AWS Security ChangesHomeSearch

AWS vpn documentation change

Service: vpn · 2025-07-04 · Documentation high

File: vpn/latest/s2svpn/create-cwan-vpn-attachment.md

Summary

Added IPv6 protocol support documentation, clarified customer gateway creation steps, introduced Secrets Manager for pre-shared key storage, added tunnel activity logging, and expanded network CIDR configuration options.

Security assessment

The change introduces documentation for using AWS Secrets Manager to store pre-shared keys (security best practice) and adds tunnel activity logging capabilities. While these enhance security posture, there's no evidence they address a specific existing vulnerability.

Diff

diff --git a/vpn/latest/s2svpn/create-cwan-vpn-attachment.md b/vpn/latest/s2svpn/create-cwan-vpn-attachment.md
index 5a89907e5..8aace8549 100644
--- a//vpn/latest/s2svpn/create-cwan-vpn-attachment.md
+++ b//vpn/latest/s2svpn/create-cwan-vpn-attachment.md
@@ -7 +7,3 @@
-You can create an Site-to-Site VPN attachment for AWS Cloud WAN using the following procedure. Follow the procedure below to create a VPN attachment for Cloud WAN. For more information about VPN attachments and Cloud WAN, see [Site-to-site VPN attachments in AWS Cloud WAN](https://docs.aws.amazon.com/network-manager/latest/cloudwan/cloudwan-s2s-vpn-attachment.html) in the _AWS Cloud WAN User Guide_.
+You can create an Site-to-Site VPN attachment for AWS Cloud WAN follow the procedure below. For more information about VPN attachments and Cloud WAN, see [Site-to-site VPN attachments in AWS Cloud WAN](https://docs.aws.amazon.com/network-manager/latest/cloudwan/cloudwan-s2s-vpn-attachment.html) in the _AWS Cloud WAN User Guide_.
+
+Cloud WAN VPN attachments support both IPv4 or IPv6 protocols. For more information on using either of these protocols for a Cloud WAN VPN attachment, see [IPv4 and IPv6 traffic in AWS Site-to-Site VPN](./ipv4-ipv6.html).
@@ -23 +25,7 @@ You can create an Site-to-Site VPN attachment for AWS Cloud WAN using the follow
-     * To use an existing customer gateway, choose **Existing** , and then choose the customer gateway.
+     * To use an existing customer gateway, choose **Existing** , and then choose the **Customer gateway ID**.
+
+     * To create a new customer gateway, choose **New**.
+
+       1. For the **IP address** , enter a static **IPv4** or **IPv6** address.
+
+       2. (Optional) For **Certificate ARN** , choose the ARN of your private certificate (if using certificate-based authentication). 
@@ -25 +33 @@ You can create an Site-to-Site VPN attachment for AWS Cloud WAN using the follow
-     * To create a customer gateway, choose **New**. For **IP address** , enter a static public IP address. For **Certificate ARN** , choose the ARN of your private certificate (if using certificate-based authentication). For **BGP ASN** , enter the Border Gateway Protocol (BGP) Autonomous System Number (ASN) of your customer gateway. For more information, see [Customer gateway options](./cgw-options.html).
+       3. For **BGP ASN** , enter the Border Gateway Protocol (BGP) Autonomous System Number (ASN) of your customer gateway. For more information, see [Customer gateway options](./cgw-options.html).
@@ -27 +35 @@ You can create an Site-to-Site VPN attachment for AWS Cloud WAN using the follow
-  7. For **Routing options** , choose **Dynamic** or **Static**.
+  7. For **Routing options** , choose **Dynamic (requires BGP)** or **Static**.
@@ -29 +37 @@ You can create an Site-to-Site VPN attachment for AWS Cloud WAN using the follow
-  8. For **Tunnel inside IP version** , choose **IPv4** or **IPv6**.
+  8. For **Pre-shared key storage** choose either **Standard** or **Secrets Manager**. The default selection is **Standard**. For more information about using AWS Secrets Manager, see [Security](./security.html).
@@ -31 +39,3 @@ You can create an Site-to-Site VPN attachment for AWS Cloud WAN using the follow
