Create a connection initiated from AWS with VPC Network Peering

This page describes the steps to successfully create and provision a partner Cross-Cloud Interconnect for Amazon Web Services (AWS) connection from AWS if you already have an activation key.

If you want to initiate a connection from the AWS Console, see Getting started with AWS Interconnect for creating the required resource. Provide the project and region information where you want the connection to land in Google Cloud. After AWS has created the resource, you must create the Google Cloud resource with the provided activation key.

Configuration requirements

Before you start the partner Cross-Cloud Interconnect for AWS provisioning process, ensure that the following conditions are met:

• You must already have an AWS account.
• You must also create a Virtual Private Cloud (VPC) network, if it doesn't already exist, to connect your transport resource to.

To achieve a successful connection, you must create the transport resource. Follow these instructions to create the transport.

Before you begin

Before you get started, review the following sections.

Create or select a project

To make it easier to configure partner Cross-Cloud Interconnect for AWS, start by identifying a valid project.

Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

Roles required to select or create a project

• Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
• Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

Go to project selector

Verify that billing is enabled for your Google Cloud project.

Install the Google Cloud CLI.

If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

To initialize the gcloud CLI, run the following command:

gcloud init

In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

Roles required to select or create a project

• Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
• Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

Go to project selector

Verify that billing is enabled for your Google Cloud project.

Install the Google Cloud CLI.

If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

To initialize the gcloud CLI, run the following command:

gcloud init

1. If you are using the Google Cloud CLI, set your project ID by using the gcloud config set command.

   gcloud config set project PROJECT_ID

   Replace PROJECT_ID with your unique project ID.

   The gcloud CLI instructions on this page assume that you have set your project ID.

2. To confirm that you set the project ID correctly, use the gcloud config list command.

   gcloud config list --format='text(core.project)'

Enable the Network Connectivity API

Before you can perform any tasks using partner Cross-Cloud Interconnect for AWS, you must enable the Network Connectivity API.

Alternatively, you can enable the API by using the Google Cloud console API Library, as described in Enabling APIs.

Initiate a connection from AWS with an AWS activation key

Create the transport resource

gcloud network-connectivity transports create TRANSPORT_NAME \
    --region=REGION \
    --activation-key=ACTIVATION_KEY \
    --network=NETWORK \
    --advertised-routes=ADVERTISED_ROUTES \
    --stack-type=STACK_TYPE

POST https://networkconnectivity.googleapis.com/v1/projects/PROJECT/locations/LOCATION/transport/TRANSPORT_NAME

curl \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
https://networkconnectivity.googleapis.com/v1/projects/PROJECT/locations/LOCATION/transports?transportId=TRANSPORT_NAME \
--data '
{
"network": "NETWORK",
"advertisedRoutes": ["ADVERTISED_ROUTE"],
"providedActivationKey": "ACTIVATION_KEY",
"stackType": "STACK_TYPE"
}'

Retrieve the peering network name

After you create the transport resource, retrieve the name of the peering network it is attached to. The name of the peering network is used to establish VPC Network Peering.

To view the peering network name, do the following:

gcloud network-connectivity transports describe "TRANSPORT_NAME"

GET https://networkconnectivity.googleapis.com/v1/projects/PROJECT/locations/LOCATION/transport/TRANSPORT_NAME

Establish VPC Network Peering

You can proactively establish VPC Network Peering at the Google Cloud end. To do this, use the peeringNetwork resource and ensure that you create a peering with the same stack type. The default stack type matches the transport resource using IPV4_ONLY.

To receive the AWS routes, you must enable the Import custom routes field.

The MTU in the peering VPC network is explicitly set to the maximum in order to avoid MTU issues in the connectivity. If you're using an MTU less than 8896, you might get a warning WARNING: Some requests generated warnings: - Network MTU 1460B does not match the peer's MTU 8896B. In that case, you must ensure that you're using matching MTU configurations between your Google Cloud VPC network and the AWS VPC network. If these are mismatched, you might need to override MTU values to the lowest common denominator. For example, if you're using 8896 in Google Cloud and 8800 in AWS, everything in Google Cloud must be configured as 8800.

gcloud compute networks peerings create "TRANSPORT_NAME" \
    --network="VPC_NETWORK" \
    --peer-network="PEERING_NETWORK" \
    --stack-type=STACK_TYPE \
    --import-custom-routes \
    --export-custom-routes

POST https://compute.googleapis.com/compute/v1/projects/PROJECT/global/networks/NETWORK/addPeering

Verify your connection

You can verify that connectivity has been established by listing the peered VPC networks and the route tables. After the AWS configuration is complete, you can see your AWS routes in the list.

gcloud compute networks peerings list

NAME           NETWORK  PEER_PROJECT           PEER_NETWORK                   STACK_TYPE  PEER_MTU  IMPORT_CUSTOM_ROUTES  EXPORT_CUSTOM_ROUTES  UPDATE_STRATEGY  STATE   STATE_DETAILS
cci-virginia  cci      ke526b767340356b7p-tp  transport-b52816f13d929baf-vpc  IPV4_ONLY   8896      True                  True                  INDEPENDENT      ACTIVE  [2026-01-22T07:20:58.891-08:00]: Connected.

gcloud compute networks peerings list-routes TRANSPORT_NAME \
    --direction=INCOMING \
    --network=NETWORK \
    --region=REGION

DEST_RANGE   TYPE                   NEXT_HOP_REGION  PRIORITY  STATUS
10.0.0.0/16  DYNAMIC_PEERING_ROUTE  us-east4         0         accepted

GET https://compute.googleapis.com/compute/v1/projects/PROJECT/global/networks

GET https://compute.googleapis.com/compute/v1/projects/PROJECT/global/networks/NETWORK/listPeeringRoutes

What's next

• To find answers to common questions about Cloud Interconnect architecture and features, see the Cloud Interconnect FAQ.
• To find out more about Cloud Interconnect, see the Cloud Interconnect overview.
• To learn about best practices when planning for and configuring Cloud Interconnect, see Best practices.
• To find Google Cloud resource names, see the Cloud Interconnect APIs.