Why did I get a notification that the tunnel endpoints for my AWS VPN Site-to-Site connection are being replaced?


I received a notification in my Personal Health Dashboard (PHD) that an endpoint for my AWS Site-to-Site VPN connection was replaced.


Site-to-Site VPN is a fully managed service that consists of two tunnels for redundancy. Periodically, AWS carries out maintenance on your Site-to-Site VPN connection, and one or both of your Site-to-Site VPN tunnel endpoints are replaced. Tunnels are updated for a number of reasons, including endpoint upgrades, underlying hardware replacement, resiliency improvements, and other enhancements. AWS applies these tunnel updates to one tunnel of the Site-to-Site VPN connection at a time.

When AWS replaces a tunnel endpoint, if the tunnel status was UP, the status changes to DOWN. The tunnel remains DOWN until IKE negotiation is initiated, either by AWS or from your customer gateway device. AWS initiates IKE negotiation to bring up the tunnel only if the tunnel is configured to use IKEv2 and the startup action is Start. If the tunnel is configured with IKEv1, or with IKEv2 but the startup action is Add, then the tunnel remains DOWN after endpoint replacement, pending negotiation from the customer gateway device.

When you modify your Site-to-Site VPN connection, one or both of the tunnel endpoints are also replaced. This happens whether you use the AWS Management Console, AWS Command Line Interface (AWS CLI), or SDK.

Configure your tunnels for high availability

It's a best practice to configure your tunnels for high availability to make sure that traffic isn't interrupted when tunnels are replaced. Also, it's a best practice to use Border Gateway Protocol (BGP) routing if it's supported by the customer gateway device. BGP offers robust liveness detection checks that can assist with automatic failover of traffic to the second Site-to-Site VPN tunnel. If you're using static routing, then consider using an active/active setup. Note that asymmetric routing must be supported on the customer gateway device with an active/active setup. Or, use an active/passive setup, and then configure health checks on the customer gateway device to facilitate failover of traffic to the alternate tunnel.
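As an added example that is not part of this Knowledge Center article or of any AWS tool, the following Python check reads the JSON that `aws ec2 describe-vpn-connections` returns and applies the rules above: AWS re-initiates IKE after an endpoint replacement only for IKEv2 with startup action Start, so every other tunnel stays DOWN until the customer gateway negotiates, and a static-routes-only connection has no BGP liveness detection to fail traffic over. The sample JSON is constructed; the field names follow the EC2 DescribeVpnConnections response shape, and treating a tunnel that also permits IKEv1 as not guaranteed to recover is a conservative reading of the article.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-vpn-connections` output
# (field names follow the EC2 API; the ID and addresses are made up for this example).
SAMPLE = json.dumps({"VpnConnections": [{
    "VpnConnectionId": "vpn-0123456789abcdef0",
    "Options": {"StaticRoutesOnly": False, "TunnelOptions": [
        {"OutsideIpAddress": "203.0.113.10",
         "IkeVersions": [{"Value": "ikev2"}], "StartupAction": "start"},
        {"OutsideIpAddress": "203.0.113.11",
         "IkeVersions": [{"Value": "ikev1"}, {"Value": "ikev2"}], "StartupAction": "add"},
    ]},
    "VgwTelemetry": [{"OutsideIpAddress": "203.0.113.10", "Status": "UP"},
                     {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN"}],
}]})

def aws_will_initiate(tunnel):
    """AWS re-initiates IKE after an endpoint replacement only for IKEv2 with
    startup action 'start'. A tunnel that also permits IKEv1 is treated as not
    guaranteed to recover (conservative reading of the article)."""
    versions = {v["Value"].lower() for v in tunnel.get("IkeVersions", [])}
    return versions == {"ikev2"} and tunnel.get("StartupAction", "add").lower() == "start"

def audit_vpn(describe_json):
    """One finding per tunnel: current status and whether it recovers on its own."""
    findings = []
    for conn in json.loads(describe_json)["VpnConnections"]:
        opts = conn["Options"]
        status = {t["OutsideIpAddress"]: t["Status"] for t in conn.get("VgwTelemetry", [])}
        for tun in opts["TunnelOptions"]:
            ip = tun["OutsideIpAddress"]
            auto = aws_will_initiate(tun)
            findings.append({
                "vpn": conn["VpnConnectionId"], "outside_ip": ip,
                "status": status.get(ip, "UNKNOWN"), "auto_recover": auto,
                "static_routes_only": bool(opts.get("StaticRoutesOnly", False)),
                "action": "none" if auto else "customer gateway must initiate IKE; consider IKEv2 + startup action Start",
            })
    return findings

def needs_attention(describe_json):
    """Tunnels that are DOWN now, or would stay DOWN after AWS replaces the endpoint."""
    return [f for f in audit_vpn(describe_json)
            if f["status"] != "UP" or not f["auto_recover"]]

if __name__ == "__main__":
    for f in needs_attention(SAMPLE):
        print(f"{f['vpn']} {f['outside_ip']}: {f['status']}, auto_recover={f['auto_recover']}, {f['action']}")
```

Feed it real output with `aws ec2 describe-vpn-connections --output json` and treat every tunnel it lists as one that needs either a customer-gateway-initiated negotiation or a change to IKEv2 with startup action Start.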

Add a contact for your PHD notifications

AWS sends a notification to the PHD and to the primary email that's associated with your account when a tunnel endpoint is replaced. To add a contact for your PHD notifications, see "Adding, changing, or removing alternate contacts" and "How do I CC another email address on account-related correspondence from AWS?"

AWS OFFICIAL. Updated a year ago

Just a short question, the words "tunnel replacement" are a little bit confusing. Currently it is not possible to use an Elastic IP for the tunnels, so AWS is providing an "Outside IP address" for both tunnels during the initial Site-to-Site creation. Can someone confirm that these outside IP addresses do not change while the tunnels are being replaced? That would be fatal, because these IPs are configured on the customer side and if they simply change, the VPN will suddenly stop working.

A second question is about the "Tunnel endpoint lifecycle control" option. In my case this is currently off. Can you explain this option?

replied 3 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
replied 3 months ago