Create an attachment policy in an AWS Cloud WAN core network policy version
The following steps guide you through creating an attachment policy in a core network policy version using the Policy versions link on the AWS Network Manager console. For more information about attachment policies, see Attachment policies.
An attachment policy requires the following:
- The core network configured. See Configure the core network settings in an AWS Cloud WAN policy version.
- One or more segments. See Segments.
- If you are optionally creating a service insertion action, you'll first need the following:
  - A network functions group. See Network function groups.
  - At least one VPC attachment. See VPC attachments in AWS Cloud WAN.
  Important
  An attachment is required when creating a policy that includes a service insertion action. If the policy has no associated attachment, deployment of the policy fails.
To create an attachment policy
- Access the Network Manager console at https://console.aws.amazon.com/networkmanager/home/.
- Under Connectivity choose Cloud WAN.
- On the Global networks page, choose the global network ID for the core network you want to create a policy version for, and then choose Core network.
- In the navigation pane, choose Policy versions.
- Choose Create policy version.
- Choose Attachment policies.
- Choose Create.
- For the Rule number, enter the rule number to apply to this attachment policy. Rule numbers determine the order in which rules are evaluated: lower numbers run first, and an attachment stops at the first rule it matches.
- Enter an optional Description to identify the attachment policy.
- In the Action section, choose how you want to associate the attachment to the segment. Choose one of the following:
  - Segment name — associates the attachment by the segment name. After choosing this option, choose the segment to attach to from the Attach to segment dropdown list.
  - Attachment tag value — associates the attachment by the tag's value in a key-value pair. Enter the tag value in the Attachment tag value field.
  - Network function group — creates an attachment policy rule for service insertion. Choose a network functions group for the service insertion policy. This option requires that you use the AND Condition logic and the
- Choose one of the following acceptance options:
  - Inherit segment's acceptance value if the attachment should inherit the require-attachment-acceptance setting that was chosen when the segment was created. This can't be changed.
  - Requires attachment acceptance if you require approval for attachments to be mapped to this segment.
  - If no acceptance option is chosen, attachments are automatically mapped to the segment.
  Note
  If require-attachment-acceptance is false for a segment, it's still possible for attachments to be added to or removed from a segment automatically when their tags change. If this behavior is not desired, set require-attachment-acceptance to true.
- (Optional) For Condition logic, further refine how the attachment is associated with the segment.
  Important
  Condition logic using AND is required for a network functions group attachment policy rule. The AND condition must use a Tag name or Tag value associated with the attachment.
  - Choose OR — if you want to associate the attachment with the segment when either the Segment name/Attachment tag value or the chosen conditions match.
  - Choose AND — if you want to associate the attachment with the segment only when both the Segment name/Attachment tag value and the chosen conditions match.
- In Conditions, set the condition logic by doing the following:
  - From the Type dropdown list, choose one of the following condition types:
    - Resource Id — Set an OR or AND condition that uses a Resource ID.
    - Attachment type — Set an OR or AND condition that matches a specific attachment type.
    - Account — Set an OR or AND condition that matches an account.
    - Tag name — Set an OR or AND condition that matches a specific tag name.
    - Tag value — Set an OR or AND condition that matches a specific tag value.
    Important
    Tag name and Tag value are the only supported and available Conditions for a Network function group attachment policy.
  - From the Operator dropdown list, choose one of the following operators. The operator determines how the Condition value is compared against the chosen Type.
    Note
    Operators are not supported for a network function group attachment policy when the Type is Tag name. The full tag name must be used.
    - Equals — Filters results that match the Condition value exactly.
    - Not equals — Filters results that do not match the Condition value. This option is not used for Attachment type.
    - Begins with — Filters results that start with the Condition value. This option is not used for Attachment type.
    - Contains — Filters results that contain the Condition value as a substring. This option is not used for Attachment type.
    - Any — Filters results that match any field. This option is not used for Attachment type.
  - In the Condition values field, enter the value that corresponds to the Type and Operator. This option is not used for Attachment type. If you're creating a network function group attachment policy, the full tag name or value is required. Partial C
  - Choose Add to include additional conditions or choose Remove to delete any conditions.
- Choose Create attachment policy.
- Choose Create policy.
Example condition logic for a network function group attachment policy
The following shows a partial JSON example using the OR condition logic for a network function group attachment policy.
- Two tag values are matched: production under the tag key segment, and development under the tag key stage.
- Rule numbers are manually assigned to each attachment policy for rule processing. Rules are then processed in numerical order according to the number assigned to them. In this example, the rule number is 600.
- Using the OR condition logic, the rule matches an attachment that carries either tag value, and the action adds the matching attachment to the network function group networkfunctiongroupone.
For more information on the parameters used in the JSON file, see Core network policy version parameters in AWS Cloud WAN.
{
  "rule-number": 600,
  "condition-logic": "or",
  "conditions": [
    { "type": "tag-value", "operator": "equals", "key": "segment", "value": "production" },
    { "type": "tag-value", "operator": "equals", "key": "stage", "value": "development" }
  ],
  "action": {
    "add-to-network-function-group": "networkfunctiongroupone"
  }
}
Example attachment policy
The following shows a JSON containing three attachment policies for a core network.
- There are three segments, DevelopmentSegment, TestingSegment, and ProductionSegment, which were first created on the Segments tab of the Create policy page. When these segments were created, DevelopmentSegment was set to automatically accept attachments, while TestingSegment and ProductionSegment were required to accept attachments. ProductionSegment was also limited to us-east-1 only, and only TestingSegment is allowed to advertise to this segment.
- Rule numbers are manually assigned to each attachment policy for rule processing. Rules are then processed in numerical order according to the number assigned to them. In this example, the following rule numbers are used: 100 for DevelopmentSegment, 200 for TestingSegment, and 300 for ProductionSegment. This means that rule 100 is run first, followed by rule 200 and then rule 300. Once an attachment matches a rule, no further rules are processed for that attachment. Rule 300 for ProductionSegment additionally indicates that the policy will only accept vpc attachments, and only if the request comes from us-east-2.
For more information on the parameters used in the JSON file, see Core network policy version parameters in AWS Cloud WAN.
{
  "version": "2021.12",
  "core-network-configuration": {
    "vpn-ecmp-support": true
  },
  "segments": [
    {
      "name": "DevelopmentSegment",
      "require-attachment-acceptance": false
    },
    {
      "name": "TestingSegment",
      "require-attachment-acceptance": true
    },
    {
      "name": "ProductionSegment",
      "edge-locations": [ "us-east-1" ],
      "require-attachment-acceptance": true,
      "isolate-attachments": true,
      "allow-filter": [ "TestingSegment" ]
    }
  ],
  "attachment-policies": [
    {
      "rule-number": 100,
      "condition-logic": "or",
      "conditions": [],
      "action": {
        "association-method": "constant",
        "segment": "DevelopmentSegment"
      }
    },
    {
      "rule-number": 200,
      "condition-logic": "or",
      "conditions": [],
      "action": {
        "association-method": "constant",
        "segment": "TestingSegment",
        "require-acceptance": true
      }
    },
    {
      "rule-number": 300,
      "condition-logic": "and",
      "conditions": [
        { "type": "region", "operator": "equals", "value": "us-east-2" },
        { "type": "attachment-type", "operator": "equals", "value": "vpc" }
      ],
      "action": {
        "association-method": "constant",
        "segment": "ProductionSegment",
        "require-acceptance": true
      }
    }
  ]
}
Using the Visual editor, the same policies display as follows:
Note that if an attachment policy uses the AND condition logic, each condition appears on a separate row of the editor. In this example, because rule number 300 uses region and attachment-type conditions, each of those conditions appears on a separate row.
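The rule processing described on this page (rules evaluated in ascending rule-number order, first match wins, AND/OR condition logic, and the operator and type restrictions from the console steps) as an added Python example. This is not code from the original page or from any AWS tool; it is an offline model of the documented behaviour that lets you check where an attachment would land before you deploy a policy version. It reuses rules 300 and 600 from the JSON above and adds a constructed rule 700; the attachments it evaluates are plain dictionaries constructed inline. Only the condition types whose JSON spelling appears on this page (tag-value, region, attachment-type) are modelled, the page does not state how a rule with an empty conditions list behaves, so the evaluator raises on one rather than guessing, and the duplicate-rule-number check and the "absent attribute never matches" rule are assumptions of this example.

```python
# Offline evaluator for Cloud WAN attachment policy rules (added example, not AWS code).

# Constructed policy fragment: rules 300 and 600 are copied from the JSON on this
# page; rule 700 is made up for this example.
POLICY = {
    "attachment-policies": [
        {
            "rule-number": 300,
            "condition-logic": "and",
            "conditions": [
                {"type": "region", "operator": "equals", "value": "us-east-2"},
                {"type": "attachment-type", "operator": "equals", "value": "vpc"},
            ],
            "action": {"association-method": "constant",
                       "segment": "ProductionSegment", "require-acceptance": True},
        },
        {
            "rule-number": 600,
            "condition-logic": "or",
            "conditions": [
                {"type": "tag-value", "operator": "equals", "key": "segment", "value": "production"},
                {"type": "tag-value", "operator": "equals", "key": "stage", "value": "development"},
            ],
            "action": {"add-to-network-function-group": "networkfunctiongroupone"},
        },
        {
            "rule-number": 700,
            "condition-logic": "or",
            "conditions": [
                {"type": "tag-value", "operator": "begins-with", "key": "env", "value": "dev"},
            ],
            "action": {"association-method": "constant", "segment": "DevelopmentSegment"},
        },
    ]
}

# Operator semantics as the page describes them. "any" is left out because the
# page does not say what it compares against.
OPERATORS = {
    "equals": lambda actual, want: actual == want,
    "not-equals": lambda actual, want: actual != want,
    "begins-with": lambda actual, want: actual.startswith(want),
    "contains": lambda actual, want: want in actual,
}


def attribute(attachment, cond):
    """Pull the attachment attribute a condition type refers to (None if absent)."""
    kind = cond["type"]
    if kind == "tag-value":
        return attachment.get("tags", {}).get(cond["key"])
    if kind in ("region", "attachment-type"):
        return attachment.get(kind)
    raise ValueError(f"condition type not modelled in this example: {kind}")


def condition_matches(attachment, cond):
    actual = attribute(attachment, cond)
    if actual is None:  # assumption of this example: an absent attribute never matches
        return False
    op = cond.get("operator", "equals")
    if op not in OPERATORS:
        raise ValueError(f"operator not modelled in this example: {op}")
    return OPERATORS[op](actual, cond["value"])


def evaluate(policy, attachment):
    """Return (rule-number, action) of the first matching rule, or None if nothing matches."""
    rules = sorted(policy["attachment-policies"], key=lambda r: r["rule-number"])
    for rule in rules:
        conds = rule["conditions"]
        if not conds:
            # The page does not state how a rule with no conditions behaves,
            # so refuse to guess rather than silently match or skip it.
            raise ValueError(f"rule {rule['rule-number']}: empty conditions list")
        hits = [condition_matches(attachment, c) for c in conds]
        matched = all(hits) if rule["condition-logic"] == "and" else any(hits)
        if matched:
            return rule["rule-number"], rule["action"]  # first match wins
    return None


def lint(policy):
    """Flag rule shapes the console procedure on this page disallows."""
    problems, seen = [], set()
    for rule in policy["attachment-policies"]:
        n = rule["rule-number"]
        if n in seen:  # assumption: duplicate numbers make the processing order ambiguous
            problems.append(f"rule {n}: duplicate rule number")
        seen.add(n)
        nfg_rule = "add-to-network-function-group" in rule["action"]
        for c in rule["conditions"]:
            if c["type"] == "attachment-type" and c.get("operator", "equals") != "equals":
                problems.append(f"rule {n}: attachment-type conditions only support equals")
            if nfg_rule and c["type"] != "tag-value":
                problems.append(f"rule {n}: network function group rules accept tag conditions only")
    return problems


if __name__ == "__main__":
    print("lint:", lint(POLICY) or "ok")
    for att in (
        {"attachment-type": "vpc", "region": "us-east-2", "tags": {"segment": "production"}},
        {"attachment-type": "vpn", "region": "us-east-2", "tags": {"segment": "production"}},
        {"attachment-type": "vpc", "region": "us-east-1", "tags": {"env": "dev-blue"}},
        {"attachment-type": "vpc", "region": "us-east-1", "tags": {}},
    ):
        print(att, "->", evaluate(POLICY, att))
```

Running it shows why rule order matters: a VPC attachment in us-east-2 that is also tagged segment=production stops at rule 300 and never reaches the network function group rule 600, which is the "no further rules are processed" behaviour described above. The same attachment as a VPN falls through rule 300 and is picked up by rule 600, and an attachment that matches nothing gets no action at all, so a catch-all rule, if you want one, belongs at the highest rule number rather than the lowest.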