
AWS Site-to-Site VPN logs

AWS Site-to-Site VPN logs provide you with deeper visibility into your Site-to-Site VPN deployments. With this feature, you have access to Site-to-Site VPN connection logs that provide details on IP Security (IPsec) tunnel establishment, Internet Key Exchange (IKE) negotiations, and dead peer detection (DPD) protocol messages.

Site-to-Site VPN logs can be published to Amazon CloudWatch Logs. This feature provides customers with a single consistent way to access and analyze detailed logs for all of their Site-to-Site VPN connections.

Benefits of Site-to-Site VPN logs

  • Simplified VPN troubleshooting: Site-to-Site VPN logs help you to pinpoint configuration mismatches between AWS and your customer gateway device, and address initial VPN connectivity issues. VPN connections can flap intermittently over time because of misconfigured settings (such as poorly tuned timeouts), issues in the underlying transport networks (such as internet weather), or routing changes and path failures that disrupt connectivity over the VPN. This feature allows you to accurately diagnose the cause of intermittent connection failures and fine-tune low-level tunnel configuration for reliable operation.

  • Centralized AWS Site-to-Site VPN visibility: Site-to-Site VPN logs can provide tunnel activity logs for all of the different ways that Site-to-Site VPN is connected: Virtual Gateway, Transit Gateway, and CloudHub, using both internet and AWS Direct Connect as transport. This feature provides customers with a single consistent way to access and analyze detailed logs for all of their Site-to-Site VPN connections.

  • Security and compliance: Site-to-Site VPN logs can be sent to Amazon CloudWatch Logs for retrospective analysis of VPN connection status and activity over time. This can help you meet compliance and regulatory requirements.

Contents of Site-to-Site VPN logs

The following information is included in the Site-to-Site VPN tunnel activity log.

Field                          Description

VpnLogCreationTimestamp        Log creation timestamp in human readable format.
VpnConnectionId                The VPN connection identifier.
TunnelOutsideIPAddress         The external IP of the VPN tunnel that generated the log entry.
TunnelDPDEnabled               Dead Peer Detection Protocol Enabled Status (True/False).
TunnelCGWNATTDetectionStatus   NAT-T detected on customer gateway device (True/False).
TunnelIKEPhase1State           IKE Phase 1 Protocol State (Established | Rekeying | Negotiating | Down).
TunnelIKEPhase2State           IKE Phase 2 Protocol State (Established | Rekeying | Negotiating | Down).
VpnLogDetail                   Verbose messages for IPsec, IKE and DPD protocols.
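The following is an added example, not code from the AWS documentation or from AWS itself. It parses tunnel activity records in the json output format using the field names from the table above, then runs two simple checks a defender would want over them: it finds every transition of a tunnel's IKE Phase 1 or Phase 2 state into Down (a flap), counts Phase 1 drops per tunnel, and lists tunnels whose records report DPD disabled. The sample records, the connection identifier, the tunnel IP addresses, the VpnLogDetail messages and the timestamp layout are all constructed assumptions; the real timestamp is only described by the page as "human readable".

```python
import json
from collections import defaultdict

# The four IKE state values listed for TunnelIKEPhase1State / TunnelIKEPhase2State.
IKE_STATES = {"Established", "Rekeying", "Negotiating", "Down"}


def _record(ts, tunnel_ip, phase1, phase2, detail, dpd="True", natt="False"):
    # Builds one constructed log line in the json output format (field names from the table).
    return json.dumps({
        "VpnLogCreationTimestamp": ts,                  # layout is an assumption
        "VpnConnectionId": "vpn-0123456789abcdef0",     # constructed identifier
        "TunnelOutsideIPAddress": tunnel_ip,
        "TunnelDPDEnabled": dpd,
        "TunnelCGWNATTDetectionStatus": natt,
        "TunnelIKEPhase1State": phase1,
        "TunnelIKEPhase2State": phase2,
        "VpnLogDetail": detail,
    })


# Constructed sample stream: tunnel .10 rekeys once, then drops twice; tunnel .11 has DPD off.
SAMPLE_LOG_LINES = [
    _record("2024-01-15 10:00:00", "203.0.113.10", "Established", "Established", "IPsec SA established"),
    _record("2024-01-15 10:00:00", "203.0.113.11", "Established", "Established", "IPsec SA established", dpd="False"),
    _record("2024-01-15 10:05:00", "203.0.113.10", "Established", "Rekeying", "Phase 2 rekey started"),
    _record("2024-01-15 10:05:30", "203.0.113.10", "Established", "Established", "Phase 2 rekey complete"),
    _record("2024-01-15 10:20:00", "203.0.113.10", "Down", "Down", "DPD: peer did not respond"),
    _record("2024-01-15 10:20:05", "203.0.113.10", "Negotiating", "Down", "IKE negotiation restarted"),
    _record("2024-01-15 10:20:10", "203.0.113.10", "Established", "Established", "IPsec SA established"),
    _record("2024-01-15 11:00:00", "203.0.113.10", "Down", "Down", "DPD: peer did not respond"),
]


def parse_vpn_log_line(line):
    """Parse one JSON log line into a dict with typed fields; raise ValueError on an unknown state."""
    raw = json.loads(line)
    rec = {
        "timestamp": raw["VpnLogCreationTimestamp"],
        "connection_id": raw["VpnConnectionId"],
        "tunnel_ip": raw["TunnelOutsideIPAddress"],
        # The booleans are documented as True/False; accept either string or JSON bool.
        "dpd_enabled": str(raw["TunnelDPDEnabled"]).lower() == "true",
        "natt_detected": str(raw["TunnelCGWNATTDetectionStatus"]).lower() == "true",
        "phase1": raw["TunnelIKEPhase1State"],
        "phase2": raw["TunnelIKEPhase2State"],
        "detail": raw["VpnLogDetail"],
    }
    for key in ("phase1", "phase2"):
        if rec[key] not in IKE_STATES:
            raise ValueError(f"unexpected {key} state {rec[key]!r} in record: {line}")
    return rec


def tunnel_down_transitions(lines):
    """Return (timestamp, tunnel_ip, phase) for every change of a phase state into Down.

    Records are assumed to arrive in time order per tunnel. A tunnel whose very first
    record is already Down is not counted as a transition, since there is no prior state.
    """
    last = {}  # (tunnel_ip, phase) -> previously seen state
    events = []
    for rec in map(parse_vpn_log_line, lines):
        for phase in ("phase1", "phase2"):
            key = (rec["tunnel_ip"], phase)
            prev = last.get(key)
            if rec[phase] == "Down" and prev is not None and prev != "Down":
                events.append((rec["timestamp"], rec["tunnel_ip"], phase))
            last[key] = rec[phase]
    return events


def flap_counts(lines):
    """Count Phase 1 drops per tunnel; repeated drops point at timeout/DPD tuning or transport trouble."""
    counts = defaultdict(int)
    for _, tunnel_ip, phase in tunnel_down_transitions(lines):
        if phase == "phase1":
            counts[tunnel_ip] += 1
    return dict(counts)


def tunnels_without_dpd(lines):
    """Tunnels whose records report DPD disabled: a dead peer is then only noticed when traffic fails."""
    return sorted({r["tunnel_ip"] for r in map(parse_vpn_log_line, lines) if not r["dpd_enabled"]})


if __name__ == "__main__":
    print("down transitions:", tunnel_down_transitions(SAMPLE_LOG_LINES))
    print("phase 1 flaps per tunnel:", flap_counts(SAMPLE_LOG_LINES))
    print("tunnels with DPD disabled:", tunnels_without_dpd(SAMPLE_LOG_LINES))
```

Run it against lines exported from the CloudWatch log group (one JSON object per line) instead of SAMPLE_LOG_LINES; the text output format would need a different parser. The Phase 1 flap count is the number to watch when deciding whether a tunnel's timeouts need tuning, and the DPD check is worth keeping because the page's TunnelDPDEnabled field is the only place the setting surfaces in the log stream.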

IAM requirements to publish to CloudWatch Logs

VPN tunnel logs can be published directly to CloudWatch Logs. For this to work properly, the IAM policy that's attached to your IAM role must include at least the following permissions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:CreateLogDelivery",
                "logs:GetLogDelivery",
                "logs:UpdateLogDelivery",
                "logs:DeleteLogDelivery",
                "logs:ListLogDeliveries"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow",
            "Sid": "S2SVPNLogging"
        },
        {
            "Sid": "S2SVPNLoggingCWL",
            "Action": [
                "logs:PutResourcePolicy",
                "logs:DescribeResourcePolicies",
                "logs:DescribeLogGroups"
            ],
            "Resource": [
                "CloudWatch Logs log group ARN"
            ],
            "Effect": "Allow"
        }
    ]
}
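As an added example (not AWS code and not part of the documentation), the following Python checks an IAM policy document against the minimum permissions listed above before logging is enabled, so a missing or explicitly denied action is caught ahead of a failed log delivery. It evaluates Action and Resource with IAM-style wildcards and treats a matching Deny as overriding an Allow; NotAction, NotResource and Condition elements are not evaluated, which is a stated limitation of this check. The log group ARN and the weakened policy variants are constructed.

```python
import copy
from fnmatch import fnmatchcase

# Actions the page lists as the minimum for publishing tunnel logs to CloudWatch Logs.
# The first group is granted on Resource "*" in the page's policy, the second on the log group ARN.
DELIVERY_ACTIONS = (
    "logs:CreateLogDelivery", "logs:GetLogDelivery", "logs:UpdateLogDelivery",
    "logs:DeleteLogDelivery", "logs:ListLogDeliveries",
)
LOG_GROUP_ACTIONS = ("logs:PutResourcePolicy", "logs:DescribeResourcePolicies", "logs:DescribeLogGroups")

# Constructed log group ARN standing in for the page's "CloudWatch Logs log group ARN" placeholder.
LOG_GROUP_ARN = "arn:aws:logs:us-east-1:123456789012:log-group:vpn-tunnel-logs:*"

# The page's minimum policy with the placeholder filled in.
MINIMUM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "S2SVPNLogging", "Effect": "Allow",
         "Action": list(DELIVERY_ACTIONS), "Resource": ["*"]},
        {"Sid": "S2SVPNLoggingCWL", "Effect": "Allow",
         "Action": list(LOG_GROUP_ACTIONS), "Resource": [LOG_GROUP_ARN]},
    ],
}

# Constructed variant: the log-group statement lost logs:PutResourcePolicy.
WEAK_POLICY = copy.deepcopy(MINIMUM_POLICY)
WEAK_POLICY["Statement"][1]["Action"].remove("logs:PutResourcePolicy")

# Constructed variant: an explicit Deny on all logs actions, which wins over the Allows.
DENIED_POLICY = copy.deepcopy(MINIMUM_POLICY)
DENIED_POLICY["Statement"].append({"Sid": "BlockLogs", "Effect": "Deny",
                                   "Action": "logs:*", "Resource": "*"})


def _as_list(value):
    # IAM accepts a string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _matches(statement, action, resource):
    """True if the statement's Action and Resource patterns cover the action on the resource.

    Actions are compared case-insensitively, as IAM does; '*' and '?' are wildcards.
    """
    actions = [a.lower() for a in _as_list(statement.get("Action", []))]
    resources = _as_list(statement.get("Resource", []))
    return (any(fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources))


def missing_permissions(policy, log_group_arn):
    """Return, sorted, the required actions the policy does not allow or explicitly denies.

    Delivery actions are checked against Resource "*", as the page grants them; the
    log-group actions are checked against the given log group ARN.
    """
    statements = _as_list(policy.get("Statement", []))
    required = [(a, "*") for a in DELIVERY_ACTIONS] + [(a, log_group_arn) for a in LOG_GROUP_ACTIONS]
    missing = []
    for action, resource in required:
        allowed = any(s.get("Effect") == "Allow" and _matches(s, action, resource) for s in statements)
        denied = any(s.get("Effect") == "Deny" and _matches(s, action, resource) for s in statements)
        if denied or not allowed:
            missing.append(action)
    return sorted(missing)


if __name__ == "__main__":
    for name, policy in (("minimum", MINIMUM_POLICY), ("weak", WEAK_POLICY), ("denied", DENIED_POLICY)):
        print(f"{name}: missing {missing_permissions(policy, log_group_arn=LOG_GROUP_ARN)}")
```

Feed it the policy JSON attached to the role (for example the output of an IAM get-policy-version call, parsed with json.loads) and the ARN of the log group you intend to select in the console. Because the check is run against the same ARN the tunnel will deliver to, a policy written for a different log group is reported as missing all three log-group actions rather than passing silently.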

View Site-to-Site VPN logs configuration

To view current tunnel logging settings

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Site-to-Site VPN Connections.

  3. Select the VPN connection that you want to view from the VPN connections list.

  4. Choose the Tunnel details tab.

  5. Expand the Tunnel 1 options and Tunnel 2 options sections to view all tunnel configuration details.

  6. You can view the current status of the logging feature under Tunnel VPN log, and the currently configured CloudWatch log group (if any) under CloudWatch log group.

To view current tunnel logging settings on a Site-to-Site VPN connection using the AWS command line or API

Enable Site-to-Site VPN logs

Note

When you enable Site-to-Site VPN logs for an existing VPN connection tunnel, your connectivity over that tunnel can be interrupted for several minutes. However, each VPN connection offers two tunnels for high availability, so you can enable logging on one tunnel at a time while maintaining connectivity over the tunnel not being modified. For more information, see Site-to-Site VPN tunnel endpoint replacements.

To enable VPN logging during creation of a new Site-to-Site VPN connection

Follow the procedure Create a Site-to-Site VPN connection. During Step 9 Tunnel Options, you can specify all the options you want to use for both tunnels, including VPN logging options. For more information about these options, see Tunnel options for your Site-to-Site VPN connection.

To enable tunnel logging on a new Site-to-Site VPN connection using the AWS command line or API

To enable tunnel logging on an existing Site-to-Site VPN connection

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Site-to-Site VPN Connections.

  3. Select the VPN connection that you want to modify from the VPN connections list.

  4. Select Actions, Modify VPN tunnel options.

  5. Select the tunnel that you want to modify by choosing the appropriate IP address from the VPN tunnel outside IP address list.

  6. Under Tunnel activity log, select Enable.

  7. Under Amazon CloudWatch log group, select the Amazon CloudWatch log group where you want the logs to be sent.

  8. (Optional) Under Output format, choose the desired format for the log output, either json or text.

  9. Select Save changes.

  10. (Optional) Repeat steps 4 through 9 for the other tunnel if desired.

To enable tunnel logging on a Site-to-Site VPN connection using the AWS command line or API

Disable Site-to-Site VPN logs

To disable tunnel logging on a Site-to-Site VPN connection

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Site-to-Site VPN Connections.

  3. Select the VPN connection that you want to modify from the VPN connections list.

  4. Select Actions, Modify VPN tunnel options.

  5. Select the tunnel that you want to modify by choosing the appropriate IP address from the VPN tunnel outside IP address list.

  6. Under Tunnel activity log, clear Enable.

  7. Select Save changes.

  8. (Optional) Repeat steps 4 through 7 for the other tunnel if desired.

To disable tunnel logging on a Site-to-Site VPN connection using the AWS command line or API