Interface IVpnConnectionConfig

NetworkConfig / CustomerGatewayConfig / VpnConnectionConfig

Site-to-site VPN Connection configuration.

Description

Use this configuration to define the VPN connections that terminate either on a Transit Gateway or virtual private gateway. A VPN connection refers to the connection between your VPC and your own on-premises network. You can enable access to your remote network from your VPC by creating an AWS Site-to-Site VPN (Site-to-Site VPN) connection, and configuring routing to pass traffic through the connection.

IMPORTANT: After initial deployment of your VPN connection with any of the v1.5.0+ options noted below, you can make property changes in one of VpnConnectionConfig or VpnTunnelOptionsSpecificationsConfig, but not both. You may make multiple property changes in one of those configurations if necessary. Trying to modify properties in both configurations will result in a pipeline failure. This is due to the fact that only a single mutating API call can be made at a time for AWS Site-to-Site VPN connections.

Note: you may manually roll back the resulting CloudFormation stack should you encounter this failure. More details on how to skip failed resources in the following reference: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-continueupdaterollback.html

Example

VPN termination at a Transit Gateway:

- name: accelerator-vpn
  transitGateway: Network-Main
  routeTableAssociations:
    - Network-Main-Core
  routeTablePropagations:
    - Network-Main-Core
  staticRoutesOnly: false
  # Tunnel specifications are optional -- additional tunnel options available in configuration reference
  tunnelSpecifications:
    - tunnelInsideCidr: 169.254.200.0/30
      preSharedKey: Key1-AbcXyz
    - tunnelInsideCidr: 169.254.200.100/30
      preSharedKey: Key1-AbcXyz

VPN termination at a VPC:

- name: accelerator-vpn
  vpc: Inspection-Vpc
  staticRoutesOnly: false
  # Tunnel specifications are optional -- additional tunnel options available in configuration reference
  tunnelSpecifications:
    - tunnelInsideCidr: 169.254.200.0/30
      preSharedKey: Key1-AbcXyz
    - tunnelInsideCidr: 169.254.200.100/30
      preSharedKey: Key1-AbcXyz
interface IVpnConnectionConfig {
    amazonIpv4NetworkCidr?: string;
    customerIpv4NetworkCidr?: string;
    enableVpnAcceleration?: boolean;
    name: string;
    routeTableAssociations?: string[];
    routeTablePropagations?: string[];
    staticRoutesOnly?: boolean;
    tags?: ITag[];
    transitGateway?: string;
    tunnelSpecifications?: IVpnTunnelOptionsSpecificationsConfig[];
    vpc?: string;
}

Properties

amazonIpv4NetworkCidr? customerIpv4NetworkCidr? enableVpnAcceleration? name routeTableAssociations? routeTablePropagations? staticRoutesOnly? tags? transitGateway? tunnelSpecifications? vpc?

Properties

Optional ReadonlyamazonIpv4NetworkCidr

amazonIpv4NetworkCidr?: string

(OPTIONAL) The Amazon-side IPv4 CIDR range that is allowed through the site-to-site VPN tunnel. Configuring this option restricts the Amazon-side CIDR range that can communicate with your local network.

Default - 0.0.0.0/0

Remarks

CAUTION: if you configure this property on a VPN connection that was deployed prior to v1.5.0, your VPN connection will be recreated. Please be aware that any downstream dependencies may cause this property update to fail. To ensure a clean replacement, we highly recommend deleting the original connection and its downstream dependencies prior to making this change.

If you update this property after deployment, both of your VPN tunnel endpoints will become temporarily unavailable. Please see Customer initiated endpoint replacements for additional details.

Use CIDR notation, i.e. 10.0.0.0/16.

Optional ReadonlycustomerIpv4NetworkCidr

customerIpv4NetworkCidr?: string

(OPTIONAL) The customer-side IPv4 CIDR range that is allowed through the site-to-site VPN tunnel. Configuring this option restricts the local CIDR range that can communicate with your AWS environment.

