Readonly
dpd(OPTIONAL) Dead Peer Detection (DPD) timeout action. You can specify the action to take after DPD timeout occurs.
Default - clear
CAUTION: if you configure this property on a VPN connection that was deployed prior to v1.5.0, your VPN connection will be recreated. Please be aware that any downstream dependencies may cause this property update to fail. To ensure a clean replacement, we highly recommend deleting the original connection and its downstream dependencies prior to making this change.
If you update this property after deployment, your VPN tunnel will become temporarily unavailable. Please see Customer initiated endpoint replacements for additional details.
Available actions:
clear: End the IKE session when DPD timeout occurs (stop the tunnel and clear the routes)
none: Take no action when DPD timeout occurs
restart: Restart the IKE session when DPD timeout occurs
Readonly
dpd(OPTIONAL) The duration, in seconds, after which Dead Peer Detection (DPD) timeout occurs.
Default - 30
CAUTION: if you configure this property on a VPN connection that was deployed prior to v1.5.0, your VPN connection will be recreated. Please be aware that any downstream dependencies may cause this property update to fail. To ensure a clean replacement, we highly recommend deleting the original connection and its downstream dependencies prior to making this change.
If you update this property after deployment, your VPN tunnel will become temporarily unavailable. Please see Customer initiated endpoint replacements for additional details.
The value must be 30 seconds or higher.
Readonly
ike(OPTIONAL) The Internet Key Exchange (IKE) versions that are permitted on the tunnel.
Default - ikev1,ikev2
CAUTION: if you configure this property on a VPN connection that was deployed prior to v1.5.0, your VPN connection will be recreated. Please be aware that any downstream dependencies may cause this property update to fail. To ensure a clean replacement, we highly recommend deleting the original connection and its downstream dependencies prior to making this change.
If you update this property after deployment, your VPN tunnel will become temporarily unavailable. Please see Customer initiated endpoint replacements for additional details.
Only include one or both versions of IKE in the array.
Readonly
logging(OPTIONAL) Site-to-Site VPN CloudWatch logging configuration.
CAUTION: if you configure this property on a VPN connection that was deployed prior to v1.5.0, your VPN connection will be recreated. Please be aware that any downstream dependencies may cause this property update to fail. To ensure a clean replacement, we highly recommend deleting the original connection and its downstream dependencies prior to making this change.
If you update this property after deployment, your VPN tunnel will become temporarily unavailable. Please see Customer initiated endpoint replacements for additional details.
Readonly
phase1(OPTIONAL) Internet Key Exchange (IKE) phase 1 configuration.
CAUTION: if you configure this property on a VPN connection that was deployed prior to v1.5.0, your VPN connection will be recreated. Please be aware that any downstream dependencies may cause this property update to fail. To ensure a clean replacement, we highly recommend deleting the original connection and its downstream dependencies prior to making this change.
If you update this property after deployment, your VPN tunnel will become temporarily unavailable. Please see Customer initiated endpoint replacements for additional details.
Readonly
phase2(OPTIONAL) Internet Key Exchange (IKE) phase 2 configuration.
CAUTION: if you configure this property on a VPN connection that was deployed prior to v1.5.0, your VPN connection will be recreated. Please be aware that any downstream dependencies may cause this property update to fail. To ensure a clean replacement, we highly recommend deleting the original connection and its downstream dependencies prior to making this change.
If you update this property after deployment, your VPN tunnel will become temporarily unavailable. Please see Customer initiated endpoint replacements for additional details.
Readonly
pre(OPTIONAL): The Secrets Manager name that stores the pre-shared key (PSK). The secret must exist in the same account and region in which the VPN connection will be created.
CAUTION: Changing this property value after initial deployment causes the VPN to be recreated. Please be aware that any downstream dependencies may cause this property update to fail.
Include the random hash suffix value in the Secrets Manager name. This can be found using the following procedure:
NOTE: The preSharedKey (PSK) parameter is optional. If a PSK is not provided, Amazon will generate a PSK for you.
Readonly
rekey(OPTIONAL) The percentage of the rekey window (determined by the rekey margin time) within which the rekey time is randomly selected.
Default - 100
CAUTION: if you configure this property on a VPN connection that was deployed prior to v1.5.0, your VPN connection will be recreated. Please be aware that any downstream dependencies may cause this property update to fail. To ensure a clean replacement, we highly recommend deleting the original connection and its downstream dependencies prior to making this change.
If you update this property after deployment, your VPN tunnel will become temporarily unavailable. Please see Customer initiated endpoint replacements for additional details.
You can specify a percentage value between 0 and 100.
Readonly
rekey(OPTIONAL) The margin time in seconds before the phase 1 and phase 2 lifetime expires, during which the AWS side of the VPN connection performs an IKE rekey.
Default - 270 (4.5 minutes)
CAUTION: if you configure this property on a VPN connection that was deployed prior to v1.5.0, your VPN connection will be recreated. Please be aware that any downstream dependencies may cause this property update to fail. To ensure a clean replacement, we highly recommend deleting the original connection and its downstream dependencies prior to making this change.
If you update this property after deployment, your VPN tunnel will become temporarily unavailable. Please see Customer initiated endpoint replacements for additional details.
You can specify a number between 60 and half of the value of the phase 2 lifetime. The exact time of the rekey is randomly selected based on the value for rekey fuzz.
Readonly
replay(OPTIONAL) The number of packets in an IKE replay window.
Default - 1024
CAUTION: if you configure this property on a VPN connection that was deployed prior to v1.5.0, your VPN connection will be recreated. Please be aware that any downstream dependencies may cause this property update to fail. To ensure a clean replacement, we highly recommend deleting the original connection and its downstream dependencies prior to making this change.
If you update this property after deployment, your VPN tunnel will become temporarily unavailable. Please see Customer initiated endpoint replacements for additional details.
You can specify a value between 64 and 2048.
Readonly
startup(OPTIONAL) The action to take when establishing the tunnel for the VPN connection.
By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel.
Specify start for Amazon Web Services to initiate the IKE negotiation.
Default - add
CAUTION: if you configure this property on a VPN connection that was deployed prior to v1.5.0, your VPN connection will be recreated. Please be aware that any downstream dependencies may cause this property update to fail. To ensure a clean replacement, we highly recommend deleting the original connection and its downstream dependencies prior to making this change.
Readonly
tunnel(OPTIONAL): The range of inside IP addresses for the tunnel. Any specified CIDR blocks must be unique across all VPN connections that use the same virtual private gateway.
CAUTION: Changing this property value after initial deployment causes the VPN to be recreated. Please be aware that any downstream dependencies may cause this property update to fail.
The following CIDR blocks are reserved and cannot be used:
- 169.254.0.0/30
- 169.254.1.0/30
- 169.254.2.0/30
- 169.254.3.0/30
- 169.254.4.0/30
- 169.254.5.0/30
- 169.254.169.252/30
Readonly
tunnel(OPTIONAL) Enable tunnel endpoint lifecycle control. This feature provides control over the schedule of endpoint replacements. For more information, see Tunnel Endpoint Lifecycle Control.
CAUTION: if you configure this property on a VPN connection that was deployed prior to v1.5.0, your VPN connection will be recreated. Please be aware that any downstream dependencies may cause this property update to fail. To ensure a clean replacement, we highly recommend deleting the original connection and its downstream dependencies prior to making this change.
If you update this property after deployment, your VPN tunnel will become temporarily unavailable. Please see Customer initiated endpoint replacements for additional details.
VpnTunnelOptionsSpecificationsConfig
VPN tunnel options specification configuration. Use this configuration to define optional tunnel configurations for a site-to-site VPN connection.
IMPORTANT: After initial deployment of your VPN connection with any of the v1.5.0+ options noted below, you can only make property changes to one VPN tunnel per core pipeline run. You may make multiple property changes in that one VPN tunnel if necessary. Trying to modify properties in both tunnels will result in a pipeline failure. This is due to the fact that only a single mutating API call can be made at a time for AWS Site-to-Site VPN connections.
Note: you may manually roll back the resulting CloudFormation stack should you encounter this failure. More details on how to skip failed resources are in the following reference: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-continueupdaterollback.html
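Because an out-of-range tunnel option or a change to both tunnels only surfaces as a failed pipeline run (and, for pre-v1.5.0 connections, a recreated VPN), a pre-deploy check of the constraints listed above is worth having. The following is an added example, not code from this project: it validates one tunnel's options against the ranges, allowed values and reserved CIDRs stated on this page, and flags a change set that touches more than one tunnel. The dict keys are hypothetical short names chosen for the example, not the schema's property names, and the phase 2 lifetime is an assumed input.

```python
import ipaddress

# Values exactly as stated in the tunnel-options reference on this page.
RESERVED_INSIDE_CIDRS = [ipaddress.ip_network(c) for c in (
    "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
    "169.254.4.0/30", "169.254.5.0/30", "169.254.169.252/30")]
DPD_ACTIONS = {"clear", "none", "restart"}
STARTUP_ACTIONS = {"add", "start"}
IKE_VERSIONS = {"ikev1", "ikev2"}


def validate_tunnel(opts, phase2_lifetime_seconds=3600):
    """Return a list of problems found in one tunnel's options.

    `opts` is a plain dict keyed by hypothetical short names chosen for this
    example (they are not the config schema's property names). Defaults are
    the page's defaults. The phase 2 lifetime is passed in because the rekey
    margin bound is stated relative to it; 3600 s is an assumed value.
    """
    problems = []
    if opts.get("dpd_timeout_action", "clear") not in DPD_ACTIONS:
        problems.append("dpd timeout action must be clear, none or restart")
    if opts.get("dpd_timeout_seconds", 30) < 30:
        problems.append("dpd timeout must be 30 seconds or higher")
    ike = opts.get("ike_versions", ["ikev1", "ikev2"])
    if not ike or len(ike) != len(set(ike)) or not set(ike) <= IKE_VERSIONS:
        problems.append("ike versions must be one or both of ikev1, ikev2")
    if not 0 <= opts.get("rekey_fuzz_percentage", 100) <= 100:
        problems.append("rekey fuzz percentage must be between 0 and 100")
    if not 60 <= opts.get("rekey_margin_time_seconds", 270) <= phase2_lifetime_seconds // 2:
        problems.append("rekey margin must be between 60 and half the phase 2 lifetime")
    if not 64 <= opts.get("replay_window_size", 1024) <= 2048:
        problems.append("replay window size must be between 64 and 2048")
    if opts.get("startup_action", "add") not in STARTUP_ACTIONS:
        problems.append("startup action must be add or start")
    cidr = opts.get("tunnel_inside_cidr")
    if cidr is not None:
        net = ipaddress.ip_network(cidr, strict=False)
        if any(net.overlaps(r) for r in RESERVED_INSIDE_CIDRS):
            problems.append(f"tunnel inside CIDR {cidr} overlaps a reserved block")
    return problems


def changed_tunnels(before, after):
    """Indexes of tunnels whose options differ between two revisions of a
    connection's tunnel list; the page allows at most one changed tunnel per run."""
    return [i for i, (b, a) in enumerate(zip(before, after)) if b != a]
```

Run `validate_tunnel` on each tunnel and `changed_tunnels` on the previous and proposed tunnel lists before committing a change; more than one index returned means the run will fail.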
Example
Versions v1.5.0 and up:
Versions prior to v1.5.0: