# Create and manage AWS Site-to-Site VPN Concentrators
<a name="create-manage-vpn-concentrators"></a>

 Site-to-Site VPN Concentrators allow you to aggregate and manage multiple VPN connections from remote sites, providing centralized management.

After creating your Site-to-Site VPN Concentrators, you can view and manage them from the Site-to-Site VPN Concentrators main page in the Amazon VPC Console. This dashboard displays all active VPN Concentrators managing secure connections between AWS and your remote sites.

**Topics**
+ [Create a VPN Concentrator](create-vpn-concentrator.md)
+ [Manage VPN Concentrator tags](manage-vpn-concentrator-tags.md)
+ [Delete a VPN Concentrator](delete-vpn-concentrator.md)

# Create an AWS Site-to-Site VPN Concentrator
<a name="create-vpn-concentrator"></a>

Create a Concentrator using either the Amazon VPC Console, the APIs, or the AWS CLI. Before you create a Concentrator, you must first have created a transit gateway to associate with the Concentrator. For more information about creating transit gateways, see [Create a transit gateway](https://docs.aws.amazon.com/vpc/latest/tgw/create-tgw.html) in the *Amazon VPC AWS Transit Gateway Guide*.

## Create a Site-to-Site VPN Concentrator using the console
<a name="create-Concentrator-console"></a>

To create a Site-to-Site VPN Concentrator using the AWS Management Console, follow these steps:

**To create a Site-to-Site VPN Concentrator using the console**

1. Open the Amazon VPC Console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Site-to-Site VPN Concentrators**.

1. Choose **Create Site-to-Site VPN Concentrator**.

1. (Optional) For **Name tag**, enter a name for your Site-to-Site VPN Concentrator.

1. For **Transit gateway**, select an existing transit gateway.

1. (Optional) Add tags to help identify and organize your Site-to-Site VPN Concentrator.

   1. Choose **Add new tag**.

   1. For **Key**, enter a tag key (for example, **Name**).

   1. For **Value**, enter a tag value (for example, **Production-VPN-Concentrator**).

   1. Repeat the previous steps to add additional tags as needed.

1. Choose **Create Site-to-Site VPN Concentrator**.

After creation, the Site-to-Site VPN Concentrator will be in a `pending` state while it is being provisioned. Once ready, the state will change to `available` and you can begin creating VPN connections that use the Site-to-Site VPN Concentrator.

## Create a Site-to-Site VPN Concentrator using the CLI
<a name="create-Concentrator-cli"></a>

Before creating a Site-to-Site VPN Concentrator using the CLI, ensure you have the following:
+ An existing Transit Gateway in your AWS account
+ Appropriate IAM permissions to create Site-to-Site VPN Concentrators
+ The ID of the Transit Gateway you want to attach the Concentrator to

The following example creates a Site-to-Site VPN Concentrator for the specified transit gateway:

```
aws ec2 create-vpn-concentrator --transit-gateway-id tgw-123456789
```

The following shows a successful response:

```
{
    "VpnConcentrator": {
        "VpnConcentratorId": "vcn-0123456789abcdef0",
        "State": "pending",
        "TransitGatewayId": "tgw-123456789",
        "CreationTime": "2025-09-29T17:26:31.000Z",
        "Tags": []
    }
}
```

## Create a Site-to-Site VPN Concentrator using the API
<a name="create-Concentrator-api"></a>

You can create a Site-to-Site VPN Concentrator using the CreateVpnConcentrators API.

The API accepts the following key parameters:

`TransitGatewayId`  
The ID of the Transit Gateway to attach the Site-to-Site VPN Concentrator to.

`TagSpecification`  
Tags to assign to the Site-to-Site VPN Concentrator for resource organization and billing.

The following example shows how to create a Site-to-Site VPN Concentrator attached to a Transit Gateway:

```
POST / HTTP/1.1
Host: ec2.us-east-1.amazonaws.com
Content-Type: application/x-www-form-urlencoded
Authorization: AWS4-HMAC-SHA256 Credential=...

Action=CreateVpnConcentrator
&Version=2016-11-15
&TransitGatewayId=tgw-0123456789abcdef0
&TagSpecification.1.ResourceType=vpn-concentrator
&TagSpecification.1.Tag.1.Key=Name
&TagSpecification.1.Tag.1.Value=MyVpnConcentrator
```

Upon successful creation, the API returns details about the newly created Site-to-Site VPN Concentrator:

```
<?xml version="1.0" encoding="UTF-8"?>
<CreateVpnConcentratorResponse xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
    <requestId>12345678-1234-1234-1234-123456789012</requestId>
    <vpnConcentrator>
        <vpnConcentratorId>vcn-0123456789abcdef0</vpnConcentratorId>
        <state>pending</state>
        <transitGatewayId>tgw-0123456789abcdef0</transitGatewayId>
        <creationTime>2024-01-15T10:30:00.000Z</creationTime>
        <tagSet>
            <item>
                <key>Name</key>
                <value>MyVpnConcentrator</value>
            </item>
        </tagSet>
    </vpnConcentrator>
</CreateVpnConcentratorResponse>
```

# Manage AWS Site-to-Site VPN Concentrator tags
<a name="manage-vpn-concentrator-tags"></a>

Tags are key-value pairs that help you organize and manage your Site-to-Site VPN Concentrators. You can use tags to categorize Site-to-Site VPN Concentrators by purpose, environment, cost center, or any other criteria that makes sense for your organization.

## Manage tags using the console
<a name="add-Concentrator-tags-console"></a>

You can add or delete tags for a Site-to-Site VPN Concentrator using the AWS Management Console.

**To add tags to a Site-to-Site VPN Concentrator**

1. Open the Amazon VPC Console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Site-to-Site VPN Concentrators**.

1. Select the Site-to-Site VPN Concentrator that you want to tag.

1. Choose the **Tags** tab.

1. Choose **Manage tags**.

1. Choose **Add new tag**.

1. For **Key**, enter a tag key (for example, **Environment**).

1. For **Value**, enter a tag value (for example, **Production**).

1. Choose **Save changes**.

**To delete tags from a Site-to-Site VPN Concentrator**

1. Open the Amazon VPC Console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Site-to-Site VPN Concentrators.**

1. Select the Site-to-Site VPN Concentrator from which you want to remove tags.

1. Choose the **Tags** tab.

1. Choose **Manage tags**.

1. For each tag you want to remove, choose **Remove**.

1. Choose **Save changes**.

## Manage tags using the CLI
<a name="manage-Concentrator-tags-cli"></a>

You can add, modify, or remove tags using the AWS CLI.

**Add tags**  
The following example adds tags to a Site-to-Site VPN Concentrator:

```
aws ec2 create-tags --resources vcn-0123456789abcdef0 --tags Key=Environment,Value=Production Key=Team,Value=NetworkOps
```

This command returns no output on success.

**View tags**  
The following example describes the tags for a Site-to-Site VPN Concentrator:

```
aws ec2 describe-tags --filters "Name=resource-id,Values=vcn-0123456789abcdef0"
```

The following response is returned:

```
{
    "Tags": [
        {
            "Key": "Environment",
            "ResourceId": "vcn-0123456789abcdef0",
            "ResourceType": "vpn-concentrator",
            "Value": "Production"
        },
        {
            "Key": "Team",
            "ResourceId": "vcn-0123456789abcdef0",
            "ResourceType": "vpn-concentrator",
            "Value": "NetworkOps"
        }
    ]
}
```

**Remove tags**  
The following example removes tags from a Site-to-Site VPN Concentrator:

```
aws ec2 delete-tags --resources vcn-0123456789abcdef0 --tags Key=Environment Key=Team
```

This command returns no output on success.

## Manage tags using the API
<a name="manage-Concentrator-tags-api"></a>

You can programmatically manage Site-to-Site VPN Concentrator tags using the Amazon EC2 API operations.

**CreateTags**  
Use the `CreateTags` operation to add or update tags:

```
POST / HTTP/1.1
Host: ec2.region.amazonaws.com
Content-Type: application/x-www-form-urlencoded

Action=CreateTags
&ResourceId.1=vcn-0123456789abcdef0
&Tag.1.Key=Environment
&Tag.1.Value=Production
&Tag.2.Key=Team
&Tag.2.Value=NetworkOps
&Version=2016-11-15
```

The following response is returned:

```
<?xml version="1.0" encoding="UTF-8"?>
<CreateTagsResponse xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
    <requestId>7a62c49f-347e-4fc4-9331-6e8eEXAMPLE</requestId>
    <return>true</return>
</CreateTagsResponse>
```

**DescribeTags**  
Use the `DescribeTags` operation to retrieve tags:

```
POST / HTTP/1.1
Host: ec2.region.amazonaws.com
Content-Type: application/x-www-form-urlencoded

Action=DescribeTags
&Filter.1.Name=resource-id
&Filter.1.Value.1=vcn-0123456789abcdef0
&Version=2016-11-15
```

