VpnConnection

Manages an EC2 VPN connection. These objects can be connected to customer gateways, and allow you to establish tunnels between your network and Amazon.

Note: The CIDR blocks in the arguments tunnel1_inside_cidr and tunnel2_inside_cidr must be /30 blocks and must fall within a specific range (see the Tunnel1InsideCidr and Tunnel2InsideCidr descriptions below). Read more about this in the AWS documentation.

Example Usage

EC2 Transit Gateway

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        // Transit gateway with default settings; the VPN connection attaches to it below.
        var transitGatewayArgs = new Aws.Ec2TransitGateway.TransitGatewayArgs();
        var exampleTransitGateway = new Aws.Ec2TransitGateway.TransitGateway("exampleTransitGateway", transitGatewayArgs);

        // Customer gateway: the on-premises endpoint, identified by its address and BGP ASN.
        var customerGatewayArgs = new Aws.Ec2.CustomerGatewayArgs
        {
            Type = "ipsec.1",
            IpAddress = "172.0.0.1",
            BgpAsn = "65000",
        };
        var exampleCustomerGateway = new Aws.Ec2.CustomerGateway("exampleCustomerGateway", customerGatewayArgs);

        // The connection type mirrors the customer gateway's type so the two cannot drift apart.
        var vpnConnectionArgs = new Aws.Ec2.VpnConnectionArgs
        {
            Type = exampleCustomerGateway.Type,
            CustomerGatewayId = exampleCustomerGateway.Id,
            TransitGatewayId = exampleTransitGateway.Id,
        };
        var exampleVpnConnection = new Aws.Ec2.VpnConnection("exampleVpnConnection", vpnConnectionArgs);
    }
}
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v4/go/aws/ec2"
	"github.com/pulumi/pulumi-aws/sdk/v4/go/aws/ec2transitgateway"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Transit gateway with default settings; the VPN connection is attached to it below.
		tgw, err := ec2transitgateway.NewTransitGateway(ctx, "exampleTransitGateway", nil)
		if err != nil {
			return err
		}
		// The customer gateway describes the on-premises endpoint (its address and BGP ASN).
		cgw, err := ec2.NewCustomerGateway(ctx, "exampleCustomerGateway", &ec2.CustomerGatewayArgs{
			Type:      pulumi.String("ipsec.1"),
			IpAddress: pulumi.String("172.0.0.1"),
			BgpAsn:    pulumi.String("65000"),
		})
		if err != nil {
			return err
		}
		// The connection type is taken from the customer gateway so the two always agree.
		_, err = ec2.NewVpnConnection(ctx, "exampleVpnConnection", &ec2.VpnConnectionArgs{
			Type:              cgw.Type,
			CustomerGatewayId: cgw.ID(),
			TransitGatewayId:  tgw.ID(),
		})
		// err is nil on success, so returning it directly covers both outcomes.
		return err
	})
}
import pulumi
import pulumi_aws as aws

# Transit gateway with default settings; the VPN connection is attached to it below.
example_transit_gateway = aws.ec2transitgateway.TransitGateway("exampleTransitGateway")

# Customer gateway: the on-premises endpoint, identified by its address and BGP ASN.
example_customer_gateway = aws.ec2.CustomerGateway(
    "exampleCustomerGateway",
    type="ipsec.1",
    ip_address="172.0.0.1",
    bgp_asn="65000",
)

# The connection type is read from the customer gateway so the two always agree.
example_vpn_connection = aws.ec2.VpnConnection(
    "exampleVpnConnection",
    type=example_customer_gateway.type,
    customer_gateway_id=example_customer_gateway.id,
    transit_gateway_id=example_transit_gateway.id,
)
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Transit gateway with default settings; the VPN connection is attached to it below.
const exampleTransitGateway = new aws.ec2transitgateway.TransitGateway("exampleTransitGateway", {});

// Customer gateway: the on-premises endpoint, identified by its address and BGP ASN.
const exampleCustomerGateway = new aws.ec2.CustomerGateway("exampleCustomerGateway", {
    type: "ipsec.1",
    ipAddress: "172.0.0.1",
    bgpAsn: 65000,
});

// The connection type is read from the customer gateway so the two always agree.
const exampleVpnConnection = new aws.ec2.VpnConnection("exampleVpnConnection", {
    type: exampleCustomerGateway.type,
    customerGatewayId: exampleCustomerGateway.id,
    transitGatewayId: exampleTransitGateway.id,
});

Virtual Private Gateway

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        // The VPC whose virtual private gateway terminates the AWS side of the VPN.
        var vpc = new Aws.Ec2.Vpc("vpc", new Aws.Ec2.VpcArgs { CidrBlock = "10.0.0.0/16" });
        var vpnGateway = new Aws.Ec2.VpnGateway("vpnGateway", new Aws.Ec2.VpnGatewayArgs { VpcId = vpc.Id });

        // Customer gateway: the on-premises endpoint, identified by its address and BGP ASN.
        var customerGatewayArgs = new Aws.Ec2.CustomerGatewayArgs
        {
            Type = "ipsec.1",
            IpAddress = "172.0.0.1",
            BgpAsn = "65000",
        };
        var customerGateway = new Aws.Ec2.CustomerGateway("customerGateway", customerGatewayArgs);

        // StaticRoutesOnly = true: no BGP on this connection; routes must be added explicitly.
        var vpnConnectionArgs = new Aws.Ec2.VpnConnectionArgs
        {
            Type = "ipsec.1",
            StaticRoutesOnly = true,
            VpnGatewayId = vpnGateway.Id,
            CustomerGatewayId = customerGateway.Id,
        };
        var main = new Aws.Ec2.VpnConnection("main", vpnConnectionArgs);
    }
}
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v4/go/aws/ec2"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The VPC whose virtual private gateway terminates the AWS side of the VPN.
		network, err := ec2.NewVpc(ctx, "vpc", &ec2.VpcArgs{CidrBlock: pulumi.String("10.0.0.0/16")})
		if err != nil {
			return err
		}
		vgw, err := ec2.NewVpnGateway(ctx, "vpnGateway", &ec2.VpnGatewayArgs{VpcId: network.ID()})
		if err != nil {
			return err
		}
		// The customer gateway describes the on-premises endpoint (its address and BGP ASN).
		cgw, err := ec2.NewCustomerGateway(ctx, "customerGateway", &ec2.CustomerGatewayArgs{
			Type:      pulumi.String("ipsec.1"),
			IpAddress: pulumi.String("172.0.0.1"),
			BgpAsn:    pulumi.String("65000"),
		})
		if err != nil {
			return err
		}
		// StaticRoutesOnly: no BGP on this connection; routes must be added explicitly.
		_, err = ec2.NewVpnConnection(ctx, "main", &ec2.VpnConnectionArgs{
			Type:              pulumi.String("ipsec.1"),
			StaticRoutesOnly:  pulumi.Bool(true),
			VpnGatewayId:      vgw.ID(),
			CustomerGatewayId: cgw.ID(),
		})
		// err is nil on success, so returning it directly covers both outcomes.
		return err
	})
}
import pulumi
import pulumi_aws as aws

# The VPC whose virtual private gateway terminates the AWS side of the VPN.
vpc = aws.ec2.Vpc("vpc", cidr_block="10.0.0.0/16")
vpn_gateway = aws.ec2.VpnGateway("vpnGateway", vpc_id=vpc.id)

# Customer gateway: the on-premises endpoint, identified by its address and BGP ASN.
customer_gateway = aws.ec2.CustomerGateway(
    "customerGateway",
    type="ipsec.1",
    ip_address="172.0.0.1",
    bgp_asn="65000",
)

# static_routes_only=True: no BGP on this connection; routes must be added explicitly.
main = aws.ec2.VpnConnection(
    "main",
    type="ipsec.1",
    static_routes_only=True,
    vpn_gateway_id=vpn_gateway.id,
    customer_gateway_id=customer_gateway.id,
)
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// The VPC whose virtual private gateway terminates the AWS side of the VPN.
const vpc = new aws.ec2.Vpc("vpc", { cidrBlock: "10.0.0.0/16" });
const vpnGateway = new aws.ec2.VpnGateway("vpnGateway", { vpcId: vpc.id });

// Customer gateway: the on-premises endpoint, identified by its address and BGP ASN.
const customerGateway = new aws.ec2.CustomerGateway("customerGateway", {
    type: "ipsec.1",
    ipAddress: "172.0.0.1",
    bgpAsn: 65000,
});

// staticRoutesOnly: no BGP on this connection; routes must be added explicitly.
const main = new aws.ec2.VpnConnection("main", {
    type: "ipsec.1",
    staticRoutesOnly: true,
    vpnGatewayId: vpnGateway.id,
    customerGatewayId: customerGateway.id,
});

