A company operates an AWS environment with multiple VPCs interconnected via a transit gateway. They plan to use AWS Site-to-Site VPN to connect their on-premises network to the AWS environment. However, the on-premises network lacks a static public IP address. A network engineer needs to configure the VPN connection to be initiated from the AWS side to enable traffic from the AWS environment to the on-premises network.

Which three steps should the network engineer perform to establish VPN connectivity between the transit gateway and the on-premises network?