AWS Security ChangesHomeSearch

AWS vpn documentation change

Service: vpn · 2025-05-01 · Documentation medium

File: vpn/latest/s2svpn/VPNTunnels.md

Summary

Clarified CIDR usage in VPN configurations and emphasized AWS's exclusive use of route-based VPNs with security control requirements

Security assessment

The documentation update explicitly states that CIDR ranges are for route proposals only and do not enforce traffic restrictions, requiring proper use of NACLs and security groups for actual traffic control. While this highlights security best practices, there is no direct evidence of addressing a specific security vulnerability. The change emphasizes AWS's security architecture but doesn't reference any specific security incident.

Diff

diff --git a/vpn/latest/s2svpn/VPNTunnels.md b/vpn/latest/s2svpn/VPNTunnels.md
index a86750409..ebc040cba 100644
--- a//vpn/latest/s2svpn/VPNTunnels.md
+++ b//vpn/latest/s2svpn/VPNTunnels.md
@@ -106 +106 @@ Default: A size /126 IPv6 CIDR block from the local `fd00::/8` range.
-(IPv4 VPN connection only) The IPv4 CIDR range on the customer gateway (on-premises) side that is allowed to communicate over the VPN tunnels.
+(IPv4 VPN connection only) The CIDR range used during IKE phase 2 negotiation for the customer (on-premises) side of the VPN tunnel. This range is used to propose routes but does not enforce traffic restrictions since AWS uses route-based VPNs exclusively. Policy-based VPNs are not supported as they would limit AWS' ability to support dynamic routing protocols and multi-region architectures. This should include the IP ranges from your on-premises network that need to communicate over the VPN tunnel. Proper route table configurations, NACLs, and security groups should be used to control actual traffic flow.
@@ -113 +113 @@ Default: 0.0.0.0/0
-(IPv4 VPN connection only) The IPv4 CIDR range on the AWS side that is allowed to communicate over the VPN tunnels. 
+(IPv4 VPN connection only) The CIDR range used during IKE phase 2 negotiation for the AWS side of the VPN tunnel. This range is used to propose routes but does not enforce traffic restrictions since AWS uses route-based VPNs exclusively. AWS does not support policy-based VPNs because they lack the flexibility required for complex routing scenarios and are incompatible with features like transit gateways and VPN Equal Cost Multi-Path (ECMP). For VPCs, this is typically the CIDR range of your VPC. For transit gateways, this could include multiple CIDR ranges from attached VPCs or other network.