Create a VpnConnection Resource

new VpnConnection(name: string, args: VpnConnectionArgs, opts?: CustomResourceOptions);
@overload
def VpnConnection(resource_name: str,
                  opts: Optional[ResourceOptions] = None,
                  customer_gateway_id: Optional[str] = None,
                  enable_acceleration: Optional[bool] = None,
                  local_ipv4_network_cidr: Optional[str] = None,
                  local_ipv6_network_cidr: Optional[str] = None,
                  remote_ipv4_network_cidr: Optional[str] = None,
                  remote_ipv6_network_cidr: Optional[str] = None,
                  static_routes_only: Optional[bool] = None,
                  tags: Optional[Mapping[str, str]] = None,
                  tags_all: Optional[Mapping[str, str]] = None,
                  transit_gateway_id: Optional[str] = None,
                  tunnel1_dpd_timeout_action: Optional[str] = None,
                  tunnel1_dpd_timeout_seconds: Optional[int] = None,
                  tunnel1_ike_versions: Optional[Sequence[str]] = None,
                  tunnel1_inside_cidr: Optional[str] = None,
                  tunnel1_inside_ipv6_cidr: Optional[str] = None,
                  tunnel1_phase1_dh_group_numbers: Optional[Sequence[int]] = None,
                  tunnel1_phase1_encryption_algorithms: Optional[Sequence[str]] = None,
                  tunnel1_phase1_integrity_algorithms: Optional[Sequence[str]] = None,
                  tunnel1_phase1_lifetime_seconds: Optional[int] = None,
                  tunnel1_phase2_dh_group_numbers: Optional[Sequence[int]] = None,
                  tunnel1_phase2_encryption_algorithms: Optional[Sequence[str]] = None,
                  tunnel1_phase2_integrity_algorithms: Optional[Sequence[str]] = None,
                  tunnel1_phase2_lifetime_seconds: Optional[int] = None,
                  tunnel1_preshared_key: Optional[str] = None,
                  tunnel1_rekey_fuzz_percentage: Optional[int] = None,
                  tunnel1_rekey_margin_time_seconds: Optional[int] = None,
                  tunnel1_replay_window_size: Optional[int] = None,
                  tunnel1_startup_action: Optional[str] = None,
                  tunnel2_dpd_timeout_action: Optional[str] = None,
                  tunnel2_dpd_timeout_seconds: Optional[int] = None,
                  tunnel2_ike_versions: Optional[Sequence[str]] = None,
                  tunnel2_inside_cidr: Optional[str] = None,
                  tunnel2_inside_ipv6_cidr: Optional[str] = None,
                  tunnel2_phase1_dh_group_numbers: Optional[Sequence[int]] = None,
                  tunnel2_phase1_encryption_algorithms: Optional[Sequence[str]] = None,
                  tunnel2_phase1_integrity_algorithms: Optional[Sequence[str]] = None,
                  tunnel2_phase1_lifetime_seconds: Optional[int] = None,
                  tunnel2_phase2_dh_group_numbers: Optional[Sequence[int]] = None,
                  tunnel2_phase2_encryption_algorithms: Optional[Sequence[str]] = None,
                  tunnel2_phase2_integrity_algorithms: Optional[Sequence[str]] = None,
                  tunnel2_phase2_lifetime_seconds: Optional[int] = None,
                  tunnel2_preshared_key: Optional[str] = None,
                  tunnel2_rekey_fuzz_percentage: Optional[int] = None,
                  tunnel2_rekey_margin_time_seconds: Optional[int] = None,
                  tunnel2_replay_window_size: Optional[int] = None,
                  tunnel2_startup_action: Optional[str] = None,
                  tunnel_inside_ip_version: Optional[str] = None,
                  type: Optional[str] = None,
                  vpn_gateway_id: Optional[str] = None)
@overload
def VpnConnection(resource_name: str,
                  args: VpnConnectionArgs,
                  opts: Optional[ResourceOptions] = None)
func NewVpnConnection(ctx *Context, name string, args VpnConnectionArgs, opts ...ResourceOption) (*VpnConnection, error)
public VpnConnection(string name, VpnConnectionArgs args, CustomResourceOptions? opts = null)
name string
The unique name of the resource.
args VpnConnectionArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args VpnConnectionArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args VpnConnectionArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args VpnConnectionArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.

VpnConnection Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.

Inputs

The VpnConnection resource accepts the following input properties:

