Tunnel endpoint lifecycle control
Tunnel endpoint lifecycle control provides control over the schedule of endpoint replacements, and can help minimize connectivity disruptions during AWS managed tunnel endpoint replacements. With this feature, you can choose to accept AWS managed updates to tunnel endpoints at a time that works best for your business. Use this feature if you have short-term business needs or can only support a single tunnel per VPN connection.
Note
In rare circumstances, AWS might apply critical updates to tunnel endpoints immediately, even if the tunnel endpoint lifecycle control feature is enabled.
How tunnel endpoint lifecycle control works
Turn on the tunnel endpoint lifecycle control feature for individual tunnels within a VPN connection. It can be enabled at the time of VPN creation or by modifying tunnel options for an existing VPN connection.
After tunnel endpoint lifecycle control is enabled, you will gain additional visibility into upcoming tunnel maintenance events in two ways:
- You will receive AWS Health notifications for upcoming tunnel endpoint replacements.
- The status of pending maintenance, along with the Maintenance auto applied after and Last maintenance applied timestamps, can be seen in the AWS Management Console or by using the get-vpn-tunnel-replacement-status AWS CLI command.
When tunnel endpoint maintenance is available, you can accept the update at a time that is convenient for you, as long as you do so before the Maintenance auto applied after timestamp.
If you do not apply the update before the Maintenance auto applied after date, AWS will automatically perform the tunnel endpoint replacement soon after that date, as part of the regular maintenance update cycle.
Enable tunnel endpoint lifecycle control
You can enable this feature using the AWS Management Console or AWS CLI.
Note
By default, when you turn on the feature for an existing VPN connection, a tunnel endpoint replacement is initiated at the same time. If you want to turn the feature on without initiating a tunnel endpoint replacement immediately, use the skip tunnel replacement option.
Verify if tunnel endpoint lifecycle control is enabled
You can verify whether tunnel endpoint lifecycle control is enabled on an existing VPN tunnel by using the AWS Management Console or CLI.
To verify if tunnel endpoint lifecycle control is enabled using the AWS Management Console
- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
- In the left-side navigation pane, choose Site-to-Site VPN Connections.
- Select the appropriate connection under VPN connections.
- Select the Tunnel details tab.
- In the tunnel details, look for Tunnel Endpoint Lifecycle Control, which will report whether the feature is Enabled or Disabled.
To verify if tunnel endpoint lifecycle control is enabled using the AWS CLI
Use the describe-vpn-connections AWS CLI command.
Check for available updates
After you enable the tunnel endpoint lifecycle control feature, you can view whether a maintenance update is available for your VPN connection by using the AWS Management Console or CLI.
To check for available updates using the AWS Management Console
- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
- In the left-side navigation pane, choose Site-to-Site VPN Connections.
- Select the appropriate connection under VPN connections.
- Select the Tunnel details tab.
- Check the Pending maintenance column. The status will be either Available or None.
To check for available updates using the AWS CLI
Use the get-vpn-tunnel-replacement-status AWS CLI command.
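The following is an added example, not part of the AWS documentation, that turns the two CLI checks above (whether lifecycle control is enabled per tunnel, and whether maintenance is pending and how close the Maintenance auto applied after deadline is) into a small triage helper you can feed the CLI's JSON output to. The sample JSON is constructed, and the field names (OutsideIpAddress, EnableTunnelLifecycleControl, MaintenanceDetails, PendingMaintenance, MaintenanceAutoAppliedAfter, LastMaintenanceApplied) are assumed from the EC2 API structures; confirm them against your own CLI output.

```python
import json
from datetime import datetime, timedelta

# Constructed samples shaped like the JSON the AWS CLI prints. Field names are
# assumed from the EC2 TunnelOption and MaintenanceDetails structures; check them
# against your own describe-vpn-connections / get-vpn-tunnel-replacement-status output.
SAMPLE_DESCRIBE = json.dumps({"VpnConnections": [{
    "VpnConnectionId": "vpn-0123456789abcdef0",
    "Options": {"TunnelOptions": [
        {"OutsideIpAddress": "203.0.113.10", "EnableTunnelLifecycleControl": True},
        {"OutsideIpAddress": "203.0.113.11", "EnableTunnelLifecycleControl": False},
    ]},
}]})
SAMPLE_STATUS = json.dumps({
    "VpnTunnelOutsideIpAddress": "203.0.113.10",
    "MaintenanceDetails": {
        "PendingMaintenance": "available",
        "MaintenanceAutoAppliedAfter": "2024-06-15T00:00:00+00:00",
        "LastMaintenanceApplied": "2024-03-01T09:30:00+00:00",
    },
})

def lifecycle_control_by_tunnel(describe_json: str) -> dict:
    """Map each tunnel's outside IP to whether lifecycle control is enabled."""
    result = {}
    for conn in json.loads(describe_json).get("VpnConnections", []):
        for tunnel in conn.get("Options", {}).get("TunnelOptions", []):
            result[tunnel["OutsideIpAddress"]] = bool(tunnel.get("EnableTunnelLifecycleControl"))
    return result

def assess_maintenance(status_json: str, now_iso: str, warn_days: int = 7) -> dict:
    """Classify pending maintenance against the Maintenance auto applied after deadline.

    action: "none" (nothing pending), "schedule" (book a window), "accept-now"
    (fewer than warn_days left) or "auto-applied-soon" (deadline passed; AWS
    replaces the endpoint on its own schedule, so plan for a tunnel drop)."""
    details = json.loads(status_json).get("MaintenanceDetails", {})
    if str(details.get("PendingMaintenance", "none")).lower() != "available":
        return {"pending": False, "deadline": None, "days_left": None, "action": "none"}
    deadline = datetime.fromisoformat(details["MaintenanceAutoAppliedAfter"])
    remaining = deadline - datetime.fromisoformat(now_iso)  # both are tz-aware
    if remaining <= timedelta(0):
        action = "auto-applied-soon"
    elif remaining < timedelta(days=warn_days):
        action = "accept-now"
    else:
        action = "schedule"
    return {"pending": True, "deadline": deadline.isoformat(),
            "days_left": remaining.days, "action": action}
```

In practice you would pipe `aws ec2 get-vpn-tunnel-replacement-status --vpn-connection-id ... --vpn-tunnel-outside-ip-address ...` output into assess_maintenance and act on the returned action before the deadline, for example by alerting when it reaches "accept-now".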
Accept a maintenance update
When a maintenance update is available, you can accept it using the AWS Management Console or CLI.
To accept an available maintenance update using the AWS Management Console
- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
- In the left-side navigation pane, choose Site-to-Site VPN Connections.
- Select the appropriate connection under VPN connections.
- Choose Actions, then Replace VPN Tunnel.
- Select the specific tunnel that you want to replace by choosing the appropriate VPN tunnel outside IP address.
- Choose Replace.
To accept an available maintenance update using the AWS CLI
Use the replace-vpn-tunnel AWS CLI command.
Turn tunnel endpoint lifecycle control off
If you no longer want to use the tunnel endpoint lifecycle control feature, you can turn it off using the AWS Management Console or the AWS CLI. When you turn off this feature, AWS will automatically deploy maintenance updates periodically, and these updates might happen during your business hours. To avoid any business impact, we highly recommend that you configure both tunnels in your VPN connection for high availability.
Note
While a pending maintenance update is available, you cannot specify the skip tunnel replacement option when turning the feature off. You can still turn the feature off without the skip tunnel replacement option, but AWS will then deploy the pending maintenance update by initiating a tunnel endpoint replacement immediately.
To turn off tunnel endpoint lifecycle control using the AWS Management Console
- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
- In the left-side navigation pane, choose Site-to-Site VPN Connections.
- Select the appropriate connection under VPN connections.
- Choose Actions, then Modify VPN tunnel options.
- Select the specific tunnel that you want to modify by choosing the appropriate VPN tunnel outside IP address.
- To turn off tunnel endpoint lifecycle control, under Tunnel Endpoint Lifecycle Control, clear the Enable check box.
- (Optional) Select Skip tunnel replacement.
- Choose Save changes.
To turn off tunnel endpoint lifecycle control using the AWS CLI
Use the modify-vpn-tunnel-options AWS CLI command.