Ensure that both tunnels of each AWS Site-to-Site VPN connection are configured and active, so that traffic fails over to the remaining tunnel when the other goes down because of an outage or planned maintenance.
This rule can help you with the following compliance standards:
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Every AWS Site-to-Site VPN (IPsec) connection is provisioned with two tunnels, each terminating on a separate AWS endpoint. Configuring both tunnels on your customer gateway gives the connection redundancy: when one tunnel becomes unavailable, traffic continues over the other. A common case is AWS's periodic maintenance of VPN tunnel endpoints, which briefly takes one tunnel down; with the second tunnel already active, traffic between the on-premises network and the AWS VPC keeps flowing without downtime. A connection on which only one tunnel has been configured has no failover path and will lose connectivity whenever that tunnel is interrupted.
Audit
To determine if your AWS VPN configuration has two active tunnels, perform the following:
Remediation / Resolution
To create and configure the second VPN IPsec tunnel on the on-premises customer gateway, perform the following (depending on your customer gateway device, some configuration settings may look different within your dashboard):
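The following script is an added example (not Conformity's own check) covering both the Audit and the Remediation steps above. It consumes the JSON that `aws ec2 describe-vpn-connections` returns: the `VgwTelemetry` list reports each tunnel's status as seen from the AWS side, and `CustomerGatewayConfiguration` carries the per-tunnel IPsec parameters as XML. The script flags every connection with fewer than two `UP` tunnels and, for each such connection, extracts the settings of the tunnel that still has to be configured on the customer gateway (AWS endpoint address, inside-tunnel addresses, IKE cipher), reporting only the length of the pre-shared key rather than the key itself. `SAMPLE_RESPONSE` and the XML it contains are constructed for offline use; every ID, address and key in it is made up.

```python
"""Audit AWS Site-to-Site VPN connections for two active tunnels and list what
is needed to bring up a missing second tunnel.  Added example; SAMPLE_RESPONSE
is a constructed stand-in for `aws ec2 describe-vpn-connections` output."""
import json
import sys
import xml.etree.ElementTree as ET


def _constructed_config(vpn_id, tunnels):
    """Build a CustomerGatewayConfiguration-style XML document (constructed sample).
    `tunnels` is a list of (aws_outside_ip, cgw_inside_ip, aws_inside_ip, psk)."""
    body = "".join(
        "<ipsec_tunnel>"
        "<customer_gateway><tunnel_outside_address><ip_address>192.0.2.1</ip_address>"
        f"</tunnel_outside_address><tunnel_inside_address><ip_address>{cgw_in}</ip_address>"
        "<network_cidr>30</network_cidr></tunnel_inside_address></customer_gateway>"
        f"<vpn_gateway><tunnel_outside_address><ip_address>{aws_out}</ip_address>"
        f"</tunnel_outside_address><tunnel_inside_address><ip_address>{aws_in}</ip_address>"
        "<network_cidr>30</network_cidr></tunnel_inside_address></vpn_gateway>"
        "<ike><encryption_protocol>aes-128-cbc</encryption_protocol>"
        f"<pre_shared_key>{psk}</pre_shared_key></ike></ipsec_tunnel>"
        for aws_out, cgw_in, aws_in, psk in tunnels
    )
    return f'<vpn_connection id="{vpn_id}">{body}</vpn_connection>'


SAMPLE_RESPONSE = {  # constructed sample, two connections
    "VpnConnections": [
        {   # both tunnels UP: compliant
            "VpnConnectionId": "vpn-0aaa111122223333a", "State": "available",
            "VgwTelemetry": [
                {"OutsideIpAddress": "203.0.113.10", "Status": "UP", "AcceptedRouteCount": 2},
                {"OutsideIpAddress": "203.0.113.11", "Status": "UP", "AcceptedRouteCount": 2}],
            "CustomerGatewayConfiguration": _constructed_config("vpn-0aaa111122223333a", [
                ("203.0.113.10", "169.254.10.2", "169.254.10.1", "Psk1Example"),
                ("203.0.113.11", "169.254.11.2", "169.254.11.1", "Psk2Example")]),
        },
        {   # second tunnel never configured on the customer gateway: non-compliant
            "VpnConnectionId": "vpn-0bbb444455556666b", "State": "available",
            "VgwTelemetry": [
                {"OutsideIpAddress": "198.51.100.20", "Status": "UP", "AcceptedRouteCount": 2},
                {"OutsideIpAddress": "198.51.100.21", "Status": "DOWN", "AcceptedRouteCount": 0,
                 "StatusMessage": "IPSEC IS DOWN"}],
            "CustomerGatewayConfiguration": _constructed_config("vpn-0bbb444455556666b", [
                ("198.51.100.20", "169.254.20.2", "169.254.20.1", "Psk3Example"),
                ("198.51.100.21", "169.254.21.2", "169.254.21.1", "Psk4ExampleLonger")]),
        },
    ]
}


def active_tunnels(conn):
    """AWS-side outside IPs of the tunnels whose telemetry status is UP."""
    return [t["OutsideIpAddress"] for t in conn.get("VgwTelemetry", []) if t.get("Status") == "UP"]


def tunnel_parameters(conn):
    """One dict per <ipsec_tunnel> with the settings the customer gateway needs.
    The pre-shared key is never returned, only its length."""
    root = ET.fromstring(conn["CustomerGatewayConfiguration"])
    params = []
    for tun in root.findall("ipsec_tunnel"):
        params.append({
            "aws_outside_ip": tun.findtext("vpn_gateway/tunnel_outside_address/ip_address"),
            "aws_inside_ip": tun.findtext("vpn_gateway/tunnel_inside_address/ip_address"),
            "cgw_inside_ip": tun.findtext("customer_gateway/tunnel_inside_address/ip_address"),
            "ike_encryption": tun.findtext("ike/encryption_protocol"),
            "psk_length": len(tun.findtext("ike/pre_shared_key") or ""),
        })
    return params


def missing_tunnels(conn):
    """Parameters of the tunnels in the configuration that are not currently UP."""
    up = set(active_tunnels(conn))
    if not conn.get("CustomerGatewayConfiguration"):
        return []
    return [p for p in tunnel_parameters(conn) if p["aws_outside_ip"] not in up]


def audit_vpn_tunnels(response, required=2):
    """Map each live VPN connection ID to {up, down, compliant, to_configure}."""
    findings = {}
    for conn in response["VpnConnections"]:
        if conn.get("State") in ("deleting", "deleted"):
            continue  # nothing to protect any more
        up = active_tunnels(conn)
        down = [t["OutsideIpAddress"] for t in conn.get("VgwTelemetry", []) if t.get("Status") != "UP"]
        findings[conn["VpnConnectionId"]] = {
            "up": up, "down": down, "compliant": len(up) >= required,
            "to_configure": missing_tunnels(conn)}
    return findings


if __name__ == "__main__":
    # Live data: aws ec2 describe-vpn-connections | python3 vpn_tunnel_audit.py
    response = SAMPLE_RESPONSE if sys.stdin.isatty() else json.load(sys.stdin)
    for vpn_id, f in audit_vpn_tunnels(response).items():
        print(f"{vpn_id}: {'OK' if f['compliant'] else 'NON-COMPLIANT'} up={f['up']} down={f['down']}")
        for p in f["to_configure"]:
            print(f"  configure tunnel to AWS endpoint {p['aws_outside_ip']} "
                  f"(inside {p['cgw_inside_ip']} <-> {p['aws_inside_ip']}, "
                  f"{p['ike_encryption']}, PSK {p['psk_length']} chars)")
```

A `DOWN` status means AWS has no established IKE/IPsec security association for that tunnel, which is exactly the state of a tunnel that was never configured on the customer gateway. The `aws_outside_ip` of the tunnel to configure is the AWS endpoint the customer gateway must peer with; the inside addresses are the `/30` link addresses of the tunnel interface. For dynamically routed (BGP) connections you may additionally want to require `AcceptedRouteCount` greater than zero, since a tunnel can be `UP` at the IPsec layer while the BGP session carries no routes.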
References
- AWS Documentation
- Amazon VPC FAQs
- VPN Connections
- Adding a Hardware Virtual Private Gateway to Your VPC
- Welcome
- Your Customer Gateway
- AWS Command Line Interface (CLI) Documentation
- ec2
- describe-vpn-connections