Posted On: Aug 29, 2019

AWS Site-to-Site Virtual Private Network (AWS Site-to-Site VPN) has expanded VPN tunnel options to allow you to restrict security algorithms and configure timer settings for new and existing VPN connections. This allows you to enforce your security and compliance standards, and enables you to establish tunnels without having to change timer settings on customer gateway devices.

VPN tunnel settings for Internet Key Exchange (IKE) are negotiated between your customer gateway device and the tunnel endpoint on the AWS side. The settings include security algorithms used for encryption, integrity, and key exchange, as well as timer settings for tunnel setup and re-keying. While creating VPN connections, you can now specify the security algorithms allowed for your tunnels and the timer settings proposed during negotiation by tunnel endpoints on the AWS side. You can also now modify these tunnel options for existing VPN connections. Through AWS Identity and Access Management (AWS IAM) policies, you can control which tunnel settings and VPN connection properties can be specified when creating or modifying VPN connections. For details on which advanced tunnel options are now supported and to see how to control VPN connection settings through AWS IAM, see the AWS Site-to-Site VPN documentation.

This feature is now available in these AWS Regions: US East (N. Virginia), US East (Ohio), US West (Oregon), US West (N. California), EU (Ireland), EU (Frankfurt), EU (London), EU (Paris), Asia Pacific (Singapore), Asia Pacific (Hong Kong), Asia Pacific (Tokyo), Asia Pacific (Sydney), Asia Pacific (Seoul), Asia Pacific (Mumbai), Canada (Central), and both AWS GovCloud (US) Regions. For more information about AWS Site-to-Site VPN, see the product page.