
Resource: awsVpnConnection

Manages a Site-to-Site VPN connection. A Site-to-Site VPN connection is an Internet Protocol security (IPsec) VPN connection between a VPC and an on-premises network. Any new Site-to-Site VPN connection that you create is an AWS VPN connection.

~> Note: All arguments, including tunnel1PresharedKey and tunnel2PresharedKey, are stored in the raw state as plain text. Read more about sensitive data in state.

~> Note: The CIDR blocks in the arguments tunnel1InsideCidr and tunnel2InsideCidr must have a prefix of /30 and be part of a specific range. Read more about this in the AWS documentation.
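The first note above means that anyone who can read the state file can read both tunnel preshared keys, and the customerGatewayConfiguration attribute (the device configuration XML exported further down) embeds them as well. The following is an added example, not part of the provider documentation or of the CDKTF project, that audits the JSON form of a state (the output of `terraform show -json`) for aws_vpn_connection resources whose secret-bearing attributes are populated, descending into nested modules. The state document embedded in it is constructed for this example; every ID and key value in it is a placeholder.

```typescript
// Added example, not from the provider docs: find aws_vpn_connection
// attributes that hold secrets in plain text inside `terraform show -json`
// output. The sample state below is constructed; IDs and keys are placeholders.

interface StateResource {
  address: string;
  type: string;
  values?: { [attr: string]: unknown };
}

interface StateModule {
  resources?: StateResource[];
  child_modules?: StateModule[];
}

interface ShowJson {
  values?: { root_module?: StateModule };
}

// State attributes (snake_case, as Terraform stores them) that expose the
// tunnel secrets. The customer gateway configuration is the device config
// XML, which embeds both preshared keys.
const SECRET_ATTRIBUTES = [
  "tunnel1_preshared_key",
  "tunnel2_preshared_key",
  "customer_gateway_configuration",
];

// Collect resources from root_module and every nested child_modules entry.
function collectResources(mod: StateModule | undefined, out: StateResource[] = []): StateResource[] {
  if (!mod) return out;
  for (const r of mod.resources ?? []) out.push(r);
  for (const child of mod.child_modules ?? []) collectResources(child, out);
  return out;
}

// Returns "<address>.<attribute>" for each populated secret attribute.
function findPlaintextVpnSecrets(showJson: string): string[] {
  const doc = JSON.parse(showJson) as ShowJson;
  const findings: string[] = [];
  for (const res of collectResources(doc.values?.root_module)) {
    if (res.type !== "aws_vpn_connection") continue;
    for (const attr of SECRET_ATTRIBUTES) {
      const v = res.values?.[attr];
      if (typeof v === "string" && v.length > 0) findings.push(`${res.address}.${attr}`);
    }
  }
  return findings;
}

// Constructed sample state: one VPN connection at the root, one inside a module.
const SAMPLE_STATE = JSON.stringify({
  format_version: "1.0",
  values: {
    root_module: {
      resources: [
        {
          address: "aws_vpn_connection.main",
          type: "aws_vpn_connection",
          values: {
            id: "vpn-PLACEHOLDER",
            tunnel1_preshared_key: "PLACEHOLDER_PSK_1",
            tunnel2_preshared_key: "PLACEHOLDER_PSK_2",
            customer_gateway_configuration: '<vpn_connection id="vpn-PLACEHOLDER">...</vpn_connection>',
          },
        },
        { address: "aws_customer_gateway.main", type: "aws_customer_gateway", values: { bgp_asn: "65000" } },
      ],
      child_modules: [
        {
          resources: [
            {
              address: "module.branch.aws_vpn_connection.branch",
              type: "aws_vpn_connection",
              values: { id: "vpn-PLACEHOLDER2", tunnel1_preshared_key: "PLACEHOLDER_PSK_3" },
            },
          ],
        },
      ],
    },
  },
});

console.log(findPlaintextVpnSecrets(SAMPLE_STATE));
export {};
```

Feed the function the text of `terraform show -json` for a real workspace; a non-empty result tells you the state backend holds live IPsec credentials and must be treated accordingly (encrypted, access-restricted, not committed to source control). The data-source counterpart is not covered because the page does not list one.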

Example Usage

EC2 Transit Gateway

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsCustomerGatewayExample = new aws.customerGateway.CustomerGateway(
  this,
  "example",
  {
    bgpAsn: 65000,
    ipAddress: "172.0.0.1",
    type: "ipsec.1",
  }
);
const awsEc2TransitGatewayExample = new aws.ec2TransitGateway.Ec2TransitGateway(
  this,
  "example_1",
  {}
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsEc2TransitGatewayExample.overrideLogicalId("example");
const awsVpnConnectionExample = new aws.vpnConnection.VpnConnection(
  this,
  "example_2",
  {
    customerGatewayId: awsCustomerGatewayExample.id,
    transitGatewayId: awsEc2TransitGatewayExample.id,
    type: awsCustomerGatewayExample.type,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsVpnConnectionExample.overrideLogicalId("example");

Virtual Private Gateway

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsCustomerGatewayCustomerGateway =
  new aws.customerGateway.CustomerGateway(this, "customer_gateway", {
    bgpAsn: 65000,
    ipAddress: "172.0.0.1",
    type: "ipsec.1",
  });
const awsVpcVpc = new aws.vpc.Vpc(this, "vpc", {
  cidrBlock: "10.0.0.0/16",
});
const awsVpnGatewayVpnGateway = new aws.vpnGateway.VpnGateway(
  this,
  "vpn_gateway",
  {
    vpcId: awsVpcVpc.id,
  }
);
new aws.vpnConnection.VpnConnection(this, "main", {
  customerGatewayId: awsCustomerGatewayCustomerGateway.id,
  staticRoutesOnly: true,
  type: "ipsec.1",
  vpnGatewayId: awsVpnGatewayVpnGateway.id,
});

AWS Site to Site Private VPN

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsCustomerGatewayExample = new aws.customerGateway.CustomerGateway(
  this,
  "example",
  {
    bgpAsn: 64514,
    ipAddress: "10.0.0.1",
    tags: {
      Name: "terraform_ipsec_vpn_example",
    },
    type: "ipsec.1",
  }
);
const awsDxGatewayExample = new aws.dxGateway.DxGateway(this, "example_1", {
  amazonSideAsn: "64512",
  name: "terraform_ipsec_vpn_example",
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsDxGatewayExample.overrideLogicalId("example");
const awsEc2TransitGatewayExample = new aws.ec2TransitGateway.Ec2TransitGateway(
  this,
  "example_2",
  {
    amazonSideAsn: "64513",
    description: "terraform_ipsec_vpn_example",
    transitGatewayCidrBlocks: ["10.0.0.0/24"],
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsEc2TransitGatewayExample.overrideLogicalId("example");
const awsDxGatewayAssociationExample =
  new aws.dxGatewayAssociation.DxGatewayAssociation(this, "example_3", {
    allowedPrefixes: ["10.0.0.0/8"],
    associatedGatewayId: awsEc2TransitGatewayExample.id,
    dxGatewayId: awsDxGatewayExample.id,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsDxGatewayAssociationExample.overrideLogicalId("example");
const dataAwsEc2TransitGatewayDxGatewayAttachmentExample =
  new aws.dataAwsEc2TransitGatewayDxGatewayAttachment.DataAwsEc2TransitGatewayDxGatewayAttachment(
    this,
    "example_4",
    {
      // Read the attachment only after the gateway association exists.
      dependsOn: [awsDxGatewayAssociationExample],
      dxGatewayId: awsDxGatewayExample.id,
      transitGatewayId: awsEc2TransitGatewayExample.id,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
dataAwsEc2TransitGatewayDxGatewayAttachmentExample.overrideLogicalId("example");
const awsVpnConnectionExample = new aws.vpnConnection.VpnConnection(
  this,
  "example_5",
  {
    customerGatewayId: awsCustomerGatewayExample.id,
    outsideIpAddressType: "PrivateIpv4",
    tags: {
      Name: "terraform_ipsec_vpn_example",
    },
    transitGatewayId: awsEc2TransitGatewayExample.id,
    transportTransitGatewayAttachmentId:
      dataAwsEc2TransitGatewayDxGatewayAttachmentExample.id,
    type: "ipsec.1",
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsVpnConnectionExample.overrideLogicalId("example");

Argument Reference

The following arguments are supported:

  • customerGatewayId - (Required) The ID of the customer gateway.
  • type - (Required) The type of VPN connection. The only type AWS supports at this time is "ipsec.1".
  • transitGatewayId - (Optional) The ID of the EC2 Transit Gateway.
  • vpnGatewayId - (Optional) The ID of the Virtual Private Gateway.
  • staticRoutesOnly - (Optional, Default false) Whether the VPN connection uses static routes exclusively. Static routes must be used for devices that don't support BGP.
  • enableAcceleration - (Optional, Default false) Indicate whether to enable acceleration for the VPN connection. Supports only EC2 Transit Gateway.
  • tags - (Optional) Tags to apply to the connection. If configured with a provider defaultTags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
  • localIpv4NetworkCidr - (Optional, Default 0.0.0.0/0) The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection.
  • localIpv6NetworkCidr - (Optional, Default ::/0) The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
  • outsideIpAddressType - (Optional, Default PublicIpv4) Indicates whether this is a public Site-to-Site VPN or a private Site-to-Site VPN over AWS Direct Connect. Valid values are PublicIpv4 | PrivateIpv4.
  • remoteIpv4NetworkCidr - (Optional, Default 0.0.0.0/0) The IPv4 CIDR on the AWS side of the VPN connection.
  • remoteIpv6NetworkCidr - (Optional, Default ::/0) The IPv6 CIDR on the AWS side of the VPN connection.
  • transportTransitGatewayAttachmentId - (Required when outsideIpAddressType is set to PrivateIpv4) The attachment ID of the Transit Gateway attachment to the Direct Connect Gateway. The ID can only be obtained through a data source (see the AWS Site to Site Private VPN example above).
  • tunnelInsideIpVersion - (Optional, Default ipv4) Indicates whether the VPN tunnels carry IPv4 or IPv6 traffic. Valid values are ipv4 | ipv6. ipv6 is supported only with an EC2 Transit Gateway.
  • tunnel1InsideCidr - (Optional) The CIDR block of the inside IP addresses for the first VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
  • tunnel2InsideCidr - (Optional) The CIDR block of the inside IP addresses for the second VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
  • tunnel1InsideIpv6Cidr - (Optional) The range of inside IPv6 addresses for the first VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
  • tunnel2InsideIpv6Cidr - (Optional) The range of inside IPv6 addresses for the second VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
  • tunnel1PresharedKey - (Optional) The preshared key of the first VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero(0). Allowed characters are alphanumeric characters, periods(.) and underscores(_).
  • tunnel2PresharedKey - (Optional) The preshared key of the second VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero(0). Allowed characters are alphanumeric characters, periods(.) and underscores(_).
  • tunnel1DpdTimeoutAction - (Optional, Default clear) The action to take after a DPD timeout occurs for the first VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are clear | none | restart.
  • tunnel2DpdTimeoutAction - (Optional, Default clear) The action to take after a DPD timeout occurs for the second VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are clear | none | restart.
  • tunnel1DpdTimeoutSeconds - (Optional, Default 30) The number of seconds after which a DPD timeout occurs for the first VPN tunnel. Valid value is 30 or higher.
  • tunnel2DpdTimeoutSeconds - (Optional, Default 30) The number of seconds after which a DPD timeout occurs for the second VPN tunnel. Valid value is 30 or higher.
  • tunnel1IkeVersions - (Optional) The IKE versions that are permitted for the first VPN tunnel. Valid values are ikev1 | ikev2.
  • tunnel2IkeVersions - (Optional) The IKE versions that are permitted for the second VPN tunnel. Valid values are ikev1 | ikev2.
  • tunnel1LogOptions - (Optional) Options for logging VPN tunnel activity. See Log Options below for more details.
  • tunnel2LogOptions - (Optional) Options for logging VPN tunnel activity. See Log Options below for more details.
  • tunnel1Phase1DhGroupNumbers - (Optional) List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are 2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.
  • tunnel2Phase1DhGroupNumbers - (Optional) List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are 2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.
  • tunnel1Phase1EncryptionAlgorithms - (Optional) List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
  • tunnel2Phase1EncryptionAlgorithms - (Optional) List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
  • tunnel1Phase1IntegrityAlgorithms - (Optional) List of one or more integrity algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.
  • tunnel2Phase1IntegrityAlgorithms - (Optional) List of one or more integrity algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.
  • tunnel1Phase1LifetimeSeconds - (Optional, Default 28800) The lifetime for phase 1 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between 900 and 28800.
  • tunnel2Phase1LifetimeSeconds - (Optional, Default 28800) The lifetime for phase 1 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between 900 and 28800.
  • tunnel1Phase2DhGroupNumbers - (Optional) List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.
  • tunnel2Phase2DhGroupNumbers - (Optional) List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.
  • tunnel1Phase2EncryptionAlgorithms - (Optional) List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
  • tunnel2Phase2EncryptionAlgorithms - (Optional) List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
  • tunnel1Phase2IntegrityAlgorithms - (Optional) List of one or more integrity algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.
  • tunnel2Phase2IntegrityAlgorithms - (Optional) List of one or more integrity algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.
  • tunnel1Phase2LifetimeSeconds - (Optional, Default 3600) The lifetime for phase 2 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between 900 and 3600.
  • tunnel2Phase2LifetimeSeconds - (Optional, Default 3600) The lifetime for phase 2 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between 900 and 3600.
  • tunnel1RekeyFuzzPercentage - (Optional, Default 100) The percentage of the rekey window for the first VPN tunnel (determined by tunnel1RekeyMarginTimeSeconds) during which the rekey time is randomly selected. Valid value is between 0 and 100.
  • tunnel2RekeyFuzzPercentage - (Optional, Default 100) The percentage of the rekey window for the second VPN tunnel (determined by tunnel2RekeyMarginTimeSeconds) during which the rekey time is randomly selected. Valid value is between 0 and 100.
  • tunnel1RekeyMarginTimeSeconds - (Optional, Default 540) The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the first VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for tunnel1RekeyFuzzPercentage. Valid value is between 60 and half of tunnel1Phase2LifetimeSeconds.
  • tunnel2RekeyMarginTimeSeconds - (Optional, Default 540) The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the second VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for tunnel2RekeyFuzzPercentage. Valid value is between 60 and half of tunnel2Phase2LifetimeSeconds.
  • tunnel1ReplayWindowSize - (Optional, Default 1024) The number of packets in an IKE replay window for the first VPN tunnel. Valid value is between 64 and 2048.
  • tunnel2ReplayWindowSize - (Optional, Default 1024) The number of packets in an IKE replay window for the second VPN tunnel. Valid value is between 64 and 2048.
  • tunnel1StartupAction - (Optional, Default add) The action to take when establishing the tunnel for the first VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are add | start.
  • tunnel2StartupAction - (Optional, Default add) The action to take when establishing the tunnel for the second VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are add | start.

Log Options

The tunnel1LogOptions and tunnel2LogOptions blocks support the following arguments:

  • cloudwatchLogOptions - (Optional) Options for sending VPN tunnel logs to CloudWatch. See CloudWatch Log Options below for more details.

CloudWatch Log Options

The cloudwatchLogOptions block supports the following arguments:

  • logEnabled - (Optional, Default false) Enable or disable the VPN tunnel logging feature.
  • logGroupArn - (Optional) The Amazon Resource Name (ARN) of the CloudWatch log group to send logs to.
  • logOutputFormat - (Optional, Default json) The log format. Possible values are json and text.
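The Argument Reference above spells out the value ranges and allowed sets the API enforces for each tunnel (preshared key shape, /30 inside CIDR, lifetimes, rekey margin relative to the phase 2 lifetime, DPD timeout, replay window, IKE versions, algorithms and DH groups). Catching a violation before `cdktf deploy` is cheaper than an apply-time error, and the same pass is a natural place to flag choices that are accepted but weak. The block below is an added example, not code from the provider documentation or the CDKTF project: VpnConnectionArgs is a hand-written index type standing in for the generated VpnConnectionConfig (same property names); the "weak" classifications (IKEv1, SHA1, DH groups 2 and 5) are the editor's hardening recommendations rather than anything the page states; and AWS's reserved /30s inside 169.254.0.0/16, which the second note at the top points to, are not checked. The two sample argument sets are constructed.

```typescript
// Added example, not from the provider docs: validate the per-tunnel arguments
// of an awsVpnConnection against the constraints in the Argument Reference
// before deploying, and flag values that are valid but cryptographically weak.
// VpnConnectionArgs is a hand-written index type standing in for the generated
// VpnConnectionConfig; it uses the same property names.
type VpnConnectionArgs = { [key: string]: unknown };

// 8-64 characters of [A-Za-z0-9._]; the first character must not be "0".
const PSK_PATTERN = /^[A-Za-z1-9._][A-Za-z0-9._]{7,63}$/;
const ENCRYPTION = ["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"];
const INTEGRITY = ["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"];
const PHASE1_DH = [2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24];
const PHASE2_DH = [2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24];

// A /30 inside 169.254.0.0/16 whose address sits on a /30 boundary (general CIDR
// validity). AWS reserves a few /30s in that range; those are not checked here.
function isValidInsideCidr(cidr: string): boolean {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2})$/.exec(cidr);
  if (!m) return false;
  const [a, b, c, d, prefix] = m.slice(1).map(Number);
  return a === 169 && b === 254 && c <= 255 && d <= 255 && prefix === 30 && d % 4 === 0;
}

function isIntInRange(v: unknown, lo: number, hi: number): v is number {
  return typeof v === "number" && Number.isInteger(v) && v >= lo && v <= hi;
}

// errors: values the Argument Reference says are invalid.
// warnings: valid values that are weak by current IPsec practice (editor's view).
function validateTunnel(cfg: VpnConnectionArgs, n: 1 | 2): { errors: string[]; warnings: string[] } {
  const p = `tunnel${n}`;
  const errors: string[] = [];
  const warnings: string[] = [];
  const get = (suffix: string): unknown => cfg[p + suffix];

  const psk = get("PresharedKey");
  if (psk !== undefined && !(typeof psk === "string" && PSK_PATTERN.test(psk))) errors.push(`${p}PresharedKey: 8-64 chars of [A-Za-z0-9._], must not start with 0`);
  const cidr = get("InsideCidr");
  if (cidr !== undefined && !(typeof cidr === "string" && isValidInsideCidr(cidr))) errors.push(`${p}InsideCidr: must be a /30 from 169.254.0.0/16`);

  // Plain integer ranges from the Argument Reference.
  const ranges: [string, number, number][] = [
    ["Phase1LifetimeSeconds", 900, 28800],
    ["Phase2LifetimeSeconds", 900, 3600],
    ["RekeyFuzzPercentage", 0, 100],
    ["DpdTimeoutSeconds", 30, Infinity],
    ["ReplayWindowSize", 64, 2048],
  ];
  for (const [suffix, lo, hi] of ranges) {
    const v = get(suffix);
    if (v !== undefined && !isIntInRange(v, lo, hi)) errors.push(`${p}${suffix}: ${hi === Infinity ? `${lo} or more` : `${lo}-${hi}`}`);
  }
  // The rekey margin is capped at half the configured (or default 3600 s) phase 2 lifetime.
  const p2 = get("Phase2LifetimeSeconds");
  const halfP2 = Math.floor((typeof p2 === "number" ? p2 : 3600) / 2);
  const margin = get("RekeyMarginTimeSeconds");
  if (margin !== undefined && !isIntInRange(margin, 60, halfP2)) errors.push(`${p}RekeyMarginTimeSeconds: 60-${halfP2} for this phase 2 lifetime`);

  // Every element must be an allowed value; elements listed in `weak` only warn.
  const checkList = (suffix: string, allowed: unknown[], weak: unknown[]): void => {
    const v = get(suffix);
    if (v === undefined) return;
    if (!Array.isArray(v) || v.length === 0 || !v.every((x) => allowed.includes(x))) {
      errors.push(`${p}${suffix}: allowed values are ${allowed.join(" | ")}`);
      return;
    }
    for (const x of v) if (weak.includes(x)) warnings.push(`${p}${suffix}: ${x} is weak`);
  };
  checkList("IkeVersions", ["ikev1", "ikev2"], ["ikev1"]);
  for (const phase of ["Phase1", "Phase2"]) {
    checkList(`${phase}EncryptionAlgorithms`, ENCRYPTION, []);
    checkList(`${phase}IntegrityAlgorithms`, INTEGRITY, ["SHA1"]);
    checkList(`${phase}DhGroupNumbers`, phase === "Phase1" ? PHASE1_DH : PHASE2_DH, [2, 5]);
  }
  return { errors, warnings };
}

// Constructed sample: tunnel 1 arguments for a hardened connection. The preshared
// key is deliberately absent; supply it from a sensitive variable, not a literal.
const hardenedArgs: VpnConnectionArgs = {
  tunnel1InsideCidr: "169.254.10.0/30",
  tunnel1IkeVersions: ["ikev2"],
  tunnel1Phase1DhGroupNumbers: [20, 21],
  tunnel1Phase1EncryptionAlgorithms: ["AES256-GCM-16"],
  tunnel1Phase1IntegrityAlgorithms: ["SHA2-512"],
  tunnel1Phase2DhGroupNumbers: [20, 21],
  tunnel1Phase2EncryptionAlgorithms: ["AES256-GCM-16"],
  tunnel1Phase2IntegrityAlgorithms: ["SHA2-512"],
  tunnel1Phase2LifetimeSeconds: 3600,
  tunnel1RekeyMarginTimeSeconds: 540,
  tunnel1ReplayWindowSize: 1024,
};

// Constructed sample with mistakes the API would reject plus weak choices.
const weakArgs: VpnConnectionArgs = {
  tunnel1PresharedKey: "0short",        // starts with 0 and is too short
  tunnel1InsideCidr: "169.254.10.1/30", // not on a /30 boundary
  tunnel1IkeVersions: ["ikev1", "ikev2"],
  tunnel1Phase1IntegrityAlgorithms: ["SHA1"],
  tunnel1Phase1DhGroupNumbers: [2],
  tunnel1Phase2LifetimeSeconds: 1200,
  tunnel1RekeyMarginTimeSeconds: 900,   // more than half of 1200
};

console.log(validateTunnel(hardenedArgs, 1), validateTunnel(weakArgs, 1));
export {};
```

Run validateTunnel on the same object you pass to the VpnConnection constructor, once per tunnel, and fail the build on any error; treat warnings as review items, since a peer that only supports IKEv1 or SHA1 may force them on you.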

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • arn - Amazon Resource Name (ARN) of the VPN Connection.
  • id - The Amazon-assigned ID of the VPN connection.
  • coreNetworkArn - The ARN of the core network.
  • coreNetworkAttachmentArn - The ARN of the core network attachment.
  • customerGatewayConfiguration - The configuration information for the VPN connection's customer gateway (in the native XML format).
  • customerGatewayId - The ID of the customer gateway to which the connection is attached.
  • routes - The static routes associated with the VPN connection. Detailed below.
  • staticRoutesOnly - Whether the VPN connection uses static routes exclusively.
  • tagsAll - A map of tags assigned to the resource, including those inherited from the provider defaultTags configuration block.
  • transitGatewayAttachmentId - When associated with an EC2 Transit Gateway (transitGatewayId argument), the attachment ID. See also the awsEc2Tag resource for tagging the EC2 Transit Gateway VPN Attachment.
  • tunnel1Address - The public IP address of the first VPN tunnel.
  • tunnel1CgwInsideAddress - The RFC 6890 link-local address of the first VPN tunnel (Customer Gateway Side).
  • tunnel1VgwInsideAddress - The RFC 6890 link-local address of the first VPN tunnel (VPN Gateway Side).
  • tunnel1PresharedKey - The preshared key of the first VPN tunnel.
  • tunnel1BgpAsn - The BGP ASN of the first VPN tunnel.
  • tunnel1BgpHoldtime - The BGP hold time of the first VPN tunnel.
  • tunnel2Address - The public IP address of the second VPN tunnel.
  • tunnel2CgwInsideAddress - The RFC 6890 link-local address of the second VPN tunnel (Customer Gateway Side).
  • tunnel2VgwInsideAddress - The RFC 6890 link-local address of the second VPN tunnel (VPN Gateway Side).
  • tunnel2PresharedKey - The preshared key of the second VPN tunnel.
  • tunnel2BgpAsn - The BGP ASN of the second VPN tunnel.
  • tunnel2BgpHoldtime - The BGP hold time of the second VPN tunnel.
  • vgwTelemetry - Telemetry for the VPN tunnels. Detailed below.
  • vpnGatewayId - The ID of the virtual private gateway to which the connection is attached.

routes

  • destinationCidrBlock - The CIDR block associated with the local subnet of the customer data center.
  • source - Indicates how the routes were provided.
  • state - The current state of the static route.

vgwTelemetry

  • acceptedRouteCount - The number of accepted routes.
  • certificateArn - The Amazon Resource Name (ARN) of the VPN tunnel endpoint certificate.
  • lastStatusChange - The date and time of the last change in status.
  • outsideIpAddress - The Internet-routable IP address of the virtual private gateway's outside interface.
  • status - The status of the VPN tunnel.
  • statusMessage - If an error occurs, a description of the error.

Import

VPN Connections can be imported using the vpnConnectionId, e.g.,

$ terraform import aws_vpn_connection.testvpnconnection vpn-40f41529