| Plugin Title | VPN Tunnel State |
| --- | --- |
| Cloud | AWS |
| Category | EC2 |
| Description | Ensures that each AWS Virtual Private Network (VPN) connection has all tunnels up. |
| More Info | AWS Virtual Private Network (VPN) connections should have all tunnels up to ensure that network traffic flows over the VPN. |
| AWS Link | https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNTunnels.html |
| Recommended Action | Establish a successful VPN connection using IKE or IPsec configuration. |
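The check this plugin describes can be reproduced from the output of EC2 `DescribeVpnConnections`: each Site-to-Site VPN connection reports one `VgwTelemetry` entry per tunnel with a `Status` of `UP` or `DOWN`. The following is an added example, not the plugin's own code; the response shape follows boto3's `describe_vpn_connections()`, the sample response is constructed, and the treatment of a connection with no telemetry as a failure is this example's choice.

```python
"""Added example (not CloudSploit's plugin code): evaluate a
DescribeVpnConnections response and flag every Site-to-Site VPN connection
whose tunnels are not all UP. The sample response below is constructed."""

from typing import Dict, List


def evaluate_vpn_connections(response: Dict) -> List[Dict]:
    """Return one finding per VPN connection.

    A connection passes only when every tunnel in VgwTelemetry reports UP.
    A connection with no telemetry at all is treated as failing (this
    example's choice), since no tunnel has ever come up on it.
    """
    findings = []
    for conn in response.get("VpnConnections", []):
        # Connections being torn down still appear briefly; they carry no
        # traffic, so skip them rather than report them as down.
        if conn.get("State") in ("deleted", "deleting"):
            continue
        tunnels = conn.get("VgwTelemetry", [])
        down = [t["OutsideIpAddress"] for t in tunnels if t.get("Status") != "UP"]
        if tunnels and not down:
            status, message = "OK", "All %d VPN tunnels are up" % len(tunnels)
        elif not tunnels:
            status, message = "FAIL", "VPN connection reports no tunnel telemetry"
        else:
            status, message = "FAIL", "Tunnels down: " + ", ".join(down)
        findings.append({
            "resource": conn["VpnConnectionId"],
            "status": status,
            "message": message,
        })
    return findings


# Constructed sample in the DescribeVpnConnections shape: one healthy
# connection and one with a single tunnel down. Addresses are from the
# documentation ranges; the IDs and status message are made up.
SAMPLE_RESPONSE = {
    "VpnConnections": [
        {
            "VpnConnectionId": "vpn-0aaaaaaaaaaaaaaa1",
            "State": "available",
            "VgwTelemetry": [
                {"OutsideIpAddress": "203.0.113.10", "Status": "UP"},
                {"OutsideIpAddress": "203.0.113.11", "Status": "UP"},
            ],
        },
        {
            "VpnConnectionId": "vpn-0bbbbbbbbbbbbbbb2",
            "State": "available",
            "VgwTelemetry": [
                {"OutsideIpAddress": "198.51.100.20", "Status": "UP"},
                {"OutsideIpAddress": "198.51.100.21", "Status": "DOWN",
                 "StatusMessage": "IPSEC IS DOWN"},
            ],
        },
    ]
}


def scan_region(region_name: str) -> List[Dict]:
    """Run the same check against a live account (needs boto3 and credentials).
    Kept separate so the evaluation logic above runs offline."""
    import boto3  # imported here so the module loads without boto3 installed

    ec2 = boto3.client("ec2", region_name=region_name)
    return evaluate_vpn_connections(ec2.describe_vpn_connections())


if __name__ == "__main__":
    for finding in evaluate_vpn_connections(SAMPLE_RESPONSE):
        print(finding["status"], finding["resource"], finding["message"])
```

`describe_vpn_connections()` is not paginated, so a single call returns every connection in the region; run `scan_region()` once per region the account uses.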
You can modify the tunnel options for the VPN tunnels in your Site-to-Site VPN connection. You can modify one VPN tunnel at a time.

Important: When you modify a VPN tunnel, connectivity over the tunnel is interrupted for up to several minutes. Ensure that you plan for the expected downtime.

To modify the VPN tunnel options using the console:
- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
- In the navigation pane, choose Site-to-Site VPN Connections.
- Select the Site-to-Site VPN connection, and choose Actions, Modify VPN Tunnel Options.
- For VPN Tunnel Outside IP Address, choose the tunnel endpoint IP of the VPN tunnel that you're modifying options for.
- Choose or enter new values for the tunnel options. For more information, see https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNTunnels.html.
- Choose Save.
If you don't have any tunnels configured and need to create a Site-to-Site VPN connection:
- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
- In the navigation pane, choose Site-to-Site VPN Connections, Create VPN connection.
- (Optional) For Name tag, enter a name for your Site-to-Site VPN connection. Doing so creates a tag with a key of Name and the value that you specify.
- For Target gateway type, choose either Virtual private gateway or Transit gateway. Then, choose the virtual private gateway or transit gateway that you created earlier.
- For Customer gateway, select Existing, then choose the customer gateway that you created earlier from the drop-down list under Customer gateway ID.
- Select one of the routing options based on whether your customer gateway device supports Border Gateway Protocol (BGP):
  a. If your customer gateway device supports BGP, choose Dynamic (requires BGP).
  b. If your customer gateway device does not support BGP, choose Static. For Static IP Prefixes, specify each IP prefix for the private network of your Site-to-Site VPN connection.
- (Optional) If your target gateway type is transit gateway, for Tunnel Inside IP Version, specify whether the VPN tunnels support IPv4 or IPv6 traffic. IPv6 traffic is only supported for VPN connections on a transit gateway.
- (Optional) If you specified IPv4 for Tunnel Inside IP Version, you can optionally specify the IPv4 CIDR ranges for the customer gateway and AWS sides that are allowed to communicate over the VPN tunnels. The default is 0.0.0.0/0.
- For Outside IP address type, leave the default option of PublicIpv4 selected.
- (Optional) For Tunnel Options, you can specify the following information for each tunnel:
  a. A size /30 IPv4 CIDR block from the 169.254.0.0/16 range for the inside tunnel IPv4 addresses.
  b. If you specified IPv6 for Tunnel Inside IP Version, a /126 IPv6 CIDR block from the fd00::/8 range for the inside tunnel IPv6 addresses.
  c. The IKE pre-shared key (PSK). The following versions are supported: IKEv1 or IKEv2.
  d. Advanced tunnel information, which includes the following:
     - Encryption algorithms for phases 1 and 2 of the IKE negotiations
     - Integrity algorithms for phases 1 and 2 of the IKE negotiations
     - Diffie-Hellman groups for phases 1 and 2 of the IKE negotiations
     - IKE version
     - Phase 1 and 2 lifetimes
     - Rekey margin time
     - Rekey fuzz
     - Replay window size
     - Dead peer detection interval
     - Dead peer detection timeout action
     - Startup action
     - VPN tunnel logging options
- Choose Create VPN connection. It might take a few minutes to create the Site-to-Site VPN connection.
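The same connection can be created through the EC2 API instead of the console. The following is an added example, not AWS's or CloudSploit's code: it validates the per-tunnel inside CIDRs against the constraints the steps above state (a /30 from 169.254.0.0/16, or a /126 from fd00::/8), builds the `TunnelOptions` entries with the advanced settings listed under step d, and passes them to boto3's `create_vpn_connection()`. The algorithm, lifetime, DPD and startup values are this example's hardened defaults, not values the page prescribes; the gateway IDs in the usage section are placeholders.

```python
"""Added example (not AWS's or CloudSploit's code): validate tunnel options
against the console's constraints and build the Options payload for EC2
CreateVpnConnection. Field names follow boto3's create_vpn_connection();
the algorithm and timer choices are this example's assumptions."""

import ipaddress
from typing import Dict, List, Optional

IKE_VERSIONS = ("ikev1", "ikev2")
# Allowed parent range and required prefix length for inside tunnel CIDRs,
# as stated in the console steps above.
INSIDE_RANGES = {"ipv4": ("169.254.0.0/16", 30), "ipv6": ("fd00::/8", 126)}


def inside_cidr_problem(cidr: str, ip_version: str = "ipv4") -> Optional[str]:
    """Return None if cidr is a valid inside tunnel block for ip_version,
    otherwise a description of what is wrong with it."""
    if ip_version not in INSIDE_RANGES:
        return f"unknown tunnel inside IP version {ip_version!r}"
    parent, prefix = INSIDE_RANGES[ip_version]
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
    except ValueError as exc:
        return f"{cidr}: {exc}"
    parent_net = ipaddress.ip_network(parent)
    if net.version != parent_net.version or net.prefixlen != prefix:
        return f"{cidr}: inside {ip_version} CIDR must be a /{prefix}"
    if not net.subnet_of(parent_net):
        return f"{cidr}: inside {ip_version} CIDR must lie within {parent}"
    return None


def build_tunnel_options(inside_cidr: str, psk: str, ike_version: str = "ikev2",
                         ip_version: str = "ipv4") -> Dict:
    """One TunnelOptions entry. Cipher suite (AES256 / SHA2-256 / DH group 14)
    and timers are this example's choices; match them to what the customer
    gateway device supports. AWS applies its own PSK length and charset rules
    at the API, so only emptiness is checked here."""
    problem = inside_cidr_problem(inside_cidr, ip_version)
    if problem:
        raise ValueError(problem)
    if ike_version not in IKE_VERSIONS:
        raise ValueError(f"IKE version must be one of {IKE_VERSIONS}")
    if not psk:
        raise ValueError("pre-shared key must not be empty")
    cidr_key = "TunnelInsideCidr" if ip_version == "ipv4" else "TunnelInsideIpv6Cidr"
    return {
        cidr_key: inside_cidr,
        "PreSharedKey": psk,
        "IKEVersions": [{"Value": ike_version}],
        "Phase1EncryptionAlgorithms": [{"Value": "AES256"}],
        "Phase2EncryptionAlgorithms": [{"Value": "AES256"}],
        "Phase1IntegrityAlgorithms": [{"Value": "SHA2-256"}],
        "Phase2IntegrityAlgorithms": [{"Value": "SHA2-256"}],
        "Phase1DHGroupNumbers": [{"Value": 14}],
        "Phase2DHGroupNumbers": [{"Value": 14}],
        "Phase1LifetimeSeconds": 28800,
        "Phase2LifetimeSeconds": 3600,
        "RekeyMarginTimeSeconds": 540,
        "RekeyFuzzPercentage": 100,
        "ReplayWindowSize": 1024,
        "DPDTimeoutSeconds": 30,
        "DPDTimeoutAction": "restart",  # re-establish IKE if the peer goes silent
        "StartupAction": "start",       # let AWS initiate the tunnel
    }


def build_connection_options(tunnels: List[Dict], static_routes_only: bool,
                             ip_version: str = "ipv4") -> Dict:
    """The Options argument for create_vpn_connection. The console's Static
    vs Dynamic (BGP) choice maps to StaticRoutesOnly; a connection has two
    tunnels, and any tunnels given must use distinct inside CIDRs."""
    if not 1 <= len(tunnels) <= 2:
        raise ValueError("a Site-to-Site VPN connection has exactly two tunnels")
    inside = {t.get("TunnelInsideCidr") or t.get("TunnelInsideIpv6Cidr") for t in tunnels}
    if len(inside) != len(tunnels):
        raise ValueError("tunnels need distinct inside CIDRs")
    return {"StaticRoutesOnly": static_routes_only,
            "TunnelInsideIpVersion": ip_version,
            "TunnelOptions": tunnels}


def create_connection(region: str, customer_gateway_id: str, options: Dict,
                      vpn_gateway_id: Optional[str] = None,
                      transit_gateway_id: Optional[str] = None) -> str:
    """Create the connection (needs boto3 and credentials); returns its ID.
    Exactly one of virtual private gateway or transit gateway is the target."""
    import boto3  # imported here so the module loads without boto3 installed

    if (vpn_gateway_id is None) == (transit_gateway_id is None):
        raise ValueError("give exactly one of vpn_gateway_id or transit_gateway_id")
    kwargs = {"Type": "ipsec.1", "CustomerGatewayId": customer_gateway_id,
              "Options": options}
    if vpn_gateway_id:
        kwargs["VpnGatewayId"] = vpn_gateway_id
    else:
        kwargs["TransitGatewayId"] = transit_gateway_id
    ec2 = boto3.client("ec2", region_name=region)
    return ec2.create_vpn_connection(**kwargs)["VpnConnection"]["VpnConnectionId"]


if __name__ == "__main__":
    # Placeholder IDs and constructed keys; replace with the gateways created earlier.
    tunnels = [build_tunnel_options("169.254.10.0/30", "REPLACE-WITH-PSK-1"),
               build_tunnel_options("169.254.11.0/30", "REPLACE-WITH-PSK-2")]
    opts = build_connection_options(tunnels, static_routes_only=True)
    print(opts["TunnelOptions"][0]["TunnelInsideCidr"], opts["StaticRoutesOnly"])
    # create_connection("us-east-1", "cgw-PLACEHOLDER", opts, vpn_gateway_id="vgw-PLACEHOLDER")
```

After the call returns, the new connection's tunnels start in the DOWN state until the customer gateway device completes IKE negotiation; `describe_vpn_connections()` on the returned ID shows when both tunnels reach UP, which is the condition the plugin above checks for.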