console"></a>

Use the Amazon VPC console to accept or reject a transit gateway network function attachment.

**To accept or reject a network function attachment using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Transit Gateways**.

1. Choose **Transit gateway attachments**.

1. Select the attachment with a state of **Pending acceptance** and a type of **Network function**.

1. Choose **Actions**, and then choose either **Accept attachment** or **Reject attachment**.

1. In the confirmation dialog box, choose **Accept** or **Reject**.

If you accept the attachment, it becomes active and the firewall can inspect traffic. If you reject the attachment, it enters a rejected state and will eventually be deleted.
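The following script is an added example, not code from the AWS documentation. It automates the cross-account decision described above: list attachments that are **Pending acceptance** and of type **Network function**, accept those created by an allowlisted account, and reject everything else. It assumes boto3 clients are supplied by the caller, that the EC2 `describe-transit-gateway-attachments` `resource-type` filter accepts the value `network-function` (the `ResourceType` value shown in this page's route output), and that the boto3 method names `accept_network_firewall_transit_gateway_attachment` and `reject_network_firewall_transit_gateway_attachment` follow from the API names above. The sample describe output and the account IDs are constructed for the example.

```python
"""Accept or reject pending Transit Gateway network function attachments.

Added example, not from the AWS documentation. boto3 clients are passed in by
the caller; the pure decision logic (plan) runs offline on the constructed
sample below.
"""

PENDING = "pendingAcceptance"
NETWORK_FUNCTION = "network-function"  # ResourceType value shown in the page's route output


def pending_network_function_attachments(describe_output):
    """Filter DescribeTransitGatewayAttachments output down to network function
    attachments that still await the transit gateway owner's decision."""
    return [
        a for a in describe_output.get("TransitGatewayAttachments", [])
        if a.get("State") == PENDING and a.get("ResourceType") == NETWORK_FUNCTION
    ]


def decide(attachment, trusted_accounts):
    """Accept only if the account that created the firewall attachment is on the
    allowlist; any other account would otherwise gain a hop in your traffic path."""
    return "accept" if attachment.get("ResourceOwnerId") in trusted_accounts else "reject"


def plan(describe_output, trusted_accounts):
    """Return [(attachment_id, owner_account, action), ...] without calling AWS."""
    return [
        (a["TransitGatewayAttachmentId"], a.get("ResourceOwnerId"), decide(a, trusted_accounts))
        for a in pending_network_function_attachments(describe_output)
    ]


def apply_decisions(ec2, network_firewall, trusted_accounts):
    """Describe pending attachments, then accept or reject each one.

    Assumed boto3 calls (method names derived from the API names on this page):
      ec2.describe_transit_gateway_attachments(Filters=...)
      network_firewall.accept_network_firewall_transit_gateway_attachment(TransitGatewayAttachmentId=...)
      network_firewall.reject_network_firewall_transit_gateway_attachment(TransitGatewayAttachmentId=...)
    """
    output = ec2.describe_transit_gateway_attachments(
        Filters=[
            {"Name": "state", "Values": [PENDING]},
            {"Name": "resource-type", "Values": [NETWORK_FUNCTION]},  # assumed filter value
        ]
    )
    actions = plan(output, trusted_accounts)
    for attachment_id, _owner, action in actions:
        if action == "accept":
            network_firewall.accept_network_firewall_transit_gateway_attachment(
                TransitGatewayAttachmentId=attachment_id)
        else:
            network_firewall.reject_network_firewall_transit_gateway_attachment(
                TransitGatewayAttachmentId=attachment_id)
    return actions


# Constructed sample describe output; not captured from a real account.
SAMPLE_DESCRIBE_OUTPUT = {
    "TransitGatewayAttachments": [
        {"TransitGatewayAttachmentId": "tgw-attach-0123456789abcdef0",
         "TransitGatewayOwnerId": "111111111111", "ResourceOwnerId": "222222222222",
         "ResourceType": "network-function", "State": "pendingAcceptance"},
        {"TransitGatewayAttachmentId": "tgw-attach-0123456789abcdef1",
         "TransitGatewayOwnerId": "111111111111", "ResourceOwnerId": "333333333333",
         "ResourceType": "network-function", "State": "pendingAcceptance"},
        {"TransitGatewayAttachmentId": "tgw-attach-0123456789abcdef2",
         "TransitGatewayOwnerId": "111111111111", "ResourceOwnerId": "111111111111",
         "ResourceType": "vpc", "State": "available"},
    ]
}

# Hypothetical network-security account allowed to attach firewalls to this transit gateway.
TRUSTED_SECURITY_ACCOUNTS = {"222222222222"}

if __name__ == "__main__":
    for attachment_id, owner, action in plan(SAMPLE_DESCRIBE_OUTPUT, TRUSTED_SECURITY_ACCOUNTS):
        print(f"{attachment_id} from account {owner}: {action}")
```

Run as-is, the script only evaluates the constructed sample; to act on a real transit gateway, pass `boto3.client("ec2")` and `boto3.client("network-firewall")` to `apply_decisions`. Keeping `plan` free of AWS calls lets you review the intended actions (for example in a change ticket) before any attachment is accepted.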

# View AWS Transit Gateway network function attachments
<a name="view-nf-attachment-nm"></a>

You can view your network function attachments, including your AWS Network Firewall attachments, using either the Amazon VPC console or the Network Manager console. The Network Manager console also gives you a visual representation of your network topology.

## View a network function attachment using the Network Manager console
<a name="view-nf-attachment-console"></a>

You can view network function attachments using the Network Manager console.

**To view firewall attachments in Network Manager**

1. Open the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home/).

1. Create a global network in Network Manager if you don't already have one.

1. Register your transit gateway with Network Manager.

1. Under **Global Networks**, choose the global network where the attachment is located.

1. In the navigation pane, choose **Transit gateways.** 

1. Choose the transit gateway that you want to view attachments for.

1. Choose **Topology tree** view. Network Firewall attachments appear with a network function icon.

1. To view details about a specific firewall attachment, select the transit gateway in the topology view, then select the **Network function** tab.

The Network Manager console provides detailed information about your firewall attachments, including their status, associated transit gateway, and Availability Zones.

## View a network function attachment using the Amazon VPC console
<a name="view-nf-attachment-vpc"></a>

Use the Amazon VPC console to see a list of your transit gateway attachments and their types.

**To view transit gateway attachment types using the VPC console**
+ See [View a VPC attachment](view-vpc-attachment.md). 

# Route traffic through an AWS Transit Gateway network function attachment
<a name="route-traffic-nf-attachment"></a>

After creating a network function attachment, you must update your transit gateway route tables to send traffic through the firewall for inspection, using either the Amazon VPC console or the CLI. For the steps to update a transit gateway route table association, see [Associate a transit gateway route table](associate-tgw-route-table.md).

## Route traffic through a firewall attachment using the console
<a name="route-nf-attachment-console"></a>

Use the Amazon VPC console to route traffic through a transit gateway network function attachment.

**To route traffic through a network function attachment using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Transit Gateways**.

1. Choose **Transit gateway route tables**.

1. Select the route table you want to modify.

1. Choose **Actions**, and then choose **Create static route**.

1. For **CIDR**, enter the destination CIDR block for the route.

1. For **Attachment**, select the network function attachment. For example, this might be an AWS Network Firewall attachment.

1. Choose **Create static route**.
**Note**  
Only static routes are supported.

Traffic matching the CIDR block in your route table will now be sent to the firewall attachment for inspection before being forwarded to its final destination.

## Route traffic through a network function attachment using the CLI or API
<a name="route-nf-attachment-cli-steps"></a>

Use the command line or API to route traffic through a transit gateway network function attachment.

**To route traffic through a network function attachment using the command line or API**
+ Use [create-transit-gateway-route](https://docs.aws.amazon.com/cli/latest/reference/create-transit-gateway-route/create-transit-gateway-route.html).

  For example, the following request creates a default route (0.0.0.0/0) that sends traffic to a Network Firewall attachment:

  ```
  aws ec2 create-transit-gateway-route \
    --transit-gateway-route-table-id tgw-rtb-0123456789abcdef0 \
    --destination-cidr-block 0.0.0.0/0 \
    --transit-gateway-attachment-id tgw-attach-0123456789abcdef0
  ```

  The command returns the new route:

  ```
  {
    "Route": {
      "DestinationCidrBlock": "0.0.0.0/0",
      "TransitGatewayAttachments": [
        {
          "ResourceId": "network-firewall",
          "TransitGatewayAttachmentId": "tgw-attach-0123456789abcdef0",
          "ResourceType": "network-function"
        }
      ],
      "Type": "static",
      "State": "active"
    }
  }
  ```

Traffic matching the CIDR block in your route table will now be sent to the firewall attachment for inspection before being forwarded to its final destination.
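The following script is an added example, not code from the AWS documentation, covering the console and CLI procedures above. Before creating the static route it confirms that the target attachment really is an available network function attachment (a typo that selects a VPC attachment would silently bypass the firewall), and after creating it reads the route back with `search-transit-gateway-routes` to confirm it is static, active and points at the firewall. It assumes a boto3 EC2 client supplied by the caller; `describe_transit_gateway_attachments`, `create_transit_gateway_route` and `search_transit_gateway_routes` are the real EC2 APIs, and the `route-search.exact-match` filter is a documented filter of SearchTransitGatewayRoutes. The sample attachment and route objects are constructed to match the CLI output shown on this page.

```python
"""Create a static Transit Gateway route to a network function attachment and
verify it before relying on it for inspection.

Added example, not from the AWS documentation. A boto3 EC2 client is passed in
by the caller; the checks run offline on the constructed samples below.
"""

NETWORK_FUNCTION = "network-function"  # ResourceType value shown in the page's route output


class InspectionRouteError(Exception):
    """Raised when the target attachment or the resulting route is not usable."""


def check_attachment(attachment):
    """The route target must be an available network function attachment.
    A VPC attachment or a still-pending firewall attachment is rejected."""
    att_id = attachment.get("TransitGatewayAttachmentId")
    if attachment.get("ResourceType") != NETWORK_FUNCTION:
        raise InspectionRouteError(
            f"{att_id} is a {attachment.get('ResourceType')} attachment, not a network function")
    if attachment.get("State") != "available":
        raise InspectionRouteError(
            f"{att_id} is {attachment.get('State')}, not available (has it been accepted?)")
    return attachment


def check_route(route, cidr, attachment_id):
    """Validate a route entry as returned by CreateTransitGatewayRoute or
    SearchTransitGatewayRoutes: right prefix, static, active, single firewall target."""
    if route.get("DestinationCidrBlock") != cidr:
        raise InspectionRouteError(
            f"route is for {route.get('DestinationCidrBlock')}, expected {cidr}")
    if route.get("Type") != "static":
        raise InspectionRouteError("only static routes are supported for this attachment type")
    if route.get("State") != "active":
        raise InspectionRouteError(f"route state is {route.get('State')}, not active")
    targets = [t.get("TransitGatewayAttachmentId")
               for t in route.get("TransitGatewayAttachments", [])]
    if targets != [attachment_id]:
        raise InspectionRouteError(f"route targets {targets}, expected [{attachment_id}]")
    return route


def create_inspection_route(ec2, route_table_id, cidr, attachment_id):
    """Check the target, create the route, then read it back with an exact-match
    search so the result is not taken only from the create response."""
    described = ec2.describe_transit_gateway_attachments(
        TransitGatewayAttachmentIds=[attachment_id])
    check_attachment(described["TransitGatewayAttachments"][0])

    created = ec2.create_transit_gateway_route(
        TransitGatewayRouteTableId=route_table_id,
        DestinationCidrBlock=cidr,
        TransitGatewayAttachmentId=attachment_id)
    check_route(created["Route"], cidr, attachment_id)

    found = ec2.search_transit_gateway_routes(
        TransitGatewayRouteTableId=route_table_id,
        Filters=[{"Name": "route-search.exact-match", "Values": [cidr]}])
    routes = found.get("Routes", [])
    if len(routes) != 1:
        raise InspectionRouteError(f"expected exactly one route for {cidr}, found {len(routes)}")
    return check_route(routes[0], cidr, attachment_id)


# Constructed sample objects shaped like the CLI output shown on this page.
SAMPLE_FIREWALL_ATTACHMENT = {
    "TransitGatewayAttachmentId": "tgw-attach-0123456789abcdef0",
    "ResourceType": "network-function",
    "State": "available",
}
SAMPLE_ROUTE = {
    "DestinationCidrBlock": "0.0.0.0/0",
    "TransitGatewayAttachments": [
        {"ResourceId": "network-firewall",
         "TransitGatewayAttachmentId": "tgw-attach-0123456789abcdef0",
         "ResourceType": "network-function"}],
    "Type": "static",
    "State": "active",
}

if __name__ == "__main__":
    check_attachment(SAMPLE_FIREWALL_ATTACHMENT)
    check_route(SAMPLE_ROUTE, "0.0.0.0/0", "tgw-attach-0123456789abcdef0")
    print("sample attachment and route pass the inspection-route checks")
```

To use it against a real transit gateway, call `create_inspection_route(boto3.client("ec2"), "tgw-rtb-...", "0.0.0.0/0", "tgw-attach-...")`; an `InspectionRouteError` means the route should not be trusted to deliver traffic to the firewall.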