-  9. (Optional) For **Enable acceleration** , select the check box to enable acceleration. For more information, see [Accelerated VPN connections](./accelerated-vpn.html).
+  9. For **Tunnel inside IP version** , choose **IPv4** or **IPv6**.
+
+  10. (Optional) For **Enable acceleration** , choose the check box to enable acceleration. For more information, see [Accelerated VPN connections](./accelerated-vpn.html).
@@ -35 +45,7 @@ If you enable acceleration, we create two accelerators that are used by your VPN
-  10. (Optional) For **Local IPv4 network CIDR** , specify the IPv4 CIDR range on the customer gateway (on-premises) side that is allowed to communicate over the VPN tunnels. The default is `0.0.0.0/0`.
+  11. (Optional) Depending on which tunnel inside IP version you've chosen, do one of the following:
+
+     * IPv4 — For **Local IPv4 network CIDR** , specify the IPv4 CIDR range on the customer gateway (on-premises) side that is allowed to communicate over the VPN tunnels. For **Remote IPv4 network CIDR** , choose the CIDR range on the AWS side that is allowed to communicate over VPN tunnels. The default value for both fields is `0.0.0.0/0`. 
+
+     * IPv6 — For **Local IPv6 network CIDR** , specify the IPv6 CIDR range on the customer gateway (on-premises) side that is allowed to communicate over the VPN tunnels. For **Remote IPv6 network CIDR** , choose the CIDR range on the AWS side that is allowed to communicate over VPN tunnels. The default value for both fields is `::/0`
+
+  12. For **Outside IP address type** , choose one of the following options:
@@ -37 +53 @@ If you enable acceleration, we create two accelerators that are used by your VPN
-For **Remote IPv4 network CIDR** , specify the IPv4 CIDR range on the AWS side that is allowed to communicate over the VPN tunnels. The default is `0.0.0.0/0`.
+     * **Public IPv4** \- (Default) Use IPv4 addresses for the outer tunnel IPs.
@@ -39 +55 @@ For **Remote IPv4 network CIDR** , specify the IPv4 CIDR range on the AWS side t
-If you specified **IPv6** for **Tunnel inside IP version** , then specify the IPv6 CIDR ranges on the customer gateway side and AWS side that are allowed to communicate over the VPN tunnels. The default for both ranges is `::/0`.
+     * **Private IPv4** \- Use a private IPv4 address for use within private networks.
@@ -41 +57,7 @@ If you specified **IPv6** for **Tunnel inside IP version** , then specify the IP
-  11. (Optional) For **Tunnel options** , you can specify the following information for each tunnel:
+     * **IPv6** \- Use IPv6 addresses for the outer tunnel IPs. This option requires that your customer gateway device supports IPv6 addressing.
+
+###### Note
+
+If you select **IPv6** for the outside IP address type, you must create a customer gateway with an IPv6 address
+
+  13. (Optional) For **Tunnel 1 options** , you can specify the following information for each tunnel:
@@ -51 +73,7 @@ If you specified **IPv6** for **Tunnel inside IP version** , then specify the IP
-  12. Choose **Create VPN connection**.
+     * (Optional) Choose **Enable** for the **Tunnel activity log** to capture log messages for IPsec activity and DPD protocol messages.
+
+     * (Optional) Choose **Turn on** for **Tunnel endpoint lifecycle** to control the schedule for endpoint replacements. For more information about tunnel endpoint lifecycle, see [Tunnel endpoint lifecycle](./tunnel-endpoint-lifecycle.html).
+
+  14. (Optional) Choose **Tunnel 2 options** and follow the previous steps to set up a second tunnel.
+
+  15. Choose **Create VPN connection**.
@@ -61,0 +90,4 @@ If you specified **IPv6** for **Tunnel inside IP version** , then specify the IP
+Example for creating a VPN connection with IPv6 outer tunnel IPs and IPv6 inner tunnel IPs:
+    
+        aws ec2 create-vpn-connection --type ipsec.1 --customer-gateway-id cgw-001122334455aabbc --options OutsideIPAddressType=Ipv6,TunnelInsideIpVersion=pv6,TunnelOptions=[{StartupAction=start},{StartupAction=start}]
+