Ensure that the state of your Amazon VPN tunnels is UP to ensure network traffic flow over your Virtual Private Network. Cloud Conformity is continuously monitoring your AWS VPN tunnels for downtime and sends alert notifications if these become unavailable (DOWN).
(Optional) you can also create CloudWatch alarms that monitor the state of your VPN tunnels and send email notifications when the tunnels state changes to DOWN. The AWS CloudWatch metric that can be used to detect a VPN tunnel status changes is:
TunnelState – the state of an AWS VPN tunnel. 0 indicates DOWN (offline) and 1 indicates UP (online). Units: Count.
This rule can help you with the following compliance standards:
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Using Cloud Conformity continuous monitoring for your VPN tunnels will help you take immediate actions in the event of a failure, in order to maximize uptime and ensure network traffic flow over your Amazon VPN connections at all times.
Audit
To determine the current state of your AWS Virtual Private Network (VPN) tunnels, perform the following:
Remediation / Resolution
If your AWS VPN connection tunnels are currently DOWN (offline), check your on-premise (local) firewall configuration to ensure that your firewall configuration is allowing the same services in its ACLs and/or firewall policies. If you are unable to resolve the issue, you should contact AWS Support for assistance. To open a technical support case with AWS support, perform the following actions:
Note: Creating an AWS Support case using the AWS API via Command Line Interface (CLI) is not currently supported. Cloud Conformity is continuously monitoring the state of your AWS VPN tunnels and sends alert notifications whenever a VPN tunnel goes offline (status changes to DOWN).
(Optional) You also have the option to create your custom notification system using AWS CloudWatch and AWS SNS. To create your own notification system, perform the following steps:
Step 1: Create a Simple Notification Service (SNS) topic and the necessary subscription to send email notifications whenever the appropriate AWS CloudWatch alarm is triggered:
Step 2: Create an AWS CloudWatch alarm that will fire and send email notifications whenever the specified Amazon VPN tunnel state is DOWN for 3 consecutive 5-minute periods.
References
- AWS Documentation
- Monitoring Your VPN Connection
- Getting Started with AWS Support
- What information should I include in my AWS Support case?
- Monitoring with Amazon CloudWatch
- Creating Amazon CloudWatch Alarms
- Create or Edit a CloudWatch Alarm
- Create a Topic
- Subscribe to a Topic
- AWS Command Line Interface (CLI) Documentation
- ec2
- describe-vpn-connections
- cloudwatch
- describe-alarms-for-metric
- put-metric-alarm
- sns
- create-topic
- subscribe
- confirm-subscription