

# AWS::EC2::VPNConnection
<a name="aws-resource-ec2-vpnconnection"></a>

Specifies a VPN connection between a virtual private gateway and a VPN customer gateway, or between a transit gateway and a VPN customer gateway.

To specify a VPN connection between a transit gateway and customer gateway, use the `TransitGatewayId` and `CustomerGatewayId` properties.

To specify a VPN connection between a virtual private gateway and customer gateway, use the `VpnGatewayId` and `CustomerGatewayId` properties.

For more information, see [AWS Site-to-Site VPN](https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html) in the *AWS Site-to-Site VPN User Guide*.

## Syntax
<a name="aws-resource-ec2-vpnconnection-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-ec2-vpnconnection-syntax.json"></a>

```
{
  "Type" : "AWS::EC2::VPNConnection",
  "Properties" : {
      "CustomerGatewayId" : String,
      "EnableAcceleration" : Boolean,
      "LocalIpv4NetworkCidr" : String,
      "LocalIpv6NetworkCidr" : String,
      "OutsideIpAddressType" : String,
      "PreSharedKeyStorage" : String,
      "RemoteIpv4NetworkCidr" : String,
      "RemoteIpv6NetworkCidr" : String,
      "StaticRoutesOnly" : Boolean,
      "Tags" : [ Tag, ... ],
      "TransitGatewayId" : String,
      "TransportTransitGatewayAttachmentId" : String,
      "TunnelBandwidth" : String,
      "TunnelInsideIpVersion" : String,
      "Type" : String,
      "VpnConcentratorId" : String,
      "VpnGatewayId" : String,
      "VpnTunnelOptionsSpecifications" : [ VpnTunnelOptionsSpecification, ... ]
    }
}
```

### YAML
<a name="aws-resource-ec2-vpnconnection-syntax.yaml"></a>

```
Type: AWS::EC2::VPNConnection
Properties:
  CustomerGatewayId: String
  EnableAcceleration: Boolean
  LocalIpv4NetworkCidr: String
  LocalIpv6NetworkCidr: String
  OutsideIpAddressType: String
  PreSharedKeyStorage: String
  RemoteIpv4NetworkCidr: String
  RemoteIpv6NetworkCidr: String
  StaticRoutesOnly: Boolean
  Tags: 
    - Tag
  TransitGatewayId: String
  TransportTransitGatewayAttachmentId: String
  TunnelBandwidth: String
  TunnelInsideIpVersion: String
  Type: String
  VpnConcentratorId: String
  VpnGatewayId: String
  VpnTunnelOptionsSpecifications: 
    - VpnTunnelOptionsSpecification
```

## Properties
<a name="aws-resource-ec2-vpnconnection-properties"></a>

`CustomerGatewayId`  <a name="cfn-ec2-vpnconnection-customergatewayid"></a>
The ID of the customer gateway at your end of the VPN connection.  
*Required*: Yes  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`EnableAcceleration`  <a name="cfn-ec2-vpnconnection-enableacceleration"></a>
Indicates whether to enable acceleration for the VPN connection.  
Default: `false`  
*Required*: No  
*Type*: Boolean  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`LocalIpv4NetworkCidr`  <a name="cfn-ec2-vpnconnection-localipv4networkcidr"></a>
The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection.  
Default: `0.0.0.0/0`  
*Required*: No  
*Type*: String  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`LocalIpv6NetworkCidr`  <a name="cfn-ec2-vpnconnection-localipv6networkcidr"></a>
The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.  
Default: `::/0`  
*Required*: No  
*Type*: String  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`OutsideIpAddressType`  <a name="cfn-ec2-vpnconnection-outsideipaddresstype"></a>
The type of IP address assigned to the outside interface of the customer gateway device.  
Valid values: `PrivateIpv4` | `PublicIpv4` | `Ipv6`  
Default: `PublicIpv4`  
*Required*: No  
*Type*: String  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`PreSharedKeyStorage`  <a name="cfn-ec2-vpnconnection-presharedkeystorage"></a>
Describes the storage location for an instance store-backed AMI.  
*Required*: No  
*Type*: String  
*Allowed values*: `Standard | SecretsManager`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`RemoteIpv4NetworkCidr`  <a name="cfn-ec2-vpnconnection-remoteipv4networkcidr"></a>
The IPv4 CIDR on the AWS side of the VPN connection.  
Default: `0.0.0.0/0`  
*Required*: No  
*Type*: String  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`RemoteIpv6NetworkCidr`  <a name="cfn-ec2-vpnconnection-remoteipv6networkcidr"></a>
The IPv6 CIDR on the AWS side of the VPN connection.  
Default: `::/0`  
*Required*: No  
*Type*: String  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`StaticRoutesOnly`  <a name="cfn-ec2-vpnconnection-staticroutesonly"></a>
Indicates whether the VPN connection uses static routes only. Static routes must be used for devices that don't support BGP.  
If you are creating a VPN connection for a device that does not support Border Gateway Protocol (BGP), you must specify `true`.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`Tags`  <a name="cfn-ec2-vpnconnection-tags"></a>
Any tags assigned to the VPN connection.  
*Required*: No  
*Type*: Array of [Tag](aws-properties-ec2-vpnconnection-tag.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`TransitGatewayId`  <a name="cfn-ec2-vpnconnection-transitgatewayid"></a>
The ID of the transit gateway associated with the VPN connection.  
You must specify either `TransitGatewayId` or `VpnGatewayId`, but not both.  
*Required*: Conditional  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`TransportTransitGatewayAttachmentId`  <a name="cfn-ec2-vpnconnection-transporttransitgatewayattachmentid"></a>
The transit gateway attachment ID to use for the VPN tunnel.  
Required if `OutsideIpAddressType` is set to `PrivateIpv4`.  
*Required*: No  
*Type*: String  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`TunnelBandwidth`  <a name="cfn-ec2-vpnconnection-tunnelbandwidth"></a>
The desired bandwidth specification for the VPN tunnel, used when creating or modifying VPN connection options to set the tunnel's throughput capacity. `standard` supports up to 1.25 Gbps per tunnel, while `large` supports up to 5 Gbps per tunnel. The default value is `standard`. Existing VPN connections without a bandwidth setting will automatically default to `standard`.  
*Required*: No  
*Type*: String  
*Allowed values*: `standard | large`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`TunnelInsideIpVersion`  <a name="cfn-ec2-vpnconnection-tunnelinsideipversion"></a>
Indicates whether the VPN tunnels process IPv4 or IPv6 traffic.  
Default: `ipv4`  
*Required*: No  
*Type*: String  
*Allowed values*: `ipv4 | ipv6`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`Type`  <a name="cfn-ec2-vpnconnection-type"></a>
The type of VPN connection.  
*Required*: Yes  
*Type*: String  
*Allowed values*: `ipsec.1`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`VpnConcentratorId`  <a name="cfn-ec2-vpnconnection-vpnconcentratorid"></a>
The ID of the VPN concentrator to associate with the VPN connection.  
*Required*: No  
*Type*: String  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`VpnGatewayId`  <a name="cfn-ec2-vpnconnection-vpngatewayid"></a>
The ID of the virtual private gateway at the AWS side of the VPN connection.  
You must specify either `TransitGatewayId` or `VpnGatewayId`, but not both.  
*Required*: Conditional  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`VpnTunnelOptionsSpecifications`  <a name="cfn-ec2-vpnconnection-vpntunneloptionsspecifications"></a>
The tunnel options for the VPN connection.  
*Required*: No  
*Type*: Array of [VpnTunnelOptionsSpecification](aws-properties-ec2-vpnconnection-vpntunneloptionsspecification.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Return values
<a name="aws-resource-ec2-vpnconnection-return-values"></a>

### Ref
<a name="aws-resource-ec2-vpnconnection-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the ID of the VPN connection.

For more information about using the `Ref` function, see [`Ref`](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-ec2-vpnconnection-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [`Fn::GetAtt`](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).

<a name="aws-resource-ec2-vpnconnection-return-values-fn--getatt-fn--getatt"></a>

`VpnConnectionId`  <a name="VpnConnectionId-fn::getatt"></a>
The ID of the VPN connection.

## Examples
<a name="aws-resource-ec2-vpnconnection--examples"></a>



### VPN connection
<a name="aws-resource-ec2-vpnconnection--examples--VPN_connection"></a>

The following example specifies a VPN connection between `myVPNGateway` and `myCustomerGateway`.

#### JSON
<a name="aws-resource-ec2-vpnconnection--examples--VPN_connection--json"></a>

```
"myVPNConnection" : {
   "Type" : "AWS::EC2::VPNConnection",
   "Properties" : {
      "Type" : "ipsec.1",
      "StaticRoutesOnly" : "true",
      "CustomerGatewayId" : {"Ref" : "myCustomerGateway"},
      "VpnGatewayId" : {"Ref" : "myVPNGateway"}
   }
}
```

#### YAML
<a name="aws-resource-ec2-vpnconnection--examples--VPN_connection--yaml"></a>

```
   myVPNConnection: 
      Type: AWS::EC2::VPNConnection
      Properties: 
        Type: ipsec.1
        StaticRoutesOnly: true
        CustomerGatewayId: 
          !Ref myCustomerGateway
        VpnGatewayId: 
          !Ref myVPNGateway
```

## See also
<a name="aws-resource-ec2-vpnconnection--seealso"></a>
+ [VPNConnection](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_VpnConnection.html) in the *Amazon EC2 API Reference*



# AWS::EC2::VPNConnection CloudwatchLogOptionsSpecification
<a name="aws-properties-ec2-vpnconnection-cloudwatchlogoptionsspecification"></a>

Options for sending VPN tunnel logs to CloudWatch.

## Syntax
<a name="aws-properties-ec2-vpnconnection-cloudwatchlogoptionsspecification-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-ec2-vpnconnection-cloudwatchlogoptionsspecification-syntax.json"></a>

```
{
  "BgpLogEnabled" : Boolean,
  "BgpLogGroupArn" : String,
  "BgpLogOutputFormat" : String,
  "LogEnabled" : Boolean,
  "LogGroupArn" : String,
  "LogOutputFormat" : String
}
```

### YAML
<a name="aws-properties-ec2-vpnconnection-cloudwatchlogoptionsspecification-syntax.yaml"></a>

```
  BgpLogEnabled: Boolean
  BgpLogGroupArn: String
  BgpLogOutputFormat: String
  LogEnabled: Boolean
  LogGroupArn: String
  LogOutputFormat: String
```

## Properties
<a name="aws-properties-ec2-vpnconnection-cloudwatchlogoptionsspecification-properties"></a>

`BgpLogEnabled`  <a name="cfn-ec2-vpnconnection-cloudwatchlogoptionsspecification-bgplogenabled"></a>
Specifies whether to enable BGP logging for the VPN connection. Default value is `False`.  
Valid values: `True` | `False`  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`BgpLogGroupArn`  <a name="cfn-ec2-vpnconnection-cloudwatchlogoptionsspecification-bgploggrouparn"></a>
The Amazon Resource Name (ARN) of the CloudWatch log group where BGP logs will be sent.  
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`BgpLogOutputFormat`  <a name="cfn-ec2-vpnconnection-cloudwatchlogoptionsspecification-bgplogoutputformat"></a>
The desired output format for BGP logs to be sent to CloudWatch. Default format is `json`.  
Valid values: `json` | `text`  
*Required*: No  
*Type*: String  
*Allowed values*: `json | text`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`LogEnabled`  <a name="cfn-ec2-vpnconnection-cloudwatchlogoptionsspecification-logenabled"></a>
Enables or disables the VPN tunnel logging feature. Default value is `False`.  
Valid values: `True` | `False`  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`LogGroupArn`  <a name="cfn-ec2-vpnconnection-cloudwatchlogoptionsspecification-loggrouparn"></a>
The Amazon Resource Name (ARN) of the CloudWatch log group to send logs to.  
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`LogOutputFormat`  <a name="cfn-ec2-vpnconnection-cloudwatchlogoptionsspecification-logoutputformat"></a>
Sets the log format. Default format is `json`.  
Valid values: `json` | `text`  
*Required*: No  
*Type*: String  
*Allowed values*: `json | text`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::EC2::VPNConnection IKEVersionsRequestListValue
<a name="aws-properties-ec2-vpnconnection-ikeversionsrequestlistvalue"></a>

The IKE version that is permitted for the VPN tunnel.

## Syntax
<a name="aws-properties-ec2-vpnconnection-ikeversionsrequestlistvalue-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-ec2-vpnconnection-ikeversionsrequestlistvalue-syntax.json"></a>

```
{
  "Value" : String
}
```

### YAML
<a name="aws-properties-ec2-vpnconnection-ikeversionsrequestlistvalue-syntax.yaml"></a>

```
  Value: String
```

## Properties
<a name="aws-properties-ec2-vpnconnection-ikeversionsrequestlistvalue-properties"></a>

`Value`  <a name="cfn-ec2-vpnconnection-ikeversionsrequestlistvalue-value"></a>
The IKE version.  
*Required*: No  
*Type*: String  
*Allowed values*: `ikev1 | ikev2`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::EC2::VPNConnection Phase1DHGroupNumbersRequestListValue
<a name="aws-properties-ec2-vpnconnection-phase1dhgroupnumbersrequestlistvalue"></a>

Specifies a Diffie-Hellman group number for the VPN tunnel for phase 1 IKE negotiations.

## Syntax
<a name="aws-properties-ec2-vpnconnection-phase1dhgroupnumbersrequestlistvalue-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-ec2-vpnconnection-phase1dhgroupnumbersrequestlistvalue-syntax.json"></a>

```
{
  "Value" : Integer
}
```

### YAML
<a name="aws-properties-ec2-vpnconnection-phase1dhgroupnumbersrequestlistvalue-syntax.yaml"></a>

```
  Value: Integer
```

## Properties
<a name="aws-properties-ec2-vpnconnection-phase1dhgroupnumbersrequestlistvalue-properties"></a>

`Value`  <a name="cfn-ec2-vpnconnection-phase1dhgroupnumbersrequestlistvalue-value"></a>
The Diffie-Hellman group number.  
*Required*: No  
*Type*: Integer  
*Allowed values*: `2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::EC2::VPNConnection Phase1EncryptionAlgorithmsRequestListValue
<a name="aws-properties-ec2-vpnconnection-phase1encryptionalgorithmsrequestlistvalue"></a>

Specifies the encryption algorithm for the VPN tunnel for phase 1 IKE negotiations.

## Syntax
<a name="aws-properties-ec2-vpnconnection-phase1encryptionalgorithmsrequestlistvalue-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-ec2-vpnconnection-phase1encryptionalgorithmsrequestlistvalue-syntax.json"></a>

```
{
  "Value" : String
}
```

### YAML
<a name="aws-properties-ec2-vpnconnection-phase1encryptionalgorithmsrequestlistvalue-syntax.yaml"></a>

```
  Value: String
```

## Properties
<a name="aws-properties-ec2-vpnconnection-phase1encryptionalgorithmsrequestlistvalue-properties"></a>

`Value`  <a name="cfn-ec2-vpnconnection-phase1encryptionalgorithmsrequestlistvalue-value"></a>
The value for the encryption algorithm.  
*Required*: No  
*Type*: String  
*Allowed values*: `AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::EC2::VPNConnection Phase1IntegrityAlgorithmsRequestListValue
<a name="aws-properties-ec2-vpnconnection-phase1integrityalgorithmsrequestlistvalue"></a>

Specifies the integrity algorithm for the VPN tunnel for phase 1 IKE negotiations.

## Syntax
<a name="aws-properties-ec2-vpnconnection-phase1integrityalgorithmsrequestlistvalue-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-ec2-vpnconnection-phase1integrityalgorithmsrequestlistvalue-syntax.json"></a>

```
{
  "Value" : String
}
```

### YAML
<a name="aws-properties-ec2-vpnconnection-phase1integrityalgorithmsrequestlistvalue-syntax.yaml"></a>

```
  Value: String
```

## Properties
<a name="aws-properties-ec2-vpnconnection-phase1integrityalgorithmsrequestlistvalue-properties"></a>

`Value`  <a name="cfn-ec2-vpnconnection-phase1integrityalgorithmsrequestlistvalue-value"></a>
The value for the integrity algorithm.  
*Required*: No  
*Type*: String  
*Allowed values*: `SHA1 | SHA2-256 | SHA2-384 | SHA2-512`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::EC2::VPNConnection Phase2DHGroupNumbersRequestListValue
<a name="aws-properties-ec2-vpnconnection-phase2dhgroupnumbersrequestlistvalue"></a>

Specifies a Diffie-Hellman group number for the VPN tunnel for phase 2 IKE negotiations.

## Syntax
<a name="aws-properties-ec2-vpnconnection-phase2dhgroupnumbersrequestlistvalue-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-ec2-vpnconnection-phase2dhgroupnumbersrequestlistvalue-syntax.json"></a>

```
{
  "Value" : Integer
}
```

### YAML
<a name="aws-properties-ec2-vpnconnection-phase2dhgroupnumbersrequestlistvalue-syntax.yaml"></a>

```
  Value: Integer
```

## Properties
<a name="aws-properties-ec2-vpnconnection-phase2dhgroupnumbersrequestlistvalue-properties"></a>

`Value`  <a name="cfn-ec2-vpnconnection-phase2dhgroupnumbersrequestlistvalue-value"></a>
The Diffie-Hellman group number.  
*Required*: No  
*Type*: Integer  
*Allowed values*: `2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::EC2::VPNConnection Phase2EncryptionAlgorithmsRequestListValue
<a name="aws-properties-ec2-vpnconnection-phase2encryptionalgorithmsrequestlistvalue"></a>

Specifies the encryption algorithm for the VPN tunnel for phase 2 IKE negotiations.

## Syntax
<a name="aws-properties-ec2-vpnconnection-phase2encryptionalgorithmsrequestlistvalue-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-ec2-vpnconnection-phase2encryptionalgorithmsrequestlistvalue-syntax.json"></a>

```
{
  "Value" : String
}
```

### YAML
<a name="aws-properties-ec2-vpnconnection-phase2encryptionalgorithmsrequestlistvalue-syntax.yaml"></a>

```
  Value: String
```

## Properties
<a name="aws-properties-ec2-vpnconnection-phase2encryptionalgorithmsrequestlistvalue-properties"></a>

`Value`  <a name="cfn-ec2-vpnconnection-phase2encryptionalgorithmsrequestlistvalue-value"></a>
The encryption algorithm.  
*Required*: No  
*Type*: String  
*Allowed values*: `AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::EC2::VPNConnection Phase2IntegrityAlgorithmsRequestListValue
<a name="aws-properties-ec2-vpnconnection-phase2integrityalgorithmsrequestlistvalue"></a>

Specifies the integrity algorithm for the VPN tunnel for phase 2 IKE negotiations.

## Syntax
<a name="aws-properties-ec2-vpnconnection-phase2integrityalgorithmsrequestlistvalue-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-ec2-vpnconnection-phase2integrityalgorithmsrequestlistvalue-syntax.json"></a>

```
{
  "Value" : String
}
```

### YAML
<a name="aws-properties-ec2-vpnconnection-phase2integrityalgorithmsrequestlistvalue-syntax.yaml"></a>

```
  Value: String
```

## Properties
<a name="aws-properties-ec2-vpnconnection-phase2integrityalgorithmsrequestlistvalue-properties"></a>

`Value`  <a name="cfn-ec2-vpnconnection-phase2integrityalgorithmsrequestlistvalue-value"></a>
The integrity algorithm.  
*Required*: No  
*Type*: String  
*Allowed values*: `SHA1 | SHA2-256 | SHA2-384 | SHA2-512`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
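
A pre-deployment check built on the allowed values listed in the sections above, added here as an example (it is not code from AWS or from this reference): it flags `AWS::EC2::VPNConnection` tunnels that permit `ikev1`, `SHA1` or small Diffie-Hellman groups, leave one of those lists unset, do not enable CloudWatch tunnel logging, or carry a literal `PreSharedKey`. The deny-list, the function names and the sample template are assumptions of this example; property names are the ones in this reference's syntax listings.

```python
import json

VPN_TYPE = "AWS::EC2::VPNConnection"

# Example policy (an assumption of this sketch, not AWS guidance): values the
# reference lists as allowed that this check rejects.
DENY = {
    "IKEVersions": {"ikev1"},
    "Phase1DHGroupNumbers": {2, 22, 23, 24},
    "Phase2DHGroupNumbers": {2, 5, 22, 23, 24},
    "Phase1IntegrityAlgorithms": {"SHA1"},
    "Phase2IntegrityAlgorithms": {"SHA1"},
}


def audit_tunnel(tunnel):
    """Return findings for one VpnTunnelOptionsSpecification dict."""
    findings = []
    for prop, denied in DENY.items():
        entries = tunnel.get(prop)
        if not entries:
            # Assumption: an omitted list leaves the service default in place.
            findings.append(f"{prop}: not restricted")
            continue
        for entry in entries:
            value = entry.get("Value") if isinstance(entry, dict) else None
            if isinstance(value, str) and value.isdigit():
                value = int(value)  # templates often quote integers
            if not isinstance(value, (str, int)):
                findings.append(f"{prop}: non-literal value, review manually")
            elif value in denied:
                findings.append(f"{prop}: {value} is denied by policy")
    log_options = tunnel.get("LogOptions") or {}
    cloudwatch = log_options.get("CloudwatchLogOptions") or {}
    if str(cloudwatch.get("LogEnabled")).lower() != "true":
        findings.append("LogOptions: CloudWatch tunnel logging not enabled")
    psk = tunnel.get("PreSharedKey")
    # A dynamic reference ({{resolve:...}}) keeps the key out of the template.
    if isinstance(psk, str) and not psk.startswith("{{resolve:"):
        findings.append("PreSharedKey: literal secret in template")
    return findings


def audit_template(template):
    """Map each VPNConnection logical ID to its findings (clean ones omitted)."""
    report = {}
    for name, resource in template.get("Resources", {}).items():
        if resource.get("Type") != VPN_TYPE:
            continue
        props = resource.get("Properties") or {}
        tunnels = props.get("VpnTunnelOptionsSpecifications") or []
        findings = []
        if not tunnels:
            findings.append(
                "VpnTunnelOptionsSpecifications: absent, no tunnel is restricted")
        for index, tunnel in enumerate(tunnels):
            findings += [f"tunnel[{index}] {f}" for f in audit_tunnel(tunnel)]
        if findings:
            report[name] = findings
    return report


# Constructed sample input: every ID, ARN and secret name below is made up.
_HARDENED_TUNNEL = {
    "IKEVersions": [{"Value": "ikev2"}],
    "Phase1DHGroupNumbers": [{"Value": 20}],
    "Phase2DHGroupNumbers": [{"Value": 20}],
    "Phase1EncryptionAlgorithms": [{"Value": "AES256-GCM-16"}],
    "Phase2EncryptionAlgorithms": [{"Value": "AES256-GCM-16"}],
    "Phase1IntegrityAlgorithms": [{"Value": "SHA2-384"}],
    "Phase2IntegrityAlgorithms": [{"Value": "SHA2-384"}],
    "PreSharedKey": "{{resolve:secretsmanager:example-vpn-psk:SecretString:psk}}",
    "LogOptions": {"CloudwatchLogOptions": {
        "LogEnabled": True,
        "LogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:example",
        "LogOutputFormat": "json",
    }},
}
_WEAK_TUNNEL = {
    "IKEVersions": [{"Value": "ikev1"}, {"Value": "ikev2"}],
    "Phase1DHGroupNumbers": [{"Value": 2}, {"Value": 14}],
    "Phase2DHGroupNumbers": [{"Value": "5"}],
    "Phase1IntegrityAlgorithms": [{"Value": "SHA1"}],
    "PreSharedKey": "constructed_example_psk",
}
SAMPLE_TEMPLATE = {"Resources": {
    "WeakVpn": {"Type": VPN_TYPE, "Properties": {
        "Type": "ipsec.1", "CustomerGatewayId": {"Ref": "myCustomerGateway"},
        "VpnGatewayId": {"Ref": "myVPNGateway"},
        "VpnTunnelOptionsSpecifications": [_WEAK_TUNNEL]}},
    "HardenedVpn": {"Type": VPN_TYPE, "Properties": {
        "Type": "ipsec.1", "CustomerGatewayId": {"Ref": "myCustomerGateway"},
        "VpnGatewayId": {"Ref": "myVPNGateway"},
        "VpnTunnelOptionsSpecifications": [_HARDENED_TUNNEL, _HARDENED_TUNNEL]}},
}}

if __name__ == "__main__":
    print(json.dumps(audit_template(SAMPLE_TEMPLATE), indent=2))
```

Run it against a template parsed with `json.load` in CI; a non-empty report is the signal to block the change.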

# AWS::EC2::VPNConnection Tag
<a name="aws-properties-ec2-vpnconnection-tag"></a>

Specifies a tag. For more information, see [Resource tags](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html).

## Syntax
<a name="aws-properties-ec2-vpnconnection-tag-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-ec2-vpnconnection-tag-syntax.json"></a>

```
{
  "Key" : String,
  "Value" : String
}
```

### YAML
<a name="aws-properties-ec2-vpnconnection-tag-syntax.yaml"></a>

```
  Key: String
  Value: String
```

## Properties
<a name="aws-properties-ec2-vpnconnection-tag-properties"></a>

`Key`  <a name="cfn-ec2-vpnconnection-tag-key"></a>
The tag key.  
*Required*: Yes  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Value`  <a name="cfn-ec2-vpnconnection-tag-value"></a>
The tag value.  
*Required*: Yes  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Examples
<a name="aws-properties-ec2-vpnconnection-tag--examples"></a>

<a name="aws-properties-ec2-vpnconnection-tag--examples--"></a>

This example specifies two tags for the VPN connection.

#### JSON
<a name="aws-properties-ec2-vpnconnection-tag--examples----json"></a>

```
"Tags" : [
   {
      "Key" : "key1",
      "Value" : "value1"
   },
   {
      "Key" : "key2",
      "Value" : "value2"
   }
]
```

#### YAML
<a name="aws-properties-ec2-vpnconnection-tag--examples----yaml"></a>

```
Tags: 
  - Key: "key1"
    Value: "value1"
  - Key: "key2"
    Value: "value2"
```

# AWS::EC2::VPNConnection VpnTunnelLogOptionsSpecification
<a name="aws-properties-ec2-vpnconnection-vpntunnellogoptionsspecification"></a>

Options for logging VPN tunnel activity.

## Syntax
<a name="aws-properties-ec2-vpnconnection-vpntunnellogoptionsspecification-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-ec2-vpnconnection-vpntunnellogoptionsspecification-syntax.json"></a>

```
{
  "CloudwatchLogOptions" : CloudwatchLogOptionsSpecification
}
```

### YAML
<a name="aws-properties-ec2-vpnconnection-vpntunnellogoptionsspecification-syntax.yaml"></a>

```
  CloudwatchLogOptions: 
    CloudwatchLogOptionsSpecification
```

## Properties
<a name="aws-properties-ec2-vpnconnection-vpntunnellogoptionsspecification-properties"></a>

`CloudwatchLogOptions`  <a name="cfn-ec2-vpnconnection-vpntunnellogoptionsspecification-cloudwatchlogoptions"></a>
Options for sending VPN tunnel logs to CloudWatch.  
*Required*: No  
*Type*: [CloudwatchLogOptionsSpecification](aws-properties-ec2-vpnconnection-cloudwatchlogoptionsspecification.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::EC2::VPNConnection VpnTunnelOptionsSpecification
<a name="aws-properties-ec2-vpnconnection-vpntunneloptionsspecification"></a>

The tunnel options for a single VPN tunnel.

## Syntax
<a name="aws-properties-ec2-vpnconnection-vpntunneloptionsspecification-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-ec2-vpnconnection-vpntunneloptionsspecification-syntax.json"></a>

```
{
  "DPDTimeoutAction" : String,
  "DPDTimeoutSeconds" : Integer,
  "EnableTunnelLifecycleControl" : Boolean,
  "IKEVersions" : [ IKEVersionsRequestListValue, ... ],
  "LogOptions" : VpnTunnelLogOptionsSpecification,
  "Phase1DHGroupNumbers" : [ Phase1DHGroupNumbersRequestListValue, ... ],
  "Phase1EncryptionAlgorithms" : [ Phase1EncryptionAlgorithmsRequestListValue, ... ],
  "Phase1IntegrityAlgorithms" : [ Phase1IntegrityAlgorithmsRequestListValue, ... ],
  "Phase1LifetimeSeconds" : Integer,
  "Phase2DHGroupNumbers" : [ Phase2DHGroupNumbersRequestListValue, ... ],
  "Phase2EncryptionAlgorithms" : [ Phase2EncryptionAlgorithmsRequestListValue, ... ],
  "Phase2IntegrityAlgorithms" : [ Phase2IntegrityAlgorithmsRequestListValue, ... ],
  "Phase2LifetimeSeconds" : Integer,
  "PreSharedKey" : String,
  "RekeyFuzzPercentage" : Integer,
  "RekeyMarginTimeSeconds" : Integer,
  "[ReplayWindowSize](#cfn-ec2-vpnconnection-vpntunneloptionsspecification-replaywindowsize)" : Integer,
  "[StartupAction](#cfn-ec2-vpnconnection-vpntunneloptionsspecification-startupaction)" : String,
  "[TunnelInsideCidr](#cfn-ec2-vpnconnection-vpntunneloptionsspecification-tunnelinsidecidr)" : String,
  "[TunnelInsideIpv6Cidr](#cfn-ec2-vpnconnection-vpntunneloptionsspecification-tunnelinsideipv6cidr)" : String
}
```

### YAML
<a name="aws-properties-ec2-vpnconnection-vpntunneloptionsspecification-syntax.yaml"></a>

```
  [DPDTimeoutAction](#cfn-ec2-vpnconnection-vpntunneloptionsspecification-dpdtimeoutaction): String
  [DPDTimeoutSeconds](#cfn-ec2-vpnconnection-vpntunneloptionsspecification-dpdtimeoutseconds): Integer
  [EnableTunnelLifecycleControl](#cfn-ec2-vpnconnection-vpntunneloptionsspecification-enabletunnellifecyclecontrol): Boolean
  [IKEVersions](#cfn-ec2-vpnconnection-vpntunneloptionsspecification-ikeversions): 
    - IKEVersionsRequestListValue
  [LogOptions](#cfn-ec2-vpnconnection-vpntunneloptionsspecification-logoptions): 
    VpnTunnelLogOptionsSpecification
  [Phase1DHGroupNumbers](#cfn-ec2-vpnconnection-vpntunneloptionsspecification-phase1dhgroupnumbers): 
    - Phase1DHGroupNumbersRequestListValue
  [Phase1EncryptionAlgorithms](#cfn-ec2-vpnconnection-vpntunneloptionsspecification-phase1encryptionalgorithms): 
    - Phase1EncryptionAlgorithmsRequestListValue
  [Phase1IntegrityAlgorithms](#cfn-ec2-vpnconnection-vpntunneloptionsspecification-phase1integrityalgorithms): 
    - Phase1IntegrityAlgorithmsRequestListValue
  [Phase1LifetimeSeconds](#cfn-ec2-vpnconnection-vpntunneloptionsspecification-phase1lifetimeseconds): Integer
  [Phase2DHGroupNumbers](#cfn-ec2-vpnconnection-vpntunneloptionsspecification-phase2dhgroupnumbers): 
    - Phase2DHGroupNumbersRequestListValue
  [Phase2EncryptionAlgorithms](#cfn-ec2-vpnconnection-vpntunneloptionsspecification-phase2encryptionalgorithms): 
    - Phase2EncryptionAlgorithmsRequestListValue
  [Phase2IntegrityAlgorithms](#cfn-ec2-vpnconnection-vpntunneloptionsspecification-phase2integrityalgorithms): 
    - Phase2IntegrityAlgorithmsRequestListValue
  [Phase2LifetimeSeconds](#cfn-ec2-vpnconnection-vpntunneloptionsspecification-phase2lifetimeseconds): Integer
  [PreSharedKey](#cfn-ec2-vpnconnection-vpntunneloptionsspecification-presharedkey): String
  [RekeyFuzzPercentage](#cfn-ec2-vpnconnection-vpntunneloptionsspecification-rekeyfuzzpercentage): Integer
  [RekeyMarginTimeSeconds](#cfn-ec2-vpnconnection-vpntunneloptionsspecification-rekeymargintimeseconds): Integer
  [ReplayWindowSize](#cfn-ec2-vpnconnection-vpntunneloptionsspecification-replaywindowsize): Integer
  [StartupAction](#cfn-ec2-vpnconnection-vpntunneloptionsspecification-startupaction): String
  [TunnelInsideCidr](#cfn-ec2-vpnconnection-vpntunneloptionsspecification-tunnelinsidecidr): String
  [TunnelInsideIpv6Cidr](#cfn-ec2-vpnconnection-vpntunneloptionsspecification-tunnelinsideipv6cidr): String
```

## Properties
<a name="aws-properties-ec2-vpnconnection-vpntunneloptionsspecification-properties"></a>

`DPDTimeoutAction`  <a name="cfn-ec2-vpnconnection-vpntunneloptionsspecification-dpdtimeoutaction"></a>
The action to take after DPD timeout occurs. Specify `restart` to restart the IKE initiation. Specify `clear` to end the IKE session.  
Valid Values: `clear` | `none` | `restart`  
Default: `clear`  
*Required*: No  
*Type*: String  
*Allowed values*: `clear | none | restart`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`DPDTimeoutSeconds`  <a name="cfn-ec2-vpnconnection-vpntunneloptionsspecification-dpdtimeoutseconds"></a>
The number of seconds after which a DPD timeout occurs.  
Constraints: A value greater than or equal to 30.  
Default: `30`  
*Required*: No  
*Type*: Integer  
*Minimum*: `30`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`EnableTunnelLifecycleControl`  <a name="cfn-ec2-vpnconnection-vpntunneloptionsspecification-enabletunnellifecyclecontrol"></a>
Turns the tunnel endpoint lifecycle control feature on or off.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`IKEVersions`  <a name="cfn-ec2-vpnconnection-vpntunneloptionsspecification-ikeversions"></a>
The IKE versions that are permitted for the VPN tunnel.  
Valid values: `ikev1` | `ikev2`  
*Required*: No  
*Type*: Array of [IKEVersionsRequestListValue](aws-properties-ec2-vpnconnection-ikeversionsrequestlistvalue.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`LogOptions`  <a name="cfn-ec2-vpnconnection-vpntunneloptionsspecification-logoptions"></a>
Options for logging VPN tunnel activity.  
*Required*: No  
*Type*: [VpnTunnelLogOptionsSpecification](aws-properties-ec2-vpnconnection-vpntunnellogoptionsspecification.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Phase1DHGroupNumbers`  <a name="cfn-ec2-vpnconnection-vpntunneloptionsspecification-phase1dhgroupnumbers"></a>
One or more Diffie-Hellman group numbers that are permitted for the VPN tunnel for phase 1 IKE negotiations.  
Valid values: `2` | `14` | `15` | `16` | `17` | `18` | `19` | `20` | `21` | `22` | `23` | `24`  
*Required*: No  
*Type*: Array of [Phase1DHGroupNumbersRequestListValue](aws-properties-ec2-vpnconnection-phase1dhgroupnumbersrequestlistvalue.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Phase1EncryptionAlgorithms`  <a name="cfn-ec2-vpnconnection-vpntunneloptionsspecification-phase1encryptionalgorithms"></a>
One or more encryption algorithms that are permitted for the VPN tunnel for phase 1 IKE negotiations.  
Valid values: `AES128` | `AES256` | `AES128-GCM-16` | `AES256-GCM-16`  
*Required*: No  
*Type*: Array of [Phase1EncryptionAlgorithmsRequestListValue](aws-properties-ec2-vpnconnection-phase1encryptionalgorithmsrequestlistvalue.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Phase1IntegrityAlgorithms`  <a name="cfn-ec2-vpnconnection-vpntunneloptionsspecification-phase1integrityalgorithms"></a>
One or more integrity algorithms that are permitted for the VPN tunnel for phase 1 IKE negotiations.  
Valid values: `SHA1` | `SHA2-256` | `SHA2-384` | `SHA2-512`  
*Required*: No  
*Type*: Array of [Phase1IntegrityAlgorithmsRequestListValue](aws-properties-ec2-vpnconnection-phase1integrityalgorithmsrequestlistvalue.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Phase1LifetimeSeconds`  <a name="cfn-ec2-vpnconnection-vpntunneloptionsspecification-phase1lifetimeseconds"></a>
The lifetime for phase 1 of the IKE negotiation, in seconds.  
Constraints: A value between 900 and 28,800.  
Default: `28800`  
*Required*: No  
*Type*: Integer  
*Minimum*: `900`  
*Maximum*: `28800`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Phase2DHGroupNumbers`  <a name="cfn-ec2-vpnconnection-vpntunneloptionsspecification-phase2dhgroupnumbers"></a>
One or more Diffie-Hellman group numbers that are permitted for the VPN tunnel for phase 2 IKE negotiations.  
Valid values: `2` | `5` | `14` | `15` | `16` | `17` | `18` | `19` | `20` | `21` | `22` | `23` | `24`  
*Required*: No  
*Type*: Array of [Phase2DHGroupNumbersRequestListValue](aws-properties-ec2-vpnconnection-phase2dhgroupnumbersrequestlistvalue.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Phase2EncryptionAlgorithms`  <a name="cfn-ec2-vpnconnection-vpntunneloptionsspecification-phase2encryptionalgorithms"></a>
One or more encryption algorithms that are permitted for the VPN tunnel for phase 2 IKE negotiations.  
Valid values: `AES128` | `AES256` | `AES128-GCM-16` | `AES256-GCM-16`  
*Required*: No  
*Type*: Array of [Phase2EncryptionAlgorithmsRequestListValue](aws-properties-ec2-vpnconnection-phase2encryptionalgorithmsrequestlistvalue.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Phase2IntegrityAlgorithms`  <a name="cfn-ec2-vpnconnection-vpntunneloptionsspecification-phase2integrityalgorithms"></a>
One or more integrity algorithms that are permitted for the VPN tunnel for phase 2 IKE negotiations.  
Valid values: `SHA1` | `SHA2-256` | `SHA2-384` | `SHA2-512`  
*Required*: No  
*Type*: Array of [Phase2IntegrityAlgorithmsRequestListValue](aws-properties-ec2-vpnconnection-phase2integrityalgorithmsrequestlistvalue.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Phase2LifetimeSeconds`  <a name="cfn-ec2-vpnconnection-vpntunneloptionsspecification-phase2lifetimeseconds"></a>
The lifetime for phase 2 of the IKE negotiation, in seconds.  
Constraints: A value between 900 and 3,600. The value must be less than the value for `Phase1LifetimeSeconds`.  
Default: `3600`  
*Required*: No  
*Type*: Integer  
*Minimum*: `900`  
*Maximum*: `3600`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`PreSharedKey`  <a name="cfn-ec2-vpnconnection-vpntunneloptionsspecification-presharedkey"></a>
The pre-shared key (PSK) to establish initial authentication between the virtual private gateway and customer gateway.  
Constraints: Allowed characters are alphanumeric characters, periods (.), and underscores (_). Must be between 8 and 64 characters in length and cannot start with zero (0).  
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RekeyFuzzPercentage`  <a name="cfn-ec2-vpnconnection-vpntunneloptionsspecification-rekeyfuzzpercentage"></a>
The percentage of the rekey window (determined by `RekeyMarginTimeSeconds`) during which the rekey time is randomly selected.  
Constraints: A value between 0 and 100.  
Default: `100`  
*Required*: No  
*Type*: Integer  
*Minimum*: `0`  
*Maximum*: `100`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RekeyMarginTimeSeconds`  <a name="cfn-ec2-vpnconnection-vpntunneloptionsspecification-rekeymargintimeseconds"></a>
The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for `RekeyFuzzPercentage`.  
Constraints: A value between 60 and half of `Phase2LifetimeSeconds`.  
Default: `270`  
*Required*: No  
*Type*: Integer  
*Minimum*: `60`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ReplayWindowSize`  <a name="cfn-ec2-vpnconnection-vpntunneloptionsspecification-replaywindowsize"></a>
The number of packets in an IKE replay window.  
Constraints: A value between 64 and 2048.  
Default: `1024`  
*Required*: No  
*Type*: Integer  
*Minimum*: `64`  
*Maximum*: `2048`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`StartupAction`  <a name="cfn-ec2-vpnconnection-vpntunneloptionsspecification-startupaction"></a>
The action to take when establishing the tunnel for the VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify `start` for AWS to initiate the IKE negotiation.  
Valid Values: `add` | `start`  
Default: `add`  
*Required*: No  
*Type*: String  
*Allowed values*: `add | start`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`TunnelInsideCidr`  <a name="cfn-ec2-vpnconnection-vpntunneloptionsspecification-tunnelinsidecidr"></a>
The range of inside IP addresses for the tunnel. Any specified CIDR blocks must be unique across all VPN connections that use the same virtual private gateway.   
Constraints: A size /30 CIDR block from the `169.254.0.0/16` range. The following CIDR blocks are reserved and cannot be used:  
+  `169.254.0.0/30` 
+  `169.254.1.0/30` 
+  `169.254.2.0/30` 
+  `169.254.3.0/30` 
+  `169.254.4.0/30` 
+  `169.254.5.0/30` 
+  `169.254.169.252/30` 
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`TunnelInsideIpv6Cidr`  <a name="cfn-ec2-vpnconnection-vpntunneloptionsspecification-tunnelinsideipv6cidr"></a>
The range of inside IPv6 addresses for the tunnel. Any specified CIDR blocks must be unique across all VPN connections that use the same transit gateway.  
Constraints: A size /126 CIDR block from the local `fd00::/8` range.  
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
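
Several constraints above span more than one property (`Phase2LifetimeSeconds` must be less than `Phase1LifetimeSeconds`, `RekeyMarginTimeSeconds` is capped at half of `Phase2LifetimeSeconds`) or exclude reserved blocks, so a value can sit inside its own minimum and maximum and still be rejected. The following pre-deployment check is an added example, not part of the AWS reference: the function and constant names are hypothetical, and it assumes the tunnel options have already been loaded into a dictionary of literal values (no intrinsic functions).

```python
import ipaddress
import re

# Reserved /30 blocks listed under TunnelInsideCidr.
RESERVED_V4 = {ipaddress.ip_network(c) for c in (
    "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
    "169.254.4.0/30", "169.254.5.0/30", "169.254.169.252/30")}
# property -> (parent range, required prefix length, reserved blocks)
CIDR_RULES = {
    "TunnelInsideCidr": (ipaddress.ip_network("169.254.0.0/16"), 30, RESERVED_V4),
    "TunnelInsideIpv6Cidr": (ipaddress.ip_network("fd00::/8"), 126, ())}
# 8-64 characters from [A-Za-z0-9._]; the first must not be "0".
PSK_RE = re.compile(r"[A-Za-z1-9._][A-Za-z0-9._]{7,63}")
# property -> (minimum, maximum, default); None means no fixed maximum.
RANGES = {"DPDTimeoutSeconds": (30, None, 30),
          "Phase1LifetimeSeconds": (900, 28800, 28800),
          "Phase2LifetimeSeconds": (900, 3600, 3600),
          "RekeyFuzzPercentage": (0, 100, 100),
          "ReplayWindowSize": (64, 2048, 1024)}
# Constructed sample: each value is in range, yet three rules are broken.
SAMPLE = {"Phase1LifetimeSeconds": 900, "Phase2LifetimeSeconds": 900,
          "RekeyMarginTimeSeconds": 500, "TunnelInsideCidr": "169.254.5.0/30"}


def _cidr_ok(value, parent, prefixlen, reserved):
    """True if value is a CIDR block of the given size inside parent."""
    try:
        net = ipaddress.ip_network(value)
    except ValueError:
        return False
    return (net.version == parent.version and net.prefixlen == prefixlen
            and net.subnet_of(parent) and net not in reserved)


def check_tunnel_options(opts):
    """Return the property names in opts that violate a documented constraint."""
    bad = []
    for key, (lo, hi, default) in RANGES.items():
        value = opts.get(key, default)
        if value < lo or (hi is not None and value > hi):
            bad.append(key)
    p1 = opts.get("Phase1LifetimeSeconds", 28800)
    p2 = opts.get("Phase2LifetimeSeconds", 3600)
    # Phase 2 must be shorter than phase 1; the rekey margin is capped at
    # half of phase 2 (upper bound treated as inclusive, an assumption).
    if p2 >= p1 and "Phase2LifetimeSeconds" not in bad:
        bad.append("Phase2LifetimeSeconds")
    if not 60 <= opts.get("RekeyMarginTimeSeconds", 270) <= p2 / 2:
        bad.append("RekeyMarginTimeSeconds")
    if "PreSharedKey" in opts and not PSK_RE.fullmatch(opts["PreSharedKey"]):
        bad.append("PreSharedKey")
    bad += [key for key, rule in CIDR_RULES.items()
            if key in opts and not _cidr_ok(opts[key], *rule)]
    return bad
```

Omitted properties are checked at the defaults documented above, so an empty dictionary passes. The uniqueness of inside CIDR blocks across VPN connections on the same gateway cannot be verified from a single tunnel specification and is not checked here.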