NetworkConfig / CustomerGatewayConfig / VpnConnectionConfig / VpnTunnelOptionsSpecificationsConfig

VPN tunnel options specification configuration. Use this configuration to define optional tunnel configurations for a site-to-site VPN connection.

IMPORTANT: After initial deployment of your VPN connection with any of the v1.5.0+ options noted below, you can only make property changes to one VPN tunnel per core pipeline run. You may make multiple property changes in that one VPN tunnel if necessary. Trying to modify properties in both tunnels will result in a pipeline failure. This is due to the fact that only a single mutating API call can be made at a time for AWS Site-to-Site VPN connections.

Note: you may manually roll back the resulting CloudFormation stack should you encounter this failure. More details on how to skip failed resources in the following reference: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-continueupdaterollback.html

Example

Versions v1.5.0 and up:

- dpdTimeoutAction: restart
  dpdTimeoutSeconds: 60
  ikeVersions: [2]
  logging:
    enable: true
  phase1:
    dhGroups: [14]
    encryptionAlgorithms: [AES256]
    integrityAlgorithms: [SHA2-256]
  phase2:
    dhGroups: [14]
    encryptionAlgorithms: [AES256]
    integrityAlgorithms: [SHA2-256]
  tunnelInsideCidr: 169.254.200.0/30
  preSharedKey: Key1-AbcXyz
- dpdTimeoutAction: restart
  dpdTimeoutSeconds: 60
  ikeVersions: [2]
  logging:
    enable: true
  phase1:
    dhGroups: [14]
    encryptionAlgorithms: [AES256]
    integrityAlgorithms: [SHA2-256]
  phase2:
    dhGroups: [14]
    encryptionAlgorithms: [AES256]
    integrityAlgorithms: [SHA2-256]
  tunnelInsideCidr: 169.254.200.100/30
  preSharedKey: Key1-AbcXyz

Versions prior to v1.5.0:

- tunnelInsideCidr: 169.254.200.0/30
  preSharedKey: Key1-AbcXyz
- tunnelInsideCidr: 169.254.200.100/30
  preSharedKey: Key1-AbcXyz

Hierarchy

  • VpnTunnelOptionsSpecificationsConfig

Properties

dpdTimeoutAction: undefined | "none" | "restart" | "clear" = undefined

(OPTIONAL) Dead Peer Detection (DPD) timeout action. You can specify the action to take after DPD timeout occurs.

Default - clear

Remarks

CAUTION: if you configure this property on a VPN connection that was deployed prior to v1.5.0, your VPN connection will be recreated. Please be aware that any downstream dependencies may cause this property update to fail. To ensure a clean replacement, we highly recommend deleting the original connection and its downstream dependencies prior to making this change.

If you update this property after deployment, your VPN tunnel will become temporarily unavailable. Please see Customer initiated endpoint replacements for additional details.

Available actions:

  • clear: End the IKE session when DPD timeout occurs (stop the tunnel and clear the routes)
  • none: Take no action when DPD timeout occurs
  • restart: Restart the IKE session when DPD timeout occurs

dpdTimeoutSeconds: undefined | number = undefined

(OPTIONAL) The duration, in seconds, after which Dead Peer Detection (DPD) timeout occurs.

Default - 30

Remarks

CAUTION: if you configure this property on a VPN connection that was deployed prior to v1.5.0, your VPN connection will be recreated. Please be aware that any downstream dependencies may cause this property update to fail. To ensure a clean replacement, we highly recommend deleting the original connection and its downstream dependencies prior to making this change.

If you update this property after deployment, your VPN tunnel will become temporarily unavailable. Please see Customer initiated endpoint replacements for additional details.

The value must be 30 seconds or higher.

ikeVersions: undefined | (2 | 1)[] = undefined

(OPTIONAL) The Internet Key Exchange (IKE) versions that are permitted on the tunnel.

Default - ikev1,ikev2

Remarks

CAUTION: if you configure this property on a VPN connection that was deployed prior to v1.5.0, your VPN connection will be recreated. Please be aware that any downstream dependencies may cause this property update to fail. To ensure a clean replacement, we highly recommend deleting the original connection and its downstream dependencies prior to making this change.

If you update this property after deployment, your VPN tunnel will become temporarily unavailable. Please see Customer initiated endpoint replacements for additional details.

Only include one or both versions of IKE in the array.

logging: undefined | VpnLoggingConfig = undefined

(OPTIONAL) Site-to-Site VPN CloudWatch logging configuration.

Remarks

CAUTION: if you configure this property on a VPN connection that was deployed prior to v1.5.0, your VPN connection will be recreated. Please be aware that any downstream dependencies may cause this property update to fail. To ensure a clean replacement, we highly recommend deleting the original connection and its downstream dependencies prior to making this change.

If you update this property after deployment, your VPN tunnel will become temporarily unavailable. Please see Customer initiated endpoint replacements for additional details.

phase1: undefined | Phase1Config = undefined

(OPTIONAL) Internet Key Exchange (IKE) phase 1 configuration.

Remarks

CAUTION: if you configure this property on a VPN connection that was deployed prior to v1.5.0, your VPN connection will be recreated. Please be aware that any downstream dependencies may cause this property update to fail. To ensure a clean replacement, we highly recommend deleting the original connection and its downstream dependencies prior to making this change.

If you update this property after deployment, your VPN tunnel will become temporarily unavailable. Please see Customer initiated endpoint replacements for additional details.

phase2: undefined | Phase2Config = undefined

(OPTIONAL) Internet Key Exchange (IKE) phase 2 configuration.

Remarks

CAUTION: if you configure this property on a VPN connection that was deployed prior to v1.5.0, your VPN connection will be recreated. Please be aware that any downstream dependencies may cause this property update to fail. To ensure a clean replacement, we highly recommend deleting the original connection and its downstream dependencies prior to making this change.

If you update this property after deployment, your VPN tunnel will become temporarily unavailable. Please see Customer initiated endpoint replacements for additional details.

preSharedKey: undefined | string = undefined

(OPTIONAL) The name of the Secrets Manager secret that stores the pre-shared key (PSK). The secret must exist in the same account and region in which the VPN connection will be created.

Remarks

CAUTION: Changing this property value after initial deployment causes the VPN to be recreated. Please be aware that any downstream dependencies may cause this property update to fail.

Include the random hash suffix value in the Secrets Manager name. This can be found using the following procedure:

  1. Navigate to the Secrets Manager console.
  2. Select the region you stored the secret in.
  3. Click on the name of the secret.
  4. Under Secret details, the Secret ARN contains the full name of the secret, including the random hash suffix. This is the value after secret: in the ARN.

NOTE: The preSharedKey (PSK) parameter is optional. If a PSK is not provided, Amazon will generate a PSK for you.

rekeyFuzzPercentage: undefined | number = undefined

(OPTIONAL) The percentage of the rekey window (determined by the rekey margin time) within which the rekey time is randomly selected.

Default - 100

Remarks

CAUTION: if you configure this property on a VPN connection that was deployed prior to v1.5.0, your VPN connection will be recreated. Please be aware that any downstream dependencies may cause this property update to fail. To ensure a clean replacement, we highly recommend deleting the original connection and its downstream dependencies prior to making this change.

If you update this property after deployment, your VPN tunnel will become temporarily unavailable. Please see Customer initiated endpoint replacements for additional details.

You can specify a percentage value between 0 and 100.

rekeyMarginTimeSeconds: undefined | number = undefined

(OPTIONAL) The margin time in seconds before the phase 1 and phase 2 lifetime expires, during which the AWS side of the VPN connection performs an IKE rekey.

Default - 270 (4.5 minutes)

Remarks

CAUTION: if you configure this property on a VPN connection that was deployed prior to v1.5.0, your VPN connection will be recreated. Please be aware that any downstream dependencies may cause this property update to fail. To ensure a clean replacement, we highly recommend deleting the original connection and its downstream dependencies prior to making this change.

If you update this property after deployment, your VPN tunnel will become temporarily unavailable. Please see Customer initiated endpoint replacements for additional details.

You can specify a number between 60 and half of the value of the phase 2 lifetime. The exact time of the rekey is randomly selected based on the value for rekey fuzz.

replayWindowSize: undefined | number = undefined

(OPTIONAL) The number of packets in an IKE replay window.

Default - 1024

Remarks

CAUTION: if you configure this property on a VPN connection that was deployed prior to v1.5.0, your VPN connection will be recreated. Please be aware that any downstream dependencies may cause this property update to fail. To ensure a clean replacement, we highly recommend deleting the original connection and its downstream dependencies prior to making this change.

If you update this property after deployment, your VPN tunnel will become temporarily unavailable. Please see Customer initiated endpoint replacements for additional details.

You can specify a value between 64 and 2048.

startupAction: undefined | "add" | "start" = undefined

(OPTIONAL) The action to take when establishing the tunnel for the VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for Amazon Web Services to initiate the IKE negotiation.

Default - add

Remarks

CAUTION: if you configure this property on a VPN connection that was deployed prior to v1.5.0, your VPN connection will be recreated. Please be aware that any downstream dependencies may cause this property update to fail. To ensure a clean replacement, we highly recommend deleting the original connection and its downstream dependencies prior to making this change.

tunnelInsideCidr: undefined | string = undefined

(OPTIONAL) The range of inside IP addresses for the tunnel. Any specified CIDR blocks must be unique across all VPN connections that use the same virtual private gateway.

Remarks

CAUTION: Changing this property value after initial deployment causes the VPN to be recreated. Please be aware that any downstream dependencies may cause this property update to fail.

The following CIDR blocks are reserved and cannot be used:

  • 169.254.0.0/30
  • 169.254.1.0/30
  • 169.254.2.0/30
  • 169.254.3.0/30
  • 169.254.4.0/30
  • 169.254.5.0/30
  • 169.254.169.252/30

tunnelLifecycleControl: undefined | boolean = undefined

(OPTIONAL) Enable tunnel endpoint lifecycle control. This feature provides control over the schedule of endpoint replacements. For more information, see Tunnel Endpoint Lifecycle Control.

Remarks

CAUTION: if you configure this property on a VPN connection that was deployed prior to v1.5.0, your VPN connection will be recreated. Please be aware that any downstream dependencies may cause this property update to fail. To ensure a clean replacement, we highly recommend deleting the original connection and its downstream dependencies prior to making this change.

If you update this property after deployment, your VPN tunnel will become temporarily unavailable. Please see Customer initiated endpoint replacements for additional details.
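A pre-deployment checker for the constraints stated under Properties above (value ranges, allowed IKE versions, reserved and duplicate tunnelInsideCidr blocks) and for the one-tunnel-per-pipeline-run rule from the IMPORTANT note at the top of this page. This is an added example, not Landing Zone Accelerator project code; it assumes the two tunnel entries have already been loaded from the network config YAML into Python dicts, and the sample tunnel values are constructed to mirror the v1.5.0+ example.

```python
import ipaddress

# Reserved inside-CIDR blocks listed on this page; a tunnelInsideCidr may not overlap them.
RESERVED_TUNNEL_CIDRS = [ipaddress.ip_network(c) for c in (
    "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
    "169.254.4.0/30", "169.254.5.0/30", "169.254.169.252/30")]

def validate_tunnel(t: dict) -> list:
    """Return the constraint violations for one tunnel-options entry (empty list if clean)."""
    errors = []
    if t.get("dpdTimeoutAction", "clear") not in ("clear", "none", "restart"):
        errors.append("dpdTimeoutAction must be clear, none or restart")
    if t.get("dpdTimeoutSeconds", 30) < 30:
        errors.append("dpdTimeoutSeconds must be 30 or higher")
    versions = t.get("ikeVersions", [1, 2])
    if not versions or not set(versions) <= {1, 2} or len(set(versions)) != len(versions):
        errors.append("ikeVersions must list 1, 2 or both, without repeats")
    if not 0 <= t.get("rekeyFuzzPercentage", 100) <= 100:
        errors.append("rekeyFuzzPercentage must be between 0 and 100")
    # The upper bound (half the phase 2 lifetime) lives in Phase2Config, not on this page; only the floor is checked.
    if t.get("rekeyMarginTimeSeconds", 270) < 60:
        errors.append("rekeyMarginTimeSeconds must be at least 60")
    if not 64 <= t.get("replayWindowSize", 1024) <= 2048:
        errors.append("replayWindowSize must be between 64 and 2048")
    if t.get("startupAction", "add") not in ("add", "start"):
        errors.append("startupAction must be add or start")
    if "tunnelInsideCidr" in t:
        net = ipaddress.ip_network(t["tunnelInsideCidr"], strict=False)
        if any(net.overlaps(r) for r in RESERVED_TUNNEL_CIDRS):
            errors.append(f"tunnelInsideCidr {net} overlaps a reserved block")
    return errors

def validate_connection(tunnels: list) -> list:
    """Validate each tunnel entry, then check that the two tunnels do not share an inside CIDR."""
    errors = [f"tunnel[{i}]: {e}" for i, t in enumerate(tunnels) for e in validate_tunnel(t)]
    cidrs = [t["tunnelInsideCidr"] for t in tunnels if "tunnelInsideCidr" in t]
    if len(set(cidrs)) != len(cidrs):
        errors.append("tunnelInsideCidr must differ between the two tunnels")
    return errors

def changed_tunnels(before: list, after: list) -> list:
    """Indexes of tunnels whose options differ; more than one means the core pipeline run will fail."""
    return [i for i, (b, a) in enumerate(zip(before, after)) if b != a]

# Constructed sample mirroring the v1.5.0+ example (preSharedKey is a Secrets Manager secret name, not key material).
TUNNEL = {"dpdTimeoutAction": "restart", "dpdTimeoutSeconds": 60, "ikeVersions": [2],
          "tunnelInsideCidr": "169.254.200.0/30", "preSharedKey": "Key1-AbcXyz"}
TUNNELS = [TUNNEL, {**TUNNEL, "tunnelInsideCidr": "169.254.200.100/30"}]
```

Run validate_connection(TUNNELS) before committing a config change, and changed_tunnels(old, new) to confirm that a single pipeline run touches at most one tunnel.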
