We recommend new projects start with resources from the AWS provider.

AWS Cloud Control v1.26.0 published on Wednesday, Mar 12, 2025 by Pulumi

aws-native.ec2.VpnConnection

Specifies a VPN connection between a virtual private gateway and a VPN customer gateway or a transit gateway and a VPN customer gateway. To specify a VPN connection between a transit gateway and customer gateway, use the TransitGatewayId and CustomerGatewayId properties. To specify a VPN connection between a virtual private gateway and customer gateway, use the VpnGatewayId and CustomerGatewayId properties. For more information, see in the User Guide.

Create VpnConnection Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

TypeScript:
new VpnConnection(name: string, args: VpnConnectionArgs, opts?: CustomResourceOptions);

Python:
@overload
def VpnConnection(resource_name: str,
                  args: VpnConnectionArgs,
                  opts: Optional[ResourceOptions] = None)

@overload
def VpnConnection(resource_name: str,
                  opts: Optional[ResourceOptions] = None,
                  customer_gateway_id: Optional[str] = None,
                  type: Optional[str] = None,
                  remote_ipv6_network_cidr: Optional[str] = None,
                  local_ipv6_network_cidr: Optional[str] = None,
                  outside_ip_address_type: Optional[str] = None,
                  remote_ipv4_network_cidr: Optional[str] = None,
                  local_ipv4_network_cidr: Optional[str] = None,
                  static_routes_only: Optional[bool] = None,
                  tags: Optional[Sequence[_root_inputs.TagArgs]] = None,
                  transit_gateway_id: Optional[str] = None,
                  transport_transit_gateway_attachment_id: Optional[str] = None,
                  tunnel_inside_ip_version: Optional[str] = None,
                  enable_acceleration: Optional[bool] = None,
                  vpn_gateway_id: Optional[str] = None,
                  vpn_tunnel_options_specifications: Optional[Sequence[VpnConnectionVpnTunnelOptionsSpecificationArgs]] = None)

Go:
func NewVpnConnection(ctx *Context, name string, args VpnConnectionArgs, opts ...ResourceOption) (*VpnConnection, error)

C#:
public VpnConnection(string name, VpnConnectionArgs args, CustomResourceOptions? opts = null)

Java:
public VpnConnection(String name, VpnConnectionArgs args)
public VpnConnection(String name, VpnConnectionArgs args, CustomResourceOptions options)

YAML:
type: aws-native:ec2:VpnConnection
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

TypeScript:
name This property is required. string
The unique name of the resource.
args This property is required. VpnConnectionArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.

Python:
resource_name This property is required. str
The unique name of the resource.
args This property is required. VpnConnectionArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.

Go:
ctx Context
Context object for the current deployment.
name This property is required. string
The unique name of the resource.
args This property is required. VpnConnectionArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.

C#:
name This property is required. string
The unique name of the resource.
args This property is required. VpnConnectionArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.

Java:
name This property is required. String
The unique name of the resource.
args This property is required. VpnConnectionArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

VpnConnection Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The VpnConnection resource accepts the following input properties:

C#:
CustomerGatewayId This property is required. string
The ID of the customer gateway at your end of the VPN connection.
Type This property is required. string
The type of VPN connection.
EnableAcceleration bool
Indicate whether to enable acceleration for the VPN connection. Default: false
LocalIpv4NetworkCidr string
The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection. Default: 0.0.0.0/0
LocalIpv6NetworkCidr string
The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection. Default: ::/0
OutsideIpAddressType string
The type of IPv4 address assigned to the outside interface of the customer gateway device. Valid values: PrivateIpv4 | PublicIpv4 Default: PublicIpv4
RemoteIpv4NetworkCidr string
The IPv4 CIDR on the AWS side of the VPN connection. Default: 0.0.0.0/0
RemoteIpv6NetworkCidr string
The IPv6 CIDR on the AWS side of the VPN connection. Default: ::/0
StaticRoutesOnly bool
Indicates whether the VPN connection uses static routes only. Static routes must be used for devices that don't support BGP. If you are creating a VPN connection for a device that does not support Border Gateway Protocol (BGP), you must specify true.
Tags List<Pulumi.AwsNative.Inputs.Tag>
Any tags assigned to the VPN connection.
TransitGatewayId string
The ID of the transit gateway associated with the VPN connection. You must specify either TransitGatewayId or VpnGatewayId, but not both.
TransportTransitGatewayAttachmentId string
The transit gateway attachment ID to use for the VPN tunnel. Required if OutsideIpAddressType is set to PrivateIpv4.
TunnelInsideIpVersion string
Indicate whether the VPN tunnels process IPv4 or IPv6 traffic. Default: ipv4
VpnGatewayId string
The ID of the virtual private gateway at the AWS side of the VPN connection. You must specify either TransitGatewayId or VpnGatewayId, but not both.
VpnTunnelOptionsSpecifications List<Pulumi.AwsNative.Ec2.Inputs.VpnConnectionVpnTunnelOptionsSpecification>
The tunnel options for the VPN connection.

Go:
CustomerGatewayId This property is required. string
The ID of the customer gateway at your end of the VPN connection.
Type This property is required. string
The type of VPN connection.
EnableAcceleration bool
Indicate whether to enable acceleration for the VPN connection. Default: false
LocalIpv4NetworkCidr string
The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection. Default: 0.0.0.0/0
LocalIpv6NetworkCidr string
The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection. Default: ::/0
OutsideIpAddressType string
The type of IPv4 address assigned to the outside interface of the customer gateway device. Valid values: PrivateIpv4 | PublicIpv4 Default: PublicIpv4
RemoteIpv4NetworkCidr string
The IPv4 CIDR on the AWS side of the VPN connection. Default: 0.0.0.0/0
RemoteIpv6NetworkCidr string
The IPv6 CIDR on the AWS side of the VPN connection. Default: ::/0
StaticRoutesOnly bool
Indicates whether the VPN connection uses static routes only. Static routes must be used for devices that don't support BGP. If you are creating a VPN connection for a device that does not support Border Gateway Protocol (BGP), you must specify true.
Tags TagArgs
Any tags assigned to the VPN connection.
TransitGatewayId string
The ID of the transit gateway associated with the VPN connection. You must specify either TransitGatewayId or VpnGatewayId, but not both.
TransportTransitGatewayAttachmentId string
The transit gateway attachment ID to use for the VPN tunnel. Required if OutsideIpAddressType is set to PrivateIpv4.
TunnelInsideIpVersion string
Indicate whether the VPN tunnels process IPv4 or IPv6 traffic. Default: ipv4
VpnGatewayId string
The ID of the virtual private gateway at the AWS side of the VPN connection. You must specify either TransitGatewayId or VpnGatewayId, but not both.
VpnTunnelOptionsSpecifications []VpnConnectionVpnTunnelOptionsSpecificationArgs
The tunnel options for the VPN connection.

Java:
customerGatewayId This property is required. String
The ID of the customer gateway at your end of the VPN connection.
type This property is required. String
The type of VPN connection.
enableAcceleration Boolean
Indicate whether to enable acceleration for the VPN connection. Default: false
localIpv4NetworkCidr String
The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection. Default: 0.0.0.0/0
localIpv6NetworkCidr String
The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection. Default: ::/0
outsideIpAddressType String
The type of IPv4 address assigned to the outside interface of the customer gateway device. Valid values: PrivateIpv4 | PublicIpv4 Default: PublicIpv4
remoteIpv4NetworkCidr String
The IPv4 CIDR on the AWS side of the VPN connection. Default: 0.0.0.0/0
remoteIpv6NetworkCidr String
The IPv6 CIDR on the AWS side of the VPN connection. Default: ::/0
staticRoutesOnly Boolean
Indicates whether the VPN connection uses static routes only. Static routes must be used for devices that don't support BGP. If you are creating a VPN connection for a device that does not support Border Gateway Protocol (BGP), you must specify true.
tags List<Tag>
Any tags assigned to the VPN connection.
transitGatewayId String
The ID of the transit gateway associated with the VPN connection. You must specify either TransitGatewayId or VpnGatewayId, but not both.
transportTransitGatewayAttachmentId String
The transit gateway attachment ID to use for the VPN tunnel. Required if OutsideIpAddressType is set to PrivateIpv4.
tunnelInsideIpVersion String
Indicate whether the VPN tunnels process IPv4 or IPv6 traffic. Default: ipv4
vpnGatewayId String
The ID of the virtual private gateway at the AWS side of the VPN connection. You must specify either TransitGatewayId or VpnGatewayId, but not both.
vpnTunnelOptionsSpecifications List<VpnConnectionVpnTunnelOptionsSpecification>
The tunnel options for the VPN connection.

TypeScript:
customerGatewayId This property is required. string
The ID of the customer gateway at your end of the VPN connection.
type This property is required. string
The type of VPN connection.
enableAcceleration boolean
Indicate whether to enable acceleration for the VPN connection. Default: false
localIpv4NetworkCidr string
The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection. Default: 0.0.0.0/0
localIpv6NetworkCidr string
The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection. Default: ::/0
outsideIpAddressType string
The type of IPv4 address assigned to the outside interface of the customer gateway device. Valid values: PrivateIpv4 | PublicIpv4 Default: PublicIpv4
remoteIpv4NetworkCidr string
The IPv4 CIDR on the AWS side of the VPN connection. Default: 0.0.0.0/0
remoteIpv6NetworkCidr string
The IPv6 CIDR on the AWS side of the VPN connection. Default: ::/0
staticRoutesOnly boolean
Indicates whether the VPN connection uses static routes only. Static routes must be used for devices that don't support BGP. If you are creating a VPN connection for a device that does not support Border Gateway Protocol (BGP), you must specify true.
tags Tag[]
Any tags assigned to the VPN connection.
transitGatewayId string
The ID of the transit gateway associated with the VPN connection. You must specify either TransitGatewayId or VpnGatewayId, but not both.
transportTransitGatewayAttachmentId string
The transit gateway attachment ID to use for the VPN tunnel. Required if OutsideIpAddressType is set to PrivateIpv4.
tunnelInsideIpVersion string
Indicate whether the VPN tunnels process IPv4 or IPv6 traffic. Default: ipv4
vpnGatewayId string
The ID of the virtual private gateway at the AWS side of the VPN connection. You must specify either TransitGatewayId or VpnGatewayId, but not both.
vpnTunnelOptionsSpecifications VpnConnectionVpnTunnelOptionsSpecification[]
The tunnel options for the VPN connection.

Python:
customer_gateway_id This property is required. str
The ID of the customer gateway at your end of the VPN connection.
type This property is required. str
The type of VPN connection.
enable_acceleration bool
Indicate whether to enable acceleration for the VPN connection. Default: false
local_ipv4_network_cidr str
The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection. Default: 0.0.0.0/0
local_ipv6_network_cidr str
The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection. Default: ::/0
outside_ip_address_type str
The type of IPv4 address assigned to the outside interface of the customer gateway device. Valid values: PrivateIpv4 | PublicIpv4 Default: PublicIpv4
remote_ipv4_network_cidr str
The IPv4 CIDR on the AWS side of the VPN connection. Default: 0.0.0.0/0
remote_ipv6_network_cidr str
The IPv6 CIDR on the AWS side of the VPN connection. Default: ::/0
static_routes_only bool
Indicates whether the VPN connection uses static routes only. Static routes must be used for devices that don't support BGP. If you are creating a VPN connection for a device that does not support Border Gateway Protocol (BGP), you must specify true.
tags Sequence[TagArgs]
Any tags assigned to the VPN connection.
transit_gateway_id str
The ID of the transit gateway associated with the VPN connection. You must specify either TransitGatewayId or VpnGatewayId, but not both.
transport_transit_gateway_attachment_id str
The transit gateway attachment ID to use for the VPN tunnel. Required if OutsideIpAddressType is set to PrivateIpv4.
tunnel_inside_ip_version str
Indicate whether the VPN tunnels process IPv4 or IPv6 traffic. Default: ipv4
vpn_gateway_id str
The ID of the virtual private gateway at the AWS side of the VPN connection. You must specify either TransitGatewayId or VpnGatewayId, but not both.
vpn_tunnel_options_specifications Sequence[VpnConnectionVpnTunnelOptionsSpecificationArgs]
The tunnel options for the VPN connection.

YAML:
customerGatewayId This property is required. String
The ID of the customer gateway at your end of the VPN connection.
type This property is required. String
The type of VPN connection.
enableAcceleration Boolean
Indicate whether to enable acceleration for the VPN connection. Default: false
localIpv4NetworkCidr String
The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection. Default: 0.0.0.0/0
localIpv6NetworkCidr String
The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection. Default: ::/0
outsideIpAddressType String
The type of IPv4 address assigned to the outside interface of the customer gateway device. Valid values: PrivateIpv4 | PublicIpv4 Default: PublicIpv4
remoteIpv4NetworkCidr String
The IPv4 CIDR on the AWS side of the VPN connection. Default: 0.0.0.0/0
remoteIpv6NetworkCidr String
The IPv6 CIDR on the AWS side of the VPN connection. Default: ::/0
staticRoutesOnly Boolean
Indicates whether the VPN connection uses static routes only. Static routes must be used for devices that don't support BGP. If you are creating a VPN connection for a device that does not support Border Gateway Protocol (BGP), you must specify true.
tags List<Property Map>
Any tags assigned to the VPN connection.
transitGatewayId String
The ID of the transit gateway associated with the VPN connection. You must specify either TransitGatewayId or VpnGatewayId, but not both.
transportTransitGatewayAttachmentId String
The transit gateway attachment ID to use for the VPN tunnel. Required if OutsideIpAddressType is set to PrivateIpv4.
tunnelInsideIpVersion String
Indicate whether the VPN tunnels process IPv4 or IPv6 traffic. Default: ipv4
vpnGatewayId String
The ID of the virtual private gateway at the AWS side of the VPN connection. You must specify either TransitGatewayId or VpnGatewayId, but not both.
vpnTunnelOptionsSpecifications List<Property Map>
The tunnel options for the VPN connection.

Outputs

All input properties are implicitly available as output properties. Additionally, the VpnConnection resource produces the following output properties:

C#:
Id string
The provider-assigned unique ID for this managed resource.
VpnConnectionId string
The ID of the VPN connection.

Go:
Id string
The provider-assigned unique ID for this managed resource.
VpnConnectionId string
The ID of the VPN connection.

Java:
id String
The provider-assigned unique ID for this managed resource.
vpnConnectionId String
The ID of the VPN connection.

TypeScript:
id string
The provider-assigned unique ID for this managed resource.
vpnConnectionId string
The ID of the VPN connection.

Python:
id str
The provider-assigned unique ID for this managed resource.
vpn_connection_id str
The ID of the VPN connection.

YAML:
id String
The provider-assigned unique ID for this managed resource.
vpnConnectionId String
The ID of the VPN connection.

Supporting Types

Tag, TagArgs

C#:
Key This property is required. string
The key name of the tag
Value This property is required. string
The value of the tag

Go:
Key This property is required. string
The key name of the tag
Value This property is required. string
The value of the tag

Java:
key This property is required. String
The key name of the tag
value This property is required. String
The value of the tag

TypeScript:
key This property is required. string
The key name of the tag
value This property is required. string
The value of the tag

Python:
key This property is required. str
The key name of the tag
value This property is required. str
The value of the tag

YAML:
key This property is required. String
The key name of the tag
value This property is required. String
The value of the tag

VpnConnectionCloudwatchLogOptionsSpecification, VpnConnectionCloudwatchLogOptionsSpecificationArgs

C#:
LogEnabled bool
Enable or disable VPN tunnel logging feature. Default value is False. Valid values: True | False
LogGroupArn string
The Amazon Resource Name (ARN) of the CloudWatch log group to send logs to.
LogOutputFormat Pulumi.AwsNative.Ec2.VpnConnectionCloudwatchLogOptionsSpecificationLogOutputFormat
Set log format. Default format is json. Valid values: json | text

Go:
LogEnabled bool
Enable or disable VPN tunnel logging feature. Default value is False. Valid values: True | False
LogGroupArn string
The Amazon Resource Name (ARN) of the CloudWatch log group to send logs to.
LogOutputFormat VpnConnectionCloudwatchLogOptionsSpecificationLogOutputFormat
Set log format. Default format is json. Valid values: json | text

Java:
logEnabled Boolean
Enable or disable VPN tunnel logging feature. Default value is False. Valid values: True | False
logGroupArn String
The Amazon Resource Name (ARN) of the CloudWatch log group to send logs to.
logOutputFormat VpnConnectionCloudwatchLogOptionsSpecificationLogOutputFormat
Set log format. Default format is json. Valid values: json | text

TypeScript:
logEnabled boolean
Enable or disable VPN tunnel logging feature. Default value is False. Valid values: True | False
logGroupArn string
The Amazon Resource Name (ARN) of the CloudWatch log group to send logs to.
logOutputFormat VpnConnectionCloudwatchLogOptionsSpecificationLogOutputFormat
Set log format. Default format is json. Valid values: json | text

Python:
log_enabled bool
Enable or disable VPN tunnel logging feature. Default value is False. Valid values: True | False
log_group_arn str
The Amazon Resource Name (ARN) of the CloudWatch log group to send logs to.
log_output_format VpnConnectionCloudwatchLogOptionsSpecificationLogOutputFormat
Set log format. Default format is json. Valid values: json | text

YAML:
logEnabled Boolean
Enable or disable VPN tunnel logging feature. Default value is False. Valid values: True | False
logGroupArn String
The Amazon Resource Name (ARN) of the CloudWatch log group to send logs to.
logOutputFormat "json" | "text"
Set log format. Default format is json. Valid values: json | text

VpnConnectionCloudwatchLogOptionsSpecificationLogOutputFormat, VpnConnectionCloudwatchLogOptionsSpecificationLogOutputFormatArgs

Json
json
Text
text
VpnConnectionCloudwatchLogOptionsSpecificationLogOutputFormatJson
json
VpnConnectionCloudwatchLogOptionsSpecificationLogOutputFormatText
text
Json
json
Text
text
Json
json
Text
text
JSON
json
TEXT
text
"json"
json
"text"
text

VpnConnectionIkeVersionsRequestListValue, VpnConnectionIkeVersionsRequestListValueArgs

value "ikev1" | "ikev2"
The IKE version.

VpnConnectionIkeVersionsRequestListValueValue, VpnConnectionIkeVersionsRequestListValueValueArgs

Ikev1
ikev1
Ikev2
ikev2
VpnConnectionIkeVersionsRequestListValueValueIkev1
ikev1
VpnConnectionIkeVersionsRequestListValueValueIkev2
ikev2
Ikev1
ikev1
Ikev2
ikev2
Ikev1
ikev1
Ikev2
ikev2
IKEV1
ikev1
IKEV2
ikev2
"ikev1"
ikev1
"ikev2"
ikev2

VpnConnectionPhase1EncryptionAlgorithmsRequestListValue, VpnConnectionPhase1EncryptionAlgorithmsRequestListValueArgs

value "AES128" | "AES256" | "AES128-GCM-16" | "AES256-GCM-16"
The value for the encryption algorithm.

VpnConnectionPhase1EncryptionAlgorithmsRequestListValueValue, VpnConnectionPhase1EncryptionAlgorithmsRequestListValueValueArgs

Aes128
AES128
Aes256
AES256
Aes128Gcm16
AES128-GCM-16
Aes256Gcm16
AES256-GCM-16
VpnConnectionPhase1EncryptionAlgorithmsRequestListValueValueAes128
AES128
VpnConnectionPhase1EncryptionAlgorithmsRequestListValueValueAes256
AES256
VpnConnectionPhase1EncryptionAlgorithmsRequestListValueValueAes128Gcm16
AES128-GCM-16
VpnConnectionPhase1EncryptionAlgorithmsRequestListValueValueAes256Gcm16
AES256-GCM-16
Aes128
AES128
Aes256
AES256
Aes128Gcm16
AES128-GCM-16
Aes256Gcm16
AES256-GCM-16
Aes128
AES128
Aes256
AES256
Aes128Gcm16
AES128-GCM-16
Aes256Gcm16
AES256-GCM-16
AES128
AES128
AES256
AES256
AES128_GCM16
AES128-GCM-16
AES256_GCM16
AES256-GCM-16
"AES128"
AES128
"AES256"
AES256
"AES128-GCM-16"
AES128-GCM-16
"AES256-GCM-16"
AES256-GCM-16

VpnConnectionPhase1IntegrityAlgorithmsRequestListValue, VpnConnectionPhase1IntegrityAlgorithmsRequestListValueArgs

value "SHA1" | "SHA2-256" | "SHA2-384" | "SHA2-512"
The value for the integrity algorithm.

VpnConnectionPhase1IntegrityAlgorithmsRequestListValueValue, VpnConnectionPhase1IntegrityAlgorithmsRequestListValueValueArgs

Sha1
SHA1
Sha2256
SHA2-256
Sha2384
SHA2-384
Sha2512
SHA2-512
VpnConnectionPhase1IntegrityAlgorithmsRequestListValueValueSha1
SHA1
VpnConnectionPhase1IntegrityAlgorithmsRequestListValueValueSha2256
SHA2-256
VpnConnectionPhase1IntegrityAlgorithmsRequestListValueValueSha2384
SHA2-384
VpnConnectionPhase1IntegrityAlgorithmsRequestListValueValueSha2512
SHA2-512
Sha1
SHA1
Sha2256
SHA2-256
Sha2384
SHA2-384
Sha2512
SHA2-512
Sha1
SHA1
Sha2256
SHA2-256
Sha2384
SHA2-384
Sha2512
SHA2-512
SHA1
SHA1
SHA2256
SHA2-256
SHA2384
SHA2-384
SHA2512
SHA2-512
"SHA1"
SHA1
"SHA2-256"
SHA2-256
"SHA2-384"
SHA2-384
"SHA2-512"
SHA2-512

VpnConnectionPhase1dhGroupNumbersRequestListValue, VpnConnectionPhase1dhGroupNumbersRequestListValueArgs

C#:
Value int
The Diffie-Hellman group number.

Go:
Value int
The Diffie-Hellman group number.

Java:
value Integer
The Diffie-Hellman group number.

TypeScript:
value number
The Diffie-Hellman group number.

Python:
value int
The Diffie-Hellman group number.

YAML:
value Number
The Diffie-Hellman group number.

VpnConnectionPhase2EncryptionAlgorithmsRequestListValue, VpnConnectionPhase2EncryptionAlgorithmsRequestListValueArgs

VpnConnectionPhase2EncryptionAlgorithmsRequestListValueValue, VpnConnectionPhase2EncryptionAlgorithmsRequestListValueValueArgs

Aes128
AES128
Aes256
AES256
Aes128Gcm16
AES128-GCM-16
Aes256Gcm16
AES256-GCM-16
VpnConnectionPhase2EncryptionAlgorithmsRequestListValueValueAes128
AES128
VpnConnectionPhase2EncryptionAlgorithmsRequestListValueValueAes256
AES256
VpnConnectionPhase2EncryptionAlgorithmsRequestListValueValueAes128Gcm16
AES128-GCM-16
VpnConnectionPhase2EncryptionAlgorithmsRequestListValueValueAes256Gcm16
AES256-GCM-16
Aes128
AES128
Aes256
AES256
Aes128Gcm16
AES128-GCM-16
Aes256Gcm16
AES256-GCM-16
Aes128
AES128
Aes256
AES256
Aes128Gcm16
AES128-GCM-16
Aes256Gcm16
AES256-GCM-16
AES128
AES128
AES256
AES256
AES128_GCM16
AES128-GCM-16
AES256_GCM16
AES256-GCM-16
"AES128"
AES128
"AES256"
AES256
"AES128-GCM-16"
AES128-GCM-16
"AES256-GCM-16"
AES256-GCM-16

VpnConnectionPhase2IntegrityAlgorithmsRequestListValue, VpnConnectionPhase2IntegrityAlgorithmsRequestListValueArgs

VpnConnectionPhase2IntegrityAlgorithmsRequestListValueValue, VpnConnectionPhase2IntegrityAlgorithmsRequestListValueValueArgs

Sha1
SHA1
Sha2256
SHA2-256
Sha2384
SHA2-384
Sha2512
SHA2-512
VpnConnectionPhase2IntegrityAlgorithmsRequestListValueValueSha1
SHA1
VpnConnectionPhase2IntegrityAlgorithmsRequestListValueValueSha2256
SHA2-256
VpnConnectionPhase2IntegrityAlgorithmsRequestListValueValueSha2384
SHA2-384
VpnConnectionPhase2IntegrityAlgorithmsRequestListValueValueSha2512
SHA2-512
Sha1
SHA1
Sha2256
SHA2-256
Sha2384
SHA2-384
Sha2512
SHA2-512
Sha1
SHA1
Sha2256
SHA2-256
Sha2384
SHA2-384
Sha2512
SHA2-512
SHA1
SHA1
SHA2256
SHA2-256
SHA2384
SHA2-384
SHA2512
SHA2-512
"SHA1"
SHA1
"SHA2-256"
SHA2-256
"SHA2-384"
SHA2-384
"SHA2-512"
SHA2-512

VpnConnectionPhase2dhGroupNumbersRequestListValue, VpnConnectionPhase2dhGroupNumbersRequestListValueArgs

C#:
Value int
The Diffie-Hellman group number.

Go:
Value int
The Diffie-Hellman group number.

Java:
value Integer
The Diffie-Hellman group number.

TypeScript:
value number
The Diffie-Hellman group number.

Python:
value int
The Diffie-Hellman group number.

YAML:
value Number
The Diffie-Hellman group number.

VpnConnectionVpnTunnelLogOptionsSpecification, VpnConnectionVpnTunnelLogOptionsSpecificationArgs

CloudwatchLogOptions VpnConnectionCloudwatchLogOptionsSpecification
Options for sending VPN tunnel logs to CloudWatch.
cloudwatchLogOptions VpnConnectionCloudwatchLogOptionsSpecification
Options for sending VPN tunnel logs to CloudWatch.
cloudwatchLogOptions VpnConnectionCloudwatchLogOptionsSpecification
Options for sending VPN tunnel logs to CloudWatch.
cloudwatch_log_options VpnConnectionCloudwatchLogOptionsSpecification
Options for sending VPN tunnel logs to CloudWatch.
cloudwatchLogOptions Property Map
Options for sending VPN tunnel logs to CloudWatch.

VpnConnectionVpnTunnelOptionsSpecification, VpnConnectionVpnTunnelOptionsSpecificationArgs

C#:
DpdTimeoutAction Pulumi.AwsNative.Ec2.VpnConnectionVpnTunnelOptionsSpecificationDpdTimeoutAction
The action to take after DPD timeout occurs. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid Values: clear | none | restart Default: clear
DpdTimeoutSeconds int
The number of seconds after which a DPD timeout occurs. Constraints: A value greater than or equal to 30. Default: 30
EnableTunnelLifecycleControl bool
Turn on or off tunnel endpoint lifecycle control feature.
IkeVersions List<Pulumi.AwsNative.Ec2.Inputs.VpnConnectionIkeVersionsRequestListValue>
The IKE versions that are permitted for the VPN tunnel. Valid values: ikev1 | ikev2
LogOptions Pulumi.AwsNative.Ec2.Inputs.VpnConnectionVpnTunnelLogOptionsSpecification
Options for logging VPN tunnel activity.
Phase1EncryptionAlgorithms List<Pulumi.AwsNative.Ec2.Inputs.VpnConnectionPhase1EncryptionAlgorithmsRequestListValue>
One or more encryption algorithms that are permitted for the VPN tunnel for phase 1 IKE negotiations. Valid values: AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16
Phase1IntegrityAlgorithms List<Pulumi.AwsNative.Ec2.Inputs.VpnConnectionPhase1IntegrityAlgorithmsRequestListValue>
One or more integrity algorithms that are permitted for the VPN tunnel for phase 1 IKE negotiations. Valid values: SHA1 | SHA2-256 | SHA2-384 | SHA2-512
Phase1LifetimeSeconds int
The lifetime for phase 1 of the IKE negotiation, in seconds. Constraints: A value between 900 and 28,800. Default: 28800
Phase1dhGroupNumbers List<Pulumi.AwsNative.Ec2.Inputs.VpnConnectionPhase1dhGroupNumbersRequestListValue>
One or more Diffie-Hellman group numbers that are permitted for the VPN tunnel for phase 1 IKE negotiations. Valid values: 2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24
Phase2EncryptionAlgorithms List<Pulumi.AwsNative.Ec2.Inputs.VpnConnectionPhase2EncryptionAlgorithmsRequestListValue>
One or more encryption algorithms that are permitted for the VPN tunnel for phase 2 IKE negotiations. Valid values: AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16
Phase2IntegrityAlgorithms List<Pulumi.AwsNative.Ec2.Inputs.VpnConnectionPhase2IntegrityAlgorithmsRequestListValue>
One or more integrity algorithms that are permitted for the VPN tunnel for phase 2 IKE negotiations. Valid values: SHA1 | SHA2-256 | SHA2-384 | SHA2-512
Phase2LifetimeSeconds int
The lifetime for phase 2 of the IKE negotiation, in seconds. Constraints: A value between 900 and 3,600. The value must be less than the value for Phase1LifetimeSeconds. Default: 3600
Phase2dhGroupNumbers List<Pulumi.AwsNative.Ec2.Inputs.VpnConnectionPhase2dhGroupNumbersRequestListValue>
One or more Diffie-Hellman group numbers that are permitted for the VPN tunnel for phase 2 IKE negotiations. Valid values: 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24
PreSharedKey string
The pre-shared key (PSK) to establish initial authentication between the virtual private gateway and customer gateway. Constraints: Allowed characters are alphanumeric characters, periods (.), and underscores (_). Must be between 8 and 64 characters in length and cannot start with zero (0).
RekeyFuzzPercentage int
The percentage of the rekey window (determined by RekeyMarginTimeSeconds) during which the rekey time is randomly selected. Constraints: A value between 0 and 100. Default: 100
RekeyMarginTimeSeconds int
The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for RekeyFuzzPercentage. Constraints: A value between 60 and half of Phase2LifetimeSeconds. Default: 270
ReplayWindowSize int
The number of packets in an IKE replay window. Constraints: A value between 64 and 2048. Default: 1024
StartupAction Pulumi.AwsNative.Ec2.VpnConnectionVpnTunnelOptionsSpecificationStartupAction
The action to take when establishing the tunnel for the VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid Values: add | start Default: add
TunnelInsideCidr string
The range of inside IP addresses for the tunnel. Any specified CIDR blocks must be unique across all VPN connections that use the same virtual private gateway. Constraints: A size /30 CIDR block from the 169.254.0.0/16 range. The following CIDR blocks are reserved and cannot be used:

  • 169.254.0.0/30
  • 169.254.1.0/30
  • 169.254.2.0/30
  • 169.254.3.0/30
  • 169.254.4.0/30
  • 169.254.5.0/30
  • 169.254.169.252/30
TunnelInsideIpv6Cidr string
The range of inside IPv6 addresses for the tunnel. Any specified CIDR blocks must be unique across all VPN connections that use the same transit gateway. Constraints: A size /126 CIDR block from the local fd00::/8 range.
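
The constraints listed for the connection inputs and the tunnel options above can be checked before a deployment is attempted. The following is an added example, not code from Pulumi or AWS: it audits a plain dict keyed by the property names listed on this page, and the function names, the `DISALLOWED` baseline, and the sample IDs and key are assumptions made for the illustration.

```python
import ipaddress
import re

# Constraints taken from the property descriptions on this page.
RESERVED_INSIDE_CIDRS = {
    "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
    "169.254.4.0/30", "169.254.5.0/30", "169.254.169.252/30",
}
PSK_PATTERN = re.compile(r"[A-Za-z0-9._]{8,64}")
# Assumed hardening baseline for this example, not a rule from the page.
DISALLOWED = {
    "IkeVersions": {"ikev1"},
    "Phase1IntegrityAlgorithms": {"SHA1"},
    "Phase2IntegrityAlgorithms": {"SHA1"},
    "Phase1dhGroupNumbers": {2},
    "Phase2dhGroupNumbers": {2, 5},
}


def _inside_cidr_ok(cidr, parent, prefixlen):
    """True if cidr is a well-formed block of the given size inside parent."""
    try:
        net = ipaddress.ip_network(cidr)  # strict: rejects set host bits
    except ValueError:
        return False
    parent = ipaddress.ip_network(parent)
    return (net.version == parent.version and net.prefixlen == prefixlen
            and net.subnet_of(parent))


def check_tunnel(opts):
    """Return (errors, warnings) for one VpnTunnelOptionsSpecification dict."""
    errors, warnings = [], []
    p1 = opts.get("Phase1LifetimeSeconds", 28800)
    p2 = opts.get("Phase2LifetimeSeconds", 3600)
    if not 900 <= p1 <= 28800:
        errors.append("Phase1LifetimeSeconds must be between 900 and 28800")
    if not 900 <= p2 <= 3600:
        errors.append("Phase2LifetimeSeconds must be between 900 and 3600")
    if p2 >= p1:
        errors.append("Phase2LifetimeSeconds must be less than Phase1LifetimeSeconds")
    if not 60 <= opts.get("RekeyMarginTimeSeconds", 270) <= p2 / 2:
        errors.append("RekeyMarginTimeSeconds must be between 60 and half of phase 2")
    psk = opts.get("PreSharedKey")
    if psk is not None and (not PSK_PATTERN.fullmatch(psk) or psk.startswith("0")):
        errors.append("PreSharedKey breaks the character, length or leading-zero rule")
    cidr = opts.get("TunnelInsideCidr")
    if cidr is not None and (not _inside_cidr_ok(cidr, "169.254.0.0/16", 30)
                             or cidr in RESERVED_INSIDE_CIDRS):
        errors.append("TunnelInsideCidr must be an unreserved /30 in 169.254.0.0/16")
    cidr6 = opts.get("TunnelInsideIpv6Cidr")
    if cidr6 is not None and not _inside_cidr_ok(cidr6, "fd00::/8", 126):
        errors.append("TunnelInsideIpv6Cidr must be a /126 in fd00::/8")
    for prop, banned in DISALLOWED.items():
        chosen = {item["Value"] for item in opts.get(prop) or []}
        if not chosen:
            warnings.append(f"{prop} is not pinned explicitly")
        elif chosen & banned:
            warnings.append(f"{prop} permits {sorted(chosen & banned)}")
    return errors, warnings


def check_connection(args):
    """Return (errors, warnings) for a VpnConnection argument dict."""
    errors, warnings = [], []
    if bool(args.get("TransitGatewayId")) == bool(args.get("VpnGatewayId")):
        errors.append("specify either TransitGatewayId or VpnGatewayId, not both")
    if (args.get("OutsideIpAddressType") == "PrivateIpv4"
            and not args.get("TransportTransitGatewayAttachmentId")):
        errors.append("PrivateIpv4 requires TransportTransitGatewayAttachmentId")
    for i, tunnel in enumerate(args.get("VpnTunnelOptionsSpecifications") or []):
        t_errors, t_warnings = check_tunnel(tunnel)
        errors += [f"tunnel {i}: {m}" for m in t_errors]
        warnings += [f"tunnel {i}: {m}" for m in t_warnings]
    return errors, warnings


# Constructed sample inputs; the IDs and the keys are placeholders.
HARDENED = {
    "CustomerGatewayId": "cgw-EXAMPLE", "Type": "ipsec.1",
    "VpnGatewayId": "vgw-EXAMPLE",
    "VpnTunnelOptionsSpecifications": [{
        "PreSharedKey": "example_psk.not_for_use_1234",
        "TunnelInsideCidr": "169.254.10.0/30",
        "IkeVersions": [{"Value": "ikev2"}],
        "Phase1IntegrityAlgorithms": [{"Value": "SHA2-256"}],
        "Phase2IntegrityAlgorithms": [{"Value": "SHA2-256"}],
        "Phase1dhGroupNumbers": [{"Value": 20}],
        "Phase2dhGroupNumbers": [{"Value": 20}],
    }],
}
LEGACY = {
    "CustomerGatewayId": "cgw-EXAMPLE", "Type": "ipsec.1",
    "VpnGatewayId": "vgw-EXAMPLE", "TransitGatewayId": "tgw-EXAMPLE",
    "VpnTunnelOptionsSpecifications": [{
        "PreSharedKey": "0short", "TunnelInsideCidr": "169.254.169.252/30",
        "Phase1LifetimeSeconds": 3600,
        "IkeVersions": [{"Value": "ikev1"}, {"Value": "ikev2"}],
    }],
}
```

`check_connection(HARDENED)` returns two empty lists, while `check_connection(LEGACY)` reports the conflicting gateway IDs, the reserved inside CIDR, the malformed key and the phase 2 lifetime that is not below phase 1, plus warnings for the permitted `ikev1` and the algorithm lists left unpinned.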

Go:
DpdTimeoutAction VpnConnectionVpnTunnelOptionsSpecificationDpdTimeoutAction
The action to take after DPD timeout occurs. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid Values: clear | none | restart Default: clear
DpdTimeoutSeconds int
The number of seconds after which a DPD timeout occurs. Constraints: A value greater than or equal to 30. Default: 30
EnableTunnelLifecycleControl bool
Turn on or off tunnel endpoint lifecycle control feature.
IkeVersions []VpnConnectionIkeVersionsRequestListValue
The IKE versions that are permitted for the VPN tunnel. Valid values: ikev1 | ikev2
LogOptions VpnConnectionVpnTunnelLogOptionsSpecification
Options for logging VPN tunnel activity.
Phase1EncryptionAlgorithms []VpnConnectionPhase1EncryptionAlgorithmsRequestListValue
One or more encryption algorithms that are permitted for the VPN tunnel for phase 1 IKE negotiations. Valid values: AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16
Phase1IntegrityAlgorithms []VpnConnectionPhase1IntegrityAlgorithmsRequestListValue
One or more integrity algorithms that are permitted for the VPN tunnel for phase 1 IKE negotiations. Valid values: SHA1 | SHA2-256 | SHA2-384 | SHA2-512
Phase1LifetimeSeconds int
The lifetime for phase 1 of the IKE negotiation, in seconds. Constraints: A value between 900 and 28,800. Default: 28800
Phase1dhGroupNumbers []VpnConnectionPhase1dhGroupNumbersRequestListValue
One or more Diffie-Hellman group numbers that are permitted for the VPN tunnel for phase 1 IKE negotiations. Valid values: 2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24
Phase2EncryptionAlgorithms []VpnConnectionPhase2EncryptionAlgorithmsRequestListValue
One or more encryption algorithms that are permitted for the VPN tunnel for phase 2 IKE negotiations. Valid values: AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16
Phase2IntegrityAlgorithms []VpnConnectionPhase2IntegrityAlgorithmsRequestListValue
One or more integrity algorithms that are permitted for the VPN tunnel for phase 2 IKE negotiations. Valid values: SHA1 | SHA2-256 | SHA2-384 | SHA2-512
Phase2LifetimeSeconds int
The lifetime for phase 2 of the IKE negotiation, in seconds. Constraints: A value between 900 and 3,600. The value must be less than the value for Phase1LifetimeSeconds. Default: 3600
Phase2dhGroupNumbers []VpnConnectionPhase2dhGroupNumbersRequestListValue
One or more Diffie-Hellman group numbers that are permitted for the VPN tunnel for phase 2 IKE negotiations. Valid values: 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24
PreSharedKey string
The pre-shared key (PSK) to establish initial authentication between the virtual private gateway and customer gateway. Constraints: Allowed characters are alphanumeric characters, periods (.), and underscores (_). Must be between 8 and 64 characters in length and cannot start with zero (0).
RekeyFuzzPercentage int
The percentage of the rekey window (determined by RekeyMarginTimeSeconds) during which the rekey time is randomly selected. Constraints: A value between 0 and 100. Default: 100
RekeyMarginTimeSeconds int
The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for RekeyFuzzPercentage. Constraints: A value between 60 and half of Phase2LifetimeSeconds. Default: 270
ReplayWindowSize int
The number of packets in an IKE replay window. Constraints: A value between 64 and 2048. Default: 1024
StartupAction VpnConnectionVpnTunnelOptionsSpecificationStartupAction
The action to take when establishing the tunnel for the VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid Values: add | start. Default: add
TunnelInsideCidr string
The range of inside IP addresses for the tunnel. Any specified CIDR blocks must be unique across all VPN connections that use the same virtual private gateway. Constraints: A size /30 CIDR block from the 169.254.0.0/16 range. The following CIDR blocks are reserved and cannot be used:

  • 169.254.0.0/30
  • 169.254.1.0/30
  • 169.254.2.0/30
  • 169.254.3.0/30
  • 169.254.4.0/30
  • 169.254.5.0/30
  • 169.254.169.252/30
TunnelInsideIpv6Cidr string
The range of inside IPv6 addresses for the tunnel. Any specified CIDR blocks must be unique across all VPN connections that use the same transit gateway. Constraints: A size /126 CIDR block from the local fd00::/8 range.
dpdTimeoutAction VpnConnectionVpnTunnelOptionsSpecificationDpdTimeoutAction
The action to take after DPD timeout occurs. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid Values: clear | none | restart. Default: clear
dpdTimeoutSeconds Integer
The number of seconds after which a DPD timeout occurs. Constraints: A value greater than or equal to 30. Default: 30
enableTunnelLifecycleControl Boolean
Turns the tunnel endpoint lifecycle control feature on or off.
ikeVersions List<VpnConnectionIkeVersionsRequestListValue>
The IKE versions that are permitted for the VPN tunnel. Valid values: ikev1 | ikev2
logOptions VpnConnectionVpnTunnelLogOptionsSpecification
Options for logging VPN tunnel activity.
phase1EncryptionAlgorithms List<VpnConnectionPhase1EncryptionAlgorithmsRequestListValue>
One or more encryption algorithms that are permitted for the VPN tunnel for phase 1 IKE negotiations. Valid values: AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16
phase1IntegrityAlgorithms List<VpnConnectionPhase1IntegrityAlgorithmsRequestListValue>
One or more integrity algorithms that are permitted for the VPN tunnel for phase 1 IKE negotiations. Valid values: SHA1 | SHA2-256 | SHA2-384 | SHA2-512
phase1LifetimeSeconds Integer
The lifetime for phase 1 of the IKE negotiation, in seconds. Constraints: A value between 900 and 28,800. Default: 28800
phase1dhGroupNumbers List<VpnConnectionPhase1dhGroupNumbersRequestListValue>
One or more Diffie-Hellman group numbers that are permitted for the VPN tunnel for phase 1 IKE negotiations. Valid values: 2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24
phase2EncryptionAlgorithms List<VpnConnectionPhase2EncryptionAlgorithmsRequestListValue>
One or more encryption algorithms that are permitted for the VPN tunnel for phase 2 IKE negotiations. Valid values: AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16
phase2IntegrityAlgorithms List<VpnConnectionPhase2IntegrityAlgorithmsRequestListValue>
One or more integrity algorithms that are permitted for the VPN tunnel for phase 2 IKE negotiations. Valid values: SHA1 | SHA2-256 | SHA2-384 | SHA2-512
phase2LifetimeSeconds Integer
The lifetime for phase 2 of the IKE negotiation, in seconds. Constraints: A value between 900 and 3,600. The value must be less than the value for Phase1LifetimeSeconds. Default: 3600
phase2dhGroupNumbers List<VpnConnectionPhase2dhGroupNumbersRequestListValue>
One or more Diffie-Hellman group numbers that are permitted for the VPN tunnel for phase 2 IKE negotiations. Valid values: 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24
preSharedKey String
The pre-shared key (PSK) to establish initial authentication between the virtual private gateway and customer gateway. Constraints: Allowed characters are alphanumeric characters, periods (.), and underscores (_). Must be between 8 and 64 characters in length and cannot start with zero (0).
rekeyFuzzPercentage Integer
The percentage of the rekey window (determined by RekeyMarginTimeSeconds) during which the rekey time is randomly selected. Constraints: A value between 0 and 100. Default: 100
rekeyMarginTimeSeconds Integer
The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for RekeyFuzzPercentage. Constraints: A value between 60 and half of Phase2LifetimeSeconds. Default: 270
replayWindowSize Integer
The number of packets in an IKE replay window. Constraints: A value between 64 and 2048. Default: 1024
startupAction VpnConnectionVpnTunnelOptionsSpecificationStartupAction
The action to take when establishing the tunnel for the VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid Values: add | start. Default: add
tunnelInsideCidr String
The range of inside IP addresses for the tunnel. Any specified CIDR blocks must be unique across all VPN connections that use the same virtual private gateway. Constraints: A size /30 CIDR block from the 169.254.0.0/16 range. The following CIDR blocks are reserved and cannot be used:

  • 169.254.0.0/30
  • 169.254.1.0/30
  • 169.254.2.0/30
  • 169.254.3.0/30
  • 169.254.4.0/30
  • 169.254.5.0/30
  • 169.254.169.252/30
tunnelInsideIpv6Cidr String
The range of inside IPv6 addresses for the tunnel. Any specified CIDR blocks must be unique across all VPN connections that use the same transit gateway. Constraints: A size /126 CIDR block from the local fd00::/8 range.
dpdTimeoutAction VpnConnectionVpnTunnelOptionsSpecificationDpdTimeoutAction
The action to take after DPD timeout occurs. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid Values: clear | none | restart. Default: clear
dpdTimeoutSeconds number
The number of seconds after which a DPD timeout occurs. Constraints: A value greater than or equal to 30. Default: 30
enableTunnelLifecycleControl boolean
Turns the tunnel endpoint lifecycle control feature on or off.
ikeVersions VpnConnectionIkeVersionsRequestListValue[]
The IKE versions that are permitted for the VPN tunnel. Valid values: ikev1 | ikev2
logOptions VpnConnectionVpnTunnelLogOptionsSpecification
Options for logging VPN tunnel activity.
phase1EncryptionAlgorithms VpnConnectionPhase1EncryptionAlgorithmsRequestListValue[]
One or more encryption algorithms that are permitted for the VPN tunnel for phase 1 IKE negotiations. Valid values: AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16
phase1IntegrityAlgorithms VpnConnectionPhase1IntegrityAlgorithmsRequestListValue[]
One or more integrity algorithms that are permitted for the VPN tunnel for phase 1 IKE negotiations. Valid values: SHA1 | SHA2-256 | SHA2-384 | SHA2-512
phase1LifetimeSeconds number
The lifetime for phase 1 of the IKE negotiation, in seconds. Constraints: A value between 900 and 28,800. Default: 28800
phase1dhGroupNumbers VpnConnectionPhase1dhGroupNumbersRequestListValue[]
One or more Diffie-Hellman group numbers that are permitted for the VPN tunnel for phase 1 IKE negotiations. Valid values: 2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24
phase2EncryptionAlgorithms VpnConnectionPhase2EncryptionAlgorithmsRequestListValue[]
One or more encryption algorithms that are permitted for the VPN tunnel for phase 2 IKE negotiations. Valid values: AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16
phase2IntegrityAlgorithms VpnConnectionPhase2IntegrityAlgorithmsRequestListValue[]
One or more integrity algorithms that are permitted for the VPN tunnel for phase 2 IKE negotiations. Valid values: SHA1 | SHA2-256 | SHA2-384 | SHA2-512
phase2LifetimeSeconds number
The lifetime for phase 2 of the IKE negotiation, in seconds. Constraints: A value between 900 and 3,600. The value must be less than the value for Phase1LifetimeSeconds. Default: 3600
phase2dhGroupNumbers VpnConnectionPhase2dhGroupNumbersRequestListValue[]
One or more Diffie-Hellman group numbers that are permitted for the VPN tunnel for phase 2 IKE negotiations. Valid values: 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24
preSharedKey string
The pre-shared key (PSK) to establish initial authentication between the virtual private gateway and customer gateway. Constraints: Allowed characters are alphanumeric characters, periods (.), and underscores (_). Must be between 8 and 64 characters in length and cannot start with zero (0).
rekeyFuzzPercentage number
The percentage of the rekey window (determined by RekeyMarginTimeSeconds) during which the rekey time is randomly selected. Constraints: A value between 0 and 100. Default: 100
rekeyMarginTimeSeconds number
The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for RekeyFuzzPercentage. Constraints: A value between 60 and half of Phase2LifetimeSeconds. Default: 270
replayWindowSize number
The number of packets in an IKE replay window. Constraints: A value between 64 and 2048. Default: 1024
startupAction VpnConnectionVpnTunnelOptionsSpecificationStartupAction
The action to take when establishing the tunnel for the VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid Values: add | start. Default: add
tunnelInsideCidr string
The range of inside IP addresses for the tunnel. Any specified CIDR blocks must be unique across all VPN connections that use the same virtual private gateway. Constraints: A size /30 CIDR block from the 169.254.0.0/16 range. The following CIDR blocks are reserved and cannot be used:

  • 169.254.0.0/30
  • 169.254.1.0/30
  • 169.254.2.0/30
  • 169.254.3.0/30
  • 169.254.4.0/30
  • 169.254.5.0/30
  • 169.254.169.252/30
tunnelInsideIpv6Cidr string
The range of inside IPv6 addresses for the tunnel. Any specified CIDR blocks must be unique across all VPN connections that use the same transit gateway. Constraints: A size /126 CIDR block from the local fd00::/8 range.
dpd_timeout_action VpnConnectionVpnTunnelOptionsSpecificationDpdTimeoutAction
The action to take after DPD timeout occurs. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid Values: clear | none | restart. Default: clear
dpd_timeout_seconds int
The number of seconds after which a DPD timeout occurs. Constraints: A value greater than or equal to 30. Default: 30
enable_tunnel_lifecycle_control bool
Turns the tunnel endpoint lifecycle control feature on or off.
ike_versions Sequence[VpnConnectionIkeVersionsRequestListValue]
The IKE versions that are permitted for the VPN tunnel. Valid values: ikev1 | ikev2
log_options VpnConnectionVpnTunnelLogOptionsSpecification
Options for logging VPN tunnel activity.
phase1_encryption_algorithms Sequence[VpnConnectionPhase1EncryptionAlgorithmsRequestListValue]
One or more encryption algorithms that are permitted for the VPN tunnel for phase 1 IKE negotiations. Valid values: AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16
phase1_integrity_algorithms Sequence[VpnConnectionPhase1IntegrityAlgorithmsRequestListValue]
One or more integrity algorithms that are permitted for the VPN tunnel for phase 1 IKE negotiations. Valid values: SHA1 | SHA2-256 | SHA2-384 | SHA2-512
phase1_lifetime_seconds int
The lifetime for phase 1 of the IKE negotiation, in seconds. Constraints: A value between 900 and 28,800. Default: 28800
phase1dh_group_numbers Sequence[VpnConnectionPhase1dhGroupNumbersRequestListValue]
One or more Diffie-Hellman group numbers that are permitted for the VPN tunnel for phase 1 IKE negotiations. Valid values: 2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24
phase2_encryption_algorithms Sequence[VpnConnectionPhase2EncryptionAlgorithmsRequestListValue]
One or more encryption algorithms that are permitted for the VPN tunnel for phase 2 IKE negotiations. Valid values: AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16
phase2_integrity_algorithms Sequence[VpnConnectionPhase2IntegrityAlgorithmsRequestListValue]
One or more integrity algorithms that are permitted for the VPN tunnel for phase 2 IKE negotiations. Valid values: SHA1 | SHA2-256 | SHA2-384 | SHA2-512
phase2_lifetime_seconds int
The lifetime for phase 2 of the IKE negotiation, in seconds. Constraints: A value between 900 and 3,600. The value must be less than the value for Phase1LifetimeSeconds. Default: 3600
phase2dh_group_numbers Sequence[VpnConnectionPhase2dhGroupNumbersRequestListValue]
One or more Diffie-Hellman group numbers that are permitted for the VPN tunnel for phase 2 IKE negotiations. Valid values: 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24
pre_shared_key str
The pre-shared key (PSK) to establish initial authentication between the virtual private gateway and customer gateway. Constraints: Allowed characters are alphanumeric characters, periods (.), and underscores (_). Must be between 8 and 64 characters in length and cannot start with zero (0).
rekey_fuzz_percentage int
The percentage of the rekey window (determined by RekeyMarginTimeSeconds) during which the rekey time is randomly selected. Constraints: A value between 0 and 100. Default: 100
rekey_margin_time_seconds int
The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for RekeyFuzzPercentage. Constraints: A value between 60 and half of Phase2LifetimeSeconds. Default: 270
replay_window_size int
The number of packets in an IKE replay window. Constraints: A value between 64 and 2048. Default: 1024
startup_action VpnConnectionVpnTunnelOptionsSpecificationStartupAction
The action to take when establishing the tunnel for the VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid Values: add | start. Default: add
tunnel_inside_cidr str
The range of inside IP addresses for the tunnel. Any specified CIDR blocks must be unique across all VPN connections that use the same virtual private gateway. Constraints: A size /30 CIDR block from the 169.254.0.0/16 range. The following CIDR blocks are reserved and cannot be used:

  • 169.254.0.0/30
  • 169.254.1.0/30
  • 169.254.2.0/30
  • 169.254.3.0/30
  • 169.254.4.0/30
  • 169.254.5.0/30
  • 169.254.169.252/30
tunnel_inside_ipv6_cidr str
The range of inside IPv6 addresses for the tunnel. Any specified CIDR blocks must be unique across all VPN connections that use the same transit gateway. Constraints: A size /126 CIDR block from the local fd00::/8 range.
dpdTimeoutAction "clear" | "none" | "restart"
The action to take after DPD timeout occurs. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid Values: clear | none | restart. Default: clear
dpdTimeoutSeconds Number
The number of seconds after which a DPD timeout occurs. Constraints: A value greater than or equal to 30. Default: 30
enableTunnelLifecycleControl Boolean
Turns the tunnel endpoint lifecycle control feature on or off.
ikeVersions List<Property Map>
The IKE versions that are permitted for the VPN tunnel. Valid values: ikev1 | ikev2
logOptions Property Map
Options for logging VPN tunnel activity.
phase1EncryptionAlgorithms List<Property Map>
One or more encryption algorithms that are permitted for the VPN tunnel for phase 1 IKE negotiations. Valid values: AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16
phase1IntegrityAlgorithms List<Property Map>
One or more integrity algorithms that are permitted for the VPN tunnel for phase 1 IKE negotiations. Valid values: SHA1 | SHA2-256 | SHA2-384 | SHA2-512
phase1LifetimeSeconds Number
The lifetime for phase 1 of the IKE negotiation, in seconds. Constraints: A value between 900 and 28,800. Default: 28800
phase1dhGroupNumbers List<Property Map>
One or more Diffie-Hellman group numbers that are permitted for the VPN tunnel for phase 1 IKE negotiations. Valid values: 2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24
phase2EncryptionAlgorithms List<Property Map>
One or more encryption algorithms that are permitted for the VPN tunnel for phase 2 IKE negotiations. Valid values: AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16
phase2IntegrityAlgorithms List<Property Map>
One or more integrity algorithms that are permitted for the VPN tunnel for phase 2 IKE negotiations. Valid values: SHA1 | SHA2-256 | SHA2-384 | SHA2-512
phase2LifetimeSeconds Number
The lifetime for phase 2 of the IKE negotiation, in seconds. Constraints: A value between 900 and 3,600. The value must be less than the value for Phase1LifetimeSeconds. Default: 3600
phase2dhGroupNumbers List<Property Map>
One or more Diffie-Hellman group numbers that are permitted for the VPN tunnel for phase 2 IKE negotiations. Valid values: 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24
preSharedKey String
The pre-shared key (PSK) to establish initial authentication between the virtual private gateway and customer gateway. Constraints: Allowed characters are alphanumeric characters, periods (.), and underscores (_). Must be between 8 and 64 characters in length and cannot start with zero (0).
rekeyFuzzPercentage Number
The percentage of the rekey window (determined by RekeyMarginTimeSeconds) during which the rekey time is randomly selected. Constraints: A value between 0 and 100. Default: 100
rekeyMarginTimeSeconds Number
The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for RekeyFuzzPercentage. Constraints: A value between 60 and half of Phase2LifetimeSeconds. Default: 270
replayWindowSize Number
The number of packets in an IKE replay window. Constraints: A value between 64 and 2048. Default: 1024
startupAction "add" | "start"
The action to take when establishing the tunnel for the VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid Values: add | start. Default: add
tunnelInsideCidr String
The range of inside IP addresses for the tunnel. Any specified CIDR blocks must be unique across all VPN connections that use the same virtual private gateway. Constraints: A size /30 CIDR block from the 169.254.0.0/16 range. The following CIDR blocks are reserved and cannot be used:

  • 169.254.0.0/30
  • 169.254.1.0/30
  • 169.254.2.0/30
  • 169.254.3.0/30
  • 169.254.4.0/30
  • 169.254.5.0/30
  • 169.254.169.252/30
tunnelInsideIpv6Cidr String
The range of inside IPv6 addresses for the tunnel. Any specified CIDR blocks must be unique across all VPN connections that use the same transit gateway. Constraints: A size /126 CIDR block from the local fd00::/8 range.
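
A pre-deployment check of one tunnel's options against the constraints listed above, as an added example that is not part of the Pulumi documentation or provider code. It uses the Python property names with plain strings and integers in place of the provider's list-value types (a simplification), and `policy_warnings` applies a reviewer policy that is an assumption of this example, not an AWS constraint.

```python
import ipaddress
import re

# Reserved /30 blocks, copied from the tunnel_inside_cidr description.
RESERVED_V4 = [ipaddress.ip_network(c) for c in (
    "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
    "169.254.4.0/30", "169.254.5.0/30", "169.254.169.252/30")]
PSK_RE = re.compile(r"[A-Za-z0-9._]{8,64}")
# Defaults stated in the property descriptions.
DEFAULTS = {"phase1_lifetime_seconds": 28800, "phase2_lifetime_seconds": 3600,
            "rekey_margin_time_seconds": 270, "rekey_fuzz_percentage": 100,
            "replay_window_size": 1024, "dpd_timeout_seconds": 30}


def _cidr_errors(opts, key, parent, prefixlen, reserved=()):
    """An inside CIDR must parse, match the documented size and range, and not be reserved."""
    if key not in opts:
        return []
    parent = ipaddress.ip_network(parent)
    try:
        net = ipaddress.ip_network(opts[key], strict=True)
    except ValueError as exc:
        return [f"{key}: {exc}"]
    if net.version != parent.version or net.prefixlen != prefixlen or not net.subnet_of(parent):
        return [f"{key}: must be a /{prefixlen} block from {parent}"]
    return [f"{key}: {net} is reserved"] if net in reserved else []


def validate_tunnel_options(opts):
    """Return documented-constraint violations for one tunnel (empty list = valid)."""
    o = {**DEFAULTS, **opts}
    p1, p2 = o["phase1_lifetime_seconds"], o["phase2_lifetime_seconds"]
    ranges = {"phase1_lifetime_seconds": (900, 28800),
              "phase2_lifetime_seconds": (900, 3600),
              "rekey_margin_time_seconds": (60, p2 / 2),  # upper bound tracks phase 2
              "rekey_fuzz_percentage": (0, 100),
              "replay_window_size": (64, 2048),
              "dpd_timeout_seconds": (30, float("inf"))}
    errors = [f"{k}: {o[k]} is outside {lo}..{hi}"
              for k, (lo, hi) in ranges.items() if not lo <= o[k] <= hi]
    if p2 >= p1:
        errors.append("phase2_lifetime_seconds: must be less than phase1_lifetime_seconds")
    psk = o.get("pre_shared_key")
    if psk is not None and (psk.startswith("0") or not PSK_RE.fullmatch(psk)):
        errors.append("pre_shared_key: need 8-64 chars of [A-Za-z0-9._], not starting with 0")
    errors += _cidr_errors(o, "tunnel_inside_cidr", "169.254.0.0/16", 30, RESERVED_V4)
    errors += _cidr_errors(o, "tunnel_inside_ipv6_cidr", "fd00::/8", 126)
    return errors


def policy_warnings(opts):
    """Reviewer policy (an assumption of this example, not an AWS constraint)."""
    warnings = []
    if "ikev1" in opts.get("ike_versions", []):
        warnings.append("ike_versions: ikev1 permitted")
    for phase in ("phase1", "phase2"):
        if "SHA1" in opts.get(f"{phase}_integrity_algorithms", []):
            warnings.append(f"{phase}_integrity_algorithms: SHA1 permitted")
        weak = sorted({2, 5} & set(opts.get(f"{phase}dh_group_numbers", [])))
        if weak:
            warnings.append(f"{phase}dh_group_numbers: 1024/1536-bit MODP groups {weak} permitted")
    return warnings


# Constructed sample input (placeholder key; load real keys from a secret store).
SAMPLE = {"pre_shared_key": "0example.key_value", "tunnel_inside_cidr": "169.254.169.252/30",
          "phase1_lifetime_seconds": 3600, "rekey_margin_time_seconds": 2000,
          "ike_versions": ["ikev1", "ikev2"], "phase1_integrity_algorithms": ["SHA1", "SHA2-256"],
          "phase2dh_group_numbers": [5, 14]}

if __name__ == "__main__":
    for finding in validate_tunnel_options(SAMPLE) + policy_warnings(SAMPLE):
        print(finding)
```

Lowering `phase1_lifetime_seconds` to 3600 while leaving phase 2 at its default of 3600 is itself a violation, which the sample shows. `policy_warnings` only inspects lists that are set explicitly and does not flag an unset list.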

VpnConnectionVpnTunnelOptionsSpecificationDpdTimeoutAction, VpnConnectionVpnTunnelOptionsSpecificationDpdTimeoutActionArgs

Clear
clear
None
none
Restart
restart
VpnConnectionVpnTunnelOptionsSpecificationDpdTimeoutActionClear
clear
VpnConnectionVpnTunnelOptionsSpecificationDpdTimeoutActionNone
none
VpnConnectionVpnTunnelOptionsSpecificationDpdTimeoutActionRestart
restart
Clear
clear
None
none
Restart
restart
Clear
clear
None
none
Restart
restart
CLEAR
clear
NONE
none
RESTART
restart
"clear"
clear
"none"
none
"restart"
restart

VpnConnectionVpnTunnelOptionsSpecificationStartupAction, VpnConnectionVpnTunnelOptionsSpecificationStartupActionArgs

Add
add
Start
start
VpnConnectionVpnTunnelOptionsSpecificationStartupActionAdd
add
VpnConnectionVpnTunnelOptionsSpecificationStartupActionStart
start
Add
add
Start
start
Add
add
Start
start
ADD
add
START
start
"add"
add
"start"
start

Package Details

Repository
AWS Native pulumi/pulumi-aws-native
License
Apache-2.0
