DEV Community

Learn2Skills for AWS Community Builders


New Update- Capture AWS Site-to-Site VPN connection logs using Amazon CloudWatch

With this feature, you have access to Site-to-Site VPN connection logs that provide details on IP Security (IPsec) tunnel establishment, Internet Key Exchange (IKE) negotiations, and dead peer detection (DPD) protocol messages.

Site-to-Site VPN logs can be published to Amazon CloudWatch Logs. This feature provides customers with a single consistent way to access and analyze detailed logs for all of their Site-to-Site VPN connections.

Benefits of Site-to-Site VPN logs
Simplified VPN troubleshooting: Site-to-Site VPN logs help you pinpoint configuration mismatches between AWS and your customer gateway device and resolve initial VPN connectivity issues. Over time, VPN connections can flap intermittently because of misconfigured settings (such as poorly tuned timeouts), problems in the underlying transport networks (such as internet weather), or routing changes and path failures that disrupt connectivity over the VPN. With tunnel logs you can accurately diagnose the cause of intermittent connection failures and fine-tune low-level tunnel configuration for reliable operation.

Centralized AWS Site-to-Site VPN visibility: Site-to-Site VPN logs provide tunnel activity logs for every way Site-to-Site VPN can be connected (virtual private gateway, transit gateway, and CloudHub), over both the internet and AWS Direct Connect as transport, so you have one consistent place to access and analyze detailed logs for all of your connections.

Security and compliance: Site-to-Site VPN logs can be sent to Amazon CloudWatch Logs for retrospective analysis of VPN connection status and activity over time. This can help you meet compliance and regulatory requirements.

Contents of Site-to-Site VPN tunnel activity log

[Image: table of the fields contained in a Site-to-Site VPN tunnel activity log entry; not reproduced in this extract]

IAM requirements to publish to CloudWatch Logs
VPN tunnel logs can be published directly to CloudWatch Logs. For this to work, the IAM policy attached to your IAM role must include at least the permissions in the following policy (replace the placeholder with the ARN of your destination log group).

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S2SVPNLogging",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogDelivery",
                "logs:GetLogDelivery",
                "logs:UpdateLogDelivery",
                "logs:DeleteLogDelivery",
                "logs:ListLogDeliveries"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "S2SVPNLoggingCWL",
            "Effect": "Allow",
            "Action": [
                "logs:PutResourcePolicy",
                "logs:DescribeResourcePolicies",
                "logs:DescribeLogGroups"
            ],
            "Resource": [
                "CloudWatch Logs log group ARN"
            ]
        }
    ]
}
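A quick way to verify that a role's policy actually carries the permissions above before you enable logging is to check it programmatically. The following Python is an added example written for this post, not AWS or DEV Community code: it walks the Allow statements of a policy document, honours IAM action wildcards, reports any of the required `logs:` actions that are not granted, and flags the log-group statement when it is not scoped to a CloudWatch Logs log group ARN as the template above expects. The two sample policies and the account ID, region and log group name in the ARN are constructed for the example.

```python
import fnmatch
import json

# Minimum permissions the policy template above lists for publishing
# Site-to-Site VPN tunnel logs. The first set is granted on Resource "*",
# the second set is meant to be scoped to the destination log group ARN.
REQUIRED_DELIVERY_ACTIONS = frozenset({
    "logs:CreateLogDelivery", "logs:GetLogDelivery", "logs:UpdateLogDelivery",
    "logs:DeleteLogDelivery", "logs:ListLogDeliveries",
})
REQUIRED_LOG_GROUP_ACTIONS = frozenset({
    "logs:PutResourcePolicy", "logs:DescribeResourcePolicies", "logs:DescribeLogGroups",
})


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allowed_resources(policy, action):
    """Union of Resource values that Allow statements grant for `action`,
    honouring IAM action wildcards such as "logs:*Delivery". Deny and
    NotAction statements are deliberately not evaluated here."""
    resources = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = _as_list(stmt.get("Action", []))
        if any(fnmatch.fnmatchcase(action, pattern) for pattern in patterns):
            resources.update(_as_list(stmt.get("Resource", [])))
    return resources


def check_vpn_logging_policy(policy):
    """Return which required actions are missing and which log-group actions
    are granted without a CloudWatch Logs log group ARN as their resource."""
    missing, unscoped = [], []
    for action in sorted(REQUIRED_DELIVERY_ACTIONS | REQUIRED_LOG_GROUP_ACTIONS):
        resources = allowed_resources(policy, action)
        if not resources:
            missing.append(action)
        elif action in REQUIRED_LOG_GROUP_ACTIONS and not any(
                r.startswith("arn:aws:logs:") and ":log-group:" in r for r in resources):
            unscoped.append(action)
    return {"ok": not (missing or unscoped), "missing": missing, "unscoped": unscoped}


# Constructed sample: the template above with a made-up log group ARN.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "S2SVPNLogging", "Effect": "Allow",
         "Action": ["logs:CreateLogDelivery", "logs:GetLogDelivery", "logs:UpdateLogDelivery",
                    "logs:DeleteLogDelivery", "logs:ListLogDeliveries"],
         "Resource": ["*"]},
        {"Sid": "S2SVPNLoggingCWL", "Effect": "Allow",
         "Action": ["logs:PutResourcePolicy", "logs:DescribeResourcePolicies", "logs:DescribeLogGroups"],
         "Resource": ["arn:aws:logs:us-east-1:123456789012:log-group:vpn-tunnel-logs:*"]},
    ],
}

# Constructed sample of a policy that looks close enough but is not:
# one delivery action is missing and the log-group statement uses "*".
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["logs:CreateLogDelivery", "logs:GetLogDelivery",
                    "logs:UpdateLogDelivery", "logs:DeleteLogDelivery"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["logs:PutResourcePolicy", "logs:DescribeResourcePolicies", "logs:DescribeLogGroups"],
         "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("weak", WEAK_POLICY)):
        print(name, json.dumps(check_vpn_logging_policy(policy)))
```

Run the script as-is to see both reports; to check a real role, load the policy document with `json.load` and pass it to `check_vpn_logging_policy`.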

Enable Site-to-Site VPN logs
To enable VPN logging during creation of a new Site-to-Site VPN connection

Follow the procedure Create a Site-to-Site VPN connection. During Step 9 Tunnel Options, you can specify all the options you want to use for both tunnels, including VPN logging options. For more information about these options, see Tunnel options for your Site-to-Site VPN connection.

To enable tunnel logging on an existing Site-to-Site VPN connection

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/

  2. In the navigation pane, choose Site-to-Site VPN Connections.

  3. Select the VPN connection that you want to modify from the VPN connections list.

  4. Select Actions, Modify VPN tunnel options.

  5. Select the tunnel that you want to modify by choosing the appropriate IP address from the VPN tunnel outside IP address list.

  6. Under Tunnel activity log, select Enable.

  7. Under Amazon CloudWatch log group, select the Amazon CloudWatch log group where you want the logs to be sent.

  8. (Optional) Under Output format, choose the desired format for the log output, either json or text.

  9. Select Save changes.

  10. (Optional) Repeat steps 4 through 9 for the other tunnel if desired.

Note
When you enable Site-to-Site VPN logs for an existing VPN connection tunnel, your connectivity over that tunnel can be interrupted for several minutes. However, each VPN connection offers two tunnels for high availability, so you can enable logging on one tunnel at a time while maintaining connectivity over the tunnel not being modified. For more information, see Site-to-Site VPN tunnel endpoint replacements.
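The console steps above and the note's advice to modify one tunnel at a time can be scripted. The following Python is an added example for this post, not code from AWS or the original author: it enables the tunnel activity log on each tunnel of a connection in turn and waits for the modified tunnel to report UP before touching the second one, so at least one tunnel carries traffic throughout. It assumes `ec2` is any object exposing the boto3 EC2 client methods `modify_vpn_tunnel_options` and `describe_vpn_connections` (for example `boto3.client("ec2")`); the `LogOptions`/`CloudWatchLogOptions` field names follow the EC2 ModifyVpnTunnelOptions API as the author understands it, so confirm them against the API reference for your SDK version. The `FakeEc2` class, the VPN connection ID, tunnel IPs and log group ARN are constructed stand-ins so the script runs offline.

```python
import time


def tunnel_log_options(log_group_arn, output_format="json"):
    """TunnelOptions payload that turns the tunnel activity log on.
    Field names assumed from the EC2 ModifyVpnTunnelOptions API."""
    if output_format not in ("json", "text"):
        raise ValueError("output format must be 'json' or 'text'")
    return {"LogOptions": {"CloudWatchLogOptions": {
        "LogEnabled": True,
        "LogGroupArn": log_group_arn,
        "LogOutputFormat": output_format,
    }}}


def tunnel_status(ec2, vpn_connection_id, outside_ip):
    """Telemetry status ("UP"/"DOWN") of the tunnel with the given outside IP."""
    resp = ec2.describe_vpn_connections(VpnConnectionIds=[vpn_connection_id])
    for telemetry in resp["VpnConnections"][0].get("VgwTelemetry", []):
        if telemetry["OutsideIpAddress"] == outside_ip:
            return telemetry["Status"]
    raise LookupError(f"no tunnel with outside IP {outside_ip}")


def wait_until_up(ec2, vpn_connection_id, outside_ip, timeout=900, interval=15, sleep=time.sleep):
    """Poll until the tunnel is UP or the timeout (seconds) expires."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if tunnel_status(ec2, vpn_connection_id, outside_ip) == "UP":
            return True
        sleep(interval)
    return False


def enable_tunnel_logging(ec2, vpn_connection_id, tunnel_ips, log_group_arn,
                          output_format="json", sleep=time.sleep):
    """Enable logging on each tunnel in order (steps 4 to 9 above), moving to
    the next tunnel only after the modified one is back UP. Returns the
    tunnels that were modified; stops early if a tunnel does not recover."""
    done = []
    for ip in tunnel_ips:
        ec2.modify_vpn_tunnel_options(
            VpnConnectionId=vpn_connection_id,
            VpnTunnelOutsideIpAddress=ip,
            TunnelOptions=tunnel_log_options(log_group_arn, output_format),
        )
        if not wait_until_up(ec2, vpn_connection_id, ip, sleep=sleep):
            raise TimeoutError(f"tunnel {ip} did not return to UP; leaving the next tunnel untouched")
        done.append(ip)
    return done


class FakeEc2:
    """Constructed offline stand-in for the EC2 client: a modified tunnel
    reports DOWN for two polls, then UP, mimicking the endpoint replacement."""

    def __init__(self, tunnel_ips):
        self.tunnel_ips = list(tunnel_ips)
        self.calls = []          # recorded modify_vpn_tunnel_options keyword args
        self.down_polls = {}     # outside IP -> DOWN polls still to report

    def modify_vpn_tunnel_options(self, **kwargs):
        self.calls.append(kwargs)
        self.down_polls[kwargs["VpnTunnelOutsideIpAddress"]] = 2

    def describe_vpn_connections(self, VpnConnectionIds):
        telemetry = []
        for ip in self.tunnel_ips:
            remaining = self.down_polls.get(ip, 0)
            self.down_polls[ip] = max(remaining - 1, 0)
            telemetry.append({"OutsideIpAddress": ip, "Status": "DOWN" if remaining else "UP"})
        return {"VpnConnections": [{"VpnConnectionId": VpnConnectionIds[0], "VgwTelemetry": telemetry}]}


# Constructed placeholders; substitute your own connection ID, tunnel IPs and log group ARN.
VPN_ID = "vpn-0123456789abcdef0"
TUNNEL_IPS = ["203.0.113.10", "203.0.113.11"]
LOG_GROUP_ARN = "arn:aws:logs:us-east-1:123456789012:log-group:vpn-tunnel-logs:*"

if __name__ == "__main__":
    fake = FakeEc2(TUNNEL_IPS)
    print(enable_tunnel_logging(fake, VPN_ID, TUNNEL_IPS, LOG_GROUP_ARN, sleep=lambda s: None))
```

Against a real account, pass `boto3.client("ec2")` instead of `FakeEc2` and drop the `sleep` override so the poll interval applies; the script leaves the second tunnel alone if the first never comes back, which is the safe failure mode when only one path is left.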

Disable Site-to-Site VPN logs
To disable tunnel logging on a Site-to-Site VPN connection

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/

  2. In the navigation pane, choose Site-to-Site VPN Connections.

  3. Select the VPN connection that you want to modify from the VPN connections list.

  4. Select Actions, Modify VPN tunnel options.

  5. Select the tunnel that you want to modify by choosing the appropriate IP address from the VPN tunnel outside IP address list.

  6. Under Tunnel activity log, clear Enable.

  7. Select Save changes.

  8. (Optional) Repeat steps 4 through 7 for the other tunnel if desired.