CustomerGatewayId string
The ID of the customer gateway.
Type string
The type of VPN connection. The only type AWS supports at this time is “ipsec.1”.
EnableAcceleration bool
Indicate whether to enable acceleration for the VPN connection. Supports only EC2 Transit Gateway.
LocalIpv4NetworkCidr string
The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection.
LocalIpv6NetworkCidr string
The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
RemoteIpv4NetworkCidr string
The IPv4 CIDR on the AWS side of the VPN connection.
RemoteIpv6NetworkCidr string
The IPv6 CIDR on the AWS side of the VPN connection.
StaticRoutesOnly bool
Whether the VPN connection uses static routes exclusively. Static routes must be used for devices that don’t support BGP.
Tags Dictionary<string, string>
Tags to apply to the connection. If the provider is configured with a default_tags block, tags set here with matching keys overwrite the provider-level ones.
TagsAll Dictionary<string, string>
A map of tags assigned to the resource, including those inherited from the provider.
TransitGatewayId string
The ID of the EC2 Transit Gateway.
Tunnel1DpdTimeoutAction string
The action to take after DPD timeout occurs for the first VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are clear | none | restart.
Tunnel1DpdTimeoutSeconds int
The number of seconds after which a DPD timeout occurs for the first VPN tunnel. Valid values are 30 or higher.
Tunnel1IkeVersions List<string>
The IKE versions that are permitted for the first VPN tunnel. Valid values are ikev1 | ikev2.
Tunnel1InsideCidr string
The CIDR block of the inside IP addresses for the first VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
Tunnel1InsideIpv6Cidr string
The range of inside IPv6 addresses for the first VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
Tunnel1Phase1DhGroupNumbers List<int>
List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are 2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.
Tunnel1Phase1EncryptionAlgorithms List<string>
List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
Tunnel1Phase1IntegrityAlgorithms List<string>
One or more integrity algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.
Tunnel1Phase1LifetimeSeconds int
The lifetime for phase 1 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between 900 and 28800.
Tunnel1Phase2DhGroupNumbers List<int>
List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.
Tunnel1Phase2EncryptionAlgorithms List<string>
List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
Tunnel1Phase2IntegrityAlgorithms List<string>
List of one or more integrity algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.
Tunnel1Phase2LifetimeSeconds int
The lifetime for phase 2 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between 900 and 3600.
Tunnel1PresharedKey string
The preshared key of the first VPN tunnel. It must be between 8 and 64 characters long and cannot start with zero (0). Allowed characters are alphanumeric characters, periods (.) and underscores (_). Treat this value as a secret: supply it from secret configuration rather than hard-coding it in your program.
Tunnel1RekeyFuzzPercentage int
The percentage of the rekey window for the first VPN tunnel (determined by tunnel1_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between 0 and 100.
Tunnel1RekeyMarginTimeSeconds int
The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the first VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for tunnel1_rekey_fuzz_percentage. Valid value is between 60 and half of tunnel1_phase2_lifetime_seconds.
Tunnel1ReplayWindowSize int
The number of packets in an IKE replay window for the first VPN tunnel. Valid value is between 64 and 2048.
Tunnel1StartupAction string
The action to take when establishing the tunnel for the first VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are add | start.
Tunnel2DpdTimeoutAction string
The action to take after DPD timeout occurs for the second VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are clear | none | restart.
Tunnel2DpdTimeoutSeconds int
The number of seconds after which a DPD timeout occurs for the second VPN tunnel. Valid values are 30 or higher.
Tunnel2IkeVersions List<string>
The IKE versions that are permitted for the second VPN tunnel. Valid values are ikev1 | ikev2.
Tunnel2InsideCidr string
The CIDR block of the inside IP addresses for the second VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
Tunnel2InsideIpv6Cidr string
The range of inside IPv6 addresses for the second VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
Tunnel2Phase1DhGroupNumbers List<int>
List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are 2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.
Tunnel2Phase1EncryptionAlgorithms List<string>
List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
Tunnel2Phase1IntegrityAlgorithms List<string>
One or more integrity algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.
Tunnel2Phase1LifetimeSeconds int
The lifetime for phase 1 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between 900 and 28800.
Tunnel2Phase2DhGroupNumbers List<int>
List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.
Tunnel2Phase2EncryptionAlgorithms List<string>
List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
Tunnel2Phase2IntegrityAlgorithms List<string>
List of one or more integrity algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.
Tunnel2Phase2LifetimeSeconds int
The lifetime for phase 2 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between 900 and 3600.
Tunnel2PresharedKey string
The preshared key of the second VPN tunnel. It must be between 8 and 64 characters long and cannot start with zero (0). Allowed characters are alphanumeric characters, periods (.) and underscores (_). Treat this value as a secret: supply it from secret configuration rather than hard-coding it in your program.
Tunnel2RekeyFuzzPercentage int
The percentage of the rekey window for the second VPN tunnel (determined by tunnel2_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between 0 and 100.
Tunnel2RekeyMarginTimeSeconds int
The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the second VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for tunnel2_rekey_fuzz_percentage. Valid value is between 60 and half of tunnel2_phase2_lifetime_seconds.
Tunnel2ReplayWindowSize int
The number of packets in an IKE replay window for the second VPN tunnel. Valid value is between 64 and 2048.
Tunnel2StartupAction string
The action to take when establishing the tunnel for the second VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are add | start.
TunnelInsideIpVersion string
Indicate whether the VPN tunnels process IPv4 or IPv6 traffic. Valid values are ipv4 | ipv6. ipv6 is supported only with EC2 Transit Gateway.
VpnGatewayId string
The ID of the Virtual Private Gateway.
CustomerGatewayId string
The ID of the customer gateway.
Type string
The type of VPN connection. The only type AWS supports at this time is “ipsec.1”.
EnableAcceleration bool
Indicate whether to enable acceleration for the VPN connection. Supports only EC2 Transit Gateway.
LocalIpv4NetworkCidr string
The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection.
LocalIpv6NetworkCidr string
The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
RemoteIpv4NetworkCidr string
The IPv4 CIDR on the AWS side of the VPN connection.
RemoteIpv6NetworkCidr string
The IPv6 CIDR on the AWS side of the VPN connection.
StaticRoutesOnly bool
Whether the VPN connection uses static routes exclusively. Static routes must be used for devices that don’t support BGP.
Tags map[string]string
Tags to apply to the connection. If the provider is configured with a default_tags block, tags set here with matching keys overwrite the provider-level ones.
TagsAll map[string]string
A map of tags assigned to the resource, including those inherited from the provider.
TransitGatewayId string
The ID of the EC2 Transit Gateway.
Tunnel1DpdTimeoutAction string
The action to take after DPD timeout occurs for the first VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are clear | none | restart.
Tunnel1DpdTimeoutSeconds int
The number of seconds after which a DPD timeout occurs for the first VPN tunnel. Valid values are 30 or higher.
Tunnel1IkeVersions []string
The IKE versions that are permitted for the first VPN tunnel. Valid values are ikev1 | ikev2.
Tunnel1InsideCidr string
The CIDR block of the inside IP addresses for the first VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
Tunnel1InsideIpv6Cidr string
The range of inside IPv6 addresses for the first VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
Tunnel1Phase1DhGroupNumbers []int
List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are 2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.
Tunnel1Phase1EncryptionAlgorithms []string
List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
Tunnel1Phase1IntegrityAlgorithms []string
One or more integrity algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.
Tunnel1Phase1LifetimeSeconds int
The lifetime for phase 1 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between 900 and 28800.
Tunnel1Phase2DhGroupNumbers []int
List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.
Tunnel1Phase2EncryptionAlgorithms []string
List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
Tunnel1Phase2IntegrityAlgorithms []string
List of one or more integrity algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.
Tunnel1Phase2LifetimeSeconds int
The lifetime for phase 2 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between 900 and 3600.
Tunnel1PresharedKey string
The preshared key of the first VPN tunnel. It must be between 8 and 64 characters long and cannot start with zero (0). Allowed characters are alphanumeric characters, periods (.) and underscores (_). Treat this value as a secret: supply it from secret configuration rather than hard-coding it in your program.
Tunnel1RekeyFuzzPercentage int
The percentage of the rekey window for the first VPN tunnel (determined by tunnel1_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between 0 and 100.
Tunnel1RekeyMarginTimeSeconds int
The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the first VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for tunnel1_rekey_fuzz_percentage. Valid value is between 60 and half of tunnel1_phase2_lifetime_seconds.
Tunnel1ReplayWindowSize int
The number of packets in an IKE replay window for the first VPN tunnel. Valid value is between 64 and 2048.
Tunnel1StartupAction string
The action to take when establishing the tunnel for the first VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are add | start.
Tunnel2DpdTimeoutAction string
The action to take after DPD timeout occurs for the second VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are clear | none | restart.
Tunnel2DpdTimeoutSeconds int
The number of seconds after which a DPD timeout occurs for the second VPN tunnel. Valid values are 30 or higher.
Tunnel2IkeVersions []string
The IKE versions that are permitted for the second VPN tunnel. Valid values are ikev1 | ikev2.
Tunnel2InsideCidr string
The CIDR block of the inside IP addresses for the second VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
Tunnel2InsideIpv6Cidr string
The range of inside IPv6 addresses for the second VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
Tunnel2Phase1DhGroupNumbers []int
List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are 2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.
Tunnel2Phase1EncryptionAlgorithms []string
List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
Tunnel2Phase1IntegrityAlgorithms []string
One or more integrity algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.
Tunnel2Phase1LifetimeSeconds int
The lifetime for phase 1 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between 900 and 28800.
Tunnel2Phase2DhGroupNumbers []int
List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.
Tunnel2Phase2EncryptionAlgorithms []string
List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
Tunnel2Phase2IntegrityAlgorithms []string
List of one or more integrity algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.
Tunnel2Phase2LifetimeSeconds int
The lifetime for phase 2 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between 900 and 3600.
Tunnel2PresharedKey string
The preshared key of the second VPN tunnel. It must be between 8 and 64 characters long and cannot start with zero (0). Allowed characters are alphanumeric characters, periods (.) and underscores (_). Treat this value as a secret: supply it from secret configuration rather than hard-coding it in your program.
Tunnel2RekeyFuzzPercentage int
The percentage of the rekey window for the second VPN tunnel (determined by tunnel2_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between 0 and 100.
Tunnel2RekeyMarginTimeSeconds int
The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the second VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for tunnel2_rekey_fuzz_percentage. Valid value is between 60 and half of tunnel2_phase2_lifetime_seconds.
Tunnel2ReplayWindowSize int
The number of packets in an IKE replay window for the second VPN tunnel. Valid value is between 64 and 2048.
Tunnel2StartupAction string
The action to take when establishing the tunnel for the second VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are add | start.
TunnelInsideIpVersion string
Indicate whether the VPN tunnels process IPv4 or IPv6 traffic. Valid values are ipv4 | ipv6. ipv6 is supported only with EC2 Transit Gateway.
VpnGatewayId string
The ID of the Virtual Private Gateway.
customerGatewayId string
The ID of the customer gateway.
type string
The type of VPN connection. The only type AWS supports at this time is “ipsec.1”.
enableAcceleration boolean
Indicate whether to enable acceleration for the VPN connection. Supports only EC2 Transit Gateway.
localIpv4NetworkCidr string
The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection.
localIpv6NetworkCidr string
The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
remoteIpv4NetworkCidr string
The IPv4 CIDR on the AWS side of the VPN connection.
remoteIpv6NetworkCidr string
The IPv6 CIDR on the AWS side of the VPN connection.
staticRoutesOnly boolean
Whether the VPN connection uses static routes exclusively. Static routes must be used for devices that don’t support BGP.
tags {[key: string]: string}
Tags to apply to the connection. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
tagsAll {[key: string]: string}
A map of tags assigned to the resource, including those inherited from the provider.
transitGatewayId string
The ID of the EC2 Transit Gateway.
tunnel1DpdTimeoutAction string
The action to take after DPD timeout occurs for the first VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are clear | none | restart.
tunnel1DpdTimeoutSeconds number
The number of seconds after which a DPD timeout occurs for the first VPN tunnel. Valid value is 30 or higher.
tunnel1IkeVersions string[]
The IKE versions that are permitted for the first VPN tunnel. Valid values are ikev1 | ikev2. Restrict this to ikev2 wherever the customer gateway device supports it; IKEv1 is a legacy protocol with weaker negotiation protections and should only be listed when required for compatibility.
tunnel1InsideCidr string
The CIDR block of the inside IP addresses for the first VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
tunnel1InsideIpv6Cidr string
The range of inside IPv6 addresses for the first VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
tunnel1Phase1DhGroupNumbers number[]
