Docs
PackagesTry AWS Native preview for resources not in the classic version.
aws.ec2.VpnConnection
Explore with Pulumi AI
Try AWS Native preview for resources not in the classic version.
Manages a Site-to-Site VPN connection. A Site-to-Site VPN connection is an Internet Protocol security (IPsec) VPN connection between a VPC and an on-premises network. Any new Site-to-Site VPN connection that you create is an AWS VPN connection.
Note: The CIDR blocks in the arguments
tunnel1_inside_cidrandtunnel2_inside_cidrmust have a prefix of /30 and be a part of a specific range. Read more about this in the AWS documentation.
Example Usage
EC2 Transit Gateway
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var exampleTransitGateway = new Aws.Ec2TransitGateway.TransitGateway("exampleTransitGateway");
var exampleCustomerGateway = new Aws.Ec2.CustomerGateway("exampleCustomerGateway", new()
{
BgpAsn = "65000",
IpAddress = "172.0.0.1",
Type = "ipsec.1",
});
var exampleVpnConnection = new Aws.Ec2.VpnConnection("exampleVpnConnection", new()
{
CustomerGatewayId = exampleCustomerGateway.Id,
TransitGatewayId = exampleTransitGateway.Id,
Type = exampleCustomerGateway.Type,
});
});
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ec2"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ec2transitgateway"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
exampleTransitGateway, err := ec2transitgateway.NewTransitGateway(ctx, "exampleTransitGateway", nil)
if err != nil {
return err
}
exampleCustomerGateway, err := ec2.NewCustomerGateway(ctx, "exampleCustomerGateway", &ec2.CustomerGatewayArgs{
BgpAsn: pulumi.String("65000"),
IpAddress: pulumi.String("172.0.0.1"),
Type: pulumi.String("ipsec.1"),
})
if err != nil {
return err
}
_, err = ec2.NewVpnConnection(ctx, "exampleVpnConnection", &ec2.VpnConnectionArgs{
CustomerGatewayId: exampleCustomerGateway.ID(),
TransitGatewayId: exampleTransitGateway.ID(),
Type: exampleCustomerGateway.Type,
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.ec2transitgateway.TransitGateway;
import com.pulumi.aws.ec2.CustomerGateway;
import com.pulumi.aws.ec2.CustomerGatewayArgs;
import com.pulumi.aws.ec2.VpnConnection;
import com.pulumi.aws.ec2.VpnConnectionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var exampleTransitGateway = new TransitGateway("exampleTransitGateway");
var exampleCustomerGateway = new CustomerGateway("exampleCustomerGateway", CustomerGatewayArgs.builder()
.bgpAsn(65000)
.ipAddress("172.0.0.1")
.type("ipsec.1")
.build());
var exampleVpnConnection = new VpnConnection("exampleVpnConnection", VpnConnectionArgs.builder()
.customerGatewayId(exampleCustomerGateway.id())
.transitGatewayId(exampleTransitGateway.id())
.type(exampleCustomerGateway.type())
.build());
}
}
import pulumi
import pulumi_aws as aws
example_transit_gateway = aws.ec2transitgateway.TransitGateway("exampleTransitGateway")
example_customer_gateway = aws.ec2.CustomerGateway("exampleCustomerGateway",
bgp_asn="65000",
ip_address="172.0.0.1",
type="ipsec.1")
example_vpn_connection = aws.ec2.VpnConnection("exampleVpnConnection",
customer_gateway_id=example_customer_gateway.id,
transit_gateway_id=example_transit_gateway.id,
type=example_customer_gateway.type)
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const exampleTransitGateway = new aws.ec2transitgateway.TransitGateway("exampleTransitGateway", {});
const exampleCustomerGateway = new aws.ec2.CustomerGateway("exampleCustomerGateway", {
bgpAsn: "65000",
ipAddress: "172.0.0.1",
type: "ipsec.1",
});
const exampleVpnConnection = new aws.ec2.VpnConnection("exampleVpnConnection", {
customerGatewayId: exampleCustomerGateway.id,
transitGatewayId: exampleTransitGateway.id,
type: exampleCustomerGateway.type,
});
resources:
exampleTransitGateway:
type: aws:ec2transitgateway:TransitGateway
exampleCustomerGateway:
type: aws:ec2:CustomerGateway
properties:
bgpAsn: 65000
ipAddress: 172.0.0.1
type: ipsec.1
exampleVpnConnection:
type: aws:ec2:VpnConnection
properties:
customerGatewayId: ${exampleCustomerGateway.id}
transitGatewayId: ${exampleTransitGateway.id}
type: ${exampleCustomerGateway.type}
Virtual Private Gateway
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var vpc = new Aws.Ec2.Vpc("vpc", new()
{
CidrBlock = "10.0.0.0/16",
});
var vpnGateway = new Aws.Ec2.VpnGateway("vpnGateway", new()
{
VpcId = vpc.Id,
});
var customerGateway = new Aws.Ec2.CustomerGateway("customerGateway", new()
{
BgpAsn = "65000",
IpAddress = "172.0.0.1",
Type = "ipsec.1",
});
var main = new Aws.Ec2.VpnConnection("main", new()
{
VpnGatewayId = vpnGateway.Id,
CustomerGatewayId = customerGateway.Id,
Type = "ipsec.1",
StaticRoutesOnly = true,
});
});
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ec2"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
vpc, err := ec2.NewVpc(ctx, "vpc", &ec2.VpcArgs{
CidrBlock: pulumi.String("10.0.0.0/16"),
})
if err != nil {
return err
}
vpnGateway, err := ec2.NewVpnGateway(ctx, "vpnGateway", &ec2.VpnGatewayArgs{
VpcId: vpc.ID(),
})
if err != nil {
return err
}
customerGateway, err := ec2.NewCustomerGateway(ctx, "customerGateway", &ec2.CustomerGatewayArgs{
BgpAsn: pulumi.String("65000"),
IpAddress: pulumi.String("172.0.0.1"),
Type: pulumi.String("ipsec.1"),
})
if err != nil {
return err
}
_, err = ec2.NewVpnConnection(ctx, "main", &ec2.VpnConnectionArgs{
VpnGatewayId: vpnGateway.ID(),
CustomerGatewayId: customerGateway.ID(),
Type: pulumi.String("ipsec.1"),
StaticRoutesOnly: pulumi.Bool(true),
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.ec2.Vpc;
import com.pulumi.aws.ec2.VpcArgs;
import com.pulumi.aws.ec2.VpnGateway;
import com.pulumi.aws.ec2.VpnGatewayArgs;
import com.pulumi.aws.ec2.CustomerGateway;
import com.pulumi.aws.ec2.CustomerGatewayArgs;
import com.pulumi.aws.ec2.VpnConnection;
import com.pulumi.aws.ec2.VpnConnectionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var vpc = new Vpc("vpc", VpcArgs.builder()
.cidrBlock("10.0.0.0/16")
.build());
var vpnGateway = new VpnGateway("vpnGateway", VpnGatewayArgs.builder()
.vpcId(vpc.id())
.build());
var customerGateway = new CustomerGateway("customerGateway", CustomerGatewayArgs.builder()
.bgpAsn(65000)
.ipAddress("172.0.0.1")
.type("ipsec.1")
.build());
var main = new VpnConnection("main", VpnConnectionArgs.builder()
.vpnGatewayId(vpnGateway.id())
.customerGatewayId(customerGateway.id())
.type("ipsec.1")
.staticRoutesOnly(true)
.build());
}
}
import pulumi
import pulumi_aws as aws
vpc = aws.ec2.Vpc("vpc", cidr_block="10.0.0.0/16")
vpn_gateway = aws.ec2.VpnGateway("vpnGateway", vpc_id=vpc.id)
customer_gateway = aws.ec2.CustomerGateway("customerGateway",
bgp_asn="65000",
ip_address="172.0.0.1",
type="ipsec.1")
main = aws.ec2.VpnConnection("main",
vpn_gateway_id=vpn_gateway.id,
customer_gateway_id=customer_gateway.id,
type="ipsec.1",
static_routes_only=True)
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const vpc = new aws.ec2.Vpc("vpc", {cidrBlock: "10.0.0.0/16"});
const vpnGateway = new aws.ec2.VpnGateway("vpnGateway", {vpcId: vpc.id});
const customerGateway = new aws.ec2.CustomerGateway("customerGateway", {
bgpAsn: "65000",
ipAddress: "172.0.0.1",
type: "ipsec.1",
});
const main = new aws.ec2.VpnConnection("main", {
vpnGatewayId: vpnGateway.id,
customerGatewayId: customerGateway.id,
type: "ipsec.1",
staticRoutesOnly: true,
});
resources:
vpc:
type: aws:ec2:Vpc
properties:
cidrBlock: 10.0.0.0/16
vpnGateway:
type: aws:ec2:VpnGateway
properties:
vpcId: ${vpc.id}
customerGateway:
type: aws:ec2:CustomerGateway
properties:
bgpAsn: 65000
ipAddress: 172.0.0.1
type: ipsec.1
main:
type: aws:ec2:VpnConnection
properties:
vpnGatewayId: ${vpnGateway.id}
customerGatewayId: ${customerGateway.id}
type: ipsec.1
staticRoutesOnly: true
AWS Site to Site Private VPN
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var exampleGateway = new Aws.DirectConnect.Gateway("exampleGateway", new()
{
AmazonSideAsn = "64512",
});
var exampleTransitGateway = new Aws.Ec2TransitGateway.TransitGateway("exampleTransitGateway", new()
{
AmazonSideAsn = 64513,
Description = "example_ipsec_vpn_example",
TransitGatewayCidrBlocks = new[]
{
"10.0.0.0/24",
},
});
var exampleCustomerGateway = new Aws.Ec2.CustomerGateway("exampleCustomerGateway", new()
{
BgpAsn = "64514",
IpAddress = "10.0.0.1",
Type = "ipsec.1",
Tags =
{
{ "Name", "example_ipsec_vpn_example" },
},
});
var exampleGatewayAssociation = new Aws.DirectConnect.GatewayAssociation("exampleGatewayAssociation", new()
{
DxGatewayId = exampleGateway.Id,
AssociatedGatewayId = exampleTransitGateway.Id,
AllowedPrefixes = new[]
{
"10.0.0.0/8",
},
});
var exampleDirectConnectGatewayAttachment = Aws.Ec2TransitGateway.GetDirectConnectGatewayAttachment.Invoke(new()
{
TransitGatewayId = exampleTransitGateway.Id,
DxGatewayId = exampleGateway.Id,
});
var exampleVpnConnection = new Aws.Ec2.VpnConnection("exampleVpnConnection", new()
{
CustomerGatewayId = exampleCustomerGateway.Id,
OutsideIpAddressType = "PrivateIpv4",
TransitGatewayId = exampleTransitGateway.Id,
TransportTransitGatewayAttachmentId = exampleDirectConnectGatewayAttachment.Apply(getDirectConnectGatewayAttachmentResult => getDirectConnectGatewayAttachmentResult.Id),
Type = "ipsec.1",
Tags =
{
{ "Name", "example_ipsec_vpn_example" },
},
});
});
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/directconnect"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ec2"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ec2transitgateway"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
exampleGateway, err := directconnect.NewGateway(ctx, "exampleGateway", &directconnect.GatewayArgs{
AmazonSideAsn: pulumi.String("64512"),
})
if err != nil {
return err
}
exampleTransitGateway, err := ec2transitgateway.NewTransitGateway(ctx, "exampleTransitGateway", &ec2transitgateway.TransitGatewayArgs{
AmazonSideAsn: pulumi.Int(64513),
Description: pulumi.String("example_ipsec_vpn_example"),
TransitGatewayCidrBlocks: pulumi.StringArray{
pulumi.String("10.0.0.0/24"),
},
})
if err != nil {
return err
}
exampleCustomerGateway, err := ec2.NewCustomerGateway(ctx, "exampleCustomerGateway", &ec2.CustomerGatewayArgs{
BgpAsn: pulumi.String("64514"),
IpAddress: pulumi.String("10.0.0.1"),
Type: pulumi.String("ipsec.1"),
Tags: pulumi.StringMap{
"Name": pulumi.String("example_ipsec_vpn_example"),
},
})
if err != nil {
return err
}
_, err = directconnect.NewGatewayAssociation(ctx, "exampleGatewayAssociation", &directconnect.GatewayAssociationArgs{
DxGatewayId: exampleGateway.ID(),
AssociatedGatewayId: exampleTransitGateway.ID(),
AllowedPrefixes: pulumi.StringArray{
pulumi.String("10.0.0.0/8"),
},
})
if err != nil {
return err
}
exampleDirectConnectGatewayAttachment := ec2transitgateway.GetDirectConnectGatewayAttachmentOutput(ctx, ec2transitgateway.GetDirectConnectGatewayAttachmentOutputArgs{
TransitGatewayId: exampleTransitGateway.ID(),
DxGatewayId: exampleGateway.ID(),
}, nil)
_, err = ec2.NewVpnConnection(ctx, "exampleVpnConnection", &ec2.VpnConnectionArgs{
CustomerGatewayId: exampleCustomerGateway.ID(),
OutsideIpAddressType: pulumi.String("PrivateIpv4"),
TransitGatewayId: exampleTransitGateway.ID(),
TransportTransitGatewayAttachmentId: exampleDirectConnectGatewayAttachment.ApplyT(func(exampleDirectConnectGatewayAttachment ec2transitgateway.GetDirectConnectGatewayAttachmentResult) (*string, error) {
return &exampleDirectConnectGatewayAttachment.Id, nil
}).(pulumi.StringPtrOutput),
Type: pulumi.String("ipsec.1"),
Tags: pulumi.StringMap{
"Name": pulumi.String("example_ipsec_vpn_example"),
},
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.directconnect.Gateway;
import com.pulumi.aws.directconnect.GatewayArgs;
import com.pulumi.aws.ec2transitgateway.TransitGateway;
import com.pulumi.aws.ec2transitgateway.TransitGatewayArgs;
import com.pulumi.aws.ec2.CustomerGateway;
import com.pulumi.aws.ec2.CustomerGatewayArgs;
import com.pulumi.aws.directconnect.GatewayAssociation;
import com.pulumi.aws.directconnect.GatewayAssociationArgs;
import com.pulumi.aws.ec2transitgateway.Ec2transitgatewayFunctions;
import com.pulumi.aws.ec2transitgateway.inputs.GetDirectConnectGatewayAttachmentArgs;
import com.pulumi.aws.ec2.VpnConnection;
import com.pulumi.aws.ec2.VpnConnectionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var exampleGateway = new Gateway("exampleGateway", GatewayArgs.builder()
.amazonSideAsn("64512")
.build());
var exampleTransitGateway = new TransitGateway("exampleTransitGateway", TransitGatewayArgs.builder()
.amazonSideAsn("64513")
.description("example_ipsec_vpn_example")
.transitGatewayCidrBlocks("10.0.0.0/24")
.build());
var exampleCustomerGateway = new CustomerGateway("exampleCustomerGateway", CustomerGatewayArgs.builder()
.bgpAsn(64514)
.ipAddress("10.0.0.1")
.type("ipsec.1")
.tags(Map.of("Name", "example_ipsec_vpn_example"))
.build());
var exampleGatewayAssociation = new GatewayAssociation("exampleGatewayAssociation", GatewayAssociationArgs.builder()
.dxGatewayId(exampleGateway.id())
.associatedGatewayId(exampleTransitGateway.id())
.allowedPrefixes("10.0.0.0/8")
.build());
final var exampleDirectConnectGatewayAttachment = Ec2transitgatewayFunctions.getDirectConnectGatewayAttachment(GetDirectConnectGatewayAttachmentArgs.builder()
.transitGatewayId(exampleTransitGateway.id())
.dxGatewayId(exampleGateway.id())
.build());
var exampleVpnConnection = new VpnConnection("exampleVpnConnection", VpnConnectionArgs.builder()
.customerGatewayId(exampleCustomerGateway.id())
.outsideIpAddressType("PrivateIpv4")
.transitGatewayId(exampleTransitGateway.id())
.transportTransitGatewayAttachmentId(exampleDirectConnectGatewayAttachment.applyValue(getDirectConnectGatewayAttachmentResult -> getDirectConnectGatewayAttachmentResult).applyValue(exampleDirectConnectGatewayAttachment -> exampleDirectConnectGatewayAttachment.applyValue(getDirectConnectGatewayAttachmentResult -> getDirectConnectGatewayAttachmentResult.id())))
.type("ipsec.1")
.tags(Map.of("Name", "example_ipsec_vpn_example"))
.build());
}
}
import pulumi
import pulumi_aws as aws
example_gateway = aws.directconnect.Gateway("exampleGateway", amazon_side_asn="64512")
example_transit_gateway = aws.ec2transitgateway.TransitGateway("exampleTransitGateway",
amazon_side_asn=64513,
description="example_ipsec_vpn_example",
transit_gateway_cidr_blocks=["10.0.0.0/24"])
example_customer_gateway = aws.ec2.CustomerGateway("exampleCustomerGateway",
bgp_asn="64514",
ip_address="10.0.0.1",
type="ipsec.1",
tags={
"Name": "example_ipsec_vpn_example",
})
example_gateway_association = aws.directconnect.GatewayAssociation("exampleGatewayAssociation",
dx_gateway_id=example_gateway.id,
associated_gateway_id=example_transit_gateway.id,
allowed_prefixes=["10.0.0.0/8"])
example_direct_connect_gateway_attachment = aws.ec2transitgateway.get_direct_connect_gateway_attachment_output(transit_gateway_id=example_transit_gateway.id,
dx_gateway_id=example_gateway.id)
example_vpn_connection = aws.ec2.VpnConnection("exampleVpnConnection",
customer_gateway_id=example_customer_gateway.id,
outside_ip_address_type="PrivateIpv4",
transit_gateway_id=example_transit_gateway.id,
transport_transit_gateway_attachment_id=example_direct_connect_gateway_attachment.id,
type="ipsec.1",
tags={
"Name": "example_ipsec_vpn_example",
})
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const exampleGateway = new aws.directconnect.Gateway("exampleGateway", {amazonSideAsn: "64512"});
const exampleTransitGateway = new aws.ec2transitgateway.TransitGateway("exampleTransitGateway", {
amazonSideAsn: 64513,
description: "example_ipsec_vpn_example",
transitGatewayCidrBlocks: ["10.0.0.0/24"],
});
const exampleCustomerGateway = new aws.ec2.CustomerGateway("exampleCustomerGateway", {
bgpAsn: "64514",
ipAddress: "10.0.0.1",
type: "ipsec.1",
tags: {
Name: "example_ipsec_vpn_example",
},
});
const exampleGatewayAssociation = new aws.directconnect.GatewayAssociation("exampleGatewayAssociation", {
dxGatewayId: exampleGateway.id,
associatedGatewayId: exampleTransitGateway.id,
allowedPrefixes: ["10.0.0.0/8"],
});
const exampleDirectConnectGatewayAttachment = aws.ec2transitgateway.getDirectConnectGatewayAttachmentOutput({
transitGatewayId: exampleTransitGateway.id,
dxGatewayId: exampleGateway.id,
});
const exampleVpnConnection = new aws.ec2.VpnConnection("exampleVpnConnection", {
customerGatewayId: exampleCustomerGateway.id,
outsideIpAddressType: "PrivateIpv4",
transitGatewayId: exampleTransitGateway.id,
transportTransitGatewayAttachmentId: exampleDirectConnectGatewayAttachment.apply(exampleDirectConnectGatewayAttachment => exampleDirectConnectGatewayAttachment.id),
type: "ipsec.1",
tags: {
Name: "example_ipsec_vpn_example",
},
});
resources:
exampleGateway:
type: aws:directconnect:Gateway
properties:
amazonSideAsn: '64512'
exampleTransitGateway:
type: aws:ec2transitgateway:TransitGateway
properties:
amazonSideAsn: '64513'
description: example_ipsec_vpn_example
transitGatewayCidrBlocks:
- 10.0.0.0/24
exampleCustomerGateway:
type: aws:ec2:CustomerGateway
properties:
bgpAsn: 64514
ipAddress: 10.0.0.1
type: ipsec.1
tags:
Name: example_ipsec_vpn_example
exampleGatewayAssociation:
type: aws:directconnect:GatewayAssociation
properties:
dxGatewayId: ${exampleGateway.id}
associatedGatewayId: ${exampleTransitGateway.id}
allowedPrefixes:
- 10.0.0.0/8
exampleVpnConnection:
type: aws:ec2:VpnConnection
properties:
customerGatewayId: ${exampleCustomerGateway.id}
outsideIpAddressType: PrivateIpv4
transitGatewayId: ${exampleTransitGateway.id}
transportTransitGatewayAttachmentId: ${exampleDirectConnectGatewayAttachment.id}
type: ipsec.1
tags:
Name: example_ipsec_vpn_example
variables:
exampleDirectConnectGatewayAttachment:
fn::invoke:
Function: aws:ec2transitgateway:getDirectConnectGatewayAttachment
Arguments:
transitGatewayId: ${exampleTransitGateway.id}
dxGatewayId: ${exampleGateway.id}
Create VpnConnection Resource
new VpnConnection(name: string, args: VpnConnectionArgs, opts?: CustomResourceOptions);@overload
def VpnConnection(resource_name: str,
opts: Optional[ResourceOptions] = None,
customer_gateway_id: Optional[str] = None,
enable_acceleration: Optional[bool] = None,
local_ipv4_network_cidr: Optional[str] = None,
local_ipv6_network_cidr: Optional[str] = None,
outside_ip_address_type: Optional[str] = None,
remote_ipv4_network_cidr: Optional[str] = None,
remote_ipv6_network_cidr: Optional[str] = None,
static_routes_only: Optional[bool] = None,
tags: Optional[Mapping[str, str]] = None,
transit_gateway_id: Optional[str] = None,
transport_transit_gateway_attachment_id: Optional[str] = None,
tunnel1_dpd_timeout_action: Optional[str] = None,
tunnel1_dpd_timeout_seconds: Optional[int] = None,
tunnel1_enable_tunnel_lifecycle_control: Optional[bool] = None,
tunnel1_ike_versions: Optional[Sequence[str]] = None,
tunnel1_inside_cidr: Optional[str] = None,
tunnel1_inside_ipv6_cidr: Optional[str] = None,
tunnel1_log_options: Optional[VpnConnectionTunnel1LogOptionsArgs] = None,
tunnel1_phase1_dh_group_numbers: Optional[Sequence[int]] = None,
tunnel1_phase1_encryption_algorithms: Optional[Sequence[str]] = None,
tunnel1_phase1_integrity_algorithms: Optional[Sequence[str]] = None,
tunnel1_phase1_lifetime_seconds: Optional[int] = None,
tunnel1_phase2_dh_group_numbers: Optional[Sequence[int]] = None,
tunnel1_phase2_encryption_algorithms: Optional[Sequence[str]] = None,
tunnel1_phase2_integrity_algorithms: Optional[Sequence[str]] = None,
tunnel1_phase2_lifetime_seconds: Optional[int] = None,
tunnel1_preshared_key: Optional[str] = None,
tunnel1_rekey_fuzz_percentage: Optional[int] = None,
tunnel1_rekey_margin_time_seconds: Optional[int] = None,
tunnel1_replay_window_size: Optional[int] = None,
tunnel1_startup_action: Optional[str] = None,
tunnel2_dpd_timeout_action: Optional[str] = None,
tunnel2_dpd_timeout_seconds: Optional[int] = None,
tunnel2_enable_tunnel_lifecycle_control: Optional[bool] = None,
tunnel2_ike_versions: Optional[Sequence[str]] = None,
tunnel2_inside_cidr: Optional[str] = None,
tunnel2_inside_ipv6_cidr: Optional[str] = None,
tunnel2_log_options: Optional[VpnConnectionTunnel2LogOptionsArgs] = None,
tunnel2_phase1_dh_group_numbers: Optional[Sequence[int]] = None,
tunnel2_phase1_encryption_algorithms: Optional[Sequence[str]] = None,
tunnel2_phase1_integrity_algorithms: Optional[Sequence[str]] = None,
tunnel2_phase1_lifetime_seconds: Optional[int] = None,
tunnel2_phase2_dh_group_numbers: Optional[Sequence[int]] = None,
tunnel2_phase2_encryption_algorithms: Optional[Sequence[str]] = None,
tunnel2_phase2_integrity_algorithms: Optional[Sequence[str]] = None,
tunnel2_phase2_lifetime_seconds: Optional[int] = None,
tunnel2_preshared_key: Optional[str] = None,
tunnel2_rekey_fuzz_percentage: Optional[int] = None,
tunnel2_rekey_margin_time_seconds: Optional[int] = None,
tunnel2_replay_window_size: Optional[int] = None,
tunnel2_startup_action: Optional[str] = None,
tunnel_inside_ip_version: Optional[str] = None,
type: Optional[str] = None,
vpn_gateway_id: Optional[str] = None)
@overload
def VpnConnection(resource_name: str,
args: VpnConnectionArgs,
opts: Optional[ResourceOptions] = None)func NewVpnConnection(ctx *Context, name string, args VpnConnectionArgs, opts ...ResourceOption) (*VpnConnection, error)public VpnConnection(string name, VpnConnectionArgs args, CustomResourceOptions? opts = null)
public VpnConnection(String name, VpnConnectionArgs args)
public VpnConnection(String name, VpnConnectionArgs args, CustomResourceOptions options)
type: aws:ec2:VpnConnection
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args VpnConnectionArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args VpnConnectionArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args VpnConnectionArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args VpnConnectionArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args VpnConnectionArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
VpnConnection Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The VpnConnection resource accepts the following input properties:
- Customer
Gateway stringId The ID of the customer gateway.
- Type string
The type of VPN connection. The only type AWS supports at this time is "ipsec.1".
- Enable
Acceleration bool Indicate whether to enable acceleration for the VPN connection. Supports only EC2 Transit Gateway.
- Local
Ipv4Network stringCidr The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection.
- Local
Ipv6Network stringCidr The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
- Outside
Ip stringAddress Type Indicates if a Public S2S VPN or Private S2S VPN over AWS Direct Connect. Valid values are
PublicIpv4 | PrivateIpv4- Remote
Ipv4Network stringCidr The IPv4 CIDR on the AWS side of the VPN connection.
- Remote
Ipv6Network stringCidr The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
- Static
Routes boolOnly Whether the VPN connection uses static routes exclusively. Static routes must be used for devices that don't support BGP.
- Dictionary<string, string>
Tags to apply to the connection. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.- Transit
Gateway stringId The ID of the EC2 Transit Gateway.
- Transport
Transit stringGateway Attachment Id . The attachment ID of the Transit Gateway attachment to Direct Connect Gateway. The ID is obtained through a data source only.
- Tunnel1Dpd
Timeout stringAction The action to take after DPD timeout occurs for the first VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are
clear | none | restart.- Tunnel1Dpd
Timeout intSeconds The number of seconds after which a DPD timeout occurs for the first VPN tunnel. Valid value is equal or higher than
30.- Tunnel1Enable
Tunnel boolLifecycle Control Turn on or off tunnel endpoint lifecycle control feature for the first VPN tunnel. Valid values are
true | false.- Tunnel1Ike
Versions List<string> The IKE versions that are permitted for the first VPN tunnel. Valid values are
ikev1 | ikev2.- Tunnel1Inside
Cidr string The CIDR block of the inside IP addresses for the first VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
- Tunnel1Inside
Ipv6Cidr string The range of inside IPv6 addresses for the first VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
- Tunnel1Log
Options VpnConnection Tunnel1Log Options Options for logging VPN tunnel activity. See Log Options below for more details.
- Tunnel1Phase1Dh
Group List<int>Numbers List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are
2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.- Tunnel1Phase1Encryption
Algorithms List<string> List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are
AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.- Tunnel1Phase1Integrity
Algorithms List<string> One or more integrity algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are
SHA1 | SHA2-256 | SHA2-384 | SHA2-512.- Tunnel1Phase1Lifetime
Seconds int The lifetime for phase 1 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between
900and28800.- Tunnel1Phase2Dh
Group List<int>Numbers List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are
2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.- Tunnel1Phase2Encryption
Algorithms List<string> List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are
AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.- Tunnel1Phase2Integrity
Algorithms List<string> List of one or more integrity algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are
SHA1 | SHA2-256 | SHA2-384 | SHA2-512.- Tunnel1Phase2Lifetime
Seconds int The lifetime for phase 2 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between
900and3600.- string
The preshared key of the first VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero(0). Allowed characters are alphanumeric characters, periods(.) and underscores(_).
- Tunnel1Rekey
Fuzz intPercentage The percentage of the rekey window for the first VPN tunnel (determined by
tunnel1_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between0and100.- Tunnel1Rekey
Margin intTime Seconds The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the first VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for
tunnel1_rekey_fuzz_percentage. Valid value is between60and half oftunnel1_phase2_lifetime_seconds.- Tunnel1Replay
Window intSize The number of packets in an IKE replay window for the first VPN tunnel. Valid value is between
64and2048.- Tunnel1Startup
Action string The action to take when the establishing the tunnel for the first VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are
add | start.- Tunnel2Dpd
Timeout stringAction The action to take after DPD timeout occurs for the second VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are
clear | none | restart.- Tunnel2Dpd
Timeout intSeconds The number of seconds after which a DPD timeout occurs for the second VPN tunnel. Valid value is equal or higher than
30.- Tunnel2Enable
Tunnel boolLifecycle Control Turn on or off tunnel endpoint lifecycle control feature for the second VPN tunnel. Valid values are
true | false.- Tunnel2Ike
Versions List<string> The IKE versions that are permitted for the second VPN tunnel. Valid values are
ikev1 | ikev2.- Tunnel2Inside
Cidr string The CIDR block of the inside IP addresses for the second VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
- Tunnel2Inside
Ipv6Cidr string The range of inside IPv6 addresses for the second VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
- Tunnel2Log
Options VpnConnection Tunnel2Log Options Options for logging VPN tunnel activity. See Log Options below for more details.
- Tunnel2Phase1Dh
Group List<int>Numbers List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are
2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.- Tunnel2Phase1Encryption
Algorithms List<string> List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are
AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.- Tunnel2Phase1Integrity
Algorithms List<string> One or more integrity algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are
SHA1 | SHA2-256 | SHA2-384 | SHA2-512.- Tunnel2Phase1Lifetime
Seconds int The lifetime for phase 1 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between
900and28800.- Tunnel2Phase2Dh
Group List<int>Numbers List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are
2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.- Tunnel2Phase2Encryption
Algorithms List<string> List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are
AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.- Tunnel2Phase2Integrity
Algorithms List<string> List of one or more integrity algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are
SHA1 | SHA2-256 | SHA2-384 | SHA2-512.- Tunnel2Phase2Lifetime
Seconds int The lifetime for phase 2 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between
900and3600.- string
The preshared key of the second VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero(0). Allowed characters are alphanumeric characters, periods(.) and underscores(_).
- Tunnel2Rekey
Fuzz intPercentage The percentage of the rekey window for the second VPN tunnel (determined by
tunnel2_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between0and100.- Tunnel2Rekey
Margin intTime Seconds The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the second VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for
tunnel2_rekey_fuzz_percentage. Valid value is between60and half oftunnel2_phase2_lifetime_seconds.- Tunnel2Replay
Window intSize The number of packets in an IKE replay window for the second VPN tunnel. Valid value is between
64and2048.- Tunnel2Startup
Action string The action to take when the establishing the tunnel for the second VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are
add | start.- Tunnel
Inside stringIp Version Indicate whether the VPN tunnels process IPv4 or IPv6 traffic. Valid values are
ipv4 | ipv6.ipv6Supports only EC2 Transit Gateway.- Vpn
Gateway stringId The ID of the Virtual Private Gateway.
- Customer
Gateway stringId The ID of the customer gateway.
- Type string
The type of VPN connection. The only type AWS supports at this time is "ipsec.1".
- Enable
Acceleration bool Indicate whether to enable acceleration for the VPN connection. Supports only EC2 Transit Gateway.
- Local
Ipv4Network stringCidr The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection.
- Local
Ipv6Network stringCidr The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
- Outside
Ip stringAddress Type Indicates if a Public S2S VPN or Private S2S VPN over AWS Direct Connect. Valid values are
PublicIpv4 | PrivateIpv4- Remote
Ipv4Network stringCidr The IPv4 CIDR on the AWS side of the VPN connection.
- Remote
Ipv6Network stringCidr The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
- Static
Routes boolOnly Whether the VPN connection uses static routes exclusively. Static routes must be used for devices that don't support BGP.
- map[string]string
Tags to apply to the connection. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.- Transit
Gateway stringId The ID of the EC2 Transit Gateway.
- Transport
Transit stringGateway Attachment Id . The attachment ID of the Transit Gateway attachment to Direct Connect Gateway. The ID is obtained through a data source only.
- Tunnel1Dpd
Timeout stringAction The action to take after DPD timeout occurs for the first VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are
clear | none | restart.- Tunnel1Dpd
Timeout intSeconds The number of seconds after which a DPD timeout occurs for the first VPN tunnel. Valid value is equal or higher than
30.- Tunnel1Enable
Tunnel boolLifecycle Control Turn on or off tunnel endpoint lifecycle control feature for the first VPN tunnel. Valid values are
true | false.- Tunnel1Ike
Versions []string The IKE versions that are permitted for the first VPN tunnel. Valid values are
ikev1 | ikev2.- Tunnel1Inside
Cidr string The CIDR block of the inside IP addresses for the first VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
- Tunnel1Inside
Ipv6Cidr string The range of inside IPv6 addresses for the first VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
- Tunnel1Log
Options VpnConnection Tunnel1Log Options Args Options for logging VPN tunnel activity. See Log Options below for more details.
- Tunnel1Phase1Dh
Group []intNumbers List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are
2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.- Tunnel1Phase1Encryption
Algorithms []string List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are
AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.- Tunnel1Phase1Integrity
Algorithms []string One or more integrity algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are
SHA1 | SHA2-256 | SHA2-384 | SHA2-512.- Tunnel1Phase1Lifetime
Seconds int The lifetime for phase 1 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between
900and28800.- Tunnel1Phase2Dh
Group []intNumbers List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are
2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.- Tunnel1Phase2Encryption
Algorithms []string List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are
AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.- Tunnel1Phase2Integrity
Algorithms []string List of one or more integrity algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are
SHA1 | SHA2-256 | SHA2-384 | SHA2-512.- Tunnel1Phase2Lifetime
Seconds int The lifetime for phase 2 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between
900and3600.- string
The preshared key of the first VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero(0). Allowed characters are alphanumeric characters, periods(.) and underscores(_).
- Tunnel1Rekey
Fuzz intPercentage The percentage of the rekey window for the first VPN tunnel (determined by
tunnel1_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between0and100.- Tunnel1Rekey
Margin intTime Seconds The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the first VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for
tunnel1_rekey_fuzz_percentage. Valid value is between60and half oftunnel1_phase2_lifetime_seconds.- Tunnel1Replay
Window intSize The number of packets in an IKE replay window for the first VPN tunnel. Valid value is between
64and2048.- Tunnel1Startup
Action string The action to take when the establishing the tunnel for the first VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are
add | start.- Tunnel2Dpd
Timeout stringAction The action to take after DPD timeout occurs for the second VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are
clear | none | restart.- Tunnel2Dpd
Timeout intSeconds The number of seconds after which a DPD timeout occurs for the second VPN tunnel. Valid value is equal or higher than
30.- Tunnel2Enable
Tunnel boolLifecycle Control Turn on or off tunnel endpoint lifecycle control feature for the second VPN tunnel. Valid values are
true | false.- Tunnel2Ike
Versions []string The IKE versions that are permitted for the second VPN tunnel. Valid values are
ikev1 | ikev2.- Tunnel2Inside
Cidr string The CIDR block of the inside IP addresses for the second VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
- Tunnel2Inside
Ipv6Cidr string The range of inside IPv6 addresses for the second VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
- Tunnel2Log
Options VpnConnection Tunnel2Log Options Args Options for logging VPN tunnel activity. See Log Options below for more details.
- Tunnel2Phase1Dh
Group []intNumbers List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are
2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.- Tunnel2Phase1Encryption
Algorithms []string List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are
AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.- Tunnel2Phase1Integrity
Algorithms []string One or more integrity algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are
SHA1 | SHA2-256 | SHA2-384 | SHA2-512.- Tunnel2Phase1Lifetime
Seconds int The lifetime for phase 1 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between
900and28800.- Tunnel2Phase2Dh
Group []intNumbers List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are
2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.- Tunnel2Phase2Encryption
Algorithms []string List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are
AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.- Tunnel2Phase2Integrity
Algorithms []string List of one or more integrity algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are
SHA1 | SHA2-256 | SHA2-384 | SHA2-512.- Tunnel2Phase2Lifetime
Seconds int The lifetime for phase 2 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between
900and3600.- string
The preshared key of the second VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero(0). Allowed characters are alphanumeric characters, periods(.) and underscores(_).
- Tunnel2Rekey
Fuzz intPercentage The percentage of the rekey window for the second VPN tunnel (determined by
tunnel2_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between0and100.- Tunnel2Rekey
Margin intTime Seconds The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the second VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for
tunnel2_rekey_fuzz_percentage. Valid value is between60and half oftunnel2_phase2_lifetime_seconds.- Tunnel2Replay
Window intSize The number of packets in an IKE replay window for the second VPN tunnel. Valid value is between
64and2048.- Tunnel2Startup
Action string The action to take when the establishing the tunnel for the second VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are
add | start.- Tunnel
Inside stringIp Version Indicate whether the VPN tunnels process IPv4 or IPv6 traffic. Valid values are
ipv4 | ipv6.ipv6Supports only EC2 Transit Gateway.- Vpn
Gateway stringId The ID of the Virtual Private Gateway.
- customer
Gateway StringId The ID of the customer gateway.
- type String
The type of VPN connection. The only type AWS supports at this time is "ipsec.1".
- enable
Acceleration Boolean Indicate whether to enable acceleration for the VPN connection. Supports only EC2 Transit Gateway.
- local
Ipv4Network StringCidr The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection.
- local
Ipv6Network StringCidr The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
- outside
Ip StringAddress Type Indicates if a Public S2S VPN or Private S2S VPN over AWS Direct Connect. Valid values are
PublicIpv4 | PrivateIpv4- remote
Ipv4Network StringCidr The IPv4 CIDR on the AWS side of the VPN connection.
- remote
Ipv6Network StringCidr The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
- static
Routes BooleanOnly Whether the VPN connection uses static routes exclusively. Static routes must be used for devices that don't support BGP.
- Map<String,String>
Tags to apply to the connection. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.- transit
Gateway StringId The ID of the EC2 Transit Gateway.
- transport
Transit StringGateway Attachment Id . The attachment ID of the Transit Gateway attachment to Direct Connect Gateway. The ID is obtained through a data source only.
- tunnel1Dpd
Timeout StringAction The action to take after DPD timeout occurs for the first VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are
clear | none | restart.- tunnel1Dpd
Timeout IntegerSeconds The number of seconds after which a DPD timeout occurs for the first VPN tunnel. Valid value is equal or higher than
30.- tunnel1Enable
Tunnel BooleanLifecycle Control Turn on or off tunnel endpoint lifecycle control feature for the first VPN tunnel. Valid values are
true | false.- tunnel1Ike
Versions List<String> The IKE versions that are permitted for the first VPN tunnel. Valid values are
ikev1 | ikev2.- tunnel1Inside
Cidr String The CIDR block of the inside IP addresses for the first VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
- tunnel1Inside
Ipv6Cidr String The range of inside IPv6 addresses for the first VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
- tunnel1Log
Options VpnConnection Tunnel1Log Options Options for logging VPN tunnel activity. See Log Options below for more details.
- tunnel1Phase1Dh
Group List<Integer>Numbers List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are
2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.- tunnel1Phase1Encryption
Algorithms List<String> List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are
AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.- tunnel1Phase1Integrity
Algorithms List<String> One or more integrity algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are
SHA1 | SHA2-256 | SHA2-384 | SHA2-512.- tunnel1Phase1Lifetime
Seconds Integer The lifetime for phase 1 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between
900and28800.- tunnel1Phase2Dh
Group List<Integer>Numbers List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are
2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.- tunnel1Phase2Encryption
Algorithms List<String> List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are
AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.- tunnel1Phase2Integrity
Algorithms List<String> List of one or more integrity algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are
SHA1 | SHA2-256 | SHA2-384 | SHA2-512.- tunnel1Phase2Lifetime
Seconds Integer The lifetime for phase 2 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between
900and3600.- String
The preshared key of the first VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero(0). Allowed characters are alphanumeric characters, periods(.) and underscores(_).
- tunnel1Rekey
Fuzz IntegerPercentage The percentage of the rekey window for the first VPN tunnel (determined by
tunnel1_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between0and100.- tunnel1Rekey
Margin IntegerTime Seconds The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the first VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for
tunnel1_rekey_fuzz_percentage. Valid value is between60and half oftunnel1_phase2_lifetime_seconds.- tunnel1Replay
Window IntegerSize The number of packets in an IKE replay window for the first VPN tunnel. Valid value is between
64and2048.- tunnel1Startup
Action String The action to take when the establishing the tunnel for the first VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are
add | start.- tunnel2Dpd
Timeout StringAction The action to take after DPD timeout occurs for the second VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are
clear | none | restart.- tunnel2Dpd
Timeout IntegerSeconds The number of seconds after which a DPD timeout occurs for the second VPN tunnel. Valid value is equal or higher than
30.- tunnel2Enable
Tunnel BooleanLifecycle Control Turn on or off tunnel endpoint lifecycle control feature for the second VPN tunnel. Valid values are
true | false.- tunnel2Ike
Versions List<String> The IKE versions that are permitted for the second VPN tunnel. Valid values are
ikev1 | ikev2.- tunnel2Inside
Cidr String The CIDR block of the inside IP addresses for the second VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
- tunnel2Inside
Ipv6Cidr String The range of inside IPv6 addresses for the second VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
- tunnel2Log
Options VpnConnection Tunnel2Log Options Options for logging VPN tunnel activity. See Log Options below for more details.
- tunnel2Phase1Dh
Group List<Integer>Numbers List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are
2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.- tunnel2Phase1Encryption
Algorithms List<String> List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are
AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.- tunnel2Phase1Integrity
Algorithms List<String> One or more integrity algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are
SHA1 | SHA2-256 | SHA2-384 | SHA2-512.- tunnel2Phase1Lifetime
Seconds Integer The lifetime for phase 1 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between
900and28800.- tunnel2Phase2Dh
Group List<Integer>Numbers List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are
2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.- tunnel2Phase2Encryption
Algorithms List<String> List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are
AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.- tunnel2Phase2Integrity
Algorithms List<String> List of one or more integrity algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are
SHA1 | SHA2-256 | SHA2-384 | SHA2-512.- tunnel2Phase2Lifetime
Seconds Integer The lifetime for phase 2 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between
900and3600.- String
The preshared key of the second VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero(0). Allowed characters are alphanumeric characters, periods(.) and underscores(_).
- tunnel2Rekey
Fuzz IntegerPercentage The percentage of the rekey window for the second VPN tunnel (determined by
tunnel2_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between0and100.- tunnel2Rekey
Margin IntegerTime Seconds The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the second VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for
tunnel2_rekey_fuzz_percentage. Valid value is between60and half oftunnel2_phase2_lifetime_seconds.- tunnel2Replay
Window IntegerSize The number of packets in an IKE replay window for the second VPN tunnel. Valid value is between
64and2048.- tunnel2Startup
Action String The action to take when the establishing the tunnel for the second VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are
add | start.- tunnel
Inside StringIp Version Indicate whether the VPN tunnels process IPv4 or IPv6 traffic. Valid values are
ipv4 | ipv6.ipv6Supports only EC2 Transit Gateway.- vpn
Gateway StringId The ID of the Virtual Private Gateway.
- customer
Gateway stringId The ID of the customer gateway.
- type string
The type of VPN connection. The only type AWS supports at this time is "ipsec.1".
- enable
Acceleration boolean Indicate whether to enable acceleration for the VPN connection. Supports only EC2 Transit Gateway.
- local
Ipv4Network stringCidr The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection.
- local
Ipv6Network stringCidr The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
- outside
Ip stringAddress Type Indicates if a Public S2S VPN or Private S2S VPN over AWS Direct Connect. Valid values are
PublicIpv4 | PrivateIpv4- remote
Ipv4Network stringCidr The IPv4 CIDR on the AWS side of the VPN connection.
- remote
Ipv6Network stringCidr The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
- static
Routes booleanOnly Whether the VPN connection uses static routes exclusively. Static routes must be used for devices that don't support BGP.
- {[key: string]: string}
Tags to apply to the connection. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.- transit
Gateway stringId The ID of the EC2 Transit Gateway.
- transport
Transit stringGateway Attachment Id . The attachment ID of the Transit Gateway attachment to Direct Connect Gateway. The ID is obtained through a data source only.
- tunnel1Dpd
Timeout stringAction The action to take after DPD timeout occurs for the first VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are
clear | none | restart.- tunnel1Dpd
Timeout numberSeconds The number of seconds after which a DPD timeout occurs for the first VPN tunnel. Valid value is equal or higher than
30.- tunnel1Enable
Tunnel booleanLifecycle Control Turn on or off tunnel endpoint lifecycle control feature for the first VPN tunnel. Valid values are
true | false.- tunnel1Ike
Versions string[] The IKE versions that are permitted for the first VPN tunnel. Valid values are
ikev1 | ikev2.- tunnel1Inside
Cidr string The CIDR block of the inside IP addresses for the first VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
- tunnel1Inside
Ipv6Cidr string The range of inside IPv6 addresses for the first VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
- tunnel1Log
Options VpnConnection Tunnel1Log Options Options for logging VPN tunnel activity. See Log Options below for more details.
- tunnel1Phase1Dh
Group number[]Numbers List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are
2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.- tunnel1Phase1Encryption
Algorithms string[] List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are
AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.- tunnel1Phase1Integrity
Algorithms string[] One or more integrity algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are
SHA1 | SHA2-256 | SHA2-384 | SHA2-512.- tunnel1Phase1Lifetime
Seconds number The lifetime for phase 1 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between
900and28800.- tunnel1Phase2Dh
Group number[]Numbers List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are
2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.- tunnel1Phase2Encryption
Algorithms string[] List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are
AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.- tunnel1Phase2Integrity
Algorithms string[] List of one or more integrity algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are
SHA1 | SHA2-256 | SHA2-384 | SHA2-512.- tunnel1Phase2Lifetime
Seconds number The lifetime for phase 2 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between
900and3600.- string
The preshared key of the first VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero(0). Allowed characters are alphanumeric characters, periods(.) and underscores(_).
- tunnel1Rekey
Fuzz numberPercentage The percentage of the rekey window for the first VPN tunnel (determined by
tunnel1_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between0and100.- tunnel1Rekey
Margin numberTime Seconds The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the first VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for
tunnel1_rekey_fuzz_percentage. Valid value is between60and half oftunnel1_phase2_lifetime_seconds.- tunnel1Replay
Window numberSize The number of packets in an IKE replay window for the first VPN tunnel. Valid value is between
64and2048.- tunnel1Startup
Action string The action to take when the establishing the tunnel for the first VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are
add | start.- tunnel2Dpd
Timeout stringAction The action to take after DPD timeout occurs for the second VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are
clear | none | restart.- tunnel2Dpd
Timeout numberSeconds The number of seconds after which a DPD timeout occurs for the second VPN tunnel. Valid value is equal or higher than
30.- tunnel2Enable
Tunnel booleanLifecycle Control Turn on or off tunnel endpoint lifecycle control feature for the second VPN tunnel. Valid values are
true | false.- tunnel2Ike
Versions string[] The IKE versions that are permitted for the second VPN tunnel. Valid values are
ikev1 | ikev2.- tunnel2Inside
Cidr string The CIDR block of the inside IP addresses for the second VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
- tunnel2Inside
Ipv6Cidr string The range of inside IPv6 addresses for the second VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
- tunnel2Log
Options VpnConnection Tunnel2Log Options Options for logging VPN tunnel activity. See Log Options below for more details.
- tunnel2Phase1Dh
Group number[]Numbers List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are
2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.- tunnel2Phase1Encryption
Algorithms string[] List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are
AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.- tunnel2Phase1Integrity
Algorithms string[] One or more integrity algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are
SHA1 | SHA2-256 | SHA2-384 | SHA2-512.- tunnel2Phase1Lifetime
Seconds number The lifetime for phase 1 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between
900and28800.- tunnel2Phase2Dh
Group number[]Numbers List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are
2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.- tunnel2Phase2Encryption
Algorithms string[] List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are
AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.- tunnel2Phase2Integrity
Algorithms string[] List of one or more integrity algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are
SHA1 | SHA2-256 | SHA2-384 | SHA2-512.- tunnel2Phase2Lifetime
Seconds number The lifetime for phase 2 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between
900and3600.- string
The preshared key of the second VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero(0). Allowed characters are alphanumeric characters, periods(.) and underscores(_).
- tunnel2Rekey
Fuzz numberPercentage The percentage of the rekey window for the second VPN tunnel (determined by
tunnel2_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between0and100.- tunnel2Rekey
Margin numberTime Seconds The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the second VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for
tunnel2_rekey_fuzz_percentage. Valid value is between60and half oftunnel2_phase2_lifetime_seconds.- tunnel2Replay
Window numberSize The number of packets in an IKE replay window for the second VPN tunnel. Valid value is between
64and2048.- tunnel2Startup
Action string The action to take when the establishing the tunnel for the second VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are
add | start.- tunnel
Inside stringIp Version Indicate whether the VPN tunnels process IPv4 or IPv6 traffic. Valid values are
ipv4 | ipv6.ipv6Supports only EC2 Transit Gateway.- vpn
Gateway stringId The ID of the Virtual Private Gateway.
- customer_
gateway_ strid The ID of the customer gateway.
- type str
The type of VPN connection. The only type AWS supports at this time is "ipsec.1".
- enable_
acceleration bool Indicate whether to enable acceleration for the VPN connection. Supports only EC2 Transit Gateway.
- local_
ipv4_ strnetwork_ cidr The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection.
- local_
ipv6_ strnetwork_ cidr The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
- outside_
ip_ straddress_ type Indicates if a Public S2S VPN or Private S2S VPN over AWS Direct Connect. Valid values are
PublicIpv4 | PrivateIpv4- remote_
ipv4_ strnetwork_ cidr The IPv4 CIDR on the AWS side of the VPN connection.
- remote_
ipv6_ strnetwork_ cidr The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
- static_
routes_ boolonly Whether the VPN connection uses static routes exclusively. Static routes must be used for devices that don't support BGP.
- Mapping[str, str]
Tags to apply to the connection. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.- transit_
gateway_ strid The ID of the EC2 Transit Gateway.
- transport_
transit_ strgateway_ attachment_ id . The attachment ID of the Transit Gateway attachment to Direct Connect Gateway. The ID is obtained through a data source only.
- tunnel1_
dpd_ strtimeout_ action The action to take after DPD timeout occurs for the first VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are
clear | none | restart.- tunnel1_
dpd_ inttimeout_ seconds The number of seconds after which a DPD timeout occurs for the first VPN tunnel. Valid value is equal or higher than
30.- tunnel1_
enable_ booltunnel_ lifecycle_ control Turn on or off tunnel endpoint lifecycle control feature for the first VPN tunnel. Valid values are
true | false.- tunnel1_
ike_ Sequence[str]versions The IKE versions that are permitted for the first VPN tunnel. Valid values are
ikev1 | ikev2.- tunnel1_
inside_ strcidr The CIDR block of the inside IP addresses for the first VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
- tunnel1_
inside_ stripv6_ cidr The range of inside IPv6 addresses for the first VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
- tunnel1_
log_ Vpnoptions Connection Tunnel1Log Options Args Options for logging VPN tunnel activity. See Log Options below for more details.
- tunnel1_
phase1_ Sequence[int]dh_ group_ numbers List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are
2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.- tunnel1_
phase1_ Sequence[str]encryption_ algorithms List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are
AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.- tunnel1_
phase1_ Sequence[str]integrity_ algorithms One or more integrity algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are
SHA1 | SHA2-256 | SHA2-384 | SHA2-512.- tunnel1_
phase1_ intlifetime_ seconds The lifetime for phase 1 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between
900and28800.- tunnel1_
phase2_ Sequence[int]dh_ group_ numbers List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are
2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.- tunnel1_
phase2_ Sequence[str]encryption_ algorithms List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are
AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.- tunnel1_
phase2_ Sequence[str]integrity_ algorithms List of one or more integrity algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are
SHA1 | SHA2-256 | SHA2-384 | SHA2-512.- tunnel1_
phase2_ intlifetime_ seconds The lifetime for phase 2 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between
900and3600.- str
The preshared key of the first VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero(0). Allowed characters are alphanumeric characters, periods(.) and underscores(_).
- tunnel1_
rekey_ intfuzz_ percentage The percentage of the rekey window for the first VPN tunnel (determined by
tunnel1_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between0and100.- tunnel1_
rekey_ intmargin_ time_ seconds The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the first VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for
tunnel1_rekey_fuzz_percentage. Valid value is between60and half oftunnel1_phase2_lifetime_seconds.- tunnel1_
replay_ intwindow_ size The number of packets in an IKE replay window for the first VPN tunnel. Valid value is between
64and2048.- tunnel1_
startup_ straction The action to take when the establishing the tunnel for the first VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are
add | start.- tunnel2_
dpd_ strtimeout_ action The action to take after DPD timeout occurs for the second VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are
clear | none | restart.- tunnel2_
dpd_ inttimeout_ seconds The number of seconds after which a DPD timeout occurs for the second VPN tunnel. Valid value is equal or higher than
30.- tunnel2_
enable_ booltunnel_ lifecycle_ control Turn on or off tunnel endpoint lifecycle control feature for the second VPN tunnel. Valid values are
true | false.- tunnel2_
ike_ Sequence[str]versions The IKE versions that are permitted for the second VPN tunnel. Valid values are
ikev1 | ikev2.- tunnel2_
inside_ strcidr The CIDR block of the inside IP addresses for the second VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
- tunnel2_
inside_ stripv6_ cidr The range of inside IPv6 addresses for the second VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
- tunnel2_
log_ Vpnoptions Connection Tunnel2Log Options Args Options for logging VPN tunnel activity. See Log Options below for more details.
- tunnel2_
phase1_ Sequence[int]dh_ group_ numbers List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are
2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.- tunnel2_
phase1_ Sequence[str]encryption_ algorithms List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are
AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.- tunnel2_
phase1_ Sequence[str]integrity_ algorithms One or more integrity algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are
SHA1 | SHA2-256 | SHA2-384 | SHA2-512.- tunnel2_
phase1_ intlifetime_ seconds The lifetime for phase 1 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between
900and28800.- tunnel2_
phase2_ Sequence[int]dh_ group_ numbers List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are
2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.- tunnel2_
phase2_ Sequence[str]encryption_ algorithms List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are
AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.- tunnel2_
phase2_ Sequence[str]integrity_ algorithms List of one or more integrity algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are
SHA1 | SHA2-256 | SHA2-384 | SHA2-512.- tunnel2_
phase2_ intlifetime_ seconds The lifetime for phase 2 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between
900and3600.- str
The preshared key of the second VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero(0). Allowed characters are alphanumeric characters, periods(.) and underscores(_).
- tunnel2_
rekey_ intfuzz_ percentage The percentage of the rekey window for the second VPN tunnel (determined by
tunnel2_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between0and100.- tunnel2_
rekey_ intmargin_ time_ seconds The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the second VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for
tunnel2_rekey_fuzz_percentage. Valid value is between60and half oftunnel2_phase2_lifetime_seconds.- tunnel2_
replay_ intwindow_ size The number of packets in an IKE replay window for the second VPN tunnel. Valid value is between
64and2048.- tunnel2_
startup_ straction The action to take when the establishing the tunnel for the second VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are
add | start.- tunnel_
inside_ strip_ version Indicate whether the VPN tunnels process IPv4 or IPv6 traffic. Valid values are
ipv4 | ipv6.ipv6Supports only EC2 Transit Gateway.- vpn_
gateway_ strid The ID of the Virtual Private Gateway.
- customer
Gateway StringId The ID of the customer gateway.
- type String
The type of VPN connection. The only type AWS supports at this time is "ipsec.1".
- enable
Acceleration Boolean Indicate whether to enable acceleration for the VPN connection. Supports only EC2 Transit Gateway.
- local
Ipv4Network StringCidr The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection.
- local
Ipv6Network StringCidr The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
- outside
Ip StringAddress Type Indicates if a Public S2S VPN or Private S2S VPN over AWS Direct Connect. Valid values are
PublicIpv4 | PrivateIpv4- remote
Ipv4Network StringCidr The IPv4 CIDR on the AWS side of the VPN connection.
- remote
Ipv6Network StringCidr The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
- static
Routes BooleanOnly Whether the VPN connection uses static routes exclusively. Static routes must be used for devices that don't support BGP.
- Map<String>
Tags to apply to the connection. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.- transit
Gateway StringId The ID of the EC2 Transit Gateway.
- transport
Transit StringGateway Attachment Id . The attachment ID of the Transit Gateway attachment to Direct Connect Gateway. The ID is obtained through a data source only.
- tunnel1Dpd
Timeout StringAction The action to take after DPD timeout occurs for the first VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are
clear | none | restart.- tunnel1Dpd
Timeout NumberSeconds The number of seconds after which a DPD timeout occurs for the first VPN tunnel. Valid value is equal or higher than
30.- tunnel1Enable
Tunnel BooleanLifecycle Control Turn on or off tunnel endpoint lifecycle control feature for the first VPN tunnel. Valid values are
true | false.- tunnel1Ike
Versions List<String> The IKE versions that are permitted for the first VPN tunnel. Valid values are
ikev1 | ikev2.- tunnel1Inside
Cidr String The CIDR block of the inside IP addresses for the first VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
- tunnel1Inside
Ipv6Cidr String The range of inside IPv6 addresses for the first VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
- tunnel1Log
Options Property Map Options for logging VPN tunnel activity. See Log Options below for more details.
- tunnel1Phase1Dh
Group List<Number>Numbers List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are
2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.- tunnel1Phase1Encryption
Algorithms List<String> List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are
AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.- tunnel1Phase1Integrity
Algorithms List<String> One or more integrity algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are
SHA1 | SHA2-256 | SHA2-384 | SHA2-512.- tunnel1Phase1Lifetime
Seconds Number The lifetime for phase 1 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between
900and28800.- tunnel1Phase2Dh
Group List<Number>Numbers List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are
2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.- tunnel1Phase2Encryption
Algorithms List<String> List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are
AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.- tunnel1Phase2Integrity
Algorithms List<String> List of one or more integrity algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are
SHA1 | SHA2-256 | SHA2-384 | SHA2-512.- tunnel1Phase2Lifetime
Seconds Number The lifetime for phase 2 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between
900and3600.- String
The preshared key of the first VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero(0). Allowed characters are alphanumeric characters, periods(.) and underscores(_).
- tunnel1Rekey
Fuzz NumberPercentage The percentage of the rekey window for the first VPN tunnel (determined by
tunnel1_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between0and100.- tunnel1Rekey
Margin NumberTime Seconds The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the first VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for
tunnel1_rekey_fuzz_percentage. Valid value is between60and half oftunnel1_phase2_lifetime_seconds.- tunnel1Replay
Window NumberSize The number of packets in an IKE replay window for the first VPN tunnel. Valid value is between
64and2048.- tunnel1Startup
Action String The action to take when the establishing the tunnel for the first VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are
add | start.- tunnel2Dpd
Timeout StringAction The action to take after DPD timeout occurs for the second VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are
clear | none | restart.- tunnel2Dpd
Timeout NumberSeconds The number of seconds after which a DPD timeout occurs for the second VPN tunnel. Valid value is equal or higher than
30.- tunnel2Enable
Tunnel BooleanLifecycle Control Turn on or off tunnel endpoint lifecycle control feature for the second VPN tunnel. Valid values are
true | false.- tunnel2Ike
Versions List<String> The IKE versions that are permitted for the second VPN tunnel. Valid values are
ikev1 | ikev2.- tunnel2Inside
Cidr String The CIDR block of the inside IP addresses for the second VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
- tunnel2Inside
Ipv6Cidr String The range of inside IPv6 addresses for the second VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
- tunnel2Log
Options Property Map Options for logging VPN tunnel activity. See Log Options below for more details.
- tunnel2Phase1Dh
Group List<Number>Numbers List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are
2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.- tunnel2Phase1Encryption
Algorithms List<String> List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are
AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.- tunnel2Phase1Integrity
Algorithms List<String> One or more integrity algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are
SHA1 | SHA2-256 | SHA2-384 | SHA2-512.- tunnel2Phase1Lifetime
Seconds Number The lifetime for phase 1 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between
900and28800.- tunnel2Phase2Dh
Group List<Number>Numbers List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are
2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.- tunnel2Phase2Encryption
Algorithms List<String> List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are
AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.- tunnel2Phase2Integrity
Algorithms List<String> List of one or more integrity algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are
SHA1 | SHA2-256 | SHA2-384 | SHA2-512.- tunnel2Phase2Lifetime
Seconds Number The lifetime for phase 2 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between
900and3600.- String
The preshared key of the second VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero(0). Allowed characters are alphanumeric characters, periods(.) and underscores(_).
- tunnel2Rekey
Fuzz NumberPercentage The percentage of the rekey window for the second VPN tunnel (determined by
tunnel2_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between0and100.- tunnel2Rekey
Margin NumberTime Seconds The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the second VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for
tunnel2_rekey_fuzz_percentage. Valid value is between60and half oftunnel2_phase2_lifetime_seconds.- tunnel2Replay
Window NumberSize The number of packets in an IKE replay window for the second VPN tunnel. Valid value is between
64and2048.- tunnel2Startup
Action String The action to take when the establishing the tunnel for the second VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are
add | start.- tunnel
Inside StringIp Version Indicate whether the VPN tunnels process IPv4 or IPv6 traffic. Valid values are
ipv4 | ipv6.ipv6Supports only EC2 Transit Gateway.- vpn
Gateway StringId The ID of the Virtual Private Gateway.
Outputs
All input properties are implicitly available as output properties. Additionally, the VpnConnection resource produces the following output properties:
- Arn string
Amazon Resource Name (ARN) of the VPN Connection.
- Core
Network stringArn The ARN of the core network.
- Core
Network stringAttachment Arn The ARN of the core network attachment.
- Customer
Gateway stringConfiguration The configuration information for the VPN connection's customer gateway (in the native XML format).
- Id string
The provider-assigned unique ID for this managed resource.
- Routes
List<Vpn
Connection Route> The static routes associated with the VPN connection. Detailed below.
- Dictionary<string, string>
A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.Please use
tagsinstead.- Transit
Gateway stringAttachment Id When associated with an EC2 Transit Gateway (
transit_gateway_idargument), the attachment ID. See also theaws.ec2.Tagresource for tagging the EC2 Transit Gateway VPN Attachment.- Tunnel1Address string
The public IP address of the first VPN tunnel.
- Tunnel1Bgp
Asn string The bgp asn number of the first VPN tunnel.
- Tunnel1Bgp
Holdtime int The bgp holdtime of the first VPN tunnel.
- Tunnel1Cgw
Inside stringAddress The RFC 6890 link-local address of the first VPN tunnel (Customer Gateway Side).
- Tunnel1Vgw
Inside stringAddress The RFC 6890 link-local address of the first VPN tunnel (VPN Gateway Side).
- Tunnel2Address string
The public IP address of the second VPN tunnel.
- Tunnel2Bgp
Asn string The bgp asn number of the second VPN tunnel.
- Tunnel2Bgp
Holdtime int The bgp holdtime of the second VPN tunnel.
- Tunnel2Cgw
Inside stringAddress The RFC 6890 link-local address of the second VPN tunnel (Customer Gateway Side).
- Tunnel2Vgw
Inside stringAddress The RFC 6890 link-local address of the second VPN tunnel (VPN Gateway Side).
- Vgw
Telemetries List<VpnConnection Vgw Telemetry> Telemetry for the VPN tunnels. Detailed below.
- Arn string
Amazon Resource Name (ARN) of the VPN Connection.
- Core
Network stringArn The ARN of the core network.
- Core
Network stringAttachment Arn The ARN of the core network attachment.
- Customer
Gateway stringConfiguration The configuration information for the VPN connection's customer gateway (in the native XML format).
- Id string
The provider-assigned unique ID for this managed resource.
- Routes
[]Vpn
Connection Route Type The static routes associated with the VPN connection. Detailed below.
- map[string]string
A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.Please use
tagsinstead.- Transit
Gateway stringAttachment Id When associated with an EC2 Transit Gateway (
transit_gateway_idargument), the attachment ID. See also theaws.ec2.Tagresource for tagging the EC2 Transit Gateway VPN Attachment.- Tunnel1Address string
The public IP address of the first VPN tunnel.
- Tunnel1Bgp
Asn string The bgp asn number of the first VPN tunnel.
- Tunnel1Bgp
Holdtime int The bgp holdtime of the first VPN tunnel.
- Tunnel1Cgw
Inside stringAddress The RFC 6890 link-local address of the first VPN tunnel (Customer Gateway Side).
- Tunnel1Vgw
Inside stringAddress The RFC 6890 link-local address of the first VPN tunnel (VPN Gateway Side).
- Tunnel2Address string
The public IP address of the second VPN tunnel.
- Tunnel2Bgp
Asn string The bgp asn number of the second VPN tunnel.
- Tunnel2Bgp
Holdtime int The bgp holdtime of the second VPN tunnel.
- Tunnel2Cgw
Inside stringAddress The RFC 6890 link-local address of the second VPN tunnel (Customer Gateway Side).
- Tunnel2Vgw
Inside stringAddress The RFC 6890 link-local address of the second VPN tunnel (VPN Gateway Side).
- Vgw
Telemetries []VpnConnection Vgw Telemetry Telemetry for the VPN tunnels. Detailed below.
- arn String
Amazon Resource Name (ARN) of the VPN Connection.
- core
Network StringArn The ARN of the core network.
- core
Network StringAttachment Arn The ARN of the core network attachment.
- customer
Gateway StringConfiguration The configuration information for the VPN connection's customer gateway (in the native XML format).
- id String
The provider-assigned unique ID for this managed resource.
- routes
List<Vpn
Connection Route> The static routes associated with the VPN connection. Detailed below.
- Map<String,String>
A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.Please use
tagsinstead.- transit
Gateway StringAttachment Id When associated with an EC2 Transit Gateway (
transit_gateway_idargument), the attachment ID. See also theaws.ec2.Tagresource for tagging the EC2 Transit Gateway VPN Attachment.- tunnel1Address String
The public IP address of the first VPN tunnel.
- tunnel1Bgp
Asn String The bgp asn number of the first VPN tunnel.
- tunnel1Bgp
Holdtime Integer The bgp holdtime of the first VPN tunnel.
- tunnel1Cgw
Inside StringAddress The RFC 6890 link-local address of the first VPN tunnel (Customer Gateway Side).
- tunnel1Vgw
Inside StringAddress The RFC 6890 link-local address of the first VPN tunnel (VPN Gateway Side).
- tunnel2Address String
The public IP address of the second VPN tunnel.
- tunnel2Bgp
Asn String The bgp asn number of the second VPN tunnel.
- tunnel2Bgp
Holdtime Integer The bgp holdtime of the second VPN tunnel.
- tunnel2Cgw
Inside StringAddress The RFC 6890 link-local address of the second VPN tunnel (Customer Gateway Side).
- tunnel2Vgw
Inside StringAddress The RFC 6890 link-local address of the second VPN tunnel (VPN Gateway Side).
- vgw
Telemetries List<VpnConnection Vgw Telemetry> Telemetry for the VPN tunnels. Detailed below.
- arn string
Amazon Resource Name (ARN) of the VPN Connection.
- core
Network stringArn The ARN of the core network.
- core
Network stringAttachment Arn The ARN of the core network attachment.
- customer
Gateway stringConfiguration The configuration information for the VPN connection's customer gateway (in the native XML format).
- id string
The provider-assigned unique ID for this managed resource.
- routes
Vpn
Connection Route[] The static routes associated with the VPN connection. Detailed below.
- {[key: string]: string}
A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.Please use
tagsinstead.- transit
Gateway stringAttachment Id When associated with an EC2 Transit Gateway (
transit_gateway_idargument), the attachment ID. See also theaws.ec2.Tagresource for tagging the EC2 Transit Gateway VPN Attachment.- tunnel1Address string
The public IP address of the first VPN tunnel.
- tunnel1Bgp
Asn string The bgp asn number of the first VPN tunnel.
- tunnel1Bgp
Holdtime number The bgp holdtime of the first VPN tunnel.
- tunnel1Cgw
Inside stringAddress The RFC 6890 link-local address of the first VPN tunnel (Customer Gateway Side).
- tunnel1Vgw
Inside stringAddress The RFC 6890 link-local address of the first VPN tunnel (VPN Gateway Side).
- tunnel2Address string
The public IP address of the second VPN tunnel.
- tunnel2Bgp
Asn string The bgp asn number of the second VPN tunnel.
- tunnel2Bgp
Holdtime number The bgp holdtime of the second VPN tunnel.
- tunnel2Cgw
Inside stringAddress The RFC 6890 link-local address of the second VPN tunnel (Customer Gateway Side).
- tunnel2Vgw
Inside stringAddress The RFC 6890 link-local address of the second VPN tunnel (VPN Gateway Side).
- vgw
Telemetries VpnConnection Vgw Telemetry[] Telemetry for the VPN tunnels. Detailed below.
- arn str
Amazon Resource Name (ARN) of the VPN Connection.
- core_
network_ strarn The ARN of the core network.
- core_
network_ strattachment_ arn The ARN of the core network attachment.
- customer_
gateway_ strconfiguration The configuration information for the VPN connection's customer gateway (in the native XML format).
- id str
The provider-assigned unique ID for this managed resource.
- routes
Sequence[Vpn
Connection Route] The static routes associated with the VPN connection. Detailed below.
- Mapping[str, str]
A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.Please use
tagsinstead.- transit_
gateway_ strattachment_ id When associated with an EC2 Transit Gateway (
transit_gateway_idargument), the attachment ID. See also theaws.ec2.Tagresource for tagging the EC2 Transit Gateway VPN Attachment.- tunnel1_
address str The public IP address of the first VPN tunnel.
- tunnel1_
bgp_ strasn The bgp asn number of the first VPN tunnel.
- tunnel1_
bgp_ intholdtime The bgp holdtime of the first VPN tunnel.
- tunnel1_
cgw_ strinside_ address The RFC 6890 link-local address of the first VPN tunnel (Customer Gateway Side).
- tunnel1_
vgw_ strinside_ address The RFC 6890 link-local address of the first VPN tunnel (VPN Gateway Side).
- tunnel2_
address str The public IP address of the second VPN tunnel.
- tunnel2_
bgp_ strasn The bgp asn number of the second VPN tunnel.
- tunnel2_
bgp_ intholdtime The bgp holdtime of the second VPN tunnel.
- tunnel2_
cgw_ strinside_ address The RFC 6890 link-local address of the second VPN tunnel (Customer Gateway Side).
- tunnel2_
vgw_ strinside_ address The RFC 6890 link-local address of the second VPN tunnel (VPN Gateway Side).
- vgw_
telemetries Sequence[VpnConnection Vgw Telemetry] Telemetry for the VPN tunnels. Detailed below.
- arn String
Amazon Resource Name (ARN) of the VPN Connection.
- core
Network StringArn The ARN of the core network.
- core
Network StringAttachment Arn The ARN of the core network attachment.
- customer
Gateway StringConfiguration The configuration information for the VPN connection's customer gateway (in the native XML format).
- id String
The provider-assigned unique ID for this managed resource.
- routes List<Property Map>
The static routes associated with the VPN connection. Detailed below.
- Map<String>
A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.Please use
tagsinstead.- transit
Gateway StringAttachment Id When associated with an EC2 Transit Gateway (
transit_gateway_idargument), the attachment ID. See also theaws.ec2.Tagresource for tagging the EC2 Transit Gateway VPN Attachment.- tunnel1Address String
The public IP address of the first VPN tunnel.
- tunnel1Bgp
Asn String The bgp asn number of the first VPN tunnel.
- tunnel1Bgp
Holdtime Number The bgp holdtime of the first VPN tunnel.
- tunnel1Cgw
Inside StringAddress The RFC 6890 link-local address of the first VPN tunnel (Customer Gateway Side).
- tunnel1Vgw
Inside StringAddress The RFC 6890 link-local address of the first VPN tunnel (VPN Gateway Side).
- tunnel2Address String
The public IP address of the second VPN tunnel.
- tunnel2Bgp
Asn String The bgp asn number of the second VPN tunnel.
- tunnel2Bgp
Holdtime Number The bgp holdtime of the second VPN tunnel.
- tunnel2Cgw
Inside StringAddress The RFC 6890 link-local address of the second VPN tunnel (Customer Gateway Side).
- tunnel2Vgw
Inside StringAddress The RFC 6890 link-local address of the second VPN tunnel (VPN Gateway Side).
- vgw
Telemetries List<Property Map> Telemetry for the VPN tunnels. Detailed below.
Look up Existing VpnConnection Resource
Get an existing VpnConnection resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: VpnConnectionState, opts?: CustomResourceOptions): VpnConnection@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
arn: Optional[str] = None,
core_network_arn: Optional[str] = None,
core_network_attachment_arn: Optional[str] = None,
customer_gateway_configuration: Optional[str] = None,
customer_gateway_id: Optional[str] = None,
enable_acceleration: Optional[bool] = None,
local_ipv4_network_cidr: Optional[str] = None,
local_ipv6_network_cidr: Optional[str] = None,
outside_ip_address_type: Optional[str] = None,
remote_ipv4_network_cidr: Optional[str] = None,
remote_ipv6_network_cidr: Optional[str] = None,
routes: Optional[Sequence[VpnConnectionRouteArgs]] = None,
static_routes_only: Optional[bool] = None,
tags: Optional[Mapping[str, str]] = None,
tags_all: Optional[Mapping[str, str]] = None,
transit_gateway_attachment_id: Optional[str] = None,
transit_gateway_id: Optional[str] = None,
transport_transit_gateway_attachment_id: Optional[str] = None,
tunnel1_address: Optional[str] = None,
tunnel1_bgp_asn: Optional[str] = None,
tunnel1_bgp_holdtime: Optional[int] = None,
tunnel1_cgw_inside_address: Optional[str] = None,
tunnel1_dpd_timeout_action: Optional[str] = None,
tunnel1_dpd_timeout_seconds: Optional[int] = None,
tunnel1_enable_tunnel_lifecycle_control: Optional[bool] = None,
tunnel1_ike_versions: Optional[Sequence[str]] = None,
tunnel1_inside_cidr: Optional[str] = None,
tunnel1_inside_ipv6_cidr: Optional[str] = None,
tunnel1_log_options: Optional[VpnConnectionTunnel1LogOptionsArgs] = None,
tunnel1_phase1_dh_group_numbers: Optional[Sequence[int]] = None,
tunnel1_phase1_encryption_algorithms: Optional[Sequence[str]] = None,
tunnel1_phase1_integrity_algorithms: Optional[Sequence[str]] = None,
tunnel1_phase1_lifetime_seconds: Optional[int] = None,
tunnel1_phase2_dh_group_numbers: Optional[Sequence[int]] = None,
tunnel1_phase2_encryption_algorithms: Optional[Sequence[str]] = None,
tunnel1_phase2_integrity_algorithms: Optional[Sequence[str]] = None,
tunnel1_phase2_lifetime_seconds: Optional[int] = None,
tunnel1_preshared_key: Optional[str] = None,
tunnel1_rekey_fuzz_percentage: Optional[int] = None,
tunnel1_rekey_margin_time_seconds: Optional[int] = None,
tunnel1_replay_window_size: Optional[int] = None,
tunnel1_startup_action: Optional[str] = None,
tunnel1_vgw_inside_address: Optional[str] = None,
tunnel2_address: Optional[str] = None,
tunnel2_bgp_asn: Optional[str] = None,
tunnel2_bgp_holdtime: Optional[int] = None,
tunnel2_cgw_inside_address: Optional[str] = None,
tunnel2_dpd_timeout_action: Optional[str] = None,
tunnel2_dpd_timeout_seconds: Optional[int] = None,
tunnel2_enable_tunnel_lifecycle_control: Optional[bool] = None,
tunnel2_ike_versions: Optional[Sequence[str]] = None,
tunnel2_inside_cidr: Optional[str] = None,
tunnel2_inside_ipv6_cidr: Optional[str] = None,
tunnel2_log_options: Optional[VpnConnectionTunnel2LogOptionsArgs] = None,
tunnel2_phase1_dh_group_numbers: Optional[Sequence[int]] = None,
tunnel2_phase1_encryption_algorithms: Optional[Sequence[str]] = None,
tunnel2_phase1_integrity_algorithms: Optional[Sequence[str]] = None,
tunnel2_phase1_lifetime_seconds: Optional[int] = None,
tunnel2_phase2_dh_group_numbers: Optional[Sequence[int]] = None,
tunnel2_phase2_encryption_algorithms: Optional[Sequence[str]] = None,
tunnel2_phase2_integrity_algorithms: Optional[Sequence[str]] = None,
tunnel2_phase2_lifetime_seconds: Optional[int] = None,
tunnel2_preshared_key: Optional[str] = None,
tunnel2_rekey_fuzz_percentage: Optional[int] = None,
tunnel2_rekey_margin_time_seconds: Optional[int] = None,
tunnel2_replay_window_size: Optional[int] = None,
tunnel2_startup_action: Optional[str] = None,
tunnel2_vgw_inside_address: Optional[str] = None,
tunnel_inside_ip_version: Optional[str] = None,
type: Optional[str] = None,
vgw_telemetries: Optional[Sequence[VpnConnectionVgwTelemetryArgs]] = None,
vpn_gateway_id: Optional[str] = None) -> VpnConnectionfunc GetVpnConnection(ctx *Context, name string, id IDInput, state *VpnConnectionState, opts ...ResourceOption) (*VpnConnection, error)public static VpnConnection Get(string name, Input<string> id, VpnConnectionState? state, CustomResourceOptions? opts = null)public static VpnConnection get(String name, Output<String> id, VpnConnectionState state, CustomResourceOptions options)Resource lookup is not supported in YAML- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Arn string
Amazon Resource Name (ARN) of the VPN Connection.
- Core
Network stringArn The ARN of the core network.
- Core
Network stringAttachment Arn The ARN of the core network attachment.
- Customer
Gateway stringConfiguration The configuration information for the VPN connection's customer gateway (in the native XML format).
- Customer
Gateway stringId The ID of the customer gateway.
- Enable
Acceleration bool Indicate whether to enable acceleration for the VPN connection. Supports only EC2 Transit Gateway.
- Local
Ipv4Network stringCidr The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection.
- Local
Ipv6Network stringCidr The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
- Outside
Ip stringAddress Type Indicates if a Public S2S VPN or Private S2S VPN over AWS Direct Connect. Valid values are
PublicIpv4 | PrivateIpv4- Remote
Ipv4Network stringCidr The IPv4 CIDR on the AWS side of the VPN connection.
- Remote
Ipv6Network stringCidr The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
- Routes
List<Vpn
Connection Route> The static routes associated with the VPN connection. Detailed below.
- Static
Routes boolOnly Whether the VPN connection uses static routes exclusively. Static routes must be used for devices that don't support BGP.
- Dictionary<string, string>
Tags to apply to the connection. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.- Dictionary<string, string>
A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.Please use
tagsinstead.- Transit
Gateway stringAttachment Id When associated with an EC2 Transit Gateway (
transit_gateway_idargument), the attachment ID. See also theaws.ec2.Tagresource for tagging the EC2 Transit Gateway VPN Attachment.- Transit
Gateway stringId The ID of the EC2 Transit Gateway.
- Transport
Transit stringGateway Attachment Id . The attachment ID of the Transit Gateway attachment to Direct Connect Gateway. The ID is obtained through a data source only.
- Tunnel1Address string
The public IP address of the first VPN tunnel.
- Tunnel1Bgp
Asn string The bgp asn number of the first VPN tunnel.
- Tunnel1Bgp
Holdtime int The bgp holdtime of the first VPN tunnel.
- Tunnel1Cgw
Inside stringAddress The RFC 6890 link-local address of the first VPN tunnel (Customer Gateway Side).
- Tunnel1Dpd
Timeout stringAction The action to take after DPD timeout occurs for the first VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are
clear | none | restart.- Tunnel1Dpd
Timeout intSeconds The number of seconds after which a DPD timeout occurs for the first VPN tunnel. Valid value is equal or higher than
30.- Tunnel1Enable
Tunnel boolLifecycle Control Turn on or off tunnel endpoint lifecycle control feature for the first VPN tunnel. Valid values are
true | false.- Tunnel1Ike
Versions List<string> The IKE versions that are permitted for the first VPN tunnel. Valid values are
ikev1 | ikev2.- Tunnel1Inside
Cidr string The CIDR block of the inside IP addresses for the first VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
- Tunnel1Inside
Ipv6Cidr string The range of inside IPv6 addresses for the first VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
- Tunnel1Log
Options VpnConnection Tunnel1Log Options Options for logging VPN tunnel activity. See Log Options below for more details.
- Tunnel1Phase1Dh
Group List<int>Numbers List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are
2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.- Tunnel1Phase1Encryption
Algorithms List<string> List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are
AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.- Tunnel1Phase1Integrity
Algorithms List<string> One or more integrity algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are
SHA1 | SHA2-256 | SHA2-384 | SHA2-512.- Tunnel1Phase1Lifetime
Seconds int The lifetime for phase 1 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between
900and28800.- Tunnel1Phase2Dh
Group List<int>Numbers List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are
2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.- Tunnel1Phase2Encryption
Algorithms List<string> List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are
AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.- Tunnel1Phase2Integrity
Algorithms List<string> List of one or more integrity algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are
SHA1 | SHA2-256 | SHA2-384 | SHA2-512.- Tunnel1Phase2Lifetime
Seconds int The lifetime for phase 2 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between
900and3600.- string
The preshared key of the first VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero(0). Allowed characters are alphanumeric characters, periods(.) and underscores(_).
- Tunnel1Rekey
Fuzz intPercentage The percentage of the rekey window for the first VPN tunnel (determined by
tunnel1_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between0and100.- Tunnel1Rekey
Margin intTime Seconds The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the first VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for
tunnel1_rekey_fuzz_percentage. Valid value is between60and half oftunnel1_phase2_lifetime_seconds.- Tunnel1Replay
Window intSize The number of packets in an IKE replay window for the first VPN tunnel. Valid value is between
64and2048.- Tunnel1Startup
Action string The action to take when the establishing the tunnel for the first VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are
add | start.- Tunnel1Vgw
Inside stringAddress The RFC 6890 link-local address of the first VPN tunnel (VPN Gateway Side).
- Tunnel2Address string
The public IP address of the second VPN tunnel.
- Tunnel2Bgp
Asn string The bgp asn number of the second VPN tunnel.
- Tunnel2Bgp
Holdtime int The bgp holdtime of the second VPN tunnel.
- Tunnel2Cgw
Inside stringAddress The RFC 6890 link-local address of the second VPN tunnel (Customer Gateway Side).
- Tunnel2Dpd
Timeout stringAction The action to take after DPD timeout occurs for the second VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are
clear | none | restart.- Tunnel2Dpd
Timeout intSeconds The number of seconds after which a DPD timeout occurs for the second VPN tunnel. Valid value is equal or higher than
30.- Tunnel2Enable
Tunnel boolLifecycle Control Turn on or off tunnel endpoint lifecycle control feature for the second VPN tunnel. Valid values are
true | false.- Tunnel2Ike
Versions List<string> The IKE versions that are permitted for the second VPN tunnel. Valid values are
ikev1 | ikev2.- Tunnel2Inside
Cidr string The CIDR block of the inside IP addresses for the second VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
- Tunnel2Inside
Ipv6Cidr string The range of inside IPv6 addresses for the second VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
- Tunnel2Log
Options VpnConnection Tunnel2Log Options Options for logging VPN tunnel activity. See Log Options below for more details.
- Tunnel2Phase1Dh
Group List<int>Numbers List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are
2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.- Tunnel2Phase1Encryption
Algorithms List<string> List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are
AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.- Tunnel2Phase1Integrity
Algorithms List<string> One or more integrity algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are
SHA1 | SHA2-256 | SHA2-384 | SHA2-512.- Tunnel2Phase1Lifetime
Seconds int The lifetime for phase 1 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between
900and28800.- Tunnel2Phase2Dh
Group List<int>Numbers List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are
2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.- Tunnel2Phase2Encryption
Algorithms List<string> List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are
AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.- Tunnel2Phase2Integrity
Algorithms List<string> List of one or more integrity algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are
SHA1 | SHA2-256 | SHA2-384 | SHA2-512.- Tunnel2Phase2Lifetime
Seconds int The lifetime for phase 2 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between
900and3600.- string
The preshared key of the second VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero(0). Allowed characters are alphanumeric characters, periods(.) and underscores(_).
- Tunnel2Rekey
Fuzz intPercentage The percentage of the rekey window for the second VPN tunnel (determined by
tunnel2_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between0and100.- Tunnel2Rekey
Margin intTime Seconds The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the second VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for
tunnel2_rekey_fuzz_percentage. Valid value is between60and half oftunnel2_phase2_lifetime_seconds.- Tunnel2Replay
Window intSize The number of packets in an IKE replay window for the second VPN tunnel. Valid value is between
64and2048.- Tunnel2Startup
Action string The action to take when the establishing the tunnel for the second VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are
add | start.- Tunnel2Vgw
Inside stringAddress The RFC 6890 link-local address of the second VPN tunnel (VPN Gateway Side).
- Tunnel
Inside stringIp Version Indicate whether the VPN tunnels process IPv4 or IPv6 traffic. Valid values are
ipv4 | ipv6.ipv6Supports only EC2 Transit Gateway.- Type string
The type of VPN connection. The only type AWS supports at this time is "ipsec.1".
- Vgw
Telemetries List<VpnConnection Vgw Telemetry> Telemetry for the VPN tunnels. Detailed below.
- Vpn
Gateway stringId The ID of the Virtual Private Gateway.
- Arn string
Amazon Resource Name (ARN) of the VPN Connection.
- Core
Network stringArn The ARN of the core network.
- Core
Network stringAttachment Arn The ARN of the core network attachment.
- Customer
Gateway stringConfiguration The configuration information for the VPN connection's customer gateway (in the native XML format).
- Customer
Gateway stringId The ID of the customer gateway.
- Enable
Acceleration bool Indicate whether to enable acceleration for the VPN connection. Supports only EC2 Transit Gateway.
- Local
Ipv4Network stringCidr The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection.
- Local
Ipv6Network stringCidr The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
- Outside
Ip stringAddress Type Indicates if a Public S2S VPN or Private S2S VPN over AWS Direct Connect. Valid values are
PublicIpv4 | PrivateIpv4- Remote
Ipv4Network stringCidr The IPv4 CIDR on the AWS side of the VPN connection.
- Remote
Ipv6Network stringCidr The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
- Routes
[]Vpn
Connection Route Type Args The static routes associated with the VPN connection. Detailed below.
- Static
Routes boolOnly Whether the VPN connection uses static routes exclusively. Static routes must be used for devices that don't support BGP.
- map[string]string
Tags to apply to the connection. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.- map[string]string
A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.Please use
tagsinstead.- Transit
Gateway stringAttachment Id When associated with an EC2 Transit Gateway (
transit_gateway_idargument), the attachment ID. See also theaws.ec2.Tagresource for tagging the EC2 Transit Gateway VPN Attachment.- Transit
Gateway stringId The ID of the EC2 Transit Gateway.
- Transport
Transit stringGateway Attachment Id . The attachment ID of the Transit Gateway attachment to Direct Connect Gateway. The ID is obtained through a data source only.
- Tunnel1Address string
The public IP address of the first VPN tunnel.
- Tunnel1Bgp
Asn string The bgp asn number of the first VPN tunnel.
- Tunnel1Bgp
Holdtime int The bgp holdtime of the first VPN tunnel.
- Tunnel1Cgw
Inside stringAddress The RFC 6890 link-local address of the first VPN tunnel (Customer Gateway Side).
- Tunnel1Dpd
Timeout stringAction The action to take after DPD timeout occurs for the first VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are
clear | none | restart.- Tunnel1Dpd
Timeout intSeconds The number of seconds after which a DPD timeout occurs for the first VPN tunnel. Valid value is equal or higher than
30.- Tunnel1Enable
Tunnel boolLifecycle Control Turn on or off tunnel endpoint lifecycle control feature for the first VPN tunnel. Valid values are
true | false.- Tunnel1Ike
Versions []string The IKE versions that are permitted for the first VPN tunnel. Valid values are
ikev1 | ikev2.- Tunnel1Inside
Cidr string The CIDR block of the inside IP addresses for the first VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
- Tunnel1Inside
Ipv6Cidr string The range of inside IPv6 addresses for the first VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
- Tunnel1Log
Options VpnConnection Tunnel1Log Options Args Options for logging VPN tunnel activity. See Log Options below for more details.
- Tunnel1Phase1Dh
Group []intNumbers List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are
2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.- Tunnel1Phase1Encryption
Algorithms []string List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are
AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.- Tunnel1Phase1Integrity
Algorithms []string One or more integrity algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are
SHA1 | SHA2-256 | SHA2-384 | SHA2-512.- Tunnel1Phase1Lifetime
Seconds int The lifetime for phase 1 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between
900and28800.- Tunnel1Phase2Dh
Group []intNumbers List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are
2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.- Tunnel1Phase2Encryption
Algorithms []string List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are
AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.- Tunnel1Phase2Integrity
Algorithms []string List of one or more integrity algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are
SHA1 | SHA2-256 | SHA2-384 | SHA2-512.- Tunnel1Phase2Lifetime
Seconds int The lifetime for phase 2 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between
900and3600.- string
The preshared key of the first VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero(0). Allowed characters are alphanumeric characters, periods(.) and underscores(_).
- Tunnel1Rekey
Fuzz intPercentage The percentage of the rekey window for the first VPN tunnel (determined by
tunnel1_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between0and100.- Tunnel1Rekey
Margin intTime Seconds The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the first VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for
tunnel1_rekey_fuzz_percentage. Valid value is between60and half oftunnel1_phase2_lifetime_seconds.- Tunnel1Replay
Window intSize The number of packets in an IKE replay window for the first VPN tunnel. Valid value is between
64and2048.- Tunnel1Startup
Action string The action to take when the establishing the tunnel for the first VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are
add | start.- Tunnel1Vgw
Inside stringAddress The RFC 6890 link-local address of the first VPN tunnel (VPN Gateway Side).
- Tunnel2Address string
The public IP address of the second VPN tunnel.
- Tunnel2Bgp
Asn string The bgp asn number of the second VPN tunnel.
- Tunnel2Bgp
Holdtime int The bgp holdtime of the second VPN tunnel.
- Tunnel2Cgw
Inside stringAddress The RFC 6890 link-local address of the second VPN tunnel (Customer Gateway Side).
- Tunnel2Dpd
Timeout stringAction The action to take after DPD timeout occurs for the second VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are
clear | none | restart.- Tunnel2Dpd
Timeout intSeconds The number of seconds after which a DPD timeout occurs for the second VPN tunnel. Valid value is equal or higher than
30.- Tunnel2Enable
Tunnel boolLifecycle Control Turn on or off tunnel endpoint lifecycle control feature for the second VPN tunnel. Valid values are
true | false.- Tunnel2Ike
Versions []string The IKE versions that are permitted for the second VPN tunnel. Valid values are
ikev1 | ikev2.- Tunnel2Inside
Cidr string The CIDR block of the inside IP addresses for the second VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
- Tunnel2Inside
Ipv6Cidr string The range of inside IPv6 addresses for the second VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
- Tunnel2Log
Options VpnConnection Tunnel2Log Options Args Options for logging VPN tunnel activity. See Log Options below for more details.
- Tunnel2Phase1Dh
Group []intNumbers List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are
2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.- Tunnel2Phase1Encryption
Algorithms []string List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are
AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.- Tunnel2Phase1Integrity
Algorithms []string One or more integrity algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are
SHA1 | SHA2-256 | SHA2-384 | SHA2-512.- Tunnel2Phase1Lifetime
Seconds int The lifetime for phase 1 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between
900and28800.- Tunnel2Phase2Dh
Group []intNumbers List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are
2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.- Tunnel2Phase2Encryption
Algorithms []string List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are
AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.- Tunnel2Phase2Integrity
Algorithms []string List of one or more integrity algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are
SHA1 | SHA2-256 | SHA2-384 | SHA2-512.- Tunnel2Phase2Lifetime
Seconds int The lifetime for phase 2 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between
900and3600.- string
The preshared key of the second VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero(0). Allowed characters are alphanumeric characters, periods(.) and underscores(_).
- Tunnel2Rekey
Fuzz intPercentage The percentage of the rekey window for the second VPN tunnel (determined by
tunnel2_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between0and100.- Tunnel2Rekey
Margin intTime Seconds The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the second VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for
tunnel2_rekey_fuzz_percentage. Valid value is between60and half oftunnel2_phase2_lifetime_seconds.- Tunnel2Replay
Window intSize The number of packets in an IKE replay window for the second VPN tunnel. Valid value is between
64and2048.- Tunnel2Startup
Action string The action to take when the establishing the tunnel for the second VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are
add | start.- Tunnel2Vgw
Inside stringAddress The RFC 6890 link-local address of the second VPN tunnel (VPN Gateway Side).
- Tunnel
Inside stringIp Version Indicate whether the VPN tunnels process IPv4 or IPv6 traffic. Valid values are
ipv4 | ipv6.ipv6Supports only EC2 Transit Gateway.- Type string
The type of VPN connection. The only type AWS supports at this time is "ipsec.1".
- Vgw
Telemetries []VpnConnection Vgw Telemetry Args Telemetry for the VPN tunnels. Detailed below.
- Vpn
Gateway stringId The ID of the Virtual Private Gateway.
- arn String
Amazon Resource Name (ARN) of the VPN Connection.
- core
Network StringArn The ARN of the core network.
- core
Network StringAttachment Arn The ARN of the core network attachment.
- customer
Gateway StringConfiguration The configuration information for the VPN connection's customer gateway (in the native XML format).
- customer
Gateway StringId The ID of the customer gateway.
- enable
Acceleration Boolean Indicate whether to enable acceleration for the VPN connection. Supports only EC2 Transit Gateway.
- local
Ipv4Network StringCidr The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection.
- local
Ipv6Network StringCidr The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
- outside
Ip StringAddress Type Indicates if a Public S2S VPN or Private S2S VPN over AWS Direct Connect. Valid values are
PublicIpv4 | PrivateIpv4- remote
Ipv4Network StringCidr The IPv4 CIDR on the AWS side of the VPN connection.
- remote
Ipv6Network StringCidr The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
- routes
List<Vpn
Connection Route> The static routes associated with the VPN connection. Detailed below.
- static
Routes BooleanOnly Whether the VPN connection uses static routes exclusively. Static routes must be used for devices that don't support BGP.
- Map<String,String>
Tags to apply to the connection. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.- Map<String,String>
A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.Please use
tagsinstead.- transit
Gateway StringAttachment Id When associated with an EC2 Transit Gateway (
transit_gateway_idargument), the attachment ID. See also theaws.ec2.Tagresource for tagging the EC2 Transit Gateway VPN Attachment.- transit
Gateway StringId The ID of the EC2 Transit Gateway.
- transport
Transit StringGateway Attachment Id . The attachment ID of the Transit Gateway attachment to Direct Connect Gateway. The ID is obtained through a data source only.
- tunnel1Address String
The public IP address of the first VPN tunnel.
- tunnel1Bgp
Asn String The bgp asn number of the first VPN tunnel.
- tunnel1Bgp
Holdtime Integer The bgp holdtime of the first VPN tunnel.
- tunnel1Cgw
Inside StringAddress The RFC 6890 link-local address of the first VPN tunnel (Customer Gateway Side).
- tunnel1Dpd
Timeout StringAction The action to take after DPD timeout occurs for the first VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are
clear | none | restart.- tunnel1Dpd
Timeout IntegerSeconds The number of seconds after which a DPD timeout occurs for the first VPN tunnel. Valid value is equal or higher than
30.- tunnel1Enable
Tunnel BooleanLifecycle Control Turn on or off tunnel endpoint lifecycle control feature for the first VPN tunnel. Valid values are
true | false.- tunnel1Ike
Versions List<String> The IKE versions that are permitted for the first VPN tunnel. Valid values are
ikev1 | ikev2.- tunnel1Inside
Cidr String The CIDR block of the inside IP addresses for the first VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
- tunnel1Inside
Ipv6Cidr String The range of inside IPv6 addresses for the first VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
- tunnel1Log
Options VpnConnection Tunnel1Log Options Options for logging VPN tunnel activity. See Log Options below for more details.
- tunnel1Phase1Dh
Group List<Integer>Numbers List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are
2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.- tunnel1Phase1Encryption
Algorithms List<String> List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are
AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.- tunnel1Phase1Integrity
Algorithms List<String> One or more integrity algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are
SHA1 | SHA2-256 | SHA2-384 | SHA2-512.- tunnel1Phase1Lifetime
Seconds Integer The lifetime for phase 1 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between
900and28800.- tunnel1Phase2Dh
Group List<Integer>Numbers List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are
2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.- tunnel1Phase2Encryption
Algorithms List<String> List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are
AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.- tunnel1Phase2Integrity
Algorithms List<String> List of one or more integrity algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are
SHA1 | SHA2-256 | SHA2-384 | SHA2-512.- tunnel1Phase2Lifetime
Seconds Integer The lifetime for phase 2 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between
900and3600.- String
The preshared key of the first VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero(0). Allowed characters are alphanumeric characters, periods(.) and underscores(_).
- tunnel1Rekey
Fuzz IntegerPercentage The percentage of the rekey window for the first VPN tunnel (determined by
tunnel1_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between0and100.- tunnel1Rekey
Margin IntegerTime Seconds The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the first VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for
tunnel1_rekey_fuzz_percentage. Valid value is between60and half oftunnel1_phase2_lifetime_seconds.- tunnel1Replay
Window IntegerSize The number of packets in an IKE replay window for the first VPN tunnel. Valid value is between
64and2048.- tunnel1Startup
Action String The action to take when the establishing the tunnel for the first VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are
add | start.- tunnel1Vgw
Inside StringAddress The RFC 6890 link-local address of the first VPN tunnel (VPN Gateway Side).
- tunnel2Address String
The public IP address of the second VPN tunnel.
- tunnel2Bgp
Asn String The bgp asn number of the second VPN tunnel.
- tunnel2Bgp
Holdtime Integer The bgp holdtime of the second VPN tunnel.
- tunnel2Cgw
Inside StringAddress The RFC 6890 link-local address of the second VPN tunnel (Customer Gateway Side).
- tunnel2Dpd
Timeout StringAction The action to take after DPD timeout occurs for the second VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are
clear | none | restart.- tunnel2Dpd
Timeout IntegerSeconds The number of seconds after which a DPD timeout occurs for the second VPN tunnel. Valid value is equal or higher than
30.- tunnel2Enable
Tunnel BooleanLifecycle Control Turn on or off tunnel endpoint lifecycle control feature for the second VPN tunnel. Valid values are
true | false.- tunnel2Ike
Versions List<String> The IKE versions that are permitted for the second VPN tunnel. Valid values are
ikev1 | ikev2.- tunnel2Inside
Cidr String The CIDR block of the inside IP addresses for the second VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
- tunnel2Inside
Ipv6Cidr String The range of inside IPv6 addresses for the second VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
- tunnel2Log
Options VpnConnection Tunnel2Log Options Options for logging VPN tunnel activity. See Log Options below for more details.
- tunnel2Phase1Dh
Group List<Integer>Numbers List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are
2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.- tunnel2Phase1Encryption
Algorithms List<String> List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are
AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.- tunnel2Phase1Integrity
Algorithms List<String> One or more integrity algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are
SHA1 | SHA2-256 | SHA2-384 | SHA2-512.- tunnel2Phase1Lifetime
Seconds Integer The lifetime for phase 1 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between
900and28800.- tunnel2Phase2Dh
Group List<Integer>Numbers List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are
2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.- tunnel2Phase2Encryption
Algorithms List<String> List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are
AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.- tunnel2Phase2Integrity
Algorithms List<String> List of one or more integrity algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are
SHA1 | SHA2-256 | SHA2-384 | SHA2-512.- tunnel2Phase2Lifetime
Seconds Integer The lifetime for phase 2 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between
900and3600.- String
The preshared key of the second VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero(0). Allowed characters are alphanumeric characters, periods(.) and underscores(_).
- tunnel2Rekey
Fuzz IntegerPercentage The percentage of the rekey window for the second VPN tunnel (determined by
tunnel2_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between0and100.- tunnel2Rekey
Margin IntegerTime Seconds The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the second VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for
tunnel2_rekey_fuzz_percentage. Valid value is between60and half oftunnel2_phase2_lifetime_seconds.- tunnel2Replay
Window IntegerSize The number of packets in an IKE replay window for the second VPN tunnel. Valid value is between
64and2048.- tunnel2Startup
Action String The action to take when the establishing the tunnel for the second VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are
add | start.- tunnel2Vgw
Inside StringAddress The RFC 6890 link-local address of the second VPN tunnel (VPN Gateway Side).
- tunnel
Inside StringIp Version Indicate whether the VPN tunnels process IPv4 or IPv6 traffic. Valid values are
ipv4 | ipv6.ipv6Supports only EC2 Transit Gateway.- type String
The type of VPN connection. The only type AWS supports at this time is "ipsec.1".
- vgw
Telemetries List<VpnConnection Vgw Telemetry> Telemetry for the VPN tunnels. Detailed below.
- vpn
Gateway StringId The ID of the Virtual Private Gateway.
- arn string
Amazon Resource Name (ARN) of the VPN Connection.
- core
Network stringArn The ARN of the core network.
- core
Network stringAttachment Arn The ARN of the core network attachment.
- customer
Gateway stringConfiguration The configuration information for the VPN connection's customer gateway (in the native XML format).
- customer
Gateway stringId The ID of the customer gateway.
- enable
Acceleration boolean Indicate whether to enable acceleration for the VPN connection. Supports only EC2 Transit Gateway.
- local
Ipv4Network stringCidr The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection.
- local
Ipv6Network stringCidr The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
- outside
Ip stringAddress Type Indicates if a Public S2S VPN or Private S2S VPN over AWS Direct Connect. Valid values are
PublicIpv4 | PrivateIpv4- remote
Ipv4Network stringCidr The IPv4 CIDR on the AWS side of the VPN connection.
- remote
Ipv6Network stringCidr The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
- routes
Vpn
Connection Route[] The static routes associated with the VPN connection. Detailed below.
- static
Routes booleanOnly Whether the VPN connection uses static routes exclusively. Static routes must be used for devices that don't support BGP.
- {[key: string]: string}
Tags to apply to the connection. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.- {[key: string]: string}
A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.Please use
tagsinstead.- transit
Gateway stringAttachment Id When associated with an EC2 Transit Gateway (
transit_gateway_idargument), the attachment ID. See also theaws.ec2.Tagresource for tagging the EC2 Transit Gateway VPN Attachment.- transit
Gateway stringId The ID of the EC2 Transit Gateway.
- transport
Transit stringGateway Attachment Id . The attachment ID of the Transit Gateway attachment to Direct Connect Gateway. The ID is obtained through a data source only.
- tunnel1Address string
The public IP address of the first VPN tunnel.
- tunnel1Bgp
Asn string The bgp asn number of the first VPN tunnel.
- tunnel1Bgp
Holdtime number The bgp holdtime of the first VPN tunnel.
- tunnel1Cgw
Inside stringAddress The RFC 6890 link-local address of the first VPN tunnel (Customer Gateway Side).
- tunnel1Dpd
Timeout stringAction The action to take after DPD timeout occurs for the first VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are
clear | none | restart.- tunnel1Dpd
Timeout numberSeconds The number of seconds after which a DPD timeout occurs for the first VPN tunnel. Valid value is equal or higher than
30.- tunnel1Enable
Tunnel booleanLifecycle Control Turn on or off tunnel endpoint lifecycle control feature for the first VPN tunnel. Valid values are
true | false.- tunnel1Ike
Versions string[] The IKE versions that are permitted for the first VPN tunnel. Valid values are
ikev1 | ikev2.- tunnel1Inside
Cidr string The CIDR block of the inside IP addresses for the first VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
- tunnel1Inside
Ipv6Cidr string The range of inside IPv6 addresses for the first VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
- tunnel1Log
Options VpnConnection Tunnel1Log Options Options for logging VPN tunnel activity. See Log Options below for more details.
- tunnel1Phase1Dh
Group number[]Numbers List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are
2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.- tunnel1Phase1Encryption
Algorithms string[] List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are
AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.- tunnel1Phase1Integrity
Algorithms string[] One or more integrity algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are
SHA1 | SHA2-256 | SHA2-384 | SHA2-512.- tunnel1Phase1Lifetime
Seconds number The lifetime for phase 1 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between
900and28800.- tunnel1Phase2Dh
Group number[]Numbers List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are
2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.- tunnel1Phase2Encryption
Algorithms string[] List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are
AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.- tunnel1Phase2Integrity
Algorithms string[] List of one or more integrity algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are
SHA1 | SHA2-256 | SHA2-384 | SHA2-512.- tunnel1Phase2Lifetime
Seconds number The lifetime for phase 2 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between
900and3600.- string
The preshared key of the first VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero(0). Allowed characters are alphanumeric characters, periods(.) and underscores(_).
- tunnel1Rekey
Fuzz numberPercentage The percentage of the rekey window for the first VPN tunnel (determined by
tunnel1_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between0and100.- tunnel1Rekey
Margin numberTime Seconds The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the first VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for
tunnel1_rekey_fuzz_percentage. Valid value is between60and half oftunnel1_phase2_lifetime_seconds.- tunnel1Replay
Window numberSize The number of packets in an IKE replay window for the first VPN tunnel. Valid value is between
64and2048.- tunnel1Startup
Action string The action to take when the establishing the tunnel for the first VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are
add | start.- tunnel1Vgw
Inside stringAddress The RFC 6890 link-local address of the first VPN tunnel (VPN Gateway Side).
- tunnel2Address string
The public IP address of the second VPN tunnel.
- tunnel2Bgp
Asn string The bgp asn number of the second VPN tunnel.
- tunnel2Bgp
Holdtime number The bgp holdtime of the second VPN tunnel.
- tunnel2Cgw
Inside stringAddress The RFC 6890 link-local address of the second VPN tunnel (Customer Gateway Side).
- tunnel2Dpd
Timeout stringAction The action to take after DPD timeout occurs for the second VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are
clear | none | restart.- tunnel2Dpd
Timeout numberSeconds The number of seconds after which a DPD timeout occurs for the second VPN tunnel. Valid value is equal or higher than
30.- tunnel2Enable
Tunnel booleanLifecycle Control Turn on or off tunnel endpoint lifecycle control feature for the second VPN tunnel. Valid values are
true | false.- tunnel2Ike
Versions string[] The IKE versions that are permitted for the second VPN tunnel. Valid values are
ikev1 | ikev2.- tunnel2Inside
Cidr string The CIDR block of the inside IP addresses for the second VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
- tunnel2Inside
Ipv6Cidr string The range of inside IPv6 addresses for the second VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
- tunnel2Log
Options VpnConnection Tunnel2Log Options Options for logging VPN tunnel activity. See Log Options below for more details.
- tunnel2Phase1Dh
Group number[]Numbers List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are
2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.- tunnel2Phase1Encryption
Algorithms string[] List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are
AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.- tunnel2Phase1Integrity
Algorithms string[] One or more integrity algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are
SHA1 | SHA2-256 | SHA2-384 | SHA2-512.- tunnel2Phase1Lifetime
Seconds number The lifetime for phase 1 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between
900and28800.- tunnel2Phase2Dh
Group number[]Numbers List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are
2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.- tunnel2Phase2Encryption
Algorithms string[] List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are
AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.- tunnel2Phase2Integrity
Algorithms string[] List of one or more integrity algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are
SHA1 | SHA2-256 | SHA2-384 | SHA2-512.- tunnel2Phase2Lifetime
Seconds number The lifetime for phase 2 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between
900and3600.- string
The preshared key of the second VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero(0). Allowed characters are alphanumeric characters, periods(.) and underscores(_).
- tunnel2Rekey
Fuzz numberPercentage The percentage of the rekey window for the second VPN tunnel (determined by
tunnel2_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between0and100.- tunnel2Rekey
Margin numberTime Seconds The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the second VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for
tunnel2_rekey_fuzz_percentage. Valid value is between60and half oftunnel2_phase2_lifetime_seconds.- tunnel2Replay
Window numberSize The number of packets in an IKE replay window for the second VPN tunnel. Valid value is between
64and2048.- tunnel2Startup
Action string The action to take when the establishing the tunnel for the second VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are
add | start.- tunnel2Vgw
Inside stringAddress The RFC 6890 link-local address of the second VPN tunnel (VPN Gateway Side).
- tunnel
Inside stringIp Version Indicate whether the VPN tunnels process IPv4 or IPv6 traffic. Valid values are
ipv4 | ipv6.ipv6Supports only EC2 Transit Gateway.- type string
The type of VPN connection. The only type AWS supports at this time is "ipsec.1".
- vgw
Telemetries VpnConnection Vgw Telemetry[] Telemetry for the VPN tunnels. Detailed below.
- vpn
Gateway stringId The ID of the Virtual Private Gateway.
- arn str
Amazon Resource Name (ARN) of the VPN Connection.
- core_
network_ strarn The ARN of the core network.
- core_
network_ strattachment_ arn The ARN of the core network attachment.
- customer_
gateway_ strconfiguration The configuration information for the VPN connection's customer gateway (in the native XML format).
- customer_
gateway_ strid The ID of the customer gateway.
- enable_
acceleration bool Indicate whether to enable acceleration for the VPN connection. Supports only EC2 Transit Gateway.
- local_
ipv4_ strnetwork_ cidr The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection.
- local_
ipv6_ strnetwork_ cidr The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
- outside_
ip_ straddress_ type Indicates if a Public S2S VPN or Private S2S VPN over AWS Direct Connect. Valid values are
PublicIpv4 | PrivateIpv4- remote_
ipv4_ strnetwork_ cidr The IPv4 CIDR on the AWS side of the VPN connection.
- remote_
ipv6_ strnetwork_ cidr The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
- routes
Sequence[Vpn
Connection Route Args] The static routes associated with the VPN connection. Detailed below.
- static_
routes_ boolonly Whether the VPN connection uses static routes exclusively. Static routes must be used for devices that don't support BGP.
- Mapping[str, str]
Tags to apply to the connection. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.- Mapping[str, str]
A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.Please use
tagsinstead.- transit_
gateway_ strattachment_ id When associated with an EC2 Transit Gateway (
transit_gateway_idargument), the attachment ID. See also theaws.ec2.Tagresource for tagging the EC2 Transit Gateway VPN Attachment.- transit_
gateway_ strid The ID of the EC2 Transit Gateway.
- transport_
transit_ strgateway_ attachment_ id . The attachment ID of the Transit Gateway attachment to Direct Connect Gateway. The ID is obtained through a data source only.
- tunnel1_
address str The public IP address of the first VPN tunnel.
- tunnel1_
bgp_ strasn The bgp asn number of the first VPN tunnel.
- tunnel1_
bgp_ intholdtime The bgp holdtime of the first VPN tunnel.
- tunnel1_
cgw_ strinside_ address The RFC 6890 link-local address of the first VPN tunnel (Customer Gateway Side).
- tunnel1_
dpd_ strtimeout_ action The action to take after DPD timeout occurs for the first VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are
clear | none | restart.- tunnel1_
dpd_ inttimeout_ seconds The number of seconds after which a DPD timeout occurs for the first VPN tunnel. Valid value is equal or higher than
30.- tunnel1_
enable_ booltunnel_ lifecycle_ control Turn on or off tunnel endpoint lifecycle control feature for the first VPN tunnel. Valid values are
true | false.- tunnel1_
ike_ Sequence[str]versions The IKE versions that are permitted for the first VPN tunnel. Valid values are
ikev1 | ikev2.- tunnel1_
inside_ strcidr The CIDR block of the inside IP addresses for the first VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
- tunnel1_
inside_ stripv6_ cidr The range of inside IPv6 addresses for the first VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
- tunnel1_
log_ Vpnoptions Connection Tunnel1Log Options Args Options for logging VPN tunnel activity. See Log Options below for more details.
- tunnel1_
phase1_ Sequence[int]dh_ group_ numbers List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are
2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.- tunnel1_
phase1_ Sequence[str]encryption_ algorithms List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are
AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.- tunnel1_
phase1_ Sequence[str]integrity_ algorithms One or more integrity algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are
SHA1 | SHA2-256 | SHA2-384 | SHA2-512.- tunnel1_
phase1_ intlifetime_ seconds The lifetime for phase 1 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between
900and28800.- tunnel1_
phase2_ Sequence[int]dh_ group_ numbers List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are
2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.- tunnel1_
phase2_ Sequence[str]encryption_ algorithms List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are
AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.- tunnel1_
phase2_ Sequence[str]integrity_ algorithms List of one or more integrity algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are
SHA1 | SHA2-256 | SHA2-384 | SHA2-512.- tunnel1_
phase2_ intlifetime_ seconds The lifetime for phase 2 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between
900and3600.- str
The preshared key of the first VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero(0). Allowed characters are alphanumeric characters, periods(.) and underscores(_).
- tunnel1_
rekey_ intfuzz_ percentage The percentage of the rekey window for the first VPN tunnel (determined by
tunnel1_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between0and100.- tunnel1_
rekey_ intmargin_ time_ seconds The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the first VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for
tunnel1_rekey_fuzz_percentage. Valid value is between60and half oftunnel1_phase2_lifetime_seconds.- tunnel1_
replay_ intwindow_ size The number of packets in an IKE replay window for the first VPN tunnel. Valid value is between
64and2048.- tunnel1_
startup_ straction The action to take when the establishing the tunnel for the first VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are
add | start.- tunnel1_
vgw_ strinside_ address The RFC 6890 link-local address of the first VPN tunnel (VPN Gateway Side).
- tunnel2_
address str The public IP address of the second VPN tunnel.
- tunnel2_
bgp_ strasn The bgp asn number of the second VPN tunnel.
- tunnel2_
bgp_ intholdtime The bgp holdtime of the second VPN tunnel.
- tunnel2_
cgw_ strinside_ address The RFC 6890 link-local address of the second VPN tunnel (Customer Gateway Side).
- tunnel2_
dpd_ strtimeout_ action The action to take after DPD timeout occurs for the second VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are
clear | none | restart.- tunnel2_
dpd_ inttimeout_ seconds The number of seconds after which a DPD timeout occurs for the second VPN tunnel. Valid value is equal or higher than
30.- tunnel2_
enable_ booltunnel_ lifecycle_ control Turn on or off tunnel endpoint lifecycle control feature for the second VPN tunnel. Valid values are
true | false.- tunnel2_
ike_ Sequence[str]versions The IKE versions that are permitted for the second VPN tunnel. Valid values are
ikev1 | ikev2.- tunnel2_
inside_ strcidr The CIDR block of the inside IP addresses for the second VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
- tunnel2_
inside_ stripv6_ cidr The range of inside IPv6 addresses for the second VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
- tunnel2_
log_ Vpnoptions Connection Tunnel2Log Options Args Options for logging VPN tunnel activity. See Log Options below for more details.
- tunnel2_
phase1_ Sequence[int]dh_ group_ numbers List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are
2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.- tunnel2_
phase1_ Sequence[str]encryption_ algorithms List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are
AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.- tunnel2_
phase1_ Sequence[str]integrity_ algorithms One or more integrity algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are
SHA1 | SHA2-256 | SHA2-384 | SHA2-512.- tunnel2_
phase1_ intlifetime_ seconds The lifetime for phase 1 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between
900and28800.- tunnel2_
phase2_ Sequence[int]dh_ group_ numbers List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are
2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.- tunnel2_
phase2_ Sequence[str]encryption_ algorithms List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are
AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.- tunnel2_
phase2_ Sequence[str]integrity_ algorithms List of one or more integrity algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are
SHA1 | SHA2-256 | SHA2-384 | SHA2-512.- tunnel2_
phase2_ intlifetime_ seconds The lifetime for phase 2 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between
900and3600.- str
The preshared key of the second VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero(0). Allowed characters are alphanumeric characters, periods(.) and underscores(_).
- tunnel2_
rekey_ intfuzz_ percentage The percentage of the rekey window for the second VPN tunnel (determined by
tunnel2_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between0and100.- tunnel2_
rekey_ intmargin_ time_ seconds The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the second VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for
tunnel2_rekey_fuzz_percentage. Valid value is between60and half oftunnel2_phase2_lifetime_seconds.- tunnel2_
replay_ intwindow_ size The number of packets in an IKE replay window for the second VPN tunnel. Valid value is between
64and2048.- tunnel2_
startup_ straction The action to take when the establishing the tunnel for the second VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are
add | start.- tunnel2_
vgw_ strinside_ address The RFC 6890 link-local address of the second VPN tunnel (VPN Gateway Side).
- tunnel_
inside_ strip_ version Indicate whether the VPN tunnels process IPv4 or IPv6 traffic. Valid values are
ipv4 | ipv6.ipv6Supports only EC2 Transit Gateway.- type str
The type of VPN connection. The only type AWS supports at this time is "ipsec.1".
- vgw_
telemetries Sequence[VpnConnection Vgw Telemetry Args] Telemetry for the VPN tunnels. Detailed below.
- vpn_
gateway_ strid The ID of the Virtual Private Gateway.
- arn String
Amazon Resource Name (ARN) of the VPN Connection.
- core
Network StringArn The ARN of the core network.
- core
Network StringAttachment Arn The ARN of the core network attachment.
- customer
Gateway StringConfiguration The configuration information for the VPN connection's customer gateway (in the native XML format).
- customer
Gateway StringId The ID of the customer gateway.
- enable
Acceleration Boolean Indicate whether to enable acceleration for the VPN connection. Supports only EC2 Transit Gateway.
- local
Ipv4Network StringCidr The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection.
- local
Ipv6Network StringCidr The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
- outside
Ip StringAddress Type Indicates if a Public S2S VPN or Private S2S VPN over AWS Direct Connect. Valid values are
PublicIpv4 | PrivateIpv4- remote
Ipv4Network StringCidr The IPv4 CIDR on the AWS side of the VPN connection.
