AWS Amazon EC2 VPN Connection
This page shows how to write Terraform and CloudFormation for Amazon EC2 VPN Connection and write them securely.
aws_vpn_connection (Terraform)
The VPN Connection in Amazon EC2 can be configured in Terraform with the resource name aws_vpn_connection. The following sections describe 3 examples of how to use the resource and its parameters.
Example Usage from GitHub

resource "aws_vpn_connection" "west" {
  # count expects a number (0 or 1); if var.vpn_enabled is a bool, use var.vpn_enabled ? 1 : 0
  count               = var.vpn_enabled
  vpn_gateway_id      = aws_vpn_gateway.west.id
  customer_gateway_id = aws_customer_gateway.gate.id
  type                = "ipsec.1"
}

resource "aws_vpn_connection" "A4LTGW_R1" {
  customer_gateway_id = aws_customer_gateway.router1.id
  transit_gateway_id  = aws_ec2_transit_gateway.tgw.id
  type                = aws_customer_gateway.router1.type
  tags = {
    # tag entries truncated in the source
  }
}

resource "aws_vpn_connection" "vpn_connection" {
  customer_gateway_id = "dummy-customer-gateway-id"
  type                = "ipsec.1"
}

resource "aws_vpn_connection" "transit" {
  # arguments truncated in the source
}
Parameters

One of vpn_gateway_id or transit_gateway_id must be set; the two are mutually exclusive. The tunnel1_* and tunnel2_* arguments configure the two IPsec tunnels that every connection gets; where an argument is left out, AWS negotiates with its permissive defaults (IKEv1 and IKEv2, DH group 2, SHA1, AES128 are all accepted).

arn - optional, computed - string
customer_gateway_configuration - optional, computed - string. The XML configuration for the on-premises device. It embeds both pre-shared keys, so it is as sensitive as the keys themselves.
customer_gateway_id - required - string
enable_acceleration - optional, computed - bool (transit gateway attachments only)
id - optional, computed - string
local_ipv4_network_cidr - optional, computed - string
local_ipv6_network_cidr - optional, computed - string
remote_ipv4_network_cidr - optional, computed - string
remote_ipv6_network_cidr - optional, computed - string
routes - optional, computed - set of object, each with:
  destination_cidr_block - string
  source - string
  state - string
static_routes_only - optional, computed - bool
tags - optional - map from string to string
transit_gateway_attachment_id - optional, computed - string
transit_gateway_id - optional - string
tunnel1_address - optional, computed - string
tunnel1_bgp_asn - optional, computed - string
tunnel1_bgp_holdtime - optional, computed - number
tunnel1_cgw_inside_address - optional, computed - string
tunnel1_dpd_timeout_action - optional - string (clear, none or restart)
tunnel1_dpd_timeout_seconds - optional - number (30 or more)
tunnel1_ike_versions - optional - set of string (ikev1, ikev2)
tunnel1_inside_cidr - optional, computed - string (a /30 inside 169.254.0.0/16)
tunnel1_inside_ipv6_cidr - optional, computed - string (a /126 inside fd00::/8; transit gateway only)
tunnel1_phase1_dh_group_numbers - optional - set of number (2, 14 to 24)
tunnel1_phase1_encryption_algorithms - optional - set of string (AES128, AES256, AES128-GCM-16, AES256-GCM-16)
tunnel1_phase1_integrity_algorithms - optional - set of string (SHA1, SHA2-256, SHA2-384, SHA2-512)
tunnel1_phase1_lifetime_seconds - optional - number (900 to 28800)
tunnel1_phase2_dh_group_numbers - optional - set of number (2, 5, 14 to 24)
tunnel1_phase2_encryption_algorithms - optional - set of string (same values as phase 1)
tunnel1_phase2_integrity_algorithms - optional - set of string (same values as phase 1)
tunnel1_phase2_lifetime_seconds - optional - number (900 to 3600)
tunnel1_preshared_key - optional, computed - string (8 to 64 characters: alphanumerics, periods and underscores, not starting with 0; generated by AWS when omitted)
tunnel1_rekey_fuzz_percentage - optional - number (0 to 100)
tunnel1_rekey_margin_time_seconds - optional - number (60 up to half the phase 2 lifetime)
tunnel1_replay_window_size - optional - number (64 to 2048)
tunnel1_startup_action - optional - string (add or start)
tunnel1_vgw_inside_address - optional, computed - string
tunnel2_address - optional, computed - string
tunnel2_bgp_asn - optional, computed - string
tunnel2_bgp_holdtime - optional, computed - number
tunnel2_cgw_inside_address - optional, computed - string
tunnel2_dpd_timeout_action - optional - string
tunnel2_dpd_timeout_seconds - optional - number
tunnel2_ike_versions - optional - set of string
tunnel2_inside_cidr - optional, computed - string
tunnel2_inside_ipv6_cidr - optional, computed - string
tunnel2_phase1_dh_group_numbers - optional - set of number
tunnel2_phase1_encryption_algorithms - optional - set of string
tunnel2_phase1_integrity_algorithms - optional - set of string
tunnel2_phase1_lifetime_seconds - optional - number
tunnel2_phase2_dh_group_numbers - optional - set of number
tunnel2_phase2_encryption_algorithms - optional - set of string
tunnel2_phase2_integrity_algorithms - optional - set of string
tunnel2_phase2_lifetime_seconds - optional - number
tunnel2_preshared_key - optional, computed - string
tunnel2_rekey_fuzz_percentage - optional - number
tunnel2_rekey_margin_time_seconds - optional - number
tunnel2_replay_window_size - optional - number
tunnel2_startup_action - optional - string
tunnel2_vgw_inside_address - optional, computed - string
(each tunnel2_* argument takes the same values as its tunnel1_* counterpart)
tunnel_inside_ip_version - optional, computed - string (ipv4 or ipv6)
type - required - string (ipsec.1 is the only supported value)
vgw_telemetry - optional, computed - set of object, each with:
  accepted_route_count - number
  last_status_change - string
  outside_ip_address - string
  status - string
  status_message - string
vpn_gateway_id - optional - string
Explanation in Terraform Registry

Manages an EC2 VPN connection. These objects can be connected to customer gateways, and allow you to establish tunnels between your network and Amazon.

Note: All arguments, including tunnel1_preshared_key and tunnel2_preshared_key, are stored in the raw state as plain text. Read more about sensitive data in state.

Note: The CIDR blocks in the arguments tunnel1_inside_cidr and tunnel2_inside_cidr must have a prefix of /30 and be part of a specific range: the 169.254.0.0/16 link-local space, minus a handful of blocks that AWS reserves. Read more about this in the AWS documentation.
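The examples above leave every tunnel option at its default, which means AWS will still accept IKEv1, DH group 2, SHA1 and AES128 from the customer gateway. The following is an added example, not code from the page or from the repositories it cites, showing how a practitioner would pin the proposal set, choose compliant inside CIDRs and keep the pre-shared keys out of the module source. The names aws_customer_gateway.onprem, aws_ec2_transit_gateway.hub, the two variables and the output are assumptions made for the example.

```hcl
# Added example; resource names and variables below are assumed, not taken from the page.

variable "tunnel1_psk" {
  description = "IKE pre-shared key for tunnel 1: 8-64 chars, alphanumerics, '.' and '_', must not start with 0"
  type        = string
  sensitive   = true # hidden from plan/apply output (Terraform 0.14+), but still written to state
}

variable "tunnel2_psk" {
  description = "IKE pre-shared key for tunnel 2, same constraints as tunnel1_psk"
  type        = string
  sensitive   = true
}

locals {
  # One proposal set applied to both tunnels so they cannot drift apart.
  # This removes the weak defaults (ikev1, DH group 2, SHA1, AES128) from the negotiation.
  ike_versions   = ["ikev2"]
  enc_algorithms = ["AES256-GCM-16"]
  int_algorithms = ["SHA2-384"]
  dh_groups      = [20, 21]
}

resource "aws_vpn_connection" "hardened" {
  customer_gateway_id = aws_customer_gateway.onprem.id
  transit_gateway_id  = aws_ec2_transit_gateway.hub.id
  type                = "ipsec.1"
  static_routes_only  = false # BGP over the tunnels rather than hand-maintained static routes

  # /30 blocks inside 169.254.0.0/16 (AWS reserves a few); must differ between the two tunnels.
  tunnel1_inside_cidr = "169.254.10.0/30"
  tunnel2_inside_cidr = "169.254.11.0/30"

  # Supplied at apply time (TF_VAR_*, tfvars kept out of git, or a secret store); never a literal here.
  tunnel1_preshared_key = var.tunnel1_psk
  tunnel2_preshared_key = var.tunnel2_psk

  tunnel1_ike_versions                 = local.ike_versions
  tunnel1_phase1_encryption_algorithms = local.enc_algorithms
  tunnel1_phase1_integrity_algorithms  = local.int_algorithms
  tunnel1_phase1_dh_group_numbers      = local.dh_groups
  tunnel1_phase1_lifetime_seconds      = 14400 # default 28800; allowed 900-28800
  tunnel1_phase2_encryption_algorithms = local.enc_algorithms
  tunnel1_phase2_integrity_algorithms  = local.int_algorithms
  tunnel1_phase2_dh_group_numbers      = local.dh_groups
  tunnel1_phase2_lifetime_seconds      = 3600 # allowed 900-3600
  tunnel1_rekey_margin_time_seconds    = 540  # must stay at or below half the phase 2 lifetime
  tunnel1_replay_window_size           = 1024
  tunnel1_dpd_timeout_seconds          = 30
  tunnel1_dpd_timeout_action           = "restart" # re-initiate IKE instead of silently clearing the tunnel

  tunnel2_ike_versions                 = local.ike_versions
  tunnel2_phase1_encryption_algorithms = local.enc_algorithms
  tunnel2_phase1_integrity_algorithms  = local.int_algorithms
  tunnel2_phase1_dh_group_numbers      = local.dh_groups
  tunnel2_phase1_lifetime_seconds      = 14400
  tunnel2_phase2_encryption_algorithms = local.enc_algorithms
  tunnel2_phase2_integrity_algorithms  = local.int_algorithms
  tunnel2_phase2_dh_group_numbers      = local.dh_groups
  tunnel2_phase2_lifetime_seconds      = 3600
  tunnel2_rekey_margin_time_seconds    = 540
  tunnel2_replay_window_size           = 1024
  tunnel2_dpd_timeout_seconds          = 30
  tunnel2_dpd_timeout_action           = "restart"

  tags = {
    Name = "onprem-to-hub"
  }
}

# The outside addresses are all the on-premises team needs to start configuring their device.
# Never output customer_gateway_configuration: that XML embeds both pre-shared keys.
output "tunnel_outside_addresses" {
  value = [
    aws_vpn_connection.hardened.tunnel1_address,
    aws_vpn_connection.hardened.tunnel2_address,
  ]
}
```

Marking the variables sensitive only redacts them from plan output; the keys, and the customer_gateway_configuration attribute that repeats them, still land in the state file, so the state backend needs encryption at rest and tight read access. The customer gateway device must be configured with the same proposal set, otherwise IKE negotiation fails and the vgw_telemetry status stays DOWN.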
Tips: Best Practices for The Other AWS Amazon EC2 Resources

In addition to aws_vpn_connection, AWS Amazon EC2 has other resources that should be configured with security in mind. Some examples of those resources and their precautions:

aws_default_vpc
Ensure to avoid using the default VPC
Define your own VPC and use it instead of the default one.

aws_network_acl_rule
Ensure your network ACL rule blocks unwanted inbound traffic
Allow only the ports and source ranges that are actually needed and deny the rest.

aws_ebs_volume
Ensure to use a customer-managed key for EBS volume encryption
A customer-managed key (CMK) gives you control over the key policy, rotation and revocation that the AWS-managed default key does not.

aws_instance
Ensure to avoid storing AWS access keys in user data
User data is readable by any process on the instance through the metadata service and by anyone allowed to call DescribeInstanceAttribute. Attach an `aws_iam_instance_profile` instead, so the instance obtains short-lived credentials.

aws_security_group
Ensure your security group blocks unwanted inbound traffic
Allow only the ports and source ranges that are actually needed and deny the rest.
AWS::EC2::VPNConnection (CloudFormation)
The VPNConnection in EC2 can be configured in CloudFormation with the resource name AWS::EC2::VPNConnection. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub

Type: AWS::EC2::VPNConnection
DependsOn: [CustomerGateWay, VirtualPrivateGateWay]
Properties:
  Type: ipsec.1
  CustomerGatewayId: !Ref CustomerGateWay
  VpnGatewayId: !Ref VirtualPrivateGateWay

Type: "AWS::EC2::VPNConnection"
Properties:
  Type: ipsec.1
  CustomerGatewayId: !Ref CustomerGateway
  StaticRoutesOnly: False
  VpnGatewayId: !Ref VPNGateway

Type: AWS::EC2::VPNConnection
Properties:
  Type: ipsec.1
  StaticRoutesOnly: true
  CustomerGatewayId: !Ref CustomerGateway
  VpnGatewayId: !Ref VPNGateway

Type: AWS::EC2::VPNConnection
Properties:
  CustomerGatewayId: !Ref rCustomerGatewayA
  TransitGatewayId: !Ref pTransitGatewayId
  Tags:
    - Key: Name
      # Value and any further properties truncated in the source

Type: AWS::EC2::VPNConnection
Properties:
  Type: ipsec.1
  StaticRoutesOnly: 'true'
  CustomerGatewayId: !Ref CustomerGateway
  VpnGatewayId: !Ref VPNGateway

"Type" : "AWS::EC2::VPNConnection",
"Properties" : {
  "Type" : "ipsec.1",
  "StaticRoutesOnly" : { "Fn::If" : [ "CreateVPNConnectionRoute", "true", "false" ]},
  "VpnGatewayId" : { "Fn::ImportValue" : { "Fn::Sub" : "${VPCStackName}-VPNGateway" }},
  "CustomerGatewayId" : { "Fn::ImportValue" : { "Fn::Sub" : "${CustomerGatewayStackName}-CustomerGateway" }}
}

"Type" : "AWS::EC2::VPNConnection",
"Properties" : {
  "Type" : "ipsec.1",
  "StaticRoutesOnly" : "true",
  "CustomerGatewayId" : {"Ref" : "VirtualCGWUS"},
  "VpnGatewayId" : {"Ref" : "ProdVPGW"}
}

"Type" : "AWS::EC2::VPNConnection",
"Properties" : {
  "Type" : "ipsec.1",
  "StaticRoutesOnly" : "true",
  "CustomerGatewayId" : {"Ref" : "VirtualCGWUS"},
  "VpnGatewayId" : {"Ref" : "ProdVPGW"}
}

"Type": "AWS::EC2::VPNConnection",
"Properties": {
  "Tags": [
    {
      "Key": "Name",
      "Value": "aip-all-vpn"
    }
  ]
}

"Type" : "AWS::EC2::VPNConnection",
"Properties" : {
  "Type" : "ipsec.1",
  "StaticRoutesOnly" : "true",
  "CustomerGatewayId" : {"Ref" : "CustomerGateway"},
  "VpnGatewayId" : {"Ref" : "vpnGWId"}
}
Parameters

CustomerGatewayId - required - String
StaticRoutesOnly - optional - Boolean (true when the customer gateway device does not speak BGP; routes are then added separately)
Tags - optional - List of Tag
TransitGatewayId - optional - String
Type - required - String (ipsec.1)
VpnGatewayId - optional - String (set either this or TransitGatewayId, not both)
VpnTunnelOptionsSpecifications - optional - List of VpnTunnelOptionsSpecification, one per tunnel, each carrying PreSharedKey and TunnelInsideCidr. Pass PreSharedKey from a NoEcho parameter rather than a literal, since anyone who can read the template otherwise reads the key; note that the key is still returned by DescribeVpnConnections and in the downloadable customer gateway configuration.
Explanation in CloudFormation Registry

Specifies a VPN connection between a virtual private gateway and a VPN customer gateway or a transit gateway and a VPN customer gateway.

To specify a VPN connection between a transit gateway and customer gateway, use the TransitGatewayId and CustomerGatewayId properties. To specify a VPN connection between a virtual private gateway and customer gateway, use the VpnGatewayId and CustomerGatewayId properties.

For more information, see AWS Site-to-Site VPN in the AWS Site-to-Site VPN User Guide.
Frequently asked questions
What is AWS Amazon EC2 VPN Connection?
AWS Amazon EC2 VPN Connection is a resource for Amazon EC2 of Amazon Web Services. Its settings can be written in Terraform and CloudFormation.
Where can I find the example code for the AWS Amazon EC2 VPN Connection?
For Terraform, the heldersepu/hs-scripts, pgastinger/terraform-aws-vpn-bgp-demo and infracost/infracost source code examples are useful. See the Terraform Example section for further details.
For CloudFormation, the Lorioux/CloudDevopsEngineerAWS, djoreilly/aws-vpn-testing and myshkin5/aws-musings source code examples are useful. See the CloudFormation Example section for further details.