The change in the external IP address of your Site-to-Site VPN tunnel can indeed be due to AWS maintenance, but there are other factors that could cause this as well.
AWS periodically updates tunnel endpoints for various reasons, including software upgrades, addressing health issues, or retiring underlying hardware. These updates can result in a replacement of one of the tunnel endpoints, which may lead to a change in the external IP address.
However, the fact that other tunnels under manual maintenance through tunnel endpoint lifecycle control did not experience IP changes suggests that this might not be a regular or uniform process across all VPN connections.
Some other factors that could potentially cause IP changes include:
- Modifications to your VPN connection: If you or someone in your organization modified certain components of the VPN connection, such as changing the target gateway, customer gateway, or VPN connection options, this could trigger a replacement of one or both tunnel endpoints.
- Dynamic IP allocation: If your VPN connection is set up with dynamic IP allocation, the IP address might change more frequently.
- Network issues or reconfigurations: Sometimes, network-level changes or issues could result in a reassignment of IP addresses.
It's important to note that these changes don't follow a regular pattern and can occur irregularly. AWS typically tries to maintain stability, but changes can happen for various operational reasons.
Regarding the difficulty and cost associated with changing the VPN configuration on your peer when the external IP changes, this is a valid concern. To mitigate this issue, you might consider:
- Using DNS names instead of IP addresses where possible in your VPN configuration.
- Implementing automation for updating your peer VPN configuration.
- Discussing with AWS support about options for more stable IP assignments or notifications of impending changes.
Remember, AWS designs Site-to-Site VPN connections with two tunnels for redundancy. Ensuring both tunnels are properly configured can help maintain connectivity even if one tunnel experiences changes.
Sources
AWS Site-to-Site VPN tunnel endpoint replacements - AWS Site-to-Site VPN
On VPC tunnel outages | AWS re:Post
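The "implementing automation" suggestion above, worked through as an added example that is not part of this answer or of any AWS tooling: it audits the outside IPs reported by `describe_vpn_connections` against the IPs last pushed to the peer device, so an endpoint replacement that changed an IP (or a tunnel that is simply DOWN) is flagged before the peer configuration silently goes stale. The response shape is the one boto3's `ec2.describe_vpn_connections()` returns; the expected-IP table, connection ID and addresses are constructed sample data.

```python
"""Audit Site-to-Site VPN tunnel outside IPs and status from a describe_vpn_connections response."""
from typing import Dict, List

# Operator-maintained record of the outside IPs last configured on the peer (constructed sample).
EXPECTED_OUTSIDE_IPS: Dict[str, List[str]] = {
    "vpn-0123456789abcdef0": ["203.0.113.10", "203.0.113.11"],
}

# Constructed sample in the shape of ec2.describe_vpn_connections(): tunnel 2's endpoint
# now reports an outside IP the peer has never been told about, and the tunnel is DOWN.
SAMPLE_RESPONSE = {
    "VpnConnections": [
        {
            "VpnConnectionId": "vpn-0123456789abcdef0",
            "State": "available",
            "VgwTelemetry": [
                {"OutsideIpAddress": "203.0.113.10", "Status": "UP", "StatusMessage": ""},
                {"OutsideIpAddress": "203.0.113.42", "Status": "DOWN", "StatusMessage": "IPSEC IS DOWN"},
            ],
        }
    ]
}


def audit_tunnels(response: dict, expected: Dict[str, List[str]]) -> List[dict]:
    """Return one finding per tunnel whose outside IP is unknown to the peer config or that is not UP."""
    findings = []
    for conn in response.get("VpnConnections", []):
        conn_id = conn["VpnConnectionId"]
        known = set(expected.get(conn_id, []))
        # VgwTelemetry lists the tunnels in order; number them 1 and 2 for operators.
        for idx, tunnel in enumerate(conn.get("VgwTelemetry", []), start=1):
            ip = tunnel["OutsideIpAddress"]
            status = tunnel.get("Status", "UNKNOWN")
            finding = {"connection": conn_id, "tunnel": idx, "outside_ip": ip, "status": status}
            if ip not in known:
                # The peer still points at an old IP: its IKE peer address must be updated.
                findings.append({**finding, "issue": "outside_ip_changed"})
            elif status != "UP":
                findings.append({**finding, "issue": "tunnel_down"})
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_RESPONSE with boto3.client("ec2").describe_vpn_connections() when run for real.
    for finding in audit_tunnels(SAMPLE_RESPONSE, EXPECTED_OUTSIDE_IPS):
        print(finding)
```

Run it on a schedule (for example from a cron job or Lambda) and feed the findings into whatever alerting or peer-configuration automation you already have.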
I suggest using monitoring checks (i.e. ping, http(s), etc.) to keep tunnels in use. This can prevent tunnel replacement from waiting for 'interesting' traffic before bringing a tunnel up again.
Note: AWS Site-to-Site VPN updates one of your tunnels at a time. When Site-to-Site VPN replaces your tunnel endpoint, your endpoint's outside IP address doesn't change.
Reference: https://repost.aws/knowledge-center/vpn-tunnel-endpoint-replacement