

# Create a private IP AWS Site-to-Site VPN over Direct Connect
<a name="private-ip-dx-steps"></a>

To create a private IP VPN over Direct Connect, follow these steps. Before you create the private IP VPN, you need to ensure that a transit gateway and a Direct Connect gateway are first created. After creating the two gateways, you then need to create an association between them. These prerequisites are described in the following table. Once you've created and associated the two gateways, you'll create a VPN customer gateway and a VPN connection that uses that association.

## Prerequisites
<a name="private-ip-dx-prereqs"></a>

The following table describes the prerequisites for creating a private IP VPN over Direct Connect.


| Item | Steps | Information | 
| --- | --- | --- | 
| Prepare the transit gateway for Site-to-Site VPN. |  Create the transit gateway by using the Amazon Virtual Private Cloud (VPC) console or using the command-line or API. See [Transit gateways](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-transit-gateways.html) in the *Amazon VPC Transit Gateways Guide*.  | A transit gateway is a network transit hub that you can use to interconnect your VPCs and on-premises networks. You can create a new transit gateway or use an existing one for the private IP VPN connection. When you create the transit gateway, or modify an existing transit gateway, you specify a private IP CIDR block for the connection. When specifying the transit gateway CIDR block to be associated with your Private IP VPN, ensure the CIDR block does not overlap with any IP addresses for any other network attachments on the transit gateway. If any IP CIDR blocks do overlap, it may cause configuration issues with your customer gateway device.  | 
| Create the Direct Connect gateway for Site-to-Site VPN. | Create the Direct Connect gateway by using the Direct Connect console or by using the command-line or API. See [Create an AWS Direct Connect gateway](https://docs.aws.amazon.com/directconnect/latest/UserGuide/create-direct-connect-gateway.html) in the *Direct Connect User Guide*. | A Direct Connect gateway allows you to connect virtual interfaces (VIFs) across multiple AWS Regions. This gateway is used to connect to your VIF. | 
| Create the transit gateway association for Site-to-Site VPN. |  Create the association between the Direct Connect gateway and the transit gateway by using the Direct Connect console or using the command-line or API. See [Associate or disassociate Direct Connect with a transit gateway](https://docs.aws.amazon.com/directconnect/latest/UserGuide/associate-tgw-with-direct-connect-gateway.html) in the *Direct Connect User Guide*.  |  After creating the Direct Connect gateway, create a transit gateway association for the Direct Connect gateway. Specify the private IP CIDR for the transit gateway that was identified earlier in the allowed prefixes list. | 

## Create the customer gateway and connection for Site-to-Site VPN
<a name="private-ip-dx-cgw"></a>

A customer gateway is a resource that you create in AWS. It represents the customer gateway device in your on-premises network. When you create a customer gateway, you provide information about your device to AWS. For more details, see [Customer gateway](how_it_works.md#CustomerGateway).

**To create a customer gateway using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Customer gateways**.

1. Choose **Create customer gateway**.

1. (Optional) For **Name tag**, enter a name for your customer gateway. Doing so creates a tag with a key of `Name` and the value that you specify.

1. For **BGP ASN**, enter a Border Gateway Protocol (BGP) Autonomous System Number (ASN) for your customer gateway. 

1. For **IP address**, enter the private IP address for your customer gateway device.
**Important**  
When configuring AWS Private IP AWS Site-to-Site VPN, you must specify your own tunnel endpoint IP addresses using RFC 1918 addresses. Do not use the point-to-point IP addresses for the eBGP peering between your customer gateway router and the Direct Connect endpoint. AWS recommends using a loopback or LAN interface on your customer gateway router as the source or destination address instead of point-to-point connections.  
For more information about RFC 1918, see [Address Allocation for Private Internets](https://datatracker.ietf.org/doc/html/rfc1918).

1. (Optional) For **Device**, enter a name for the device that hosts this customer gateway.

1. Choose **Create customer gateway**.

1. In the navigation pane, choose **Site-to-Site VPN connections**.

1. Choose **Create VPN connection**.

1. (Optional) For **Name tag**, enter a name for your Site-to-Site VPN connection. Doing so creates a tag with a key of `Name` and the value that you specify.

1. For **Target gateway type**, choose **Transit gateway**. Then, choose the transit gateway that you identified earlier.

1. For **Customer gateway**, select **Existing**. Then, choose the customer gateway that you created earlier.

1. Select one of the routing options based on whether your customer gateway device supports Border Gateway Protocol (BGP):
   + If your customer gateway device supports BGP, choose **Dynamic (requires BGP)**.
   + If your customer gateway device does not support BGP, choose **Static**.

1. For **Tunnel inside IP version**, specify whether the VPN tunnels support IPv4 or IPv6 traffic.

1. (Optional) If you specified **IPv4** for **Tunnel inside IP version**, you can optionally specify the IPv4 CIDR ranges for the customer gateway and AWS sides that are allowed to communicate over the VPN tunnels. The default for both ranges is `0.0.0.0/0`.

   If you specified **IPv6** for **Tunnel inside IP version**, you can optionally specify the IPv6 CIDR ranges for the customer gateway and AWS sides that are allowed to communicate over the VPN tunnels. The default for both ranges is `::/0`.

1. For **Outside IP address type**, choose **PrivateIpv4**.

1. For **Transport attachment ID**, choose the transit gateway attachment for the appropriate Direct Connect gateway.

1. Choose **Create VPN connection**.

**Note**  
The **Enable acceleration** option is not applicable for VPN connections over Direct Connect.

**To create a customer gateway using the command line or API**
+ [CreateCustomerGateway](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateCustomerGateway.html) (Amazon EC2 Query API)
+ [create-customer-gateway](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-customer-gateway.html) (AWS CLI)
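The console procedure above, expressed as the parameters for the `CreateCustomerGateway` and `CreateVpnConnection` API calls, with the checks the procedure calls for applied first: the customer gateway IP must be an RFC 1918 address and must not be the Direct Connect point-to-point peering address, and the transit gateway CIDR must not overlap the CIDRs of other attachments. This is an added example written in Python against the boto3 EC2 client, not AWS's own code; the resource ids, ASN, addresses and the `point_to_point_ips` parameter are constructed placeholders.

```python
"""Assemble and validate the private IP VPN over Direct Connect API calls.

Added example (not AWS's own code): mirrors the console steps as
CreateCustomerGateway / CreateVpnConnection parameters and applies the
checks the procedure calls for before anything is sent to AWS.
"""
import ipaddress

# RFC 1918 address space; the customer gateway (tunnel endpoint) IP must be inside it.
RFC1918_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True if addr is an IPv4 address inside one of the RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918_NETS)


def customer_gateway_ip_problem(ip_address: str, point_to_point_ips=()):
    """Return a reason string if ip_address is unsuitable as the tunnel endpoint, else None.

    point_to_point_ips (constructed parameter) are the eBGP peering addresses between
    the customer router and the Direct Connect endpoint; they must not be reused as the
    tunnel endpoint. Use a loopback or LAN interface address instead.
    """
    if not is_rfc1918(ip_address):
        return f"{ip_address} is not an RFC 1918 address"
    if ip_address in set(point_to_point_ips):
        return f"{ip_address} is the Direct Connect point-to-point peering address"
    return None


def overlapping_cidrs(cidr: str, existing_cidrs) -> list:
    """CIDRs in existing_cidrs that overlap cidr (the transit gateway CIDR chosen for the VPN)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [c for c in existing_cidrs if net.overlaps(ipaddress.ip_network(c, strict=False))]


def build_customer_gateway_request(bgp_asn: int, ip_address: str, device_name=None, point_to_point_ips=()):
    """Parameters for ec2.create_customer_gateway (EC2 CreateCustomerGateway API)."""
    problem = customer_gateway_ip_problem(ip_address, point_to_point_ips)
    if problem:
        raise ValueError(problem)
    if not (1 <= int(bgp_asn) <= 4294967295):  # must be a positive 32-bit ASN
        raise ValueError(f"BGP ASN {bgp_asn} out of range")
    request = {"Type": "ipsec.1", "BgpAsn": int(bgp_asn), "IpAddress": ip_address}
    if device_name:
        request["DeviceName"] = device_name
    return request


def build_vpn_connection_request(customer_gateway_id, transit_gateway_id, transport_attachment_id,
                                 static_routes_only=False,
                                 local_ipv4_cidr="0.0.0.0/0", remote_ipv4_cidr="0.0.0.0/0"):
    """Parameters for ec2.create_vpn_connection (EC2 CreateVpnConnection API).

    OutsideIpAddressType=PrivateIpv4 plus the Direct Connect gateway's transit gateway
    attachment id is what makes this a private IP VPN. EnableAcceleration is deliberately
    left unset because it does not apply to VPN connections over Direct Connect.
    """
    for cidr in (local_ipv4_cidr, remote_ipv4_cidr):
        ipaddress.ip_network(cidr, strict=False)  # raises ValueError on a malformed CIDR
    return {
        "Type": "ipsec.1",
        "CustomerGatewayId": customer_gateway_id,
        "TransitGatewayId": transit_gateway_id,
        "Options": {
            "StaticRoutesOnly": static_routes_only,          # Static vs Dynamic (requires BGP)
            "TunnelInsideIpVersion": "ipv4",
            "OutsideIpAddressType": "PrivateIpv4",
            "TransportTransitGatewayAttachmentId": transport_attachment_id,
            "LocalIpv4NetworkCidr": local_ipv4_cidr,
            "RemoteIpv4NetworkCidr": remote_ipv4_cidr,
        },
    }


def create_private_ip_vpn(ec2, cgw_request, transit_gateway_id, transport_attachment_id, **vpn_kwargs):
    """Run both calls against a boto3 EC2 client; returns (customer gateway id, VPN connection id)."""
    cgw_id = ec2.create_customer_gateway(**cgw_request)["CustomerGateway"]["CustomerGatewayId"]
    vpn_request = build_vpn_connection_request(cgw_id, transit_gateway_id, transport_attachment_id, **vpn_kwargs)
    vpn_id = ec2.create_vpn_connection(**vpn_request)["VpnConnection"]["VpnConnectionId"]
    return cgw_id, vpn_id


if __name__ == "__main__":
    # Constructed placeholder values; replace with your own ids before running against AWS.
    tgw_cidr = "10.200.0.0/24"
    other_attachment_cidrs = ["10.0.0.0/16", "192.168.0.0/16"]
    clash = overlapping_cidrs(tgw_cidr, other_attachment_cidrs)
    if clash:
        raise SystemExit(f"transit gateway CIDR {tgw_cidr} overlaps {clash}")
    cgw = build_customer_gateway_request(65010, "10.1.255.1", "edge-router-1",
                                         point_to_point_ips=("169.254.10.1", "169.254.10.2"))
    vpn = build_vpn_connection_request("cgw-PLACEHOLDER", "tgw-PLACEHOLDER", "tgw-attach-PLACEHOLDER")
    print(cgw)
    print(vpn)
    # With real credentials: create_private_ip_vpn(boto3.client("ec2"), cgw, "tgw-...", "tgw-attach-...")
```

Run it as-is to see the two request bodies; only `create_private_ip_vpn` talks to AWS, and it takes the boto3 client as an argument so the validation can be exercised offline.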