List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are 2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24. Group 2 (1024-bit MODP) is considered too weak for new deployments; prefer 14 or higher (or the ECP groups 19–21), and include only groups you are willing to have negotiated.
tunnel1Phase1EncryptionAlgorithms string[]
List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
tunnel1Phase1IntegrityAlgorithms string[]
One or more integrity algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512. Any listed algorithm may be negotiated, so leave SHA1 out of the list on new deployments and restrict it to SHA2-* unless a legacy device requires otherwise.
tunnel1Phase1LifetimeSeconds number
The lifetime for phase 1 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between 900 and 28800.
tunnel1Phase2DhGroupNumbers number[]
List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24. Groups 2 and 5 (1024-/1536-bit MODP) are considered too weak for new deployments; prefer 14 or higher (or the ECP groups 19–21), and include only groups you are willing to have negotiated.
tunnel1Phase2EncryptionAlgorithms string[]
List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
tunnel1Phase2IntegrityAlgorithms string[]
List of one or more integrity algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512. Any listed algorithm may be negotiated, so leave SHA1 out of the list on new deployments and restrict it to SHA2-* unless a legacy device requires otherwise.
tunnel1Phase2LifetimeSeconds number
The lifetime for phase 2 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between 900 and 3600.
tunnel1PresharedKey string
The preshared key of the first VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero (0). Allowed characters are alphanumeric characters, periods (.) and underscores (_). This value is a credential: supply it as a secret (for example from a secrets manager or a secret configuration value) rather than hard-coding it in source, use a distinct randomly generated key per tunnel, and remember that it is persisted in Pulumi state, so state must be protected accordingly.
tunnel1RekeyFuzzPercentage number
The percentage of the rekey window for the first VPN tunnel (determined by tunnel1_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between 0 and 100.
tunnel1RekeyMarginTimeSeconds number
The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the first VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for tunnel1_rekey_fuzz_percentage. Valid value is between 60 and half of tunnel1_phase2_lifetime_seconds.
tunnel1ReplayWindowSize number
The number of packets in an IKE replay window for the first VPN tunnel. Valid value is between 64 and 2048.
tunnel1StartupAction string
The action to take when establishing the tunnel for the first VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are add | start.
tunnel2DpdTimeoutAction string
The action to take after DPD timeout occurs for the second VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are clear | none | restart.
tunnel2DpdTimeoutSeconds number
The number of seconds after which a DPD timeout occurs for the second VPN tunnel. Valid value is 30 or higher.
tunnel2IkeVersions string[]
The IKE versions that are permitted for the second VPN tunnel. Valid values are ikev1 | ikev2. Restrict this to ikev2 wherever the customer gateway device supports it; IKEv1 is a legacy protocol with weaker negotiation protections and should only be listed when required for compatibility.
tunnel2InsideCidr string
The CIDR block of the inside IP addresses for the second VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
tunnel2InsideIpv6Cidr string
The range of inside IPv6 addresses for the second VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
tunnel2Phase1DhGroupNumbers number[]
List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are 2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24. Group 2 (1024-bit MODP) is considered too weak for new deployments; prefer 14 or higher (or the ECP groups 19–21), and include only groups you are willing to have negotiated.
tunnel2Phase1EncryptionAlgorithms string[]
List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
tunnel2Phase1IntegrityAlgorithms string[]
One or more integrity algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512. Any listed algorithm may be negotiated, so leave SHA1 out of the list on new deployments and restrict it to SHA2-* unless a legacy device requires otherwise.
tunnel2Phase1LifetimeSeconds number
The lifetime for phase 1 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between 900 and 28800.
tunnel2Phase2DhGroupNumbers number[]
List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24. Groups 2 and 5 (1024-/1536-bit MODP) are considered too weak for new deployments; prefer 14 or higher (or the ECP groups 19–21), and include only groups you are willing to have negotiated.
tunnel2Phase2EncryptionAlgorithms string[]
List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
tunnel2Phase2IntegrityAlgorithms string[]
List of one or more integrity algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512. Any listed algorithm may be negotiated, so leave SHA1 out of the list on new deployments and restrict it to SHA2-* unless a legacy device requires otherwise.
tunnel2Phase2LifetimeSeconds number
The lifetime for phase 2 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between 900 and 3600.
tunnel2PresharedKey string
The preshared key of the second VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero (0). Allowed characters are alphanumeric characters, periods (.) and underscores (_). This value is a credential: supply it as a secret (for example from a secrets manager or a secret configuration value) rather than hard-coding it in source, use a distinct randomly generated key per tunnel, and remember that it is persisted in Pulumi state, so state must be protected accordingly.
tunnel2RekeyFuzzPercentage number
The percentage of the rekey window for the second VPN tunnel (determined by tunnel2_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between 0 and 100.
tunnel2RekeyMarginTimeSeconds number
The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the second VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for tunnel2_rekey_fuzz_percentage. Valid value is between 60 and half of tunnel2_phase2_lifetime_seconds.
tunnel2ReplayWindowSize number
The number of packets in an IKE replay window for the second VPN tunnel. Valid value is between 64 and 2048.
tunnel2StartupAction string
The action to take when establishing the tunnel for the second VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are add | start.
tunnelInsideIpVersion string
Indicate whether the VPN tunnels process IPv4 or IPv6 traffic. Valid values are ipv4 | ipv6. The ipv6 value is supported only with EC2 Transit Gateway.
vpnGatewayId string
The ID of the Virtual Private Gateway.
customer_gateway_id str
The ID of the customer gateway.
type str
The type of VPN connection. The only type AWS supports at this time is “ipsec.1”.
enable_acceleration bool
Indicate whether to enable acceleration for the VPN connection. Supports only EC2 Transit Gateway.
local_ipv4_network_cidr str
The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection.
local_ipv6_network_cidr str
The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
remote_ipv4_network_cidr str
The IPv4 CIDR on the AWS side of the VPN connection.
remote_ipv6_network_cidr str
The IPv6 CIDR on the AWS side of the VPN connection.
static_routes_only bool
Whether the VPN connection uses static routes exclusively. Static routes must be used for devices that don’t support BGP.
tags Mapping[str, str]
Tags to apply to the connection. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
tags_all Mapping[str, str]
A map of tags assigned to the resource, including those inherited from the provider.
transit_gateway_id str
The ID of the EC2 Transit Gateway.
tunnel1_dpd_timeout_action str
The action to take after DPD timeout occurs for the first VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are clear | none | restart.
tunnel1_dpd_timeout_seconds int
The number of seconds after which a DPD timeout occurs for the first VPN tunnel. Valid value is 30 or higher.
tunnel1_ike_versions Sequence[str]
The IKE versions that are permitted for the first VPN tunnel. Valid values are ikev1 | ikev2. Restrict this to ikev2 wherever the customer gateway device supports it; IKEv1 is a legacy protocol with weaker negotiation protections and should only be listed when required for compatibility.
tunnel1_inside_cidr str
The CIDR block of the inside IP addresses for the first VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
tunnel1_inside_ipv6_cidr str
The range of inside IPv6 addresses for the first VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
tunnel1_phase1_dh_group_numbers Sequence[int]
List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are 2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24. Group 2 (1024-bit MODP) is considered too weak for new deployments; prefer 14 or higher (or the ECP groups 19–21), and include only groups you are willing to have negotiated.
tunnel1_phase1_encryption_algorithms Sequence[str]
List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
tunnel1_phase1_integrity_algorithms Sequence[str]
One or more integrity algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512. Any listed algorithm may be negotiated, so leave SHA1 out of the list on new deployments and restrict it to SHA2-* unless a legacy device requires otherwise.
tunnel1_phase1_lifetime_seconds int
The lifetime for phase 1 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between 900 and 28800.
tunnel1_phase2_dh_group_numbers Sequence[int]
List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24. Groups 2 and 5 (1024-/1536-bit MODP) are considered too weak for new deployments; prefer 14 or higher (or the ECP groups 19–21), and include only groups you are willing to have negotiated.
tunnel1_phase2_encryption_algorithms Sequence[str]
List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
tunnel1_phase2_integrity_algorithms Sequence[str]
List of one or more integrity algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512. Any listed algorithm may be negotiated, so leave SHA1 out of the list on new deployments and restrict it to SHA2-* unless a legacy device requires otherwise.
tunnel1_phase2_lifetime_seconds int
The lifetime for phase 2 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between 900 and 3600.
tunnel1_preshared_key str
The preshared key of the first VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero (0). Allowed characters are alphanumeric characters, periods (.) and underscores (_). This value is a credential: supply it as a secret (for example from a secrets manager or a secret configuration value) rather than hard-coding it in source, use a distinct randomly generated key per tunnel, and remember that it is persisted in Pulumi state, so state must be protected accordingly.
tunnel1_rekey_fuzz_percentage int
The percentage of the rekey window for the first VPN tunnel (determined by tunnel1_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between 0 and 100.
tunnel1_rekey_margin_time_seconds int
The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the first VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for tunnel1_rekey_fuzz_percentage. Valid value is between 60 and half of tunnel1_phase2_lifetime_seconds.
tunnel1_replay_window_size int
The number of packets in an IKE replay window for the first VPN tunnel. Valid value is between 64 and 2048.
tunnel1_startup_action str
The action to take when establishing the tunnel for the first VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are add | start.
tunnel2_dpd_timeout_action str
The action to take after DPD timeout occurs for the second VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are clear | none | restart.
tunnel2_dpd_timeout_seconds int
The number of seconds after which a DPD timeout occurs for the second VPN tunnel. Valid value is 30 or higher.
tunnel2_ike_versions Sequence[str]
The IKE versions that are permitted for the second VPN tunnel. Valid values are ikev1 | ikev2. Restrict this to ikev2 wherever the customer gateway device supports it; IKEv1 is a legacy protocol with weaker negotiation protections and should only be listed when required for compatibility.
tunnel2_inside_cidr str
The CIDR block of the inside IP addresses for the second VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
tunnel2_inside_ipv6_cidr str
The range of inside IPv6 addresses for the second VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
tunnel2_phase1_dh_group_numbers Sequence[int]
List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are 2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24. Group 2 (1024-bit MODP) is considered too weak for new deployments; prefer 14 or higher (or the ECP groups 19–21), and include only groups you are willing to have negotiated.
tunnel2_phase1_encryption_algorithms Sequence[str]
List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
tunnel2_phase1_integrity_algorithms Sequence[str]
One or more integrity algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512. Any listed algorithm may be negotiated, so leave SHA1 out of the list on new deployments and restrict it to SHA2-* unless a legacy device requires otherwise.
tunnel2_phase1_lifetime_seconds int
The lifetime for phase 1 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between 900 and 28800.
tunnel2_phase2_dh_group_numbers Sequence[int]
List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24. Groups 2 and 5 (1024-/1536-bit MODP) are considered too weak for new deployments; prefer 14 or higher (or the ECP groups 19–21), and include only groups you are willing to have negotiated.
tunnel2_phase2_encryption_algorithms Sequence[str]
List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
tunnel2_phase2_integrity_algorithms Sequence[str]
List of one or more integrity algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512. Any listed algorithm may be negotiated, so leave SHA1 out of the list on new deployments and restrict it to SHA2-* unless a legacy device requires otherwise.
tunnel2_phase2_lifetime_seconds int
The lifetime for phase 2 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between 900 and 3600.
tunnel2_preshared_key str
The preshared key of the second VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero (0). Allowed characters are alphanumeric characters, periods (.) and underscores (_). This value is a credential: supply it as a secret (for example from a secrets manager or a secret configuration value) rather than hard-coding it in source, use a distinct randomly generated key per tunnel, and remember that it is persisted in Pulumi state, so state must be protected accordingly.
tunnel2_rekey_fuzz_percentage int
The percentage of the rekey window for the second VPN tunnel (determined by tunnel2_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between 0 and 100.
tunnel2_rekey_margin_time_seconds int
The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the second VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for tunnel2_rekey_fuzz_percentage. Valid value is between 60 and half of tunnel2_phase2_lifetime_seconds.
tunnel2_replay_window_size int
The number of packets in an IKE replay window for the second VPN tunnel. Valid value is between 64 and 2048.
tunnel2_startup_action str
The action to take when establishing the tunnel for the second VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are add | start.
tunnel_inside_ip_version str
Indicate whether the VPN tunnels process IPv4 or IPv6 traffic. Valid values are ipv4 | ipv6. The ipv6 value is supported only with EC2 Transit Gateway.
vpn_gateway_id str
The ID of the Virtual Private Gateway.

Outputs

All input properties are implicitly available as output properties. Additionally, the VpnConnection resource produces the following output properties:

Arn string
Amazon Resource Name (ARN) of the VPN Connection.
CustomerGatewayConfiguration string
The configuration information for the VPN connection’s customer gateway (in the native XML format). Treat this output as sensitive: it is the device-side bootstrap configuration and carries the tunnel pre-shared keys, so do not export, log or commit it in the clear.
Id string
The provider-assigned unique ID for this managed resource.
Routes List<VpnConnectionRoute>
TransitGatewayAttachmentId string
When associated with an EC2 Transit Gateway (transit_gateway_id argument), the attachment ID. See also the aws.ec2.Tag for tagging the EC2 Transit Gateway VPN Attachment.
Tunnel1Address string
The public IP address of the first VPN tunnel.
Tunnel1BgpAsn string
The bgp asn number of the first VPN tunnel.
Tunnel1BgpHoldtime int
The bgp holdtime of the first VPN tunnel.
Tunnel1CgwInsideAddress string
The RFC 6890 link-local address of the first VPN tunnel (Customer Gateway Side).
Tunnel1VgwInsideAddress string
The RFC 6890 link-local address of the first VPN tunnel (VPN Gateway Side).
Tunnel2Address string
The public IP address of the second VPN tunnel.
Tunnel2BgpAsn string
The bgp asn number of the second VPN tunnel.
Tunnel2BgpHoldtime int
The bgp holdtime of the second VPN tunnel.
Tunnel2CgwInsideAddress string
The RFC 6890 link-local address of the second VPN tunnel (Customer Gateway Side).
Tunnel2VgwInsideAddress string
The RFC 6890 link-local address of the second VPN tunnel (VPN Gateway Side).
VgwTelemetries List<VpnConnectionVgwTelemetry>
Arn string
Amazon Resource Name (ARN) of the VPN Connection.
CustomerGatewayConfiguration string
The configuration information for the VPN connection’s customer gateway (in the native XML format). Treat this output as sensitive: it is the device-side bootstrap configuration and carries the tunnel pre-shared keys, so do not export, log or commit it in the clear.
Id string
The provider-assigned unique ID for this managed resource.
Routes []VpnConnectionRouteType
TransitGatewayAttachmentId string
When associated with an EC2 Transit Gateway (transit_gateway_id argument), the attachment ID. See also the aws.ec2.Tag for tagging the EC2 Transit Gateway VPN Attachment.
Tunnel1Address string
The public IP address of the first VPN tunnel.
Tunnel1BgpAsn string
The bgp asn number of the first VPN tunnel.
Tunnel1BgpHoldtime int
The bgp holdtime of the first VPN tunnel.
Tunnel1CgwInsideAddress string
The RFC 6890 link-local address of the first VPN tunnel (Customer Gateway Side).
Tunnel1VgwInsideAddress string
The RFC 6890 link-local address of the first VPN tunnel (VPN Gateway Side).
Tunnel2Address string
The public IP address of the second VPN tunnel.
Tunnel2BgpAsn string
The bgp asn number of the second VPN tunnel.
Tunnel2BgpHoldtime int
The bgp holdtime of the second VPN tunnel.
Tunnel2CgwInsideAddress string
The RFC 6890 link-local address of the second VPN tunnel (Customer Gateway Side).
Tunnel2VgwInsideAddress string
The RFC 6890 link-local address of the second VPN tunnel (VPN Gateway Side).
VgwTelemetries []VpnConnectionVgwTelemetry
arn string
Amazon Resource Name (ARN) of the VPN Connection.
customerGatewayConfiguration string
The configuration information for the VPN connection’s customer gateway (in the native XML format). Treat this output as sensitive: it is the device-side bootstrap configuration and carries the tunnel pre-shared keys, so do not export, log or commit it in the clear.
id string
The provider-assigned unique ID for this managed resource.
routes VpnConnectionRoute[]
transitGatewayAttachmentId string
When associated with an EC2 Transit Gateway (transit_gateway_id argument), the attachment ID. See also the aws.ec2.Tag for tagging the EC2 Transit Gateway VPN Attachment.
tunnel1Address string
The public IP address of the first VPN tunnel.
tunnel1BgpAsn string
The bgp asn number of the first VPN tunnel.
tunnel1BgpHoldtime number
The bgp holdtime of the first VPN tunnel.
tunnel1CgwInsideAddress string
The RFC 6890 link-local address of the first VPN tunnel (Customer Gateway Side).
tunnel1VgwInsideAddress string
The RFC 6890 link-local address of the first VPN tunnel (VPN Gateway Side).
tunnel2Address string
The public IP address of the second VPN tunnel.
tunnel2BgpAsn string
The bgp asn number of the second VPN tunnel.
tunnel2BgpHoldtime number
The bgp holdtime of the second VPN tunnel.
tunnel2CgwInsideAddress string
The RFC 6890 link-local address of the second VPN tunnel (Customer Gateway Side).
tunnel2VgwInsideAddress string
The RFC 6890 link-local address of the second VPN tunnel (VPN Gateway Side).
vgwTelemetries VpnConnectionVgwTelemetry[]
arn str
Amazon Resource Name (ARN) of the VPN Connection.
customer_gateway_configuration str
The configuration information for the VPN connection’s customer gateway (in the native XML format). Treat this output as sensitive: it is the device-side bootstrap configuration and carries the tunnel pre-shared keys, so do not export, log or commit it in the clear.
id str
The provider-assigned unique ID for this managed resource.
routes Sequence[VpnConnectionRoute]
transit_gateway_attachment_id str
When associated with an EC2 Transit Gateway (transit_gateway_id argument), the attachment ID. See also the aws.ec2.Tag for tagging the EC2 Transit Gateway VPN Attachment.
tunnel1_address str
The public IP address of the first VPN tunnel.
tunnel1_bgp_asn str
The bgp asn number of the first VPN tunnel.
tunnel1_bgp_holdtime int
The bgp holdtime of the first VPN tunnel.
tunnel1_cgw_inside_address str
The RFC 6890 link-local address of the first VPN tunnel (Customer Gateway Side).
tunnel1_vgw_inside_address str
The RFC 6890 link-local address of the first VPN tunnel (VPN Gateway Side).
tunnel2_address str
The public IP address of the second VPN tunnel.
tunnel2_bgp_asn str
The bgp asn number of the second VPN tunnel.
tunnel2_bgp_holdtime int
The bgp holdtime of the second VPN tunnel.
tunnel2_cgw_inside_address str
The RFC 6890 link-local address of the second VPN tunnel (Customer Gateway Side).
tunnel2_vgw_inside_address str
The RFC 6890 link-local address of the second VPN tunnel (VPN Gateway Side).
vgw_telemetries Sequence[VpnConnectionVgwTelemetry]

Look up an Existing VpnConnection Resource

Get an existing VpnConnection resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: VpnConnectionState, opts?: CustomResourceOptions): VpnConnection
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        arn: Optional[str] = None,
        customer_gateway_configuration: Optional[str] = None,
        customer_gateway_id: Optional[str] = None,
        enable_acceleration: Optional[bool] = None,
        local_ipv4_network_cidr: Optional[str] = None,
        local_ipv6_network_cidr: Optional[str] = None,
        remote_ipv4_network_cidr: Optional[str] = None,
        remote_ipv6_network_cidr: Optional[str] = None,
        routes: Optional[Sequence[VpnConnectionRouteArgs]] = None,
        static_routes_only: Optional[bool] = None,
        tags: Optional[Mapping[str, str]] = None,
        tags_all: Optional[Mapping[str, str]] = None,
        transit_gateway_attachment_id: Optional[str] = None,
        transit_gateway_id: Optional[str] = None,
        tunnel1_address: Optional[str] = None,
        tunnel1_bgp_asn: Optional[str] = None,
        tunnel1_bgp_holdtime: Optional[int] = None,
        tunnel1_cgw_inside_address: Optional[str] = None,
        tunnel1_dpd_timeout_action: Optional[str] = None,
        tunnel1_dpd_timeout_seconds: Optional[int] = None,
        tunnel1_ike_versions: Optional[Sequence[str]] = None,
        tunnel1_inside_cidr: Optional[str] = None,
        tunnel1_inside_ipv6_cidr: Optional[str] = None,
        tunnel1_phase1_dh_group_numbers: Optional[Sequence[int]] = None,
        tunnel1_phase1_encryption_algorithms: Optional[Sequence[str]] = None,
        tunnel1_phase1_integrity_algorithms: Optional[Sequence[str]] = None,
        tunnel1_phase1_lifetime_seconds: Optional[int] = None,
        tunnel1_phase2_dh_group_numbers: Optional[Sequence[int]] = None,
        tunnel1_phase2_encryption_algorithms: Optional[Sequence[str]] = None,
        tunnel1_phase2_integrity_algorithms: Optional[Sequence[str]] = None,
        tunnel1_phase2_lifetime_seconds: Optional[int] = None,
        tunnel1_preshared_key: Optional[str] = None,
        tunnel1_rekey_fuzz_percentage: Optional[int] = None,
        tunnel1_rekey_margin_time_seconds: Optional[int] = None,
        tunnel1_replay_window_size: Optional[int] = None,
        tunnel1_startup_action: Optional[str] = None,
        tunnel1_vgw_inside_address: Optional[str] = None,
        tunnel2_address: Optional[str] = None,
        tunnel2_bgp_asn: Optional[str] = None,
        tunnel2_bgp_holdtime: Optional[int] = None,
        tunnel2_cgw_inside_address: Optional[str] = None,
        tunnel2_dpd_timeout_action: Optional[str] = None,
        tunnel2_dpd_timeout_seconds: Optional[int] = None,
        tunnel2_ike_versions: Optional[Sequence[str]] = None,
        tunnel2_inside_cidr: Optional[str] = None,
        tunnel2_inside_ipv6_cidr: Optional[str] = None,
        tunnel2_phase1_dh_group_numbers: Optional[Sequence[int]] = None,
        tunnel2_phase1_encryption_algorithms: Optional[Sequence[str]] = None,
        tunnel2_phase1_integrity_algorithms: Optional[Sequence[str]] = None,
        tunnel2_phase1_lifetime_seconds: Optional[int] = None,
        tunnel2_phase2_dh_group_numbers: Optional[Sequence[int]] = None,
        tunnel2_phase2_encryption_algorithms: Optional[Sequence[str]] = None,
        tunnel2_phase2_integrity_algorithms: Optional[Sequence[str]] = None,
        tunnel2_phase2_lifetime_seconds: Optional[int] = None,
        tunnel2_preshared_key: Optional[str] = None,
        tunnel2_rekey_fuzz_percentage: Optional[int] = None,
        tunnel2_rekey_margin_time_seconds: Optional[int] = None,
        tunnel2_replay_window_size: Optional[int] = None,
        tunnel2_startup_action: Optional[str] = None,
        tunnel2_vgw_inside_address: Optional[str] = None,
        tunnel_inside_ip_version: Optional[str] = None,
        type: Optional[str] = None,
        vgw_telemetries: Optional[Sequence[VpnConnectionVgwTelemetryArgs]] = None,
        vpn_gateway_id: Optional[str] = None) -> VpnConnection
func GetVpnConnection(ctx *Context, name string, id IDInput, state *VpnConnectionState, opts ...ResourceOption) (*VpnConnection, error)
public static VpnConnection Get(string name, Input<string> id, VpnConnectionState? state, CustomResourceOptions? opts = null)
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.

The following state arguments are supported:

Arn string
Amazon Resource Name (ARN) of the VPN Connection.
CustomerGatewayConfiguration string
The configuration information for the VPN connection’s customer gateway (in the native XML format). This output includes the tunnel pre-shared keys, so treat it as a secret.
CustomerGatewayId string
The ID of the customer gateway.
EnableAcceleration bool
Indicate whether to enable acceleration for the VPN connection. Supports only EC2 Transit Gateway.
LocalIpv4NetworkCidr string
The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection.
LocalIpv6NetworkCidr string
The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
RemoteIpv4NetworkCidr string
The IPv4 CIDR on the AWS side of the VPN connection.
RemoteIpv6NetworkCidr string
The IPv6 CIDR on the AWS side of the VPN connection.
Routes List<VpnConnectionRouteArgs>
StaticRoutesOnly bool
Whether the VPN connection uses static routes exclusively. Static routes must be used for devices that don’t support BGP.
Tags Dictionary<string, string>
Tags to apply to the connection. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
TagsAll Dictionary<string, string>
A map of tags assigned to the resource, including those inherited from the provider.
TransitGatewayAttachmentId string
When associated with an EC2 Transit Gateway (transit_gateway_id argument), the attachment ID. See also the aws.ec2.Tag for tagging the EC2 Transit Gateway VPN Attachment.
TransitGatewayId string
The ID of the EC2 Transit Gateway.
Tunnel1Address string
The public IP address of the first VPN tunnel.
Tunnel1BgpAsn string
The bgp asn number of the first VPN tunnel.
Tunnel1BgpHoldtime int
The bgp holdtime of the first VPN tunnel.
Tunnel1CgwInsideAddress string
The RFC 6890 link-local address of the first VPN tunnel (Customer Gateway Side).
Tunnel1DpdTimeoutAction string
The action to take after DPD timeout occurs for the first VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are clear | none | restart.
Tunnel1DpdTimeoutSeconds int
The number of seconds after which a DPD timeout occurs for the first VPN tunnel. Valid value is 30 or higher.
Tunnel1IkeVersions List<string>
The IKE versions that are permitted for the first VPN tunnel. Valid values are ikev1 | ikev2.
Tunnel1InsideCidr string
The CIDR block of the inside IP addresses for the first VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
Tunnel1InsideIpv6Cidr string
The range of inside IPv6 addresses for the first VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
Tunnel1Phase1DhGroupNumbers List<int>
List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are 2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.
Tunnel1Phase1EncryptionAlgorithms List<string>
List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
Tunnel1Phase1IntegrityAlgorithms List<string>
One or more integrity algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.
Tunnel1Phase1LifetimeSeconds int
The lifetime for phase 1 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between 900 and 28800.
Tunnel1Phase2DhGroupNumbers List<int>
List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.
Tunnel1Phase2EncryptionAlgorithms List<string>
List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
Tunnel1Phase2IntegrityAlgorithms List<string>
List of one or more integrity algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.
Tunnel1Phase2LifetimeSeconds int
The lifetime for phase 2 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between 900 and 3600.
Tunnel1PresharedKey string
The preshared key of the first VPN tunnel. Treat it as a secret. The preshared key must be between 8 and 64 characters in length and cannot start with zero (0). Allowed characters are alphanumeric characters, periods (.) and underscores (_).
Tunnel1RekeyFuzzPercentage int
The percentage of the rekey window for the first VPN tunnel (determined by tunnel1_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between 0 and 100.
Tunnel1RekeyMarginTimeSeconds int
The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the first VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for tunnel1_rekey_fuzz_percentage. Valid value is between 60 and half of tunnel1_phase2_lifetime_seconds.
Tunnel1ReplayWindowSize int
The number of packets in an IKE replay window for the first VPN tunnel. Valid value is between 64 and 2048.
Tunnel1StartupAction string
The action to take when establishing the tunnel for the first VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are add | start.
Tunnel1VgwInsideAddress string
The RFC 6890 link-local address of the first VPN tunnel (VPN Gateway Side).
Tunnel2Address string
The public IP address of the second VPN tunnel.
Tunnel2BgpAsn string
The bgp asn number of the second VPN tunnel.
Tunnel2BgpHoldtime int
The bgp holdtime of the second VPN tunnel.
Tunnel2CgwInsideAddress string
The RFC 6890 link-local address of the second VPN tunnel (Customer Gateway Side).
Tunnel2DpdTimeoutAction string
The action to take after DPD timeout occurs for the second VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are clear | none | restart.
Tunnel2DpdTimeoutSeconds int
The number of seconds after which a DPD timeout occurs for the second VPN tunnel. Valid value is 30 or higher.
Tunnel2IkeVersions List<string>
The IKE versions that are permitted for the second VPN tunnel. Valid values are ikev1 | ikev2.
Tunnel2InsideCidr string
The CIDR block of the inside IP addresses for the second VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
Tunnel2InsideIpv6Cidr string
The range of inside IPv6 addresses for the second VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
Tunnel2Phase1DhGroupNumbers List<int>
List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are 2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.
Tunnel2Phase1EncryptionAlgorithms List<string>
List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
Tunnel2Phase1IntegrityAlgorithms List<string>
One or more integrity algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.
Tunnel2Phase1LifetimeSeconds int
The lifetime for phase 1 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between 900 and 28800.
Tunnel2Phase2DhGroupNumbers List<int>
List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.
Tunnel2Phase2EncryptionAlgorithms List<string>
List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
Tunnel2Phase2IntegrityAlgorithms List<string>
List of one or more integrity algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.
Tunnel2Phase2LifetimeSeconds int
The lifetime for phase 2 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between 900 and 3600.
Tunnel2PresharedKey string
The preshared key of the second VPN tunnel. Treat it as a secret. The preshared key must be between 8 and 64 characters in length and cannot start with zero (0). Allowed characters are alphanumeric characters, periods (.) and underscores (_).
Tunnel2RekeyFuzzPercentage int
The percentage of the rekey window for the second VPN tunnel (determined by tunnel2_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between 0 and 100.
Tunnel2RekeyMarginTimeSeconds int
The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the second VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for tunnel2_rekey_fuzz_percentage. Valid value is between 60 and half of tunnel2_phase2_lifetime_seconds.
Tunnel2ReplayWindowSize int
The number of packets in an IKE replay window for the second VPN tunnel. Valid value is between 64 and 2048.
Tunnel2StartupAction string
The action to take when establishing the tunnel for the second VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are add | start.
Tunnel2VgwInsideAddress string
The RFC 6890 link-local address of the second VPN tunnel (VPN Gateway Side).
TunnelInsideIpVersion string
Indicate whether the VPN tunnels process IPv4 or IPv6 traffic. Valid values are ipv4 | ipv6. ipv6 supports only EC2 Transit Gateway.
Type string
The type of VPN connection. The only type AWS supports at this time is “ipsec.1”.
VgwTelemetries List<VpnConnectionVgwTelemetryArgs>
VpnGatewayId string
The ID of the Virtual Private Gateway.
Arn string
Amazon Resource Name (ARN) of the VPN Connection.
CustomerGatewayConfiguration string
The configuration information for the VPN connection’s customer gateway (in the native XML format). This output includes the tunnel pre-shared keys, so treat it as a secret.
CustomerGatewayId string
The ID of the customer gateway.
EnableAcceleration bool
Indicate whether to enable acceleration for the VPN connection. Supports only EC2 Transit Gateway.
LocalIpv4NetworkCidr string
The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection.
LocalIpv6NetworkCidr string
The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
RemoteIpv4NetworkCidr string
The IPv4 CIDR on the AWS side of the VPN connection.
RemoteIpv6NetworkCidr string
The IPv6 CIDR on the AWS side of the VPN connection.
Routes []VpnConnectionRouteType
StaticRoutesOnly bool
Whether the VPN connection uses static routes exclusively. Static routes must be used for devices that don’t support BGP.
Tags map[string]string
Tags to apply to the connection. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
TagsAll map[string]string
A map of tags assigned to the resource, including those inherited from the provider.
TransitGatewayAttachmentId string
When associated with an EC2 Transit Gateway (transit_gateway_id argument), the attachment ID. See also the aws.ec2.Tag for tagging the EC2 Transit Gateway VPN Attachment.
TransitGatewayId string
The ID of the EC2 Transit Gateway.
Tunnel1Address string
The public IP address of the first VPN tunnel.
Tunnel1BgpAsn string
The bgp asn number of the first VPN tunnel.
Tunnel1BgpHoldtime int
The bgp holdtime of the first VPN tunnel.
Tunnel1CgwInsideAddress string
The RFC 6890 link-local address of the first VPN tunnel (Customer Gateway Side).
Tunnel1DpdTimeoutAction string
The action to take after DPD timeout occurs for the first VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are clear | none | restart.
Tunnel1DpdTimeoutSeconds int
The number of seconds after which a DPD timeout occurs for the first VPN tunnel. Valid value is 30 or higher.
Tunnel1IkeVersions []string
The IKE versions that are permitted for the first VPN tunnel. Valid values are ikev1 | ikev2.
Tunnel1InsideCidr string
The CIDR block of the inside IP addresses for the first VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
Tunnel1InsideIpv6Cidr string
The range of inside IPv6 addresses for the first VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
Tunnel1Phase1DhGroupNumbers []int
List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are 2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.
Tunnel1Phase1EncryptionAlgorithms []string
List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
Tunnel1Phase1IntegrityAlgorithms []string
One or more integrity algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.
Tunnel1Phase1LifetimeSeconds int
The lifetime for phase 1 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between 900 and 28800.
Tunnel1Phase2DhGroupNumbers []int
List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.
Tunnel1Phase2EncryptionAlgorithms []string
List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
Tunnel1Phase2IntegrityAlgorithms []string
List of one or more integrity algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.
Tunnel1Phase2LifetimeSeconds int
The lifetime for phase 2 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between 900 and 3600.
Tunnel1PresharedKey string
The preshared key of the first VPN tunnel. Treat it as a secret. The preshared key must be between 8 and 64 characters in length and cannot start with zero (0). Allowed characters are alphanumeric characters, periods (.) and underscores (_).
Tunnel1RekeyFuzzPercentage int
The percentage of the rekey window for the first VPN tunnel (determined by tunnel1_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between 0 and 100.
Tunnel1RekeyMarginTimeSeconds int
The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the first VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for tunnel1_rekey_fuzz_percentage. Valid value is between 60 and half of tunnel1_phase2_lifetime_seconds.
Tunnel1ReplayWindowSize int
The number of packets in an IKE replay window for the first VPN tunnel. Valid value is between 64 and 2048.
Tunnel1StartupAction string
The action to take when establishing the tunnel for the first VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are add | start.
Tunnel1VgwInsideAddress string
The RFC 6890 link-local address of the first VPN tunnel (VPN Gateway Side).
Tunnel2Address string
The public IP address of the second VPN tunnel.
Tunnel2BgpAsn string
The bgp asn number of the second VPN tunnel.
Tunnel2BgpHoldtime int
The bgp holdtime of the second VPN tunnel.
Tunnel2CgwInsideAddress string
The RFC 6890 link-local address of the second VPN tunnel (Customer Gateway Side).
Tunnel2DpdTimeoutAction string
The action to take after DPD timeout occurs for the second VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are clear | none | restart.
Tunnel2DpdTimeoutSeconds int
The number of seconds after which a DPD timeout occurs for the second VPN tunnel. Valid value is 30 or higher.
Tunnel2IkeVersions []string
The IKE versions that are permitted for the second VPN tunnel. Valid values are ikev1 | ikev2.
Tunnel2InsideCidr string
The CIDR block of the inside IP addresses for the second VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
Tunnel2InsideIpv6Cidr string
The range of inside IPv6 addresses for the second VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
Tunnel2Phase1DhGroupNumbers []int
List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are 2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.
Tunnel2Phase1EncryptionAlgorithms []string
List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
Tunnel2Phase1IntegrityAlgorithms []string
One or more integrity algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.
Tunnel2Phase1LifetimeSeconds int
The lifetime for phase 1 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between 900 and 28800.
Tunnel2Phase2DhGroupNumbers []int
List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.
Tunnel2Phase2EncryptionAlgorithms []string
List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
Tunnel2Phase2IntegrityAlgorithms []string
List of one or more integrity algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.
Tunnel2Phase2LifetimeSeconds int
The lifetime for phase 2 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between 900 and 3600.
Tunnel2PresharedKey string
The preshared key of the second VPN tunnel. Treat it as a secret. The preshared key must be between 8 and 64 characters in length and cannot start with zero (0). Allowed characters are alphanumeric characters, periods (.) and underscores (_).
Tunnel2RekeyFuzzPercentage int
The percentage of the rekey window for the second VPN tunnel (determined by tunnel2_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between 0 and 100.
Tunnel2RekeyMarginTimeSeconds int
The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the second VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for tunnel2_rekey_fuzz_percentage. Valid value is between 60 and half of tunnel2_phase2_lifetime_seconds.
Tunnel2ReplayWindowSize int
The number of packets in an IKE replay window for the second VPN tunnel. Valid value is between 64 and 2048.
Tunnel2StartupAction string
The action to take when establishing the tunnel for the second VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are add | start.
Tunnel2VgwInsideAddress string
The RFC 6890 link-local address of the second VPN tunnel (VPN Gateway Side).
TunnelInsideIpVersion string
Indicate whether the VPN tunnels process IPv4 or IPv6 traffic. Valid values are ipv4 | ipv6. ipv6 supports only EC2 Transit Gateway.
Type string
The type of VPN connection. The only type AWS supports at this time is “ipsec.1”.
VgwTelemetries []VpnConnectionVgwTelemetry
VpnGatewayId string
The ID of the Virtual Private Gateway.
arn string
Amazon Resource Name (ARN) of the VPN Connection.
customerGatewayConfiguration string
The configuration information for the VPN connection’s customer gateway (in the native XML format). This output includes the tunnel pre-shared keys, so treat it as a secret.
customerGatewayId string
The ID of the customer gateway.
enableAcceleration boolean
Indicate whether to enable acceleration for the VPN connection. Supports only EC2 Transit Gateway.
localIpv4NetworkCidr string
The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection.
localIpv6NetworkCidr string
The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
remoteIpv4NetworkCidr string
The IPv4 CIDR on the AWS side of the VPN connection.
remoteIpv6NetworkCidr string
The IPv6 CIDR on the AWS side of the VPN connection.
routes VpnConnectionRouteArgs[]
staticRoutesOnly boolean
Whether the VPN connection uses static routes exclusively. Static routes must be used for devices that don’t support BGP.
tags {[key: string]: string}
Tags to apply to the connection. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
tagsAll {[key: string]: string}
A map of tags assigned to the resource, including those inherited from the provider.
transitGatewayAttachmentId string
When associated with an EC2 Transit Gateway (transit_gateway_id argument), the attachment ID. See also the aws.ec2.Tag for tagging the EC2 Transit Gateway VPN Attachment.
transitGatewayId string
The ID of the EC2 Transit Gateway.
tunnel1Address string
The public IP address of the first VPN tunnel.
tunnel1BgpAsn string
The bgp asn number of the first VPN tunnel.
tunnel1BgpHoldtime number
The bgp holdtime of the first VPN tunnel.
tunnel1CgwInsideAddress string
The RFC 6890 link-local address of the first VPN tunnel (Customer Gateway Side).
tunnel1DpdTimeoutAction string
The action to take after DPD timeout occurs for the first VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are clear | none | restart.
tunnel1DpdTimeoutSeconds number
The number of seconds after which a DPD timeout occurs for the first VPN tunnel. Valid value is 30 or higher.
tunnel1IkeVersions string[]
The IKE versions that are permitted for the first VPN tunnel. Valid values are ikev1 | ikev2.
tunnel1InsideCidr string
The CIDR block of the inside IP addresses for the first VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
tunnel1InsideIpv6Cidr string
The range of inside IPv6 addresses for the first VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
tunnel1Phase1DhGroupNumbers number[]
List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are 2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.
tunnel1Phase1EncryptionAlgorithms string[]
List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
tunnel1Phase1IntegrityAlgorithms string[]
One or more integrity algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.
tunnel1Phase1LifetimeSeconds number
The lifetime for phase 1 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between 900 and 28800.
tunnel1Phase2DhGroupNumbers number[]
List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.
tunnel1Phase2EncryptionAlgorithms string[]
List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
tunnel1Phase2IntegrityAlgorithms string[]
List of one or more integrity algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.
tunnel1Phase2LifetimeSeconds number
The lifetime for phase 2 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between 900 and 3600.
tunnel1PresharedKey string
The preshared key of the first VPN tunnel. Treat it as a secret. The preshared key must be between 8 and 64 characters in length and cannot start with zero (0). Allowed characters are alphanumeric characters, periods (.) and underscores (_).
tunnel1RekeyFuzzPercentage number
The percentage of the rekey window for the first VPN tunnel (determined by tunnel1_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between 0 and 100.
tunnel1RekeyMarginTimeSeconds number
The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the first VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for tunnel1_rekey_fuzz_percentage. Valid value is between 60 and half of tunnel1_phase2_lifetime_seconds.
tunnel1ReplayWindowSize number
The number of packets in an IKE replay window for the first VPN tunnel. Valid value is between 64 and 2048.
tunnel1StartupAction string
The action to take when establishing the tunnel for the first VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are add | start.
tunnel1VgwInsideAddress string
The RFC 6890 link-local address of the first VPN tunnel (VPN Gateway Side).
tunnel2Address string
The public IP address of the second VPN tunnel.
tunnel2BgpAsn string
The bgp asn number of the second VPN tunnel.
tunnel2BgpHoldtime number
The bgp holdtime of the second VPN tunnel.
tunnel2CgwInsideAddress string
The RFC 6890 link-local address of the second VPN tunnel (Customer Gateway Side).
tunnel2DpdTimeoutAction string
The action to take after DPD timeout occurs for the second VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are clear | none | restart.
tunnel2DpdTimeoutSeconds number
The number of seconds after which a DPD timeout occurs for the second VPN tunnel. Valid value is 30 or higher.
tunnel2IkeVersions string[]
The IKE versions that are permitted for the second VPN tunnel. Valid values are ikev1 | ikev2.
tunnel2InsideCidr string
The CIDR block of the inside IP addresses for the second VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
tunnel2InsideIpv6Cidr string
The range of inside IPv6 addresses for the second VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
tunnel2Phase1DhGroupNumbers number[]
List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are 2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.
tunnel2Phase1EncryptionAlgorithms string[]
List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
tunnel2Phase1IntegrityAlgorithms string[]
One or more integrity algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.
tunnel2Phase1LifetimeSeconds number
The lifetime for phase 1 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between 900 and 28800.
tunnel2Phase2DhGroupNumbers number[]
List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.
tunnel2Phase2EncryptionAlgorithms string[]
List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
tunnel2Phase2IntegrityAlgorithms string[]
List of one or more integrity algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.
tunnel2Phase2LifetimeSeconds number
The lifetime for phase 2 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between 900 and 3600.
tunnel2PresharedKey string
The preshared key of the second VPN tunnel. Treat it as a secret. The preshared key must be between 8 and 64 characters in length and cannot start with zero (0). Allowed characters are alphanumeric characters, periods (.) and underscores (_).
tunnel2RekeyFuzzPercentage number
The percentage of the rekey window for the second VPN tunnel (determined by tunnel2_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between 0 and 100.
tunnel2RekeyMarginTimeSeconds number
The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the second VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for tunnel2_rekey_fuzz_percentage. Valid value is between 60 and half of tunnel2_phase2_lifetime_seconds.
tunnel2ReplayWindowSize number
The number of packets in an IKE replay window for the second VPN tunnel. Valid value is between 64 and 2048.
tunnel2StartupAction string
The action to take when establishing the tunnel for the second VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are add | start.
tunnel2VgwInsideAddress string
The RFC 6890 link-local address of the second VPN tunnel (VPN Gateway Side).
tunnelInsideIpVersion string
Indicate whether the VPN tunnels process IPv4 or IPv6 traffic. Valid values are ipv4 | ipv6. ipv6 supports only EC2 Transit Gateway.
type string
The type of VPN connection. The only type AWS supports at this time is “ipsec.1”.
vgwTelemetries VpnConnectionVgwTelemetryArgs[]
vpnGatewayId string
The ID of the Virtual Private Gateway.
arn str
Amazon Resource Name (ARN) of the VPN Connection.
customer_gateway_configuration str
The configuration information for the VPN connection’s customer gateway (in the native XML format).
customer_gateway_id str
The ID of the customer gateway.
enable_acceleration bool
Indicate whether to enable acceleration for the VPN connection. Supports only EC2 Transit Gateway.
local_ipv4_network_cidr str
The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection.
local_ipv6_network_cidr str
The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
remote_ipv4_network_cidr str
The IPv4 CIDR on the AWS side of the VPN connection.
remote_ipv6_network_cidr str
The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
routes Sequence[VpnConnectionRouteArgs]
static_routes_only bool
Whether the VPN connection uses static routes exclusively. Static routes must be used for devices that don’t support BGP.
tags Mapping[str, str]
Tags to apply to the connection. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
tags_all Mapping[str, str]
A map of tags assigned to the resource, including those inherited from the provider.
transit_gateway_attachment_id str
When associated with an EC2 Transit Gateway (transit_gateway_id argument), the attachment ID. See also aws.ec2.Tag for tagging the EC2 Transit Gateway VPN Attachment.
transit_gateway_id str
The ID of the EC2 Transit Gateway.
tunnel1_address str
The public IP address of the first VPN tunnel.
tunnel1_bgp_asn str
The BGP ASN of the first VPN tunnel.
tunnel1_bgp_holdtime int
The BGP hold time of the first VPN tunnel.
tunnel1_cgw_inside_address str
The RFC 6890 link-local address of the first VPN tunnel (Customer Gateway Side).
tunnel1_dpd_timeout_action str
The action to take after DPD timeout occurs for the first VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are clear | none | restart.
tunnel1_dpd_timeout_seconds int
The number of seconds after which a DPD timeout occurs for the first VPN tunnel. Valid value is 30 or higher.
tunnel1_ike_versions Sequence[str]
The IKE versions that are permitted for the first VPN tunnel. Valid values are ikev1 | ikev2.
tunnel1_inside_cidr str
The CIDR block of the inside IP addresses for the first VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
tunnel1_inside_ipv6_cidr str
The range of inside IPv6 addresses for the first VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
tunnel1_phase1_dh_group_numbers Sequence[int]
List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are 2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.
tunnel1_phase1_encryption_algorithms Sequence[str]
List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
tunnel1_phase1_integrity_algorithms Sequence[str]
List of one or more integrity algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.
tunnel1_phase1_lifetime_seconds int
The lifetime for phase 1 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between 900 and 28800.
tunnel1_phase2_dh_group_numbers Sequence[int]
List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.
tunnel1_phase2_encryption_algorithms Sequence[str]
List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
tunnel1_phase2_integrity_algorithms Sequence[str]
List of one or more integrity algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.
tunnel1_phase2_lifetime_seconds int
The lifetime for phase 2 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between 900 and 3600.
tunnel1_preshared_key str
The preshared key of the first VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero (0). Allowed characters are alphanumeric characters, periods (.) and underscores (_).
tunnel1_rekey_fuzz_percentage int
The percentage of the rekey window for the first VPN tunnel (determined by tunnel1_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between 0 and 100.
tunnel1_rekey_margin_time_seconds int
The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the first VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for tunnel1_rekey_fuzz_percentage. Valid value is between 60 and half of tunnel1_phase2_lifetime_seconds.
tunnel1_replay_window_size int
The number of packets in an IKE replay window for the first VPN tunnel. Valid value is between 64 and 2048.
tunnel1_startup_action str
The action to take when establishing the tunnel for the first VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are add | start.
tunnel1_vgw_inside_address str
The RFC 6890 link-local address of the first VPN tunnel (VPN Gateway Side).
tunnel2_address str
The public IP address of the second VPN tunnel.
tunnel2_bgp_asn str
The BGP ASN of the second VPN tunnel.
tunnel2_bgp_holdtime int
The BGP hold time of the second VPN tunnel.
tunnel2_cgw_inside_address str
The RFC 6890 link-local address of the second VPN tunnel (Customer Gateway Side).
tunnel2_dpd_timeout_action str
The action to take after DPD timeout occurs for the second VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are clear | none | restart.
tunnel2_dpd_timeout_seconds int
The number of seconds after which a DPD timeout occurs for the second VPN tunnel. Valid value is 30 or higher.
tunnel2_ike_versions Sequence[str]
The IKE versions that are permitted for the second VPN tunnel. Valid values are ikev1 | ikev2.
tunnel2_inside_cidr str
The CIDR block of the inside IP addresses for the second VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
tunnel2_inside_ipv6_cidr str
The range of inside IPv6 addresses for the second VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
tunnel2_phase1_dh_group_numbers Sequence[int]
List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are 2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.
tunnel2_phase1_encryption_algorithms Sequence[str]
List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
tunnel2_phase1_integrity_algorithms Sequence[str]
List of one or more integrity algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.
tunnel2_phase1_lifetime_seconds int
The lifetime for phase 1 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between 900 and 28800.
tunnel2_phase2_dh_group_numbers Sequence[int]
List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.
tunnel2_phase2_encryption_algorithms Sequence[str]
List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
tunnel2_phase2_integrity_algorithms Sequence[str]
List of one or more integrity algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.
tunnel2_phase2_lifetime_seconds int
The lifetime for phase 2 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between 900 and 3600.
tunnel2_preshared_key str
The preshared key of the second VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero (0). Allowed characters are alphanumeric characters, periods (.) and underscores (_).
tunnel2_rekey_fuzz_percentage int
The percentage of the rekey window for the second VPN tunnel (determined by tunnel2_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between 0 and 100.
tunnel2_rekey_margin_time_seconds int
The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the second VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for tunnel2_rekey_fuzz_percentage. Valid value is between 60 and half of tunnel2_phase2_lifetime_seconds.
tunnel2_replay_window_size int
The number of packets in an IKE replay window for the second VPN tunnel. Valid value is between 64 and 2048.
tunnel2_startup_action str
The action to take when establishing the tunnel for the second VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are add | start.
tunnel2_vgw_inside_address str
The RFC 6890 link-local address of the second VPN tunnel (VPN Gateway Side).
tunnel_inside_ip_version str
Indicates whether the VPN tunnels process IPv4 or IPv6 traffic. Valid values are ipv4 | ipv6. ipv6 is supported only with EC2 Transit Gateway.
type str
The type of VPN connection. The only type AWS supports at this time is “ipsec.1”.
vgw_telemetries Sequence[VpnConnectionVgwTelemetryArgs]
vpn_gateway_id str
The ID of the Virtual Private Gateway.

Supporting Types

VpnConnectionRoute

DestinationCidrBlock string
Source string
State string
DestinationCidrBlock string
Source string
State string
destinationCidrBlock string
source string
state string

VpnConnectionVgwTelemetry

Import

VPN Connections can be imported using the VPN connection ID, e.g.

 $ pulumi import aws:ec2/vpnConnection:VpnConnection testvpnconnection vpn-40f41529

Package Details

Repository
https://github.com/pulumi/pulumi-aws
License
Apache-2.0
Notes
This Pulumi package is based on the aws Terraform Provider.