Attach AWS Network Manager Core Network Policies

The aws:networkmanager/coreNetworkPolicyAttachment:CoreNetworkPolicyAttachment resource, part of the Pulumi AWS provider, attaches a policy document to a Core Network and deploys it globally as the LIVE policy. This guide focuses on three capabilities: attaching policies to existing networks, bootstrapping new networks with base policies, and multi-region deployment patterns.

Policy attachments require an existing Core Network and Global Network. VPC attachments require a LIVE policy before they can connect, creating a bootstrapping dependency for new networks. The examples are intentionally small. Combine them with your own Global Network, VPC infrastructure, and routing requirements.

Attach a policy to an existing core network

Teams with an established core network can deploy policy changes by attaching a new policy document that becomes LIVE immediately.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.networkmanager.CoreNetwork("example", {globalNetworkId: exampleAwsNetworkmanagerGlobalNetwork.id});
const exampleCoreNetworkPolicyAttachment = new aws.networkmanager.CoreNetworkPolicyAttachment("example", {
    coreNetworkId: example.id,
    policyDocument: exampleAwsNetworkmanagerCoreNetworkPolicyDocument.json,
});

import pulumi
import pulumi_aws as aws

example = aws.networkmanager.CoreNetwork("example", global_network_id=example_aws_networkmanager_global_network["id"])
example_core_network_policy_attachment = aws.networkmanager.CoreNetworkPolicyAttachment("example",
    core_network_id=example.id,
    policy_document=example_aws_networkmanager_core_network_policy_document["json"])

package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/networkmanager"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		example, err := networkmanager.NewCoreNetwork(ctx, "example", &networkmanager.CoreNetworkArgs{
			GlobalNetworkId: pulumi.Any(exampleAwsNetworkmanagerGlobalNetwork.Id),
		})
		if err != nil {
			return err
		}
		_, err = networkmanager.NewCoreNetworkPolicyAttachment(ctx, "example", &networkmanager.CoreNetworkPolicyAttachmentArgs{
			CoreNetworkId:  example.ID(),
			PolicyDocument: pulumi.Any(exampleAwsNetworkmanagerCoreNetworkPolicyDocument.Json),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    var example = new Aws.NetworkManager.CoreNetwork("example", new()
    {
        GlobalNetworkId = exampleAwsNetworkmanagerGlobalNetwork.Id,
    });

    var exampleCoreNetworkPolicyAttachment = new Aws.NetworkManager.CoreNetworkPolicyAttachment("example", new()
    {
        CoreNetworkId = example.Id,
        PolicyDocument = exampleAwsNetworkmanagerCoreNetworkPolicyDocument.Json,
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.networkmanager.CoreNetwork;
import com.pulumi.aws.networkmanager.CoreNetworkArgs;
import com.pulumi.aws.networkmanager.CoreNetworkPolicyAttachment;
import com.pulumi.aws.networkmanager.CoreNetworkPolicyAttachmentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new CoreNetwork("example", CoreNetworkArgs.builder()
            .globalNetworkId(exampleAwsNetworkmanagerGlobalNetwork.id())
            .build());

        var exampleCoreNetworkPolicyAttachment = new CoreNetworkPolicyAttachment("exampleCoreNetworkPolicyAttachment", CoreNetworkPolicyAttachmentArgs.builder()
            .coreNetworkId(example.id())
            .policyDocument(exampleAwsNetworkmanagerCoreNetworkPolicyDocument.json())
            .build());

    }
}

resources:
  example:
    type: aws:networkmanager:CoreNetwork
    properties:
      globalNetworkId: ${exampleAwsNetworkmanagerGlobalNetwork.id}
  exampleCoreNetworkPolicyAttachment:
    type: aws:networkmanager:CoreNetworkPolicyAttachment
    name: example
    properties:
      coreNetworkId: ${example.id}
      policyDocument: ${exampleAwsNetworkmanagerCoreNetworkPolicyDocument.json}

The coreNetworkId references your existing Core Network. The policyDocument contains the routing and segmentation rules. When you update policyDocument, the new version becomes both LATEST and LIVE, deploying changes globally. Deleting this resource does not revert the LIVE policy to a previous version.

Bootstrap a new core network with VPC attachments

New core networks require a LIVE policy before VPCs can attach. You can create a minimal base policy, attach VPCs, then apply the full policy with static routes.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const exampleGlobalNetwork = new aws.networkmanager.GlobalNetwork("example", {});
const base = aws.networkmanager.getCoreNetworkPolicyDocument({
    coreNetworkConfigurations: [{
        asnRanges: ["65022-65534"],
        edgeLocations: [{
            location: "us-west-2",
            asn: "65500",
        }],
    }],
    segments: [{
        name: "segment",
    }],
});
const exampleCoreNetwork = new aws.networkmanager.CoreNetwork("example", {
    globalNetworkId: exampleGlobalNetwork.id,
    basePolicyDocument: base.then(base => base.json),
    createBasePolicy: true,
});
const exampleVpcAttachment = new aws.networkmanager.VpcAttachment("example", {
    coreNetworkId: exampleCoreNetwork.id,
    subnetArns: exampleAwsSubnet.map(__item => __item.arn),
    vpcArn: exampleAwsVpc.arn,
});
const example = aws.networkmanager.getCoreNetworkPolicyDocumentOutput({
    coreNetworkConfigurations: [{
        asnRanges: ["65022-65534"],
        edgeLocations: [{
            location: "us-west-2",
            asn: "65500",
        }],
    }],
    segments: [{
        name: "segment",
    }],
    segmentActions: [{
        action: "create-route",
        segment: "segment",
        destinationCidrBlocks: ["0.0.0.0/0"],
        destinations: [exampleVpcAttachment.id],
    }],
});
const exampleCoreNetworkPolicyAttachment = new aws.networkmanager.CoreNetworkPolicyAttachment("example", {
    coreNetworkId: exampleCoreNetwork.id,
    policyDocument: example.apply(example => example.json),
});

import pulumi
import pulumi_aws as aws

example_global_network = aws.networkmanager.GlobalNetwork("example")
base = aws.networkmanager.get_core_network_policy_document(core_network_configurations=[{
        "asn_ranges": ["65022-65534"],
        "edge_locations": [{
            "location": "us-west-2",
            "asn": "65500",
        }],
    }],
    segments=[{
        "name": "segment",
    }])
example_core_network = aws.networkmanager.CoreNetwork("example",
    global_network_id=example_global_network.id,
    base_policy_document=base.json,
    create_base_policy=True)
example_vpc_attachment = aws.networkmanager.VpcAttachment("example",
    core_network_id=example_core_network.id,
    subnet_arns=[__item["arn"] for __item in example_aws_subnet],
    vpc_arn=example_aws_vpc["arn"])
example = aws.networkmanager.get_core_network_policy_document_output(core_network_configurations=[{
        "asn_ranges": ["65022-65534"],
        "edge_locations": [{
            "location": "us-west-2",
            "asn": "65500",
        }],
    }],
    segments=[{
        "name": "segment",
    }],
    segment_actions=[{
        "action": "create-route",
        "segment": "segment",
        "destination_cidr_blocks": ["0.0.0.0/0"],
        "destinations": [example_vpc_attachment.id],
    }])
example_core_network_policy_attachment = aws.networkmanager.CoreNetworkPolicyAttachment("example",
    core_network_id=example_core_network.id,
    policy_document=example.json)

package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/networkmanager"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		exampleGlobalNetwork, err := networkmanager.NewGlobalNetwork(ctx, "example", nil)
		if err != nil {
			return err
		}
		// Minimal base policy: one edge location and one segment, enough to become LIVE.
		base, err := networkmanager.GetCoreNetworkPolicyDocument(ctx, &networkmanager.GetCoreNetworkPolicyDocumentArgs{
			CoreNetworkConfigurations: []networkmanager.GetCoreNetworkPolicyDocumentCoreNetworkConfiguration{
				{
					AsnRanges: []string{
						"65022-65534",
					},
					EdgeLocations: []networkmanager.GetCoreNetworkPolicyDocumentCoreNetworkConfigurationEdgeLocation{
						{
							Location: "us-west-2",
							Asn:      pulumi.StringRef("65500"),
						},
					},
				},
			},
			Segments: []networkmanager.GetCoreNetworkPolicyDocumentSegment{
				{
					Name: "segment",
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		exampleCoreNetwork, err := networkmanager.NewCoreNetwork(ctx, "example", &networkmanager.CoreNetworkArgs{
			GlobalNetworkId:    exampleGlobalNetwork.ID(),
			BasePolicyDocument: pulumi.String(base.Json),
			CreateBasePolicy:   pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		// exampleAwsSubnet and exampleAwsVpc are defined elsewhere in your program.
		// Collect the subnet ARNs as a typed string array for the attachment.
		var subnetArns pulumi.StringArray
		for _, subnet := range exampleAwsSubnet {
			subnetArns = append(subnetArns, subnet.Arn)
		}
		exampleVpcAttachment, err := networkmanager.NewVpcAttachment(ctx, "example", &networkmanager.VpcAttachmentArgs{
			CoreNetworkId: exampleCoreNetwork.ID(),
			SubnetArns:    subnetArns,
			VpcArn:        pulumi.Any(exampleAwsVpc.Arn),
		})
		if err != nil {
			return err
		}
		// Full policy: the base policy plus a static route to the VPC attachment.
		example := networkmanager.GetCoreNetworkPolicyDocumentOutput(ctx, networkmanager.GetCoreNetworkPolicyDocumentOutputArgs{
			CoreNetworkConfigurations: networkmanager.GetCoreNetworkPolicyDocumentCoreNetworkConfigurationArray{
				&networkmanager.GetCoreNetworkPolicyDocumentCoreNetworkConfigurationArgs{
					AsnRanges: pulumi.StringArray{
						pulumi.String("65022-65534"),
					},
					EdgeLocations: networkmanager.GetCoreNetworkPolicyDocumentCoreNetworkConfigurationEdgeLocationArray{
						&networkmanager.GetCoreNetworkPolicyDocumentCoreNetworkConfigurationEdgeLocationArgs{
							Location: pulumi.String("us-west-2"),
							Asn:      pulumi.String("65500"),
						},
					},
				},
			},
			Segments: networkmanager.GetCoreNetworkPolicyDocumentSegmentArray{
				&networkmanager.GetCoreNetworkPolicyDocumentSegmentArgs{
					Name: pulumi.String("segment"),
				},
			},
			SegmentActions: networkmanager.GetCoreNetworkPolicyDocumentSegmentActionArray{
				&networkmanager.GetCoreNetworkPolicyDocumentSegmentActionArgs{
					Action:  pulumi.String("create-route"),
					Segment: pulumi.String("segment"),
					DestinationCidrBlocks: pulumi.StringArray{
						pulumi.String("0.0.0.0/0"),
					},
					Destinations: pulumi.StringArray{
						exampleVpcAttachment.ID(),
					},
				},
			},
		}, nil)
		// Attaching the full policy makes it the LIVE policy.
		_, err = networkmanager.NewCoreNetworkPolicyAttachment(ctx, "example", &networkmanager.CoreNetworkPolicyAttachmentArgs{
			CoreNetworkId: exampleCoreNetwork.ID(),
			PolicyDocument: example.ApplyT(func(doc networkmanager.GetCoreNetworkPolicyDocumentResult) (string, error) {
				return doc.Json, nil
			}).(pulumi.StringOutput),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    var exampleGlobalNetwork = new Aws.NetworkManager.GlobalNetwork("example");

    var @base = Aws.NetworkManager.GetCoreNetworkPolicyDocument.Invoke(new()
    {
        CoreNetworkConfigurations = new[]
        {
            new Aws.NetworkManager.Inputs.GetCoreNetworkPolicyDocumentCoreNetworkConfigurationInputArgs
            {
                AsnRanges = new[]
                {
                    "65022-65534",
                },
                EdgeLocations = new[]
                {
                    new Aws.NetworkManager.Inputs.GetCoreNetworkPolicyDocumentCoreNetworkConfigurationEdgeLocationInputArgs
                    {
                        Location = "us-west-2",
                        Asn = "65500",
                    },
                },
            },
        },
        Segments = new[]
        {
            new Aws.NetworkManager.Inputs.GetCoreNetworkPolicyDocumentSegmentInputArgs
            {
                Name = "segment",
            },
        },
    });

    var exampleCoreNetwork = new Aws.NetworkManager.CoreNetwork("example", new()
    {
        GlobalNetworkId = exampleGlobalNetwork.Id,
        BasePolicyDocument = @base.Apply(getCoreNetworkPolicyDocumentResult => getCoreNetworkPolicyDocumentResult.Json),
        CreateBasePolicy = true,
    });

    var exampleVpcAttachment = new Aws.NetworkManager.VpcAttachment("example", new()
    {
        CoreNetworkId = exampleCoreNetwork.Id,
        SubnetArns = exampleAwsSubnet.Select(__item => __item.Arn).ToList(),
        VpcArn = exampleAwsVpc.Arn,
    });

    var example = Aws.NetworkManager.GetCoreNetworkPolicyDocument.Invoke(new()
    {
        CoreNetworkConfigurations = new[]
        {
            new Aws.NetworkManager.Inputs.GetCoreNetworkPolicyDocumentCoreNetworkConfigurationInputArgs
            {
                AsnRanges = new[]
                {
                    "65022-65534",
                },
                EdgeLocations = new[]
                {
                    new Aws.NetworkManager.Inputs.GetCoreNetworkPolicyDocumentCoreNetworkConfigurationEdgeLocationInputArgs
                    {
                        Location = "us-west-2",
                        Asn = "65500",
                    },
                },
            },
        },
        Segments = new[]
        {
            new Aws.NetworkManager.Inputs.GetCoreNetworkPolicyDocumentSegmentInputArgs
            {
                Name = "segment",
            },
        },
        SegmentActions = new[]
        {
            new Aws.NetworkManager.Inputs.GetCoreNetworkPolicyDocumentSegmentActionInputArgs
            {
                Action = "create-route",
                Segment = "segment",
                DestinationCidrBlocks = new[]
                {
                    "0.0.0.0/0",
                },
                Destinations = new[]
                {
                    exampleVpcAttachment.Id,
                },
            },
        },
    });

    var exampleCoreNetworkPolicyAttachment = new Aws.NetworkManager.CoreNetworkPolicyAttachment("example", new()
    {
        CoreNetworkId = exampleCoreNetwork.Id,
        PolicyDocument = example.Apply(getCoreNetworkPolicyDocumentResult => getCoreNetworkPolicyDocumentResult.Json),
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.networkmanager.GlobalNetwork;
import com.pulumi.aws.networkmanager.NetworkmanagerFunctions;
import com.pulumi.aws.networkmanager.inputs.GetCoreNetworkPolicyDocumentArgs;
import com.pulumi.aws.networkmanager.CoreNetwork;
import com.pulumi.aws.networkmanager.CoreNetworkArgs;
import com.pulumi.aws.networkmanager.VpcAttachment;
import com.pulumi.aws.networkmanager.VpcAttachmentArgs;
import com.pulumi.aws.networkmanager.CoreNetworkPolicyAttachment;
import com.pulumi.aws.networkmanager.CoreNetworkPolicyAttachmentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var exampleGlobalNetwork = new GlobalNetwork("exampleGlobalNetwork");

        final var base = NetworkmanagerFunctions.getCoreNetworkPolicyDocument(GetCoreNetworkPolicyDocumentArgs.builder()
            .coreNetworkConfigurations(GetCoreNetworkPolicyDocumentCoreNetworkConfigurationArgs.builder()
                .asnRanges("65022-65534")
                .edgeLocations(GetCoreNetworkPolicyDocumentCoreNetworkConfigurationEdgeLocationArgs.builder()
                    .location("us-west-2")
                    .asn("65500")
                    .build())
                .build())
            .segments(GetCoreNetworkPolicyDocumentSegmentArgs.builder()
                .name("segment")
                .build())
            .build());

        var exampleCoreNetwork = new CoreNetwork("exampleCoreNetwork", CoreNetworkArgs.builder()
            .globalNetworkId(exampleGlobalNetwork.id())
            .basePolicyDocument(base.applyValue(_base -> _base.json()))
            .createBasePolicy(true)
            .build());

        var exampleVpcAttachment = new VpcAttachment("exampleVpcAttachment", VpcAttachmentArgs.builder()
            .coreNetworkId(exampleCoreNetwork.id())
            .subnetArns(exampleAwsSubnet.stream().map(element -> element.arn()).collect(toList()))
            .vpcArn(exampleAwsVpc.arn())
            .build());

        final var example = NetworkmanagerFunctions.getCoreNetworkPolicyDocument(GetCoreNetworkPolicyDocumentArgs.builder()
            .coreNetworkConfigurations(GetCoreNetworkPolicyDocumentCoreNetworkConfigurationArgs.builder()
                .asnRanges("65022-65534")
                .edgeLocations(GetCoreNetworkPolicyDocumentCoreNetworkConfigurationEdgeLocationArgs.builder()
                    .location("us-west-2")
                    .asn("65500")
                    .build())
                .build())
            .segments(GetCoreNetworkPolicyDocumentSegmentArgs.builder()
                .name("segment")
                .build())
            .segmentActions(GetCoreNetworkPolicyDocumentSegmentActionArgs.builder()
                .action("create-route")
                .segment("segment")
                .destinationCidrBlocks("0.0.0.0/0")
                .destinations(exampleVpcAttachment.id())
                .build())
            .build());

        var exampleCoreNetworkPolicyAttachment = new CoreNetworkPolicyAttachment("exampleCoreNetworkPolicyAttachment", CoreNetworkPolicyAttachmentArgs.builder()
            .coreNetworkId(exampleCoreNetwork.id())
            .policyDocument(example.applyValue(_example -> _example.json()))
            .build());

    }
}

The createBasePolicy flag tells the Core Network to deploy the basePolicyDocument as the initial LIVE policy. This base policy defines edgeLocations with specific ASNs (65500 for us-west-2) and a minimal segment structure. Once the base policy is LIVE, VpcAttachment resources can connect. The final policy adds segmentActions that create static routes pointing to the VPC attachment IDs.
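
An updated policyDocument goes LIVE globally at once, and deleting the attachment does not roll it back, so a review gate before applying the change is worth having. The following is an added example, not part of the Pulumi provider or the original page: it diffs the rendered JSON of the LIVE policy against the proposed one, using the bootstrap base policy and the full policy with its static route as constructed input. It assumes the kebab-case keys of the core network policy JSON; the function names, severity levels and the `attachment-EXAMPLE` ID are illustrative.

```python
import ipaddress
import json

DEFAULT_ROUTES = {"0.0.0.0/0", "::/0"}

# Constructed sample: the bootstrap base policy as rendered JSON.
_BASE = {
    "version": "2021.12",
    "core-network-configuration": {
        "asn-ranges": ["65022-65534"],
        "edge-locations": [{"location": "us-west-2", "asn": 65500}],
    },
    "segments": [{"name": "segment"}],
}
LIVE_POLICY = json.dumps(_BASE)

# Constructed sample: the full policy; "attachment-EXAMPLE" is a placeholder ID.
PROPOSED_POLICY = json.dumps({**_BASE, "segment-actions": [{
    "action": "create-route",
    "segment": "segment",
    "destination-cidr-blocks": ["0.0.0.0/0"],
    "destinations": ["attachment-EXAMPLE"],
}]})


def _segments(policy):
    """Names of the segments the policy declares."""
    return {seg["name"] for seg in policy.get("segments", [])}


def _edge_locations(policy):
    """Regions listed as edge locations in the policy."""
    config = policy.get("core-network-configuration", {})
    return {edge["location"] for edge in config.get("edge-locations", [])}


def _static_routes(policy):
    """Set of (segment, cidr, destination) for every create-route action."""
    routes = set()
    for action in policy.get("segment-actions", []):
        if action.get("action") != "create-route":
            continue
        for cidr in action.get("destination-cidr-blocks", []):
            # Normalise so equivalent spellings of one prefix compare equal.
            net = str(ipaddress.ip_network(cidr, strict=False))
            for dest in action.get("destinations", []):
                routes.add((action.get("segment"), net, dest))
    return routes


def review_policy_change(live_json, proposed_json):
    """Diff LIVE against proposed; return sorted (level, code, detail) tuples."""
    live, proposed = json.loads(live_json), json.loads(proposed_json)
    findings = []

    # A segment action that names a segment the policy never declares.
    declared = _segments(proposed)
    for action in proposed.get("segment-actions", []):
        if action.get("segment") not in declared:
            findings.append(("error", "undeclared-segment", str(action.get("segment"))))

    # Removals change what existing attachments can reach, so they need sign-off.
    for name in _segments(live) - declared:
        findings.append(("review", "segment-removed", name))
    for location in _edge_locations(live) - _edge_locations(proposed):
        findings.append(("review", "edge-location-removed", location))

    # Static route changes; a new default route redirects all unmatched traffic.
    old_routes, new_routes = _static_routes(live), _static_routes(proposed)
    for segment, cidr, dest in new_routes - old_routes:
        is_default = cidr in DEFAULT_ROUTES
        findings.append((
            "review" if is_default else "info",
            "default-route-added" if is_default else "route-added",
            f"{segment}: {cidr} -> {dest}",
        ))
    for segment, cidr, dest in old_routes - new_routes:
        findings.append(("info", "route-removed", f"{segment}: {cidr} -> {dest}"))
    return sorted(findings)


def safe_to_auto_apply(findings):
    """True only when nothing above informational level was found."""
    return all(level == "info" for level, _, _ in findings)


if __name__ == "__main__":
    results = review_policy_change(LIVE_POLICY, PROPOSED_POLICY)
    for level, code, detail in results:
        print(f"[{level}] {code}: {detail}")
    print("auto-apply:", safe_to_auto_apply(results))
```

In a pipeline, the LIVE document can be fetched with `aws networkmanager get-core-network-policy` and the proposed one taken from the policy document data source's JSON output.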

Deploy multi-region core networks with simplified base policy

Multi-region deployments can use basePolicyRegions to generate a base policy automatically, avoiding manual ASN assignment.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const exampleGlobalNetwork = new aws.networkmanager.GlobalNetwork("example", {});
const exampleCoreNetwork = new aws.networkmanager.CoreNetwork("example", {
    globalNetworkId: exampleGlobalNetwork.id,
    basePolicyRegions: [
        "us-west-2",
        "us-east-1",
    ],
    createBasePolicy: true,
});
const exampleUsWest2 = new aws.networkmanager.VpcAttachment("example_us_west_2", {
    coreNetworkId: exampleCoreNetwork.id,
    subnetArns: exampleUsWest2AwsSubnet.map(__item => __item.arn),
    vpcArn: exampleUsWest2AwsVpc.arn,
});
const exampleUsEast1 = new aws.networkmanager.VpcAttachment("example_us_east_1", {
    coreNetworkId: exampleCoreNetwork.id,
    subnetArns: exampleUsEast1AwsSubnet.map(__item => __item.arn),
    vpcArn: exampleUsEast1AwsVpc.arn,
});
const example = aws.networkmanager.getCoreNetworkPolicyDocumentOutput({
    coreNetworkConfigurations: [{
        asnRanges: ["65022-65534"],
        edgeLocations: [
            {
                location: "us-west-2",
            },
            {
                location: "us-east-1",
            },
        ],
    }],
    segments: [
        {
            name: "segment",
        },
        {
            name: "segment2",
        },
    ],
    segmentActions: [
        {
            action: "create-route",
            segment: "segment",
            destinationCidrBlocks: ["10.0.0.0/16"],
            destinations: [exampleUsWest2.id],
        },
        {
            action: "create-route",
            segment: "segment",
            destinationCidrBlocks: ["10.1.0.0/16"],
            destinations: [exampleUsEast1.id],
        },
    ],
});
const exampleCoreNetworkPolicyAttachment = new aws.networkmanager.CoreNetworkPolicyAttachment("example", {
    coreNetworkId: exampleCoreNetwork.id,
    policyDocument: example.apply(example => example.json),
});

import pulumi
import pulumi_aws as aws

example_global_network = aws.networkmanager.GlobalNetwork("example")
example_core_network = aws.networkmanager.CoreNetwork("example",
    global_network_id=example_global_network.id,
    base_policy_regions=[
        "us-west-2",
        "us-east-1",
    ],
    create_base_policy=True)
example_us_west2 = aws.networkmanager.VpcAttachment("example_us_west_2",
    core_network_id=example_core_network.id,
    subnet_arns=[__item["arn"] for __item in example_us_west2_aws_subnet],
    vpc_arn=example_us_west2_aws_vpc["arn"])
example_us_east1 = aws.networkmanager.VpcAttachment("example_us_east_1",
    core_network_id=example_core_network.id,
    subnet_arns=[__item["arn"] for __item in example_us_east1_aws_subnet],
    vpc_arn=example_us_east1_aws_vpc["arn"])
example = aws.networkmanager.get_core_network_policy_document_output(core_network_configurations=[{
        "asn_ranges": ["65022-65534"],
        "edge_locations": [
            {
                "location": "us-west-2",
            },
            {
                "location": "us-east-1",
            },
        ],
    }],
    segments=[
        {
            "name": "segment",
        },
        {
            "name": "segment2",
        },
    ],
    segment_actions=[
        {
            "action": "create-route",
            "segment": "segment",
            "destination_cidr_blocks": ["10.0.0.0/16"],
            "destinations": [example_us_west2.id],
        },
        {
            "action": "create-route",
            "segment": "segment",
            "destination_cidr_blocks": ["10.1.0.0/16"],
            "destinations": [example_us_east1.id],
        },
    ])
example_core_network_policy_attachment = aws.networkmanager.CoreNetworkPolicyAttachment("example",
    core_network_id=example_core_network.id,
    policy_document=example.json)

package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/networkmanager"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		exampleGlobalNetwork, err := networkmanager.NewGlobalNetwork(ctx, "example", nil)
		if err != nil {
			return err
		}
		// basePolicyRegions generates the base policy; no ASNs are specified here.
		exampleCoreNetwork, err := networkmanager.NewCoreNetwork(ctx, "example", &networkmanager.CoreNetworkArgs{
			GlobalNetworkId: exampleGlobalNetwork.ID(),
			BasePolicyRegions: pulumi.StringArray{
				pulumi.String("us-west-2"),
				pulumi.String("us-east-1"),
			},
			CreateBasePolicy: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		// The subnet and VPC variables are defined elsewhere in your program.
		// Collect each region's subnet ARNs as a typed string array.
		var usWest2SubnetArns pulumi.StringArray
		for _, subnet := range exampleUsWest2AwsSubnet {
			usWest2SubnetArns = append(usWest2SubnetArns, subnet.Arn)
		}
		exampleUsWest2, err := networkmanager.NewVpcAttachment(ctx, "example_us_west_2", &networkmanager.VpcAttachmentArgs{
			CoreNetworkId: exampleCoreNetwork.ID(),
			SubnetArns:    usWest2SubnetArns,
			VpcArn:        pulumi.Any(exampleUsWest2AwsVpc.Arn),
		})
		if err != nil {
			return err
		}
		var usEast1SubnetArns pulumi.StringArray
		for _, subnet := range exampleUsEast1AwsSubnet {
			usEast1SubnetArns = append(usEast1SubnetArns, subnet.Arn)
		}
		exampleUsEast1, err := networkmanager.NewVpcAttachment(ctx, "example_us_east_1", &networkmanager.VpcAttachmentArgs{
			CoreNetworkId: exampleCoreNetwork.ID(),
			SubnetArns:    usEast1SubnetArns,
			VpcArn:        pulumi.Any(exampleUsEast1AwsVpc.Arn),
		})
		if err != nil {
			return err
		}
		// Full policy: both edge locations, two segments, one static route per VPC attachment.
		example := networkmanager.GetCoreNetworkPolicyDocumentOutput(ctx, networkmanager.GetCoreNetworkPolicyDocumentOutputArgs{
			CoreNetworkConfigurations: networkmanager.GetCoreNetworkPolicyDocumentCoreNetworkConfigurationArray{
				&networkmanager.GetCoreNetworkPolicyDocumentCoreNetworkConfigurationArgs{
					AsnRanges: pulumi.StringArray{
						pulumi.String("65022-65534"),
					},
					EdgeLocations: networkmanager.GetCoreNetworkPolicyDocumentCoreNetworkConfigurationEdgeLocationArray{
						&networkmanager.GetCoreNetworkPolicyDocumentCoreNetworkConfigurationEdgeLocationArgs{
							Location: pulumi.String("us-west-2"),
						},
						&networkmanager.GetCoreNetworkPolicyDocumentCoreNetworkConfigurationEdgeLocationArgs{
							Location: pulumi.String("us-east-1"),
						},
					},
				},
			},
			Segments: networkmanager.GetCoreNetworkPolicyDocumentSegmentArray{
				&networkmanager.GetCoreNetworkPolicyDocumentSegmentArgs{
					Name: pulumi.String("segment"),
				},
				&networkmanager.GetCoreNetworkPolicyDocumentSegmentArgs{
					Name: pulumi.String("segment2"),
				},
			},
			SegmentActions: networkmanager.GetCoreNetworkPolicyDocumentSegmentActionArray{
				&networkmanager.GetCoreNetworkPolicyDocumentSegmentActionArgs{
					Action:  pulumi.String("create-route"),
					Segment: pulumi.String("segment"),
					DestinationCidrBlocks: pulumi.StringArray{
						pulumi.String("10.0.0.0/16"),
					},
					Destinations: pulumi.StringArray{
						exampleUsWest2.ID(),
					},
				},
				&networkmanager.GetCoreNetworkPolicyDocumentSegmentActionArgs{
					Action:  pulumi.String("create-route"),
					Segment: pulumi.String("segment"),
					DestinationCidrBlocks: pulumi.StringArray{
						pulumi.String("10.1.0.0/16"),
					},
					Destinations: pulumi.StringArray{
						exampleUsEast1.ID(),
					},
				},
			},
		}, nil)
		// Attaching the full policy makes it the LIVE policy.
		_, err = networkmanager.NewCoreNetworkPolicyAttachment(ctx, "example", &networkmanager.CoreNetworkPolicyAttachmentArgs{
			CoreNetworkId: exampleCoreNetwork.ID(),
			PolicyDocument: example.ApplyT(func(doc networkmanager.GetCoreNetworkPolicyDocumentResult) (string, error) {
				return doc.Json, nil
			}).(pulumi.StringOutput),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    var exampleGlobalNetwork = new Aws.NetworkManager.GlobalNetwork("example");

    var exampleCoreNetwork = new Aws.NetworkManager.CoreNetwork("example", new()
    {
        GlobalNetworkId = exampleGlobalNetwork.Id,
        BasePolicyRegions = new[]
        {
            "us-west-2",
            "us-east-1",
        },
        CreateBasePolicy = true,
    });

    var exampleUsWest2 = new Aws.NetworkManager.VpcAttachment("example_us_west_2", new()
    {
        CoreNetworkId = exampleCoreNetwork.Id,
        SubnetArns = exampleUsWest2AwsSubnet.Select(__item => __item.Arn).ToList(),
        VpcArn = exampleUsWest2AwsVpc.Arn,
    });

    var exampleUsEast1 = new Aws.NetworkManager.VpcAttachment("example_us_east_1", new()
    {
        CoreNetworkId = exampleCoreNetwork.Id,
        SubnetArns = exampleUsEast1AwsSubnet.Select(__item => __item.Arn).ToList(),
        VpcArn = exampleUsEast1AwsVpc.Arn,
    });

    var example = Aws.NetworkManager.GetCoreNetworkPolicyDocument.Invoke(new()
    {
        CoreNetworkConfigurations = new[]
        {
            new Aws.NetworkManager.Inputs.GetCoreNetworkPolicyDocumentCoreNetworkConfigurationInputArgs
            {
                AsnRanges = new[]
                {
                    "65022-65534",
                },
                EdgeLocations = new[]
                {
                    new Aws.NetworkManager.Inputs.GetCoreNetworkPolicyDocumentCoreNetworkConfigurationEdgeLocationInputArgs
                    {
                        Location = "us-west-2",
                    },
                    new Aws.NetworkManager.Inputs.GetCoreNetworkPolicyDocumentCoreNetworkConfigurationEdgeLocationInputArgs
                    {
                        Location = "us-east-1",
                    },
                },
            },
        },
        Segments = new[]
        {
            new Aws.NetworkManager.Inputs.GetCoreNetworkPolicyDocumentSegmentInputArgs
            {
                Name = "segment",
            },
            new Aws.NetworkManager.Inputs.GetCoreNetworkPolicyDocumentSegmentInputArgs
            {
                Name = "segment2",
            },
        },
        SegmentActions = new[]
        {
            new Aws.NetworkManager.Inputs.GetCoreNetworkPolicyDocumentSegmentActionInputArgs
            {
                Action = "create-route",
                Segment = "segment",
                DestinationCidrBlocks = new[]
                {
                    "10.0.0.0/16",
                },
                Destinations = new[]
                {
                    exampleUsWest2.Id,
                },
            },
            new Aws.NetworkManager.Inputs.GetCoreNetworkPolicyDocumentSegmentActionInputArgs
            {
                Action = "create-route",
                Segment = "segment",
                DestinationCidrBlocks = new[]
                {
                    "10.1.0.0/16",
                },
                Destinations = new[]
                {
                    exampleUsEast1.Id,
                },
            },
        },
    });

    var exampleCoreNetworkPolicyAttachment = new Aws.NetworkManager.CoreNetworkPolicyAttachment("example", new()
    {
        CoreNetworkId = exampleCoreNetwork.Id,
        PolicyDocument = example.Apply(getCoreNetworkPolicyDocumentResult => getCoreNetworkPolicyDocumentResult.Json),
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.networkmanager.GlobalNetwork;
import com.pulumi.aws.networkmanager.CoreNetwork;
import com.pulumi.aws.networkmanager.CoreNetworkArgs;
import com.pulumi.aws.networkmanager.VpcAttachment;
import com.pulumi.aws.networkmanager.VpcAttachmentArgs;
import com.pulumi.aws.networkmanager.NetworkmanagerFunctions;
import com.pulumi.aws.networkmanager.inputs.GetCoreNetworkPolicyDocumentArgs;
import com.pulumi.aws.networkmanager.CoreNetworkPolicyAttachment;
import com.pulumi.aws.networkmanager.CoreNetworkPolicyAttachmentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var exampleGlobalNetwork = new GlobalNetwork("exampleGlobalNetwork");

        var exampleCoreNetwork = new CoreNetwork("exampleCoreNetwork", CoreNetworkArgs.builder()
            .globalNetworkId(exampleGlobalNetwork.id())
            .basePolicyRegions(            
                "us-west-2",
                "us-east-1")
            .createBasePolicy(true)
            .build());

        var exampleUsWest2 = new VpcAttachment("exampleUsWest2", VpcAttachmentArgs.builder()
            .coreNetworkId(exampleCoreNetwork.id())
            .subnetArns(exampleUsWest2AwsSubnet.stream().map(element -> element.arn()).collect(toList()))
            .vpcArn(exampleUsWest2AwsVpc.arn())
            .build());

        var exampleUsEast1 = new VpcAttachment("exampleUsEast1", VpcAttachmentArgs.builder()
            .coreNetworkId(exampleCoreNetwork.id())
            .subnetArns(exampleUsEast1AwsSubnet.stream().map(element -> element.arn()).collect(toList()))
            .vpcArn(exampleUsEast1AwsVpc.arn())
            .build());

        final var example = NetworkmanagerFunctions.getCoreNetworkPolicyDocument(GetCoreNetworkPolicyDocumentArgs.builder()
            .coreNetworkConfigurations(GetCoreNetworkPolicyDocumentCoreNetworkConfigurationArgs.builder()
                .asnRanges("65022-65534")
                .edgeLocations(                
                    GetCoreNetworkPolicyDocumentCoreNetworkConfigurationEdgeLocationArgs.builder()
                        .location("us-west-2")
                        .build(),
                    GetCoreNetworkPolicyDocumentCoreNetworkConfigurationEdgeLocationArgs.builder()
                        .location("us-east-1")
                        .build())
                .build())
            .segments(
                GetCoreNetworkPolicyDocumentSegmentArgs.builder()
                    .name("segment")
                    .build(),
                GetCoreNetworkPolicyDocumentSegmentArgs.builder()
                    .name("segment2")
                    .build())
            .segmentActions(
                GetCoreNetworkPolicyDocumentSegmentActionArgs.builder()
                    .action("create-route")
                    .segment("segment")
                    .destinationCidrBlocks("10.0.0.0/16")
                    .destinations(exampleUsWest2.id())
                    .build(),
                GetCoreNetworkPolicyDocumentSegmentActionArgs.builder()
                    .action("create-route")
                    .segment("segment")
                    .destinationCidrBlocks("10.1.0.0/16")
                    .destinations(exampleUsEast1.id())
                    .build())
            .build());

        var exampleCoreNetworkPolicyAttachment = new CoreNetworkPolicyAttachment("exampleCoreNetworkPolicyAttachment", CoreNetworkPolicyAttachmentArgs.builder()
            .coreNetworkId(exampleCoreNetwork.id())
            .policyDocument(example.applyValue(_example -> _example.json()))
            .build());

    }
}

The basePolicyRegions property lists regions where the core network should operate. AWS automatically assigns ASNs for each region. After VPC attachments connect in both regions, the final policy defines segments and segmentActions that route traffic between regions. This approach simplifies multi-region bootstrapping compared to manually specifying ASNs in basePolicyDocument.

Beyond these examples

These snippets focus on specific policy attachment features: policy attachment and LIVE deployment, base policy bootstrapping for new networks, and multi-region core network configuration. They’re intentionally minimal rather than full network architectures.

The examples may reference pre-existing infrastructure, such as Global Network resources and the VPC subnets and VPC ARNs used for attachments. They focus on configuring the policy attachment rather than provisioning the underlying network infrastructure.

To keep things focused, common policy patterns are omitted, including:

  • Policy versioning and rollback (deleting this resource doesn’t revert LIVE policy)
  • Segment isolation rules and attachment policies
  • Cross-region peering and transit gateway integration
  • Policy validation before deployment

These omissions are intentional: the goal is to illustrate how policy attachment is wired, not to provide drop-in network modules. See the Core Network Policy Attachment resource reference for all available configuration options.

Frequently Asked Questions

Policy Lifecycle & Deployment

What happens when I delete a CoreNetworkPolicyAttachment resource?
Deleting the resource removes it from Pulumi state but does not delete the policy from AWS or revert to a previous policy version. The current policy remains as the LIVE policy in your core network.

What happens when I update the policy document?
Updating policyDocument immediately sets the new version as both LATEST and LIVE, deploying changes globally across your core network. Test policy changes carefully before applying updates.

Why can't I attach VPCs to my new core network?
A LIVE policy must exist before VPCs can be attached to the core network. On first deployment, set createBasePolicy to true in your aws.networkmanager.CoreNetwork resource, or provide a basePolicyDocument or basePolicyRegions.
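
Because an updated policyDocument becomes LIVE globally at once, it helps to check the rendered policy JSON before the attachment is applied. The following is an added example, not Pulumi's or AWS's code: it assumes the AWS core network policy JSON key names (core-network-configuration, asn-ranges, edge-locations, segments, segment-actions), and APPROVED_REGIONS, asn_in_ranges and lint_policy are hypothetical names.

```python
import json

# Assumption: the regions your organisation allows as core network edge locations.
APPROVED_REGIONS = {"us-west-2", "us-east-1"}

def asn_in_ranges(asn, ranges):
    """True if asn lies inside any "low-high" entry of the policy's asn-ranges."""
    bounds = (entry.split("-") for entry in ranges)
    return any(int(b[0]) <= asn <= int(b[-1]) for b in bounds)

def lint_policy(policy_json, approved_regions=APPROVED_REGIONS):
    """Return a list of findings; an empty list means the document passed."""
    doc = json.loads(policy_json)
    findings = []
    config = doc.get("core-network-configuration", {})
    ranges = config.get("asn-ranges", [])
    seen = set()
    for edge in config.get("edge-locations", []):
        location = edge.get("location")
        if location not in approved_regions:
            findings.append(f"edge location {location} is not an approved region")
        if location in seen:
            findings.append(f"edge location {location} is listed more than once")
        seen.add(location)
        asn = edge.get("asn")  # optional per edge location
        if asn is not None and not asn_in_ranges(int(asn), ranges):
            findings.append(f"ASN {asn} for {location} is outside asn-ranges {ranges}")
    segments = {segment.get("name") for segment in doc.get("segments", [])}
    for action in doc.get("segment-actions", []):
        if action.get("segment") not in segments:
            findings.append(f"{action.get('action')} references undefined segment {action.get('segment')}")
    return findings

# Constructed sample documents built from the values used on this page.
GOOD = {"version": "2021.12",
        "core-network-configuration": {"asn-ranges": ["65022-65534"], "edge-locations": [
            {"location": "us-west-2", "asn": 65500}, {"location": "us-east-1", "asn": 65501}]},
        "segments": [{"name": "segment"}, {"name": "segment2"}],
        "segment-actions": [{"action": "create-route", "segment": "segment",
                             "destination-cidr-blocks": ["10.0.0.0/16"],
                             "destinations": ["attachment-id-placeholder"]}]}
BAD = json.loads(json.dumps(GOOD))  # deep copy, then break it in three ways
BAD["core-network-configuration"]["edge-locations"][1] = {"location": "eu-west-1", "asn": 64512}
BAD["segment-actions"][0]["segment"] = "segment3"
GOOD_POLICY, BAD_POLICY = json.dumps(GOOD), json.dumps(BAD)

if __name__ == "__main__":
    print(lint_policy(GOOD_POLICY), lint_policy(BAD_POLICY), sep="\n")
```

Run the check on the rendered policy JSON in CI and fail the pipeline when the returned list is not empty, so a bad document never reaches the attachment.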

Initial Setup & Base Policies

When do I need to use createBasePolicy?
Use createBasePolicy set to true on the aws.networkmanager.CoreNetwork resource during your first deployment if the core network doesn’t have any LIVE policies yet. This is required before you can attach VPCs. If a LIVE policy already exists, you can omit this argument.

What's the difference between basePolicyDocument and basePolicyRegions?
basePolicyDocument allows full customization of the base policy, including specifying ASN values for each edge location. basePolicyRegions is simpler and just takes a list of regions, automatically creating a base policy for those regions. Both are set on the aws.networkmanager.CoreNetwork resource.

Which base policy option should I use for multi-region deployments?
For multi-region deployments, you have two options: use basePolicyDocument if you need to customize ASN values for each region (e.g., us-west-2 with ASN 65500, us-east-1 with ASN 65501), or use basePolicyRegions with a list of regions for a simpler setup with automatic ASN assignment.

Configuration & Limitations

Can I change the core network ID after creating the attachment?
No, coreNetworkId is immutable and cannot be changed after the resource is created. You must destroy and recreate the attachment to use a different core network.
