Class VpnTunnelOptionsSpecificationsConfig

NetworkConfig / CustomerGatewayConfig / VpnConnectionConfig / VpnTunnelOptionsSpecificationsConfig

VPN tunnel options specification configuration. Use this configuration to define optional tunnel configurations for a site-to-site VPN connection.

IMPORTANT: After initial deployment of your VPN connection with any of the v1.5.0+ options noted below, you can only make property changes to one VPN tunnel per core pipeline run. You may make multiple property changes in that one VPN tunnel if necessary. Trying to modify properties in both tunnels will result in a pipeline failure. This is due to the fact that only a single mutating API call can be made at a time for AWS Site-to-Site VPN connections.

Note: you may manually roll back the resulting CloudFormation stack should you encounter this failure. More details on how to skip failed resources in the following reference: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-continueupdaterollback.html

Example

Versions v1.5.0 and up:

- dpdTimeoutAction: restart
  dpdTimeoutSeconds: 60
  ikeVersions: [2]
  logging:
    enable: true
  phase1:
    dhGroups: [14]
    encryptionAlgorithms: [AES256]
    integrityAlgorithms: [SHA2-256]
  phase2:
    dhGroups: [14]
    encryptionAlgorithms: [AES256]
    integrityAlgorithms: [SHA2-256]
  tunnelInsideCidr: 169.254.200.0/30
  preSharedKey: Key1-AbcXyz
- dpdTimeoutAction: restart
  dpdTimeoutSeconds: 60
  ikeVersions: [2]
  logging:
    enable: true
  phase1:
    dhGroups: [14]
    encryptionAlgorithms: [AES256]
    integrityAlgorithms: [SHA2-256]
  phase2:
    dhGroups: [14]
    encryptionAlgorithms: [AES256]
    integrityAlgorithms: [SHA2-256]
  tunnelInsideCidr: 169.254.200.100/30
  preSharedKey: Key1-AbcXyz

Versions prior to v1.5.0:

- tunnelInsideCidr: 169.254.200.0/30
  preSharedKey: Key1-AbcXyz
- tunnelInsideCidr: 169.254.200.100/30
  preSharedKey: Key1-AbcXyz

Hierarchy

  • VpnTunnelOptionsSpecificationsConfig

Implements

Constructors

constructor

Properties

dpdTimeoutAction dpdTimeoutSeconds ikeVersions logging phase1 phase2 preSharedKey rekeyFuzzPercentage rekeyMarginTimeSeconds replayWindowSize startupAction tunnelInsideCidr tunnelLifecycleControl

Constructors

constructor

Properties

Readonly dpdTimeoutAction

dpdTimeoutAction: undefined | "none" | "restart" | "clear" = undefined

(OPTIONAL) Dead Peer Detection (DPD) timeout action. You can specify the action to take after DPD timeout occurs.

Default - clear

Remarks

CAUTION: if you configure this property on a VPN connection that was deployed prior to v1.5.0, your VPN connection will be recreated. Please be aware that any downstream dependencies may cause this property update to fail. To ensure a clean replacement, we highly recommend deleting the original connection and its downstream dependencies prior to making this change.

If you update this property after deployment, your VPN tunnel will become temporarily unavailable. Please see Customer initiated endpoint replacements for additional details.

Available actions:

  • clear: End the IKE session when DPD timeout occurs (stop the tunnel and clear the routes)
  • none: Take no action when DPD timeout occurs
  • restart: Restart the IKE session when DPD timeout occurs

Readonly dpdTimeoutSeconds

dpdTimeoutSeconds: undefined | number = undefined

(OPTIONAL) The duration, in seconds, after which Dead Peer Detection (DPD) timeout occurs.

Default - 30

Remarks

CAUTION: if you configure this property on a VPN connection that was deployed prior to v1.5.0, your VPN connection will be recreated. Please be aware that any downstream dependencies may cause this property update to fail. To ensure a clean replacement, we highly recommend deleting the original connection and its downstream dependencies prior to making this change.

If you update this property after deployment, your VPN tunnel will become temporarily unavailable. Please see Customer initiated endpoint replacements for additional details.

The value must be 30 seconds or higher.

Readonly ikeVersions

ikeVersions: undefined | (2 | 1)[] = undefined

(OPTIONAL) The Internet Key Exchange (IKE) versions that are permitted on the tunnel.

Default - ikev1,ikev2

Remarks

CAUTION: if you configure this property on a VPN connection that was deployed prior to v1.5.0, your VPN connection will be recreated. Please be aware that any downstream dependencies may cause this property update to fail. To ensure a clean replacement, we highly recommend deleting the original connection and its downstream dependencies prior to making this change.

If you update this property after deployment, your VPN tunnel will become temporarily unavailable. Please see Customer initiated endpoint replacements for additional details.

Only include one or both versions of IKE in the array.

Readonly logging

logging: undefined | VpnLoggingConfig = undefined

(OPTIONAL) Site-to-Site VPN CloudWatch logging configuration.

Remarks

CAUTION: if you configure this property on a VPN connection that was deployed prior to v1.5.0, your VPN connection will be recreated. Please be aware that any downstream dependencies may cause this property update to fail. To ensure a clean replacement, we highly recommend deleting the original connection and its downstream dependencies prior to making this change.

If you update this property after deployment, your VPN tunnel will become temporarily unavailable. Please see Customer initiated endpoint replacements for additional details.

Readonly phase1

phase1: undefined | Phase1Config = undefined

(OPTIONAL) Internet Key Exchange (IKE) phase 1 configuration.

Remarks

CAUTION: if you configure this property on a VPN connection that was deployed prior to v1.5.0, your VPN connection will be recreated. Please be aware that any downstream dependencies may cause this property update to fail. To ensure a clean replacement, we highly recommend deleting the original connection and its downstream dependencies prior to making this change.