- remote
Ipv6Network StringCidr The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
- routes List<Property Map>
The static routes associated with the VPN connection. Detailed below.
- static
Routes BooleanOnly Whether the VPN connection uses static routes exclusively. Static routes must be used for devices that don't support BGP.
- Map<String>
Tags to apply to the connection. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.- Map<String>
A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.Please use
tagsinstead.- transit
Gateway StringAttachment Id When associated with an EC2 Transit Gateway (
transit_gateway_idargument), the attachment ID. See also theaws.ec2.Tagresource for tagging the EC2 Transit Gateway VPN Attachment.- transit
Gateway StringId The ID of the EC2 Transit Gateway.
- transport
Transit StringGateway Attachment Id . The attachment ID of the Transit Gateway attachment to Direct Connect Gateway. The ID is obtained through a data source only.
- tunnel1Address String
The public IP address of the first VPN tunnel.
- tunnel1Bgp
Asn String The bgp asn number of the first VPN tunnel.
- tunnel1Bgp
Holdtime Number The bgp holdtime of the first VPN tunnel.
- tunnel1Cgw
Inside StringAddress The RFC 6890 link-local address of the first VPN tunnel (Customer Gateway Side).
- tunnel1Dpd
Timeout StringAction The action to take after DPD timeout occurs for the first VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are
clear | none | restart.- tunnel1Dpd
Timeout NumberSeconds The number of seconds after which a DPD timeout occurs for the first VPN tunnel. Valid value is equal or higher than
30.- tunnel1Enable
Tunnel BooleanLifecycle Control Turn on or off tunnel endpoint lifecycle control feature for the first VPN tunnel. Valid values are
true | false.- tunnel1Ike
Versions List<String> The IKE versions that are permitted for the first VPN tunnel. Valid values are
ikev1 | ikev2.- tunnel1Inside
Cidr String The CIDR block of the inside IP addresses for the first VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
- tunnel1Inside
Ipv6Cidr String The range of inside IPv6 addresses for the first VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
- tunnel1Log
Options Property Map Options for logging VPN tunnel activity. See Log Options below for more details.
- tunnel1Phase1Dh
Group List<Number>Numbers List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are
2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.- tunnel1Phase1Encryption
Algorithms List<String> List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are
AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.- tunnel1Phase1Integrity
Algorithms List<String> One or more integrity algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are
SHA1 | SHA2-256 | SHA2-384 | SHA2-512.- tunnel1Phase1Lifetime
Seconds Number The lifetime for phase 1 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between
900and28800.- tunnel1Phase2Dh
Group List<Number>Numbers List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are
2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.- tunnel1Phase2Encryption
Algorithms List<String> List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are
AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.- tunnel1Phase2Integrity
Algorithms List<String> List of one or more integrity algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are
SHA1 | SHA2-256 | SHA2-384 | SHA2-512.- tunnel1Phase2Lifetime
Seconds Number The lifetime for phase 2 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between
900and3600.- String
The preshared key of the first VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero(0). Allowed characters are alphanumeric characters, periods(.) and underscores(_).
- tunnel1Rekey
Fuzz NumberPercentage The percentage of the rekey window for the first VPN tunnel (determined by
tunnel1_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between0and100.- tunnel1Rekey
Margin NumberTime Seconds The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the first VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for
tunnel1_rekey_fuzz_percentage. Valid value is between60and half oftunnel1_phase2_lifetime_seconds.- tunnel1Replay
Window NumberSize The number of packets in an IKE replay window for the first VPN tunnel. Valid value is between
64and2048.- tunnel1Startup
Action String The action to take when the establishing the tunnel for the first VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are
add | start.- tunnel1Vgw
Inside StringAddress The RFC 6890 link-local address of the first VPN tunnel (VPN Gateway Side).
- tunnel2Address String
The public IP address of the second VPN tunnel.
- tunnel2Bgp
Asn String The bgp asn number of the second VPN tunnel.
- tunnel2Bgp
Holdtime Number The bgp holdtime of the second VPN tunnel.
- tunnel2Cgw
Inside StringAddress The RFC 6890 link-local address of the second VPN tunnel (Customer Gateway Side).
- tunnel2Dpd
Timeout StringAction The action to take after DPD timeout occurs for the second VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are
clear | none | restart.- tunnel2Dpd
Timeout NumberSeconds The number of seconds after which a DPD timeout occurs for the second VPN tunnel. Valid value is equal or higher than
30.- tunnel2Enable
Tunnel BooleanLifecycle Control Turn on or off tunnel endpoint lifecycle control feature for the second VPN tunnel. Valid values are
true | false.- tunnel2Ike
Versions List<String> The IKE versions that are permitted for the second VPN tunnel. Valid values are
ikev1 | ikev2.- tunnel2Inside
Cidr String The CIDR block of the inside IP addresses for the second VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
- tunnel2Inside
Ipv6Cidr String The range of inside IPv6 addresses for the second VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
- tunnel2Log
Options Property Map Options for logging VPN tunnel activity. See Log Options below for more details.
- tunnel2Phase1Dh
Group List<Number>Numbers List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are
2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.- tunnel2Phase1Encryption
Algorithms List<String> List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are
AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.- tunnel2Phase1Integrity
Algorithms List<String> One or more integrity algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are
SHA1 | SHA2-256 | SHA2-384 | SHA2-512.- tunnel2Phase1Lifetime
Seconds Number The lifetime for phase 1 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between
900and28800.- tunnel2Phase2Dh
Group List<Number>Numbers List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are
2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.- tunnel2Phase2Encryption
Algorithms List<String> List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are
AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.- tunnel2Phase2Integrity
Algorithms List<String> List of one or more integrity algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are
SHA1 | SHA2-256 | SHA2-384 | SHA2-512.- tunnel2Phase2Lifetime
Seconds Number The lifetime for phase 2 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between
900and3600.- String
The preshared key of the second VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero(0). Allowed characters are alphanumeric characters, periods(.) and underscores(_).
- tunnel2Rekey
Fuzz NumberPercentage The percentage of the rekey window for the second VPN tunnel (determined by
tunnel2_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between0and100.- tunnel2Rekey
Margin NumberTime Seconds The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the second VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for
tunnel2_rekey_fuzz_percentage. Valid value is between60and half oftunnel2_phase2_lifetime_seconds.- tunnel2Replay
Window NumberSize The number of packets in an IKE replay window for the second VPN tunnel. Valid value is between
64and2048.- tunnel2Startup
Action String The action to take when the establishing the tunnel for the second VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are
add | start.- tunnel2Vgw
Inside StringAddress The RFC 6890 link-local address of the second VPN tunnel (VPN Gateway Side).
- tunnel
Inside StringIp Version Indicate whether the VPN tunnels process IPv4 or IPv6 traffic. Valid values are
ipv4 | ipv6.ipv6Supports only EC2 Transit Gateway.- type String
The type of VPN connection. The only type AWS supports at this time is "ipsec.1".
- vgw
Telemetries List<Property Map> Telemetry for the VPN tunnels. Detailed below.
- vpn
Gateway StringId The ID of the Virtual Private Gateway.
Supporting Types
VpnConnectionRoute, VpnConnectionRouteArgs
- Destination
Cidr stringBlock The CIDR block associated with the local subnet of the customer data center.
- Source string
Indicates how the routes were provided.
- State string
The current state of the static route.
- Destination
Cidr stringBlock The CIDR block associated with the local subnet of the customer data center.
- Source string
Indicates how the routes were provided.
- State string
The current state of the static route.
- destination
Cidr StringBlock The CIDR block associated with the local subnet of the customer data center.
- source String
Indicates how the routes were provided.
- state String
The current state of the static route.
- destination
Cidr stringBlock The CIDR block associated with the local subnet of the customer data center.
- source string
Indicates how the routes were provided.
- state string
The current state of the static route.
- destination_
cidr_ strblock The CIDR block associated with the local subnet of the customer data center.
- source str
Indicates how the routes were provided.
- state str
The current state of the static route.
- destination
Cidr StringBlock The CIDR block associated with the local subnet of the customer data center.
- source String
Indicates how the routes were provided.
- state String
The current state of the static route.
VpnConnectionTunnel1LogOptions, VpnConnectionTunnel1LogOptionsArgs
- Cloudwatch
Log VpnOptions Connection Tunnel1Log Options Cloudwatch Log Options Options for sending VPN tunnel logs to CloudWatch. See CloudWatch Log Options below for more details.
- Cloudwatch
Log VpnOptions Connection Tunnel1Log Options Cloudwatch Log Options Options for sending VPN tunnel logs to CloudWatch. See CloudWatch Log Options below for more details.
- cloudwatch
Log VpnOptions Connection Tunnel1Log Options Cloudwatch Log Options Options for sending VPN tunnel logs to CloudWatch. See CloudWatch Log Options below for more details.
- cloudwatch
Log VpnOptions Connection Tunnel1Log Options Cloudwatch Log Options Options for sending VPN tunnel logs to CloudWatch. See CloudWatch Log Options below for more details.
- cloudwatch_
log_ Vpnoptions Connection Tunnel1Log Options Cloudwatch Log Options Options for sending VPN tunnel logs to CloudWatch. See CloudWatch Log Options below for more details.
- cloudwatch
Log Property MapOptions Options for sending VPN tunnel logs to CloudWatch. See CloudWatch Log Options below for more details.
VpnConnectionTunnel1LogOptionsCloudwatchLogOptions, VpnConnectionTunnel1LogOptionsCloudwatchLogOptionsArgs
- Log
Enabled bool Enable or disable VPN tunnel logging feature. The default is
false.- Log
Group stringArn The Amazon Resource Name (ARN) of the CloudWatch log group to send logs to.
- Log
Output stringFormat Set log format. Default format is json. Possible values are:
jsonandtext. The default isjson.
- Log
Enabled bool Enable or disable VPN tunnel logging feature. The default is
false.- Log
Group stringArn The Amazon Resource Name (ARN) of the CloudWatch log group to send logs to.
- Log
Output stringFormat Set log format. Default format is json. Possible values are:
jsonandtext. The default isjson.
- log
Enabled Boolean Enable or disable VPN tunnel logging feature. The default is
false.- log
Group StringArn The Amazon Resource Name (ARN) of the CloudWatch log group to send logs to.
- log
Output StringFormat Set log format. Default format is json. Possible values are:
jsonandtext. The default isjson.
- log
Enabled boolean Enable or disable VPN tunnel logging feature. The default is
false.- log
Group stringArn The Amazon Resource Name (ARN) of the CloudWatch log group to send logs to.
- log
Output stringFormat Set log format. Default format is json. Possible values are:
jsonandtext. The default isjson.
- log_
enabled bool Enable or disable VPN tunnel logging feature. The default is
false.- log_
group_ strarn The Amazon Resource Name (ARN) of the CloudWatch log group to send logs to.
- log_
output_ strformat Set log format. Default format is json. Possible values are:
jsonandtext. The default isjson.
- log
Enabled Boolean Enable or disable VPN tunnel logging feature. The default is
false.- log
Group StringArn The Amazon Resource Name (ARN) of the CloudWatch log group to send logs to.
- log
Output StringFormat Set log format. Default format is json. Possible values are:
jsonandtext. The default isjson.
VpnConnectionTunnel2LogOptions, VpnConnectionTunnel2LogOptionsArgs
- Cloudwatch
Log VpnOptions Connection Tunnel2Log Options Cloudwatch Log Options Options for sending VPN tunnel logs to CloudWatch. See CloudWatch Log Options below for more details.
- Cloudwatch
Log VpnOptions Connection Tunnel2Log Options Cloudwatch Log Options Options for sending VPN tunnel logs to CloudWatch. See CloudWatch Log Options below for more details.
- cloudwatch
Log VpnOptions Connection Tunnel2Log Options Cloudwatch Log Options Options for sending VPN tunnel logs to CloudWatch. See CloudWatch Log Options below for more details.
- cloudwatch
Log VpnOptions Connection Tunnel2Log Options Cloudwatch Log Options Options for sending VPN tunnel logs to CloudWatch. See CloudWatch Log Options below for more details.
- cloudwatch_
log_ Vpnoptions Connection Tunnel2Log Options Cloudwatch Log Options Options for sending VPN tunnel logs to CloudWatch. See CloudWatch Log Options below for more details.
- cloudwatch
Log Property MapOptions Options for sending VPN tunnel logs to CloudWatch. See CloudWatch Log Options below for more details.
VpnConnectionTunnel2LogOptionsCloudwatchLogOptions, VpnConnectionTunnel2LogOptionsCloudwatchLogOptionsArgs
- Log
Enabled bool Enable or disable VPN tunnel logging feature. The default is
false.- Log
Group stringArn The Amazon Resource Name (ARN) of the CloudWatch log group to send logs to.
- Log
Output stringFormat Set log format. Default format is json. Possible values are:
jsonandtext. The default isjson.
- Log
Enabled bool Enable or disable VPN tunnel logging feature. The default is
false.- Log
Group stringArn The Amazon Resource Name (ARN) of the CloudWatch log group to send logs to.
- Log
Output stringFormat Set log format. Default format is json. Possible values are:
jsonandtext. The default isjson.
- log
Enabled Boolean Enable or disable VPN tunnel logging feature. The default is
false.- log
Group StringArn The Amazon Resource Name (ARN) of the CloudWatch log group to send logs to.
- log
Output StringFormat Set log format. Default format is json. Possible values are:
jsonandtext. The default isjson.
- log
Enabled boolean Enable or disable VPN tunnel logging feature. The default is
false.- log
Group stringArn The Amazon Resource Name (ARN) of the CloudWatch log group to send logs to.
- log
Output stringFormat Set log format. Default format is json. Possible values are:
jsonandtext. The default isjson.
- log_
enabled bool Enable or disable VPN tunnel logging feature. The default is
false.- log_
group_ strarn The Amazon Resource Name (ARN) of the CloudWatch log group to send logs to.
- log_
output_ strformat Set log format. Default format is json. Possible values are:
jsonandtext. The default isjson.
- log
Enabled Boolean Enable or disable VPN tunnel logging feature. The default is
false.- log
Group StringArn The Amazon Resource Name (ARN) of the CloudWatch log group to send logs to.
- log
Output StringFormat Set log format. Default format is json. Possible values are:
jsonandtext. The default isjson.
VpnConnectionVgwTelemetry, VpnConnectionVgwTelemetryArgs
- Accepted
Route intCount The number of accepted routes.
- Certificate
Arn string The Amazon Resource Name (ARN) of the VPN tunnel endpoint certificate.
- Last
Status stringChange The date and time of the last change in status.
- Outside
Ip stringAddress The Internet-routable IP address of the virtual private gateway's outside interface.
- Status string
The status of the VPN tunnel.
- Status
Message string If an error occurs, a description of the error.
- Accepted
Route intCount The number of accepted routes.
- Certificate
Arn string The Amazon Resource Name (ARN) of the VPN tunnel endpoint certificate.
- Last
Status stringChange The date and time of the last change in status.
- Outside
Ip stringAddress The Internet-routable IP address of the virtual private gateway's outside interface.
- Status string
The status of the VPN tunnel.
- Status
Message string If an error occurs, a description of the error.
- accepted
Route IntegerCount The number of accepted routes.
- certificate
Arn String The Amazon Resource Name (ARN) of the VPN tunnel endpoint certificate.
- last
Status StringChange The date and time of the last change in status.
- outside
Ip StringAddress The Internet-routable IP address of the virtual private gateway's outside interface.
- status String
The status of the VPN tunnel.
- status
Message String If an error occurs, a description of the error.
- accepted
Route numberCount The number of accepted routes.
- certificate
Arn string The Amazon Resource Name (ARN) of the VPN tunnel endpoint certificate.
- last
Status stringChange The date and time of the last change in status.
- outside
Ip stringAddress The Internet-routable IP address of the virtual private gateway's outside interface.
- status string
The status of the VPN tunnel.
- status
Message string If an error occurs, a description of the error.
- accepted_
route_ intcount The number of accepted routes.
- certificate_
arn str The Amazon Resource Name (ARN) of the VPN tunnel endpoint certificate.
- last_
status_ strchange The date and time of the last change in status.
- outside_
ip_ straddress The Internet-routable IP address of the virtual private gateway's outside interface.
- status str
The status of the VPN tunnel.
- status_
message str If an error occurs, a description of the error.
- accepted
Route NumberCount The number of accepted routes.
- certificate
Arn String The Amazon Resource Name (ARN) of the VPN tunnel endpoint certificate.
- last
Status StringChange The date and time of the last change in status.
- outside
Ip StringAddress The Internet-routable IP address of the virtual private gateway's outside interface.
- status String
The status of the VPN tunnel.
- status
Message String If an error occurs, a description of the error.
Import
Using pulumi import, import VPN Connections using the VPN connection id. For example:
$ pulumi import aws:ec2/vpnConnection:VpnConnection testvpnconnection vpn-40f41529
Package Details
- Repository
- AWS Classic pulumi/pulumi-aws
- License
- Apache-2.0
- Notes
This Pulumi package is based on the
awsTerraform Provider.
Try AWS Native preview for resources not in the classic version.