
Enable AWS Site-to-Site VPN logs


Enable Site-to-Site VPN logs to log VPN activity, such as tunnel state and other details. You can enable logging on a new connection or modify an existing connection to start logging activity. If you want to disable logging for a connection, see Disable Site-to-Site VPN logs.

Note

When you enable Site-to-Site VPN logs for an existing VPN connection tunnel, your connectivity over that tunnel can be interrupted for several minutes. However, each VPN connection offers two tunnels for high availability, so you can enable logging on one tunnel at a time while maintaining connectivity over the tunnel not being modified. For more information, see AWS Site-to-Site VPN tunnel endpoint replacements.

To enable VPN logging during creation of a new Site-to-Site VPN connection

Follow the procedure Step 5: Create a VPN connection. In Step 9, Tunnel Options, you can specify all the options you want to use for both tunnels, including VPN logging options. For more information about these options, see Tunnel options for your AWS Site-to-Site VPN connection.

To enable tunnel logging on a new Site-to-Site VPN connection using the AWS command line or API

To enable tunnel logging on an existing Site-to-Site VPN connection
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Site-to-Site VPN connections.

  3. Select the VPN connection that you want to modify from the VPN connections list.

  4. Select Actions, Modify VPN tunnel options.

  5. Select the tunnel that you want to modify by choosing the appropriate IP address from the VPN tunnel outside IP address list.

  6. Under Tunnel activity log, select Enable.

  7. Under Amazon CloudWatch log group, select the Amazon CloudWatch log group where you want the logs to be sent.

  8. (Optional) Under Output format, choose the desired format for the log output, either json or text.

  9. Select Save changes.

  10. (Optional) Repeat steps 4 through 9 for the other tunnel.

To enable tunnel logging on an existing Site-to-Site VPN connection using the AWS command line or API
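The following shell script is an added example, not text from the AWS documentation, showing the same change made with the AWS CLI (ModifyVpnTunnelOptions). It follows the note above by modifying one tunnel, waiting for that tunnel's telemetry to report UP again, and only then modifying the second tunnel, so one tunnel keeps carrying traffic throughout. The VPN connection ID, region, outside IP addresses and log group ARN are placeholders you must replace; by default the script only prints the commands it would run (DRY_RUN=1).

```shell
#!/bin/sh
# Added example (not the AWS documentation's own code): enable CloudWatch
# tunnel activity logging on both tunnels of an existing Site-to-Site VPN
# connection, one tunnel at a time. All IDs, IPs and ARNs are placeholders.
set -eu

VPN_ID="${VPN_ID:-vpn-0123456789abcdef0}"   # placeholder connection ID
REGION="${REGION:-us-east-1}"                 # placeholder region
LOG_GROUP_ARN="${LOG_GROUP_ARN:-arn:aws:logs:us-east-1:111122223333:log-group:vpn-tunnel-logs:*}"  # placeholder
LOG_FORMAT="${LOG_FORMAT:-json}"              # json or text (the two formats the console offers)
DRY_RUN="${DRY_RUN:-1}"                       # 1 = print commands only; 0 = run them

# Build the --tunnel-options shorthand for ModifyVpnTunnelOptions.
# Only json and text are valid LogOutputFormat values; anything else is rejected.
build_tunnel_options() {
  format="$1"; group_arn="$2"
  case "$format" in
    json|text) ;;
    *) echo "invalid LogOutputFormat: $format (use json or text)" >&2; return 1 ;;
  esac
  printf 'LogOptions={CloudWatchLogOptions={LogEnabled=true,LogGroupArn=%s,LogOutputFormat=%s}}' \
    "$group_arn" "$format"
}

# Compose the full CLI command for one tunnel, identified by its outside IP
# (the same value the console shows under "VPN tunnel outside IP address").
build_modify_cmd() {
  region="$1"; vpn_id="$2"; outside_ip="$3"; format="$4"; group_arn="$5"
  opts="$(build_tunnel_options "$format" "$group_arn")" || return 1
  printf "aws ec2 modify-vpn-tunnel-options --region %s --vpn-connection-id %s --vpn-tunnel-outside-ip-address %s --tunnel-options '%s'" \
    "$region" "$vpn_id" "$outside_ip" "$opts"
}

# Apply the change to one tunnel by calling the CLI directly (no eval needed).
run_modify() {
  outside_ip="$1"
  opts="$(build_tunnel_options "$LOG_FORMAT" "$LOG_GROUP_ARN")" || return 1
  aws ec2 modify-vpn-tunnel-options --region "$REGION" \
    --vpn-connection-id "$VPN_ID" \
    --vpn-tunnel-outside-ip-address "$outside_ip" \
    --tunnel-options "$opts"
}

# Poll VgwTelemetry (status per outside IP) until the modified tunnel is UP
# again; the endpoint replacement can take several minutes.
wait_for_tunnel_up() {
  outside_ip="$1"; tries=0
  while [ "$tries" -lt 60 ]; do
    status="$(aws ec2 describe-vpn-connections --region "$REGION" \
      --vpn-connection-ids "$VPN_ID" \
      --query "VpnConnections[0].VgwTelemetry[?OutsideIpAddress=='$outside_ip'].Status | [0]" \
      --output text)"
    [ "$status" = "UP" ] && return 0
    tries=$((tries + 1)); sleep 10
  done
  echo "tunnel $outside_ip did not come back UP within 10 minutes" >&2
  return 1
}

# Modify one tunnel, wait for it to recover, then modify the next, so the
# tunnel not being modified keeps connectivity (as the note above recommends).
enable_logging_sequentially() {
  for ip in "$@"; do
    if [ "$DRY_RUN" = "1" ]; then
      echo "[dry-run] $(build_modify_cmd "$REGION" "$VPN_ID" "$ip" "$LOG_FORMAT" "$LOG_GROUP_ARN")"
    else
      run_modify "$ip"
      wait_for_tunnel_up "$ip"
    fi
  done
}

# Placeholder outside IPs of the two tunnels (constructed, from TEST-NET-3).
enable_logging_sequentially "203.0.113.10" "203.0.113.11"
```

Run with DRY_RUN=0 and your own VPN_ID, REGION, LOG_GROUP_ARN and outside IPs to apply the change; the default dry run lets you review the exact commands first. Logging to CloudWatch requires that the log group already exists and that the caller has the EC2 and CloudWatch Logs permissions for these calls.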
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.