If you update this property after deployment, your VPN tunnel will become temporarily unavailable. Please see Customer initiated endpoint replacements for additional details.

Readonly phase2

phase2: undefined | Phase2Config = undefined

(OPTIONAL) Internet Key Exchange (IKE) phase 2 configuration.

Remarks

CAUTION: if you configure this property on a VPN connection that was deployed prior to v1.5.0, your VPN connection will be recreated. Please be aware that any downstream dependencies may cause this property update to fail. To ensure a clean replacement, we highly recommend deleting the original connection and its downstream dependencies prior to making this change.

If you update this property after deployment, your VPN tunnel will become temporarily unavailable. Please see Customer initiated endpoint replacements for additional details.

Readonly preSharedKey

preSharedKey: undefined | string = undefined

(OPTIONAL): The Secrets Manager name that stores the pre-shared key (PSK), that exists in the same account and region that the VPN Connection will be created in.

Remarks

CAUTION: Changing this property value after initial deployment causes the VPN to be recreated. Please be aware that any downstream dependencies may cause this property update to fail.

Include the random hash suffix value in the Secrets Manager name. This can be found using the following procedure:

  1. Navigate to the Secrets Manager console.
  2. Select the region you stored the secret in.
  3. Click on the name of the secret.
  4. Under Secret details, the Secret ARN contains the full name of the secret, including the random hash suffix. This is the value after secret: in the ARN.

NOTE: The preSharedKey (PSK) parameter is optional. If a PSK is not provided, Amazon will generate a PSK for you.

Readonly rekeyFuzzPercentage

rekeyFuzzPercentage: undefined | number = undefined

(OPTIONAL) The percentage of the rekey window (determined by the rekey margin time) within which the rekey time is randomly selected.

Default - 100

Remarks

CAUTION: if you configure this property on a VPN connection that was deployed prior to v1.5.0, your VPN connection will be recreated. Please be aware that any downstream dependencies may cause this property update to fail. To ensure a clean replacement, we highly recommend deleting the original connection and its downstream dependencies prior to making this change.

If you update this property after deployment, your VPN tunnel will become temporarily unavailable. Please see Customer initiated endpoint replacements for additional details.

You can specify a percentage value between 0 and 100.

Readonly rekeyMarginTimeSeconds

rekeyMarginTimeSeconds: undefined | number = undefined

(OPTIONAL) The margin time in seconds before the phase 1 and phase 2 lifetime expires, during which the AWS side of the VPN connection performs an IKE rekey.

Default - 270 (4.5 minutes)

Remarks

CAUTION: if you configure this property on a VPN connection that was deployed prior to v1.5.0, your VPN connection will be recreated. Please be aware that any downstream dependencies may cause this property update to fail. To ensure a clean replacement, we highly recommend deleting the original connection and its downstream dependencies prior to making this change.

If you update this property after deployment, your VPN tunnel will become temporarily unavailable. Please see Customer initiated endpoint replacements for additional details.

You can specify a number between 60 and half of the value of the phase 2 lifetime. The exact time of the rekey is randomly selected based on the value for rekey fuzz.

Readonly replayWindowSize

replayWindowSize: undefined | number = undefined

(OPTIONAL) The number of packets in an IKE replay window.

Default - 1024

Remarks

CAUTION: if you configure this property on a VPN connection that was deployed prior to v1.5.0, your VPN connection will be recreated. Please be aware that any downstream dependencies may cause this property update to fail. To ensure a clean replacement, we highly recommend deleting the original connection and its downstream dependencies prior to making this change.

If you update this property after deployment, your VPN tunnel will become temporarily unavailable. Please see Customer initiated endpoint replacements for additional details.

You can specify a value between 64 and 2048.

Readonly startupAction

startupAction: undefined | "add" | "start" = undefined

(OPTIONAL) The action to take when the establishing the tunnel for the VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for Amazon Web Services to initiate the IKE negotiation.

Default - add

Remarks

CAUTION: if you configure this property on a VPN connection that was deployed prior to v1.5.0, your VPN connection will be recreated. Please be aware that any downstream dependencies may cause this property update to fail. To ensure a clean replacement, we highly recommend deleting the original connection and its downstream dependencies prior to making this change.

Readonly tunnelInsideCidr

tunnelInsideCidr: undefined | string = undefined

(OPTIONAL): The range of inside IP addresses for the tunnel. Any specified CIDR blocks must be unique across all VPN connections that use the same virtual private gateway.

Remarks

CAUTION: Changing this property value after initial deployment causes the VPN to be recreated. Please be aware that any downstream dependencies may cause this property update to fail.

The following CIDR blocks are reserved and cannot be used: - 169.254.0.0/30 - 169.254.1.0/30 - 169.254.2.0/30 - 169.254.3.0/30 - 169.254.4.0/30 - 169.254.5.0/30 - 169.254.169.252/30

Readonly tunnelLifecycleControl

tunnelLifecycleControl: undefined | boolean = undefined

(OPTIONAL) Enable tunnel endpoint lifecycle control. This feature provides control over the schedule of endpoint replacements. For more information, see Tunnel Endpoint Lifecycle Control.

Remarks

CAUTION: if you configure this property on a VPN connection that was deployed prior to v1.5.0, your VPN connection will be recreated. Please be aware that any downstream dependencies may cause this property update to fail. To ensure a clean replacement, we highly recommend deleting the original connection and its downstream dependencies prior to making this change.

If you update this property after deployment, your VPN tunnel will become temporarily unavailable. Please see Customer initiated endpoint replacements for additional details.

Settings

Member Visibility

Theme

Generated using TypeDoc