Description:

Amazon Virtual Private Cloud (Amazon VPC) is a logically isolated virtual network in the AWS cloud that gives you complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.

We can also say that VPC is a private sub-section of AWS that you control in which you can place AWS resources (such as EC2 instances and databases). You have full control over who has access to the AWS resources that you place inside your VPC.

A VPN creates an encrypted network over the Internet. AWS Virtual Private Network establishes secure connections between your on-premises networks, remote offices, client devices, and the AWS global network.

AWS VPN is comprised of two services:

  • AWS Site-to-Site VPN

  • AWS Client VPN

This check ensures that AWS VPN tunnels are up and in use for accessing your resources.

Through CloudWatch you can check the status of each VPN tunnel.

Rationale:

It helps you to securely and privately access your cloud resources with either an AWS Site-to-Site VPN, Accelerated Site-to-Site VPN, or Client VPN connection.

When you connect an on-premises location to the AWS cloud, the connection uses encrypted tunnels to reach your AWS cloud resources. Accelerated VPN improves the performance of your Site-to-Site VPN connection by reducing the distance over which data travels on the public internet and instead leveraging the reliability and performance of the AWS global fiber network.

AWS Client VPN is designed to connect devices to your network. It allows you to choose from OpenVPN-based clients, giving employees the option to use the device of their choice, including Windows, Mac, iOS, Android, and Linux-based devices.

A Site-to-Site VPN connection connects your remote network to a VPC. Each Site-to-Site VPN connection has two tunnels, with each tunnel using a unique virtual private gateway public IP address. When one tunnel becomes unavailable (e.g. down for maintenance), network traffic is automatically routed to the available tunnel for that specific Site-to-Site VPN connection.

Each VPN connection is an encrypted link over which data can pass between the customer network and AWS. Each VPN connection includes two VPN tunnels, which you can use simultaneously for high availability.

Impact:

  1. AWS Site-to-Site VPN creates encrypted tunnels between your network and your Amazon Virtual Private Clouds or AWS.
  2. AWS Client VPN authenticates users using either Active Directory or certificates.
  3. AWS Client VPN provides network-based authorization, so you can define access control rules that limit access to specific networks based on Active Directory groups.
  4. Client VPN uses the TLS VPN tunnel protocol to encrypt the traffic.
  5. If a tunnel is Down, your VPN configuration is incomplete or incorrect, and you will not be able to connect through that VPN.

Default Value: 

By default, no VPN is established when a VPC is created. Once a Site-to-Site VPN connection is established, it has two tunnels, and each tunnel supports a maximum throughput of up to 1.25 Gbps if your VPN connection is to a Virtual Private Gateway.

Each tunnel supports a maximum of up to 140,000 packets per second.

When you create a VPN connection, the status of its tunnels is initially Down.

Audit:

Step 1: Sign in to AWS Management Console and go to VPC dashboard https://console.aws.amazon.com/vpc/.

Step 2: Click on Site-to-Site VPN Connection in the left navigation pane

Step 3: Select the VPN connection whose tunnels you want to audit

Step 4: Click on the Tunnel Details tab in the bottom panel and verify the state of the VPN tunnels listed in the Status column

Via CLI:

To describe your VPN connections:

aws ec2 describe-vpn-connections


Remediation:

Pre-Requisite:

  • A custom VPC has been created for the VPN.

  • You must have a Customer Gateway, which contains your on-premises public IP.

  • For this policy, a Site-to-Site VPN connection has already been created.

  • Route propagation is enabled in the route table.

  • A Virtual Private Gateway has already been created.

Implementation Steps:

If you use a static VPN:

Step 1: Sign in to AWS Management Console and go to VPC dashboard https://console.aws.amazon.com/vpc/.

Step 2: Click on Site-to-Site VPN Connection in the left navigation pane

Step 3: Select the static VPN connection whose tunnel status you want to check

Step 4: Click on the Tunnel Details tab in the bottom panel and verify the state of the VPN tunnels listed in the Status column

Step 5: If the tunnel status is UP, view the static routes. Be sure to specify any private networks on your on-premises firewall.

If the tunnel status is Down, verify that your on-premises firewall is properly configured.

Step 6: Be sure to enable route propagation in your VPC route table

If you use a dynamic VPN with BGP:

Step 1: Sign in to AWS Management Console and go to VPC dashboard https://console.aws.amazon.com/vpc/.

Step 2: Click on Site-to-Site VPN Connection in the left navigation pane

Step 3: Select the dynamic (BGP) VPN connection whose tunnel status you want to check

Step 4: Click on the Tunnel Details tab in the bottom panel and verify the state of the VPN tunnels listed in the Status column

Step 5: If the tunnel status is UP, verify that the Details column has one or more BGP routes listed.

Step 6: If the tunnel status is Down but the Details column shows IPSEC IS UP, be sure to configure BGP properly on your firewall: Phase 2 of Internet Protocol Security (IPsec) is established, but BGP is not.

Step 7: Be sure to enable route propagation in your VPC route table

Monitor your VPN tunnel using CloudWatch

You can also use Amazon CloudWatch to check the status of a VPN tunnel, be notified when the status of the tunnel changes, and access metric data over time to help evaluate the tunnel's stability.


Via CLI:

To check the status of a VPN connection using the CLI, use the describe-vpn-connections AWS CLI command:

aws ec2 describe-vpn-connections --vpn-connection-ids vpn-1a2b3c4d


To describe your virtual private gateways:

aws ec2 describe-vpn-gateways
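
The tunnel checks from the Audit and Implementation Steps above (both tunnels UP, IPSEC IS UP without BGP, BGP routes accepted, static routes present) can be run against the JSON that describe-vpn-connections returns. The script below is an added example written for this policy, not AWS-provided code; the sample data is constructed in the shape of that command's output (VgwTelemetry, Options.StaticRoutesOnly, Routes) and the file name and connection IDs are placeholders.

```python
import json
import sys

# Constructed sample shaped like `aws ec2 describe-vpn-connections` output (not captured
# from a real account): a BGP connection whose second tunnel has IPsec up but BGP down,
# and a static connection with both tunnels up.
SAMPLE = json.loads("""{"VpnConnections": [
 {"VpnConnectionId": "vpn-1a2b3c4d", "State": "available",
  "Options": {"StaticRoutesOnly": false}, "Routes": [],
  "VgwTelemetry": [
   {"OutsideIpAddress": "203.0.113.10", "Status": "UP", "StatusMessage": "", "AcceptedRouteCount": 3},
   {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN", "StatusMessage": "IPSEC IS UP", "AcceptedRouteCount": 0}]},
 {"VpnConnectionId": "vpn-5e6f7a8b", "State": "available",
  "Options": {"StaticRoutesOnly": true},
  "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "State": "available", "Source": "Static"}],
  "VgwTelemetry": [
   {"OutsideIpAddress": "198.51.100.20", "Status": "UP", "StatusMessage": "", "AcceptedRouteCount": 0},
   {"OutsideIpAddress": "198.51.100.21", "Status": "UP", "StatusMessage": "", "AcceptedRouteCount": 0}]}]}""")


def audit_vpn_connections(data):
    """Map each VpnConnectionId to a list of findings; an empty list means the
    connection passes (both tunnels UP and routes present for its routing type)."""
    findings = {}
    for conn in data.get("VpnConnections", []):
        issues = []
        tunnels = conn.get("VgwTelemetry", [])
        up = [t for t in tunnels if t.get("Status") == "UP"]
        static_only = conn.get("Options", {}).get("StaticRoutesOnly", False)
        if not up:
            issues.append("FAIL: all tunnels DOWN, no path to AWS")
        elif len(up) < len(tunnels):
            issues.append("WARN: only %d of %d tunnels UP, no failover" % (len(up), len(tunnels)))
        for t in tunnels:
            ip, msg = t.get("OutsideIpAddress"), (t.get("StatusMessage") or "").upper()
            # Tunnel DOWN while Details says IPSEC IS UP: phase 2 is up but BGP never came up.
            if t.get("Status") != "UP" and "IPSEC IS UP" in msg:
                issues.append("tunnel %s: IPsec up but BGP not established" % ip)
            # A BGP tunnel that is UP should have at least one accepted route.
            if t.get("Status") == "UP" and not static_only and not t.get("AcceptedRouteCount"):
                issues.append("tunnel %s: UP but zero BGP routes accepted" % ip)
        if static_only and not [r for r in conn.get("Routes", []) if r.get("State") == "available"]:
            issues.append("static VPN with no available static routes")
        findings[conn["VpnConnectionId"]] = issues
    return findings


if __name__ == "__main__":
    # Real use: aws ec2 describe-vpn-connections > vpn.json && python3 audit_vpn_tunnels.py vpn.json
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for vpn_id, issues in audit_vpn_connections(data).items():
        print(vpn_id, "PASS" if not issues else "; ".join(issues))
```

Any connection that reports a FAIL finding is non-compliant with this policy; a WARN finding means the connection works but has lost its failover tunnel.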


Backout Plan:

As a backout plan, consider the case where you have an AWS Direct Connect connection and an AWS Classic VPN connection on the same virtual private gateway, and you use the VPN connection as a backup for the AWS Direct Connect connection. In this case, you delete the existing AWS Classic VPN connection on your Virtual Private Gateway. Once the AWS Classic VPN connection is in the deleted state, you can migrate to an AWS VPN connection by creating a new VPN connection on the same virtual private gateway.

Via CLI:

To delete a VPN connection:

aws ec2 delete-vpn-connection --vpn-connection-id <vpn_id>


Reference: