The aws:networkmanager/coreNetwork:CoreNetwork resource, part of the Pulumi AWS provider, defines a Network Manager core network: the routing fabric within a global network that VPCs and other resources attach to. This guide focuses on three capabilities: core network creation, base policy generation for VPC attachments, and single and multi-region attachment workflows.
Core networks belong to global networks. Before VPCs can attach, the core network needs a LIVE policy. The examples are intentionally small. Combine them with your own global networks, VPCs, and policy documents.
Create a core network within a global network
Most Cloud WAN deployments start by creating a core network within an existing global network, establishing the routing fabric that VPC attachments connect to.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Core network inside an existing global network. No policy is configured
// here, so VPC attachments cannot be created against it yet.
// exampleAwsNetworkmanagerGlobalNetwork stands for a global network declared elsewhere.
const example = new aws.networkmanager.CoreNetwork("example", {
    globalNetworkId: exampleAwsNetworkmanagerGlobalNetwork.id,
});
import pulumi
import pulumi_aws as aws
# Core network inside an existing global network. No policy is configured here,
# so VPC attachments cannot be created against it yet.
# example_aws_networkmanager_global_network stands for a global network declared elsewhere.
example = aws.networkmanager.CoreNetwork(
    "example",
    global_network_id=example_aws_networkmanager_global_network["id"],
)
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/networkmanager"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main registers a single core network inside an existing global network.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// exampleAwsNetworkmanagerGlobalNetwork stands for a global network
		// declared elsewhere; only its ID is consumed here.
		args := &networkmanager.CoreNetworkArgs{
			GlobalNetworkId: pulumi.Any(exampleAwsNetworkmanagerGlobalNetwork.Id),
		}
		// The resource handle is not used afterwards, so only the error is
		// handed back to the Pulumi runtime.
		_, err := networkmanager.NewCoreNetwork(ctx, "example", args)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
    // Core network inside an existing global network. No policy is configured
    // here, so VPC attachments cannot be created against it yet.
    // exampleAwsNetworkmanagerGlobalNetwork stands for a global network declared elsewhere.
    var coreNetworkArgs = new Aws.NetworkManager.CoreNetworkArgs
    {
        GlobalNetworkId = exampleAwsNetworkmanagerGlobalNetwork.Id,
    };
    var example = new Aws.NetworkManager.CoreNetwork("example", coreNetworkArgs);
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.networkmanager.CoreNetwork;
import com.pulumi.aws.networkmanager.CoreNetworkArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/** Pulumi program that declares one core network inside an existing global network. */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the core network.
     *
     * @param ctx Pulumi context supplied by the runtime (not read by this example)
     */
    public static void stack(Context ctx) {
        // exampleAwsNetworkmanagerGlobalNetwork stands for a global network
        // declared elsewhere; only its id is consumed here.
        final var coreNetworkArgs = CoreNetworkArgs.builder()
            .globalNetworkId(exampleAwsNetworkmanagerGlobalNetwork.id())
            .build();
        var example = new CoreNetwork("example", coreNetworkArgs);
    }
}
# Core network inside an existing global network. No policy is configured here.
resources:
  example:
    type: aws:networkmanager:CoreNetwork
    properties:
      # Reference to a global network declared elsewhere in the program.
      globalNetworkId: ${exampleAwsNetworkmanagerGlobalNetwork.id}
The globalNetworkId property links the core network to its parent global network. Without additional configuration, the core network exists but cannot accept VPC attachments until a policy is applied.
Attach VPCs with a custom base policy document
When your policy document includes static routes pointing to VPC attachments, you need a LIVE policy before VPCs can attach. A base policy document lets you customize edge locations and ASN assignments.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Edge location, ASN range and segment are identical in the base policy and in
// the full policy, so they are declared once and reused.
const sharedCoreNetworkConfigurations = [{
    asnRanges: ["65022-65534"],
    edgeLocations: [{
        location: "us-west-2",
        asn: "65500",
    }],
}];
const sharedSegments = [{
    name: "segment",
}];

const exampleGlobalNetwork = new aws.networkmanager.GlobalNetwork("example", {});

// Step 1: base policy without routes. It references no attachment, so it can
// be generated before any VPC is attached.
const base = aws.networkmanager.getCoreNetworkPolicyDocument({
    coreNetworkConfigurations: sharedCoreNetworkConfigurations,
    segments: sharedSegments,
});
const exampleCoreNetwork = new aws.networkmanager.CoreNetwork("example", {
    globalNetworkId: exampleGlobalNetwork.id,
    basePolicyDocument: base.then(doc => doc.json),
    createBasePolicy: true,
});

// Step 2: attach the VPC. exampleAwsSubnet and exampleAwsVpc stand for
// resources declared elsewhere.
const exampleVpcAttachment = new aws.networkmanager.VpcAttachment("example", {
    coreNetworkId: exampleCoreNetwork.id,
    subnetArns: exampleAwsSubnet.map(subnet => subnet.arn),
    vpcArn: exampleAwsVpc.arn,
});

// Step 3: full policy, which adds a static route targeting the attachment.
const example = aws.networkmanager.getCoreNetworkPolicyDocumentOutput({
    coreNetworkConfigurations: sharedCoreNetworkConfigurations,
    segments: sharedSegments,
    segmentActions: [{
        action: "create-route",
        segment: "segment",
        // 0.0.0.0/0 is a default route: traffic in the segment without a more
        // specific route is sent to this one attachment. Review that this is
        // the intended egress/inspection path before reusing the value.
        destinationCidrBlocks: ["0.0.0.0/0"],
        destinations: [exampleVpcAttachment.id],
    }],
});
const exampleCoreNetworkPolicyAttachment = new aws.networkmanager.CoreNetworkPolicyAttachment("example", {
    coreNetworkId: exampleCoreNetwork.id,
    policyDocument: example.apply(doc => doc.json),
});
import pulumi
import pulumi_aws as aws
# Edge location, ASN range and segment are identical in the base policy and in
# the full policy, so they are declared once and reused.
shared_core_network_configurations = [{
    "asn_ranges": ["65022-65534"],
    "edge_locations": [{
        "location": "us-west-2",
        "asn": "65500",
    }],
}]
shared_segments = [{
    "name": "segment",
}]

example_global_network = aws.networkmanager.GlobalNetwork("example")

# Step 1: base policy without routes. It references no attachment, so it can be
# generated before any VPC is attached.
base = aws.networkmanager.get_core_network_policy_document(
    core_network_configurations=shared_core_network_configurations,
    segments=shared_segments,
)
example_core_network = aws.networkmanager.CoreNetwork(
    "example",
    global_network_id=example_global_network.id,
    base_policy_document=base.json,
    create_base_policy=True,
)

# Step 2: attach the VPC. example_aws_subnet and example_aws_vpc stand for
# resources declared elsewhere.
example_vpc_attachment = aws.networkmanager.VpcAttachment(
    "example",
    core_network_id=example_core_network.id,
    subnet_arns=[subnet["arn"] for subnet in example_aws_subnet],
    vpc_arn=example_aws_vpc["arn"],
)

# Step 3: full policy, which adds a static route targeting the attachment.
example = aws.networkmanager.get_core_network_policy_document_output(
    core_network_configurations=shared_core_network_configurations,
    segments=shared_segments,
    segment_actions=[{
        "action": "create-route",
        "segment": "segment",
        # 0.0.0.0/0 is a default route: traffic in the segment without a more
        # specific route is sent to this one attachment. Review that this is
        # the intended egress/inspection path before reusing the value.
        "destination_cidr_blocks": ["0.0.0.0/0"],
        "destinations": [example_vpc_attachment.id],
    }],
)
example_core_network_policy_attachment = aws.networkmanager.CoreNetworkPolicyAttachment(
    "example",
    core_network_id=example_core_network.id,
    policy_document=example.json,
)
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/networkmanager"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
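// main provisions a global network, a core network with a LIVE base policy,
// one VPC attachment, and finally the full policy whose static route targets
// that attachment.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		exampleGlobalNetwork, err := networkmanager.NewGlobalNetwork(ctx, "example", nil)
		if err != nil {
			return err
		}
		// Step 1: base policy with edge location, ASN range and segment only.
		// It references no attachment, so it can be built before any VPC is
		// attached.
		base, err := networkmanager.GetCoreNetworkPolicyDocument(ctx, &networkmanager.GetCoreNetworkPolicyDocumentArgs{
			CoreNetworkConfigurations: []networkmanager.GetCoreNetworkPolicyDocumentCoreNetworkConfiguration{
				{
					AsnRanges: []string{
						"65022-65534",
					},
					EdgeLocations: []networkmanager.GetCoreNetworkPolicyDocumentCoreNetworkConfigurationEdgeLocation{
						{
							Location: "us-west-2",
							Asn:      pulumi.StringRef("65500"),
						},
					},
				},
			},
			Segments: []networkmanager.GetCoreNetworkPolicyDocumentSegment{
				{
					Name: "segment",
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		exampleCoreNetwork, err := networkmanager.NewCoreNetwork(ctx, "example", &networkmanager.CoreNetworkArgs{
			GlobalNetworkId:    exampleGlobalNetwork.ID(),
			BasePolicyDocument: pulumi.String(base.Json),
			CreateBasePolicy:   pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		// Step 2: attach the VPC. exampleAwsSubnet and exampleAwsVpc stand for
		// resources declared elsewhere.
		// NOTE(review): toPulumiArray returns a pulumi.Array and pulumi.Any
		// returns an untyped output; the attachment arguments are string-typed,
		// so adapt both conversions to how the placeholders are declared.
		var splat0 []interface{}
		for _, val0 := range exampleAwsSubnet {
			splat0 = append(splat0, val0.Arn)
		}
		exampleVpcAttachment, err := networkmanager.NewVpcAttachment(ctx, "example", &networkmanager.VpcAttachmentArgs{
			CoreNetworkId: exampleCoreNetwork.ID(),
			SubnetArns:    toPulumiArray(splat0),
			VpcArn:        pulumi.Any(exampleAwsVpc.Arn),
		})
		if err != nil {
			return err
		}
		// Step 3: full policy, which adds a static route targeting the attachment.
		example := networkmanager.GetCoreNetworkPolicyDocumentOutput(ctx, networkmanager.GetCoreNetworkPolicyDocumentOutputArgs{
			CoreNetworkConfigurations: networkmanager.GetCoreNetworkPolicyDocumentCoreNetworkConfigurationArray{
				&networkmanager.GetCoreNetworkPolicyDocumentCoreNetworkConfigurationArgs{
					AsnRanges: pulumi.StringArray{
						pulumi.String("65022-65534"),
					},
					EdgeLocations: networkmanager.GetCoreNetworkPolicyDocumentCoreNetworkConfigurationEdgeLocationArray{
						&networkmanager.GetCoreNetworkPolicyDocumentCoreNetworkConfigurationEdgeLocationArgs{
							Location: pulumi.String("us-west-2"),
							Asn:      pulumi.String("65500"),
						},
					},
				},
			},
			Segments: networkmanager.GetCoreNetworkPolicyDocumentSegmentArray{
				&networkmanager.GetCoreNetworkPolicyDocumentSegmentArgs{
					Name: pulumi.String("segment"),
				},
			},
			SegmentActions: networkmanager.GetCoreNetworkPolicyDocumentSegmentActionArray{
				&networkmanager.GetCoreNetworkPolicyDocumentSegmentActionArgs{
					Action:  pulumi.String("create-route"),
					Segment: pulumi.String("segment"),
					// 0.0.0.0/0 is a default route: traffic in the segment
					// without a more specific route is sent to this one
					// attachment. Review that this is the intended
					// egress/inspection path before reusing the value.
					DestinationCidrBlocks: pulumi.StringArray{
						pulumi.String("0.0.0.0/0"),
					},
					Destinations: pulumi.StringArray{
						exampleVpcAttachment.ID(),
					},
				},
			},
		}, nil)
		_, err = networkmanager.NewCoreNetworkPolicyAttachment(ctx, "example", &networkmanager.CoreNetworkPolicyAttachmentArgs{
			CoreNetworkId: exampleCoreNetwork.ID(),
			// A string-returning ApplyT callback yields a pulumi.StringOutput,
			// which can be passed as the policy document. An output cannot be
			// converted with pulumi.String(...), which only converts plain strings.
			PolicyDocument: example.ApplyT(func(doc networkmanager.GetCoreNetworkPolicyDocumentResult) (string, error) {
				return doc.Json, nil
			}).(pulumi.StringOutput),
		})
		return err
	})
}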
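// toPulumiArray converts a slice of arbitrary values into a pulumi.Array by
// wrapping every element with pulumi.Any. It returns nil for an empty input.
func toPulumiArray(arr []interface{}) pulumi.Array {
	var pulumiArr pulumi.Array
	for _, v := range arr {
		// pulumi.Any lifts an arbitrary value into an output that satisfies
		// pulumi.Input, the element type of pulumi.Array.
		pulumiArr = append(pulumiArr, pulumi.Any(v))
	}
	return pulumiArr
}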
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
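return await Deployment.RunAsync(() =>
{
    var exampleGlobalNetwork = new Aws.NetworkManager.GlobalNetwork("example");

    // Step 1: base policy with edge location, ASN range and segment only. It
    // references no attachment, so it can be generated before any VPC is attached.
    var @base = Aws.NetworkManager.GetCoreNetworkPolicyDocument.Invoke(new()
    {
        CoreNetworkConfigurations = new[]
        {
            new Aws.NetworkManager.Inputs.GetCoreNetworkPolicyDocumentCoreNetworkConfigurationInputArgs
            {
                AsnRanges = new[]
                {
                    "65022-65534",
                },
                EdgeLocations = new[]
                {
                    new Aws.NetworkManager.Inputs.GetCoreNetworkPolicyDocumentCoreNetworkConfigurationEdgeLocationInputArgs
                    {
                        Location = "us-west-2",
                        Asn = "65500",
                    },
                },
            },
        },
        Segments = new[]
        {
            new Aws.NetworkManager.Inputs.GetCoreNetworkPolicyDocumentSegmentInputArgs
            {
                Name = "segment",
            },
        },
    });

    var exampleCoreNetwork = new Aws.NetworkManager.CoreNetwork("example", new()
    {
        GlobalNetworkId = exampleGlobalNetwork.Id,
        // One Apply unwraps the invoke result; the value inside the callback
        // is the plain result object and has no Apply of its own.
        BasePolicyDocument = @base.Apply(getCoreNetworkPolicyDocumentResult => getCoreNetworkPolicyDocumentResult.Json),
        CreateBasePolicy = true,
    });

    // Step 2: attach the VPC. exampleAwsSubnet and exampleAwsVpc stand for
    // resources declared elsewhere.
    var exampleVpcAttachment = new Aws.NetworkManager.VpcAttachment("example", new()
    {
        CoreNetworkId = exampleCoreNetwork.Id,
        SubnetArns = exampleAwsSubnet.Select(__item => __item.Arn).ToList(),
        VpcArn = exampleAwsVpc.Arn,
    });

    // Step 3: full policy, which adds a static route targeting the attachment.
    var example = Aws.NetworkManager.GetCoreNetworkPolicyDocument.Invoke(new()
    {
        CoreNetworkConfigurations = new[]
        {
            new Aws.NetworkManager.Inputs.GetCoreNetworkPolicyDocumentCoreNetworkConfigurationInputArgs
            {
                AsnRanges = new[]
                {
                    "65022-65534",
                },
                EdgeLocations = new[]
                {
                    new Aws.NetworkManager.Inputs.GetCoreNetworkPolicyDocumentCoreNetworkConfigurationEdgeLocationInputArgs
                    {
                        Location = "us-west-2",
                        Asn = "65500",
                    },
                },
            },
        },
        Segments = new[]
        {
            new Aws.NetworkManager.Inputs.GetCoreNetworkPolicyDocumentSegmentInputArgs
            {
                Name = "segment",
            },
        },
        SegmentActions = new[]
        {
            new Aws.NetworkManager.Inputs.GetCoreNetworkPolicyDocumentSegmentActionInputArgs
            {
                Action = "create-route",
                Segment = "segment",
                // 0.0.0.0/0 is a default route: traffic in the segment without
                // a more specific route is sent to this one attachment. Review
                // that this is the intended egress/inspection path before
                // reusing the value.
                DestinationCidrBlocks = new[]
                {
                    "0.0.0.0/0",
                },
                Destinations = new[]
                {
                    exampleVpcAttachment.Id,
                },
            },
        },
    });

    var exampleCoreNetworkPolicyAttachment = new Aws.NetworkManager.CoreNetworkPolicyAttachment("example", new()
    {
        CoreNetworkId = exampleCoreNetwork.Id,
        PolicyDocument = example.Apply(getCoreNetworkPolicyDocumentResult => getCoreNetworkPolicyDocumentResult.Json),
    });
});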
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.networkmanager.GlobalNetwork;
import com.pulumi.aws.networkmanager.NetworkmanagerFunctions;
import com.pulumi.aws.networkmanager.inputs.GetCoreNetworkPolicyDocumentArgs;
import com.pulumi.aws.networkmanager.CoreNetwork;
import com.pulumi.aws.networkmanager.CoreNetworkArgs;
import com.pulumi.aws.networkmanager.VpcAttachment;
import com.pulumi.aws.networkmanager.VpcAttachmentArgs;
import com.pulumi.aws.networkmanager.CoreNetworkPolicyAttachment;
import com.pulumi.aws.networkmanager.CoreNetworkPolicyAttachmentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
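/**
 * Pulumi program that creates a core network with a custom LIVE base policy,
 * attaches one VPC, and then applies the full policy with a static route.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the global network, core network, VPC attachment and policy attachment.
     *
     * @param ctx Pulumi context supplied by the runtime (not read by this example)
     */
    public static void stack(Context ctx) {
        var exampleGlobalNetwork = new GlobalNetwork("exampleGlobalNetwork");

        // NOTE(review): the GetCoreNetworkPolicyDocument...Args builders for the
        // nested configuration, edge location, segment and segment action are not
        // among this listing's imports; they presumably live in
        // com.pulumi.aws.networkmanager.inputs - confirm and import them.

        // Step 1: base policy with edge location, ASN range and segment only. It
        // references no attachment, so it can be generated before any VPC is attached.
        final var base = NetworkmanagerFunctions.getCoreNetworkPolicyDocument(GetCoreNetworkPolicyDocumentArgs.builder()
            .coreNetworkConfigurations(GetCoreNetworkPolicyDocumentCoreNetworkConfigurationArgs.builder()
                .asnRanges("65022-65534")
                .edgeLocations(GetCoreNetworkPolicyDocumentCoreNetworkConfigurationEdgeLocationArgs.builder()
                    .location("us-west-2")
                    .asn("65500")
                    .build())
                .build())
            .segments(GetCoreNetworkPolicyDocumentSegmentArgs.builder()
                .name("segment")
                .build())
            .build());

        var exampleCoreNetwork = new CoreNetwork("exampleCoreNetwork", CoreNetworkArgs.builder()
            .globalNetworkId(exampleGlobalNetwork.id())
            // The invoke result is an output, so its JSON is read through
            // applyValue, the same way the full policy is read further down.
            .basePolicyDocument(base.applyValue(_base -> _base.json()))
            .createBasePolicy(true)
            .build());

        // Step 2: attach the VPC. exampleAwsSubnet and exampleAwsVpc stand for
        // resources declared elsewhere.
        var exampleVpcAttachment = new VpcAttachment("exampleVpcAttachment", VpcAttachmentArgs.builder()
            .coreNetworkId(exampleCoreNetwork.id())
            // Collectors is fully qualified because the listing has no static
            // import that would make a bare toList() resolve.
            .subnetArns(exampleAwsSubnet.stream().map(element -> element.arn()).collect(java.util.stream.Collectors.toList()))
            .vpcArn(exampleAwsVpc.arn())
            .build());

        // Step 3: full policy, which adds a static route targeting the attachment.
        final var example = NetworkmanagerFunctions.getCoreNetworkPolicyDocument(GetCoreNetworkPolicyDocumentArgs.builder()
            .coreNetworkConfigurations(GetCoreNetworkPolicyDocumentCoreNetworkConfigurationArgs.builder()
                .asnRanges("65022-65534")
                .edgeLocations(GetCoreNetworkPolicyDocumentCoreNetworkConfigurationEdgeLocationArgs.builder()
                    .location("us-west-2")
                    .asn("65500")
                    .build())
                .build())
            .segments(GetCoreNetworkPolicyDocumentSegmentArgs.builder()
                .name("segment")
                .build())
            .segmentActions(GetCoreNetworkPolicyDocumentSegmentActionArgs.builder()
                .action("create-route")
                .segment("segment")
                // 0.0.0.0/0 is a default route: traffic in the segment without a
                // more specific route is sent to this one attachment. Review that
                // this is the intended egress/inspection path before reusing it.
                .destinationCidrBlocks("0.0.0.0/0")
                .destinations(exampleVpcAttachment.id())
                .build())
            .build());

        var exampleCoreNetworkPolicyAttachment = new CoreNetworkPolicyAttachment("exampleCoreNetworkPolicyAttachment", CoreNetworkPolicyAttachmentArgs.builder()
            .coreNetworkId(exampleCoreNetwork.id())
            .policyDocument(example.applyValue(_example -> _example.json()))
            .build());
    }
}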
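The basePolicyDocument property accepts a policy generated by getCoreNetworkPolicyDocument, which defines edge locations with specific ASNs (here, us-west-2 with ASN 65500). Setting createBasePolicy to true makes this policy LIVE, allowing the VpcAttachment to succeed. After VPCs attach, CoreNetworkPolicyAttachment applies your full policy with static routes pointing to the attachment IDs. The static route in this example is a default route (0.0.0.0/0), so once the full policy is applied, traffic in the segment that has no more specific route is forwarded to that one VPC attachment; point it only at a VPC that is meant to receive that traffic.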
Attach VPCs using provider region defaults
For simpler deployments where you don’t need custom ASN assignments, setting createBasePolicy to true generates a base policy using the provider’s configured region.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const exampleGlobalNetwork = new aws.networkmanager.GlobalNetwork("example", {});

// No basePolicyDocument is given: createBasePolicy alone asks for a generated
// base policy, so the VPC attachment below has a policy to attach under.
const exampleCoreNetwork = new aws.networkmanager.CoreNetwork("example", {
    globalNetworkId: exampleGlobalNetwork.id,
    createBasePolicy: true,
});

// exampleAwsSubnet and exampleAwsVpc stand for resources declared elsewhere.
const exampleVpcAttachment = new aws.networkmanager.VpcAttachment("example", {
    coreNetworkId: exampleCoreNetwork.id,
    subnetArns: exampleAwsSubnet.map(subnet => subnet.arn),
    vpcArn: exampleAwsVpc.arn,
});

// 0.0.0.0/0 is a default route: traffic in the segment without a more specific
// route is sent to this one attachment. Review that this is the intended
// egress/inspection path before reusing the value.
const defaultRouteToAttachment = {
    action: "create-route",
    segment: "segment",
    destinationCidrBlocks: ["0.0.0.0/0"],
    destinations: [exampleVpcAttachment.id],
};

// Full policy, applied after the attachment exists because its route targets it.
const example = aws.networkmanager.getCoreNetworkPolicyDocumentOutput({
    coreNetworkConfigurations: [{
        asnRanges: ["65022-65534"],
        edgeLocations: [{
            location: "us-west-2",
        }],
    }],
    segments: [{
        name: "segment",
    }],
    segmentActions: [defaultRouteToAttachment],
});
const exampleCoreNetworkPolicyAttachment = new aws.networkmanager.CoreNetworkPolicyAttachment("example", {
    coreNetworkId: exampleCoreNetwork.id,
    policyDocument: example.apply(doc => doc.json),
});
import pulumi
import pulumi_aws as aws
example_global_network = aws.networkmanager.GlobalNetwork("example")

# No base_policy_document is given: create_base_policy alone asks for a
# generated base policy, so the VPC attachment below has a policy to attach under.
example_core_network = aws.networkmanager.CoreNetwork(
    "example",
    global_network_id=example_global_network.id,
    create_base_policy=True,
)

# example_aws_subnet and example_aws_vpc stand for resources declared elsewhere.
example_vpc_attachment = aws.networkmanager.VpcAttachment(
    "example",
    core_network_id=example_core_network.id,
    subnet_arns=[subnet["arn"] for subnet in example_aws_subnet],
    vpc_arn=example_aws_vpc["arn"],
)

# 0.0.0.0/0 is a default route: traffic in the segment without a more specific
# route is sent to this one attachment. Review that this is the intended
# egress/inspection path before reusing the value.
default_route_to_attachment = {
    "action": "create-route",
    "segment": "segment",
    "destination_cidr_blocks": ["0.0.0.0/0"],
    "destinations": [example_vpc_attachment.id],
}

# Full policy, applied after the attachment exists because its route targets it.
example = aws.networkmanager.get_core_network_policy_document_output(
    core_network_configurations=[{
        "asn_ranges": ["65022-65534"],
        "edge_locations": [{
            "location": "us-west-2",
        }],
    }],
    segments=[{
        "name": "segment",
    }],
    segment_actions=[default_route_to_attachment],
)
example_core_network_policy_attachment = aws.networkmanager.CoreNetworkPolicyAttachment(
    "example",
    core_network_id=example_core_network.id,
    policy_document=example.json,
)
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/networkmanager"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
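// main provisions a global network, a core network with a generated base
// policy, one VPC attachment, and finally the full policy whose static route
// targets that attachment.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		exampleGlobalNetwork, err := networkmanager.NewGlobalNetwork(ctx, "example", nil)
		if err != nil {
			return err
		}
		// No BasePolicyDocument is given: CreateBasePolicy alone asks for a
		// generated base policy, so the attachment below has a policy to
		// attach under.
		exampleCoreNetwork, err := networkmanager.NewCoreNetwork(ctx, "example", &networkmanager.CoreNetworkArgs{
			GlobalNetworkId:  exampleGlobalNetwork.ID(),
			CreateBasePolicy: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		// exampleAwsSubnet and exampleAwsVpc stand for resources declared elsewhere.
		// NOTE(review): toPulumiArray returns a pulumi.Array and pulumi.Any
		// returns an untyped output; the attachment arguments are string-typed,
		// so adapt both conversions to how the placeholders are declared.
		var splat0 []interface{}
		for _, val0 := range exampleAwsSubnet {
			splat0 = append(splat0, val0.Arn)
		}
		exampleVpcAttachment, err := networkmanager.NewVpcAttachment(ctx, "example", &networkmanager.VpcAttachmentArgs{
			CoreNetworkId: exampleCoreNetwork.ID(),
			SubnetArns:    toPulumiArray(splat0),
			VpcArn:        pulumi.Any(exampleAwsVpc.Arn),
		})
		if err != nil {
			return err
		}
		// Full policy, built after the attachment exists because its route targets it.
		example := networkmanager.GetCoreNetworkPolicyDocumentOutput(ctx, networkmanager.GetCoreNetworkPolicyDocumentOutputArgs{
			CoreNetworkConfigurations: networkmanager.GetCoreNetworkPolicyDocumentCoreNetworkConfigurationArray{
				&networkmanager.GetCoreNetworkPolicyDocumentCoreNetworkConfigurationArgs{
					AsnRanges: pulumi.StringArray{
						pulumi.String("65022-65534"),
					},
					EdgeLocations: networkmanager.GetCoreNetworkPolicyDocumentCoreNetworkConfigurationEdgeLocationArray{
						&networkmanager.GetCoreNetworkPolicyDocumentCoreNetworkConfigurationEdgeLocationArgs{
							Location: pulumi.String("us-west-2"),
						},
					},
				},
			},
			Segments: networkmanager.GetCoreNetworkPolicyDocumentSegmentArray{
				&networkmanager.GetCoreNetworkPolicyDocumentSegmentArgs{
					Name: pulumi.String("segment"),
				},
			},
			SegmentActions: networkmanager.GetCoreNetworkPolicyDocumentSegmentActionArray{
				&networkmanager.GetCoreNetworkPolicyDocumentSegmentActionArgs{
					Action:  pulumi.String("create-route"),
					Segment: pulumi.String("segment"),
					// 0.0.0.0/0 is a default route: traffic in the segment
					// without a more specific route is sent to this one
					// attachment. Review that this is the intended
					// egress/inspection path before reusing the value.
					DestinationCidrBlocks: pulumi.StringArray{
						pulumi.String("0.0.0.0/0"),
					},
					Destinations: pulumi.StringArray{
						exampleVpcAttachment.ID(),
					},
				},
			},
		}, nil)
		_, err = networkmanager.NewCoreNetworkPolicyAttachment(ctx, "example", &networkmanager.CoreNetworkPolicyAttachmentArgs{
			CoreNetworkId: exampleCoreNetwork.ID(),
			// A string-returning ApplyT callback yields a pulumi.StringOutput,
			// which can be passed as the policy document. An output cannot be
			// converted with pulumi.String(...), which only converts plain strings.
			PolicyDocument: example.ApplyT(func(doc networkmanager.GetCoreNetworkPolicyDocumentResult) (string, error) {
				return doc.Json, nil
			}).(pulumi.StringOutput),
		})
		return err
	})
}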
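// toPulumiArray converts a slice of arbitrary values into a pulumi.Array by
// wrapping every element with pulumi.Any. It returns nil for an empty input.
func toPulumiArray(arr []interface{}) pulumi.Array {
	var pulumiArr pulumi.Array
	for _, v := range arr {
		// pulumi.Any lifts an arbitrary value into an output that satisfies
		// pulumi.Input, the element type of pulumi.Array.
		pulumiArr = append(pulumiArr, pulumi.Any(v))
	}
	return pulumiArr
}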
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
    var exampleGlobalNetwork = new Aws.NetworkManager.GlobalNetwork("example");

    // No BasePolicyDocument is given: CreateBasePolicy alone asks for a
    // generated base policy, so the attachment below has a policy to attach under.
    var exampleCoreNetwork = new Aws.NetworkManager.CoreNetwork("example", new Aws.NetworkManager.CoreNetworkArgs
    {
        GlobalNetworkId = exampleGlobalNetwork.Id,
        CreateBasePolicy = true,
    });

    // exampleAwsSubnet and exampleAwsVpc stand for resources declared elsewhere.
    var exampleVpcAttachment = new Aws.NetworkManager.VpcAttachment("example", new Aws.NetworkManager.VpcAttachmentArgs
    {
        CoreNetworkId = exampleCoreNetwork.Id,
        SubnetArns = exampleAwsSubnet.Select(subnet => subnet.Arn).ToList(),
        VpcArn = exampleAwsVpc.Arn,
    });

    // Full policy, built after the attachment exists because its route targets it.
    var example = Aws.NetworkManager.GetCoreNetworkPolicyDocument.Invoke(new Aws.NetworkManager.GetCoreNetworkPolicyDocumentInvokeArgs
    {
        CoreNetworkConfigurations = new[]
        {
            new Aws.NetworkManager.Inputs.GetCoreNetworkPolicyDocumentCoreNetworkConfigurationInputArgs
            {
                AsnRanges = new[] { "65022-65534" },
                EdgeLocations = new[]
                {
                    new Aws.NetworkManager.Inputs.GetCoreNetworkPolicyDocumentCoreNetworkConfigurationEdgeLocationInputArgs
                    {
                        Location = "us-west-2",
                    },
                },
            },
        },
        Segments = new[]
        {
            new Aws.NetworkManager.Inputs.GetCoreNetworkPolicyDocumentSegmentInputArgs
            {
                Name = "segment",
            },
        },
        SegmentActions = new[]
        {
            new Aws.NetworkManager.Inputs.GetCoreNetworkPolicyDocumentSegmentActionInputArgs
            {
                Action = "create-route",
                Segment = "segment",
                // 0.0.0.0/0 is a default route: traffic in the segment without
                // a more specific route is sent to this one attachment. Review
                // that this is the intended egress/inspection path before
                // reusing the value.
                DestinationCidrBlocks = new[] { "0.0.0.0/0" },
                Destinations = new[] { exampleVpcAttachment.Id },
            },
        },
    });

    var exampleCoreNetworkPolicyAttachment = new Aws.NetworkManager.CoreNetworkPolicyAttachment("example", new Aws.NetworkManager.CoreNetworkPolicyAttachmentArgs
    {
        CoreNetworkId = exampleCoreNetwork.Id,
        PolicyDocument = example.Apply(doc => doc.Json),
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.networkmanager.GlobalNetwork;
import com.pulumi.aws.networkmanager.CoreNetwork;
import com.pulumi.aws.networkmanager.CoreNetworkArgs;
import com.pulumi.aws.networkmanager.VpcAttachment;
import com.pulumi.aws.networkmanager.VpcAttachmentArgs;
import com.pulumi.aws.networkmanager.NetworkmanagerFunctions;
import com.pulumi.aws.networkmanager.inputs.GetCoreNetworkPolicyDocumentArgs;
import com.pulumi.aws.networkmanager.CoreNetworkPolicyAttachment;
import com.pulumi.aws.networkmanager.CoreNetworkPolicyAttachmentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
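/**
 * Pulumi program that creates a core network with a generated base policy,
 * attaches one VPC, and then applies the full policy with a static route.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the global network, core network, VPC attachment and policy attachment.
     *
     * @param ctx Pulumi context supplied by the runtime (not read by this example)
     */
    public static void stack(Context ctx) {
        var exampleGlobalNetwork = new GlobalNetwork("exampleGlobalNetwork");

        // No basePolicyDocument is given: createBasePolicy alone asks for a
        // generated base policy, so the attachment below has a policy to attach under.
        var exampleCoreNetwork = new CoreNetwork("exampleCoreNetwork", CoreNetworkArgs.builder()
            .globalNetworkId(exampleGlobalNetwork.id())
            .createBasePolicy(true)
            .build());

        // exampleAwsSubnet and exampleAwsVpc stand for resources declared elsewhere.
        var exampleVpcAttachment = new VpcAttachment("exampleVpcAttachment", VpcAttachmentArgs.builder()
            .coreNetworkId(exampleCoreNetwork.id())
            // Collectors is fully qualified because the listing has no static
            // import that would make a bare toList() resolve.
            .subnetArns(exampleAwsSubnet.stream().map(element -> element.arn()).collect(java.util.stream.Collectors.toList()))
            .vpcArn(exampleAwsVpc.arn())
            .build());

        // NOTE(review): the GetCoreNetworkPolicyDocument...Args builders for the
        // nested configuration, edge location, segment and segment action are not
        // among this listing's imports; they presumably live in
        // com.pulumi.aws.networkmanager.inputs - confirm and import them.

        // Full policy, built after the attachment exists because its route targets it.
        final var example = NetworkmanagerFunctions.getCoreNetworkPolicyDocument(GetCoreNetworkPolicyDocumentArgs.builder()
            .coreNetworkConfigurations(GetCoreNetworkPolicyDocumentCoreNetworkConfigurationArgs.builder()
                .asnRanges("65022-65534")
                .edgeLocations(GetCoreNetworkPolicyDocumentCoreNetworkConfigurationEdgeLocationArgs.builder()
                    .location("us-west-2")
                    .build())
                .build())
            .segments(GetCoreNetworkPolicyDocumentSegmentArgs.builder()
                .name("segment")
                .build())
            .segmentActions(GetCoreNetworkPolicyDocumentSegmentActionArgs.builder()
                .action("create-route")
                .segment("segment")
                // 0.0.0.0/0 is a default route: traffic in the segment without a
                // more specific route is sent to this one attachment. Review that
                // this is the intended egress/inspection path before reusing it.
                .destinationCidrBlocks("0.0.0.0/0")
                .destinations(exampleVpcAttachment.id())
                .build())
            .build());

        var exampleCoreNetworkPolicyAttachment = new CoreNetworkPolicyAttachment("exampleCoreNetworkPolicyAttachment", CoreNetworkPolicyAttachmentArgs.builder()
            .coreNetworkId(exampleCoreNetwork.id())
            .policyDocument(example.applyValue(_example -> _example.json()))
            .build());
    }
}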
Without basePolicyDocument, the core network generates a base policy using the provider’s region. This approach works when you don’t need to control ASN assignments. The workflow remains the same: create the core network, attach VPCs, then apply your full policy via CoreNetworkPolicyAttachment.
Attach VPCs across multiple regions
Multi-region deployments need edge locations in each region where VPCs will attach. The basePolicyRegions property lists regions to include without requiring a full policy document.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// The same two regions feed the generated base policy and the edge locations
// of the full policy, so they are listed once.
const attachmentRegions = ["us-west-2", "us-east-1"];

const exampleGlobalNetwork = new aws.networkmanager.GlobalNetwork("example", {});

// basePolicyRegions names the regions for the generated base policy, so VPCs
// in both regions can attach before the full policy exists.
const exampleCoreNetwork = new aws.networkmanager.CoreNetwork("example", {
    globalNetworkId: exampleGlobalNetwork.id,
    basePolicyRegions: attachmentRegions,
    createBasePolicy: true,
});

// One attachment per region; the subnet and VPC identifiers stand for
// resources declared elsewhere.
const exampleUsWest2 = new aws.networkmanager.VpcAttachment("example_us_west_2", {
    coreNetworkId: exampleCoreNetwork.id,
    subnetArns: exampleUsWest2AwsSubnet.map(subnet => subnet.arn),
    vpcArn: exampleUsWest2AwsVpc.arn,
});
const exampleUsEast1 = new aws.networkmanager.VpcAttachment("example_us_east_1", {
    coreNetworkId: exampleCoreNetwork.id,
    subnetArns: exampleUsEast1AwsSubnet.map(subnet => subnet.arn),
    vpcArn: exampleUsEast1AwsVpc.arn,
});

// Full policy, built after both attachments exist because its routes target them.
const example = aws.networkmanager.getCoreNetworkPolicyDocumentOutput({
    coreNetworkConfigurations: [{
        asnRanges: ["65022-65534"],
        edgeLocations: attachmentRegions.map(region => ({
            location: region,
        })),
    }],
    // "segment2" is declared, but neither route below refers to it.
    segments: [
        {
            name: "segment",
        },
        {
            name: "segment2",
        },
    ],
    // Both routes live in "segment": one /16 per regional attachment.
    segmentActions: [
        {
            action: "create-route",
            segment: "segment",
            destinationCidrBlocks: ["10.0.0.0/16"],
            destinations: [exampleUsWest2.id],
        },
        {
            action: "create-route",
            segment: "segment",
            destinationCidrBlocks: ["10.1.0.0/16"],
            destinations: [exampleUsEast1.id],
        },
    ],
});
const exampleCoreNetworkPolicyAttachment = new aws.networkmanager.CoreNetworkPolicyAttachment("example", {
    coreNetworkId: exampleCoreNetwork.id,
    policyDocument: example.apply(doc => doc.json),
});
import pulumi
import pulumi_aws as aws
# The same two regions feed the generated base policy and the edge locations of
# the full policy, so they are listed once.
attachment_regions = ["us-west-2", "us-east-1"]

example_global_network = aws.networkmanager.GlobalNetwork("example")

# base_policy_regions names the regions for the generated base policy, so VPCs
# in both regions can attach before the full policy exists.
example_core_network = aws.networkmanager.CoreNetwork(
    "example",
    global_network_id=example_global_network.id,
    base_policy_regions=attachment_regions,
    create_base_policy=True,
)

# One attachment per region; the subnet and VPC identifiers stand for resources
# declared elsewhere.
example_us_west2 = aws.networkmanager.VpcAttachment(
    "example_us_west_2",
    core_network_id=example_core_network.id,
    subnet_arns=[subnet["arn"] for subnet in example_us_west2_aws_subnet],
    vpc_arn=example_us_west2_aws_vpc["arn"],
)
example_us_east1 = aws.networkmanager.VpcAttachment(
    "example_us_east_1",
    core_network_id=example_core_network.id,
    subnet_arns=[subnet["arn"] for subnet in example_us_east1_aws_subnet],
    vpc_arn=example_us_east1_aws_vpc["arn"],
)

# Full policy, built after both attachments exist because its routes target them.
example = aws.networkmanager.get_core_network_policy_document_output(
    core_network_configurations=[{
        "asn_ranges": ["65022-65534"],
        "edge_locations": [{"location": region} for region in attachment_regions],
    }],
    # "segment2" is declared, but neither route below refers to it.
    segments=[
        {
            "name": "segment",
        },
        {
            "name": "segment2",
        },
    ],
    # Both routes live in "segment": one /16 per regional attachment.
    segment_actions=[
        {
            "action": "create-route",
            "segment": "segment",
            "destination_cidr_blocks": ["10.0.0.0/16"],
            "destinations": [example_us_west2.id],
        },
        {
            "action": "create-route",
            "segment": "segment",
            "destination_cidr_blocks": ["10.1.0.0/16"],
            "destinations": [example_us_east1.id],
        },
    ],
)
example_core_network_policy_attachment = aws.networkmanager.CoreNetworkPolicyAttachment(
    "example",
    core_network_id=example_core_network.id,
    policy_document=example.json,
)
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/networkmanager"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
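// main provisions a global network, a core network whose generated base policy
// covers two regions, one VPC attachment per region, and finally the full
// policy whose static routes target those attachments.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		exampleGlobalNetwork, err := networkmanager.NewGlobalNetwork(ctx, "example", nil)
		if err != nil {
			return err
		}
		// BasePolicyRegions names the regions for the generated base policy, so
		// VPCs in both regions can attach before the full policy exists.
		exampleCoreNetwork, err := networkmanager.NewCoreNetwork(ctx, "example", &networkmanager.CoreNetworkArgs{
			GlobalNetworkId: exampleGlobalNetwork.ID(),
			BasePolicyRegions: pulumi.StringArray{
				pulumi.String("us-west-2"),
				pulumi.String("us-east-1"),
			},
			CreateBasePolicy: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		// One attachment per region; the subnet and VPC identifiers stand for
		// resources declared elsewhere.
		// NOTE(review): toPulumiArray returns a pulumi.Array and pulumi.Any
		// returns an untyped output; the attachment arguments are string-typed,
		// so adapt both conversions to how the placeholders are declared.
		var splat0 []interface{}
		for _, val0 := range exampleUsWest2AwsSubnet {
			splat0 = append(splat0, val0.Arn)
		}
		exampleUsWest2, err := networkmanager.NewVpcAttachment(ctx, "example_us_west_2", &networkmanager.VpcAttachmentArgs{
			CoreNetworkId: exampleCoreNetwork.ID(),
			SubnetArns:    toPulumiArray(splat0),
			VpcArn:        pulumi.Any(exampleUsWest2AwsVpc.Arn),
		})
		if err != nil {
			return err
		}
		var splat1 []interface{}
		for _, val0 := range exampleUsEast1AwsSubnet {
			splat1 = append(splat1, val0.Arn)
		}
		exampleUsEast1, err := networkmanager.NewVpcAttachment(ctx, "example_us_east_1", &networkmanager.VpcAttachmentArgs{
			CoreNetworkId: exampleCoreNetwork.ID(),
			SubnetArns:    toPulumiArray(splat1),
			VpcArn:        pulumi.Any(exampleUsEast1AwsVpc.Arn),
		})
		if err != nil {
			return err
		}
		// Full policy, built after both attachments exist because its routes
		// target them.
		example := networkmanager.GetCoreNetworkPolicyDocumentOutput(ctx, networkmanager.GetCoreNetworkPolicyDocumentOutputArgs{
			CoreNetworkConfigurations: networkmanager.GetCoreNetworkPolicyDocumentCoreNetworkConfigurationArray{
				&networkmanager.GetCoreNetworkPolicyDocumentCoreNetworkConfigurationArgs{
					AsnRanges: pulumi.StringArray{
						pulumi.String("65022-65534"),
					},
					EdgeLocations: networkmanager.GetCoreNetworkPolicyDocumentCoreNetworkConfigurationEdgeLocationArray{
						&networkmanager.GetCoreNetworkPolicyDocumentCoreNetworkConfigurationEdgeLocationArgs{
							Location: pulumi.String("us-west-2"),
						},
						&networkmanager.GetCoreNetworkPolicyDocumentCoreNetworkConfigurationEdgeLocationArgs{
							Location: pulumi.String("us-east-1"),
						},
					},
				},
			},
			// "segment2" is declared, but neither route below refers to it.
			Segments: networkmanager.GetCoreNetworkPolicyDocumentSegmentArray{
				&networkmanager.GetCoreNetworkPolicyDocumentSegmentArgs{
					Name: pulumi.String("segment"),
				},
				&networkmanager.GetCoreNetworkPolicyDocumentSegmentArgs{
					Name: pulumi.String("segment2"),
				},
			},
			// Both routes live in "segment": one /16 per regional attachment.
			SegmentActions: networkmanager.GetCoreNetworkPolicyDocumentSegmentActionArray{
				&networkmanager.GetCoreNetworkPolicyDocumentSegmentActionArgs{
					Action:  pulumi.String("create-route"),
					Segment: pulumi.String("segment"),
					DestinationCidrBlocks: pulumi.StringArray{
						pulumi.String("10.0.0.0/16"),
					},
					Destinations: pulumi.StringArray{
						exampleUsWest2.ID(),
					},
				},
				&networkmanager.GetCoreNetworkPolicyDocumentSegmentActionArgs{
					Action:  pulumi.String("create-route"),
					Segment: pulumi.String("segment"),
					DestinationCidrBlocks: pulumi.StringArray{
						pulumi.String("10.1.0.0/16"),
					},
					Destinations: pulumi.StringArray{
						exampleUsEast1.ID(),
					},
				},
			},
		}, nil)
		_, err = networkmanager.NewCoreNetworkPolicyAttachment(ctx, "example", &networkmanager.CoreNetworkPolicyAttachmentArgs{
			CoreNetworkId: exampleCoreNetwork.ID(),
			// A string-returning ApplyT callback yields a pulumi.StringOutput,
			// which can be passed as the policy document. An output cannot be
			// converted with pulumi.String(...), which only converts plain strings.
			PolicyDocument: example.ApplyT(func(doc networkmanager.GetCoreNetworkPolicyDocumentResult) (string, error) {
				return doc.Json, nil
			}).(pulumi.StringOutput),
		})
		return err
	})
}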
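// toPulumiArray converts a slice of arbitrary values into a pulumi.Array by
// wrapping every element with pulumi.Any. It returns nil for an empty input.
func toPulumiArray(arr []interface{}) pulumi.Array {
	var pulumiArr pulumi.Array
	for _, v := range arr {
		// pulumi.Any lifts an arbitrary value into an output that satisfies
		// pulumi.Input, the element type of pulumi.Array.
		pulumiArr = append(pulumiArr, pulumi.Any(v))
	}
	return pulumiArr
}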
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
    var exampleGlobalNetwork = new Aws.NetworkManager.GlobalNetwork("example");

    // BasePolicyRegions names the regions for the generated base policy, so
    // VPCs in both regions can attach before the full policy exists.
    var exampleCoreNetwork = new Aws.NetworkManager.CoreNetwork("example", new Aws.NetworkManager.CoreNetworkArgs
    {
        GlobalNetworkId = exampleGlobalNetwork.Id,
        BasePolicyRegions = new[] { "us-west-2", "us-east-1" },
        CreateBasePolicy = true,
    });

    // One attachment per region; the subnet and VPC identifiers stand for
    // resources declared elsewhere.
    var exampleUsWest2 = new Aws.NetworkManager.VpcAttachment("example_us_west_2", new Aws.NetworkManager.VpcAttachmentArgs
    {
        CoreNetworkId = exampleCoreNetwork.Id,
        SubnetArns = exampleUsWest2AwsSubnet.Select(subnet => subnet.Arn).ToList(),
        VpcArn = exampleUsWest2AwsVpc.Arn,
    });
    var exampleUsEast1 = new Aws.NetworkManager.VpcAttachment("example_us_east_1", new Aws.NetworkManager.VpcAttachmentArgs
    {
        CoreNetworkId = exampleCoreNetwork.Id,
        SubnetArns = exampleUsEast1AwsSubnet.Select(subnet => subnet.Arn).ToList(),
        VpcArn = exampleUsEast1AwsVpc.Arn,
    });

    // Full policy, built after both attachments exist because its routes target them.
    var example = Aws.NetworkManager.GetCoreNetworkPolicyDocument.Invoke(new Aws.NetworkManager.GetCoreNetworkPolicyDocumentInvokeArgs
    {
        CoreNetworkConfigurations = new[]
        {
            new Aws.NetworkManager.Inputs.GetCoreNetworkPolicyDocumentCoreNetworkConfigurationInputArgs
            {
                AsnRanges = new[] { "65022-65534" },
                EdgeLocations = new[]
                {
                    new Aws.NetworkManager.Inputs.GetCoreNetworkPolicyDocumentCoreNetworkConfigurationEdgeLocationInputArgs
                    {
                        Location = "us-west-2",
                    },
                    new Aws.NetworkManager.Inputs.GetCoreNetworkPolicyDocumentCoreNetworkConfigurationEdgeLocationInputArgs
                    {
                        Location = "us-east-1",
                    },
                },
            },
        },
        // "segment2" is declared, but neither route below refers to it.
        Segments = new[]
        {
            new Aws.NetworkManager.Inputs.GetCoreNetworkPolicyDocumentSegmentInputArgs
            {
                Name = "segment",
            },
            new Aws.NetworkManager.Inputs.GetCoreNetworkPolicyDocumentSegmentInputArgs
            {
                Name = "segment2",
            },
        },
        // Both routes live in "segment": one /16 per regional attachment.
        SegmentActions = new[]
        {
            new Aws.NetworkManager.Inputs.GetCoreNetworkPolicyDocumentSegmentActionInputArgs
            {
                Action = "create-route",
                Segment = "segment",
                DestinationCidrBlocks = new[] { "10.0.0.0/16" },
                Destinations = new[] { exampleUsWest2.Id },
            },
            new Aws.NetworkManager.Inputs.GetCoreNetworkPolicyDocumentSegmentActionInputArgs
            {
                Action = "create-route",
                Segment = "segment",
                DestinationCidrBlocks = new[] { "10.1.0.0/16" },
                Destinations = new[] { exampleUsEast1.Id },
            },
        },
    });

    var exampleCoreNetworkPolicyAttachment = new Aws.NetworkManager.CoreNetworkPolicyAttachment("example", new Aws.NetworkManager.CoreNetworkPolicyAttachmentArgs
    {
        CoreNetworkId = exampleCoreNetwork.Id,
        PolicyDocument = example.Apply(doc => doc.Json),
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.networkmanager.GlobalNetwork;
import com.pulumi.aws.networkmanager.CoreNetwork;
import com.pulumi.aws.networkmanager.CoreNetworkArgs;
import com.pulumi.aws.networkmanager.VpcAttachment;
import com.pulumi.aws.networkmanager.VpcAttachmentArgs;
import com.pulumi.aws.networkmanager.NetworkmanagerFunctions;
import com.pulumi.aws.networkmanager.inputs.GetCoreNetworkPolicyDocumentArgs;
import com.pulumi.aws.networkmanager.CoreNetworkPolicyAttachment;
import com.pulumi.aws.networkmanager.CoreNetworkPolicyAttachmentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Multi-region example: creates a global network and a core network with a
 * generated base policy, attaches one VPC per region, renders a policy
 * document whose static routes point at those attachments, and applies that
 * document through a CoreNetworkPolicyAttachment.
 *
 * NOTE(review): the inputs.* builder classes used in stack() (the
 * CoreNetworkConfiguration, EdgeLocation, Segment and SegmentAction args) and
 * toList() are not imported in this listing, and the exampleUs*AwsSubnet /
 * exampleUs*AwsVpc variables are not declared here. Supply them before
 * compiling.
 */
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var exampleGlobalNetwork = new GlobalNetwork("exampleGlobalNetwork");
// createBasePolicy(true) generates a base policy with edge locations in the
// listed regions so the VPC attachments below can be created before the final
// policy exists. Per this page's FAQ, the base policy's single segment is
// non-isolated and does not require attachment acceptance, so treat it as a
// bootstrap step rather than the intended segmentation.
var exampleCoreNetwork = new CoreNetwork("exampleCoreNetwork", CoreNetworkArgs.builder()
.globalNetworkId(exampleGlobalNetwork.id())
.basePolicyRegions(
"us-west-2",
"us-east-1")
.createBasePolicy(true)
.build());
// One VPC attachment per region; the subnet and VPC variables are presumably
// existing resources declared elsewhere.
var exampleUsWest2 = new VpcAttachment("exampleUsWest2", VpcAttachmentArgs.builder()
.coreNetworkId(exampleCoreNetwork.id())
.subnetArns(exampleUsWest2AwsSubnet.stream().map(element -> element.arn()).collect(toList()))
.vpcArn(exampleUsWest2AwsVpc.arn())
.build());
var exampleUsEast1 = new VpcAttachment("exampleUsEast1", VpcAttachmentArgs.builder()
.coreNetworkId(exampleCoreNetwork.id())
.subnetArns(exampleUsEast1AwsSubnet.stream().map(element -> element.arn()).collect(toList()))
.vpcArn(exampleUsEast1AwsVpc.arn())
.build());
// Final policy document. It references the attachment IDs created above,
// which is why the attachments must exist before it can be rendered.
final var example = NetworkmanagerFunctions.getCoreNetworkPolicyDocument(GetCoreNetworkPolicyDocumentArgs.builder()
.coreNetworkConfigurations(GetCoreNetworkPolicyDocumentCoreNetworkConfigurationArgs.builder()
.asnRanges("65022-65534")
// Edge locations match the regions passed to basePolicyRegions above.
.edgeLocations(
GetCoreNetworkPolicyDocumentCoreNetworkConfigurationEdgeLocationArgs.builder()
.location("us-west-2")
.build(),
GetCoreNetworkPolicyDocumentCoreNetworkConfigurationEdgeLocationArgs.builder()
.location("us-east-1")
.build())
.build())
// Two segments are declared; only "segment" is referenced by the segment
// actions below.
// NOTE(review): neither segment sets requireAttachmentAcceptance or
// isolateAttachments, so the data source defaults apply. Confirm they match
// the segmentation you intend before relying on this policy.
.segments(
GetCoreNetworkPolicyDocumentSegmentArgs.builder()
.name("segment")
.build(),
GetCoreNetworkPolicyDocumentSegmentArgs.builder()
.name("segment2")
.build())
// Static routes in "segment": each create-route action sends one /16 to a
// single VPC attachment. Review the CIDR-to-attachment mapping when
// adapting this example, since it decides where that traffic is delivered.
.segmentActions(
GetCoreNetworkPolicyDocumentSegmentActionArgs.builder()
.action("create-route")
.segment("segment")
.destinationCidrBlocks("10.0.0.0/16")
.destinations(exampleUsWest2.id())
.build(),
GetCoreNetworkPolicyDocumentSegmentActionArgs.builder()
.action("create-route")
.segment("segment")
.destinationCidrBlocks("10.1.0.0/16")
.destinations(exampleUsEast1.id())
.build())
.build());
// Applies the rendered JSON to the core network as its final policy.
var exampleCoreNetworkPolicyAttachment = new CoreNetworkPolicyAttachment("exampleCoreNetworkPolicyAttachment", CoreNetworkPolicyAttachmentArgs.builder()
.coreNetworkId(exampleCoreNetwork.id())
.policyDocument(example.applyValue(_example -> _example.json()))
.build());
}
}
The basePolicyRegions property lists us-west-2 and us-east-1, creating edge locations in both regions with default ASNs. VPC attachments in each region succeed because the base policy includes their edge locations. The final policy document references both attachment IDs in its segment actions.
Beyond these examples
These snippets focus on specific core network features: core network creation and metadata, base policy generation for VPC attachments, and single and multi-region VPC attachment workflows. They’re intentionally minimal rather than full Cloud WAN deployments.
The examples rely on pre-existing infrastructure such as global networks, VPCs, subnets, and their ARNs. They focus on configuring the core network rather than provisioning everything around it.
To keep things focused, common core network patterns are omitted, including:
- Policy document structure and segment configuration
- Static route definitions in segment actions
- Edge location ASN customization (when using basePolicyRegions)
- Policy versioning and update workflows
These omissions are intentional: the goal is to illustrate how each core network feature is wired, not provide drop-in Cloud WAN modules. See the Core Network resource reference for all available configuration options.
Frequently Asked Questions
Base Policy & Initial Setup
Set createBasePolicy to true if your core network doesn’t have any LIVE policies (e.g., first deployment) and your policy document has static routes pointing to VPC attachments. The base policy allows VPC attachments before applying your final policy via aws.networkmanager.CoreNetworkPolicyAttachment.
… aws.networkmanager.CoreNetworkPolicyAttachment resource.
The base policy includes ASN ranges (64512-65534), edge locations, and a single segment named “segment”. It sets vpn-ecmp-support to false and creates a non-isolated segment that doesn’t require attachment acceptance, so attachment requests are approved automatically while the base policy is the LIVE policy.
Policy Configuration Options
basePolicyDocument allows full customization including custom ASN values for each edge location. basePolicyRegions is simpler, accepting just a list of region names and using default ASN ranges. Use basePolicyDocument when you need specific ASN values; use basePolicyRegions for straightforward multi-region setup.
If basePolicyRegions is not specified, the region used in the base policy defaults to the region specified in the provider block.
Multi-Region Setup
You have two options:
- Custom ASNs - Use basePolicyDocument with multiple edge locations, each specifying location and asn
- Simple setup - Use basePolicyRegions with a list of region names (e.g., ["us-west-2", "us-east-1"])
Both approaches require createBasePolicy set to true for initial deployment.
Resource Properties
globalNetworkId is immutable and cannot be changed after the core network is created.
globalNetworkId is required. All other properties (description, tags, createBasePolicy, basePolicyDocument, basePolicyRegions) are optional.