The following response is returned:

```
<?xml version="1.0" encoding="UTF-8"?>
<DescribeTagsResponse xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
    <requestId>7a62c49f-347e-4fc4-9331-6e8eEXAMPLE</requestId>
    <tagSet>
        <item>
            <resourceId>vcn-0123456789abcdef0</resourceId>
            <resourceType>vpn-concentrator</resourceType>
            <key>Environment</key>
            <value>Production</value>
        </item>
        <item>
            <resourceId>vcn-0123456789abcdef0</resourceId>
            <resourceType>vpn-concentrator</resourceType>
            <key>Team</key>
            <value>NetworkOps</value>
        </item>
    </tagSet>
</DescribeTagsResponse>
```

**DeleteTags**  
Use the `DeleteTags` operation to remove tags:

```
POST / HTTP/1.1
Host: ec2.region.amazonaws.com
Content-Type: application/x-www-form-urlencoded

Action=DeleteTags
&ResourceId.1=vcn-0123456789abcdef0
&Tag.1.Key=Environment
&Tag.2.Key=Team
&Version=2016-11-15
```

The following response is returned:

```
<?xml version="1.0" encoding="UTF-8"?>
<DeleteTagsResponse xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
    <requestId>7a62c49f-347e-4fc4-9331-6e8eEXAMPLE</requestId>
    <return>true</return>
</DeleteTagsResponse>
```

# Delete an AWS Site-to-Site VPN Concentrator
<a name="delete-vpn-concentrator"></a>

When you no longer need a Site-to-Site VPN Concentrator, you can delete it to stop incurring charges. Deleting a Site-to-Site VPN Concentrator permanently removes it and all associated configurations.

## Prerequisites
<a name="delete-Concentrator-prerequisites"></a>

Before deleting a Site-to-Site VPN Concentrator, ensure the following:
+ All VPN connections associated with the Site-to-Site VPN Concentrator are deleted.
+ You have the necessary permissions to delete Site-to-Site VPN Concentrators (`ec2:DeleteVpnConcentrator`).

## Delete a Site-to-Site VPN Concentrator using the console
<a name="delete-Concentrator-console"></a>

**To delete a Site-to-Site VPN Concentrator**

1. Open the Amazon VPC Console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Site-to-Site Concentrators**.

1. Select the Site-to-Site VPN Concentrator that you want to delete.

1. Choose **Actions**, and then choose **Delete Site-to-Site VPN Concentrator**.

1. In the confirmation dialog, type **delete** to confirm the deletion.

1. Choose **Delete**.

## Delete a Site-to-Site VPN Concentrator using the CLI
<a name="delete-Concentrator-cli"></a>

Use the `delete-vpn-concentrator` command to delete a Site-to-Site VPN Concentrator. You'll need the `vpn-concentrator-id` in order to delete it.

The following example deletes a Site-to-Site VPN Concentrator:

```
aws ec2 delete-vpn-concentrator --vpn-concentrator-id vcn-0123456789abcdef0
```

The following response is returned:

```
{
    "VpnConcentrator": {
        "VpnConcentratorId": "vcn-0123456789abcdef0",
        "State": "deleting",
        "Message": "The Site-to-Site VPN Concentrator vcn-0123456789abcdef0 is being deleted and will be removed from your account."
    }
}
```

## Delete a Site-to-Site VPN Concentrator using the API
<a name="delete-Concentrator-api"></a>

Use the `DeleteVpnConcentrator` operation to delete a Site-to-Site VPN Concentrator. You'll need the `VpnConcentratorId` in order to delete it.

The following example deletes a Site-to-Site VPN Concentrator:

```
POST / HTTP/1.1
Host: ec2.region.amazonaws.com
Content-Type: application/x-www-form-urlencoded

Action=DeleteVpnConcentrator
&VpnConcentratorId=vcn-0123456789abcdef0
&Version=2016-11-15
```

The following response is returned:

```
<?xml version="1.0" encoding="UTF-8"?>
<DeleteVpnConcentratorResponse xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
    <requestId>7a62c49f-347e-4fc4-9331-6e8eEXAMPLE</requestId>
    <vpnConcentrator>
        <vpnConcentratorId>vcn-0123456789abcdef0</vpnConcentratorId>
        <state>deleting</state>
        <message>The Site-to-Site VPN Concentrator vcn-0123456789abcdef0 is being deleted and will be removed from your account.</message>
    </vpnConcentrator>
</DeleteVpnConcentratorResponse>
```