Description:
Amazon Virtual Private Cloud (Amazon VPC) is a logically isolated virtual network in the AWS cloud that gives you complete control over your virtual networking environment, including a selection of your own IP address range, the creation of subnets, and the configuration of route tables and network gateways.
We can also say that VPC is a private sub-section of AWS that you control and in which you can place AWS resources (such as EC2 instances and databases). You have full control over who has access to the AWS resources that you place inside your VPC.
VPNs create an encrypted network over the Internet. AWS Virtual Private Network establishes secure connections between your on-premises networks, remote offices, client devices, and the AWS global network.
AWS VPN consists of two services:
AWS Site-to-Site VPN
AWS Client VPN
Through CloudWatch you can check the status of the VPN tunnel, so that you can ensure that AWS VPN tunnels are working and are being used to access the resources.
Rationale:
It helps you securely and privately access your cloud resources with either an AWS Site-to-Site VPN, an Accelerated Site-to-Site VPN, or a Client VPN connection.
When you connect an on-premises location to the AWS cloud, an encrypted tunnel is created between your location and your AWS cloud. Accelerated VPN improves the performance of your Site-to-Site VPN connection by reducing the distance over which data travels on the public internet and leveraging the reliability and performance of the AWS global fiber network.
AWS Client VPN is designed to connect devices to your network. It allows you to choose from OpenVPN-based clients, giving employees the option to use the device of their choice, including Windows, Mac, iOS, Android, and Linux-based devices.
Use a Site-to-Site VPN connection to connect your remote network to a VPC. Each Site-to-Site VPN connection has two tunnels, with each tunnel using a unique public IP address of the virtual private gateway. When one tunnel becomes unavailable (e.g., down for maintenance), network traffic is automatically routed to the available tunnel for that specific Site-to-Site VPN connection.
A VPN connection is an encrypted link over which data can pass between the customer network and AWS. Each VPN connection includes two VPN tunnels, which you can use simultaneously for high availability.
Impact:
- AWS Site-to-Site VPN creates encrypted tunnels between your network and your Amazon Virtual Private Clouds (VPCs) in AWS.
- AWS Client VPN will authenticate using either Active Directory or certificates.
- AWS Client VPN provides network-based authorization so you can define access control rules that limit access to specific networks, based on Active Directory groups.
- AWS Client VPN uses the secure TLS VPN tunnel protocol to encrypt the traffic.
- If the tunnel is Down, your VPN configuration is missing or incorrect, and you will not be able to connect through your VPN.
Default Value:
By default, there are no VPNs established with a VPC. When you create and establish a VPN tunnel, an AWS Site-to-Site VPN connection has two tunnels, and each tunnel supports a maximum throughput of up to 1.25 Gbps. If your VPN connection is to a virtual private gateway, each tunnel supports a maximum of up to 140,000 packets per second.
When you first create a VPN connection, the status of its tunnels is Down.
Audit:
Step 1: Sign in to the AWS Management Console and go to the VPC dashboard https://console.aws.amazon.com/vpc/.
Step 2: Click on Site-to-Site VPN Connections in the left navigation pane.
Step 3: Select the VPN connection whose tunnels you want to audit.
Step 4: Click on the Tunnel details tab in the bottom panel and verify the state of the VPN tunnels listed within the Status column.
Via CLI:
To describe your VPN connections:
aws ec2 describe-vpn-connections
Remediation:
Pre-Requisite:
You have created a custom VPC for the VPN.
You must have a customer gateway, which contains your on-premises public IP address.
For this policy, you have already created a Site-to-Site VPN connection.
Route propagation is enabled in the route table.
You have already created a virtual private gateway.
Implementation Steps:
If you use a static VPN,
Step 1: Sign in to the AWS Management Console and go to the VPC dashboard https://console.aws.amazon.com/vpc/.
Step 2: Click on Site-to-Site VPN Connections in the left navigation pane.
Step 3: Select the VPN connection whose tunnel status you want to check, if the VPN connection is a static VPN.
Step 4: Click on the Tunnel details tab in the bottom panel and verify the state of the VPN tunnels listed within the Status column.
Step 5: If the tunnel status is UP, choose the Static routes view. Be sure to specify any private networks on your on-premises firewall.
If the tunnel status is Down, verify that your on-premises firewall is properly configured.
Step 6: Be sure to enable route propagation in your VPC route table.
If you use a dynamic VPN with BGP,
Step 1: Sign in to the AWS Management Console and go to the VPC dashboard https://console.aws.amazon.com/vpc/.
Step 2: Click on Site-to-Site VPN Connection in the left navigation pane.
Step 3: Select the VPN connection whose tunnel status you want to check, if the VPN connection is a dynamic VPN with BGP.
Step 4: Click on the Tunnel details tab in the bottom panel and verify the state of the VPN tunnels listed within the Status column.
Step 5: If the tunnel status is UP, verify that the Details column has one or more BGP routes listed.
Step 6: If the tunnel status is Down but the Details column shows IPSEC IS UP, be sure to configure BGP properly on your firewall: Phase 2 of Internet Protocol Security (IPsec) is established, but BGP is not established.
Step 7: Be sure to enable route propagation in your VPC route table.
Monitor your VPN tunnel using CloudWatch
You can also use Amazon CloudWatch to check the status of the VPN tunnel, be notified when the status of the tunnel changes, and access metric data over time to help evaluate the tunnel’s stability.
Via CLI:
To check the status of VPNs using the CLI, use the describe-vpn-connections AWS CLI command.
aws ec2 describe-vpn-connections --vpn-connection-ids vpn-1a2b3c4d
To describe your virtual private gateways:
aws ec2 describe-vpn-gateways
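The tunnel checks in the Audit section and in the static and BGP remediation steps above can be run against the JSON that describe-vpn-connections returns. The following added example (not part of this policy text or of the AWS CLI) parses a constructed sample of that output, flags tunnels that are Down, separates the "IPSEC IS UP but BGP not established" case from a plain IPsec failure, and warns about static VPNs with no static routes; the VPN IDs and IP addresses are placeholders.

```python
import json

# Constructed sample of `aws ec2 describe-vpn-connections` output, trimmed to the
# fields this check reads. IDs and addresses are placeholders, not real resources.
SAMPLE_OUTPUT = json.loads("""
{"VpnConnections": [
  {"VpnConnectionId": "vpn-0aaa1111bbbb2222c", "State": "available",
   "Options": {"StaticRoutesOnly": true},
   "Routes": [{"DestinationCidrBlock": "10.20.0.0/16", "State": "available"}],
   "VgwTelemetry": [
     {"OutsideIpAddress": "203.0.113.10", "Status": "UP", "StatusMessage": "", "AcceptedRouteCount": 1},
     {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN", "StatusMessage": "IPSEC IS DOWN", "AcceptedRouteCount": 0}]},
  {"VpnConnectionId": "vpn-0ddd3333eeee4444f", "State": "available",
   "Options": {"StaticRoutesOnly": false},
   "Routes": [],
   "VgwTelemetry": [
     {"OutsideIpAddress": "198.51.100.20", "Status": "DOWN", "StatusMessage": "IPSEC IS UP", "AcceptedRouteCount": 0},
     {"OutsideIpAddress": "198.51.100.21", "Status": "UP", "StatusMessage": "", "AcceptedRouteCount": 3}]}
]}
""")


def audit_vpn_tunnels(output):
    """Return (vpn_id, tunnel_ip, finding) tuples for anything that needs attention."""
    findings = []
    for conn in output["VpnConnections"]:
        vpn_id = conn["VpnConnectionId"]
        static = conn.get("Options", {}).get("StaticRoutesOnly", False)
        if static and not conn.get("Routes"):
            # Static VPN: remediation step 5 expects static routes to be present.
            findings.append((vpn_id, None, "static VPN with no static routes configured"))
        for tunnel in conn.get("VgwTelemetry", []):
            ip = tunnel["OutsideIpAddress"]
            msg = tunnel.get("StatusMessage", "")
            if tunnel["Status"] == "UP":
                # Dynamic VPN: an UP tunnel should carry at least one accepted BGP route.
                if not static and tunnel.get("AcceptedRouteCount", 0) == 0:
                    findings.append((vpn_id, ip, "tunnel UP but no BGP routes accepted"))
            elif "IPSEC IS UP" in msg.upper():
                # IPsec Phase 2 is established but the BGP session is not (remediation step 6).
                findings.append((vpn_id, ip, "IPsec up but BGP not established; check BGP on the firewall"))
            else:
                findings.append((vpn_id, ip, "tunnel DOWN; check on-premises firewall configuration"))
    return findings


if __name__ == "__main__":
    for vpn_id, ip, finding in audit_vpn_tunnels(SAMPLE_OUTPUT):
        print(f"{vpn_id} {ip or '-'}: {finding}")
```

To run it against a real account, pipe `aws ec2 describe-vpn-connections --output json` into `json.load` instead of using the constructed sample.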
As a backup plan, if you have an AWS Direct Connect connection and an AWS Classic VPN connection on the same virtual private gateway, and you use the VPN connection as a backup for the AWS Direct Connect connection, delete the existing AWS Classic VPN connections on your virtual private gateway. When the AWS Classic VPN connections are in the deleted state, you can then migrate to an AWS VPN connection by creating a new VPN connection on the same virtual private gateway.
AWS Console Process:
- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
- In the navigation pane, choose Site-to-Site VPN Connections.
- Select the Site-to-Site VPN connection and choose Actions, Delete.
- Choose Delete.
Via CLI:
To delete a VPN connection:
aws ec2 delete-vpn-connection --vpn-connection-id <vpn_id>
Reference: