Profile Applicability:

  • Level 1

Description:

AWS Site-to-Site VPN connects an on-premises network to an Amazon Virtual Private Cloud (VPC) through an encrypted VPN tunnel. AWS automatically provisions two VPN tunnels for each VPN connection to ensure high availability. This SOP ensures that both VPN tunnels are up and functioning correctly, providing uninterrupted connectivity between your on-premises network and the AWS VPC. Ensuring both tunnels are operational enhances the fault tolerance and resilience of the connection.

Rationale:

Maintaining two active VPN tunnels ensures high availability for the Site-to-Site VPN connection. If one tunnel fails, traffic is automatically routed through the second tunnel, ensuring that the connection remains stable and reliable. This configuration prevents single points of failure and ensures business continuity, especially in environments that require constant and secure communication between on-premises infrastructure and AWS resources.

Impact:

Pros:

  • High Availability: Ensures continuous connectivity between the on-premises network and AWS, even if one tunnel fails.

  • Fault Tolerance: Prevents connection downtime by providing a backup route for VPN traffic.

  • Business Continuity: Reduces the impact of a single VPN tunnel failure, ensuring mission-critical applications remain accessible.

Cons:

  • Complexity: Requires careful monitoring and management of the tunnels to ensure both are operational.

  • Potential Latency: If one tunnel goes down, traffic will be routed through the other tunnel, which might increase latency temporarily.

Default Value:

By default, AWS Site-to-Site VPN connections come with two tunnels (primary and secondary). Both tunnels should be up for optimal performance and availability.

Pre-requisite:

  • AWS IAM Permissions:

    • ec2:DescribeVpnConnections

    • ec2:DescribeVpnTunnels

  • AWS CLI installed and configured.

  • Knowledge of AWS Site-to-Site VPN configuration and architecture.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to VPC under Services.

  3. In the VPC Dashboard, select VPN Connections under VPN.

  4. Find the VPN connection and check the status of both tunnels:

    • Both Tunnel 1 and Tunnel 2 should show as UP.

  5. If either tunnel is down, investigate the issue by checking the tunnel logs and routing configurations.

Using AWS CLI:

To describe the VPN connection and check the status of both tunnels, run the following command. The tunnel state is reported in the VgwTelemetry field of the connection, with one entry per tunnel:

aws ec2 describe-vpn-connections --vpn-connection-id <vpn-connection-id> --query 'VpnConnections[].VgwTelemetry[].{OutsideIpAddress:OutsideIpAddress,Status:Status,StatusMessage:StatusMessage}'

Review the output to ensure that both tunnels are reported as UP. The Status of each tunnel should be UP; any other value (for example DOWN) indicates a tunnel that needs attention, and StatusMessage gives the reason reported by AWS.

Example output (addresses are illustrative):

[
  {
    "OutsideIpAddress": "203.0.113.10",
    "Status": "UP",
    "StatusMessage": ""
  },
  {
    "OutsideIpAddress": "203.0.113.11",
    "Status": "UP",
    "StatusMessage": ""
  }
]

If either tunnel is down, further investigation is required to diagnose the cause, such as checking the on-premises VPN configuration or the security settings.

Implementation Steps:

Using AWS Console:

  1. Open the AWS Management Console and navigate to VPC.

  2. In the VPC Dashboard, go to VPN Connections and select the VPN connection you wish to inspect.

  3. Check the Tunnel 1 and Tunnel 2 status in the VPN connection details.

    • Both tunnels should show a status of UP.

  4. If one tunnel is down, identify the issue by reviewing logs and configurations. Common issues might include:

    • IPsec configuration mismatch.

    • VPN gateway issues on the on-premises side.

    • Network ACL or security group misconfiguration.

Using AWS CLI:

Run the following command to verify the status of both VPN tunnels (each entry in VgwTelemetry corresponds to one tunnel):

aws ec2 describe-vpn-connections --vpn-connection-id <vpn-connection-id> --query 'VpnConnections[].VgwTelemetry[].{OutsideIpAddress:OutsideIpAddress,Status:Status,StatusMessage:StatusMessage}'

Ensure the Status of both Tunnel 1 and Tunnel 2 shows UP.

If any tunnel is down, check the following:

  • Ensure that the on-premises VPN gateway is operational.

  • Verify that the IPsec configurations match between AWS and the on-premises gateway.

  • Check routing to ensure there are no conflicts or issues with the traffic flow.
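The CLI check above covers one connection at a time. As an added example (not part of this SOP), the following Python script applies the same test to every connection in the account by reading the JSON output of `aws ec2 describe-vpn-connections` from stdin and flagging any connection that does not have both tunnels UP; the embedded sample response is constructed, not real account data.

```python
"""Check AWS Site-to-Site VPN tunnel health from describe-vpn-connections output.
Usage (assumes the AWS CLI is configured for the account and region in scope):
    aws ec2 describe-vpn-connections --output json | python3 check_vpn_tunnels.py
"""
import json
import sys

EXPECTED_TUNNELS = 2  # AWS provisions two tunnels per Site-to-Site VPN connection


def evaluate_connections(response):
    """Return one finding per VPN connection in a parsed describe-vpn-connections response.

    A connection is compliant only when it is 'available', has both tunnels,
    and every VgwTelemetry entry (one per tunnel) reports Status "UP".
    """
    findings = []
    for conn in response.get("VpnConnections", []):
        telemetry = conn.get("VgwTelemetry", [])
        down = [t.get("OutsideIpAddress", "?") for t in telemetry if t.get("Status") != "UP"]
        findings.append({
            "VpnConnectionId": conn.get("VpnConnectionId"),
            "TunnelsUp": len(telemetry) - len(down),
            "TunnelsDown": down,
            "Compliant": (conn.get("State") == "available"
                          and len(telemetry) == EXPECTED_TUNNELS and not down),
        })
    return findings


# Constructed sample response (not real account data): one healthy connection
# and one whose second tunnel is down.
SAMPLE_RESPONSE = {"VpnConnections": [
    {"VpnConnectionId": "vpn-0aaaaaaaaaaaaaaaa", "State": "available", "VgwTelemetry": [
        {"OutsideIpAddress": "203.0.113.10", "Status": "UP", "StatusMessage": ""},
        {"OutsideIpAddress": "203.0.113.11", "Status": "UP", "StatusMessage": ""}]},
    {"VpnConnectionId": "vpn-0bbbbbbbbbbbbbbbb", "State": "available", "VgwTelemetry": [
        {"OutsideIpAddress": "203.0.113.20", "Status": "UP", "StatusMessage": ""},
        {"OutsideIpAddress": "203.0.113.21", "Status": "DOWN", "StatusMessage": "IPSEC IS DOWN"}]},
]}

if __name__ == "__main__":
    # Use live CLI output when piped in; otherwise run against the constructed sample.
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_RESPONSE
    findings = evaluate_connections(data)
    for f in findings:
        status = "PASS" if f["Compliant"] else "FAIL"
        extra = f", down: {', '.join(f['TunnelsDown'])}" if f["TunnelsDown"] else ""
        print(f"{status} {f['VpnConnectionId']}: {f['TunnelsUp']}/{EXPECTED_TUNNELS} tunnels up{extra}")
    sys.exit(0 if all(f["Compliant"] for f in findings) else 1)
```

The non-zero exit code on any failing connection lets the script run unattended from a scheduler and raise an alert when a tunnel drops.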

Backout Plan:

If troubleshooting and fixing the VPN tunnels causes issues or creates an unwanted impact:

  1. Identify the affected tunnel and check the configuration on both the AWS side and the on-premises side.

  2. If necessary, remove and recreate the VPN connection and its tunnels using the following steps:

    • Delete the VPN connection:

      aws ec2 delete-vpn-connection --vpn-connection-id <vpn-connection-id>

    • Recreate the VPN connection with the proper configurations.

  3. Reverify that both tunnels are up and operational after the changes.

References:

CIS Controls Mapping:

Version | Control ID | Control Description                                                                                                            | IG1 | IG2 | IG3
--------|------------|--------------------------------------------------------------------------------------------------------------------------------|-----|-----|----
v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                                           |     |     |
v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. |     |     |
v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.                       |     |     |
v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems.                                |     |     |