# Work with AWS Site-to-Site VPN
<a name="working-with-site-site"></a>

You can work with Site-to-Site VPN resources using the Amazon VPC console or the AWS CLI.

**Topics**
+ [Create and manage VPN Concentrators](create-manage-vpn-concentrators.md)
+ [Create a VPN connection](create-vpn-connection.md)
+ [Test a VPN connection](HowToTestEndToEnd_Linux.md)
+ [Delete a VPN connection and gateway](delete-vpn.md)
+ [Modify the target gateway of a VPN connection](modify-vpn-target.md)
+ [Modify VPN connection options](modify-vpn-connection-options.md)
+ [Modify VPN tunnel options](modify-vpn-tunnel-options.md)
+ [Edit static routes for a VPN connection](vpn-edit-static-routes.md)
+ [Change the customer gateway for a VPN connection](change-vpn-cgw.md)
+ [Replace compromised credentials](CompromisedCredentials.md)
+ [Rotate VPN tunnel endpoint certificates](rotate-vpn-certificate.md)
+ [Private IP VPN with Direct Connect](private-ip-dx.md)

# Create and manage AWS Site-to-Site VPN Concentrators
<a name="create-manage-vpn-concentrators"></a>

Site-to-Site VPN Concentrators allow you to aggregate and manage multiple VPN connections from remote sites, providing centralized management.

After creating your Site-to-Site VPN Concentrators, you can view and manage them from the Site-to-Site VPN Concentrators main page in the Amazon VPC Console. This dashboard displays all active VPN Concentrators managing secure connections between AWS and your remote sites.

**Topics**
+ [Create a VPN Concentrator](create-vpn-concentrator.md)
+ [Manage VPN Concentrator tags](manage-vpn-concentrator-tags.md)
+ [Delete a VPN Concentrator](delete-vpn-concentrator.md)

# Create an AWS Site-to-Site VPN Concentrator
<a name="create-vpn-concentrator"></a>

Create a Concentrator using either the Amazon VPC Console, the APIs, or the AWS CLI. Before you create a Concentrator, you must first have created a transit gateway to associate with the Concentrator. For more information about creating transit gateways, see [Create a transit gateway](https://docs.aws.amazon.com/vpc/latest/tgw/create-tgw.html) in the *Amazon VPC AWS Transit Gateway Guide*.

## Create a Site-to-Site VPN Concentrator using the console
<a name="create-Concentrator-console"></a>

To create a Site-to-Site VPN Concentrator using the AWS Management Console, follow these steps:

**To create a Site-to-Site VPN Concentrator using the console**

1. Open the Amazon VPC Console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Site-to-Site VPN Concentrators**.

1. Choose **Create Site-to-Site VPN Concentrator**.

1. (Optional) For **Name tag**, enter a name for your Site-to-Site VPN Concentrator.

1. For **Transit gateway**, select an existing transit gateway.

1. (Optional) Add tags to help identify and organize your Site-to-Site VPN Concentrator.

   1. Choose **Add new tag**.

   1. For **Key**, enter a tag key (for example, **Name**).

   1. For **Value**, enter a tag value (for example, **Production-VPN-Concentrator**).

   1. Repeat the previous steps to add additional tags as needed.

1. Choose **Create Site-to-Site VPN Concentrator**.

After creation, the Site-to-Site VPN Concentrator will be in a `pending` state while it is being provisioned. Once ready, the state will change to `available` and you can begin creating VPN connections that use the Site-to-Site VPN Concentrator.

## Create a Site-to-Site VPN Concentrator using the CLI
<a name="create-Concentrator-cli"></a>

Before creating a Site-to-Site VPN Concentrator using the CLI, ensure you have the following:
+ An existing Transit Gateway in your AWS account
+ Appropriate IAM permissions to create Site-to-Site VPN Concentrators
+ The ID of the Transit Gateway you want to attach the Concentrator to

The following example creates a Site-to-Site VPN Concentrator for the specified transit gateway:

```
aws ec2 create-vpn-concentrator --transit-gateway-id tgw-123456789
```

The following shows a successful response:

```
{
    "VpnConcentrator": {
        "VpnConcentratorId": "vcn-0123456789abcdef0",
        "State": "pending",
        "TransitGatewayId": "tgw-123456789",
        "CreationTime": "2025-09-29T17:26:31.000Z",
        "Tags": []
    }
}
```

## Create a Site-to-Site VPN Concentrator using the API
<a name="create-Concentrator-api"></a>

You can create a Site-to-Site VPN Concentrator using the `CreateVpnConcentrator` API action.

The API accepts the following key parameters:

`TransitGatewayId`  
The ID of the Transit Gateway to attach the Site-to-Site VPN Concentrator to.

`TagSpecification`  
Tags to assign to the Site-to-Site VPN Concentrator for resource organization and billing.

The following example shows how to create a Site-to-Site VPN Concentrator attached to a Transit Gateway:

```
POST / HTTP/1.1
Host: ec2.us-east-1.amazonaws.com
Content-Type: application/x-www-form-urlencoded
Authorization: AWS4-HMAC-SHA256 Credential=...

Action=CreateVpnConcentrator
&Version=2016-11-15
&TransitGatewayId=tgw-0123456789abcdef0
&TagSpecification.1.ResourceType=vpn-concentrator
&TagSpecification.1.Tag.1.Key=Name
&TagSpecification.1.Tag.1.Value=MyVpnConcentrator
```

Upon successful creation, the API returns details about the newly created Site-to-Site VPN Concentrator:

```
<?xml version="1.0" encoding="UTF-8"?>
<CreateVpnConcentratorResponse xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
    <requestId>12345678-1234-1234-1234-123456789012</requestId>
    <vpnConcentrator>
        <vpnConcentratorId>vcn-0123456789abcdef0</vpnConcentratorId>
        <state>pending</state>
        <transitGatewayId>tgw-0123456789abcdef0</transitGatewayId>
        <creationTime>2024-01-15T10:30:00.000Z</creationTime>
        <tagSet>
            <item>
                <key>Name</key>
                <value>MyVpnConcentrator</value>
            </item>
        </tagSet>
    </vpnConcentrator>
</CreateVpnConcentratorResponse>
```

# Manage AWS Site-to-Site VPN Concentrator tags
<a name="manage-vpn-concentrator-tags"></a>

Tags are key-value pairs that help you organize and manage your Site-to-Site VPN Concentrators. You can use tags to categorize Site-to-Site VPN Concentrators by purpose, environment, cost center, or any other criteria that makes sense for your organization.

## Manage tags using the console
<a name="add-Concentrator-tags-console"></a>

You can add or delete tags for a Site-to-Site VPN Concentrator using the AWS Management Console.

**To add tags to a Site-to-Site VPN Concentrator**

1. Open the Amazon VPC Console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Site-to-Site VPN Concentrators**.

1. Select the Site-to-Site VPN Concentrator that you want to tag.

1. Choose the **Tags** tab.

1. Choose **Manage tags**.

1. Choose **Add new tag**.

1. For **Key**, enter a tag key (for example, **Environment**).

1. For **Value**, enter a tag value (for example, **Production**).

1. Choose **Save changes**.

**To delete tags from a Site-to-Site VPN Concentrator**

1. Open the Amazon VPC Console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Site-to-Site VPN Concentrators**.

1. Select the Site-to-Site VPN Concentrator from which you want to remove tags.

1. Choose the **Tags** tab.

1. Choose **Manage tags**.

1. For each tag you want to remove, choose **Remove**.

1. Choose **Save changes**.

## Manage tags using the CLI
<a name="manage-Concentrator-tags-cli"></a>

You can add, modify, or remove tags using the AWS CLI.

**Add tags**  
The following example adds tags to a Site-to-Site VPN Concentrator:

```
aws ec2 create-tags --resources vcn-0123456789abcdef0 --tags Key=Environment,Value=Production Key=Team,Value=NetworkOps
```

This command returns no output on success.

**View tags**  
The following example describes the tags for a Site-to-Site VPN Concentrator:

```
aws ec2 describe-tags --filters "Name=resource-id,Values=vcn-0123456789abcdef0"
```

The following response is returned:

```
{
    "Tags": [
        {
            "Key": "Environment",
            "ResourceId": "vcn-0123456789abcdef0",
            "ResourceType": "vpn-concentrator",
            "Value": "Production"
        },
        {
            "Key": "Team",
            "ResourceId": "vcn-0123456789abcdef0",
            "ResourceType": "vpn-concentrator",
            "Value": "NetworkOps"
        }
    ]
}
```

**Remove tags**  
The following example removes tags from a Site-to-Site VPN Concentrator:

```
aws ec2 delete-tags --resources vcn-0123456789abcdef0 --tags Key=Environment Key=Team
```

This command returns no output on success.

## Manage tags using the API
<a name="manage-Concentrator-tags-api"></a>

You can programmatically manage Site-to-Site VPN Concentrator tags using the Amazon EC2 API operations.

**CreateTags**  
Use the `CreateTags` operation to add or update tags:

```
POST / HTTP/1.1
Host: ec2.region.amazonaws.com
Content-Type: application/x-www-form-urlencoded

Action=CreateTags
&ResourceId.1=vcn-0123456789abcdef0
&Tag.1.Key=Environment
&Tag.1.Value=Production
&Tag.2.Key=Team
&Tag.2.Value=NetworkOps
&Version=2016-11-15
```

The following response is returned:

```
<?xml version="1.0" encoding="UTF-8"?>
<CreateTagsResponse xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
    <requestId>7a62c49f-347e-4fc4-9331-6e8eEXAMPLE</requestId>
    <return>true</return>
</CreateTagsResponse>
```

**DescribeTags**  
Use the `DescribeTags` operation to retrieve tags:

```
POST / HTTP/1.1
Host: ec2.region.amazonaws.com
Content-Type: application/x-www-form-urlencoded

Action=DescribeTags
&Filter.1.Name=resource-id
&Filter.1.Value.1=vcn-0123456789abcdef0
&Version=2016-11-15
```

The following response is returned:

```
<?xml version="1.0" encoding="UTF-8"?>
<DescribeTagsResponse xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
    <requestId>7a62c49f-347e-4fc4-9331-6e8eEXAMPLE</requestId>
    <tagSet>
        <item>
            <resourceId>vcn-0123456789abcdef0</resourceId>
            <resourceType>vpn-concentrator</resourceType>
            <key>Environment</key>
            <value>Production</value>
        </item>
        <item>
            <resourceId>vcn-0123456789abcdef0</resourceId>
            <resourceType>vpn-concentrator</resourceType>
            <key>Team</key>
            <value>NetworkOps</value>
        </item>
    </tagSet>
</DescribeTagsResponse>
```

**DeleteTags**  
Use the `DeleteTags` operation to remove tags:

```
POST / HTTP/1.1
Host: ec2.region.amazonaws.com
Content-Type: application/x-www-form-urlencoded

Action=DeleteTags
&ResourceId.1=vcn-0123456789abcdef0
&Tag.1.Key=Environment
&Tag.2.Key=Team
&Version=2016-11-15
```

The following response is returned:

```
<?xml version="1.0" encoding="UTF-8"?>
<DeleteTagsResponse xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
    <requestId>7a62c49f-347e-4fc4-9331-6e8eEXAMPLE</requestId>
    <return>true</return>
</DeleteTagsResponse>
```
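
The three Query API requests above share one encoding (indexed `Tag.N.Key`/`Tag.N.Value` parameters) and one namespaced XML response shape. The following added example, not AWS code, parses a `DescribeTagsResponse` body and works out which `CreateTags` and `DeleteTags` requests bring a Concentrator to a desired tag set; the sample XML is constructed from the response shown above.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple
from urllib.parse import urlencode

EC2_NS = "{http://ec2.amazonaws.com/doc/2016-11-15/}"  # every element in the response is in this namespace
API_VERSION = "2016-11-15"

# Constructed sample: the DescribeTagsResponse body shown above, verbatim.
SAMPLE_DESCRIBE_TAGS = """<?xml version="1.0" encoding="UTF-8"?>
<DescribeTagsResponse xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
    <requestId>7a62c49f-347e-4fc4-9331-6e8eEXAMPLE</requestId>
    <tagSet>
        <item>
            <resourceId>vcn-0123456789abcdef0</resourceId>
            <resourceType>vpn-concentrator</resourceType>
            <key>Environment</key>
            <value>Production</value>
        </item>
        <item>
            <resourceId>vcn-0123456789abcdef0</resourceId>
            <resourceType>vpn-concentrator</resourceType>
            <key>Team</key>
            <value>NetworkOps</value>
        </item>
    </tagSet>
</DescribeTagsResponse>
"""


def parse_describe_tags(xml_text: str) -> Dict[str, Dict[str, str]]:
    """Return {resourceId: {key: value}} from a DescribeTagsResponse body.

    Tag lookups must carry the EC2 namespace; a bare "item" would match nothing.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    tags: Dict[str, Dict[str, str]] = {}
    for item in root.iter(f"{EC2_NS}item"):
        rid = item.findtext(f"{EC2_NS}resourceId")
        key = item.findtext(f"{EC2_NS}key")
        value = item.findtext(f"{EC2_NS}value", default="")
        if rid is None or key is None:
            continue
        tags.setdefault(rid, {})[key] = value
    return tags


def plan_tag_changes(current: Dict[str, str], desired: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Compute what CreateTags must set and what DeleteTags must remove so the
    resource ends up carrying exactly `desired`.

    CreateTags overwrites the value of an existing key, so a changed value goes
    through CreateTags only; DeleteTags is needed just for keys that must vanish.
    """
    to_create = {k: v for k, v in desired.items() if current.get(k) != v}
    to_delete = sorted(k for k in current if k not in desired)
    return to_create, to_delete


def create_tags_params(resource_id: str, tags: Dict[str, str]) -> Dict[str, str]:
    """Encode a CreateTags request body in the indexed Query API form shown above."""
    params = {"Action": "CreateTags", "ResourceId.1": resource_id}
    for n, (key, value) in enumerate(tags.items(), start=1):
        params[f"Tag.{n}.Key"] = key
        params[f"Tag.{n}.Value"] = value
    params["Version"] = API_VERSION
    return params


def delete_tags_params(resource_id: str, keys: List[str]) -> Dict[str, str]:
    """Encode a DeleteTags request body; giving only Tag.N.Key removes the tag whatever its value."""
    params = {"Action": "DeleteTags", "ResourceId.1": resource_id}
    for n, key in enumerate(keys, start=1):
        params[f"Tag.{n}.Key"] = key
    params["Version"] = API_VERSION
    return params


def reconcile(xml_text: str, resource_id: str, desired: Dict[str, str]) -> List[str]:
    """Return the url-encoded request bodies (at most one CreateTags, one DeleteTags)
    needed to move `resource_id` from the tags in `xml_text` to `desired`."""
    current = parse_describe_tags(xml_text).get(resource_id, {})
    to_create, to_delete = plan_tag_changes(current, desired)
    bodies = []
    if to_create:
        bodies.append(urlencode(create_tags_params(resource_id, to_create)))
    if to_delete:
        bodies.append(urlencode(delete_tags_params(resource_id, to_delete)))
    return bodies
```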

# Delete an AWS Site-to-Site VPN Concentrator
<a name="delete-vpn-concentrator"></a>

When you no longer need a Site-to-Site VPN Concentrator, you can delete it to stop incurring charges. Deleting a Site-to-Site VPN Concentrator permanently removes it and all associated configurations.

## Prerequisites
<a name="delete-Concentrator-prerequisites"></a>

Before deleting a Site-to-Site VPN Concentrator, ensure the following:
+ All VPN connections associated with the Site-to-Site VPN Concentrator are deleted.
+ You have the necessary permissions to delete Site-to-Site VPN Concentrators (`ec2:DeleteVpnConcentrator`).
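
The first prerequisite can be checked before issuing the delete. The following added example (not AWS code) reads `describe-vpn-connections` output, which carries a `VpnConcentratorId` on connections created through a Concentrator, and lists any connection still referencing the Concentrator that is not yet in the `deleted` state; the JSON sample is constructed for the example.

```python
import json
from typing import List

# Constructed sample in the shape of `aws ec2 describe-vpn-connections` output.
# Only the fields this check reads are included; IDs are the page's example values plus
# two made-up ones.
SAMPLE_DESCRIBE_VPN_CONNECTIONS = json.dumps({
    "VpnConnections": [
        {"VpnConnectionId": "vpn-0abcdef1234567890", "State": "available",
         "CustomerGatewayId": "cgw-123456789", "VpnConcentratorId": "vcn-0123456789abcdef0"},
        {"VpnConnectionId": "vpn-0aaaaaaaaaaaaaaaa", "State": "deleted",
         "CustomerGatewayId": "cgw-222222222", "VpnConcentratorId": "vcn-0123456789abcdef0"},
        {"VpnConnectionId": "vpn-0bbbbbbbbbbbbbbbb", "State": "available",
         "CustomerGatewayId": "cgw-333333333", "TransitGatewayId": "tgw-12312312312312312"},
    ]
})


def blocking_connections(describe_output: str, concentrator_id: str) -> List[str]:
    """IDs of VPN connections that still reference `concentrator_id` and are not `deleted`.

    A connection in `deleting` still blocks: the Concentrator delete is only safe once
    every associated connection is gone, not merely on its way out.
    """
    data = json.loads(describe_output)
    return sorted(
        conn["VpnConnectionId"]
        for conn in data.get("VpnConnections", [])
        if conn.get("VpnConcentratorId") == concentrator_id and conn.get("State") != "deleted"
    )


def safe_to_delete(describe_output: str, concentrator_id: str) -> bool:
    """True when no live VPN connection references the Concentrator."""
    return not blocking_connections(describe_output, concentrator_id)


if __name__ == "__main__":
    import sys
    # Usage: aws ec2 describe-vpn-connections | python3 check_concentrator.py vcn-0123456789abcdef0
    # Without piped input the constructed sample is used.
    vcn = sys.argv[1] if len(sys.argv) > 1 else "vcn-0123456789abcdef0"
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE_VPN_CONNECTIONS
    blockers = blocking_connections(source, vcn)
    if blockers:
        print(f"{vcn}: delete these VPN connections first: {', '.join(blockers)}")
        sys.exit(1)
    print(f"{vcn}: no associated VPN connections remain, safe to delete")
```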

## Delete a Site-to-Site VPN Concentrator using the console
<a name="delete-Concentrator-console"></a>

**To delete a Site-to-Site VPN Concentrator**

1. Open the Amazon VPC Console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Site-to-Site VPN Concentrators**.

1. Select the Site-to-Site VPN Concentrator that you want to delete.

1. Choose **Actions**, and then choose **Delete Site-to-Site VPN Concentrator**.

1. In the confirmation dialog, type **delete** to confirm the deletion.

1. Choose **Delete**.

## Delete a Site-to-Site VPN Concentrator using the CLI
<a name="delete-Concentrator-cli"></a>

Use the `delete-vpn-concentrator` command to delete a Site-to-Site VPN Concentrator. You'll need the `vpn-concentrator-id` in order to delete it.

The following example deletes a Site-to-Site VPN Concentrator:

```
aws ec2 delete-vpn-concentrator --vpn-concentrator-id vcn-0123456789abcdef0
```

The following response is returned:

```
{
    "VpnConcentrator": {
        "VpnConcentratorId": "vcn-0123456789abcdef0",
        "State": "deleting",
        "Message": "The Site-to-Site VPN Concentrator vcn-0123456789abcdef0 is being deleted and will be removed from your account."
    }
}
```

## Delete a Site-to-Site VPN Concentrator using the API
<a name="delete-Concentrator-api"></a>

Use the `DeleteVpnConcentrator` operation to delete a Site-to-Site VPN Concentrator. You'll need the `VpnConcentratorId` in order to delete it.

The following example deletes a Site-to-Site VPN Concentrator:

```
POST / HTTP/1.1
Host: ec2.region.amazonaws.com
Content-Type: application/x-www-form-urlencoded

Action=DeleteVpnConcentrator
&VpnConcentratorId=vcn-0123456789abcdef0
&Version=2016-11-15
```

The following response is returned:

```
<?xml version="1.0" encoding="UTF-8"?>
<DeleteVpnConcentratorResponse xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
    <requestId>7a62c49f-347e-4fc4-9331-6e8eEXAMPLE</requestId>
    <vpnConcentrator>
        <vpnConcentratorId>vcn-0123456789abcdef0</vpnConcentratorId>
        <state>deleting</state>
        <message>The Site-to-Site VPN Concentrator vcn-0123456789abcdef0 is being deleted and will be removed from your account.</message>
    </vpnConcentrator>
</DeleteVpnConcentratorResponse>
```

# Create an AWS Site-to-Site VPN connection
<a name="create-vpn-connection"></a>

You can create Site-to-Site VPN connections that attach to transit gateways or Cloud WAN global networks. Both attachment types support IPv4 and IPv6 protocols and can optionally use Site-to-Site VPN Concentrators for connecting multiple remote sites cost-effectively.

## Create a VPN connection using the console
<a name="create-vpn-connection-console"></a>

**To create a VPN connection using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Site-to-Site VPN connections**.

1. Choose **Create VPN connection**.

1. (Optional) For **Name tag**, enter a name for the connection. Doing so creates a tag with a key of `Name` and the value that you specify.

1. For **Target gateway type**, choose one of the following:
   + **Virtual private gateway** - Create a new virtual private gateway VPN connection by choosing an existing **Virtual private gateway**.
   + **Transit gateway** - Create a new transit gateway VPN connection by choosing an existing **Transit gateway**. For more information about creating a transit gateway, see [Transit gateways](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-transit-gateways.html) in *Amazon VPC Transit Gateways*.
   + **Site-to-Site VPN Concentrator** - Create a new Site-to-Site VPN Concentrator connection by using an existing Site-to-Site VPN Concentrator or creating a new one. Choose one of the following:
     + **Existing** - Create a new Site-to-Site VPN Concentrator VPN connection using an existing Concentrator. 
     + **New** - Enter an optional name for the Site-to-Site VPN Concentrator and then choose the transit gateway to associate with it.
   + **Not associated** - Create an unattached VPN connection that can later be associated with Cloud WAN through the Network Manager console or API. For more information about VPN attachments and Cloud WAN, see [Site-to-site VPN attachments in AWS Cloud WAN](https://docs.aws.amazon.com/network-manager/latest/cloudwan/cloudwan-s2s-vpn-attachment.html) in the *AWS Cloud WAN User Guide*.

1. For **Customer gateway**, do one of the following:
   + To use an existing customer gateway, choose **Existing**, and then choose the **Customer gateway ID**.
   + To create a new customer gateway, choose **New**, and then do the following:
     + For **IP address**, enter a static **IPv4** or **IPv6** address.
     + (Optional) For **Certificate ARN**, choose the ARN of your private certificate (if using certificate-based authentication).
     + For **BGP ASN**, enter the Border Gateway Protocol (BGP) Autonomous System Number (ASN) of your customer gateway. For more information, see [Customer gateway options](cgw-options.md).

1. For **Routing options**, choose **Dynamic (requires BGP)** or **Static**.
**Note**  
Cloud WAN VPN connections and VPN connections using Concentrators only support BGP routing. Static routing is not supported for these connection types.

1. For **Pre-shared key storage** choose either **Standard** or **Secrets Manager**. The default selection is **Standard**. For more information about using AWS Secrets Manager, see [Security](security.md).

1. For **Tunnel inside IP version**, choose **IPv4** or **IPv6**.

1. (Optional) For **Enable acceleration**, choose the check box to enable acceleration. For more information, see [Accelerated VPN connections](accelerated-vpn.md).

   If you enable acceleration, we create two accelerators that are used by your VPN connection. Additional charges apply.

1. (Optional) Depending on which tunnel inside IP version you've chosen, do one of the following:
   + IPv4 - For **Local IPv4 network CIDR**, specify the IPv4 CIDR range on the customer gateway (on-premises) side that is allowed to communicate over the VPN tunnels. For **Remote IPv4 network CIDR**, choose the CIDR range on the AWS side that is allowed to communicate over the VPN tunnels. The default value for both fields is `0.0.0.0/0`.
   + IPv6 - For **Local IPv6 network CIDR**, specify the IPv6 CIDR range on the customer gateway (on-premises) side that is allowed to communicate over the VPN tunnels. For **Remote IPv6 network CIDR**, choose the CIDR range on the AWS side that is allowed to communicate over the VPN tunnels. The default value for both fields is `::/0`.

1. For **Outside IP address type**, choose one of the following options:
   + **Public IPv4** - (Default) Use IPv4 addresses for the outer tunnel IPs.
   + **Private IPv4** - Use a private IPv4 address for use within private networks.
   + **IPv6** - Use IPv6 addresses for the outer tunnel IPs. This option requires that your customer gateway device supports IPv6 addressing.
**Note**  
If you select **IPv6** for the outside IP address type, you must create a customer gateway with an IPv6 address.

1. (Optional) For **Tunnel 1 options**, you can specify the following information for each tunnel:
   + A size /30 IPv4 CIDR block from the `169.254.0.0/16` range for the inside tunnel IPv4 addresses.
   + If you specified **IPv6** for **Tunnel inside IP version**, a /126 IPv6 CIDR block from the `fd00::/8` range for the inside tunnel IPv6 addresses.
   + The IKE pre-shared key (PSK). The following versions are supported: IKEv1 or IKEv2.
   + To edit the advanced options for your tunnel, choose **Edit tunnel options**. For more information, see [VPN tunnel options](VPNTunnels.md).
   + (Optional) Choose **Enable** for the **Tunnel activity log** to capture log messages for IPsec activity and DPD protocol messages.
   + (Optional) Choose **Turn on** for **Tunnel endpoint lifecycle** to control the schedule for endpoint replacements. For more information about tunnel endpoint lifecycle, see [Tunnel endpoint lifecycle](tunnel-endpoint-lifecycle.md).

1. (Optional) Choose **Tunnel 2 options** and follow the previous steps to set up a second tunnel.

1. Choose **Create VPN connection**.
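
The constraints this procedure states (BGP-only routing for Concentrator and Cloud WAN connections, an IPv6 outside address needing an IPv6 customer gateway, inside tunnel CIDR sizes and ranges, local/remote CIDR family matching the inside IP version) collected into a pre-flight check. This is an added example, not AWS code; the `target_type` labels are the example's own, and it encodes only the rules on this page, not every restriction the service enforces.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Labels for the "Target gateway type" choices; "not-associated" is the Cloud WAN case.
BGP_ONLY_TARGETS = {"vpn-concentrator", "not-associated"}
INSIDE_IPV4_RANGE = ipaddress.ip_network("169.254.0.0/16")  # inside IPv4 CIDRs are /30 from here
INSIDE_IPV6_RANGE = ipaddress.ip_network("fd00::/8")        # inside IPv6 CIDRs are /126 from here


@dataclass
class VpnConnectionSpec:
    target_type: str                     # "virtual-private-gateway" | "transit-gateway" | "vpn-concentrator" | "not-associated"
    cgw_ip: str                          # customer gateway's static IPv4 or IPv6 address
    static_routes_only: bool = False     # True = "Static", False = "Dynamic (requires BGP)"
    outside_ip_type: str = "PublicIpv4"  # "PublicIpv4" | "PrivateIpv4" | "Ipv6"
    tunnel_inside_ip_version: str = "ipv4"
    tunnel_inside_cidrs: List[str] = field(default_factory=list)  # one per tunnel, at most two
    local_network_cidr: Optional[str] = None
    remote_network_cidr: Optional[str] = None


def _check_inside_cidr(cidr: str, inside_version: str) -> Optional[str]:
    """Return a problem string for a tunnel inside CIDR, or None when it is acceptable."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero
    except ValueError as exc:
        return f"tunnel inside CIDR {cidr}: {exc}"
    # `or` short-circuits, so subnet_of() only runs when the address families already match.
    if inside_version == "ipv4":
        if net.version != 4 or net.prefixlen != 30 or not net.subnet_of(INSIDE_IPV4_RANGE):
            return f"tunnel inside CIDR {cidr}: must be a /30 from 169.254.0.0/16"
    else:
        if net.version != 6 or net.prefixlen != 126 or not net.subnet_of(INSIDE_IPV6_RANGE):
            return f"tunnel inside CIDR {cidr}: must be a /126 from fd00::/8"
    return None


def validate(spec: VpnConnectionSpec) -> List[str]:
    """Return every rule the spec breaks; an empty list means it passes the checks above."""
    problems: List[str] = []

    if spec.target_type in BGP_ONLY_TARGETS and spec.static_routes_only:
        problems.append(f"{spec.target_type}: static routing is not supported, choose Dynamic (requires BGP)")

    try:
        cgw = ipaddress.ip_address(spec.cgw_ip)
    except ValueError as exc:
        problems.append(f"customer gateway IP address: {exc}")
        cgw = None
    if spec.outside_ip_type == "Ipv6" and cgw is not None and cgw.version != 6:
        problems.append("outside IP address type IPv6 requires a customer gateway with an IPv6 address")

    if spec.tunnel_inside_ip_version not in ("ipv4", "ipv6"):
        problems.append(f"tunnel inside IP version must be ipv4 or ipv6, not {spec.tunnel_inside_ip_version!r}")
        return problems

    if len(spec.tunnel_inside_cidrs) > 2:
        problems.append("a VPN connection has only two tunnels (Tunnel 1 options and Tunnel 2 options)")
    for cidr in spec.tunnel_inside_cidrs:
        msg = _check_inside_cidr(cidr, spec.tunnel_inside_ip_version)
        if msg:
            problems.append(msg)

    # Local/remote network CIDRs belong to the family selected by the tunnel inside IP version.
    want = 4 if spec.tunnel_inside_ip_version == "ipv4" else 6
    for label, cidr in (("local", spec.local_network_cidr), ("remote", spec.remote_network_cidr)):
        if cidr is None:
            continue
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError as exc:
            problems.append(f"{label} network CIDR: {exc}")
            continue
        if net.version != want:
            problems.append(f"{label} network CIDR {cidr}: must be IPv{want} to match the tunnel inside IP version")
    return problems
```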

# Create an AWS Site-to-Site VPN transit gateway connection using the CLI or API
<a name="create-tgw-cli-api"></a>

## Create a VPN connection to Transit Gateway using the CLI
<a name="tgw-vpn-cli-examples"></a>

Use the [create-vpn-connection](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-vpn-connection.html) command and specify the transit gateway ID for the `--transit-gateway-id` option.

The following example demonstrates creating a VPN connection with IPv6 outer tunnel IPs and IPv6 inner tunnel IPs:

```
aws ec2 create-vpn-connection \
--type ipsec.1 \
--transit-gateway-id tgw-12312312312312312 \
--customer-gateway-id cgw-001122334455aabbc \
--options OutsideIPAddressType=Ipv6,TunnelInsideIpVersion=ipv6,TunnelOptions=[{StartupAction=start},{StartupAction=start}]
```

Example response:

```
{
    "VpnConnection": {
        "VpnConnectionId": "vpn-0abcdef1234567890",
        "State": "pending",
        "CustomerGatewayId": "cgw-001122334455aabbc",
        "Type": "ipsec.1",
        "TransitGatewayId": "tgw-12312312312312312",
        "Category": "VPN",
        "Routes": [],
        "Options": {
            "StaticRoutesOnly": false,
            "OutsideIPAddressType": "Ipv6",
            "TunnelInsideIpVersion": "ipv6"
        }
    }
}
```

## Create a VPN connection to Transit Gateway using the API
<a name="create-vpn-api"></a>

You can create a VPN connection using the Amazon EC2 API. This section provides example request and response messages for creating a transit gateway VPN connection using the API.

### Prerequisites
<a name="create-vpn-api-prerequisites"></a>

Before creating a VPN connection using the API, ensure you have:
+ A transit gateway created and available
+ A customer gateway configured with your on-premises device details

<a name="create-vpn-api-example"></a>

The following example shows how to create a VPN connection using the `CreateVpnConnection` API action:

```
POST / HTTP/1.1
Host: ec2.us-east-1.amazonaws.com
Content-Type: application/x-www-form-urlencoded

Action=CreateVpnConnection
&Type=ipsec.1
&TransitGatewayId=tgw-12345678901234567
&CustomerGatewayId=cgw-12345678901234567
&Options.StaticRoutesOnly=false
&Version=2016-11-15
```

This example creates a VPN connection with dynamic routing (BGP) between the specified transit gateway and customer gateway.

A successful API response returns the VPN connection details:

```
<?xml version="1.0" encoding="UTF-8"?>
<CreateVpnConnectionResponse xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
    <requestId>7a62c49f-347e-4fc4-9331-6e8eEXAMPLE</requestId>
    <vpnConnection>
        <vpnConnectionId>vpn-1a2b3c4d5e6f78901</vpnConnectionId>
        <state>pending</state>
        <customerGatewayId>cgw-12345678901234567</customerGatewayId>
        <type>ipsec.1</type>
        <transitGatewayId>tgw-12345678901234567</transitGatewayId>
        <category>VPN</category>
        <options>
            <staticRoutesOnly>false</staticRoutesOnly>
        </options>
    </vpnConnection>
</CreateVpnConnectionResponse>
```

The response includes the VPN connection ID, current state, and configuration details. The connection will initially be in a "pending" state while AWS provisions the VPN tunnels.

# Create an AWS Site-to-Site VPN Cloud WAN connection using the CLI or API
<a name="create-cwan-vpn-attachment"></a>

You can create a Site-to-Site VPN connection between your on-premises network and AWS Cloud WAN by following the procedure below. For more information, see [Site-to-site VPN attachments in AWS Cloud WAN](https://docs.aws.amazon.com/network-manager/latest/cloudwan/cloudwan-s2s-vpn-attachment.html) in the *AWS Cloud WAN User Guide*.

## Create a VPN connection to Cloud WAN using the CLI
<a name="cwan-vpn-cli-examples"></a>

Use the [create-vpn-connection](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-vpn-connection.html) command to create a VPN connection that will later be attached to a Cloud WAN global network. This creates an unattached VPN connection that can subsequently be associated with Cloud WAN through the Network Manager console or API.

**Prerequisites**

Before creating a Cloud WAN VPN connection, ensure you have the following:
+ `customer-gateway-id` - An existing customer gateway resource (`cgw-xxxxxxxxx`) that represents your on-premises VPN device.
+ **Cloud WAN Global Network** - A Cloud WAN global network must be created and configured with appropriate network segments.
+ **BGP Configuration** - Cloud WAN VPN connections require BGP routing; static routing is not supported. You must set `StaticRoutesOnly=false` in the options parameter.

The following command creates a VPN connection without specifying a target gateway. The connection is created in an unattached state and can later be associated with your Cloud WAN global network through the Network Manager console or API. The `StaticRoutesOnly=false` option enables BGP routing, which is mandatory for Cloud WAN VPN attachments because static routing is not supported.

The following example creates an unattached VPN connection for Cloud WAN:

```
aws ec2 create-vpn-connection \
--type ipsec.1 \
--customer-gateway-id cgw-0123456789abcdef0 \
--options StaticRoutesOnly=false
```

The response returns the following:

```
{
    "VpnConnection": {
        "VpnConnectionId": "vpn-0abcdef1234567890",
        "State": "pending",
        "CustomerGatewayId": "cgw-0123456789abcdef0",
        "Type": "ipsec.1",
        "Category": "VPN",
        "Routes": [],
        "Options": {
            "StaticRoutesOnly": false
        }
    }
}
```

After creating the VPN connection, you can attach it to your Cloud WAN global network using the Network Manager console or the `create-site-to-site-vpn-attachment` API call.

## Create a VPN Cloud WAN connection using the API
<a name="cwan-vpn-api-examples"></a>

You can use the EC2 API to create a VPN connection for Cloud WAN integration. This involves making a `CreateVpnConnection` API call that creates an unattached VPN connection, which can then be associated with your Cloud WAN global network.

The API request creates a VPN connection without specifying a target gateway, leaving it in an unattached state that's ready for Cloud WAN integration. The connection uses BGP routing, which is required for Cloud WAN VPN attachments.

The following example shows the HTTP request to create a Cloud WAN VPN connection:

```
POST / HTTP/1.1
Host: ec2.us-east-1.amazonaws.com
Content-Type: application/x-www-form-urlencoded
Authorization: AWS4-HMAC-SHA256 Credential=...

Action=CreateVpnConnection
&Type=ipsec.1
&CustomerGatewayId=cgw-0123456789abcdef0
&Options.StaticRoutesOnly=false
&Version=2016-11-15
```

The API returns a successful response containing the VPN connection details. The connection is initially in the `pending` state while AWS provisions the VPN tunnels; when provisioning completes, the state changes to `available`.

```
<?xml version="1.0" encoding="UTF-8"?>
<CreateVpnConnectionResponse xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
    <requestId>12345678-1234-1234-1234-123456789012</requestId>
    <vpnConnection>
        <vpnConnectionId>vpn-0abcdef1234567890</vpnConnectionId>
        <state>pending</state>
        <customerGatewayId>cgw-0123456789abcdef0</customerGatewayId>
        <type>ipsec.1</type>
        <category>VPN</category>
        <options>
            <staticRoutesOnly>false</staticRoutesOnly>
        </options>
        <vgwTelemetry/>
        <routes/>
    </vpnConnection>
</CreateVpnConnectionResponse>
```

**Response Details**

The API response provides the following key information:
+ **vpnConnectionId** - The unique identifier for your VPN connection (e.g., `vpn-0abcdef1234567890`) that you'll use to attach it to Cloud WAN
+ **state** - Initially "pending" while AWS provisions the VPN tunnels, then transitions to "available" when ready for attachment
+ **category** - Shows "VPN" indicating this is an unattached VPN connection suitable for Cloud WAN integration
+ **staticRoutesOnly** - Set to "false" to enable BGP routing, which is required for Cloud WAN VPN attachments

Once the VPN connection reaches the "available" state, you can attach it to your Cloud WAN global network using the Network Manager `CreateSiteToSiteVpnAttachment` API or through the AWS console.

# Create an AWS Site-to-Site VPN Concentrator connection using the CLI or API
<a name="create-vpn-concentrator-cli-api"></a>

## Create a Site-to-Site VPN Concentrator connection using the CLI
<a name="create-vpn-concentrator-connection"></a>

After creating a Site-to-Site VPN Concentrator, you need to establish individual VPN connections from your remote sites to the Site-to-Site VPN Concentrator. Each remote site requires its own VPN connection that references the Site-to-Site VPN Concentrator ID. This allows multiple remote sites to share the same Site-to-Site VPN Concentrator infrastructure while maintaining separate, secure tunnels for each site.

To establish a VPN connection using a Site-to-Site VPN Concentrator, specify the Site-to-Site VPN Concentrator instead of the transit gateway when creating the VPN connection. The following example creates a VPN connection using a Site-to-Site VPN Concentrator:

```
aws ec2 create-vpn-connection \
--type ipsec.1 \
--customer-gateway-id cgw-123456789 \
--vpn-concentrator-id vcn-0123456789abcdef0
```

A successful response returns the following:

```
{
    "VpnConnection": {
        "VpnConnectionId": "vpn-0abcdef1234567890",
        "State": "pending",
        "CustomerGatewayId": "cgw-123456789",
        "Type": "ipsec.1",
        "VpnConcentratorId": "vcn-0123456789abcdef0",
        "Category": "VPN",
        "Routes": [],
        "Options": {
            "StaticRoutesOnly": false
        }
    }
}
```

## Create a Site-to-Site VPN Concentrator connection using the API
<a name="create-vpn-concentrator-api"></a>

You can create a VPN connection that uses a Site-to-Site VPN Concentrator using the Amazon EC2 API. This section provides example request and response messages for creating a VPN connection with a Site-to-Site VPN Concentrator.

Before creating a VPN connection with a Site-to-Site VPN Concentrator using the API, ensure you have:
+ A Site-to-Site VPN Concentrator created and available
+ A customer gateway configured for your remote site
+ Network configuration allowing IPsec traffic between your site and AWS

<a name="create-vpn-concentrator-api-example"></a>

The following example shows how to create a VPN connection using a Site-to-Site VPN Concentrator with the `CreateVpnConnection` API action:

```
POST / HTTP/1.1
Host: ec2.us-east-1.amazonaws.com
Content-Type: application/x-www-form-urlencoded

Action=CreateVpnConnection
&Type=ipsec.1
&VpnConcentratorId=vcn-0123456789abcdef0
&CustomerGatewayId=cgw-12345678901234567
&Options.StaticRoutesOnly=false
&Version=2016-11-15
```

This example creates a VPN connection between the specified Site-to-Site VPN Concentrator and customer gateway. The Site-to-Site VPN Concentrator acts as the AWS side endpoint, allowing multiple remote sites to connect through a centralized hub.

<a name="create-vpn-concentrator-api-response"></a>

A successful API response returns the VPN connection details with Site-to-Site VPN Concentrator information:

```
<?xml version="1.0" encoding="UTF-8"?>
<CreateVpnConnectionResponse xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
    <requestId>8b73d60f-458f-5gc5-a442-7f9fEXAMPLE</requestId>
    <vpnConnection>
        <vpnConnectionId>vpn-9z8y7x6w5v4u32109</vpnConnectionId>
        <state>pending</state>
        <customerGatewayId>cgw-12345678901234567</customerGatewayId>
        <type>ipsec.1</type>
        <vpnConcentratorId>vcn-0123456789abcdef0</vpnConcentratorId>
        <category>VPN</category>
        <options>
            <staticRoutesOnly>false</staticRoutesOnly>
        </options>
    </vpnConnection>
</CreateVpnConnectionResponse>
```

The response includes the VPN connection ID and references the Site-to-Site VPN Concentrator ID instead of a transit gateway ID. This connection allows your remote site to communicate with other sites connected to the same Site-to-Site VPN Concentrator, enabling hub-and-spoke network topologies.

# View AWS Site-to-Site VPN connections
<a name="viewing-vpn-connections"></a>

## View VPN connections using the console
<a name="viewing-vpn-connections-console"></a>

You can view your VPN connections and their details using the AWS Management Console. This provides a visual interface to monitor connection status, tunnel health, and configuration details.

**To view VPN connections using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Site-to-Site VPN Connections**.

1. Select your VPN connection to view detailed information including:
   + Connection state and status
   + Tunnel details and health status
   + Route information
   + Configuration parameters

The console displays real-time status information and allows you to monitor tunnel connectivity, view routing tables, and access configuration details for troubleshooting.

## View VPN connections using the CLI
<a name="viewing-vpn-connections-cli"></a>

Use the AWS CLI to query and retrieve detailed information about your VPN connections programmatically. This method enables automation, scripting, and integration with monitoring tools.

To list all VPN connections in the current AWS account and Region, run `describe-vpn-connections` with no parameters. To view the details of a particular VPN connection, you need its VPN connection ID.

To retrieve detailed information for a specific VPN connection, specify the connection ID as a parameter. The following example shows a request to view details about a specific VPN connection.

```
aws ec2 describe-vpn-connections --vpn-connection-ids vpn-1234567890abcdef0
```

The response includes comprehensive information about the VPN connection, including tunnel options, routing details, and current status. Note that the tunnel options carry each tunnel's pre-shared key in plaintext: any principal allowed to call `DescribeVpnConnections` can read the keys, so grant that permission narrowly and do not write the raw response to logs, tickets, or dashboards. Key fields:
+ `State` - The current state of the VPN connection
+ `TunnelOptions` - Configuration and status for each tunnel
+ `OutsideIpAddress` - The public IP addresses of the VPN tunnels
+ `Routes` - Routing information for the connection

Example response excerpt showing key connection details:

```
{
    "VpnConnections": [
        {
            "VpnConnectionId": "vpn-1234567890abcdef0",
            "State": "available",
            "CustomerGatewayId": "cgw-1234567890abcdef0",
            "Type": "ipsec.1",
            "Options": {
                "StaticRoutesOnly": false,
                "TunnelOptions": [
                    {
                        "OutsideIpAddress": "203.0.113.12",
                        "TunnelInsideCidr": "169.254.10.0/30",
                        "PreSharedKey": "example_key_1234567890abcdef0",
                        "Phase1LifetimeSeconds": 28800,
                        "Phase2LifetimeSeconds": 3600
                    },
                    {
                        "OutsideIpAddress": "203.0.113.34",
                        "TunnelInsideCidr": "169.254.11.0/30",
                        "PreSharedKey": "example_key_0987654321fedcba0",
                        "Phase1LifetimeSeconds": 28800,
                        "Phase2LifetimeSeconds": 3600
                    }
                ]
            }
        }
    ]
}
```
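The following Python is an added example, not code from the page or from AWS. It shows what a monitoring integration built on this output typically needs: it joins the tunnel options in the excerpt above with the per-tunnel `VgwTelemetry` status array that the full response also carries (the excerpt omits it), redacts the pre-shared keys before the data leaves the process, and lists tunnels that are not `UP`. The response below is constructed from the excerpt's values plus assumed telemetry entries; the `VgwTelemetry` field names used (`OutsideIpAddress`, `Status`, `StatusMessage`, `AcceptedRouteCount`) are the documented ones.

```python
import copy
import json

# Constructed sample modelled on the describe-vpn-connections excerpt above,
# extended with a VgwTelemetry array (assumed values) for per-tunnel status.
SAMPLE_RESPONSE = {
    "VpnConnections": [
        {
            "VpnConnectionId": "vpn-1234567890abcdef0",
            "State": "available",
            "CustomerGatewayId": "cgw-1234567890abcdef0",
            "Type": "ipsec.1",
            "Options": {
                "StaticRoutesOnly": False,
                "TunnelOptions": [
                    {"OutsideIpAddress": "203.0.113.12", "TunnelInsideCidr": "169.254.10.0/30",
                     "PreSharedKey": "example_key_1234567890abcdef0",
                     "Phase1LifetimeSeconds": 28800, "Phase2LifetimeSeconds": 3600},
                    {"OutsideIpAddress": "203.0.113.34", "TunnelInsideCidr": "169.254.11.0/30",
                     "PreSharedKey": "example_key_0987654321fedcba0",
                     "Phase1LifetimeSeconds": 28800, "Phase2LifetimeSeconds": 3600},
                ],
            },
            "VgwTelemetry": [
                {"OutsideIpAddress": "203.0.113.12", "Status": "UP",
                 "AcceptedRouteCount": 3, "StatusMessage": ""},
                {"OutsideIpAddress": "203.0.113.34", "Status": "DOWN",
                 "AcceptedRouteCount": 0, "StatusMessage": "IPSEC IS DOWN"},
            ],
        }
    ]
}

REDACTED = "<redacted>"


def redact_secrets(response: dict) -> dict:
    """Return a deep copy with every PreSharedKey blanked; the input is not mutated."""
    safe = copy.deepcopy(response)
    for conn in safe.get("VpnConnections", []):
        for tunnel in conn.get("Options", {}).get("TunnelOptions", []):
            if "PreSharedKey" in tunnel:
                tunnel["PreSharedKey"] = REDACTED
    return safe


def tunnel_report(connection: dict) -> list:
    """Join each tunnel's options with its telemetry, keyed by outside IP address."""
    telemetry = {t["OutsideIpAddress"]: t for t in connection.get("VgwTelemetry", [])}
    rows = []
    for opt in connection.get("Options", {}).get("TunnelOptions", []):
        ip = opt["OutsideIpAddress"]
        tel = telemetry.get(ip, {})
        rows.append({
            "vpn_connection_id": connection["VpnConnectionId"],
            "outside_ip": ip,
            "inside_cidr": opt.get("TunnelInsideCidr"),
            "status": tel.get("Status", "UNKNOWN"),
            "status_message": tel.get("StatusMessage", ""),
            "accepted_routes": tel.get("AcceptedRouteCount", 0),
        })
    return rows


def unhealthy_tunnels(response: dict) -> list:
    """Tunnels that are not UP, or that belong to a connection that is not available."""
    findings = []
    for conn in response.get("VpnConnections", []):
        for row in tunnel_report(conn):
            if conn.get("State") != "available" or row["status"] != "UP":
                findings.append((row["vpn_connection_id"], row["outside_ip"],
                                 row["status"], row["status_message"]))
    return findings


if __name__ == "__main__":
    # Only the redacted copy is safe to print or forward.
    print(json.dumps(redact_secrets(SAMPLE_RESPONSE), indent=2))
    for finding in unhealthy_tunnels(SAMPLE_RESPONSE):
        print("ALERT", finding)
```

In practice the input is `json.load` of `aws ec2 describe-vpn-connections --output json`; redact first, then forward the report, so the pre-shared keys never reach a log pipeline.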

## View VPN connections using the API
<a name="viewing-vpn-connections-api"></a>

Make direct API calls to the Amazon EC2 service to retrieve VPN connection information. This approach provides maximum flexibility for custom applications and programmatic integrations.

The `DescribeVpnConnections` API action queries and returns detailed information about one or more VPN connections. You can apply filters by connection ID, state, or other attributes to narrow your results.

The following shows an example request to provide details about a single VPN connection.

```
POST / HTTP/1.1
Host: ec2.us-east-1.amazonaws.com
Content-Type: application/x-www-form-urlencoded
Authorization: AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20230101/us-east-1/ec2/aws4_request, SignedHeaders=host;x-amz-date, Signature=example_signature

Action=DescribeVpnConnections
&VpnConnectionId.1=vpn-1234567890abcdef0
&Version=2016-11-15
```

The response returns details about that VPN connection.

```
<?xml version="1.0" encoding="UTF-8"?>
<DescribeVpnConnectionsResponse xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
    <requestId>12345678-1234-1234-1234-123456789012</requestId>
    <vpnConnectionSet>
        <item>
            <vpnConnectionId>vpn-1234567890abcdef0</vpnConnectionId>
            <state>available</state>
            <customerGatewayId>cgw-1234567890abcdef0</customerGatewayId>
            <type>ipsec.1</type>
            <options>
                <staticRoutesOnly>false</staticRoutesOnly>
                <tunnelOptionSet>
                    <item>
                        <outsideIpAddress>203.0.113.12</outsideIpAddress>
                        <tunnelInsideCidr>169.254.10.0/30</tunnelInsideCidr>
                        <preSharedKey>example_key_1234567890abcdef0</preSharedKey>
                    </item>
                    <item>
                        <outsideIpAddress>203.0.113.34</outsideIpAddress>
                        <tunnelInsideCidr>169.254.11.0/30</tunnelInsideCidr>
                        <preSharedKey>example_key_0987654321fedcba0</preSharedKey>
                    </item>
                </tunnelOptionSet>
            </options>
        </item>
    </vpnConnectionSet>
</DescribeVpnConnectionsResponse>
```
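The `Authorization` header in the request above is an AWS Signature Version 4 signature, which the page shows only as a placeholder. The Python below is an added example, not AWS code or code from this page: it signs an Amazon EC2 Query API POST with SigV4 using only the standard library and produces both the `DescribeVpnConnections` request above and the `CreateVpnConnection` request for a VPN Concentrator shown earlier. The access key is the AWS documentation placeholder, the secret key is a made-up placeholder, and the timestamp is a parameter so the output is reproducible; a real client uses the current UTC time and real credentials.

```python
import hashlib
import hmac
import urllib.parse

# Placeholder credentials (assumed): replace with real ones before sending.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """SigV4 key derivation: HMAC chain over date, region, service, 'aws4_request'."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def sign_ec2_query(params: dict, access_key: str, secret_key: str,
                   region: str, amz_date: str) -> tuple:
    """Return (headers, body) for a SigV4-signed EC2 Query API POST.

    amz_date is an ISO 8601 basic timestamp such as 20230101T000000Z.
    """
    host = f"ec2.{region}.amazonaws.com"
    service = "ec2"
    date_stamp = amz_date[:8]

    # The form body is hashed exactly as sent, so parameter order is free;
    # sorting only makes the output deterministic.
    body = urllib.parse.urlencode(sorted(params.items()))
    payload_hash = hashlib.sha256(body.encode("utf-8")).hexdigest()

    # Only the headers named in SignedHeaders are covered by the signature;
    # they appear lowercased and sorted by name in the canonical request.
    signed_headers = "host;x-amz-date"
    canonical_headers = f"host:{host}\nx-amz-date:{amz_date}\n"
    canonical_request = "\n".join([
        "POST",   # method
        "/",      # canonical URI
        "",       # canonical query string: empty, the parameters are in the body
        canonical_headers,
        signed_headers,
        payload_hash,
    ])

    credential_scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        credential_scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])

    signing_key = derive_signing_key(secret_key, date_stamp, region, service)
    signature = hmac.new(signing_key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()

    headers = {
        "Host": host,
        "Content-Type": "application/x-www-form-urlencoded",
        "X-Amz-Date": amz_date,
        "Authorization": (
            f"AWS4-HMAC-SHA256 Credential={access_key}/{credential_scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}"
        ),
    }
    return headers, body


def describe_vpn_connection_request(vpn_connection_id: str, amz_date: str,
                                    region: str = "us-east-1") -> tuple:
    """The DescribeVpnConnections request shown above, fully signed."""
    params = {"Action": "DescribeVpnConnections",
              "VpnConnectionId.1": vpn_connection_id,
              "Version": "2016-11-15"}
    return sign_ec2_query(params, ACCESS_KEY, SECRET_KEY, region, amz_date)


def create_concentrator_vpn_request(vpn_concentrator_id: str, customer_gateway_id: str,
                                    amz_date: str, region: str = "us-east-1") -> tuple:
    """The CreateVpnConnection request for a VPN Concentrator, signed the same way."""
    params = {"Action": "CreateVpnConnection", "Type": "ipsec.1",
              "VpnConcentratorId": vpn_concentrator_id,
              "CustomerGatewayId": customer_gateway_id,
              "Options.StaticRoutesOnly": "false", "Version": "2016-11-15"}
    return sign_ec2_query(params, ACCESS_KEY, SECRET_KEY, region, amz_date)


if __name__ == "__main__":
    hdrs, body = describe_vpn_connection_request("vpn-1234567890abcdef0", "20230101T000000Z")
    for name, value in hdrs.items():
        print(f"{name}: {value}")
    print()
    print(body)
```

The signature binds the request to the credential scope (date, Region, service), so a captured request cannot be replayed against another Region or after the date changes, and the `x-amz-date` header gives the service a freshness check; the secret key itself never leaves the client.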

# Test an AWS Site-to-Site VPN connection
<a name="HowToTestEndToEnd_Linux"></a>

After you create the AWS Site-to-Site VPN connection and configure the customer gateway, you can launch an instance and test the connection by pinging the instance. 

Before you begin, make sure of the following:
+ Use an AMI that responds to ping requests. We recommend that you use one of the Amazon Linux AMIs.
+ Configure any security group or network ACL in your VPC that filters traffic to the instance to allow inbound and outbound ICMP traffic. This enables the instance to receive `ping` requests.
+ If you are using instances running Windows Server, connect to the instance and enable inbound ICMPv4 on the Windows firewall in order to ping the instance.
+ (Static routing) Ensure that the customer gateway device has a static route to your VPC, and that your VPN connection has a static route so that traffic can get back to your customer gateway device.
+ (Dynamic routing) Ensure that the BGP status on your customer gateway device is established. It takes approximately 30 seconds for a BGP peering session to be established. Ensure that routes are advertised with BGP correctly and showing in the subnet route table, so that traffic can get back to your customer gateway. Make sure that both tunnels are configured with BGP routing.
+ Ensure that you have configured routing in your subnet route tables for the VPN connection.

**To test connectivity**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. On the dashboard, choose **Launch instance**.

1. (Optional) For **Name**, enter a descriptive name for your instance.

1. For **Application and OS Images (Amazon Machine Image)**, choose **Quick Start**, and then choose the operating system for your instance.

1. For **Key pair name**, choose an existing key pair or create a new one.

1. For **Network settings**, choose **Select existing security group**, and then choose the security group that you configured.

1. In the **Summary** panel, choose **Launch instance**.

1. After the instance is running, get its private IP address (for example, 10.0.0.4). The Amazon EC2 console displays the address as part of the instance's details.

1. From a computer in your network that is behind the customer gateway device, use the **ping** command with the instance's private IP address.

   ```
   ping 10.0.0.4
   ```

   A successful response is similar to the following.

   ```
   Pinging 10.0.0.4 with 32 bytes of data:
   
   Reply from 10.0.0.4: bytes=32 time<1ms TTL=128
   Reply from 10.0.0.4: bytes=32 time<1ms TTL=128
   Reply from 10.0.0.4: bytes=32 time<1ms TTL=128
   
   Ping statistics for 10.0.0.4:
   Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
   
   Approximate round trip times in milliseconds:
   Minimum = 0ms, Maximum = 0ms, Average = 0ms
   ```

   To test tunnel failover, you can temporarily disable one of the tunnels on your customer gateway device and then repeat this step. You can't disable a tunnel on the AWS side of the VPN connection.

1. To test the connection from AWS to your on-premises network, you can use SSH or RDP to connect to your instance from your network. You can then run the `ping` command with the private IP address of another computer in your network, to verify that both sides of the connection can initiate and receive requests.

   For more information about how to connect to a Linux instance, see [Connect to your Linux instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/connect-to-linux-instance.html) in the *Amazon EC2 User Guide*. For more information about how to connect to a Windows instance, see [Connect to your Windows instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/connecting_to_windows_instance.html) in the *Amazon EC2 User Guide*.

# Delete an AWS Site-to-Site VPN connection and gateway
<a name="delete-vpn"></a>

If you no longer need an AWS Site-to-Site VPN connection, you can delete it. When you delete a Site-to-Site VPN connection, we do not delete the customer gateway or virtual private gateway that was associated with the Site-to-Site VPN connection. If you no longer need the customer gateway and virtual private gateway, you can delete them.

**Warning**  
If you delete your Site-to-Site VPN connection and then create a new one, you must download a new configuration file and reconfigure the customer gateway device.

**Topics**
+ [Delete a VPN connection](delete-vpn-connection.md)
+ [Delete a customer gateway](delete-cgw.md)
+ [Detach and delete a virtual private gateway](delete-vgw.md)

# Delete an AWS Site-to-Site VPN connection
<a name="delete-vpn-connection"></a>

After you delete your Site-to-Site VPN connection, it remains visible for a short while with a state of `deleted`, and then the entry is automatically removed.

**To delete a VPN connection using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Site-to-Site VPN connections**.

1. Select the VPN connection and choose **Actions**, **Delete VPN connection**.

1. When prompted for confirmation, enter **delete** and then choose **Delete**.

**To delete a VPN connection using the command line or API**
+ [DeleteVpnConnection](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteVpnConnection.html) (Amazon EC2 Query API)
+ [delete-vpn-connection](https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-vpn-connection.html) (AWS CLI)
+ [Remove-EC2VpnConnection](https://docs.aws.amazon.com/powershell/latest/reference/items/Remove-EC2VpnConnection.html) (AWS Tools for Windows PowerShell)

# Delete an AWS Site-to-Site VPN customer gateway
<a name="delete-cgw"></a>

If you no longer need a customer gateway, you can delete it. You can't delete a customer gateway that's being used in a Site-to-Site VPN connection.

**To delete a customer gateway using the console**

1. In the navigation pane, choose **Customer gateways**.

1. Select the customer gateway and choose **Actions**, **Delete customer gateway**.

1. When prompted for confirmation, enter **delete** and then choose **Delete**.

**To delete a customer gateway using the command line or API**
+ [DeleteCustomerGateway](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteCustomerGateway.html) (Amazon EC2 Query API)
+ [delete-customer-gateway](https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-customer-gateway.html) (AWS CLI)
+ [Remove-EC2CustomerGateway](https://docs.aws.amazon.com/powershell/latest/reference/items/Remove-EC2CustomerGateway.html) (AWS Tools for Windows PowerShell)

# Detach and delete a virtual private gateway in AWS Site-to-Site VPN
<a name="delete-vgw"></a>

If you no longer require a virtual private gateway for your VPC, you can detach it from the VPC.

**To detach a virtual private gateway using the console**

1. In the navigation pane, choose **Virtual private gateways**.

1. Select the virtual private gateway and choose **Actions**, **Detach from VPC**.

1. Choose **Detach virtual private gateway**.

If you no longer require a detached virtual private gateway, you can delete it. You can't delete a virtual private gateway that's still attached to a VPC. After you delete your virtual private gateway, it remains visible for a short while with a state of `deleted`, and then the entry is automatically removed.

**To delete a virtual private gateway using the console**

1. In the navigation pane, choose **Virtual private gateways**.

1. Select the virtual private gateway and choose **Actions**, **Delete virtual private gateway**.

1. When prompted for confirmation, enter **delete** and then choose **Delete**.

**To detach a virtual private gateway using the command line or API**
+ [DetachVpnGateway](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DetachVpnGateway.html) (Amazon EC2 Query API)
+ [detach-vpn-gateway](https://docs.aws.amazon.com/cli/latest/reference/ec2/detach-vpn-gateway.html) (AWS CLI)
+ [Dismount-EC2VpnGateway](https://docs.aws.amazon.com/powershell/latest/reference/items/Dismount-EC2VpnGateway.html) (AWS Tools for Windows PowerShell)

**To delete a virtual private gateway using the command line or API**
+ [DeleteVpnGateway](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteVpnGateway.html) (Amazon EC2 Query API)
+ [delete-vpn-gateway](https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-vpn-gateway.html) (AWS CLI)
+ [Remove-EC2VpnGateway](https://docs.aws.amazon.com/powershell/latest/reference/items/Remove-EC2VpnGateway.html) (AWS Tools for Windows PowerShell)

# Modify the target gateway of an AWS Site-to-Site VPN connection
<a name="modify-vpn-target"></a>

You can modify the target gateway of an AWS Site-to-Site VPN connection. The following migration options are available:
+ An existing virtual private gateway to a transit gateway
+ An existing virtual private gateway to another virtual private gateway
+ An existing transit gateway to another transit gateway
+ An existing transit gateway to a virtual private gateway

After you modify the target gateway, your Site-to-Site VPN connection will be temporarily unavailable for a brief period while we provision the new endpoints.

The following tasks help you complete the migration to a new gateway. 

**Topics**
+ [Step 1: Create the new target gateway](#step-create-gateway)
+ [Step 2: Delete your static routes (conditional)](#step-update-staic-route)
+ [Step 3: Migrate to a new gateway](#step-migrate-gateway)
+ [Step 4: Update VPC route tables](#step-update-routing)
+ [Step 5: Update the target gateway routing (conditional)](#step-update-transit-gateway-routing)
+ [Step 6: Update the customer gateway ASN (conditional)](#step-update-customer-gateway-asn)

## Step 1: Create the new target gateway
<a name="step-create-gateway"></a>

Before you perform the migration to the new target gateway, you must first configure the new gateway. For information about adding a virtual private gateway, see [Create a virtual private gateway](SetUpVPNConnections.md#vpn-create-vpg). For more information about adding a transit gateway, see [Create a transit gateway](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-transit-gateways.html#create-tgw) in *Amazon VPC Transit Gateways*.

If the new target gateway is a transit gateway, attach the VPCs to the transit gateway. For information about VPC attachments, see [Transit gateway attachments to a VPC](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-vpc-attachments.html) in *Amazon VPC Transit Gateways*.

When you modify the target from a virtual private gateway to a transit gateway, you can optionally set the transit gateway ASN to be the same value as the virtual private gateway ASN. If you choose to have a different ASN, then you must set the ASN on your customer gateway device to the transit gateway ASN. For more information, see [Step 6: Update the customer gateway ASN (conditional)](#step-update-customer-gateway-asn).

## Step 2: Delete your static routes (conditional)
<a name="step-update-staic-route"></a>

This step is required when you migrate from a virtual private gateway with static routes to a transit gateway. 

You must delete the static routes before you migrate to the new gateway.

**Tip**  
Keep a copy of the static route before you delete it. You will need to add back these routes to the transit gateway after the VPN connection migration is complete.

**To delete a route from a route table**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Route tables**, and then select the route table.

1. On the **Routes** tab, choose **Edit routes**.

1. Choose **Remove** for the static route to the virtual private gateway.

1. Choose **Save changes**.

## Step 3: Migrate to a new gateway
<a name="step-migrate-gateway"></a>

**To change the target gateway**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Site-to-Site VPN connections**.

1. Select the VPN connection and choose **Actions**, **Modify VPN connection**.

1. For **Target type**, choose the gateway type.

   1. If the new target gateway is a virtual private gateway, choose **VPN gateway**.

   1. If the new target gateway is a transit gateway, choose **Transit gateway**.

1. Choose **Save changes**.

**To modify a Site-to-Site VPN connection using the command line or API**
+ [ModifyVpnConnection](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyVpnConnection.html) (Amazon EC2 Query API)
+ [modify-vpn-connection](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-vpn-connection.html) (AWS CLI)

## Step 4: Update VPC route tables
<a name="step-update-routing"></a>

After you migrate to the new gateway, you might need to modify your VPC route table. For more information, see [Route tables](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html) in the *Amazon VPC User Guide*.

The following table provides information about the VPC route table updates to make after you modify the VPN gateway target.


| Existing gateway  | New gateway | VPC route table change | 
| --- | --- | --- | 
| Virtual private gateway with propagated routes | Transit gateway | Add a route that contains the ID of the transit gateway. | 
| Virtual private gateway with propagated routes | Virtual private gateway with propagated routes | There is no action required. | 
| Virtual private gateway with propagated routes | Virtual private gateway with static route | Add a route that contains the ID of the new virtual private gateway. | 
| Virtual private gateway with static routes | Transit gateway | Update the route that contains the ID of the virtual private gateway to the ID of the transit gateway. | 
| Virtual private gateway with static routes | Virtual private gateway with static routes | Update the route that contains the ID of the virtual private gateway to the ID of the new virtual private gateway. | 
| Virtual private gateway with static routes | Virtual private gateway with propagated routes | Delete the route that contains the ID of the virtual private gateway. | 
| Transit gateway | Virtual private gateway with static routes | Update the route that contains the ID of the transit gateway to the ID of the virtual private gateway. | 
| Transit gateway | Virtual private gateway with propagated routes | Delete the route that contains the ID of the transit gateway. | 
| Transit gateway | Transit gateway | Update the route that contains the ID of the transit gateway to the ID of the new transit gateway. | 

## Step 5: Update the target gateway routing (conditional)
<a name="step-update-transit-gateway-routing"></a>

When the new gateway is a transit gateway, modify the transit gateway route table to allow traffic between the VPC and the Site-to-Site VPN. For more information, see [Transit gateway route tables](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-route-tables.html) in *Amazon VPC Transit Gateways*.

If you deleted VPN static routes, you must add the static routes to the transit gateway route table.

Unlike a virtual private gateway, a transit gateway sets the same value for the multi-exit discriminator (MED) across all the tunnels on a VPN attachment. If you are migrating from a virtual private gateway to a transit gateway and relied on the MED value for tunnel selection, we recommend that you make routing changes to avoid connection issues. For example, you can advertise more specific routes on your transit gateway. For more information, see [Route tables and AWS Site-to-Site VPN route priority](vpn-route-priority.md).

## Step 6: Update the customer gateway ASN (conditional)
<a name="step-update-customer-gateway-asn"></a>

When the new gateway has a different ASN from the old gateway, you must update the ASN on your customer gateway device to point to the new ASN. See [Customer gateway options for your AWS Site-to-Site VPN connection](cgw-options.md) for more information.

# Modify AWS Site-to-Site VPN connection options
<a name="modify-vpn-connection-options"></a>

You can modify the connection options for your Site-to-Site VPN connection. You can modify the following options:
+ The IPv4 CIDR ranges on the local (customer gateway) side and the remote (AWS) side of the VPN connection that can communicate over the VPN tunnels. The default is `0.0.0.0/0` for both ranges.
+ The IPv6 CIDR ranges on the local (customer gateway) and the remote (AWS) side of the VPN connection that can communicate over the VPN tunnels. The default is `::/0` for both ranges.

When you modify the VPN connection options, the VPN endpoint IP addresses on the AWS side do not change, and the tunnel options do not change. Your VPN connection will be temporarily unavailable for a brief period while the VPN connection is updated.

**To modify the VPN connection options using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Site-to-Site VPN connections**.

1. Select your VPN connection, and choose **Actions**, **Modify VPN connection options**.

1. Enter new CIDR ranges as needed.

1. Choose **Save changes**.

**To modify the VPN connection options using the command line or API**
+ [modify-vpn-connection-options](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-vpn-connection-options.html) (AWS CLI)
+ [ModifyVpnConnectionOptions](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyVpnConnectionOptions.html) (Amazon EC2 Query API)

# Modify AWS Site-to-Site VPN tunnel options
<a name="modify-vpn-tunnel-options"></a>

You can modify the tunnel options for the VPN tunnels in your Site-to-Site VPN connection. You can modify one VPN tunnel at a time.

**Important**  
When you modify a VPN tunnel, connectivity over the tunnel is interrupted for up to several minutes. Ensure that you plan for the expected downtime.

**To modify the VPN tunnel options using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Site-to-Site VPN connections**.

1. Select the Site-to-Site VPN connection, and choose **Actions**, **Modify VPN tunnel options**.

1. For **VPN tunnel outside IP address**, choose the tunnel endpoint IP of the VPN tunnel.

1. Choose or enter new values for the tunnel options as needed. For more information about the tunnel options, see [VPN tunnel options](VPNTunnels.md).
**Note**  
Some tunnel options have multiple default values. You can remove any default value you don't want; it is then no longer part of that tunnel option.

1. Choose **Save changes**.

**To modify the VPN tunnel options using the command line or API**
+ (AWS CLI) Use [describe-vpn-connections](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-vpn-connections.html) to view the current tunnel options, and [modify-vpn-tunnel-options](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-vpn-tunnel-options.html) to modify the tunnel options.
+ (Amazon EC2 Query API) Use [DescribeVpnConnections](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeVpnConnections.html) to view the current tunnel options, and [ModifyVpnTunnelOptions](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyVpnTunnelOptions.html) to modify the tunnel options.

# Edit static routes for an AWS Site-to-Site VPN connection
<a name="vpn-edit-static-routes"></a>

For a Site-to-Site VPN connection on a virtual private gateway that's configured for static routing, you can add or remove static routes from your VPN configuration. 

**To add or remove a static route using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Site-to-Site VPN connections**.

1. Select the VPN connection.

1. Choose **Edit static routes**.

1. Add or remove routes as needed.

1. Choose **Save changes**.

1. If you have not enabled route propagation for your route table, you must manually update the routes in your route table to reflect the updated static IP prefixes in your VPN connection. For more information, see [(Virtual private gateway) Enable route propagation in your route table](SetUpVPNConnections.md#vpn-configure-routing).

1. For a VPN connection on a transit gateway, you add, modify, or remove the static routes in the transit gateway route table. For more information, see [Transit gateway route tables](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-route-tables.html) in *Amazon VPC Transit Gateways*.

**To add a static route using the command line or API**
+ [CreateVpnConnectionRoute](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateVpnConnectionRoute.html) (Amazon EC2 Query API)
+ [create-vpn-connection-route](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpn-connection-route.html) (AWS CLI)
+ [New-EC2VpnConnectionRoute](https://docs.aws.amazon.com/powershell/latest/reference/items/New-EC2VpnConnectionRoute.html) (AWS Tools for Windows PowerShell)

**To delete a static route using the command line or API**
+ [DeleteVpnConnectionRoute](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteVpnConnectionRoute.html) (Amazon EC2 Query API)
+ [delete-vpn-connection-route](https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-vpn-connection-route.html) (AWS CLI)
+ [Remove-EC2VpnConnectionRoute](https://docs.aws.amazon.com/powershell/latest/reference/items/Remove-EC2VpnConnectionRoute.html) (AWS Tools for Windows PowerShell)

# Change the customer gateway for an AWS Site-to-Site VPN connection
<a name="change-vpn-cgw"></a>

You can change the customer gateway of your Site-to-Site VPN connection by using the Amazon VPC console or a command line tool.

After you change the customer gateway, your VPN connection will be temporarily unavailable for a brief period while we provision the new endpoints.

**To change the customer gateway using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Site-to-Site VPN connections**.

1. Select the VPN connection.

1. Choose **Actions**, **Modify VPN connection**.

1. For **Target type**, choose **Customer gateway**.

1. For **Target customer gateway**, choose the new customer gateway.

1. Choose **Save changes**.

**To change the customer gateway using the command line or API**
+ [ModifyVpnConnection](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyVpnConnection.html) (Amazon EC2 Query API)
+ [modify-vpn-connection](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-vpn-connection.html) (AWS CLI)

# Replace compromised credentials for an AWS Site-to-Site VPN connection
<a name="CompromisedCredentials"></a>

If you believe that the tunnel credentials for your Site-to-Site VPN connection have been compromised, you can change the IKE pre-shared key or change the ACM certificate. The method you use depends on the authentication option you used for your VPN tunnels. For more information, see [AWS Site-to-Site VPN tunnel authentication options](vpn-tunnel-authentication-options.md).

**To change the IKE pre-shared key**  
You can modify the tunnel options for the VPN connection and specify a new IKE pre-shared key for each tunnel, then configure the same key on your customer gateway device; the tunnel stays down until both sides hold the new key. For more information, see [Modify AWS Site-to-Site VPN tunnel options](modify-vpn-tunnel-options.md).

Alternatively, you can delete the VPN connection. For more information, see [Delete a VPN connection and gateway](delete-vpn.md). You don't need to delete the VPC or the virtual private gateway. Then, create a new VPN connection using the same virtual private gateway, and configure the new keys on your customer gateway device. You can specify your own pre-shared keys for the tunnels or let AWS generate new pre-shared keys for you. For more information, see [Create a VPN connection](SetUpVPNConnections.md#vpn-create-vpn-connection). The tunnel's inside and outside addresses might change when you recreate the VPN connection.
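The following Python is an added example, not code from the page or from AWS, covering the pre-shared key rotation described here and in the tunnel options section. It generates a replacement key from the OS CSPRNG that satisfies the constraints the Amazon EC2 API reference documents for `PreSharedKey` (8 to 64 characters; letters, digits, period and underscore; must not start with `0`), validates a candidate against those constraints, and builds one `modify-vpn-tunnel-options` invocation per tunnel. The VPN connection ID and outside IP addresses are the page's sample values; the commands are built, not executed.

```python
import json
import re
import secrets
import string

# Constraints the EC2 API reference documents for PreSharedKey: 8-64 characters
# from letters, digits, '.' and '_', and the first character must not be '0'.
PSK_ALPHABET = string.ascii_letters + string.digits + "._"
PSK_PATTERN = re.compile(r"[A-Za-z1-9._][A-Za-z0-9._]{7,63}")


def validate_psk(psk: str) -> bool:
    """True if psk meets the documented PreSharedKey constraints."""
    return PSK_PATTERN.fullmatch(psk) is not None


def generate_psk(length: int = 32) -> str:
    """Draw a key from secrets (CSPRNG), never from random.random()."""
    if not 8 <= length <= 64:
        raise ValueError("PreSharedKey length must be 8 to 64 characters")
    while True:
        candidate = "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))
        if validate_psk(candidate):  # rejects the occasional leading-'0' draw
            return candidate


def rotation_plan(vpn_connection_id: str, outside_ips: list) -> list:
    """One modify-vpn-tunnel-options invocation per tunnel, each with a fresh key.

    Tunnels are modified one at a time and each modification interrupts that
    tunnel, so apply the second step only after the first tunnel is back up
    with the new key configured on the customer gateway device.
    """
    plan = []
    for ip in outside_ips:
        psk = generate_psk()
        plan.append({
            "outside_ip": ip,
            "psk": psk,  # deliver to the customer gateway device out of band
            "argv": [
                "aws", "ec2", "modify-vpn-tunnel-options",
                "--vpn-connection-id", vpn_connection_id,
                "--vpn-tunnel-outside-ip-address", ip,
                "--tunnel-options", json.dumps({"PreSharedKey": psk}),
            ],
        })
    return plan


if __name__ == "__main__":
    for step in rotation_plan("vpn-1234567890abcdef0", ["203.0.113.12", "203.0.113.34"]):
        print(" ".join(step["argv"]))
```

Passing the key on the command line exposes it in shell history and process listings; when running this for real, write the `--tunnel-options` JSON to a file with restrictive permissions and pass it as `file://`, then delete the file once the customer gateway device has the new key.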

**To change the certificate for the AWS side of the tunnel endpoint**  
Rotate the certificate. For more information, see [Rotate VPN tunnel endpoint certificates](rotate-vpn-certificate.md).

**To change the certificate on the customer gateway device**

1. Create a new certificate. For information, see [Issuing and managing certificates](https://docs.aws.amazon.com/acm/latest/userguide/gs.html) in the *AWS Certificate Manager User Guide*.

1. Add the certificate to the customer gateway device.

# Rotate AWS Site-to-Site VPN tunnel endpoint certificates
<a name="rotate-vpn-certificate"></a>

You can rotate the certificates on the tunnel endpoints on the AWS side by using the Amazon VPC console. When a tunnel endpoint’s certificate is close to expiration, AWS automatically rotates the certificate using the service-linked role. For more information, see [Service-linked roles for Site-to-Site VPN](security_iam_service-with-iam.md#security_iam_service-with-iam-roles-service-linked).

**To rotate the Site-to-Site VPN tunnel endpoint certificate using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Site-to-Site VPN connections**.

1. Select the Site-to-Site VPN connection, and then choose **Actions**, **Modify VPN tunnel certificate**.

1. Select the tunnel endpoint.

1. Choose **Save**.

**To rotate the Site-to-Site VPN tunnel endpoint certificate using the AWS CLI**  
Use the [modify-vpn-tunnel-certificate](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-vpn-tunnel-certificate.html) command.

# Private IP AWS Site-to-Site VPN with Direct Connect
<a name="private-ip-dx"></a>

With private IP VPN, you can deploy IPsec VPN over Direct Connect, encrypting traffic between your on-premises network and AWS, without the use of public IP addresses or additional third-party VPN equipment.

One of the main use cases for private IP VPN over Direct Connect is helping customers in the financial, healthcare, and federal industries meet regulatory and compliance goals. Private IP VPN over Direct Connect ensures that traffic between AWS and on-premises networks is both secure and private, allowing customers to comply with their regulatory and security mandates.

## Benefits of private IP VPN
<a name="private-ip-dx-features"></a>
+ **Simplified network management and operations:** Without private IP VPN, customers have to deploy third-party VPN and routers to implement private VPNs over Direct Connect networks. With private IP VPN capability, customers don’t have to deploy and manage their own VPN infrastructure. This leads to simplified network operations and reduced costs.
+ **Improved security posture:** Previously, customers had to use a public Direct Connect virtual interface (VIF) for encrypting traffic over Direct Connect, which requires public IP addresses for the VPN endpoints. Using public IPs increases exposure to external denial-of-service (DoS) attacks, which in turn compels customers to deploy additional security gear for network protection. Also, a public VIF opens access between all AWS public services and customer on-premises networks, increasing the severity of the risk. The private IP VPN feature allows encryption over Direct Connect transit VIFs (instead of public VIFs), coupled with the ability to configure private IPs. This provides end-to-end private connectivity in addition to encryption, improving the overall security posture.
+ **Higher route scale:** Private IP VPN connections offer higher route limits (5000 outbound routes and 1000 inbound routes) as compared to Direct Connect alone, which currently has a limit of 200 outbound and 100 inbound routes.

## How private IP VPN works
<a name="private-ip-dx-how"></a>

Private IP Site-to-Site VPN works over a Direct Connect transit virtual interface (VIF). It uses a Direct Connect gateway and a transit gateway to interconnect your on-premises networks with AWS VPCs. A private IP VPN connection has termination points at the transit gateway on the AWS side, and at your customer gateway device on the on-premises side. You must assign private IP addresses to both the transit gateway and the customer gateway device ends of the IPsec tunnels. You can use private IP addresses from either RFC 1918 or RFC 6598 private IPv4 address ranges.

You attach a private IP VPN connection to a transit gateway. You then route traffic between the VPN attachment and any VPCs (or other networks) that are also attached to the transit gateway. You do that by associating a route table with the VPN attachment. In the reverse direction, you can route traffic from your VPCs to the private IP VPN attachment by using route tables that are associated with the VPCs.

The route table that's associated with the VPN attachment can be the same or different from the one associated with the underlying Direct Connect attachment. This gives you the ability to route both encrypted and unencrypted traffic simultaneously between your VPCs and your on-premises networks.

For more details on the traffic path leaving the VPN, see [Private virtual interface and transit virtual interface routing policies](https://docs.aws.amazon.com/directconnect/latest/UserGuide/routing-and-bgp.html#private-routing-policies) in the *Direct Connect User Guide*.

## Prerequisites
<a name="private-ip-dx-prereqs"></a>

The following table describes the prerequisites for creating a private IP VPN over Direct Connect.


| Item | Steps | Information | 
| --- | --- | --- | 
| Prepare the transit gateway for Site-to-Site VPN. |  Create the transit gateway by using the Amazon Virtual Private Cloud (VPC) console or using the command-line or API. See [Transit gateways](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-transit-gateways.html) in the *Amazon VPC Transit Gateways Guide*.  | A transit gateway is a network transit hub that you can use to interconnect your VPCs and on-premises networks. You can create a new transit gateway or use an existing one for the private IP VPN connection. When you create the transit gateway, or modify an existing transit gateway, you specify a private IP CIDR block for the connection. When specifying the transit gateway CIDR block to be associated with your Private IP VPN, ensure the CIDR block does not overlap with any IP addresses for any other network attachments on the transit gateway. If any IP CIDR blocks do overlap, it may cause configuration issues with your customer gateway device.  | 
| Create the Direct Connect gateway for Site-to-Site VPN. | Create the Direct Connect gateway by using the Direct Connect console or by using the command-line or API. See [Create an AWS Direct Connect gateway](https://docs.aws.amazon.com/directconnect/latest/UserGuide/create-direct-connect-gateway.html) in the *Direct Connect User Guide*. | A Direct Connect gateway allows you to connect virtual interfaces (VIFs) across multiple AWS Regions. This gateway is used to connect to your VIF. | 
| Create the transit gateway association for Site-to-Site VPN. |  Create the association between the Direct Connect gateway and the transit gateway by using the Direct Connect console or using the command-line or API. See [Associate or disassociate Direct Connect with a transit gateway](https://docs.aws.amazon.com/directconnect/latest/UserGuide/associate-tgw-with-direct-connect-gateway.html) in the *Direct Connect User Guide*.  |  After creating the Direct Connect gateway, create a transit gateway association for the Direct Connect gateway. Specify the private IP CIDR for the transit gateway that was identified earlier in the allowed prefixes list. | 

**Topics**
+ [Benefits of private IP VPN](#private-ip-dx-features)
+ [How private IP VPN works](#private-ip-dx-how)
+ [Prerequisites](#private-ip-dx-prereqs)
+ [Create a private IP VPN over Direct Connect](private-ip-dx-steps.md)

# Create a private IP AWS Site-to-Site VPN over Direct Connect
<a name="private-ip-dx-steps"></a>

To create a private IP VPN with Direct Connect, follow these steps. Before you create the private IP VPN over Direct Connect, you must first create a transit gateway and a Direct Connect gateway, and then create an association between the two. These prerequisites are described in the Prerequisites table earlier on this page. Once you've created and associated the two gateways, you create a VPN customer gateway and connection using that association.

## Create the customer gateway and connection for Site-to-Site VPN
<a name="private-ip-dx-cgw"></a>

A customer gateway is a resource that you create in AWS. It represents the customer gateway device in your on-premises network. When you create a customer gateway, you provide information about your device to AWS. For more details, see [Customer gateway](how_it_works.md#CustomerGateway).

**To create a customer gateway using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Customer gateways**.

1. Choose **Create customer gateway**.

1. (Optional) For **Name tag**, enter a name for your customer gateway. Doing so creates a tag with a key of `Name` and the value that you specify.

1. For **BGP ASN**, enter a Border Gateway Protocol (BGP) Autonomous System Number (ASN) for your customer gateway. 

1. For **IP address**, enter the private IP address for your customer gateway device.
**Important**  
When configuring private IP AWS Site-to-Site VPN, you must specify your own tunnel endpoint IP addresses using private addresses from the RFC 1918 (or RFC 6598) ranges. Do not use the point-to-point IP addresses for the eBGP peering between your customer gateway router and the Direct Connect endpoint. AWS recommends using a loopback or LAN interface on your customer gateway router as the source or destination address instead of the point-to-point addresses.  
For more information about RFC 1918, see [Address Allocation for Private Internets](https://datatracker.ietf.org/doc/html/rfc1918).

1. (Optional) For **Device**, enter a name for the device that hosts this customer gateway.

1. Choose **Create customer gateway**.

1. In the navigation pane, choose **Site-to-Site VPN connections**.

1. Choose **Create VPN connection**.

1. (Optional) For **Name tag**, enter a name for your Site-to-Site VPN connection. Doing so creates a tag with a key of `Name` and the value that you specify.

1. For **Target gateway type**, choose **Transit gateway**. Then, choose the transit gateway that you identified earlier.

1. For **Customer gateway**, select **Existing**. Then, choose the customer gateway that you created earlier.

1. Select one of the routing options based on whether your customer gateway device supports Border Gateway Protocol (BGP):
   + If your customer gateway device supports BGP, choose **Dynamic (requires BGP)**.
   + If your customer gateway device does not support BGP, choose **Static**.

1. For **Tunnel inside IP version**, specify whether the VPN tunnels support IPv4 or IPv6 traffic.

1. (Optional) If you specified **IPv4** for **Tunnel inside IP version**, you can optionally specify the IPv4 CIDR ranges for the customer gateway and AWS sides that are allowed to communicate over the VPN tunnels. The default for both ranges is `0.0.0.0/0`.

   If you specified **IPv6** for **Tunnel inside IP version**, you can optionally specify the IPv6 CIDR ranges for the customer gateway and AWS sides that are allowed to communicate over the VPN tunnels. The default for both ranges is `::/0`.

1. For **Outside IP address type**, choose **PrivateIpv4**.

1. For **Transport attachment ID**, choose the transit gateway attachment for the appropriate Direct Connect gateway.

1. Choose **Create VPN connection**.

**Note**  
The **Enable acceleration** option is not applicable for VPN connections over Direct Connect.

**To create a customer gateway using the command line or API**
+ [CreateCustomerGateway](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateCustomerGateway.html) (Amazon EC2 Query API)
+ [create-customer-gateway](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-customer-gateway.html) (AWS CLI)
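The console procedure above, carried out as a CLI preflight and command build. This is an added example, not AWS's own code: it checks the constraints this page calls out before anything is created (tunnel endpoint addresses from RFC 1918 or RFC 6598 space, no reuse of the transit VIF's eBGP point-to-point peer addresses, no overlap between the transit gateway CIDR and other attachments' ranges), generates pre-shared keys within the tunnel option character rules, and prints the `create-customer-gateway` and `create-vpn-connection` invocations with `OutsideIpAddressType=PrivateIpv4` and the transport attachment ID. It also serves the earlier note, under replacing compromised credentials, that you can supply your own pre-shared keys instead of letting AWS generate them. The resource IDs and addresses are placeholders; `other_attachment_cidrs` and `dx_bgp_peer_ips` are inputs you supply from your own inventory, and the customer gateway ID in the second command must be taken from the first command's output.

```python
"""Added example (not AWS's own code): preflight checks and command
construction for a private IP Site-to-Site VPN over Direct Connect.
Commands are returned as strings, not executed; IDs and addresses are placeholders.
"""
import ipaddress
import secrets
import shlex
import string

PRIVATE_RANGES = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                   # RFC 6598 shared address space
)]

# Tunnel pre-shared key rules: letters, digits, period and underscore,
# 8-64 characters, and the key must not start with a zero.
PSK_ALPHABET = string.ascii_letters + string.digits + "._"


def is_private_endpoint(ip):
    """True if the address lies in RFC 1918 or RFC 6598 space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)


def is_private_cidr(cidr):
    """True if the whole CIDR lies inside one RFC 1918 or RFC 6598 range."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(priv) for priv in PRIVATE_RANGES)


def overlapping_cidrs(tgw_cidr, other_cidrs):
    """Return the attachment CIDRs that overlap the transit gateway CIDR."""
    tgw = ipaddress.ip_network(tgw_cidr)
    return [c for c in other_cidrs if ipaddress.ip_network(c).overlaps(tgw)]


def generate_psk(length=32):
    """Random pre-shared key that satisfies the tunnel PSK rules above."""
    if not 8 <= length <= 64:
        raise ValueError("PSK length must be between 8 and 64 characters")
    while True:
        psk = "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))
        if psk[0] != "0":
            return psk


def preflight(cgw_ip, tgw_cidr, other_attachment_cidrs, dx_bgp_peer_ips):
    """Raise ValueError on the first violated constraint."""
    if not is_private_endpoint(cgw_ip):
        raise ValueError(f"customer gateway address {cgw_ip} is not RFC 1918/6598")
    if cgw_ip in dx_bgp_peer_ips:
        raise ValueError(f"{cgw_ip} is a Direct Connect eBGP peer address; use a loopback or LAN address")
    if not is_private_cidr(tgw_cidr):
        raise ValueError(f"transit gateway CIDR {tgw_cidr} is not RFC 1918/6598")
    clash = overlapping_cidrs(tgw_cidr, other_attachment_cidrs)
    if clash:
        raise ValueError(f"transit gateway CIDR {tgw_cidr} overlaps attachment ranges {clash}")


def build_commands(cgw_ip, bgp_asn, tgw_id, tgw_cidr, transport_attachment_id,
                   other_attachment_cidrs=(), dx_bgp_peer_ips=(), psks=None,
                   customer_gateway_id="<customer-gateway-id from the first command>"):
    """Return (create-customer-gateway, create-vpn-connection) as shell command lines."""
    preflight(cgw_ip, tgw_cidr, other_attachment_cidrs, dx_bgp_peer_ips)
    psks = list(psks) if psks else [generate_psk(), generate_psk()]  # one key per tunnel
    create_cgw = shlex.join(["aws", "ec2", "create-customer-gateway",
                             "--type", "ipsec.1", "--bgp-asn", str(bgp_asn),
                             "--ip-address", cgw_ip])
    tunnel_opts = ",".join("{PreSharedKey=%s}" % k for k in psks)
    options = (f"OutsideIpAddressType=PrivateIpv4,"
               f"TransportTransitGatewayAttachmentId={transport_attachment_id},"
               f"TunnelOptions=[{tunnel_opts}]")
    create_vpn = shlex.join(["aws", "ec2", "create-vpn-connection",
                             "--type", "ipsec.1",
                             "--customer-gateway-id", customer_gateway_id,
                             "--transit-gateway-id", tgw_id,
                             "--options", options])
    return create_cgw, create_vpn


if __name__ == "__main__":
    # Placeholder inputs: a loopback on the customer gateway router, the transit
    # gateway CIDR, the Direct Connect transit VIF peer addresses, and the
    # CIDRs already used by other attachments on the transit gateway.
    for cmd in build_commands("10.1.255.1", 65001, "tgw-0123456789abcdef0", "10.99.0.0/24",
                              "tgw-attach-0123456789abcdef0",
                              other_attachment_cidrs=["10.20.0.0/16", "10.30.0.0/16"],
                              dx_bgp_peer_ips=["169.254.10.1", "169.254.10.2"]):
        print(cmd)
```

The keys are printed in the clear by the `create-vpn-connection` line, so treat the output as a secret and hand the same keys to the customer gateway device configuration; if you prefer AWS-generated keys, drop `TunnelOptions` from the options string.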