

# VPN Concentrator attachments in AWS Transit Gateway

AWS Site-to-Site VPN Concentrator is a new feature that simplifies multi-site connectivity for distributed enterprises. VPN Concentrator is suitable for customers who need to connect 25+ remote sites to AWS, with each site needing low bandwidth (under 100 Mbps).

## How VPN Concentrator works


A VPN Concentrator appears as a single attachment on your transit gateway, but can host multiple Site-to-Site VPN connections.

Traffic from all VPN connections on the Concentrator is routed through the same transit gateway attachment, allowing you to apply consistent routing policies and security rules across all connected sites. The Concentrator integrates seamlessly with transit gateway route tables, enabling you to control traffic flow between your remote sites and other attachments such as VPCs, other VPN connections, and peering connections.

## Benefits of VPN Concentrator

+ **Cost optimization**: Reduce costs by consolidating multiple low-bandwidth VPN connections onto a single transit gateway attachment, especially beneficial when individual sites don't require full VPN attachment capacity.
+ **Simplified management**: Manage multiple remote site connections through a unified attachment while maintaining individual VPN connection control and monitoring.
+ **Consistent routing**: Apply unified routing policies across all connected sites through a single transit gateway route table association.
+ **Scalable architecture**: Connect up to 100 remote sites using a single Concentrator, with support for up to 5 Concentrators per transit gateway.
+ **Standard VPN features**: Each VPN connection supports the same security, monitoring, and routing capabilities as standard Site-to-Site VPN connections.

**Requirements and limitations**
+ **BGP routing only**: VPN Concentrator supports BGP (dynamic) routing only. Static routing is not supported at launch.
+ **Customer gateway requirements**: Each remote site requires a customer gateway that supports BGP routing. Before creating VPN connections on a Concentrator, review the customer gateway requirements in [Requirements for your Site-to-Site VPN customer gateway device](https://docs.aws.amazon.com/vpn/latest/s2svpn/CGRequirements.html) in the *AWS Site-to-Site VPN User Guide*.
+ **Performance considerations**: Each VPN connection on a Concentrator is designed for a maximum of 100 Mbps bandwidth. For higher bandwidth requirements, consider using standard transit gateway VPN attachments.
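
A pre-flight check of a site inventory against the requirements and limits listed above, as an added example (not AWS code). The `Site` record, its fields and the `plan` function are hypothetical names, and the sample inventory is constructed.

```python
from dataclasses import dataclass

# Limits as stated on this page.
MAX_SITES_PER_CONCENTRATOR = 100
MAX_CONCENTRATORS_PER_TGW = 5
MAX_MBPS_PER_CONNECTION = 100

@dataclass
class Site:  # hypothetical inventory record, not an AWS type
    name: str
    mbps: int                   # expected peak bandwidth of the site
    bgp: bool                   # customer gateway device supports BGP
    behind_nat: bool = False    # customer gateway sits behind a NAT-T device
    udp4500_open: bool = False  # firewall already allows UDP 4500

def plan(sites):
    """Return (groups, rejected): one group per Concentrator, plus name -> reasons."""
    eligible, rejected = [], {}
    for s in sites:
        reasons = []
        if not s.bgp:
            reasons.append("customer gateway lacks BGP; static routing is not supported")
        if s.mbps > MAX_MBPS_PER_CONNECTION:
            reasons.append(f"{s.mbps} Mbps exceeds {MAX_MBPS_PER_CONNECTION} Mbps; "
                           "use a standard transit gateway VPN attachment")
        if s.behind_nat and not s.udp4500_open:
            reasons.append("NAT-T in use but UDP 4500 is still blocked")
        if reasons:
            rejected[s.name] = reasons
        else:
            eligible.append(s)
    step = MAX_SITES_PER_CONCENTRATOR
    groups = [eligible[i:i + step] for i in range(0, len(eligible), step)]
    if len(groups) > MAX_CONCENTRATORS_PER_TGW:
        raise ValueError(f"{len(eligible)} eligible sites need {len(groups)} Concentrators; "
                         f"one transit gateway supports {MAX_CONCENTRATORS_PER_TGW}")
    return groups, rejected

def sample_sites():
    """Constructed inventory: 121 small BGP sites plus three problem sites."""
    sites = [Site(f"branch-{i:03d}", 20, bgp=True) for i in range(121)]
    sites += [Site("legacy-01", 10, bgp=False), Site("dc-01", 400, bgp=True),
              Site("kiosk-01", 5, bgp=True, behind_nat=True)]
    return sites

if __name__ == "__main__":
    groups, rejected = plan(sample_sites())
    print([len(g) for g in groups], rejected)
```

Sites that land in `rejected` need a standard VPN attachment or a customer gateway change before they can be placed on a Concentrator.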

You can create, view, or delete a VPN Concentrator attachment using either the AWS VPC console or the AWS CLI. Individual VPN connections on the Concentrator are managed through the standard VPN connection APIs and console interfaces.

**Topics**
+ [How VPN Concentrator works](#vpn-concentrator-how-it-works)
+ [Benefits of VPN Concentrator](#vpn-concentrator-benefits)
+ [Create a VPN Concentrator attachment](create-vpn-concentrator-attachment.md)
+ [View a VPN Concentrator attachment](view-vpn-concentrator-attachment.md)
+ [Delete a VPN Concentrator attachment](delete-vpn-concentrator-attachment.md)

# Create a VPN Concentrator attachment in AWS Transit Gateway

**Prerequisites**
+ You must have an existing transit gateway in your account.

**To create a VPN Concentrator attachment using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. On the navigation pane, choose **Site-to-Site VPN Concentrators**.

1. Choose **Create Site-to-Site VPN Concentrator**.

1. (Optional) For **Name tag**, enter a name for your Site-to-Site VPN Concentrator.

1. For **Transit gateway**, select an existing transit gateway.

1. (Optional) To add additional tags, choose **Add new tag** and specify the key and value for each tag.

1. Choose **Create Site-to-Site VPN Concentrator**.

After you create the VPN Concentrator attachment, it appears in the list of attachments with a resource type of **VPN Concentrator** and an initial state of **Pending**. When the attachment is ready, the state changes to **Available**. You can then create Site-to-Site VPN connections on this Concentrator.

**To create a VPN Concentrator attachment using the AWS CLI**  
Use the [create-vpn-concentrator](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpn-concentrator.html) command.

**To create a VPN connection on a VPN Concentrator using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. On the navigation pane, choose **Site-to-Site VPN Connections**.

1. Choose **Create VPN connection**.

1. For **Target Gateway Type**, choose **Site-to-Site VPN Concentrator**.

1. For **Site-to-Site VPN Concentrator**, choose the VPN Concentrator where you want to create the VPN connection.

1. For **Customer Gateway**, do one of the following:
   + To use an existing customer gateway, choose **Existing**, and then select the gateway to use. Ensure that the customer gateway supports BGP routing.
   + To create a customer gateway, choose **New**. For **IP Address**, enter the static public IP address for your customer gateway device. For **BGP ASN**, enter the Border Gateway Protocol (BGP) Autonomous System Number (ASN) for your customer gateway.

     If your customer gateway is behind a network address translation (NAT) device that's enabled for NAT traversal (NAT-T), use the public IP address of your NAT device, and adjust your firewall rules to unblock UDP port 4500.

1. For **Routing options**, **Dynamic (requires BGP)** is automatically selected. VPN Concentrator only supports dynamic routing with BGP.

1. For **Pre-shared key storage**, select either **Standard** or **Secrets Manager**.

1. For **Tunnel bandwidth**, **Standard** is automatically selected. VPN Concentrator only supports standard tunnel bandwidth.

1. For **Tunnel inside IP version**, select either **IPv4** or **IPv6**.

1. (Optional) Select **Enable acceleration** to improve performance of VPN tunnels.

1. (Optional) For **Local IPv4 network CIDR**, provide an IPv4 CIDR range.

1. (Optional) For **Remote IPv4 network CIDR**, provide an IPv4 CIDR range.

1. For **Outside IP Address Type**, select either **Public IPv4** or **IPv6**.

1. (Optional) For **Tunnel Options**, you can configure tunnel settings such as inside tunnel IP addresses and pre-shared keys. For more information, see [Site-to-Site VPN architectures](https://docs.aws.amazon.com/vpn/latest/s2svpn/site-site-architectures.html) in the *AWS Site-to-Site VPN User Guide*.

1. (Optional) To add additional tags, choose **Add new tag** and specify the key and value for each tag.

1. Choose **Create VPN connection**.

The VPN connection appears in the list of VPN connections with the VPN Concentrator ID in the **Transit Gateway ID** column and an initial state of **Pending**. When the VPN connection is ready, the state changes to **Available**.

**To create a VPN connection on a VPN Concentrator using the AWS CLI**  
Use the [create-vpn-connection](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpn-connection.html) command and specify the VPN Concentrator ID using the `--vpn-concentrator-id` parameter.

# View a VPN Concentrator attachment in AWS Transit Gateway

**To view your VPN Concentrator attachments using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. On the navigation pane, choose **Transit Gateway Attachments**.

1. In the **Resource type** column, look for **VPN Concentrator**. These are the VPN Concentrator attachments.

1. Choose an attachment to view its details.

**To view VPN connections on a VPN Concentrator using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. On the navigation pane, choose **Site-to-Site VPN Connections**.

1. In the list of VPN connections, identify connections that show a VPN Concentrator ID in the **Transit Gateway ID** column. These are the VPN connections hosted on VPN Concentrators.

1. Choose a VPN connection to view its details.

**To view your VPN Concentrator attachments using the AWS CLI**  
Use the [describe-vpn-concentrator](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-vpn-concentrator.html) command to view VPN Concentrator details, or use the [describe-transit-gateway-attachments](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-transit-gateway-attachments.html) command with a filter for resource type `vpn-concentrator`.

**To view VPN connections on a VPN Concentrator using the AWS CLI**  
Use the [describe-vpn-connections](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-vpn-connections.html) command with a filter for `vpn-concentrator-id` to view VPN connections associated with a specific Concentrator.

# Delete a VPN Concentrator attachment in AWS Transit Gateway

**Prerequisites**
+ All VPN connections on the VPN Concentrator must be deleted before you can delete the Concentrator attachment.
+ Ensure that you have updated your routing configurations to account for the removal of the VPN Concentrator and its associated VPN connections.

**To delete VPN connections on a VPN Concentrator using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. On the navigation pane, choose **Site-to-Site VPN Connections**.

1. Identify the VPN connections associated with your VPN Concentrator by looking for the VPN Concentrator ID in the **Transit Gateway ID** column.

1. Select a VPN connection that you want to delete.

1. Choose **Actions**, **Delete**.

1. When prompted for confirmation, choose **Delete**.

1. Repeat steps 4-6 for each VPN connection associated with the VPN Concentrator.

**To delete a VPN Concentrator attachment using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. On the navigation pane, choose **Transit Gateway Attachments**.

1. Select the VPN Concentrator attachment that you want to delete. Verify that no VPN connections are associated with this Concentrator.

1. Choose **Actions**, **Delete attachment**.

1. When prompted for confirmation, choose **Delete**.

The VPN Concentrator attachment enters the **Deleting** state and will be removed from your account. This process may take a few minutes to complete.

**To delete VPN connections on a VPN Concentrator using the AWS CLI**  
Use the [delete-vpn-connection](https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-vpn-connection.html) command for each VPN connection associated with the VPN Concentrator.

**To delete a VPN Concentrator attachment using the AWS CLI**  
Use the [delete-vpn-concentrator](https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-vpn-concentrator.html) command after all VPN connections have been deleted.