lakmal-ya/aws_vpn_connection_tf_module

AWS Site to Site VPN

By default, instances that you launch into an Amazon VPC can't communicate with your own (remote) network. You can enable access to your remote network from your VPC by creating an AWS Site-to-Site VPN (Site-to-Site VPN) connection, and configuring routing to pass traffic through the connection. Although the term VPN connection is a general term, in this documentation, a VPN connection refers to the connection between your VPC and your own on-premises network. Site-to-Site VPN supports Internet Protocol security (IPsec) VPN connections.

Site-to-Site VPN limitations

A Site-to-Site VPN connection has the following limitations:
  • IPv6 traffic is not supported for VPN connections on a virtual private gateway.
  • An AWS VPN connection does not support Path MTU Discovery.

In addition, take the following into consideration when you use Site-to-Site VPN:
  • When connecting your VPCs to a common on-premises network, we recommend that you use non-overlapping CIDR blocks for your networks.

Prerequisites

You need the following information to set up and configure the components of a Site-to-Site VPN connection.

Customer gateway device
The physical or software device on your side of the VPN connection. You need the vendor (for example, Cisco), platform (for example, ISR Series Routers), and software version (for example, IOS 12.4).

Customer gateway
To create the customer gateway resource in AWS, you need the following information:
- The internet-routable IP address for the device's external interface
- The type of routing: static or dynamic
- For dynamic routing, the Border Gateway Protocol (BGP) Autonomous System Number (ASN)
- (Optional) Private certificate from AWS Private Certificate Authority to authenticate your VPN
For more information, see Customer gateway options for your Site-to-Site VPN connection.

(Optional) The ASN for the AWS side of the BGP session
You specify this when you create a virtual private gateway or transit gateway. If you do not specify a value, the default ASN applies. For more information, see Virtual private gateway.

VPN connection
To create the VPN connection, you need the following information:
- For static routing, the IP prefixes for your private network.
- (Optional) Tunnel options for each VPN tunnel.
For more information, see Tunnel options for your Site-to-Site VPN connection.

Requirements

Name Version
aws ~> 4.53.0
terraform >= 1.3.7

Providers

Name Version
aws 4.53.0

Resources

Name Type
aws_customer_gateway.customer_gateway resource
aws_vpn_connection.vpn_connection resource
aws_vpn_connection_route.vpn_connection_route resource
aws_vpn_gateway.virtual_private_gateways resource
aws_vpn_gateway_route_propagation.route_propagation resource

Inputs

Name Description Type Default Required
customer_gateway_bgp_asn The ASN of your customer gateway device. The Border Gateway Protocol (BGP) Autonomous System Number (ASN) in the range of 1 – 2,147,483,647 is supported. number n/a yes
customer_gateway_certificate_arn (Optional) The ARN of a private certificate provisioned in AWS Certificate Manager (ACM). string null no
customer_gateway_device_name (Optional) Enter a name for the customer gateway device. string null no
customer_gateway_ip_address Specify the internet-routable IP address for your gateway's external interface; the address must be static and may be behind a device performing network address translation (NAT). string null no
customer_gateway_type (Required) The type of customer gateway. The only type AWS supports at this time is "ipsec.1". string n/a yes
route_propagation_route_table_ids (Optional) The IDs of the route tables into which routes from the Virtual Private Gateway will be propagated. list(string) [] no
tags common tags for vpn resources. map(string) n/a yes
tunnel1_log_options (Optional) Options for logging VPN tunnel activity. Fields: log_enabled (bool, optional; enable or disable the VPN tunnel logging feature, default false), log_group_arn (string, optional; the Amazon Resource Name (ARN) of the CloudWatch log group to send logs to), log_output_format (string, optional; json or text, default json). list(object({ log_enabled = bool, log_group_arn = string, log_output_format = string })) [] no
tunnel2_log_options (Optional) Options for logging VPN tunnel activity. Fields: log_enabled (bool, optional; enable or disable the VPN tunnel logging feature, default false), log_group_arn (string, optional; the Amazon Resource Name (ARN) of the CloudWatch log group to send logs to), log_output_format (string, optional; json or text, default json). list(object({ log_enabled = bool, log_group_arn = string, log_output_format = string })) [] no
virtual_private_gateways_amazon_side_asn (Optional) The Autonomous System Number (ASN) for the Amazon side of the gateway. If you don't specify an ASN, the virtual private gateway is created with the default ASN. number null no
virtual_private_gateways_availability_zone (Optional) The Availability Zone for the virtual private gateway. string null no
virtual_private_gateways_vpc_id (Required) The ID of the VPC to which the virtual private gateway is attached; a virtual private gateway must be attached to your VPC when it is created. string n/a yes
vpn_connection_enable_acceleration (Optional, Default false) Indicate whether to enable acceleration for the VPN connection. Supports only EC2 Transit Gateway. bool false no
vpn_connection_local_ipv4_network_cidr (Optional, Default 0.0.0.0/0) The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection. string null no
vpn_connection_local_ipv6_network_cidr (Optional, Default ::/0) The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection. string null no
vpn_connection_outside_ip_address_type (Optional, Default PublicIpv4) Indicates if a Public S2S VPN or Private S2S VPN over AWS Direct Connect. Valid values are PublicIpv4 | PrivateIpv4 string null no
vpn_connection_remote_ipv4_network_cidr (Optional, Default 0.0.0.0/0) The IPv4 CIDR on the AWS side of the VPN connection. string null no
vpn_connection_remote_ipv6_network_cidr (Optional, Default ::/0) The IPv6 CIDR on the AWS side of the VPN connection. string null no
vpn_connection_route_destination_cidr_block (Required) The CIDR block associated with the local subnet of the customer network. list(string) n/a yes
vpn_connection_static_routes_only (Optional, Default false) Whether the VPN connection uses static routes exclusively. Static routes must be used for devices that don't support BGP. bool false no
vpn_connection_transit_gateway_id (Optional) The ID of the EC2 Transit Gateway. string null no
vpn_connection_transport_transit_gateway_attachment_id (Required when outside_ip_address_type is set to PrivateIpv4). The attachment ID of the Transit Gateway attachment to Direct Connect Gateway. The ID is obtained through a data source only. string null no
vpn_connection_tunnel1_dpd_timeout_action (Optional, Default clear) The action to take after DPD timeout occurs for the first VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are clear | none | restart. string "clear" no
vpn_connection_tunnel1_dpd_timeout_seconds (Optional, Default 30) The number of seconds after which a DPD timeout occurs for the first VPN tunnel. Valid value is equal to or higher than 30. number null no
vpn_connection_tunnel1_ike_versions (Optional) The IKE versions that are permitted for the first VPN tunnel. Valid values are ikev1 | ikev2. set(string) [null] no
vpn_connection_tunnel1_inside_cidr (Optional) The CIDR block of the inside IP addresses for the first VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range. string null no
vpn_connection_tunnel1_inside_ipv6_cidr (Optional) The range of inside IPv6 addresses for the first VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range. string null no
vpn_connection_tunnel1_phase1_dh_group_numbers (Optional) List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are 2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24. set(number) [2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24] no
vpn_connection_tunnel1_phase1_encryption_algorithms (Optional) List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16. set(string) ["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"] no
vpn_connection_tunnel1_phase1_integrity_algorithms (Optional) One or more integrity algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512. set(string) ["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"] no
vpn_connection_tunnel1_phase1_lifetime_seconds (Optional, Default 28800) The lifetime for phase 1 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between 900 and 28800. number 28800 no
vpn_connection_tunnel1_phase2_dh_group_numbers (Optional) List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24. set(number) [2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24] no
vpn_connection_tunnel1_phase2_encryption_algorithms (Optional) List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16. list(string) ["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"] no
vpn_connection_tunnel1_phase2_integrity_algorithms (Optional) List of one or more integrity algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512. list(string) ["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"] no
vpn_connection_tunnel1_phase2_lifetime_seconds (Optional, Default 3600) The lifetime for phase 2 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between 900 and 3600. number 3600 no
vpn_connection_tunnel1_preshared_key (Optional) The preshared key of the first VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero(0). Allowed characters are alphanumeric characters, periods(.) and underscores(_). string null no
vpn_connection_tunnel1_rekey_fuzz_percentage (Optional, Default 100) The percentage of the rekey window for the first VPN tunnel (determined by tunnel1_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between 0 and 100. number 100 no
vpn_connection_tunnel1_rekey_margin_time_seconds (Optional, Default 540) The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the first VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for tunnel1_rekey_fuzz_percentage. Valid value is between 60 and half of tunnel1_phase2_lifetime_seconds. number 540 no
vpn_connection_tunnel1_replay_window_size (Optional, Default 1024) The number of packets in an IKE replay window for the first VPN tunnel. Valid value is between 64 and 2048. number 1024 no
vpn_connection_tunnel1_startup_action (Optional, Default add) The action to take when establishing the tunnel for the first VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are add | start. string "add" no
vpn_connection_tunnel2_dpd_timeout_action (Optional, Default clear) The action to take after DPD timeout occurs for the second VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are clear | none | restart. string "clear" no
vpn_connection_tunnel2_dpd_timeout_seconds (Optional, Default 30) The number of seconds after which a DPD timeout occurs for the second VPN tunnel. Valid value is equal to or higher than 30. string null no
vpn_connection_tunnel2_ike_versions (Optional) The IKE versions that are permitted for the second VPN tunnel. Valid values are ikev1 | ikev2. set(string) [null] no
vpn_connection_tunnel2_inside_cidr (Optional) The CIDR block of the inside IP addresses for the second VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range. string null no
vpn_connection_tunnel2_inside_ipv6_cidr (Optional) The range of inside IPv6 addresses for the second VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range. string null no
vpn_connection_tunnel2_phase1_dh_group_numbers (Optional) List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are 2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24. set(number) [2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24] no
vpn_connection_tunnel2_phase1_encryption_algorithms (Optional) List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16. set(string) ["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"] no
vpn_connection_tunnel2_phase1_integrity_algorithms (Optional) One or more integrity algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512. set(string) ["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"] no
vpn_connection_tunnel2_phase1_lifetime_seconds (Optional, Default 28800) The lifetime for phase 1 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between 900 and 28800. number 28800 no
vpn_connection_tunnel2_phase2_dh_group_numbers (Optional) List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24. set(number) [2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24] no
vpn_connection_tunnel2_phase2_encryption_algorithms (Optional) List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16. list(string) ["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"] no
vpn_connection_tunnel2_phase2_integrity_algorithms (Optional) List of one or more integrity algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512. list(string) ["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"] no
vpn_connection_tunnel2_phase2_lifetime_seconds (Optional, Default 3600) The lifetime for phase 2 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between 900 and 3600. number 3600 no
vpn_connection_tunnel2_preshared_key (Optional) The preshared key of the second VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero(0). Allowed characters are alphanumeric characters, periods(.) and underscores(_). string null no
vpn_connection_tunnel2_rekey_fuzz_percentage (Optional, Default 100) The percentage of the rekey window for the second VPN tunnel (determined by tunnel2_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between 0 and 100. number 100 no
vpn_connection_tunnel2_rekey_margin_time_seconds (Optional, Default 540) The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the second VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for tunnel2_rekey_fuzz_percentage. Valid value is between 60 and half of tunnel2_phase2_lifetime_seconds. number 540 no
vpn_connection_tunnel2_replay_window_size (Optional, Default 1024) The number of packets in an IKE replay window for the second VPN tunnel. Valid value is between 64 and 2048. number 1024 no
vpn_connection_tunnel2_startup_action (Optional, Default add) The action to take when establishing the tunnel for the second VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are add | start. string "add" no
vpn_connection_tunnel_inside_ip_version (Optional, Default ipv4) Indicate whether the VPN tunnels process IPv4 or IPv6 traffic. Valid values are ipv4 | ipv6. ipv6 is supported only with EC2 Transit Gateway. string null no
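As an added example (not part of this module), a small Python checker that applies the tunnel-option constraints listed in the table above (preshared key format, phase 1 and phase 2 lifetimes, rekey margin and fuzz, replay window, DPD timeout, DH groups, encryption and integrity algorithms, inside CIDR) to one tunnel's settings before they are committed to Terraform, and separately reports accepted-but-legacy choices such as IKEv1, DH group 2 and SHA1. The option keys (table names without the vpn_connection_tunnelN_ prefix) and the sample dictionary are assumptions of this example.

```python
import ipaddress
import re

# Allowed values and ranges, taken from the tunnel option rows of the Inputs table above.
PSK_RE = re.compile(r"[A-Za-z1-9._][A-Za-z0-9._]{7,63}")  # 8-64 chars, must not start with 0
PHASE1_DH = {2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24}
PHASE2_DH = PHASE1_DH | {5}
ENCRYPTION = {"AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"}
INTEGRITY = {"SHA1", "SHA2-256", "SHA2-384", "SHA2-512"}
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
CHOICES = (("ike_versions", {"ikev1", "ikev2"}), ("phase1_dh_group_numbers", PHASE1_DH),
           ("phase2_dh_group_numbers", PHASE2_DH), ("phase1_encryption_algorithms", ENCRYPTION),
           ("phase2_encryption_algorithms", ENCRYPTION), ("phase1_integrity_algorithms", INTEGRITY),
           ("phase2_integrity_algorithms", INTEGRITY))
# Accepted by the API but legacy: IKEv1, the 1024/1536-bit MODP groups 2 and 5, and SHA1.
LEGACY = {"ike_versions": {"ikev1"}, "phase1_dh_group_numbers": {2}, "phase2_dh_group_numbers": {2, 5},
          "phase1_integrity_algorithms": {"SHA1"}, "phase2_integrity_algorithms": {"SHA1"}}

def validate_tunnel(opts):
    """Return the constraint violations for one tunnel's options (empty list == valid)."""
    problems = []
    psk = opts.get("preshared_key")
    if psk is not None and not PSK_RE.fullmatch(psk):
        problems.append("preshared_key: 8-64 chars of [A-Za-z0-9._], must not start with 0")
    if not 900 <= opts.get("phase1_lifetime_seconds", 28800) <= 28800:
        problems.append("phase1_lifetime_seconds: must be between 900 and 28800")
    p2 = opts.get("phase2_lifetime_seconds", 3600)
    if not 900 <= p2 <= 3600:
        problems.append("phase2_lifetime_seconds: must be between 900 and 3600")
    if not 60 <= opts.get("rekey_margin_time_seconds", 540) <= p2 // 2:  # bounded by this tunnel's phase 2 lifetime
        problems.append("rekey_margin_time_seconds: must be between 60 and half of phase2_lifetime_seconds")
    if not 0 <= opts.get("rekey_fuzz_percentage", 100) <= 100:
        problems.append("rekey_fuzz_percentage: must be between 0 and 100")
    if not 64 <= opts.get("replay_window_size", 1024) <= 2048:
        problems.append("replay_window_size: must be between 64 and 2048")
    if opts.get("dpd_timeout_seconds", 30) < 30:
        problems.append("dpd_timeout_seconds: must be 30 or higher")
    if opts.get("dpd_timeout_action", "clear") not in {"clear", "none", "restart"}:
        problems.append("dpd_timeout_action: must be clear, none or restart")
    if opts.get("startup_action", "add") not in {"add", "start"}:
        problems.append("startup_action: must be add or start")
    for key, allowed in CHOICES:
        bad = set(opts.get(key, ())) - allowed  # an absent key means the API default set, always valid
        if bad:
            problems.append(f"{key}: unsupported value(s) {sorted(bad)}")
    cidr = opts.get("inside_cidr")
    if cidr is not None:
        try:  # strict parsing: a CIDR with host bits set is rejected as well
            net = ipaddress.ip_network(cidr)
            ok = net.version == 4 and net.prefixlen == 30 and net.subnet_of(LINK_LOCAL)
        except ValueError:
            ok = False
        if not ok:
            problems.append("inside_cidr: must be a /30 block inside 169.254.0.0/16")
    return problems

def legacy_choices(opts):
    """Return the legacy values a tunnel selects, keyed by option name, for review."""
    return {k: sorted(set(opts.get(k, ())) & v) for k, v in LEGACY.items() if set(opts.get(k, ())) & v}

# Constructed sample mirroring tunnel 1 of the module example further down this page.
EXAMPLE_TUNNEL1 = {"dpd_timeout_action": "clear", "ike_versions": ["ikev1"], "phase1_dh_group_numbers": [2],
                   "phase1_integrity_algorithms": ["SHA2-256"], "phase1_encryption_algorithms": ["AES128"],
                   "phase2_dh_group_numbers": [2], "phase1_lifetime_seconds": 1000, "phase2_lifetime_seconds": 1000,
                   "rekey_fuzz_percentage": 100, "rekey_margin_time_seconds": 60, "replay_window_size": 64,
                   "startup_action": "add"}
```

Run `validate_tunnel` once per tunnel (the two tunnels have independent settings) and treat a non-empty `legacy_choices` result as a review item rather than a hard failure.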

Outputs

Name Description
customer_gateway_id The ID of the customer gateway to which the connection is attached.
tunnel1_address The public IP address of the first VPN tunnel.
tunnel2_address The public IP address of the second VPN tunnel.
vpn_connection_arn Amazon Resource Name (ARN) of the VPN Connection.
vpn_connection_id The amazon-assigned ID of the VPN connection.

Modules

```hcl
module "aws_vpn_connection" {
  source = "../module"

  customer_gateway_bgp_asn    = 65000
  customer_gateway_ip_address = "172.83.124.10"
  customer_gateway_type       = "ipsec.1" # (Required) The only type AWS supports at this time is ipsec.1
  # customer_gateway_certificate_arn = "arn:aws:acm:ap-southeast-1:111111111111:certificate/365ac088-d023-4690-aa8e-6e4831a73332"
  customer_gateway_device_name = "demo_customer_gateway"
  tags = {
    "Name" = "demo_customer_gateway"
  }

  virtual_private_gateways_vpc_id = "vpc-0421b67782c4a7158"
  # virtual_private_gateways_amazon_side_asn   = 65001
  # virtual_private_gateways_availability_zone = "ap-southeast-1a"
  route_propagation_route_table_ids       = ["rtb-033562682aace18be"]
  vpn_connection_static_routes_only       = true # Static routes must be used for devices that don't support BGP.
  vpn_connection_local_ipv4_network_cidr  = "0.0.0.0/0"
  vpn_connection_outside_ip_address_type  = "PublicIpv4"
  vpn_connection_remote_ipv4_network_cidr = "0.0.0.0/0"

  ##### EC2 Transit Gateway
  vpn_connection_transit_gateway_id       = "tgw-0db1d860e7546e914"
  vpn_connection_local_ipv6_network_cidr  = "::/0"
  vpn_connection_remote_ipv6_network_cidr = "::/0"
  vpn_connection_tunnel1_inside_ipv6_cidr = "fd00::/126"
  vpn_connection_tunnel2_inside_ipv6_cidr = "fd00:1::/126"
  vpn_connection_enable_acceleration      = true # Supports only EC2 Transit Gateway.
  # vpn_connection_transport_transit_gateway_attachment_id = 

  ## vpn_connection_tunnel options
  vpn_connection_tunnel_inside_ip_version = "ipv6"
  # vpn_connection_tunnel1_inside_cidr = "169.254.253.152/30"
  # vpn_connection_tunnel2_inside_cidr = "169.254.116.244/30"
  vpn_connection_tunnel1_dpd_timeout_action = "clear"
  vpn_connection_tunnel2_dpd_timeout_action = "clear"
  vpn_connection_tunnel1_ike_versions       = ["ikev1"] # tunnel 1 negotiates IKEv1 only, tunnel 2 IKEv2 only
  vpn_connection_tunnel2_ike_versions       = ["ikev2"]
  tunnel1_log_options = [{
    log_enabled       = true
    log_group_arn     = "arn:aws:logs:ap-southeast-1:111111111111:log-group:demo_vpn_loggroup:*"
    log_output_format = "text"
  }]
  tunnel2_log_options = [{
    log_enabled       = true
    log_group_arn     = "arn:aws:logs:ap-southeast-1:111111111111:log-group:demo_vpn_loggroup:*"
    log_output_format = "json"
  }]
  # Phase 1 / phase 2 proposals. DH group 2 is 1024-bit MODP; prefer group 14 or higher where the device supports it.
  vpn_connection_tunnel1_phase1_dh_group_numbers      = [2]
  vpn_connection_tunnel1_phase1_integrity_algorithms  = ["SHA2-256"]
  vpn_connection_tunnel1_phase1_encryption_algorithms = ["AES128"]
  vpn_connection_tunnel1_phase2_dh_group_numbers      = [2] # set(number): pass numbers, not strings
  vpn_connection_tunnel2_phase1_dh_group_numbers      = [2]
  vpn_connection_tunnel2_phase1_integrity_algorithms  = ["SHA2-256"]
  vpn_connection_tunnel2_phase1_encryption_algorithms = ["AES128"]
  vpn_connection_tunnel1_phase1_lifetime_seconds      = 1000
  vpn_connection_tunnel2_phase1_lifetime_seconds      = 1000
  vpn_connection_tunnel2_phase2_dh_group_numbers      = [2]
  vpn_connection_tunnel1_phase2_encryption_algorithms = ["AES128"]
  vpn_connection_tunnel2_phase2_encryption_algorithms = ["AES128"]
  vpn_connection_tunnel1_phase2_integrity_algorithms  = ["SHA2-256"]
  vpn_connection_tunnel2_phase2_integrity_algorithms  = ["SHA2-256"]
  vpn_connection_tunnel1_phase2_lifetime_seconds      = 1000
  vpn_connection_tunnel2_phase2_lifetime_seconds      = 1000
  vpn_connection_tunnel1_rekey_fuzz_percentage        = 100
  vpn_connection_tunnel2_rekey_fuzz_percentage        = 100
  vpn_connection_tunnel1_rekey_margin_time_seconds    = 60 # must stay between 60 and half of the phase 2 lifetime (500 here)
  vpn_connection_tunnel2_rekey_margin_time_seconds    = 60
  vpn_connection_tunnel1_replay_window_size           = 64
  vpn_connection_tunnel2_replay_window_size           = 64
  vpn_connection_tunnel1_startup_action               = "add" # the customer gateway device initiates IKE
  vpn_connection_tunnel2_startup_action               = "add"

  # vpn_connection_static_route: on-premises prefixes reachable through the tunnels
  vpn_connection_route_destination_cidr_block = ["192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24"]
}
```

About

This Terraform module configures an AWS Site-to-Site VPN.
