

# AWS Site-to-Site VPN attachments in AWS Transit Gateway
<a name="tgw-vpn-attachments"></a>

You can connect a Site-to-Site VPN attachment to a transit gateway in AWS Transit Gateway, allowing you to connect your VPCs and on-premises networks. Both dynamic and static routes are supported, as well as IPv4 and IPv6. 

**Requirements**
+ Attaching a VPN connection to your transit gateway requires that you specify the VPN customer gateway, which has specific device requirements. Before creating a Site-to-Site VPN attachment, review the customer gateway requirements to ensure that your gateway is set up correctly. For more information about these requirements, including example gateway configuration files, see [Requirements for your Site-to-Site VPN customer gateway device](https://docs.aws.amazon.com/vpn/latest/s2svpn/CGRequirements.html) in the *AWS Site-to-Site VPN User Guide*.
+ For static VPNs, you'll also need to first add the static routes to the transit gateway route table. Static routes in a transit gateway route table that target a VPN attachment are not filtered by the Site-to-Site VPN. This might allow unintended outbound traffic flow when using a BGP-based VPN. For the steps to add a static route to a transit gateway route table, see [Create a static route](tgw-create-static-route.md).
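
Because static routes that target a VPN attachment are not filtered, it is worth reviewing them periodically. The following Python is an added example, not part of the AWS documentation: it parses JSON in the shape returned by the `search-transit-gateway-routes` AWS CLI command and lists every static route that targets a VPN attachment, flagging default routes. The sample data, IDs, and the function name `static_vpn_routes` are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample in the shape of `aws ec2 search-transit-gateway-routes`
# output. All IDs and CIDRs are made up for illustration.
SAMPLE = json.loads("""
{"Routes": [
 {"DestinationCidrBlock": "10.20.0.0/16", "Type": "static", "State": "active",
  "TransitGatewayAttachments": [{"ResourceType": "vpn", "ResourceId": "vpn-0aaa1111bbbb2222c",
   "TransitGatewayAttachmentId": "tgw-attach-0000000000000001a"}]},
 {"DestinationCidrBlock": "0.0.0.0/0", "Type": "static", "State": "active",
  "TransitGatewayAttachments": [{"ResourceType": "vpn", "ResourceId": "vpn-0aaa1111bbbb2222c",
   "TransitGatewayAttachmentId": "tgw-attach-0000000000000001a"}]},
 {"DestinationCidrBlock": "2001:db8:42::/48", "Type": "static", "State": "active",
  "TransitGatewayAttachments": [{"ResourceType": "vpn", "ResourceId": "vpn-0ccc3333dddd4444e",
   "TransitGatewayAttachmentId": "tgw-attach-0000000000000002b"}]},
 {"DestinationCidrBlock": "192.168.50.0/24", "Type": "propagated", "State": "active",
  "TransitGatewayAttachments": [{"ResourceType": "vpn", "ResourceId": "vpn-0ccc3333dddd4444e",
   "TransitGatewayAttachmentId": "tgw-attach-0000000000000002b"}]},
 {"DestinationCidrBlock": "10.30.0.0/16", "Type": "static", "State": "active",
  "TransitGatewayAttachments": [{"ResourceType": "vpc", "ResourceId": "vpc-0eee5555ffff6666a",
   "TransitGatewayAttachmentId": "tgw-attach-0000000000000003c"}]},
 {"DestinationCidrBlock": "10.99.0.0/16", "Type": "static", "State": "blackhole"}
]}
""")


def static_vpn_routes(doc):
    """List static routes that target a VPN attachment; flag default routes."""
    findings = []
    for route in doc.get("Routes", []):
        cidr = route.get("DestinationCidrBlock")
        if route.get("Type") != "static" or cidr is None:
            continue  # skip propagated (BGP-learned) routes and routes without a CIDR
        net = ipaddress.ip_network(cidr, strict=False)
        # A route may carry no attachment list (the blackhole entry in the sample).
        for att in route.get("TransitGatewayAttachments", []):
            if att.get("ResourceType") == "vpn":
                findings.append({"cidr": str(net), "vpn": att["ResourceId"],
                                 "state": route.get("State"),
                                 "is_default": net.prefixlen == 0})
    return findings


if __name__ == "__main__":
    for finding in static_vpn_routes(SAMPLE):
        print(finding)
```

Compare each reported CIDR against the on-premises prefixes you intend to reach over that VPN connection.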

You can create, view, or delete a transit gateway Site-to-Site VPN attachment using either the Amazon VPC console or the AWS CLI.

**Topics**
+ [Create a transit gateway attachment to a VPN](create-vpn-attachment.md)
+ [View a VPN attachment](view-vpn-attachment.md)
+ [Delete a VPN attachment](delete-vpn-attachment.md)

# Create a transit gateway attachment to a VPN in AWS Transit Gateway
<a name="create-vpn-attachment"></a>

**To create a VPN attachment using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. On the navigation pane, choose **Transit Gateway Attachments**.

1. Choose **Create transit gateway attachment**.

1. For **Transit gateway ID**, choose the transit gateway for the attachment. You can choose a transit gateway that you own.

1. For **Attachment type**, choose **VPN**.

1. For **Customer Gateway**, do one of the following:
   + To use an existing customer gateway, choose **Existing**, and then select the gateway to use.

     If your customer gateway is behind a network address translation (NAT) device that's enabled for NAT traversal (NAT-T), use the public IP address of your NAT device, and adjust your firewall rules to unblock UDP port 4500.
   + To create a customer gateway, choose **New**, then for **IP Address**, type a static public IP address, and then enter the **BGP ASN**.

     For **Routing options**, choose whether to use **Dynamic** or **Static**. For more information, see [Site-to-Site VPN Routing Options](https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNRoutingTypes.html) in the *AWS Site-to-Site VPN User Guide*.

1. For **Tunnel Options**, enter the CIDR ranges and pre-shared keys for your tunnel. For more information, see [Site-to-Site VPN architectures](https://docs.aws.amazon.com/vpn/latest/s2svpn/site-site-architectures.html).

1. Choose **Create transit gateway attachment**.

**To create a VPN attachment using the AWS CLI**  
Use the [create-vpn-connection](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpn-connection.html) command.

# View a VPN attachment in AWS Transit Gateway
<a name="view-vpn-attachment"></a>

**To view your VPN attachments using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. On the navigation pane, choose **Transit Gateway Attachments**.

1. In the **Resource type** column, look for **VPN**. These are the VPN attachments. 

1. Choose an attachment to view its details or to add tags.

**To view your VPN attachments using the AWS CLI**  
Use the [describe-transit-gateway-attachments](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-transit-gateway-attachments.html) command.

# Delete a VPN attachment in AWS Transit Gateway
<a name="delete-vpn-attachment"></a>

**To delete a VPN attachment using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. On the navigation pane, choose **Transit Gateway Attachments**.

1. Select the VPN attachment.

1. Choose the resource ID of the VPN connection to navigate to the **VPN Connections** page.

1. Choose **Actions**, **Delete**.

1. When prompted for confirmation, choose **Delete**.

**To delete a VPN attachment using the AWS CLI**  
Use the [delete-vpn-connection](https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-vpn-connection.html) command.