AWS Amazon EC2 VPN Connection
This page shows how to write Terraform and CloudFormation for Amazon EC2 VPN Connection and write them securely.
aws_vpn_connection (Terraform)
The VPN Connection in Amazon EC2 can be configured in Terraform with the resource name aws_vpn_connection. The following sections describe 3 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_vpn_connection" "west" {
count = var.vpn_enabled
vpn_gateway_id = aws_vpn_gateway.west.id
customer_gateway_id = aws_customer_gateway.gate.id
type = "ipsec.1"
resource "aws_vpn_connection" "A4LTGW_R1" {
customer_gateway_id = aws_customer_gateway.router1.id
transit_gateway_id = aws_ec2_transit_gateway.tgw.id
type = aws_customer_gateway.router1.type
tags = {
resource "aws_vpn_connection" "vpn_connection" {
customer_gateway_id = "dummy-customer-gateway-id"
type = "ipsec.1"
}
resource "aws_vpn_connection" "transit" {
Parameters
-
arnoptional computed - string -
customer_gateway_configurationoptional computed - string -
customer_gateway_idrequired - string -
enable_accelerationoptional computed - bool -
idoptional computed - string -
local_ipv4_network_cidroptional computed - string -
local_ipv6_network_cidroptional computed - string -
remote_ipv4_network_cidroptional computed - string -
remote_ipv6_network_cidroptional computed - string -
routesoptional computed - set of object-
destination_cidr_block- string -
source- string -
state- string
-
-
static_routes_onlyoptional computed - bool -
tagsoptional - map from string to string -
transit_gateway_attachment_idoptional computed - string -
transit_gateway_idoptional - string -
tunnel1_addressoptional computed - string -
tunnel1_bgp_asnoptional computed - string -
tunnel1_bgp_holdtimeoptional computed - number -
tunnel1_cgw_inside_addressoptional computed - string -
tunnel1_dpd_timeout_actionoptional - string -
tunnel1_dpd_timeout_secondsoptional - number -
tunnel1_ike_versionsoptional - set of string -
tunnel1_inside_cidroptional computed - string -
tunnel1_inside_ipv6_cidroptional computed - string -
tunnel1_phase1_dh_group_numbersoptional - set of number -
tunnel1_phase1_encryption_algorithmsoptional - set of string -
tunnel1_phase1_integrity_algorithmsoptional - set of string -
tunnel1_phase1_lifetime_secondsoptional - number -
tunnel1_phase2_dh_group_numbersoptional - set of number -
tunnel1_phase2_encryption_algorithmsoptional - set of string -
tunnel1_phase2_integrity_algorithmsoptional - set of string -
tunnel1_phase2_lifetime_secondsoptional - number -
tunnel1_preshared_keyoptional computed - string -
tunnel1_rekey_fuzz_percentageoptional - number -
tunnel1_rekey_margin_time_secondsoptional - number -
tunnel1_replay_window_sizeoptional - number -
tunnel1_startup_actionoptional - string -
tunnel1_vgw_inside_addressoptional computed - string -
tunnel2_addressoptional computed - string -
tunnel2_bgp_asnoptional computed - string -
tunnel2_bgp_holdtimeoptional computed - number -
tunnel2_cgw_inside_addressoptional computed - string -
tunnel2_dpd_timeout_actionoptional - string -
tunnel2_dpd_timeout_secondsoptional - number -
tunnel2_ike_versionsoptional - set of string -
tunnel2_inside_cidroptional computed - string -
tunnel2_inside_ipv6_cidroptional computed - string -
tunnel2_phase1_dh_group_numbersoptional - set of number -
tunnel2_phase1_encryption_algorithmsoptional - set of string -
tunnel2_phase1_integrity_algorithmsoptional - set of string -
tunnel2_phase1_lifetime_secondsoptional - number -
tunnel2_phase2_dh_group_numbersoptional - set of number -
tunnel2_phase2_encryption_algorithmsoptional - set of string -
tunnel2_phase2_integrity_algorithmsoptional - set of string -
tunnel2_phase2_lifetime_secondsoptional - number -
tunnel2_preshared_keyoptional computed - string -
tunnel2_rekey_fuzz_percentageoptional - number -
tunnel2_rekey_margin_time_secondsoptional - number -
tunnel2_replay_window_sizeoptional - number -
tunnel2_startup_actionoptional - string -
tunnel2_vgw_inside_addressoptional computed - string -
tunnel_inside_ip_versionoptional computed - string -
typerequired - string -
vgw_telemetryoptional computed - set of object-
accepted_route_count- number -
last_status_change- string -
outside_ip_address- string -
status- string -
status_message- string
-
-
vpn_gateway_idoptional - string
Explanation in Terraform Registry
Manages an EC2 VPN connection. These objects can be connected to customer gateways, and allow you to establish tunnels between your network and Amazon.
Note: All arguments including
tunnel1_preshared_keyandtunnel2_preshared_keywill be stored in the raw state as plain-text. Read more about sensitive data in state. Note: The CIDR blocks in the argumentstunnel1_inside_cidrandtunnel2_inside_cidrmust have a prefix of /30 and be a part of a specific range. Read more about this in the AWS documentation.
