
VPN Tunnel Redundancy

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (should be achieved)
Rule ID: VPC-002

Ensure that your AWS VPNs have both tunnels always active as a failover strategy in case of an outage or a planned maintenance.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Reliability

Using two active tunnels for your AWS VPN (IPsec) connections ensures redundancy when one of the tunnels becomes unavailable. A common scenario where a redundant configuration is useful is a planned maintenance session, during which you need to keep traffic flowing between the on-premises network and the AWS VPC without any downtime.


Audit

To determine if your AWS VPN configuration has two active tunnels, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS VPC dashboard at https://console.aws.amazon.com/vpc/.

03 In the left navigation panel, under VPN Connections section, click VPN Connections.

04 Select the VPN connection that you want to examine.

05 Select Tunnel Details tab from the bottom panel and verify the connection tunnels status (UP for active, DOWN for inactive). If one of the tunnels is inactive (DOWN), the selected VPN configuration is not redundant.

06 Repeat steps no. 4 and 5 for each VPN connection available in the current region. Change the AWS region from the navigation bar to repeat the process for other regions.

Using AWS CLI

01 Run describe-vpn-connections command (OSX/Linux/UNIX) to list the VPN connections available in the selected region and their configuration details:

aws ec2 describe-vpn-connections \
	--region us-east-1 \
	--filters "Name=state,Values=available"

02 The command output should return the metadata of each VPN connection (ID, state, gateway, telemetry, etc.). Check the Status value of each tunnel entry inside the VgwTelemetry list. If either tunnel status is DOWN (inactive), the selected VPN configuration is not redundant:

{
    "VpnConnections": [
        {
            "VpnConnectionId": "vpn-a9495fc8",
            "Tags": [
                {
                    "Value": "NYOffice-AWS",
                    "Key": "Name"
                }
            ],
            "CustomerGatewayConfiguration": "...",
            "Routes": [
                {
                    "DestinationCidrBlock": "192.168.0.0/24",
                    "State": "available"
                }
            ],
            "VgwTelemetry": [
                {
                    "Status": "UP",
                    "AcceptedRouteCount": 1,
                    "OutsideIpAddress": "52.200.108.223",
                    "LastStatusChange": "2016-04-27T06:51:05.000Z",
                    "StatusMessage": ""
                },
                {
                    "Status": "DOWN",
                    "AcceptedRouteCount": 1,
                    "OutsideIpAddress": "52.200.108.221",
                    "LastStatusChange": "2016-04-27T06:50:00.000Z",
                    "StatusMessage": ""
                }
            ],
            "State": "available",
            "VpnGatewayId": "vgw-5a8d6333",
            "CustomerGatewayId": "cgw-858668ec",
            "Type": "ipsec.1",
            "Options": {
                "StaticRoutesOnly": true
            }
        }
    ]
}

03 Change the AWS region by updating the --region parameter value to repeat the process for other regions.
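The CLI audit above can be automated by evaluating the describe-vpn-connections JSON directly. The following script is an added example (not Conformity's own check implementation); it embeds a constructed sample modelled on the output shown above, with the second connection ID being made up, and flags every available connection that does not have both tunnels reporting UP.

```python
"""Evaluate VPC-002 (VPN tunnel redundancy) over describe-vpn-connections output."""
import json

# Constructed sample modelled on the CLI output above: the first connection has
# one tunnel DOWN (as on the page), the second (made-up ID) has both tunnels UP.
SAMPLE_OUTPUT = json.dumps({
    "VpnConnections": [
        {
            "VpnConnectionId": "vpn-a9495fc8",
            "State": "available",
            "VgwTelemetry": [
                {"Status": "UP", "OutsideIpAddress": "52.200.108.223", "AcceptedRouteCount": 1},
                {"Status": "DOWN", "OutsideIpAddress": "52.200.108.221", "AcceptedRouteCount": 1},
            ],
        },
        {
            "VpnConnectionId": "vpn-0example1",  # constructed ID
            "State": "available",
            "VgwTelemetry": [
                {"Status": "UP", "OutsideIpAddress": "203.0.113.10", "AcceptedRouteCount": 1},
                {"Status": "UP", "OutsideIpAddress": "203.0.113.11", "AcceptedRouteCount": 1},
            ],
        },
    ]
})


def is_redundant(connection: dict) -> bool:
    """A connection passes VPC-002 only when it has two tunnels and both report UP."""
    tunnels = connection.get("VgwTelemetry", [])
    return len(tunnels) >= 2 and all(t.get("Status") == "UP" for t in tunnels)


def find_non_redundant(output_json: str) -> dict:
    """Map each failing VpnConnectionId to the outside IPs of its tunnels not in UP state.

    Connections not in the 'available' state are skipped, mirroring the
    state=available filter used in the CLI command above.
    """
    findings = {}
    for conn in json.loads(output_json).get("VpnConnections", []):
        if conn.get("State") != "available" or is_redundant(conn):
            continue
        down = [t.get("OutsideIpAddress", "?") for t in conn.get("VgwTelemetry", [])
                if t.get("Status") != "UP"]
        findings[conn["VpnConnectionId"]] = down
    return findings


if __name__ == "__main__":
    # Feed real output instead, e.g. from: aws ec2 describe-vpn-connections --output json
    for vpn_id, ips in find_non_redundant(SAMPLE_OUTPUT).items():
        print(f"VPC-002 FAIL {vpn_id}: tunnel(s) not UP at {', '.join(ips) or 'n/a'}")
```

Run it once per region, since describe-vpn-connections only returns the connections of the region passed in --region.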

Remediation / Resolution

To create and configure the second VPN IPsec tunnel for the on-premises network customer gateway, perform the following (depending on your customer gateway device, some configuration settings might look different within your dashboard):

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS VPC dashboard at https://console.aws.amazon.com/vpc/.

03 In the left navigation panel, under VPN Connections section, click VPN Connections.

04 Select the VPN connection that you need to update.

05 Click Download Configuration button from the dashboard top menu.

06 In the Download Configuration dialog box, select your customer gateway vendor type (e.g. Cisco Systems), its platform (e.g. ISR Series Routers) and the software version currently used.

07 Click Yes, Download to download the configuration file for the selected VPN. The file contains the configuration settings and the secret keys that you need to apply to your customer gateway.

08 Log in to your customer gateway dashboard and select VPN.

09 Under IPSec Tunnels section, click Add to add a new tunnel.

10 In the Name field, enter a name for the tunnel.

11 Under Phase 1, enter the necessary values as specified in the configuration file downloaded earlier from AWS:

  1. Encryption: AES-128
  2. Hash Method: SHA-1
  3. DH Group: Group 2
  4. Lifetime: 28800

12 Under Phase 2, enter the necessary values as specified in the configuration file downloaded from AWS:

  1. Encryption: AES-128
  2. Hash Method: SHA-1
  3. DH Group: Group 2
  4. Lifetime: 3600
  5. Enable Perfect Forward Secrecy (PFS).

13 Select Active for Local End.

14 Select Static for Local Address.

15 In the Local Networks field, enter your local subnet CIDR.

16 In the Remote Gateway field, enter the IP address for your AWS VPN Virtual Private Gateway.

17 In the Remote Networks field, enter the remote AWS VPC subnet CIDR.

18 Select Pre Shared Key next to Authentication method.

19 In the Passphrase field, enter the Pre-Shared Key specified in the configuration file and check No to disable Aggressive Mode.

20 Click Save to create the tunnel. Your customer gateway device should now connect automatically to the AWS VPN Virtual Private Gateway; otherwise, make sure the device firewall allows traffic from your local network to the selected AWS VPC subnet.

21 Now go back to your AWS VPC dashboard at https://console.aws.amazon.com/vpc/ and select the VPN connection previously configured.

22 Select Tunnel Details tab from the bottom panel and verify if both VPN tunnels are active by checking the values in the Status column (UP for active, DOWN for inactive) – at this point both tunnels must be active.

Publication date Apr 27, 2016