AWS VPN Redundancy Loss happened in series almost every month

0

Hi everyone, I just noticed from the Health Dashboard that the VPN under my account has a series of VPN Redundancy Loss events almost every month. The most recent ones happened on 22, 24, 26, 28 and 30 March, and on 30 March the tunnel was down for 1 minute (AWS initiated) but was restored to normal again. Currently, because of a hardware limitation, my connection only has a single tunnel active. I'm just wondering whether this is normal?

asked 2 months ago · 76 views
2 Answers
0
Accepted Answer

Yes, this is normal behavior. The "VPN Redundancy Loss" notifications you're seeing are caused by AWS-managed tunnel endpoint replacements — routine maintenance that AWS performs periodically on all S2S VPN connections.

What's happening:

AWS Site-to-Site VPN is a managed service. AWS periodically replaces tunnel endpoints for:

  • General upgrades (patches, resiliency improvements)
  • Underlying hardware retirement
  • Automated health checks detecting an unhealthy endpoint

During these replacements, the tunnel briefly goes down and comes back up. The ~1 minute disruption on March 30th is consistent with a standard endpoint replacement. The pattern of multiple events across a month (22nd, 24th, 26th, 28th, 30th March) is also within normal range — AWS doesn't guarantee a fixed schedule for these.

(Source: AWS Site-to-Site VPN tunnel endpoint replacements)

Why it's more impactful for you:

AWS designs S2S VPN with two tunnels so that maintenance on one tunnel causes zero traffic impact. Since your customer gateway device only supports a single tunnel, every routine replacement results in a brief connectivity interruption rather than a seamless failover. This is an inherent trade-off of single-tunnel operation.

Recommendations given the hardware constraint:

  1. Enable Tunnel Endpoint Lifecycle Control — This is the most relevant option for your situation. It gives you advance notification of upcoming replacements and lets you choose when to apply them (e.g., during a maintenance window) rather than having AWS apply them at any time. You can enable it on your existing VPN connection via the console or CLI. - Details: Tunnel endpoint lifecycle control

  2. Set up CloudWatch alarms on TunnelState — Get immediate alerts when your tunnel goes down so you can monitor recovery in real time rather than discovering it after the fact in the Health Dashboard.

  3. Plan for device replacement long-term — When the hardware is due for refresh, consider a device that supports dual tunnels. This would eliminate the connectivity impact from AWS-managed maintenance entirely.

  4. Consider a secondary VPN connection as a workaround — If the device supports a second VPN connection (even if not a second tunnel on the same connection), you could set up a backup path using a separate VPN connection with a different customer gateway, providing redundancy at the connection level instead of the tunnel level.


The monthly maintenance events are normal and expected. The brief disruptions are unavoidable with a single-tunnel setup. Enabling Tunnel Endpoint Lifecycle Control is the best immediate step — it won't prevent the replacements, but it gives you control over when they happen.

(Note: Turning off the alarm — To deactivate single tunnel notifications, open a case with AWS Support. Only AWS Support can deactivate the notifications. Please read this article: How do I deactivate single tunnel notifications for my Site-to-Site VPN?)

AWS EXPERT · answered 2 months ago
AWS EXPERT · reviewed 2 months ago
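Recommendations 1 and 2 from the accepted answer, as an added AWS CLI example (not part of the answer above): opt the active tunnel into Tunnel Endpoint Lifecycle Control, apply a queued replacement on your own schedule, and alarm on TunnelState. The VPN connection ID, tunnel outside IP and SNS topic ARN are placeholders you must replace; commands print instead of executing until DRY_RUN=0.

```shell
#!/usr/bin/env bash
# Added example, not from the re:Post answer. All identifiers below are placeholders.
set -eo pipefail

VPN_ID="${VPN_ID:-vpn-0123456789abcdef0}"                               # placeholder
TUNNEL_IP="${TUNNEL_IP:-203.0.113.10}"                                  # placeholder: outside IP of the active tunnel
SNS_TOPIC="${SNS_TOPIC:-arn:aws:sns:us-east-1:123456789012:vpn-alerts}" # placeholder
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the command, 0 = execute it

run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Recommendation 1: with lifecycle control on, AWS queues endpoint replacements as
# pending maintenance instead of applying them whenever it likes.
enable_lifecycle_control() {   # $1 = VPN connection ID, $2 = tunnel outside IP
  run aws ec2 modify-vpn-tunnel-options \
    --vpn-connection-id "$1" \
    --vpn-tunnel-outside-ip-address "$2" \
    --tunnel-options '{"EnableTunnelLifecycleControl":true}'
}

# Run this inside your maintenance window to take the pending replacement; with a
# single active tunnel this is the ~1 minute outage, now at a time you chose.
apply_pending_maintenance() {  # $1 = VPN connection ID, $2 = tunnel outside IP
  run aws ec2 replace-vpn-tunnel \
    --vpn-connection-id "$1" \
    --vpn-tunnel-outside-ip-address "$2" \
    --apply-pending-maintenance
}

# Recommendation 2: TunnelState is 1 for UP and 0 for DOWN. Aggregated per VpnId,
# Maximum is 1 as long as the one active tunnel is up (Minimum would always be 0
# because the second tunnel is permanently down). Missing data counts as breaching
# so a telemetry gap also alerts.
create_tunnel_alarm() {        # $1 = VPN connection ID, $2 = SNS topic ARN
  run aws cloudwatch put-metric-alarm \
    --alarm-name "s2s-vpn-${1}-tunnel-down" \
    --namespace AWS/VPN --metric-name TunnelState \
    --dimensions Name=VpnId,Value="$1" \
    --statistic Maximum --period 60 --evaluation-periods 1 \
    --threshold 1 --comparison-operator LessThanThreshold \
    --treat-missing-data breaching \
    --alarm-actions "$2" --ok-actions "$2"
}

enable_lifecycle_control "$VPN_ID" "$TUNNEL_IP"
create_tunnel_alarm "$VPN_ID" "$SNS_TOPIC"
```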
0

Yes, this is normal behavior given your configuration. Since you mentioned that due to hardware limitations you only have a single tunnel active, AWS is designed to send you monthly notifications about this situation through the Health Dashboard.

When a Site-to-Site VPN connection has only one tunnel up while the other remains down for more than one hour in a day, AWS generates a VPN single tunnel notification. This event is updated daily with any detected single-tunnel VPN connections, and notifications are sent weekly. A new event is created each month, which explains why you're seeing these notifications consistently every month.

The brief tunnel disruptions you're experiencing (like the 1-minute downtime on March 30th) can occur during routine AWS maintenance or tunnel endpoint replacements. AWS performs periodic maintenance on VPN connections, which may temporarily disable one of the two tunnels.

While this is expected behavior, it's important to note that AWS strongly recommends configuring both tunnels for high availability. A Site-to-Site VPN connection consists of two tunnels for redundancy, with each tunnel terminating in a different Availability Zone. This design ensures that if there's a device failure or during maintenance, your VPN connection can automatically fail over to the second tunnel without interrupting access. When you're able to address your hardware limitations, enabling both tunnels would provide better resilience and eliminate these recurring notifications.
Sources:
  • AWS Health and AWS Site-to-Site VPN events - AWS Site-to-Site VPN
  • Resilience in AWS Site-to-Site VPN - AWS Site-to-Site VPN

answered 2 months ago
EXPERT · reviewed 2 months ago
EXPERT · reviewed 2 months ago