Tips: Best Practices for The Other AWS Amazon EC2 Resources
In addition to the aws_default_vpc, AWS Amazon EC2 has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.
aws_default_vpc
Ensure to avoid using default VPC
It is better to define the own VPC and use it.
aws_network_acl_rule
Ensure your network ACL rule blocks unwanted inbound traffic
It is better to block unwanted inbound traffic.
aws_ebs_volume
Ensure to use a customer-managed key for EBS volume encryption
It is better to use a customer-managed key for EBS volume encryption. It can be gain more control over the encryption by using customer-managed keys (CMK).
aws_instance
Ensure to avoid storing AWS access keys in user data
It is better to avoid storing AWS access keys in user data. `aws_iam_instance_profile` could be used instead.
aws_security_group
Ensure your security group blocks unwanted inbound traffic
It is better to block unwanted inbound traffic.
AWS::EC2::VPNConnection (CloudFormation)
The VPNConnection in EC2 can be configured in CloudFormation with the resource name AWS::EC2::VPNConnection. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
Type: AWS::EC2::VPNConnection
DependsOn: [CustomerGateWay, VirtualPrivateGateWay]
Properties:
Type: ipsec.1
CustomerGatewayId: !Ref CustomerGateWay
VpnGatewayId: !Ref VirtualPrivateGateWay
Type: "AWS::EC2::VPNConnection"
Properties:
Type: ipsec.1
CustomerGatewayId: !Ref CustomerGateway
StaticRoutesOnly: False
VpnGatewayId: !Ref VPNGateway
Type: AWS::EC2::VPNConnection
Properties:
Type: ipsec.1
StaticRoutesOnly: true
CustomerGatewayId: !Ref CustomerGateway
VpnGatewayId: !Ref VPNGateway
Type: AWS::EC2::VPNConnection
Properties:
CustomerGatewayId: !Ref rCustomerGatewayA
TransitGatewayId: !Ref pTransitGatewayId
Tags:
- Key: Name
Type: AWS::EC2::VPNConnection
Properties:
Type: ipsec.1
StaticRoutesOnly: 'true'
CustomerGatewayId: !Ref CustomerGateway
VpnGatewayId: !Ref VPNGateway
"Type" : "AWS::EC2::VPNConnection",
"Properties" : {
"Type" : "ipsec.1",
"StaticRoutesOnly" : { "Fn::If" : [ "CreateVPNConnectionRoute", "true", "false" ]},
"VpnGatewayId" : { "Fn::ImportValue" : { "Fn::Sub" : "${VPCStackName}-VPNGateway" }},
"CustomerGatewayId" : { "Fn::ImportValue" : { "Fn::Sub" : "${CustomerGatewayStackName}-CustomerGateway" }},
"Type" : "AWS::EC2::VPNConnection",
"Properties" : {
"Type" : "ipsec.1",
"StaticRoutesOnly" : "true",
"CustomerGatewayId" : {"Ref" : "VirtualCGWUS"},
"VpnGatewayId" : {"Ref" : "ProdVPGW"},
"Type" : "AWS::EC2::VPNConnection",
"Properties" : {
"Type" : "ipsec.1",
"StaticRoutesOnly" : "true",
"CustomerGatewayId" : {"Ref" : "VirtualCGWUS"},
"VpnGatewayId" : {"Ref" : "ProdVPGW"},
"Type": "AWS::EC2::VPNConnection",
"Properties": {
"Tags": [
{
"Key": "Name",
"Value": "aip-all-vpn"
"Type" : "AWS::EC2::VPNConnection",
"Properties" : {
"Type" : "ipsec.1",
"StaticRoutesOnly" : "true",
"CustomerGatewayId" : {"Ref" : "CustomerGateway"},
"VpnGatewayId" : {"Ref" : "vpnGWId"},
Parameters
-
CustomerGatewayIdrequired - String -
StaticRoutesOnlyoptional - Boolean -
Tagsoptional - List of Tag -
TransitGatewayIdoptional - String -
Typerequired - String -
VpnGatewayIdoptional - String -
VpnTunnelOptionsSpecificationsoptional - List of VpnTunnelOptionsSpecification
Explanation in CloudFormation Registry
Specifies a VPN connection between a virtual private gateway and a VPN customer gateway or a transit gateway and a VPN customer gateway.
To specify a VPN connection between a transit gateway and customer gateway, use the
TransitGatewayIdandCustomerGatewayIdproperties.To specify a VPN connection between a virtual private gateway and customer gateway, use the
VpnGatewayIdandCustomerGatewayIdproperties.For more information, see AWS Site-to-Site VPN in the AWS Site-to-Site VPN User Guide.
Frequently asked questions
What is AWS Amazon EC2 VPN Connection?
AWS Amazon EC2 VPN Connection is a resource for Amazon EC2 of Amazon Web Service. Settings can be wrote in Terraform and CloudFormation.
Where can I find the example code for the AWS Amazon EC2 VPN Connection?
For Terraform, the heldersepu/hs-scripts, pgastinger/terraform-aws-vpn-bgp-demo and infracost/infracost source code examples are useful. See the Terraform Example section for further details.
For CloudFormation, the Lorioux/CloudDevopsEngineerAWS, djoreilly/aws-vpn-testing and myshkin5/aws-musings source code examples are useful. See the CloudFormation Example section for further details.
