AWS VPN Tunnel State

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: VPC-009

Ensure that the state of your Amazon VPN tunnels is UP so that network traffic can flow over your Virtual Private Network. Cloud Conformity continuously monitors your AWS VPN tunnels for downtime and sends alert notifications if they become unavailable (DOWN).
(Optional) You can also create CloudWatch alarms that monitor the state of your VPN tunnels and send email notifications when the tunnel state changes to DOWN. The AWS CloudWatch metric that can be used to detect VPN tunnel status changes is:
TunnelState – the state of an AWS VPN tunnel. 0 indicates DOWN (offline) and 1 indicates UP (online). Units: Count.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Reliability

Using Cloud Conformity continuous monitoring for your VPN tunnels helps you take immediate action in the event of a failure, maximizing uptime and ensuring network traffic flow over your Amazon VPN connections at all times.


Audit

To determine the current state of your AWS Virtual Private Network (VPN) tunnels, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS VPC dashboard at https://console.aws.amazon.com/vpc/.

03 In the left navigation panel, under VPN Connections section, choose VPN Connections.

04 Select the VPN connection that you want to examine.

05 Select the Tunnel Details tab from the bottom panel and verify the state of the VPN tunnels listed within the Status column (UP for online, DOWN for offline):

[Image: VPN tunnels]

If the current status is DOWN, the VPN tunnels are offline and no network traffic flows over the selected AWS Virtual Private Network connection.

06 Repeat steps no. 4 and 5 for each Amazon VPN connection available within the current region.

07 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run the describe-vpn-connections command (OSX/Linux/UNIX) with custom query filters to list the identifiers (IDs) of all active VPN connections available in the selected AWS region:

aws ec2 describe-vpn-connections \
	--region us-east-1 \
	--filters "Name=state,Values=available" \
	--query 'VpnConnections[*].VpnConnectionId'

02 The command output should return the requested ID(s):

[
    "vpn-85adbde4"
]

03 Run the describe-vpn-connections command (OSX/Linux/UNIX) again, using the ID of the VPN connection returned at the previous step as identifier and custom filtering to describe the state of the tunnels associated with the selected AWS VPN connection:

aws ec2 describe-vpn-connections \
	--region us-east-1 \
	--vpn-connection-ids vpn-85adbde4 \
	--query 'VpnConnections[*].VgwTelemetry[*].Status[]'

04 The command output should return the current status (UP for online, DOWN for offline) for the selected VPN tunnels:

[
    "DOWN",
    "DOWN"
]

05 Repeat steps no. 3 and 4 for each Amazon VPN connection available in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the entire audit process for other regions.
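The two CLI commands above are typed per connection and per region. The following Python script, added here as an example and not part of the Conformity page, applies the same check to the full JSON that aws ec2 describe-vpn-connections --region <region> prints (pipe it in on stdin), or to the constructed sample below when run without input. The sample reuses the connection ID from this page; the other connection IDs, IP addresses and status messages are made up. It reports every tunnel of an available connection whose VgwTelemetry Status is not UP and also classifies each connection, since a connection with one of its two tunnels DOWN is still passing traffic but has lost its redundancy.

```python
"""Audit AWS VPN tunnel state from `aws ec2 describe-vpn-connections` output."""
import json
import sys

# Constructed sample in the shape of the describe-vpn-connections response.
# vpn-85adbde4 is the ID used on this page; everything else is made up.
SAMPLE_RESPONSE = {
    "VpnConnections": [
        {
            "VpnConnectionId": "vpn-85adbde4",
            "State": "available",
            "VgwTelemetry": [
                {"OutsideIpAddress": "203.0.113.10", "Status": "DOWN",
                 "StatusMessage": "IPSEC IS DOWN", "AcceptedRouteCount": 0},
                {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN",
                 "StatusMessage": "IPSEC IS DOWN", "AcceptedRouteCount": 0},
            ],
        },
        {
            "VpnConnectionId": "vpn-0example1",
            "State": "available",
            "VgwTelemetry": [
                {"OutsideIpAddress": "203.0.113.20", "Status": "UP",
                 "StatusMessage": "", "AcceptedRouteCount": 4},
                {"OutsideIpAddress": "203.0.113.21", "Status": "DOWN",
                 "StatusMessage": "IPSEC IS DOWN", "AcceptedRouteCount": 0},
            ],
        },
        {
            # Not "available": skipped, like --filters "Name=state,Values=available".
            "VpnConnectionId": "vpn-0example2",
            "State": "deleted",
            "VgwTelemetry": [],
        },
    ]
}


def down_tunnels(response, region="us-east-1"):
    """Return one finding per tunnel of an available connection whose Status is not UP."""
    findings = []
    for conn in response.get("VpnConnections", []):
        if conn.get("State") != "available":
            continue
        for tunnel in conn.get("VgwTelemetry", []):
            if tunnel.get("Status") != "UP":
                findings.append({
                    "region": region,
                    "vpn_connection_id": conn["VpnConnectionId"],
                    "tunnel_ip": tunnel.get("OutsideIpAddress"),
                    "status": tunnel.get("Status"),
                    "message": tunnel.get("StatusMessage", ""),
                })
    return findings


def summarize(response):
    """Classify each available connection as OK (all tunnels UP), DEGRADED
    (at least one tunnel UP) or DOWN (no tunnel UP)."""
    summary = {}
    for conn in response.get("VpnConnections", []):
        if conn.get("State") != "available":
            continue
        statuses = [t.get("Status") for t in conn.get("VgwTelemetry", [])]
        if statuses and all(s == "UP" for s in statuses):
            summary[conn["VpnConnectionId"]] = "OK"
        elif any(s == "UP" for s in statuses):
            summary[conn["VpnConnectionId"]] = "DEGRADED"
        else:
            summary[conn["VpnConnectionId"]] = "DOWN"
    return summary


if __name__ == "__main__":
    # Pipe real CLI output in; with no input the constructed sample is used.
    data = SAMPLE_RESPONSE if sys.stdin.isatty() else json.load(sys.stdin)
    region = sys.argv[1] if len(sys.argv) > 1 else "us-east-1"
    for f in down_tunnels(data, region):
        line = f"{f['region']} {f['vpn_connection_id']} tunnel {f['tunnel_ip']}: {f['status']}"
        print(f"{line} ({f['message']})" if f["message"] else line)
    print("summary:", summarize(data))
```

To audit a region live, run aws ec2 describe-vpn-connections --region eu-west-1 | python audit_vpn.py eu-west-1 and repeat for each region; the --filters argument from step 1 is not needed because the script skips connections that are not available itself.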

Remediation / Resolution

If your AWS VPN connection tunnels are currently DOWN (offline), check the configuration of your on-premises (local) firewall to ensure that its ACLs and/or firewall policies allow the services required by the VPN connection. If you are unable to resolve the issue, contact AWS Support for assistance. To open a technical support case with AWS Support, perform the following actions:

Note: Creating an AWS Support case using the AWS API via Command Line Interface (CLI) is not currently supported.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS Support Center page at https://console.aws.amazon.com/support/.

03 In the left navigation panel, under Dashboard, click Create Case to initiate the process.

04 On the Create Case support page, perform the following:

  1. Under Regarding section, select Technical Support.
  2. Select Virtual Private Cloud (VPC) from the Service dropdown list.
  3. Select the issue category from the Category dropdown list.
  4. In the VPC ID(s), enter the ID of the VPC that manages your VPN connection.
  5. Select the severity level from the Severity dropdown list.
  6. In the Subject box, provide a subject for your support case, e.g. "VPN tunnels DOWN".
  7. In the Description textbox, describe your use case so that AWS Support can evaluate your request faster and better understand the issue. You can also provide helpful screenshots by using the Add attachment button to add your images.
  8. Under Contact method, select a preferred contact method that AWS support team can use to respond to your request.
  9. Click Submit to send the request. A customer support representative will contact you shortly, depending on the severity level that you chose earlier.

Cloud Conformity is continuously monitoring the state of your AWS VPN tunnels and sends alert notifications whenever a VPN tunnel goes offline (status changes to DOWN).

(Optional) You can also create a custom notification system using AWS CloudWatch and AWS SNS. To create your own notification system, perform the following steps:

Step 1: Create a Simple Notification Service (SNS) topic and the necessary subscription to send email notifications whenever the appropriate AWS CloudWatch alarm is triggered:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to SNS dashboard at https://console.aws.amazon.com/sns/v2/.

03 In the navigation panel, select Topics and click the Create new topic button.

04 In the Create new topic dialog box, enter a name and a display name for your topic then click Create Topic.

05 Open the newly created SNS topic configuration page by clicking on its Amazon Resource Name (ARN):

[Image: Amazon Resource Name (ARN)]

06 Under Subscription section click Create Subscription.

07 Select Email as subscription protocol from the Protocol dropdown list.

08 In the Endpoint box, enter the email address where you want to receive the CloudWatch alert notifications then click Create Subscription to create the required subscription.

09 Use your favorite email client application to open the message received from AWS Notifications, then click on the appropriate link to confirm your new email subscription.

Using AWS CLI

01 Run the create-topic command (OSX/Linux/UNIX) to create a new SNS topic for sending email notifications whenever the necessary AWS CloudWatch alarm is triggered:

aws sns create-topic \
	--name VPNTunnelStateAlarmSNSTopic

02 The command output should return the Amazon Resource Name (ARN) for the newly created AWS SNS topic:

{
    "TopicArn": "arn:aws:sns:us-east-1:123456789012:VPNTunnelStateAlarmSNSTopic"
}

03 Run the subscribe command (OSX/Linux/UNIX) to send the subscription confirmation message to the notification endpoint (i.e. the email address provided):

aws sns subscribe \
	--topic-arn arn:aws:sns:us-east-1:123456789012:VPNTunnelStateAlarmSNSTopic \
	--protocol email \
	--notification-endpoint no-reply@cloudconformity.com

04 Run the confirm-subscription command (OSX/Linux/UNIX) to confirm the email subscription by validating the token sent to the selected notification endpoint (the command does not produce an output):

aws sns confirm-subscription \
	--topic-arn arn:aws:sns:us-east-1:123456789012:VPNTunnelStateAlarmSNSTopic \
	--token b47c0192f37fb687f5d51e6e241d7700ae02f7124d8268910b858cb4db727ceeb2474bb937929d3bdd7ce5d0cce19325d036bc858d3c217426bcafa9c501a2cace93b83f1dd3797627467553dc438a8c974119496fc3eff026eaa5d14472ded6f9a5c43aec62d83ef5f49109da71e1c7d90

Step 2: Create an AWS CloudWatch alarm that will fire and send email notifications whenever the specified Amazon VPN tunnel state is DOWN for 3 consecutive 5-minute periods.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudWatch dashboard at https://console.aws.amazon.com/cloudwatch/.

03 In the left navigation panel select Alarms.

04 Click the Create Alarm button from the CloudWatch dashboard top menu to initiate the setup process.

05 In the Create Alarm dialog box, perform the following actions:

  1. Select EC2 from the Browse Metrics dropdown list.
  2. Type TunnelState in the Search Metrics search box and press Enter.
  3. Select the AWS VPN tunnel (identified by an IP address) that you want to monitor with AWS CloudWatch from the VPN > VPN Tunnel Metrics list, then click Next to continue the process.
  4. Within the Alarm Threshold section, in the Name and Description fields, enter a unique name and a short description for the new Amazon CloudWatch alarm.
  5. Under Whenever: <Metric Name>, select <= (less than or equal to) from the is dropdown list and enter 0 (0 indicates DOWN) in the box next to the dropdown list to trigger the alarm every time the state of the selected VPN tunnel changes to 0 (DOWN).
  6. Within the for: consecutive period(s) box, enter 3 as the threshold value for the number of consecutive periods that must be reached to fire the current CloudWatch alarm.
  7. In the Actions section, click the + Notification button, select State is ALARM from the Whenever this alarm dropdown menu and choose the AWS SNS topic name created at Step 1 from Send notification to dropdown list.
  8. In the Alarm Preview section, select 5 Minutes from the Period dropdown list and choose Standard and Average from the Statistic category.
  9. Review the CloudWatch alarm configuration details then click Create Alarm. Once the VPN tunnel status data is loaded, the State (status) of the new CloudWatch alarm will change from INSUFFICIENT_DATA to OK.

06 Repeat steps no. 3 - 5 to set up CloudWatch alarms for other AWS VPN tunnels provisioned within the current region.

07 Change the AWS region from the navigation bar and repeat the remediation/resolution process for other regions.

Using AWS CLI

01 Run the put-metric-alarm command (OSX/Linux/UNIX) to create the AWS CloudWatch alarm that fires whenever the selected Amazon VPN tunnel state is DOWN for 3 consecutive 5-minute periods. The following command example creates an Amazon CloudWatch alarm named VPNTunnelDownAlarm that sends notifications to an AWS SNS topic named VPNTunnelStateAlarmSNSTopic when the state of the VPN tunnel identified by the IP address 34.226.130.200 changes to DOWN (the command does not return an output):

aws cloudwatch put-metric-alarm \
	--region us-east-1 \
	--alarm-name VPNTunnelDownAlarm \
	--alarm-description "Triggered by VPN tunnel DOWN state" \
	--metric-name TunnelState \
	--namespace AWS/VPN \
	--dimensions "Name=TunnelIpAddress,Value=34.226.130.200" \
	--statistic Average \
	--comparison-operator LessThanOrEqualToThreshold \
	--evaluation-periods 3 \
	--period 300 \
	--threshold 0 \
	--actions-enabled \
	--alarm-actions arn:aws:sns:us-east-1:123456789012:VPNTunnelStateAlarmSNSTopic

02 Repeat step no. 1 to install and configure CloudWatch alarms for other AWS VPN tunnels available in the current region.

03 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 and 2 to perform the process for other regions.
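The alarm configured in Step 2 (Average of TunnelState over 300-second periods, LessThanOrEqualToThreshold 0, 3 evaluation periods) only fires when the tunnel reported DOWN for the whole of three consecutive periods. The Python model below is an added example, not code from the Conformity page or from AWS: it re-implements that evaluation in simplified form (CloudWatch's missing-data handling and partial periods are not modelled) over constructed one-sample-per-minute TunnelState traces, so you can see which outage patterns trigger the alarm. It also evaluates the same traces with the Minimum statistic, which is a design alternative not on the page, to show why a flapping tunnel that averages above 0 never reaches the Average-based alarm.

```python
"""Model the TunnelState CloudWatch alarm from this page and test it against
constructed traces. Simplified: no missing-data or partial-period handling."""
from collections import defaultdict

PERIOD_SECONDS = 300      # --period 300
THRESHOLD = 0             # --threshold 0
EVALUATION_PERIODS = 3    # --evaluation-periods 3


def period_statistic(samples, statistic="Average", period=PERIOD_SECONDS):
    """Aggregate (timestamp_seconds, value) samples per period using the named
    CloudWatch statistic. Returns [(period_start, value), ...] in time order."""
    buckets = defaultdict(list)
    for ts, value in samples:
        buckets[ts - ts % period].append(value)
    reducers = {"Average": lambda v: sum(v) / len(v), "Minimum": min, "Maximum": max}
    reduce = reducers[statistic]
    return sorted((start, reduce(values)) for start, values in buckets.items())


def alarm_state(samples, statistic="Average",
                evaluation_periods=EVALUATION_PERIODS, threshold=THRESHOLD):
    """Return ALARM, OK or INSUFFICIENT_DATA for the most recent evaluation
    window, using LessThanOrEqualToThreshold like the page's alarm."""
    points = period_statistic(samples, statistic)
    if len(points) < evaluation_periods:
        return "INSUFFICIENT_DATA"
    recent = [value for _, value in points[-evaluation_periods:]]
    # Every one of the last N periods must breach the threshold.
    return "ALARM" if all(value <= threshold for value in recent) else "OK"


def minute_trace(values):
    """Constructed trace: one TunnelState reading per minute, starting at t=0."""
    return [(60 * i, v) for i, v in enumerate(values)]


# Tunnel DOWN for 15 consecutive minutes (three full 5-minute periods): fires.
TRACE_DOWN = minute_trace([1] * 5 + [0] * 15)
# Tunnel DOWN for only 10 minutes before recovering: too short to fire.
TRACE_SHORT_OUTAGE = minute_trace([1] * 5 + [0] * 10 + [1] * 5)
# Tunnel flapping every minute: each period averages 0.6, above threshold 0,
# so the Average-based alarm stays OK although the link is unhealthy.
TRACE_FLAPPING = minute_trace([1, 0, 1, 0, 1] * 4)

if __name__ == "__main__":
    for name, trace in [("down", TRACE_DOWN), ("short outage", TRACE_SHORT_OUTAGE),
                        ("flapping", TRACE_FLAPPING)]:
        print(f"{name:13s} Average -> {alarm_state(trace):17s} "
              f"Minimum -> {alarm_state(trace, 'Minimum')}")
```

The flapping trace is the one worth remembering: with --statistic Average and --threshold 0, a tunnel that goes down and comes back within each period never produces a zero average and the alarm stays OK. Switching the alarm to --statistic Minimum (an alternative to the page's configuration) makes any DOWN reading within a period breach the threshold, at the cost of more alerts on brief renegotiations.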

Publication date Jun 22, 2017