Default - 0.0.0.0/0

Remarks

CAUTION: if you configure this property on a VPN connection that was deployed prior to v1.5.0, your VPN connection will be recreated. Please be aware that any downstream dependencies may cause this property update to fail. To ensure a clean replacement, we highly recommend deleting the original connection and its downstream dependencies prior to making this change.

If you update this property after deployment, both of your VPN tunnel endpoints will become temporarily unavailable. Please see Customer initiated endpoint replacements for additional details.

Use CIDR notation, i.e. 10.0.0.0/16.

Optional ReadonlyenableVpnAcceleration

enableVpnAcceleration?: boolean

(OPTIONAL) Enable Site-to-Site VPN Acceleration. For more information, see Accelerated Site-to-Site VPN connections.

Remarks

CAUTION: if you configure this property on a VPN connection that was deployed prior to v1.5.0, your VPN connection will be recreated. Please be aware that any downstream dependencies may cause this property update to fail. To ensure a clean replacement, we highly recommend deleting the original connection and its downstream dependencies prior to making this change.

If you update this property after deployment, your VPN tunnel will be recreated. VPN acceleration can only be enabled/disabled on initial VPN connection creation.

NOTE: Accelerated VPNs are only supported on VPNs terminating on transit gateways.

Readonlyname

name: string

The name of the VPN Connection.

The value of this property will be utilized as the logical id for this resource. Any references to this object should specify this value.

Remarks

CAUTION: Changing this property value after initial deployment causes the VPN to be recreated. Please be aware that any downstream dependencies may cause this property update to fail.

Optional ReadonlyrouteTableAssociations

routeTableAssociations?: string[]

(OPTIONAL) An array of Transit Gateway route table names to associate the VPN attachment to

Remarks

This is the name property of the Transit Gateway route table

This property should only be defined if creating a VPN connection to a Transit Gateway. Leave undefined for VPN connections to virtual private gateways.

Optional ReadonlyrouteTablePropagations

routeTablePropagations?: string[]

(OPTIONAL) An array of Transit Gateway route table names to propagate the VPN attachment to

Remarks

This is the name property of the Transit Gateway route table

This property should only be defined if creating a VPN connection to a Transit Gateway. Leave undefined for VPN connections to virtual private gateways.

Optional ReadonlystaticRoutesOnly

staticRoutesOnly?: boolean

(OPTIONAL) If creating a VPN connection for a device that doesn't support Border Gateway Protocol (BGP) declare true as a value, otherwise, use false.

Remarks

CAUTION: Changing this property value after initial deployment causes the VPN to be recreated. Please be aware that any downstream dependencies may cause this property update to fail.

Optional Readonlytags

tags?: ITag[]

(OPTIONAL) An array of tags for the VPN Connection.

Optional ReadonlytransitGateway

transitGateway?: string

The logical name of the Transit Gateway that the customer Gateway is attached to so that a VPN connection is established.

Remarks

CAUTION: Changing this property value after initial deployment causes the VPN to be recreated. Please be aware that any downstream dependencies may cause this property update to fail.

Must specify either the Transit Gateway name or the Virtual Private Gateway, not both.

Optional ReadonlytunnelSpecifications

tunnelSpecifications?: IVpnTunnelOptionsSpecificationsConfig[]

(OPTIONAL) Define the optional VPN Tunnel configuration

See

VpnTunnelOptionsSpecificationsConfig

Optional Readonlyvpc

vpc?: string

The logical name of the Virtual Private Cloud that a Virtual Private Gateway is attached to.

Remarks

CAUTION: Changing this property value after initial deployment causes the VPN to be recreated. Please be aware that any downstream dependencies may cause this property update to fail.

Must specify either the Transit Gateway name or the Virtual Private Gateway, not both.

Settings

Member Visibility

On This Page

Properties