

# Direct Connect gateways
<a name="direct-connect-gateways"></a>

You can work with Direct Connect gateways using the Amazon VPC console or the AWS CLI.
+ [Direct Connect gateways](direct-connect-gateways-intro.md)

  You can associate a Direct Connect gateway with a transit gateway that has multiple VPCs, with a virtual private gateway, or, if you use AWS Cloud WAN, with a Cloud WAN core network.
+ [Virtual private gateway associations](virtualgateways.md)

  Using a virtual private gateway, you can associate the Direct Connect gateway over a private virtual interface to one or more VPCs in any account located in the same or different Regions.
+ [Transit gateway associations](direct-connect-transit-gateways.md)

  Use a Direct Connect gateway to connect your Direct Connect connection over a transit virtual interface to the VPCs or VPNs that are attached to your transit gateway.
+ [Cloud WAN core network associations](direct-connect-cloud-wan.md)

  Associate a Direct Connect gateway with an AWS Network Manager core network.
+ [Allowed prefixes interactions](allowed-to-prefixes.md)

  Use allowed prefixes to interact with transit gateways and virtual private gateways.

**Topics**
+ [Direct Connect gateways](direct-connect-gateways-intro.md)
+ [Virtual private gateway associations](virtualgateways.md)
+ [Transit gateway associations](direct-connect-transit-gateways.md)
+ [Cloud WAN core network associations](direct-connect-cloud-wan.md)
+ [Allowed prefixes interactions](allowed-to-prefixes.md)

# Direct Connect gateways
<a name="direct-connect-gateways-intro"></a>

Use a Direct Connect gateway to connect your VPCs. You associate a Direct Connect gateway with any of the following:
+ A transit gateway when you have multiple VPCs in the same Region
+ A virtual private gateway
+ An AWS Cloud WAN core network

You can also use a virtual private gateway to extend your Local Zone. This configuration allows the VPC associated with the Local Zone to connect to a Direct Connect gateway. The Direct Connect gateway connects to a Direct Connect location in a Region. The on-premises data center has a Direct Connect connection to the Direct Connect location. For more information, see [Accessing Local Zones using a Direct Connect gateway](https://docs.aws.amazon.com/vpc/latest/userguide/Extend_VPCs.html#access-local-zone) in the *Amazon VPC User Guide*.

A Direct Connect gateway is a globally available resource. You can connect to any Region globally using a Direct Connect gateway. This includes AWS GovCloud (US), but it does not include the AWS China Regions. A Direct Connect gateway is a virtual component of Direct Connect designed to act as a distributed set of BGP route reflectors. Because it operates outside the data traffic path, it avoids creating a single point of failure or introducing dependencies on specific AWS Regions. High availability is inherently built into its design, eliminating the need for multiple Direct Connect gateways.

Customers using Direct Connect with VPCs that currently bypass a parent Availability Zone will not be able to migrate their Direct Connect connections or virtual interfaces.

The following describes how traffic flows between gateway associations. Scenarios where you can use a Direct Connect gateway are described in [Scenarios](#dx-gateway-scenarios).

A Direct Connect gateway does not allow gateway associations on the same Direct Connect gateway to send traffic to each other (for example, one virtual private gateway to another virtual private gateway). An exception to this rule, implemented in November 2021, is when a supernet is advertised across two or more VPCs whose attached virtual private gateways (VGWs) are associated with the same Direct Connect gateway and on the same virtual interface. In this case, the VPCs can communicate with each other through the Direct Connect endpoint. For example, if you advertise a supernet (for example, 10.0.0.0/8 or 0.0.0.0/0) that overlaps with the VPCs attached to a Direct Connect gateway (for example, 10.0.0.0/24 and 10.0.1.0/24) on the same virtual interface, then, from your on-premises network, the VPCs can communicate with each other.

If you want to block VPC-to-VPC communication within a Direct Connect gateway, do the following: 

1. Set up security groups on the instances and other resources in the VPC to block traffic between VPCs, and include these rules in the default security group of the VPC.

1. Avoid advertising a supernet from your on-premises network that overlaps with your VPCs. Instead, advertise more specific routes from your on-premises network that do not overlap with your VPCs.

1. Provision a separate Direct Connect gateway for each VPC that you want to connect to your on-premises network instead of using the same Direct Connect gateway for multiple VPCs. For example, instead of using a single Direct Connect gateway for your development and production VPCs, use separate Direct Connect gateways for each of these VPCs.

A Direct Connect gateway does not prevent traffic from being sent from one gateway association back to that same gateway association (for example, when you have an on-premises supernet route that contains the prefixes from the gateway association). If you have multiple VPCs connected to transit gateways that are associated with the same Direct Connect gateway, the VPCs could communicate. To prevent the VPCs from communicating, associate a route table with the VPC attachments that have the **blackhole** option set.
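As an added example that is not part of the AWS documentation, the following Python script (standard library only) applies the advice above to constructed sample data: it flags on-premises advertisements that cover VPC CIDRs behind one Direct Connect gateway, tells you whether a single advertisement would let those VPCs reach each other through your on-premises network, and carves the VPC CIDRs out of a supernet to produce the more-specific routes that do not overlap. The association names and CIDRs are constructed for illustration.

```python
"""Check on-premises route advertisements against the VPC CIDRs behind one
Direct Connect gateway. Standard library only; all input values are constructed."""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed sample: VPC CIDRs keyed by the virtual private gateway association
# that carries them. Both associations hang off the same Direct Connect gateway
# and the same private virtual interface.
VPCS_BY_ASSOCIATION: Dict[str, List[str]] = {
    "vgw-dev": ["10.0.0.0/24"],
    "vgw-prod": ["10.0.1.0/24"],
}

# Constructed sample: prefixes the on-premises router advertises over the VIF.
ON_PREM_ADVERTISED = ["10.0.0.0/8", "192.168.10.0/24"]


def hairpin_risks(advertised: Iterable[str],
                  vpcs_by_association: Dict[str, List[str]]) -> List[Tuple[str, List[str]]]:
    """Return (advertised_prefix, [covered VPC CIDRs]) for every advertised
    prefix that contains at least one VPC CIDR behind the gateway.

    One covered CIDR already sends a VPC's own prefixes back to it through the
    on-premises network; two or more covered CIDRs let those VPCs reach each other."""
    risks = []
    for prefix in advertised:
        supernet = ipaddress.ip_network(prefix)
        covered = sorted(
            cidr
            for cidrs in vpcs_by_association.values()
            for cidr in cidrs
            if ipaddress.ip_network(cidr).subnet_of(supernet)
        )
        if covered:
            risks.append((prefix, covered))
    return risks


def enables_vpc_to_vpc(risks: List[Tuple[str, List[str]]]) -> bool:
    """True when any single advertised prefix covers two or more VPC CIDRs."""
    return any(len(covered) >= 2 for _, covered in risks)


def non_overlapping_routes(advertised: Iterable[str],
                           vpc_cidrs: Iterable[str]) -> List[str]:
    """Carve every VPC CIDR out of the advertised prefixes and return the
    remaining, more-specific prefixes that do not overlap any VPC."""
    vpcs = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(c) for c in vpc_cidrs))
    remaining = [ipaddress.ip_network(p) for p in advertised]
    for vpc in vpcs:
        carved = []
        for route in remaining:
            if vpc.subnet_of(route):
                carved.extend(route.address_exclude(vpc))  # drop the VPC's slice
            elif route.subnet_of(vpc):
                continue  # the route lies wholly inside a VPC: drop it
            else:
                carved.append(route)
        remaining = carved
    return [str(n) for n in sorted(ipaddress.collapse_addresses(remaining))]


if __name__ == "__main__":
    risks = hairpin_risks(ON_PREM_ADVERTISED, VPCS_BY_ASSOCIATION)
    for prefix, covered in risks:
        print(f"{prefix} covers {', '.join(covered)}")
    print("VPC-to-VPC via on-premises possible:", enables_vpc_to_vpc(risks))
    all_vpcs = [c for cidrs in VPCS_BY_ASSOCIATION.values() for c in cidrs]
    print("Advertise instead:", non_overlapping_routes(ON_PREM_ADVERTISED, all_vpcs))
```

With the sample data, 10.0.0.0/8 is reported as covering both VPCs, and excluding them from the /8 yields 15 prefixes (lengths /9 through /23) that can be advertised without touching either VPC.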

**Topics**
+ [Scenarios](#dx-gateway-scenarios)
+ [Create a Direct Connect gateway](create-direct-connect-gateway.md)
+ [Migrate from a virtual private gateway to a Direct Connect gateway](migrate-to-direct-connect-gateway.md)
+ [Delete a Direct Connect gateway](delete-direct-connect-gateway.md)

## Scenarios
<a name="dx-gateway-scenarios"></a>

The following describe just a few scenarios for using Direct Connect gateways. 

### Scenario: Virtual private gateway associations
<a name="virtual-private-gateway"></a>

In the following diagram, the Direct Connect gateway enables you to use your Direct Connect connection in the US East (N. Virginia) Region to access VPCs in your account in both the US East (N. Virginia) and US West (N. California) Regions.

Each VPC has a virtual private gateway that connects to the Direct Connect gateway using a virtual private gateway association. The Direct Connect gateway uses a private virtual interface for the connection to the Direct Connect location. There is a Direct Connect connection from the location to the customer data center.

![\[A Direct Connect gateway that connects VPCs in two AWS Regions and your data center.\]](http://docs.aws.amazon.com/directconnect/latest/UserGuide/images/dx-gateway.png)


### Scenario: Virtual private gateway associations across accounts
<a name="virtual-private-gateway-across-accounts"></a>

Consider this scenario of a Direct Connect gateway owner (Account Z) who owns the Direct Connect gateway. Account A and Account B want to use the Direct Connect gateway. Account A and Account B each send an association proposal to Account Z. Account Z accepts the association proposals and can optionally update the prefixes that are allowed from Account A's virtual private gateway or Account B's virtual private gateway. After Account Z accepts the proposals, Account A and Account B can route traffic from their virtual private gateway to the Direct Connect gateway. Account Z also owns the routing to the customers because Account Z owns the gateway.

![\[A Direct Connect gateway that connects three AWS accounts and your data center.\]](http://docs.aws.amazon.com/directconnect/latest/UserGuide/images/dx-gateway-shared.png)


### Scenario: Transit gateway associations
<a name="transit-gateway"></a>

The following diagram illustrates how the Direct Connect gateway enables all of your VPCs to share a single Direct Connect connection.

![\[A Direct Connect gateway associated with a transit gateway with multiple VPC attachments.\]](http://docs.aws.amazon.com/directconnect/latest/UserGuide/images/direct-connect-tgw.png)


The solution involves the following components:
+ A transit gateway that has VPC attachments.
+ A Direct Connect gateway.
+ An association between the Direct Connect gateway and the transit gateway.
+ A transit virtual interface that is attached to the Direct Connect gateway.

This configuration offers the following benefits. You can:
+ Manage a single connection for multiple VPCs or VPNs that are in the same Region.
+ Advertise prefixes from on-premises to AWS and from AWS to on-premises.

For information about configuring transit gateways, see [Working with Transit Gateways](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-dcg-attachments.html) in the *Amazon VPC Transit Gateways Guide*.

### Scenario: Transit gateway associations across accounts
<a name="transit-gateway-across-accounts"></a>

Consider this scenario of a Direct Connect gateway owner (Account Z) who owns the Direct Connect gateway. Account A owns the transit gateway and wants to use the Direct Connect gateway. Account Z accepts the association proposals and can optionally update the prefixes that are allowed from Account A's transit gateway. After Account Z accepts the proposals, the VPCs attached to the transit gateway can route traffic from the transit gateway to the Direct Connect gateway. Account Z also owns the routing to the customers because Account Z owns the gateway.

![\[A Direct Connect gateway from an AWS account associated with a transit gateway from another AWS account.\]](http://docs.aws.amazon.com/directconnect/latest/UserGuide/images/direct-connect-ma-tgw.png)


# Create a Direct Connect gateway
<a name="create-direct-connect-gateway"></a>

You can create a Direct Connect gateway in any supported Region using either the Direct Connect console or using the command line or API.

**To create a Direct Connect gateway**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. In the navigation pane, choose **Direct Connect Gateways**.

1. Choose **Create Direct Connect gateway**.

1. Specify the following information, and choose **Create Direct Connect gateway**.
   + **Name**: Enter a name to help you identify the Direct Connect gateway.
   + **Amazon side ASN**: Specify the ASN for the Amazon side of the BGP session. The ASN must be in the 64,512 to 65,534 range or 4,200,000,000 to 4,294,967,294 range.
**Note**  
If you are creating a Direct Connect gateway to use with an AWS Cloud WAN core network, the ASN must not be in the same range as the ASN of the core network.

**To create a Direct Connect gateway using the command line or API**
+ [create-direct-connect-gateway](https://docs.aws.amazon.com/cli/latest/reference/directconnect/create-direct-connect-gateway.html) (AWS CLI)
+ [CreateDirectConnectGateway](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_CreateDirectConnectGateway.html) (Direct Connect API)

# Migrate from a virtual private gateway to a Direct Connect gateway
<a name="migrate-to-direct-connect-gateway"></a>

You can migrate a virtual private gateway attached to a virtual interface to a Direct Connect gateway. 

If you're using Direct Connect with VPCs that currently bypass a parent Availability Zone, you won't be able to migrate your Direct Connect connections or virtual interfaces.

The following procedure describes the steps you need to take to migrate a virtual private gateway to a Direct Connect gateway.

**To migrate to a Direct Connect gateway**

1. Create a Direct Connect gateway. 

   If the Direct Connect gateway does not yet exist, you'll need to create it. For the steps to create a Direct Connect gateway, see [Create a Direct Connect gateway](create-direct-connect-gateway.md).

1. Create a virtual interface for the Direct Connect gateway. 

   A virtual interface is required for migration. If the interface does not exist, you'll need to create it. For the steps to create the virtual interface, see [Virtual interfaces](create-vif.md).

1. Associate the virtual private gateway with the Direct Connect gateway. 

   Both the Direct Connect gateway and a virtual private gateway need to be associated. For the steps to create the association, see [Associate or disassociate virtual private gateways](associate-vgw-with-direct-connect-gateway.md).

1. Delete the virtual interface that was associated with the virtual private gateway. For more information, see [Delete a virtual interface](deletevif.md).

# Delete a Direct Connect gateway
<a name="delete-direct-connect-gateway"></a>

If you no longer require a Direct Connect gateway, you can delete it. You must first disassociate all associated virtual private gateways and delete any attached private virtual interfaces. After that, you can delete the Direct Connect gateway using either the Direct Connect console or the command line or API. 
+ For the steps to disassociate a virtual private gateway, see [Associate or disassociate virtual private gateways](associate-vgw-with-direct-connect-gateway.md).
+ For the steps to delete a virtual interface, see [Delete a virtual interface](deletevif.md).

**To delete a Direct Connect gateway**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. In the navigation pane, choose **Direct Connect Gateways**.

1. Select the gateways and choose **Delete**.

**To delete a Direct Connect gateway using the command line or API**
+ [delete-direct-connect-gateway](https://docs.aws.amazon.com/cli/latest/reference/directconnect/delete-direct-connect-gateway.html) (AWS CLI)
+ [DeleteDirectConnectGateway](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_DeleteDirectConnectGateway.html) (Direct Connect API)

# Direct Connect virtual private gateway associations
<a name="virtualgateways"></a>

You can associate a virtual private gateway with a Direct Connect gateway to enable connectivity between your Direct Connect connection and VPCs across different accounts and Regions. Each VPC requires a virtual private gateway that you associate with the Direct Connect gateway. Once these associations are established, you create private virtual interfaces on your Direct Connect connection to the Direct Connect gateway, allowing multiple VPCs to share the same Direct Connect connection through their respective virtual private gateway associations.

The following rules apply to virtual private gateway associations:
+ Do not enable route propagation until after you've associated a virtual private gateway with a Direct Connect gateway. If you enable route propagation before associating the gateways, routes might be propagated incorrectly.
+ There are limits for creating and using Direct Connect gateways. For more information, see [Direct Connect quotas](limits.md).
+ You cannot attach a Direct Connect gateway to a virtual private gateway when the Direct Connect gateway is already associated with a transit gateway.
+ The VPCs to which you connect through a Direct Connect gateway cannot have overlapping CIDR blocks. If you add an IPv4 CIDR block to a VPC that's associated with a Direct Connect gateway, ensure that the CIDR block does not overlap with an existing CIDR block for any other associated VPC. For more information, see [Adding IPv4 CIDR Blocks to a VPC](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html#vpc-resize) in the *Amazon VPC User Guide*.
+ You cannot create a public virtual interface to a Direct Connect gateway.
+ A Direct Connect gateway supports communication between attached private virtual interfaces and associated virtual private gateways only, and may enable a virtual private gateway to another private gateway. The following traffic flows are not supported:
  + Direct communication between the VPCs that are associated with a single Direct Connect gateway. This includes traffic from one VPC to another by using a hairpin through an on-premises network through a single Direct Connect gateway.
  + Direct communication between the virtual interfaces that are attached to a single Direct Connect gateway. 
  + Direct communication between the virtual interfaces that are attached to a single Direct Connect gateway and a VPN connection on a virtual private gateway that's associated with the same Direct Connect gateway.
+ You cannot associate a virtual private gateway with more than one Direct Connect gateway and you cannot attach a private virtual interface to more than one Direct Connect gateway.
+ A virtual private gateway that you associate with a Direct Connect gateway must be attached to a VPC.
+ A virtual private gateway association proposal expires 7 days after it is created.
+ An accepted virtual private gateway proposal, or a deleted virtual private gateway proposal remains visible for 3 days.
+ A virtual private gateway can be associated with a Direct Connect gateway and also attached to a virtual interface.
+ Detaching a virtual private gateway from a VPC also disassociates the virtual private gateway from a Direct Connect gateway.
+ If you are planning to use the virtual private gateway for a Direct Connect gateway and a dynamic VPN connection, set the ASN on the virtual private gateway to the value that you require for the VPN connection. Otherwise, the ASN on the virtual private gateway can be set to any permitted value. The Direct Connect gateway advertises all connected VPCs over the ASN assigned to it.

To connect your Direct Connect connection to a VPC in the same Region only, you can create a Direct Connect gateway. Or, you can create a private virtual interface and attach it to the virtual private gateway for the VPC. For more information, see [Create a private virtual interface](create-private-vif.md) and [VPN CloudHub](https://docs.aws.amazon.com/vpc/latest/userguide/VPN_CloudHub.html).

To use your Direct Connect connection with a VPC in another account, you can create a hosted private virtual interface for that account. When the owner of the other account accepts the hosted virtual interface, they can choose to attach it either to a virtual private gateway or to a Direct Connect gateway in their account. For more information, see [Virtual interfaces and hosted virtual interfaces](WorkingWithVirtualInterfaces.md).

**Topics**
+ [Create a virtual private gateway](create-virtual-private-gateway.md)
+ [Associate or disassociate virtual private gateways](associate-vgw-with-direct-connect-gateway.md)
+ [Create a private virtual interface to the Direct Connect gateway](create-private-vif-for-gateway.md)
+ [Associate a virtual private gateway across accounts](multi-account-associate-vgw.md)

# Create a Direct Connect virtual private gateway
<a name="create-virtual-private-gateway"></a>

The virtual private gateway must be attached to the VPC to which you want to connect. You can create a virtual private gateway and attach it to a VPC using either the Direct Connect console or using the command line or API.

**Note**  
If you are planning to use the virtual private gateway for a Direct Connect gateway and a dynamic VPN connection, set the ASN on the virtual private gateway to the value that you require for the VPN connection. Otherwise, the ASN on the virtual private gateway can be set to any permitted value. The Direct Connect gateway advertises all connected VPCs over the ASN assigned to it.

After you create a virtual private gateway, you must attach it to your VPC.

**To create a virtual private gateway and attach it to your VPC**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. In the navigation pane, choose **Virtual Private Gateways**, and then choose **Create Virtual Private Gateway**.

1. (Optional) Enter a name for your virtual private gateway. Doing so creates a tag with a key of `Name` and the value that you specify.

1. For **ASN**, leave the default selection to use the default Amazon ASN. Otherwise, choose **Custom ASN** and enter a value. For a 16-bit ASN, the value must be in the 64512 to 65534 range. For a 32-bit ASN, the value must be in the 4200000000 to 4294967294 range. 

1. Choose **Create Virtual Private Gateway**.

1. Select the virtual private gateway that you created, and then choose **Actions**, **Attach to VPC**.

1. Select your VPC from the list and choose **Yes, Attach**.

**To create a virtual private gateway using the command line or API**
+ [CreateVpnGateway](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/ApiReference-query-CreateVpnGateway.html) (Amazon EC2 Query API)
+ [create-vpn-gateway](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpn-gateway.html) (AWS CLI)
+ [New-EC2VpnGateway](https://docs.aws.amazon.com/powershell/latest/reference/items/New-EC2VpnGateway.html) (AWS Tools for Windows PowerShell)

**To attach a virtual private gateway to a VPC using the command line or API**
+ [AttachVpnGateway](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/ApiReference-query-AttachVpnGateway.html) (Amazon EC2 Query API)
+ [attach-vpn-gateway](https://docs.aws.amazon.com/cli/latest/reference/ec2/attach-vpn-gateway.html) (AWS CLI)
+ [Add-EC2VpnGateway](https://docs.aws.amazon.com/powershell/latest/reference/items/Add-EC2VpnGateway.html) (AWS Tools for Windows PowerShell)

# Associate or disassociate Direct Connect virtual private gateways
<a name="associate-vgw-with-direct-connect-gateway"></a>

You can associate or disassociate a virtual private gateway and Direct Connect gateway using either the Direct Connect console or using the command line or API. The account owner of the virtual private gateway performs these operations.

**To associate a virtual private gateway**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. In the navigation pane, choose **Direct Connect Gateways** and then choose the Direct Connect gateway.

1. Choose **View details**.

1. Choose **Gateway associations**, and then choose **Associate gateway**.

1. For **Gateways**, choose the virtual private gateways to associate, and then choose **Associate gateway**.

You can view all of the virtual private gateways that are associated with the Direct Connect gateway by choosing **Gateway associations**. 

**To disassociate a virtual private gateway**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. In the navigation pane, choose **Direct Connect Gateways** and then select the Direct Connect gateway.

1. Choose **View details**.

1. Choose **Gateway associations** and then select the virtual private gateway.

1. Choose **Disassociate**.

**To associate a virtual private gateway using the command line or API**
+ [create-direct-connect-gateway-association](https://docs.aws.amazon.com/cli/latest/reference/directconnect/create-direct-connect-gateway-association.html) (AWS CLI)
+ [CreateDirectConnectGatewayAssociation](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_CreateDirectConnectGatewayAssociation.html) (Direct Connect API)

**To view the virtual private gateways associated with a Direct Connect gateway using the command line or API**
+ [describe-direct-connect-gateway-associations](https://docs.aws.amazon.com/cli/latest/reference/directconnect/describe-direct-connect-gateway-associations.html) (AWS CLI)
+ [DescribeDirectConnectGatewayAssociations](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_DescribeDirectConnectGatewayAssociations.html) (Direct Connect API)

**To disassociate a virtual private gateway using the command line or API**
+ [delete-direct-connect-gateway-association](https://docs.aws.amazon.com/cli/latest/reference/directconnect/delete-direct-connect-gateway-association.html) (AWS CLI)
+ [DeleteDirectConnectGatewayAssociation](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_DeleteDirectConnectGatewayAssociation.html) (Direct Connect API)

# Create a private virtual interface to the Direct Connect gateway
<a name="create-private-vif-for-gateway"></a>

To connect your Direct Connect connection to the remote VPC, you must create a private virtual interface for your connection. Specify the Direct Connect gateway to which to connect. You can create a private virtual interface using either the Direct Connect console or using the command line or API.

**Note**  
If you're accepting a hosted private virtual interface, you can associate it with a Direct Connect gateway in your account. For more information, see [Accept a hosted virtual interface](accepthostedvirtualinterface.md).

**To provision a private virtual interface to a Direct Connect gateway**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. In the navigation pane, choose **Virtual Interfaces**.

1. Choose **Create virtual interface**.

1. Under **Virtual interface type**, choose **Private**.

1. Under **Private virtual interface settings**, do the following:

   1. For **Virtual interface name**, enter a name for the virtual interface.

   1. For **Connection**, choose the Direct Connect connection that you want to use for this interface.

   1. For **Virtual interface owner**, choose **My AWS account** if the virtual interface is for your AWS account.

   1. For **Direct Connect gateway**, select the Direct Connect gateway.

   1. For **VLAN**, enter the ID number for your virtual local area network (VLAN). 

   1. For **BGP ASN**, enter the Border Gateway Protocol Autonomous System Number of your on-premises peer router for the new virtual interface.

      The valid values are 1 to 4294967294. This includes support for both ASNs (1-2147483647) and long ASNs (1-4294967294). For more information about ASNs and long ASNs see [Long ASN support in Direct Connect](long-asn-support.md). 

1. Under **Additional Settings**, do the following:

   1. To configure an IPv4 BGP or an IPv6 peer, do the following:

      [IPv4] To configure an IPv4 BGP peer, choose **IPv4**. To specify the peer IP addresses yourself, do the following:
      + For **Your router peer ip**, enter the destination IPv4 CIDR address to which Amazon should send traffic.
      + For **Amazon router peer ip**, enter the IPv4 CIDR address to use to send traffic to AWS.
**Important**  
When configuring AWS Direct Connect virtual interfaces, you can specify your own IP addresses using RFC 1918, use other addressing schemes, or opt for AWS assigned IPv4 /29 CIDR addresses allocated from the RFC 3927 169.254.0.0/16 IPv4 Link-Local range for point-to-point connectivity. These point-to-point connections should be used exclusively for eBGP peering between your customer gateway router and the Direct Connect endpoint. For VPC traffic or tunnelling purposes, such as AWS Site-to-Site Private IP VPN, or Transit Gateway Connect, AWS recommends using a loopback or LAN interface on your customer gateway router as the source or destination address instead of the point-to-point connections.   
For more information about RFC 1918, see [Address Allocation for Private Internets](https://datatracker.ietf.org/doc/html/rfc1918).
For more information about RFC 3927, see [Dynamic Configuration of IPv4 Link-Local Addresses](https://datatracker.ietf.org/doc/html/rfc3927).

      [IPv6] To configure an IPv6 BGP peer, choose **IPv6**. The peer IPv6 addresses are automatically assigned from Amazon's pool of IPv6 addresses. You cannot specify custom IPv6 addresses.

   1. To change the maximum transmission unit (MTU) from 1500 (default) to 9001 (jumbo frames), select **Jumbo MTU (MTU size 9001)**.

   1. (Optional) Under **Enable SiteLink**, choose **Enabled** to enable direct connectivity between Direct Connect points of presence.

   1. (Optional) Add or remove a tag.

      [Add a tag] Choose **Add tag** and do the following:
      + For **Key**, enter the key name.
      + For **Value**, enter the key value.

      [Remove a tag] Next to the tag, choose **Remove tag**.

1. Choose **Create virtual interface**.

After you've created the virtual interface, you can download the router configuration for your device. For more information, see [Download the router configuration file](vif-router-config.md).
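As an added example that is not part of the AWS documentation, the following Python script (standard library only) sanity-checks the BGP peering values entered in the procedure above before you submit them: the peer ASN range, the MTU choice, that both peer IPs sit in one point-to-point subnet, which addressing scheme (RFC 1918, RFC 3927 link-local, or other) the subnet uses, and whether an address you plan to use as a tunnel endpoint is one of the point-to-point addresses that the note above says should stay reserved for eBGP peering. The `PrivateVifPeering` class and all sample values are constructed for illustration.

```python
"""Sanity-check BGP peering settings for a private virtual interface.
Standard library only; the class and sample settings are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # RFC 3927 range AWS assigns /29s from
PEER_ASN_MIN, PEER_ASN_MAX = 1, 4294967294            # valid range for the on-premises peer ASN
VALID_MTU = (1500, 9001)                              # default, or jumbo frames


@dataclass
class PrivateVifPeering:
    """Values as typed into the console for one private VIF (constructed)."""
    bgp_asn: int
    your_router_peer_ip: str    # e.g. "169.254.10.1/29"
    amazon_router_peer_ip: str  # e.g. "169.254.10.2/29"
    mtu: int = 1500


def addressing_scheme(iface: str) -> str:
    """Classify the point-to-point subnet a peer address belongs to."""
    net = ipaddress.ip_interface(iface).network
    if net.version == 4 and net.subnet_of(LINK_LOCAL):
        return "rfc3927-link-local"
    if net.version == 4 and any(net.subnet_of(p) for p in RFC1918):
        return "rfc1918"
    return "other"


def check_peering(p: PrivateVifPeering) -> List[str]:
    """Return a list of problems; an empty list means the settings are consistent."""
    problems: List[str] = []
    if not PEER_ASN_MIN <= p.bgp_asn <= PEER_ASN_MAX:
        problems.append(f"BGP ASN {p.bgp_asn} is outside {PEER_ASN_MIN}-{PEER_ASN_MAX}")
    if p.mtu not in VALID_MTU:
        problems.append(f"MTU {p.mtu} is not one of {VALID_MTU}")
    try:
        mine = ipaddress.ip_interface(p.your_router_peer_ip)
        theirs = ipaddress.ip_interface(p.amazon_router_peer_ip)
    except ValueError as exc:
        return problems + [f"peer IP is not a valid CIDR address: {exc}"]
    if mine.network != theirs.network:
        problems.append(f"{mine} and {theirs} are not in the same point-to-point subnet")
    if mine.ip == theirs.ip:
        problems.append("your router peer IP and the Amazon router peer IP are identical")
    for label, iface in (("your", mine), ("Amazon", theirs)):
        net = iface.network
        if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"{label} peer IP {iface.ip} is the network or broadcast address of {net}")
    return problems


def tunnel_source_ok(address: str, peerings: List[PrivateVifPeering]) -> bool:
    """False when a planned tunnel endpoint (for example a Private IP VPN or
    Transit Gateway Connect source) sits inside a VIF point-to-point subnet;
    a loopback or LAN address on the customer router is the recommended choice."""
    addr = ipaddress.ip_address(address)
    return not any(addr in ipaddress.ip_interface(p.your_router_peer_ip).network
                   for p in peerings)


if __name__ == "__main__":
    vif = PrivateVifPeering(bgp_asn=65000, your_router_peer_ip="169.254.10.1/29",
                            amazon_router_peer_ip="169.254.10.2/29", mtu=9001)
    print("scheme:", addressing_scheme(vif.your_router_peer_ip))
    print("problems:", check_peering(vif) or "none")
    print("169.254.10.3 usable as tunnel source:", tunnel_source_ok("169.254.10.3", [vif]))
```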

**To create a private virtual interface using the command line or API**
+ [create-private-virtual-interface](https://docs.aws.amazon.com/cli/latest/reference/directconnect/create-private-virtual-interface.html) (AWS CLI)
+ [CreatePrivateVirtualInterface](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_CreatePrivateVirtualInterface.html) (Direct Connect API)

**To view the virtual interfaces that are attached to a Direct Connect gateway using the command line or API**
+ [describe-direct-connect-gateway-attachments](https://docs.aws.amazon.com/cli/latest/reference/directconnect/describe-direct-connect-gateway-attachments.html) (AWS CLI)
+ [DescribeDirectConnectGatewayAttachments](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_DescribeDirectConnectGatewayAttachments.html) (Direct Connect API)

# Associate a Direct Connect virtual private gateway across accounts
<a name="multi-account-associate-vgw"></a>

You can associate a Direct Connect gateway with a virtual private gateway that is owned by any AWS account. The Direct Connect gateway can be an existing gateway, or you can create a new gateway. The owner of the virtual private gateway creates an *association proposal* and the owner of the Direct Connect gateway must accept the association proposal.

An association proposal can contain prefixes that will be allowed from the virtual private gateway. The owner of the Direct Connect gateway can optionally override any requested prefixes in the association proposal.

## Allowed prefixes
<a name="allowed-prefixes"></a>

When you associate a virtual private gateway with a Direct Connect gateway, you specify a list of Amazon VPC prefixes to advertise to the Direct Connect gateway. The prefix list acts as a filter that allows the same CIDRs, or smaller CIDRs, to be advertised to the Direct Connect gateway. You must set the **Allowed prefixes** to a range that is the same as or wider than the VPC CIDR, because the entire VPC CIDR is provisioned on the virtual private gateway.

Consider the case where the VPC CIDR is 10.0.0.0/16. You can set the **Allowed prefixes** to 10.0.0.0/16 (the VPC CIDR value), or 10.0.0.0/15 (a value that is wider than the VPC CIDR).

Any virtual interface inside network prefixes advertised over Direct Connect are only propagated to transit gateways across Regions, not within the same Region. For more information on how allowed prefixes interact with virtual private gateways and transit gateways, see [Allowed prefixes interactions](allowed-to-prefixes.md).
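As an added example that is not part of the AWS documentation, the following Python script (standard library only) models the cross-account association proposal described above together with the allowed-prefixes filter: the virtual private gateway owner proposes prefixes, the Direct Connect gateway owner optionally overrides them, and the script reports which VPC CIDRs would pass the filter, which would be blocked because the allowed prefix is narrower than the VPC CIDR, and whether the new VPC's CIDRs overlap a VPC that is already associated with the gateway. The `Proposal` and `Decision` classes, gateway names and CIDRs are constructed for illustration.

```python
"""Model a virtual private gateway association proposal and the allowed-prefixes
filter. Standard library only; all gateway names and CIDRs are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple


@dataclass
class Proposal:
    """What the virtual private gateway owner sends to the Direct Connect gateway owner."""
    vgw_name: str
    vpc_cidrs: List[str]            # every CIDR block attached to the VPC
    requested_prefixes: List[str]   # prefixes the VGW owner asks to have allowed


@dataclass
class Decision:
    """What the Direct Connect gateway owner ends up with after accepting."""
    allowed_prefixes: List[str]
    advertised: List[str] = field(default_factory=list)  # VPC CIDRs that pass the filter
    dropped: List[str] = field(default_factory=list)     # VPC CIDRs blocked by the filter
    problems: List[str] = field(default_factory=list)


def apply_allowed_prefixes(vpc_cidrs: Iterable[str],
                           allowed_prefixes: Iterable[str]) -> Tuple[List[str], List[str]]:
    """The filter passes a VPC CIDR when it equals, or is more specific than, some
    allowed prefix. Because the whole VPC CIDR is provisioned on the virtual private
    gateway, an allowed prefix narrower than the VPC CIDR lets nothing through."""
    allowed = [ipaddress.ip_network(p) for p in allowed_prefixes]
    advertised: List[str] = []
    dropped: List[str] = []
    for cidr in vpc_cidrs:
        net = ipaddress.ip_network(cidr)
        passes = any(a.version == net.version and net.subnet_of(a) for a in allowed)
        (advertised if passes else dropped).append(cidr)
    return advertised, dropped


def overlaps_existing(vpc_cidrs: Iterable[str],
                      existing_vpc_cidrs: Iterable[str]) -> List[Tuple[str, str]]:
    """Pairs of (new CIDR, already-associated CIDR) that overlap; the VPCs
    behind one Direct Connect gateway may not have overlapping CIDR blocks."""
    existing = [ipaddress.ip_network(c) for c in existing_vpc_cidrs]
    return [(cidr, str(other))
            for cidr in vpc_cidrs
            for other in existing
            if ipaddress.ip_network(cidr).version == other.version
            and ipaddress.ip_network(cidr).overlaps(other)]


def accept_proposal(proposal: Proposal, existing_vpc_cidrs: Iterable[str],
                    override: Optional[List[str]] = None) -> Decision:
    """Accept as the Direct Connect gateway owner. `override`, when given, replaces
    the requested prefixes; the result says what will actually be advertised."""
    allowed = list(override) if override is not None else list(proposal.requested_prefixes)
    decision = Decision(allowed_prefixes=allowed)
    decision.advertised, decision.dropped = apply_allowed_prefixes(proposal.vpc_cidrs, allowed)
    for cidr in decision.dropped:
        decision.problems.append(
            f"{cidr} is not covered by any allowed prefix; allow {cidr} or a wider range")
    for cidr, other in overlaps_existing(proposal.vpc_cidrs, existing_vpc_cidrs):
        decision.problems.append(
            f"{cidr} overlaps {other}, which is already associated with this gateway")
    return decision


if __name__ == "__main__":
    # Constructed sample: Account A's VPC has a primary and a secondary CIDR and asks
    # for a /15 that covers both; Account Z already has one VPC on the gateway.
    proposal = Proposal("vgw-account-a", ["10.0.0.0/16", "10.1.0.0/16"], ["10.0.0.0/15"])
    already_associated = ["172.16.0.0/16"]
    for override in (None, ["10.0.0.0/16"], ["10.0.0.0/24"]):
        d = accept_proposal(proposal, already_associated, override)
        print(f"allowed={d.allowed_prefixes} advertised={d.advertised} "
              f"dropped={d.dropped} problems={d.problems}")
```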

# Direct Connect gateways and transit gateway associations
<a name="direct-connect-transit-gateways"></a>

You can use a Direct Connect gateway to connect your Direct Connect connection over a transit virtual interface to the VPCs or VPNs that are attached to your transit gateway. You associate a Direct Connect gateway with the transit gateway. Then, create a transit virtual interface for your Direct Connect connection to the Direct Connect gateway.

The following rules apply to transit gateway associations:
+ You cannot attach a Direct Connect gateway to a transit gateway when the Direct Connect gateway is already associated with a virtual private gateway or is attached to a private virtual interface.
+ There are limits for creating and using Direct Connect gateways. For more information, see [Direct Connect quotas](limits.md).
+ A Direct Connect gateway supports communication between attached transit virtual interfaces and associated transit gateways.
+ If you connect to multiple transit gateways that are in different Regions, use unique ASNs for each transit gateway.
+ Any point-to-point connectivity address using a `/30` range — for example, `192.168.0.0/30` — does not propagate to a transit gateway.

## Associating a transit gateway across accounts
<a name="multi-account-associate-tgw"></a>

You can associate an existing Direct Connect gateway or a new Direct Connect gateway with a transit gateway that is owned by any AWS account. The owner of the transit gateway creates an *association proposal* and the owner of the Direct Connect gateway must accept the association proposal.

An association proposal can contain prefixes that will be allowed from the transit gateway. The owner of the Direct Connect gateway can optionally override any requested prefixes in the association proposal.

### Allowed prefixes
<a name="allowed-prefixes-transit-gateway"></a>

For a transit gateway association, you provision the allowed prefixes list on the Direct Connect gateway. The list is used to route traffic from on-premises to AWS into the transit gateway even if the VPCs attached to the transit gateway do not have assigned CIDRs. Prefixes in the Direct Connect gateway allowed prefix list originate on the Direct Connect gateway and are advertised to the on-premises network. For more information on how allowed prefixes interact with transit gateway and virtual private gateways, see [Allowed prefixes interactions](allowed-to-prefixes.md).

**Topics**
+ [Associating a transit gateway across accounts](#multi-account-associate-tgw)
+ [Associate or disassociate a transit gateway with Direct Connect.](associate-tgw-with-direct-connect-gateway.md)
+ [Create a transit virtual interface to the Direct Connect gateway](create-transit-vif-for-gateway.md)
+ [Create a transit gateway association proposal](multi-account-tgw-create-proposal.md)
+ [Accept or reject a transit gateway association proposal](multi-account-tgw-accept-reject-proposal.md)
+ [Update the allowed prefixes for a transit gateway association](multi-account-tgw-update-proposal-routes.md)
+ [Delete a transit gateway association proposal](multi-account-tgw-delete-proposal.md)

# Associate or disassociate Direct Connect with a transit gateway
<a name="associate-tgw-with-direct-connect-gateway"></a>

Associate or disassociate a transit gateway using either the Direct Connect console or using the command line or API.

**To associate a transit gateway**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. In the navigation pane, choose **Direct Connect Gateways** and then select the Direct Connect gateway.

1. Choose **View details**.

1. Choose **Gateway associations** and then choose **Associate gateway**.

1. For **Gateways**, choose the transit gateway to associate.

1. In **Allowed prefixes**, enter the prefixes (separated by a comma, or on a new line) which the Direct Connect gateway advertises to the on-premises data center. For more information on allowed prefixes, see [Allowed prefixes interactions](allowed-to-prefixes.md).

1. Choose **Associate gateway**

You can view all of the gateways that are associated with the Direct Connect gateway by choosing **Gateway associations**. 

**To disassociate a transit gateway**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. In the navigation pane, choose **Direct Connect gateways** and then select the Direct Connect gateway.

1. Choose **View details**.

1. Choose **Gateway associations** and then select the transit gateway.

1. Choose **Disassociate**.

**To update allowed prefixes for a transit gateway**

You can add or remove allowed prefixes to the transit gateway.

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. In the navigation pane, choose **Direct Connect gateways** and then choose the Direct Connect gateway you want to add or remove allowed prefixes for.

1. Choose the **Gateway associations** tab.

1. Choose the gateway you want to modify allowed prefixes for, and then choose **Edit**.

1. In **Allowed prefixes**, enter the prefixes which the Direct Connect gateway advertises to the on-premises data center. For multiple prefixes, separate each prefix by a comma or put each prefix on a new line. The prefixes you add should match the Amazon VPC CIDRs for all virtual private gateways. For more information on allowed prefixes, see [Allowed prefixes interactions](allowed-to-prefixes.md).

1. Choose **Edit association**. 

   In the **Gateway association** section the **State** displays **updating**. When complete, the **State** changes to **associated**. This might take several minutes or longer to complete.

**To associate a transit gateway using the command line or API**
+ [create-direct-connect-gateway-association](https://docs.aws.amazon.com/cli/latest/reference/directconnect/create-direct-connect-gateway-association.html) (AWS CLI)
+ [CreateDirectConnectGatewayAssociation](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_CreateDirectConnectGatewayAssociation.html) (Direct Connect API)

**To view the transit gateways associated with a Direct Connect gateway using the command line or API**
+ [describe-direct-connect-gateway-associations](https://docs.aws.amazon.com/cli/latest/reference/directconnect/describe-direct-connect-gateway-associations.html) (AWS CLI)
+ [DescribeDirectConnectGatewayAssociations](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_DescribeDirectConnectGatewayAssociations.html) (Direct Connect API)

**To disassociate a transit gateway using the command line or API**
+ [delete-direct-connect-gateway-association](https://docs.aws.amazon.com/cli/latest/reference/directconnect/delete-direct-connect-gateway-association.html) (AWS CLI)
+ [DeleteDirectConnectGatewayAssociation](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_DeleteDirectConnectGatewayAssociation.html) (Direct Connect API)

**To update allowed prefixes for a transit gateway using the command line or API**
+ [update-direct-connect-gateway-association](https://docs.aws.amazon.com/cli/latest/reference/directconnect/update-direct-connect-gateway-association.html) (AWS CLI)
+ [UpdateDirectConnectGatewayAssociation](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_UpdateDirectConnectGatewayAssociation.html) (Direct Connect API)

# Create a transit virtual interface to the Direct Connect gateway
<a name="create-transit-vif-for-gateway"></a>

To connect your Direct Connect connection to the transit gateway, you must create a transit interface for your connection. Specify the Direct Connect gateway to which to connect. You can use either the Direct Connect console or use the command line or API.

**Important**  
If you associate your transit gateway with one or more Direct Connect gateways, the Autonomous System Number (ASN) used by the transit gateway and the Direct Connect gateway must be different. For example, if you use the default ASN 64512 for both the transit gateway and the Direct Connect gateway, the association request fails.

**To provision a transit virtual interface to a Direct Connect gateway**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. In the navigation pane, choose **Virtual Interfaces**.

1. Choose **Create virtual interface**.

1. Under **Virtual interface type**, for **Type**, choose **Transit**.

1. Under **Transit virtual interface settings**, do the following:

   1. For **Virtual interface name**, enter a name for the virtual interface.

   1. For **Connection**, choose the Direct Connect connection that you want to use for this interface.

   1. For **Virtual interface owner**, choose **My AWS account** if the virtual interface is for your AWS account.

   1.  For **Direct Connect gateway**, select the Direct Connect gateway.

   1. For **VLAN**, enter the ID number for your virtual local area network (VLAN). 

   1. For **BGP ASN**, enter the Border Gateway Protocol Autonomous System Number of your on-premises peer router for the new virtual interface.

      The valid values are 1 to 4294967294. This includes support for both ASNs (1-2147483647) and long ASNs (1-4294967294). For more information about ASNs and long ASNs see [Long ASN support in Direct Connect](long-asn-support.md). 

1. Under **Additional Settings**, do the following:

   1. To configure an IPv4 BGP or an IPv6 peer, do the following:

      [IPv4] To configure an IPv4 BGP peer, choose **IPv4**. To specify the peer IP addresses yourself, do the following (otherwise AWS assigns them; see the note below):
      + For **Your router peer ip**, enter the IPv4 CIDR address of your router's side of the BGP session, the destination to which Amazon sends traffic.
      + For **Amazon router peer ip**, enter the IPv4 CIDR address of the Amazon side of the session, to which your router sends traffic.
**Important**  
When configuring AWS Direct Connect virtual interfaces, you can specify your own IP addresses using RFC 1918, use other addressing schemes, or opt for AWS assigned IPv4 /29 CIDR addresses allocated from the RFC 3927 169.254.0.0/16 IPv4 Link-Local range for point-to-point connectivity. These point-to-point connections should be used exclusively for eBGP peering between your customer gateway router and the Direct Connect endpoint. For VPC traffic or tunnelling purposes, such as AWS Site-to-Site Private IP VPN, or Transit Gateway Connect, AWS recommends using a loopback or LAN interface on your customer gateway router as the source or destination address instead of the point-to-point connections.  
For more information about RFC 1918, see [Address Allocation for Private Internets](https://datatracker.ietf.org/doc/html/rfc1918).
For more information about RFC 3927, see [Dynamic Configuration of IPv4 Link-Local Addresses](https://datatracker.ietf.org/doc/html/rfc3927).

      [IPv6] To configure an IPv6 BGP peer, choose **IPv6**. The peer IPv6 addresses are automatically assigned from Amazon's pool of IPv6 addresses. You cannot specify custom IPv6 addresses.

   1. To change the maximum transmission unit (MTU) from 1500 (default) to 8500 (jumbo frames), select **Jumbo MTU (MTU size 8500)**.

   1. (Optional) Under **Enable SiteLink**, choose **Enabled** to enable direct connectivity between Direct Connect points of presence.

   1. (Optional) Add or remove a tag.

      [Add a tag] Choose **Add tag** and do the following:
      + For **Key**, enter the key name.
      + For **Value**, enter the key value.

      [Remove a tag] Next to the tag, choose **Remove tag**.

1. Choose **Create virtual interface**.

After you've created the virtual interface, you can download the router configuration for your device. For more information, see [Download the router configuration file](vif-router-config.md).

**To create a transit virtual interface using the command line or API**
+ [create-transit-virtual-interface](https://docs.aws.amazon.com/cli/latest/reference/directconnect/create-transit-virtual-interface.html) (AWS CLI)
+ [CreateTransitVirtualInterface](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_CreateTransitVirtualInterface.html) (Direct Connect API)

**To view the virtual interfaces that are attached to a Direct Connect gateway using the command line or API**
+ [describe-direct-connect-gateway-attachments](https://docs.aws.amazon.com/cli/latest/reference/directconnect/describe-direct-connect-gateway-attachments.html) (AWS CLI)
+ [DescribeDirectConnectGatewayAttachments](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_DescribeDirectConnectGatewayAttachments.html) (Direct Connect API)
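Before sending the request, it is worth checking the virtual interface parameters and the gateway ASN rules from this page in one place. The following Python is an added example, not AWS code: it validates a dict shaped like the `--new-transit-virtual-interface` structure of `create-transit-virtual-interface` (the field names `vlan`, `asn`, `mtu`, `addressFamily`, `customerAddress`, `amazonAddress` and `directConnectGatewayId` are the documented ones) against the VLAN, ASN, MTU and peer-address rules above, and then checks that the Direct Connect gateway ASN differs from every associated transit gateway ASN and that transit gateways in different Regions use unique ASNs. The sample values are constructed (they reuse VLAN 899 and ASNs 65020/65030 from the worked example at the end of this page) and the function names are ours.

```python
"""Pre-flight validation for a transit virtual interface request.
Added example, not AWS code; rules are the ones stated on this page."""
import ipaddress

ASN_MAX = 4294967294          # upper bound of the long (32-bit) ASN range
VALID_MTU = {1500, 8500}      # default and jumbo frames

# Constructed sample of the --new-transit-virtual-interface structure.
EXAMPLE_VIF = {
    "virtualInterfaceName": "tvif-to-dxgw",
    "vlan": 899,
    "asn": 65020,                       # on-premises peer router ASN
    "mtu": 8500,
    "addressFamily": "ipv4",
    "customerAddress": "169.254.100.1/29",
    "amazonAddress": "169.254.100.2/29",
    "directConnectGatewayId": "5f294f92-bafb-4011-916d-9b0bexample",
}


def _ipv4_peer_problems(vif):
    """Check the optional customer-supplied IPv4 BGP peer addresses."""
    cust, amzn = vif.get("customerAddress"), vif.get("amazonAddress")
    if cust is None and amzn is None:
        return []      # AWS assigns a /29 from 169.254.0.0/16 (link-local)
    if cust is None or amzn is None:
        return ["set both customerAddress and amazonAddress, or neither"]
    try:
        c, a = ipaddress.ip_interface(cust), ipaddress.ip_interface(amzn)
    except ValueError as err:
        return [f"peer address is not a valid CIDR: {err}"]
    if c.version != 4 or a.version != 4:
        return ["addressFamily ipv4 requires IPv4 peer addresses"]
    if c.network != a.network:
        return ["customerAddress and amazonAddress must be in the same "
                "point-to-point subnet"]
    if c.ip == a.ip:
        return ["customerAddress and amazonAddress must be different hosts"]
    return []


def validate_transit_vif(vif, dxgw_asn, tgw_asns):
    """Return a list of problems; an empty list means the request can be sent.

    vif: the --new-transit-virtual-interface structure as a dict.
    dxgw_asn: ASN of the Direct Connect gateway the VIF attaches to.
    tgw_asns: {region: asn} for the transit gateways associated with it.
    """
    problems = []
    if not 1 <= int(vif.get("vlan", 0)) <= 4094:
        problems.append("vlan must be between 1 and 4094")
    if not 1 <= int(vif.get("asn", 0)) <= ASN_MAX:
        problems.append(f"asn must be between 1 and {ASN_MAX}")
    if vif.get("mtu", 1500) not in VALID_MTU:
        problems.append("mtu must be 1500 or 8500 (jumbo frames)")
    if not vif.get("directConnectGatewayId"):
        problems.append("directConnectGatewayId is required for a transit VIF")
    family = vif.get("addressFamily", "ipv4")
    if family == "ipv4":
        problems += _ipv4_peer_problems(vif)
    elif family == "ipv6":
        # IPv6 peers are always assigned from Amazon's pool.
        if "customerAddress" in vif or "amazonAddress" in vif:
            problems.append("IPv6 peer addresses are assigned by AWS; "
                            "do not set them")
    else:
        problems.append("addressFamily must be ipv4 or ipv6")
    # Gateway ASN rules: the Direct Connect gateway ASN must differ from
    # every associated transit gateway ASN, and transit gateways in
    # different Regions must not share an ASN.
    if dxgw_asn in tgw_asns.values():
        problems.append(f"Direct Connect gateway ASN {dxgw_asn} collides "
                        "with a transit gateway ASN")
    if len(set(tgw_asns.values())) != len(tgw_asns):
        problems.append("transit gateways in different Regions must use "
                        "unique ASNs")
    return problems


if __name__ == "__main__":
    found = validate_transit_vif(EXAMPLE_VIF, 65030,
                                 {"us-east-1": 64512, "eu-west-1": 64513})
    print("ok" if not found else "\n".join(found))
```

The check runs before any API call and costs nothing; a request that trips the ASN rule otherwise fails only at association time, after the virtual interface has already been provisioned.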

# Create a transit gateway and Direct Connect association proposal
<a name="multi-account-tgw-create-proposal"></a>

If you own the transit gateway, you must create the association proposal. The transit gateway must be attached to a VPC or VPN in your AWS account. The owner of the Direct Connect gateway must share the ID of the Direct Connect gateway and the ID of its AWS account. After you create the proposal, the owner of the Direct Connect gateway must accept it in order for you to gain access to the on-premises network over Direct Connect. You can create an association proposal using either the Direct Connect console or using the command line or API.

**To create an association proposal**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. In the navigation pane, choose **Transit gateways** and then select the transit gateway.

1. Choose **View details**.

1. Choose **Direct Connect gateway associations** and then choose **Associate Direct Connect gateway**.

1. Under **Association account type**, for **Account owner**, choose **Another account**.

1. For **Direct Connect gateway owner**, enter the ID of the account that owns the Direct Connect gateway.

1. Under **Association settings**, do the following:

   1. For **Direct Connect gateway ID**, enter the ID of the Direct Connect gateway.

   1. For **Virtual interface owner**, enter the ID of the account that owns the virtual interface for the association.

   1. (Optional) To specify a list of prefixes to be allowed from the transit gateway, add the prefixes to **Allowed prefixes**, separating them using commas, or entering them on separate lines.

1. Choose **Associate Direct Connect gateway**.

**To create an association proposal using the command line or API**
+ [create-direct-connect-gateway-association-proposal](https://docs.aws.amazon.com/cli/latest/reference/directconnect/create-direct-connect-gateway-association-proposal.html) (AWS CLI)
+ [CreateDirectConnectGatewayAssociationProposal](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_CreateDirectConnectGatewayAssociationProposal.html) (Direct Connect API)

# Accept or reject a transit gateway and Direct Connect association proposal
<a name="multi-account-tgw-accept-reject-proposal"></a>

If you own the Direct Connect gateway, you must accept the association proposal in order to create the association. You also have the option of rejecting the association proposal. You can accept or reject the association proposal using either the Direct Connect console or using the command line or API.

**To accept an association proposal**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. In the navigation pane, choose **Direct Connect gateways**.

1. Select the Direct Connect gateway with pending proposals and then choose **View details**.

1. On the **Pending proposals** tab, select the proposal and then choose **Accept proposal**.

1. (Optional) To specify a list of prefixes to be allowed from the transit gateway, add the prefixes to **Allowed prefixes**, separating them using commas, or entering them on separate lines.

1. Choose **Accept proposal**.

**To reject an association proposal**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. In the navigation pane, choose **Direct Connect gateways**.

1. Select the Direct Connect gateway with pending proposals and then choose **View details**.

1. On the **Pending proposals** tab, select the transit gateway and then choose **Reject proposal**.

1. In the **Reject proposal** dialog box, enter **Delete** and then choose **Reject proposal**.

**To view association proposals using the command line or API**
+ [describe-direct-connect-gateway-association-proposals](https://docs.aws.amazon.com/cli/latest/reference/directconnect/describe-direct-connect-gateway-association-proposals.html) (AWS CLI)
+ [DescribeDirectConnectGatewayAssociationProposals](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_DescribeDirectConnectGatewayAssociationProposals.html) (Direct Connect API)

**To accept an association proposal using the command line or API**
+ [accept-direct-connect-gateway-association-proposal](https://docs.aws.amazon.com/cli/latest/reference/directconnect/accept-direct-connect-gateway-association-proposal.html) (AWS CLI)
+ [AcceptDirectConnectGatewayAssociationProposal](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_AcceptDirectConnectGatewayAssociationProposal.html) (Direct Connect API)

**To reject an association proposal using the command line or API**
+ [delete-direct-connect-gateway-association-proposal](https://docs.aws.amazon.com/cli/latest/reference/directconnect/delete-direct-connect-gateway-association-proposal.html) (AWS CLI)
+ [DeleteDirectConnectGatewayAssociationProposal](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_DeleteDirectConnectGatewayAssociationProposal.html) (Direct Connect API)
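Accepting a proposal lets another account's transit gateway have its allowed prefixes originated from your Direct Connect gateway and advertised to your on-premises network, so the acceptance step is where the Direct Connect gateway owner should apply a policy rather than accept whatever prefixes were requested. The following Python is an added example, not AWS code: it reviews a response shaped like the `describe-direct-connect-gateway-association-proposals` output, rejects proposals from accounts outside a trusted list, trims the requested prefixes to a permitted supernet (dropping, for example, `0.0.0.0/0`), and builds the parameters for `accept-direct-connect-gateway-association-proposal` (with `override-allowed-prefixes-to-direct-connect-gateway` when the list was trimmed) or for `delete-direct-connect-gateway-association-proposal`. The sample response, the trusted account list and the permitted supernet are constructed for the example; nothing is sent to AWS.

```python
"""Policy gate for cross-account association proposals.
Added example, not AWS code. Sample data is constructed."""
import ipaddress

# Constructed sample shaped like the describe-direct-connect-gateway-
# association-proposals output; IDs and account numbers are made up.
SAMPLE_PROPOSALS = {
    "directConnectGatewayAssociationProposals": [
        {   # trusted account, but asks for a default route as well
            "proposalId": "11111111-aaaa-4bbb-8ccc-000000000001",
            "directConnectGatewayId": "5f294f92-bafb-4011-916d-9b0bexample",
            "directConnectGatewayOwnerAccount": "111122223333",
            "proposalState": "requested",
            "associatedGateway": {"id": "tgw-0a1b2c3d4e5f60001",
                                  "type": "transitGateway",
                                  "ownerAccount": "444455556666",
                                  "region": "us-east-1"},
            "existingAllowedPrefixesToDirectConnectGateway": [],
            "requestedAllowedPrefixesToDirectConnectGateway": [
                {"cidr": "10.20.0.0/16"}, {"cidr": "0.0.0.0/0"}],
        },
        {   # account that is not on the trusted list
            "proposalId": "11111111-aaaa-4bbb-8ccc-000000000002",
            "directConnectGatewayId": "5f294f92-bafb-4011-916d-9b0bexample",
            "directConnectGatewayOwnerAccount": "111122223333",
            "proposalState": "requested",
            "associatedGateway": {"id": "tgw-0a1b2c3d4e5f60002",
                                  "type": "transitGateway",
                                  "ownerAccount": "999999999999",
                                  "region": "us-east-1"},
            "existingAllowedPrefixesToDirectConnectGateway": [],
            "requestedAllowedPrefixesToDirectConnectGateway": [
                {"cidr": "10.30.0.0/16"}],
        },
        {   # trusted account, in-policy prefix only
            "proposalId": "11111111-aaaa-4bbb-8ccc-000000000003",
            "directConnectGatewayId": "5f294f92-bafb-4011-916d-9b0bexample",
            "directConnectGatewayOwnerAccount": "111122223333",
            "proposalState": "requested",
            "associatedGateway": {"id": "tgw-0a1b2c3d4e5f60003",
                                  "type": "transitGateway",
                                  "ownerAccount": "444455556666",
                                  "region": "eu-west-1"},
            "existingAllowedPrefixesToDirectConnectGateway": [],
            "requestedAllowedPrefixesToDirectConnectGateway": [
                {"cidr": "10.40.0.0/16"}],
        },
    ]
}

TRUSTED_TGW_ACCOUNTS = {"444455556666"}                        # hypothetical
PERMITTED_SUPERNETS = [ipaddress.ip_network("10.0.0.0/8")]     # hypothetical


def review_proposal(p, trusted=TRUSTED_TGW_ACCOUNTS,
                    permitted=PERMITTED_SUPERNETS):
    """Decide one proposal.

    Returns (action, params): action is 'accept', 'reject' or 'skip';
    params are the arguments for accept-direct-connect-gateway-
    association-proposal (accept) or delete-direct-connect-gateway-
    association-proposal (reject).
    """
    gw = p["associatedGateway"]
    if p["proposalState"] != "requested":
        return "skip", {"proposalId": p["proposalId"]}
    if gw["ownerAccount"] not in trusted:
        return "reject", {"proposalId": p["proposalId"]}
    requested = [ipaddress.ip_network(x["cidr"]) for x in
                 p["requestedAllowedPrefixesToDirectConnectGateway"]]
    # Keep only prefixes that sit inside a permitted supernet; this drops
    # a default route and anything outside the address plan.
    kept = [n for n in requested
            if any(n.version == s.version and n.subnet_of(s)
                   for s in permitted)]
    if not kept:
        return "reject", {"proposalId": p["proposalId"]}
    params = {"directConnectGatewayId": p["directConnectGatewayId"],
              "proposalId": p["proposalId"],
              "associatedGatewayOwnerAccount": gw["ownerAccount"]}
    if kept != requested:
        # The Direct Connect gateway owner overrides the requested list.
        params["overrideAllowedPrefixesToDirectConnectGateway"] = [
            {"cidr": str(n)} for n in kept]
    return "accept", params


def review_all(response, **policy):
    """Map proposalId -> (action, params) for a whole describe response."""
    return {p["proposalId"]: review_proposal(p, **policy)
            for p in response["directConnectGatewayAssociationProposals"]}


if __name__ == "__main__":
    for pid, (action, params) in review_all(SAMPLE_PROPOSALS).items():
        print(pid, action, params)
```

The override is the important part: without it, accepting the first proposal as requested would have the Direct Connect gateway originate `0.0.0.0/0` towards on-premises, and it would also collide with any other transit gateway association on the same gateway, as described under Allowed prefixes interactions.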

# Update the allowed prefixes for a transit gateway and Direct Connect association
<a name="multi-account-tgw-update-proposal-routes"></a>

You can update the prefixes that are allowed from the transit gateway over the Direct Connect gateway using either the Direct Connect console or the command line or API. To update the allowed prefixes using the Direct Connect console:
+ If you're the owner of the transit gateway, create a new association proposal for that Direct Connect gateway, specifying the prefixes to allow. For the steps to create a new association proposal, see [Create a transit gateway association proposal](multi-account-tgw-create-proposal.md).
+ If you're the owner of the Direct Connect gateway, you can set the allowed prefixes when you accept the association proposal, or update them on an existing association. For the steps to update the allowed prefixes when you accept the association, see [Accept or reject a transit gateway association proposal](multi-account-tgw-accept-reject-proposal.md).

**To update the allowed prefixes for an existing association using the command line or API**
+ [update-direct-connect-gateway-association](https://docs.aws.amazon.com/cli/latest/reference/directconnect/update-direct-connect-gateway-association.html) (AWS CLI)
+ [UpdateDirectConnectGatewayAssociation](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_UpdateDirectConnectGatewayAssociation.html) (Direct Connect API)

# Delete a transit gateway and Direct Connect association proposal
<a name="multi-account-tgw-delete-proposal"></a>

The owner of the transit gateway can delete the Direct Connect gateway association proposal if it is still pending acceptance. After an association proposal is accepted, you can't delete it, but you can disassociate the transit gateway from the Direct Connect gateway. For more information, see [Create a transit gateway association proposal](multi-account-tgw-create-proposal.md).

You can delete a transit gateway and Direct Connect association proposal using either the Direct Connect console or using the command line or API.

**To delete an association proposal**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. In the navigation pane, choose **Transit gateways** and then select the transit gateway.

1. Choose **View details**.

1. Choose **Pending gateway associations**, select the association and then choose **Delete association**.

1. In the **Delete association proposal** dialog box, enter **Delete** and then choose **Delete**.

**To delete a pending association proposal using the command line or API**
+ [delete-direct-connect-gateway-association-proposal](https://docs.aws.amazon.com/cli/latest/reference/directconnect/delete-direct-connect-gateway-association-proposal.html) (AWS CLI)
+ [DeleteDirectConnectGatewayAssociationProposal](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_DeleteDirectConnectGatewayAssociationProposal.html) (Direct Connect API)

# Direct Connect gateway and AWS Cloud WAN core network associations
<a name="direct-connect-cloud-wan"></a>

Associate a Direct Connect gateway with an AWS Cloud WAN core network using the Direct Connect attachment type in Cloud WAN. This direct association routes traffic between your core network's selected edge locations and your Direct Connect connections using the shortest available path.

The Direct Connect gateway attachment type supports BGP (Border Gateway protocol) for automatic propagation of routing information between your core network and on-premises locations. The Direct Connect attachment also supports the standard Cloud WAN features such as central policy-based management, tag-based attachment automation, and segmentation for advanced security configurations.

**Note**  
The association between a core network and a Direct Connect gateway is created, deleted, and managed from the Cloud WAN Console in Network Manager. When using a Direct Connect gateway with Cloud WAN, the Direct Connect Console and the APIs and CLI will reflect the association, but cannot be used to modify it. You can, however, use the Direct Connect API or command line to verify if an association was created.

The following example shows a Cloud WAN global network with three Regions within the Cloud WAN core network. Each Region has its own VPC connected to a core network Development segment shared across those three Regions. Using Cloud WAN, a Direct Connect gateway attachment is created within Cloud WAN using a Direct Connect gateway, which was created using Direct Connect. The attachment is associated with two of the three Regions, ap-southeast-2 and us-west-2 and is allowed access to the Development segment. Even though us-east-1 shares the same Development segment, the Direct Connect gateway attachment is not shared with that Region and is therefore not available. 

![\[A Direct Connect gateway attachment association with an AWS Cloud WAN core network.\]](http://docs.aws.amazon.com/directconnect/latest/UserGuide/images/dxattachment-cloudwan.png)


**Topics**
+ [Prerequisites](#direct-connect-cloud-wan-prereq)
+ [Considerations](#direct-connect-cloud-wan-limits)
+ [Direct Connect gateway associations to a Cloud WAN core network](#associate-cloudwan-with-direct-connect-gateway)
+ [Verify a Direct Connect gateway association](edit-cloudwan-with-direct-connect-gateway.md)

## Prerequisites
<a name="direct-connect-cloud-wan-prereq"></a>

A Direct Connect gateway association with a Cloud WAN core network requires the following:
+ An existing Direct Connect gateway. For the steps to create a Direct Connect gateway, see [Create a Direct Connect gateway](create-direct-connect-gateway.md).
+ An AWS Cloud WAN core network. For information about Cloud WAN, see the [https://docs.aws.amazon.com/network-manager/latest/cloudwan/what-is-cloudwan.html](https://docs.aws.amazon.com/network-manager/latest/cloudwan/what-is-cloudwan.html).

## Considerations
<a name="direct-connect-cloud-wan-limits"></a>

The following limits apply for Direct Connect gateway associations with a Cloud WAN core network:
+ A Direct Connect gateway can be associated with a single Cloud WAN core network and with a single segment of that core network. Once an association is created, that gateway cannot be associated with other resources in any AWS Region. If you disassociate the gateway from the core network, you can then use that gateway for other association types.
+ The Cloud WAN Direct Connect gateway attachment uses the transit virtual interface type for connectivity.
+ The Cloud WAN attachment does not support allowed prefixes lists. All prefixes in a core network segment will be advertised to the Direct Connect gateway associated to that segment.
+ The quota for maximum prefixes that can be advertised from on-premises to AWS via a transit virtual interface is different from the quota for prefixes advertised from a Cloud WAN core network to on-premises. Quotas for other Direct Connect resources used with a Cloud WAN association are also applicable. See [Direct Connect quotas](limits.md).
+ The AS-PATH BGP attribute will be retained across the core network, Direct Connect gateway, and virtual interface.
+ The ASN of a Direct Connect gateway must be outside of the ASN range configured for the Cloud WAN core network. For example, if you have an ASN range of 64512 - 65534 for the core network, the ASN of the Direct Connect gateway must use an ASN outside of that range. 
+ Cloud WAN might not support specific attachment types using the Direct Connect attachment type for transport. For more information about Direct Connect gateway attachments to a Cloud WAN core network, see [Direct Connect gateway attachments in AWS Cloud WAN](https://docs.aws.amazon.com/network-manager/latest/cloudwan/cloudwan-create-attachment.html) in the *AWS Cloud WAN User Guide*.
+ CloudWatch Network Monitor supports latency and packet loss metrics when used with a Cloud WAN Direct Connect gateway attachment type. The Network Health Indicator feature is not supported. For more information, see [Using Amazon CloudWatch Network Monitor](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/what-is-network-monitor.html) in the *Amazon CloudWatch User Guide*.

## Direct Connect gateway associations to a Cloud WAN core network
<a name="associate-cloudwan-with-direct-connect-gateway"></a>

Associating a Direct Connect gateway to an AWS Cloud WAN core network is performed using either the AWS Cloud WAN console or the Cloud WAN APIs or command line.

To associate an existing Direct Connect gateway with a Cloud WAN core network, create a new Direct Connect attachment in the Cloud WAN console. The association is established after the Direct Connect attachment has been created. When you create the attachment, you can accept the default, which includes all core network edge locations in the chosen core network segment, or specify individual edge locations. 

For more information about Direct Connect gateway attachments to a Cloud WAN core network, see [Direct Connect gateway attachments in AWS Cloud WAN](https://docs.aws.amazon.com/network-manager/latest/cloudwan/cloudwan-dxattach-about.html) in the *AWS Cloud WAN User Guide*.

# Verify a Direct Connect gateway association to an AWS Cloud WAN core network
<a name="edit-cloudwan-with-direct-connect-gateway"></a>

You can verify the association of a Direct Connect gateway to a Cloud WAN core network using the Direct Connect console or the Direct Connect API or command line.

**To verify a Direct Connect gateway association to a Cloud WAN core network using the console**

1. Open the **Direct Connect** console at [https://console.aws.amazon.com/directconnect/v2/home](https://console.aws.amazon.com/directconnect/v2/home).

1. Choose **Direct Connect gateways** in the navigation pane.

1. Choose the Direct Connect gateway whose association you want to view.

1. Choose the **Gateway associations** tab. 
   + The **ID** column displays the core network ID that the Direct Connect gateway is associated with.
   + The **State** column displays **associated**.
   + The **Association type** column displays **Cloud WAN Core Network**.

**To verify a Direct Connect gateway association to a Cloud WAN core network using the command line or API**
+ [describe-direct-connect-gateway-associations](https://docs.aws.amazon.com/cli/latest/reference/directconnect/describe-direct-connect-gateway-associations.html) (AWS CLI)
+ [DescribeDirectConnectGatewayAssociations](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_DescribeDirectConnectGatewayAssociations.html) (Direct Connect API)

# Allowed prefixes interactions for Direct Connect gateways
<a name="allowed-to-prefixes"></a>

Learn how allowed prefixes interact with transit gateways and virtual private gateways. For more information, see [Routing policies and BGP communities](routing-and-bgp.md).

## Virtual private gateway associations
<a name="allowed-to-prefixes-virtual-private-gateway"></a>

The prefix list (IPv4 and IPv6) acts as a filter that allows the same CIDRs, or a smaller range of CIDRs to be advertised to the Direct Connect gateway. You must set the prefixes to a range that is the same or wider than the VPC CIDR block.

**Note**  
The allowed list only functions as a filter, and only the associated VPC CIDR will be advertised to the customer gateway. 

Consider the scenario where a VPC with CIDR 10.0.0.0/16 is attached to a virtual private gateway.
+ When the allowed prefixes list is set to 22.0.0.0/24, you do not receive any route because 22.0.0.0/24 is not the same as, or wider than 10.0.0.0/16.
+ When the allowed prefixes list is set to 10.0.0.0/24, you do not receive any route because 10.0.0.0/24 is not the same as 10.0.0.0/16.
+ When the allowed prefixes list is set to 10.0.0.0/15, you do receive 10.0.0.0/16, because 10.0.0.0/15 is wider than 10.0.0.0/16.

When you remove or add an allowed prefix, traffic which doesn't use that prefix is not impacted. During updates the status changes from `associated` to `updating`. Modifying an existing prefix can delay or drop only that traffic which uses that prefix. 

## Transit gateway associations
<a name="allowed-to-prefixes-transit-gateway"></a>

For a transit gateway association, you provision the allowed prefixes list on the Direct Connect gateway. The list routes on-premises traffic to or from a Direct Connect gateway to the transit gateway, even when the VPCs attached to the transit gateway do not have assigned CIDRs. Allowed prefixes work differently, depending on the gateway type:
+ For transit gateway associations, only the allowed prefixes entered will be advertised to on-premises. These will show as originating from the Direct Connect gateway ASN. 
+ For virtual private gateways, the allowed prefixes entered act as a filter to allow the same or smaller CIDRs. 

Consider the scenario where you have a VPC with CIDR 10.0.0.0/16 attached to a transit gateway.
+ When the allowed prefixes list is set to 22.0.0.0/24, you receive 22.0.0.0/24 through BGP on your transit virtual interface. You do not receive 10.0.0.0/16 because we directly provision the prefixes that are in the allowed prefix list.
+ When the allowed prefixes list is set to 10.0.0.0/24, you receive 10.0.0.0/24 through BGP on your transit virtual interface. You do not receive 10.0.0.0/16 because we directly provision the prefixes that are in the allowed prefix list.
+ When the allowed prefixes list is set to 10.0.0.0/8, you receive 10.0.0.0/8 through BGP on your transit virtual interface. 

Allowed prefix overlaps are not allowed when multiple transit gateways are associated with a Direct Connect gateway. For example, if you have a transit gateway with an allowed prefix list that includes 10.1.0.0/16, and a second transit gateway with an allowed prefix list that includes 10.2.0.0/16 and 0.0.0.0/0, you can't set the associations from the second transit gateway to 0.0.0.0/0. Since 0.0.0.0/0 includes all IPv4 networks, you can't configure 0.0.0.0/0 if multiple transit gateways are associated with a Direct Connect gateway. An error is returned indicating that the allowed routes overlap one or more existing allowed routes on the Direct Connect gateway.

When you remove or add an allowed prefix, traffic which doesn't use that prefix is not impacted. During updates the status changes from `associated` to `updating`. Modifying an existing prefix can delay or drop only that traffic which uses that prefix. 
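The two behaviours, a filter for virtual private gateway associations and origination for transit gateway associations, plus the overlap rule for multiple transit gateways, are easy to model and worth checking before changing a production association. The following Python is an added example, not AWS code; it serves both the virtual private gateway and the transit gateway sections above and reproduces their 10.0.0.0/16 scenarios and the overlap error using the standard `ipaddress` module. The function names and the transit gateway IDs are ours.

```python
"""Model of Direct Connect gateway allowed-prefix behaviour.
Added example, not AWS code; the rules are the ones stated in the text."""
import ipaddress


def _nets(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def vgw_advertised_routes(vpc_cidrs, allowed_prefixes):
    """Virtual private gateway association: the allowed list is only a
    filter. A VPC CIDR reaches the customer gateway only if some allowed
    prefix is the same as, or wider than, that CIDR; an allowed prefix that
    is narrower or unrelated yields no route at all."""
    allowed = _nets(allowed_prefixes)
    return [str(vpc) for vpc in _nets(vpc_cidrs)
            if any(vpc.version == a.version and vpc.subnet_of(a)
                   for a in allowed)]


def tgw_advertised_routes(allowed_prefixes, dxgw_asn):
    """Transit gateway association: the allowed prefixes themselves are
    originated by the Direct Connect gateway, whatever the VPC CIDRs behind
    the transit gateway are. Returns (prefix, origin ASN) pairs as seen on
    the transit virtual interface."""
    return [(str(n), dxgw_asn) for n in _nets(allowed_prefixes)]


def check_tgw_overlap(existing_by_tgw, new_tgw_id, new_prefixes):
    """Refuse a transit gateway association whose allowed prefixes overlap
    those of another transit gateway on the same Direct Connect gateway.
    existing_by_tgw maps transit gateway ID -> list of allowed CIDRs."""
    wanted = _nets(new_prefixes)
    for tgw_id, prefixes in existing_by_tgw.items():
        if tgw_id == new_tgw_id:
            continue
        for have in _nets(prefixes):
            for want in wanted:
                if have.version == want.version and have.overlaps(want):
                    raise ValueError(
                        f"allowed route {want} overlaps existing allowed "
                        f"route {have} on {tgw_id}")
    return True


if __name__ == "__main__":
    vpc = ["10.0.0.0/16"]
    for allowed in (["22.0.0.0/24"], ["10.0.0.0/24"], ["10.0.0.0/15"]):
        print("VGW", allowed, "->", vgw_advertised_routes(vpc, allowed))
        print("TGW", allowed, "->", tgw_advertised_routes(allowed, 65030))
    existing = {"tgw-1": ["10.1.0.0/16"]}
    try:
        check_tgw_overlap(existing, "tgw-2", ["10.2.0.0/16", "0.0.0.0/0"])
    except ValueError as err:
        print("rejected:", err)
```

Note the asymmetry the model makes explicit: for a virtual private gateway a too-narrow allowed prefix silently advertises nothing, while for a transit gateway the same prefix is advertised exactly as entered, even if no VPC behind the transit gateway uses it.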

## Example: Allowed to prefixes in a transit gateway configuration
<a name="prefix-example"></a>

Consider the configuration where you have instances in two different AWS Regions which need to access the corporate data center. You can use the following resources for this configuration:
+ A transit gateway in each Region.
+ A transit gateway peering connection.
+ A Direct Connect gateway.
+ A transit gateway association between one of the transit gateways (the one in us-east-1) to the Direct Connect gateway.
+ A transit virtual interface from the on-premises location and the Direct Connect location.

![\[Private VIF Routing no AS_PATH\]](http://docs.aws.amazon.com/directconnect/latest/UserGuide/images/dxg-asn.png)


Configure the following options for the resources:
+ Direct Connect gateway: Set the ASN to 65030. For more information, see [Create a Direct Connect gateway](create-direct-connect-gateway.md).
+ Transit virtual interface: Set the VLAN to 899, and the customer router peer ASN to 65020. For more information, see [Create a transit virtual interface to the Direct Connect gateway](create-transit-vif-dx.md).
+ Direct Connect gateway association with the transit gateway: Set the allowed prefixes to 10.0.0.0/8. 

  This CIDR block encompasses both VPC CIDR blocks (10.0.0.0/16 and 10.2.0.0/16). For more information, see [Associate or disassociate a transit gateway with Direct Connect.](associate-tgw-with-direct-connect-gateway.md).
+ VPC route: To route traffic from the 10.2.0.0/16 VPC, create a route in the VPC route table with a Destination of 0.0.0.0/0 and the transit gateway ID as the Target. This enables traffic from the VPC to reach the Direct Connect gateway. For more information about routing to a transit gateway, see [Routing for a transit gateway](https://docs.aws.amazon.com/vpc/latest/userguide/route-table-options.html#route-tables-tgw) in the * Amazon VPC User Guide*.