

# Monitor an AWS Site-to-Site VPN connection
<a name="monitoring-overview-vpn"></a>

Monitoring is an important part of maintaining the reliability, availability, and performance of your AWS Site-to-Site VPN connection. You should collect monitoring data from all of the parts of your solution so that you can more easily debug a multi-point failure if one occurs. Before you start monitoring your Site-to-Site VPN connection, however, you should create a monitoring plan that includes answers to the following questions:
+ What are your monitoring goals?
+ What resources will you monitor?
+ How often will you monitor these resources?
+ What monitoring tools will you use?
+ Who will perform the monitoring tasks?
+ Who should be notified when something goes wrong?

The next step is to establish a baseline for normal VPN performance in your environment, by measuring performance at various times and under different load conditions. As you monitor your VPN, store historical monitoring data so that you can compare it with current performance data, identify normal performance patterns and performance anomalies, and devise methods to address issues.

To establish a baseline, you should monitor the following items:
+ The state of your VPN tunnels
+ Data into the tunnel
+ Data out of the tunnel

**Topics**
+ [Monitoring tools](#monitoring-automated-manual)
+ [Site-to-Site VPN logs](monitoring-logs.md)
+ [Monitor Site-to-Site VPN tunnels using CloudWatch](monitoring-cloudwatch-vpn.md)
+ [AWS Health and Site-to-Site VPN events](monitoring-vpn-health-events.md)

## Monitoring tools
<a name="monitoring-automated-manual"></a>

AWS provides various tools that you can use to monitor a Site-to-Site VPN connection. You can configure some of these tools to do the monitoring for you, while some of the tools require manual intervention. We recommend that you automate monitoring tasks as much as possible.

### Automated monitoring tools
<a name="monitoring-automated_tools"></a>

You can use the following automated monitoring tools to watch a Site-to-Site VPN connection and report when something is wrong:
+ **Amazon CloudWatch Alarms** — Watch a single metric over a time period that you specify, and perform one or more actions based on the value of the metric relative to a given threshold over a number of time periods. The action is a notification sent to an Amazon SNS topic. CloudWatch alarms do not invoke actions simply because they are in a particular state; the state must have changed and been maintained for a specified number of periods. For more information, see [Monitor AWS Site-to-Site VPN tunnels using Amazon CloudWatch](monitoring-cloudwatch-vpn.md).
+ **AWS CloudTrail Log Monitoring** — Share log files between accounts, monitor CloudTrail log files in real time by sending them to CloudWatch Logs, write log processing applications in Java, and validate that your log files have not changed after delivery by CloudTrail. For more information, see [Log API calls using AWS CloudTrail](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/monitor-with-cloudtrail.html) in the *Amazon EC2 API Reference* and [Working with CloudTrail log files](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-working-with-log-files.html) in the *AWS CloudTrail User Guide*.
+ **AWS Health events** — Receive alerts and notifications related to changes in the health of your Site-to-Site VPN tunnels, best practice configuration recommendations, or when approaching scaling limits. Use events on the [Personal Health Dashboard](https://docs.aws.amazon.com/health/latest/ug/what-is-aws-health.html) to trigger automated failovers, reduce troubleshooting time, or optimize connections for high availability. For more information, see [AWS Health and AWS Site-to-Site VPN events](monitoring-vpn-health-events.md).

### Manual monitoring tools
<a name="monitoring-manual-tools"></a>

Another important part of monitoring a Site-to-Site VPN connection involves manually monitoring those items that the CloudWatch alarms don't cover. The Amazon VPC and CloudWatch console dashboards provide an at-a-glance view of the state of your AWS environment. 

**Note**  
In the Amazon VPC console, Site-to-Site VPN tunnel state parameters such as "Status" and "Last status change" may not reflect transient state changes or momentary tunnel flaps. We recommend that you use CloudWatch metrics and logs for granular tunnel state change updates.
+ The Amazon VPC dashboard shows:
  + Service health by Region
  + Site-to-Site VPN connections
  + VPN tunnel status (In the navigation pane, choose **Site-to-Site VPN Connections**, select a Site-to-Site VPN connection, and then choose **Tunnel Details**)
+ The CloudWatch home page shows:
  + Current alarms and status
  + Graphs of alarms and resources
  + Service health status

  In addition, you can use CloudWatch to do the following: 
  + Create [customized dashboards](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Dashboards.html) to monitor the services you care about
  + Graph metric data to troubleshoot issues and discover trends
  + Search and browse all your AWS resource metrics
  + Create and edit alarms to be notified of problems

# AWS Site-to-Site VPN logs
<a name="monitoring-logs"></a>

AWS Site-to-Site VPN logs provide you with deeper visibility into your Site-to-Site VPN deployments. With this feature, you have access to Site-to-Site VPN connection logs that provide details on IP Security (IPsec) tunnel establishment, Internet Key Exchange (IKE) negotiations, dead peer detection (DPD) protocol messages, and Border Gateway Protocol (BGP) status and routing updates.

Site-to-Site VPN logs can be published to Amazon CloudWatch Logs. This feature provides customers with a single consistent way to access and analyze detailed logs for all of their Site-to-Site VPN connections.

**Topics**
+ [Benefits of Site-to-Site VPN logs](#log-benefits)
+ [Amazon CloudWatch Logs resource policy size restrictions](#cwl-policy-size)
+ [Site-to-Site VPN log contents](#log-contents)
+ [Example log format for Tunnel BGP logs](#example-bgp-logs)
+ [IAM requirements to publish to CloudWatch Logs](#publish-cw-logs)
+ [View Site-to-Site VPN logs configuration](status-logs.md)
+ [Enable Site-to-Site VPN logs](enable-logs.md)
+ [Disable Site-to-Site VPN logs](disable-logs.md)

## Benefits of Site-to-Site VPN logs
<a name="log-benefits"></a>
+ **Simplified VPN troubleshooting:** Site-to-Site VPN logs help you to pinpoint configuration mismatches between AWS and your customer gateway device, and address initial VPN connectivity issues. VPN connections can intermittently flap over time because of misconfigured settings (such as poorly tuned timeouts), issues in the underlying transport networks (such as internet weather), or routing changes and path failures that disrupt connectivity over the VPN. This feature allows you to accurately diagnose the cause of intermittent connection failures and fine-tune low-level tunnel configuration for reliable operation.
+ **Centralized AWS Site-to-Site VPN visibility:** Site-to-Site VPN logs can provide tunnel activity and BGP routing logs across all Site-to-Site VPN connection types. This feature provides customers with a single consistent way to access and analyze detailed logs for all of their Site-to-Site VPN connections.
+ **Security and compliance:** Site-to-Site VPN logs can be sent to Amazon CloudWatch Logs for retrospective analysis of VPN connection status and activity over time. This can help you meet compliance and regulatory requirements.

## Amazon CloudWatch Logs resource policy size restrictions
<a name="cwl-policy-size"></a>

CloudWatch Logs resource policies are limited to 5120 characters. When CloudWatch Logs detects that a policy approaches this size limit, it automatically enables log groups that start with `/aws/vendedlogs/`. When you enable logging, Site-to-Site VPN must update your CloudWatch Logs resource policy with the log group you specify. To avoid reaching the CloudWatch Logs resource policy size limit, prefix your log group names with `/aws/vendedlogs/`.

## Site-to-Site VPN log contents
<a name="log-contents"></a>

The following information is included in the Site-to-Site VPN tunnel activity log. The log stream file name uses VpnConnectionID and TunnelOutsideIPAddress.


| Field | Description | 
| --- | --- | 
|  VpnLogCreationTimestamp (`event_timestamp`)  |  Log creation timestamp in epoch time format.  | 
|  VpnLogCreationTimestampReadable (`timestamp`)  |  Log creation timestamp in human readable time format.  | 
|  TunnelDPDEnabled (`dpd_enabled`)  |  Dead Peer Detection Protocol Enabled Status (True/False).  | 
|  TunnelCGWNATTDetectionStatus (`nat_t_detected`)  | NAT-T detected on customer gateway device (True/False). | 
|  TunnelIKEPhase1State (`ike_phase1_state`)  | IKE Phase 1 Protocol State (Established \| Rekeying \| Negotiating \| Down). | 
|  TunnelIKEPhase2State (`ike_phase2_state`)  | IKE Phase 2 Protocol State (Established \| Rekeying \| Negotiating \| Down). | 
|  VpnLogDetail (`details`)  | Verbose messages for IPsec, IKE and DPD protocols. | 

The following information is included in the Site-to-Site VPN tunnel BGP log. The log stream file name uses VpnConnectionID and TunnelOutsideIPAddress.


| Field | Description | 
| --- | --- | 
|  resource_id  |  A unique ID that identifies the tunnel and the VPN connection the log is associated with.  | 
|  event_timestamp  |  Log creation timestamp in epoch time format.  | 
|  timestamp  |  Log creation timestamp in human readable time format.  | 
|  type  | Type of BGP log event (BGPStatus \| RouteStatus). | 
|  status  | Status update for a specific type of log event. BGPStatus: UP \| DOWN. RouteStatus: ADVERTISED (route was advertised by the peer) \| UPDATED (existing route was updated by the peer) \| WITHDRAWN (route was withdrawn by the peer). | 
|  message  | Provides additional details on the log event and status. This field helps you understand why the BGPStatus is DOWN and what route attributes were exchanged in the RouteStatus message. | 

**Topics**
+ [IKEv1 Error Messages](#sample-log-ikev1)
+ [IKEv2 Error Messages](#sample-log-ikev2)
+ [IKEv2 Negotiation Messages](#sample-log-ikev2-negotiation)
+ [BGP Status Messages](#sample-bgp-status-messages)
+ [Route Status Messages](#sample-route-status-messages)

### IKEv1 Error Messages
<a name="sample-log-ikev1"></a>


| Message | Explanation | 
| --- | --- | 
|  Peer is not responsive - Declaring peer dead  |  Peer has not responded to DPD Messages, enforcing DPD time-out action.  | 
|  AWS tunnel payload decryption was unsuccessful due to invalid Pre-shared Key  |  Same Pre-Shared key needs to be configured on both IKE Peers.  | 
|  No Proposal Match Found by AWS  |  Proposed Attributes for Phase 1 (Encryption, Hashing and DH Group) are not supported by the AWS VPN endpoint, for example `3DES`.  | 
|  No Proposal Match Found. Notifying with "No proposal chosen"  |  The No Proposal Chosen error message is exchanged between peers to inform them that correct Proposals/Policies must be configured for Phase 2 on the IKE peers.  | 
|  AWS tunnel received DELETE for Phase 2 SA with SPI: xxxx  | CGW has sent the Delete_SA message for Phase 2. | 
|  AWS tunnel received DELETE for IKE_SA from CGW  | CGW has sent the Delete_SA message for Phase 1. | 

### IKEv2 Error Messages
<a name="sample-log-ikev2"></a>


| Message | Explanation | 
| --- | --- | 
|  AWS tunnel DPD timed out after [retry_count] retransmits  |  Peer has not responded to DPD Messages, enforcing DPD time-out action.   | 
|  AWS tunnel received DELETE for IKE_SA from CGW  |  Peer has sent the Delete_SA message for the Parent/IKE_SA.  | 
|  AWS tunnel received DELETE for Phase 2 SA with SPI: xxxx  | Peer has sent the Delete_SA message for the CHILD_SA. | 
|  AWS tunnel detected a (CHILD_REKEY) collision as CHILD_DELETE  |  CGW has sent the Delete_SA message for the Active SA, which is being rekeyed.  | 
|  AWS tunnel (CHILD_SA) redundant SA is being deleted due to detected collision  | If redundant SAs are generated because of a collision, the peers close the redundant SA after comparing the nonce values, as specified in the RFC. | 
|  AWS tunnel Phase 2 was unable to establish while keeping Phase 1  | Peer was unable to establish the CHILD_SA because of a negotiation error, for example an incorrect proposal.  | 
|  AWS: Traffic Selector: TS_UNACCEPTABLE: received from responder  | Peer has proposed incorrect Traffic Selectors/Encryption Domain. Peers should be configured with identical and correct CIDRs. | 
|  AWS tunnel is sending AUTHENTICATION_FAILED as the response  | Peer is unable to authenticate the other peer by verifying the IKE_AUTH message's contents. | 
|  AWS tunnel detected a pre-shared key mismatch with cgw: xxxx  | Same Pre-Shared key needs to be configured on both IKE Peers. | 
|  AWS tunnel Timeout: deleting un-established Phase 1 IKE_SA with cgw: xxxx  | Deleting the half-opened IKE_SA because the peer has not proceeded with negotiations. | 
|  No Proposal Match Found. Notifying with "No proposal chosen"  | The No Proposal Chosen error message is exchanged between peers to inform them that correct Proposals must be configured on the IKE peers. | 
|  No Proposal Match Found by AWS  | Proposed Attributes for Phase 1 or Phase 2 (Encryption, Hashing and DH Group) are not supported by the AWS VPN endpoint, for example `3DES`. | 

### IKEv2 Negotiation Messages
<a name="sample-log-ikev2-negotiation"></a>


| Message | Explanation | 
| --- | --- | 
|  AWS tunnel processed request (id=xxx) for CREATE_CHILD_SA  |  AWS has received the CREATE_CHILD_SA request from CGW.  | 
|  AWS tunnel is sending response (id=xxx) for CREATE_CHILD_SA  |  AWS is sending the CREATE_CHILD_SA response to CGW.  | 
|  AWS tunnel is sending request (id=xxx) for CREATE_CHILD_SA  | AWS is sending the CREATE_CHILD_SA request to CGW. | 
|  AWS tunnel processed response (id=xxx) for CREATE_CHILD_SA  |  AWS has received the CREATE_CHILD_SA response from CGW.  | 

### BGP Status Messages
<a name="sample-bgp-status-messages"></a>

 BGP Status messages contain information related to BGP Session state transitions, prefix limit warnings, limit violations, BGP session notifications, BGP OPEN messages, and attribute updates for a BGP neighbor for a given BGP session. 


| Message | BGP Status | Explanation | 
| --- | --- | --- | 
|   AWS-side peer BGP session state has changed from Idle to Connect with neighbor [ip: xxx]   |   DOWN   |   BGP Connection state on the AWS side has been updated to Connect.   | 
|   AWS-side peer BGP session state has changed from Connect to OpenSent with neighbor [ip: xxx]   |   DOWN   |   BGP Connection state on the AWS side has been updated to OpenSent.   | 
|   AWS-side peer BGP session state has changed from OpenSent to OpenConfirm with neighbor [ip: xxx]   |   DOWN   |   BGP Connection state on the AWS side has been updated to OpenConfirm.   | 
|   AWS-side peer BGP session state has changed from OpenConfirm to Established with neighbor [ip: xxx]   |   UP   |   BGP Connection state on the AWS side has been updated to Established.   | 
|   AWS-side peer BGP session state has changed from Established to Idle with neighbor [ip: xxx]   |   DOWN   |   BGP Connection state on the AWS side has been updated to Idle.   | 
|   AWS-side peer BGP session state has changed from Connect to Active with neighbor [ip: xxx]   |   DOWN   |   BGP Connection state on the AWS side transitioned from Connect to Active. Check TCP port 179 availability on CGW if BGP session is stuck in Connect state.   | 
|   AWS-side peer is reporting a maximum prefix limit warning - received [prefixes (count): xxx] prefixes from neighbor [ip: xxx], limit is [limit (numeric): xxx]   |   UP   |   The AWS side periodically generates a log message when the number of prefixes received from the CGW nears the allowed limit.   | 
|   AWS-side peer detected the maximum prefix limit was exceeded - received [prefixes (count): xxx] prefixes from neighbor [ip: xxx], limit is [limit (numeric): xxx]   |   DOWN   |   The AWS side generates a log message when the number of prefixes received from the CGW exceeded the allowed limit.   | 
|   AWS-side peer sent a notification 6/1 (Cease/Maximum Number of Prefixes Reached) to neighbor [ip: xxx]   |   DOWN   |   The AWS side sent a notification to the CGW BGP peer to indicate that the BGP session was terminated due to a prefix limit violation.   | 
|   AWS-side peer received notification 6/1 (Cease/Maximum Number of Prefixes Reached) from neighbor [ip: xxx]   |   DOWN   |  The AWS side received a notification from the CGW peer to indicate that the BGP session was terminated due to a prefix limit violation.   | 
|   AWS-side peer sent a notification 6/2 (Cease/Administrative Shutdown) to neighbor [ip: xxx]   |   DOWN   |   The AWS side sent a notification to the CGW BGP peer to indicate that the BGP session was terminated.   | 
|   AWS-side peer received notification 6/2 (Cease/Administrative Shutdown) from neighbor [ip: xxx]   |   DOWN   |   The AWS side received a notification from the CGW peer to indicate that the BGP session was terminated.   | 
|   AWS-side peer sent a notification 6/3 (Cease/Peer Unconfigured) to neighbor [ip: xxx]   |   DOWN   |   The AWS side sent a notification to the CGW peer to indicate that the peer is not configured or has been removed from configuration.   | 
|   AWS-side peer received notification 6/3 (Cease/Peer Unconfigured) from neighbor [ip: xxx]   |   DOWN   |   The AWS side received a notification from the CGW peer to indicate that the peer is not configured or has been removed from configuration.   | 
|   AWS-side peer sent a notification 6/4 (Cease/Administrative Reset) to neighbor [ip: xxx]   |   DOWN   |   The AWS side sent a notification to the CGW BGP peer to indicate that the BGP session was reset.   | 
|   AWS-side peer received notification 6/4 (Cease/Administrative Reset) from neighbor [ip: xxx]   |   DOWN   |   The AWS side received a notification from the CGW peer to indicate that the BGP session was reset.   | 
|   AWS-side peer sent a notification 6/5 (Cease/Connection Rejected) to neighbor [ip: xxx]   |   DOWN   |   The AWS side sent a notification to the CGW BGP peer to indicate that the BGP session was rejected.   | 
|   AWS-side peer received notification 6/5 (Cease/Connection Rejected) from neighbor [ip: xxx]   |   DOWN   |   The AWS side received a notification from the CGW peer to indicate that the BGP session was rejected.   | 
|   AWS-side peer sent a notification 6/6 (Cease/Other Configuration Change) to neighbor [ip: xxx]   |   DOWN   |   The AWS side sent a notification to the CGW BGP peer to indicate that a BGP session configuration change took place.   | 
|   AWS-side peer received notification 6/6 (Cease/Other Configuration Change) from neighbor [ip: xxx]   |   DOWN   |   The AWS side received a notification from the CGW peer which indicates that a BGP session configuration change took place.   | 
|   AWS-side peer sent a notification 6/7 (Cease/Connection Collision Resolution) to neighbor [ip: xxx]   |   DOWN   |   The AWS side sent a notification to the CGW peer to resolve a connection collision when both peers attempt to establish a connection simultaneously.   | 
|   AWS-side peer received notification 6/7 (Cease/Connection Collision Resolution) from neighbor [ip: xxx]   |   DOWN   |   The AWS side received a notification from the CGW peer indicating resolution of a connection collision when both peers attempt to establish a connection simultaneously.   | 
|   AWS-side peer sent a Hold Timer Expired notification to neighbor [ip: xxx]   |   DOWN   |   The BGP hold timer expired and a notification was sent by the AWS side to the CGW.   | 
|   AWS-side peer detected a bad OPEN message from neighbor [ip: xxx] - remote AS is [asn: xxx], expected [asn: xxx]   |   DOWN   |   The AWS side detected a bad OPEN message was received from the CGW peer which is indicative of a configuration mismatch.   | 
|   AWS-side peer received an OPEN message from neighbor [ip: xxx] - version 4, AS [asn: xxx], holdtime [holdtime (seconds): xxx], router-id [id: xxx]   |   DOWN   |   The AWS side received a BGP open message to initiate a BGP session with the CGW peer.   | 
|   AWS-side peer sent an OPEN message to neighbor [ip: xxx] - version 4, AS [asn: xxx], holdtime [holdtime (seconds): xxx], router-id [id: xxx]   |   DOWN   |   The CGW peer sent a BGP open message to initiate a BGP session with the AWS side BGP peer.   | 
|   AWS-side peer is initiating a connection (via Connect) to neighbor [ip: xxx]   |   DOWN   |   The AWS side is attempting to connect with the CGW BGP neighbor.   | 
|   AWS-side peer sent an End-of-RIB message to neighbor [ip: xxx]   |   UP   |   The AWS side has finished transmitting routes to the CGW after BGP session establishment.   | 
|   AWS-side peer received update with attributes from neighbor [ip: xxx] - AS path: [aspath (list): xxx xxx xxx]   |   UP   |   The AWS side received a BGP session attribute update from the neighbor.   | 

### Route Status Messages
<a name="sample-route-status-messages"></a>

Unlike BGP Status Messages, Route Status Messages contain data about the BGP attributes of a given prefix, such as AS path, local preference, Multi-Exit Discriminator (MED), next hop IP address, and weight. A Route Status message only contains a details field when there is an error with a route that was ADVERTISED, UPDATED, or WITHDRAWN. Examples are as follows:


| Message | Explanation | 
| --- | --- | 
|   DENIED due to: as-path contains our own AS   |   A BGP update message for a new prefix from the CGW was denied by AWS because the route's AS path contains the AWS-side peer's own AS.   | 
|   DENIED due to: non-connected next-hop   |   AWS rejected a BGP route advertisement for the prefix from the CGW because the next-hop validation failed (the next hop is not a connected address). Ensure the route is reachable on the CGW side.   | 

## Example log format for Tunnel BGP logs
<a name="example-bgp-logs"></a>

```
{
    "resource_id": "vpn-1234abcd_1.2.3.4",
    "event_timestamp": 1762580429641,
    "timestamp": "2025-11-08 05:40:29.641Z",
    "type": "BGPStatus",
    "status": "UP",
    "message": {
        "details": "AWS-side peer BGP session state has changed from OpenConfirm to Established with neighbor 169.254.50.85"
    }
}

{
    "resource_id": "vpn-1234abcd_1.2.3.4",
    "event_timestamp": 1762579573243,
    "timestamp": "2025-11-08 05:26:13.243Z",
    "type": "RouteStatus",
    "status": "UPDATED",
    "message": {
        "prefix": "172.31.0.0/16",
        "asPath": "64512",
        "localPref": 100,
        "med": 100,
        "nextHopIp": "169.254.50.85",
        "weight": 32768,
        "details": "DENIED due to: as-path contains our own AS"
    }
}
```
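As an added example that is not part of the AWS documentation, the following Python script ingests records in the BGP log format shown above (json output format) and flags the conditions the BGP Status and Route Status tables describe: a session dropping from UP to DOWN together with its Cease notification code, prefix-limit warnings, DENIED routes, and DOWN-to-UP re-establishments as a flap indicator. The sample records are constructed; the VPN ID, outside IP, neighbor address and ASNs are placeholders.

```python
"""Triage AWS Site-to-Site VPN tunnel BGP logs (json output format)."""
import json
import re

# Constructed sample records in the documented BGP log shape (not real output).
# resource_id is "<VpnConnectionID>_<TunnelOutsideIPAddress>". Records may be
# pretty-printed and blank-line separated, as in the documentation example.
SAMPLE_LOG = """
{"resource_id": "vpn-1234abcd_1.2.3.4", "event_timestamp": 1762580429641,
 "timestamp": "2025-11-08 05:40:29.641Z", "type": "BGPStatus", "status": "UP",
 "message": {"details": "AWS-side peer BGP session state has changed from OpenConfirm to Established with neighbor 169.254.50.85"}}

{"resource_id": "vpn-1234abcd_1.2.3.4", "event_timestamp": 1762580430000,
 "timestamp": "2025-11-08 05:40:30.000Z", "type": "RouteStatus", "status": "ADVERTISED",
 "message": {"prefix": "10.20.0.0/16", "asPath": "65001", "localPref": 100, "med": 0,
             "nextHopIp": "169.254.50.85", "weight": 0}}
{"resource_id": "vpn-1234abcd_1.2.3.4", "event_timestamp": 1762580431000,
 "timestamp": "2025-11-08 05:40:31.000Z", "type": "RouteStatus", "status": "UPDATED",
 "message": {"prefix": "172.31.0.0/16", "asPath": "64512", "localPref": 100, "med": 100,
             "nextHopIp": "169.254.50.85", "weight": 32768,
             "details": "DENIED due to: as-path contains our own AS"}}
{"resource_id": "vpn-1234abcd_1.2.3.4", "event_timestamp": 1762580500000,
 "timestamp": "2025-11-08 05:41:40.000Z", "type": "BGPStatus", "status": "UP",
 "message": {"details": "AWS-side peer is reporting a maximum prefix limit warning - received 95 prefixes from neighbor 169.254.50.85, limit is 100"}}
{"resource_id": "vpn-1234abcd_1.2.3.4", "event_timestamp": 1762580600000,
 "timestamp": "2025-11-08 05:43:20.000Z", "type": "BGPStatus", "status": "DOWN",
 "message": {"details": "AWS-side peer sent a notification 6/1 (Cease/Maximum Number of Prefixes Reached) to neighbor 169.254.50.85"}}
{"resource_id": "vpn-1234abcd_1.2.3.4", "event_timestamp": 1762580700000,
 "timestamp": "2025-11-08 05:45:00.000Z", "type": "BGPStatus", "status": "UP",
 "message": {"details": "AWS-side peer BGP session state has changed from OpenConfirm to Established with neighbor 169.254.50.85"}}
"""

# Cease notifications are logged as "notification <code>/<subcode> (<text>)".
NOTIFICATION_RE = re.compile(r"notification (\d+)/(\d+) \(([^)]*)\)")
PREFIX_LIMIT_RE = re.compile(r"received (\d+) prefixes .*? limit is (\d+)")


def parse_records(text):
    """Return the JSON objects found in text, in file order.

    raw_decode accepts both one-object-per-line delivery and the
    pretty-printed, blank-line-separated layout shown in the documentation.
    """
    decoder = json.JSONDecoder()
    records, pos = [], 0
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        obj, pos = decoder.raw_decode(text, pos)
        records.append(obj)
    return records


def triage(records):
    """Walk records in timestamp order and summarise what an operator needs.

    findings: (timestamp, resource_id, kind, detail) for BGP_DOWN (session
    dropped from UP; detail carries the Cease code/subcode when present),
    PREFIX_LIMIT_WARNING and ROUTE_DENIED. last_status holds the latest
    BGPStatus per tunnel; reestablishments counts DOWN -> UP edges (flaps).
    """
    findings, last_status, reestablishments = [], {}, {}
    for rec in sorted(records, key=lambda r: r["event_timestamp"]):
        rid = rec["resource_id"]
        msg = rec.get("message", {})
        details = msg.get("details", "")
        if rec["type"] == "BGPStatus":
            prev = last_status.get(rid)
            status = rec["status"]
            last_status[rid] = status
            # Intermediate FSM states (Connect, OpenSent, ...) are logged as DOWN
            # during normal establishment, so only an UP -> DOWN edge is a loss.
            if status == "DOWN" and prev == "UP":
                m = NOTIFICATION_RE.search(details)
                reason = (f"notification {m.group(1)}/{m.group(2)} ({m.group(3)})"
                          if m else details)
                findings.append((rec["timestamp"], rid, "BGP_DOWN", reason))
            elif status == "UP" and prev == "DOWN":
                reestablishments[rid] = reestablishments.get(rid, 0) + 1
            m = PREFIX_LIMIT_RE.search(details)
            if "maximum prefix limit warning" in details and m:
                findings.append((rec["timestamp"], rid, "PREFIX_LIMIT_WARNING",
                                 f"{m.group(1)} of {m.group(2)} prefixes received"))
        elif rec["type"] == "RouteStatus" and details.startswith("DENIED"):
            findings.append((rec["timestamp"], rid, "ROUTE_DENIED",
                             f"{msg.get('prefix')} {rec['status']}: {details}"))
    return {"findings": findings, "last_status": last_status,
            "reestablishments": reestablishments}


if __name__ == "__main__":
    result = triage(parse_records(SAMPLE_LOG))
    for ts, rid, kind, detail in result["findings"]:
        print(f"{ts} {rid} {kind}: {detail}")
    print("last status:", result["last_status"])
    print("re-establishments:", result["reestablishments"])
```

The same functions can be fed the output of a CloudWatch Logs export or a Logs Insights query over the log group configured for the tunnel; the text output format is not handled here.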

## IAM requirements to publish to CloudWatch Logs
<a name="publish-cw-logs"></a>



For the logging feature to work properly, the IAM policy attached to the IAM principal being used to configure the feature must include the following permissions at minimum. More details can also be found in the [Enabling logging from certain AWS services](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html) section of the *Amazon CloudWatch Logs User Guide*.


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogDelivery",
        "logs:GetLogDelivery",
        "logs:UpdateLogDelivery",
        "logs:DeleteLogDelivery",
        "logs:ListLogDeliveries"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow",
      "Sid": "S2SVPNLogging"
    },
    {
      "Sid": "S2SVPNLoggingCWL",
      "Action": [
        "logs:PutResourcePolicy",
        "logs:DescribeResourcePolicies",
        "logs:DescribeLogGroups"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    }
  ]
}
```


# View AWS Site-to-Site VPN logs configuration
<a name="status-logs"></a>

View the activity log for a Site-to-Site VPN connection. Here you can view details about the configuration, such as encryption algorithms, or whether tunnel VPN logs are enabled. You can also view the tunnel state. This helps you to better track any issues or conflicts you might have with a VPN connection.

**To view current tunnel logging settings**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Site-to-Site VPN connections**.

1. Select the VPN connection that you want to view from the **VPN connections** list.

1. Choose the **Tunnel details** tab.

1. Expand the **Tunnel 1 options** and **Tunnel 2 options** sections to view all tunnel configuration details.

1. You can view the current status of the **Tunnel VPN log** feature, the currently configured CloudWatch log group (if any) under **CloudWatch log group for tunnel VPN log**, and the log output format under **Output format for tunnel VPN log**.

1. You can view the current status of the **Tunnel BGP log** feature, the currently configured CloudWatch log group (if any) under **CloudWatch log group for tunnel VPN log**, and the log output format under **Output format for tunnel BGP log**.

**To view current tunnel logging settings on a Site-to-Site VPN connection using the AWS command line or API**
+ [DescribeVpnConnections](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeVpnConnections.html) (Amazon EC2 Query API)
+ [describe-vpn-connections](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-vpn-connections.html) (AWS CLI)

# Enable AWS Site-to-Site VPN logs
<a name="enable-logs"></a>

Enable Site-to-Site VPN logs to log VPN activity, such as tunnel state and other details. You can enable logging on a new connection or modify an existing connection to start logging activity. If you want to disable logging for a connection, see [Disable Site-to-Site VPN logs](disable-logs.md).

**Note**  
When you enable Site-to-Site VPN logs for an existing VPN connection tunnel, your connectivity over that tunnel can be interrupted for several minutes. However, each VPN connection offers two tunnels for high availability, so you can enable logging on one tunnel at a time while maintaining connectivity over the tunnel not being modified. For more information, see [AWS Site-to-Site VPN tunnel endpoint replacements](endpoint-replacements.md).

**To enable VPN logging during creation of a new Site-to-Site VPN connection**  
Follow the procedure [Step 5: Create a VPN connection](SetUpVPNConnections.md#vpn-create-vpn-connection). During Step 9 **Tunnel Options**, you can specify all the options you want to use for both tunnels, including **VPN logging** options. For more information about these options, see [Tunnel options for your AWS Site-to-Site VPN connection](VPNTunnels.md).

**To enable tunnel logging on a new Site-to-Site VPN connection using the AWS command line or API**
+ [CreateVpnConnection](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateVpnConnection.html) (Amazon EC2 Query API)
+ [create-vpn-connection](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpn-connection.html) (AWS CLI)

**To enable tunnel activity logging on an existing Site-to-Site VPN connection**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Site-to-Site VPN connections**.

1. Select the VPN connection that you want to modify from the **VPN connections** list.

1. Select **Actions**, **Modify VPN tunnel options**.

1. Select the tunnel that you want to modify by choosing the appropriate IP address from the **VPN tunnel outside IP address** list.

1. Under **Tunnel activity log**, select **Enable**.

1. Under **Amazon CloudWatch log group**, select the Amazon CloudWatch log group where you want the logs to be sent.

1. (Optional) Under **Output format**, choose the desired format for the log output, either **json** or **text**.

1. Select **Save changes**.

1. (Optional) Repeat steps 4 through 9 for the other tunnel if desired.

**To enable tunnel BGP logging on an existing Site-to-Site VPN connection**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Site-to-Site VPN connections**.

1. Select the VPN connection that you want to modify from the **VPN connections** list.

1. Select **Actions**, **Modify VPN tunnel options**.

1. Select the tunnel that you want to modify by choosing the appropriate IP address from the **VPN tunnel outside IP address** list.

1. Under **Tunnel BGP log**, select **Enable**.

1. Under **Amazon CloudWatch log group**, select the Amazon CloudWatch log group where you want the logs to be sent.

1. (Optional) Under **Output format**, choose the desired format for the log output, either **json** or **text**.

1. Select **Save changes**.

1. (Optional) Repeat steps 4 through 9 for the other tunnel if desired.

**To enable tunnel logging on an existing Site-to-Site VPN connection using the AWS command line or API**
+ [ModifyVpnTunnelOptions](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyVpnTunnelOptions.html) (Amazon EC2 Query API)
+ [modify-vpn-tunnel-options](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-vpn-tunnel-options.html) (AWS CLI)

# Disable AWS Site-to-Site VPN logs
<a name="disable-logs"></a>

Disable VPN logging on a connection if you no longer want to track any activity on that connection. This action only disables logging and does not affect anything else for that connection. To enable or re-enable logging on a connection, see [Enable Site-to-Site VPN logs](enable-logs.md).

**To disable tunnel activity logging on a Site-to-Site VPN connection**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Site-to-Site VPN Connections**.

1. Select the VPN connection that you want to modify from the **VPN connections** list.

1. Select **Actions**, **Modify VPN tunnel options**.

1. Select the tunnel that you want to modify by choosing the appropriate IP address from the **VPN tunnel outside IP address** list.

1. Under **Tunnel activity log**, clear **Enable**.

1. Select **Save changes**.

1. (Optional) Repeat steps 4 through 7 for the other tunnel if desired.

**To disable tunnel BGP logging on a Site-to-Site VPN connection**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Site-to-Site VPN Connections**.

1. Select the VPN connection that you want to modify from the **VPN connections** list.

1. Select **Actions**, **Modify VPN tunnel options**.

1. Select the tunnel that you want to modify by choosing the appropriate IP address from the **VPN tunnel outside IP address** list.

1. Under **Tunnel BGP log**, clear **Enable**.

1. Select **Save changes**.

1. (Optional) Repeat steps 4 through 7 for the other tunnel if desired.

**To disable tunnel logging on a Site-to-Site VPN connection using the AWS command line or API**
+ [ModifyVpnTunnelOptions](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyVpnTunnelOptions.html) (Amazon EC2 Query API)
+ [modify-vpn-tunnel-options](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-vpn-tunnel-options.html) (AWS CLI)

# Monitor AWS Site-to-Site VPN tunnels using Amazon CloudWatch
<a name="monitoring-cloudwatch-vpn"></a>

You can monitor VPN tunnels using CloudWatch, which collects and processes raw data from the VPN service into readable, near real-time metrics. These statistics are recorded for a period of 15 months, so that you can access historical information and gain a better perspective on how your web application or service is performing. VPN metric data is automatically sent to CloudWatch as it becomes available.

For more information, see the [Amazon CloudWatch User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/).

**Topics**
+ [VPN metrics and dimensions](#metrics-dimensions-vpn)
+ [View VPN CloudWatch metrics](viewing-metrics.md)
+ [Create CloudWatch alarms to monitor VPN tunnels](creating-alarms-vpn.md)

## VPN metrics and dimensions
<a name="metrics-dimensions-vpn"></a>

The following CloudWatch metrics are available for your Site-to-Site VPN connections.


| Metric | Description | 
| --- | --- | 
|  `TunnelState`  |  The state of the tunnels. For static VPNs, 0 indicates DOWN and 1 indicates UP. For BGP VPNs, 1 indicates ESTABLISHED and 0 is used for all other states. For both types of VPNs, values between 0 and 1 indicate at least one tunnel is not UP. Units: Fractional value between 0 and 1   | 
|  `TunnelDataIn` †  |  The bytes received on the AWS side of the connection through the VPN tunnel from a customer gateway. Each metric data point represents the number of bytes received after the previous data point. Use the Sum statistic to show the total number of bytes received during the period. This metric counts the data after decryption. Units: Bytes  | 
|  `TunnelDataOut` †  |  The bytes sent from the AWS side of the connection through the VPN tunnel to the customer gateway. Each metric data point represents the number of bytes sent after the previous data point. Use the Sum statistic to show the total number of bytes sent during the period. This metric counts the data before encryption. Units: Bytes  | 
|  `ConcentratorBandwidthUsage`  |  The bandwidth usage for a Site-to-Site VPN Concentrator connection. This metric is available for VPN connections that use a Site-to-Site VPN Concentrator. Use the Average statistic to show the average bandwidth usage during the period. Units: Bits per second  | 

† These metrics can report network usage even when the tunnel is down. This is due to periodic status checks performed on the tunnel, and background ARP and BGP requests.

To filter the metric data, use the following dimensions.


| Dimension | Description | 
| --- | --- | 
| `VpnId` |  Filters the metric data by the Site-to-Site VPN connection ID.  | 
| `TunnelIpAddress` |  Filters the metric data by the IP address of the tunnel for the virtual private gateway.  | 

# View Amazon CloudWatch Logs metrics for AWS Site-to-Site VPN
<a name="viewing-metrics"></a>

When you create a Site-to-Site VPN connection, the VPN service sends metrics about your VPN connection to CloudWatch as they become available. You can view the metrics for your VPN connection as follows.

**To view metrics using the CloudWatch console**

Metrics are grouped first by the service namespace, and then by the various dimension combinations within each namespace.

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the navigation pane, choose **Metrics**.

1. Under **All metrics**, choose the **VPN** metric namespace.

1. Select the metric dimension to view the metrics, for example, **VPN Tunnel Metrics**.

**Note**  
The VPN namespace will not appear in the CloudWatch console until after a Site-to-Site VPN connection has been created in the AWS region you are viewing.

**To view metrics using the AWS CLI**  
At a command prompt, use the following command:

```
aws cloudwatch list-metrics --namespace "AWS/VPN"
```

# Create Amazon CloudWatch alarms to monitor AWS Site-to-Site VPN tunnels
<a name="creating-alarms-vpn"></a>

You can create a CloudWatch alarm that sends an Amazon SNS message when the alarm changes state. An alarm watches a single metric over a time period you specify, and sends a notification to an Amazon SNS topic based on the value of the metric relative to a given threshold over a number of time periods. 

For example, you can create an alarm that monitors the state of a single VPN tunnel, and sends a notification when the tunnel state is DOWN for 3 datapoints within 15 minutes.

**To create an alarm for a single tunnel state**

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the navigation pane, expand **Alarms**, then choose **All alarms**.

1. Choose **Create alarm**, then choose **Select metric**.

1. Choose **VPN**, then **VPN Tunnel Metrics**.

1. Select the IP address of the desired tunnel, on the same line with the **TunnelState** metric. Choose **Select metric**.

1. For **Whenever TunnelState is...**, select **Lower**, and then enter "1" in the input field under **than...**.

1. Under **Additional configuration**, set the inputs to "3 out of 3" for **Datapoints to alarm**.

1. Choose **Next**.

1. Under **Send a notification to the following SNS topic**, select an existing notification list or create a new one.

1. Choose **Next**.

1. Enter a name for your alarm. Choose **Next**. 

1. Check the settings for your alarm, and then choose **Create alarm**.

You can create an alarm that monitors the state of the Site-to-Site VPN connection. For example, you can create an alarm that sends a notification when the status of one or both tunnels is DOWN for one 5-minute period.

**To create an alarm for Site-to-Site VPN connection state**

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the navigation pane, expand **Alarms**, then choose **All alarms**.

1. Choose **Create alarm**, then choose **Select metric**.

1. Choose **VPN**, then choose **VPN Connection Metrics**.

1. Select your Site-to-Site VPN connection and the **TunnelState** metric. Choose **Select metric**.

1. For **Statistic**, specify **Maximum**.

   Alternatively, if you've configured your Site-to-Site VPN connection so that both tunnels are up, you can specify a statistic of **Minimum** to send a notification when at least one tunnel is down.

1. For **Whenever**, choose **Lower/Equal** (**<=**) and enter **0** (or **0.5** for when at least one tunnel is down). Choose **Next**.

1. Under **Select an SNS topic**, select an existing notification list or choose **New list** to create a new one. Choose **Next**.

1. Enter a name and description for your alarm. Choose **Next**. 

1. Check the settings for your alarm, and then choose **Create alarm**.

You can also create alarms that monitor the amount of traffic entering or leaving the VPN tunnel. For example, the following alarm monitors the amount of traffic coming into the VPN tunnel from your network, and sends a notification when the number of bytes reaches a threshold of 5,000,000 during a 15-minute period.

**To create an alarm for incoming network traffic**

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the navigation pane, expand **Alarms**, then choose **All alarms**.

1. Choose **Create alarm**, then choose **Select metric**.

1. Choose **VPN**, then choose **VPN Tunnel Metrics**.

1. Select the IP address of the VPN tunnel and the **TunnelDataIn** metric. Choose **Select metric**.

1. For **Statistic**, specify **Sum**. 

1. For **Period**, select **15 minutes**.

1. For **Whenever**, choose **Greater/Equal** (**>=**) and enter **5000000**. Choose **Next**.

1. Under **Select an SNS topic**, select an existing notification list or choose **New list** to create a new one. Choose **Next**.

1. Enter a name and description for your alarm. Choose **Next**. 

1. Check the settings for your alarm, and then choose **Create alarm**.

The following alarm monitors the amount of traffic leaving the VPN tunnel to your network, and sends a notification when the number of bytes is less than 1,000,000 during a 15-minute period.

**To create an alarm for outgoing network traffic**

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the navigation pane, expand **Alarms**, then choose **All alarms**.

1. Choose **Create alarm**, then choose **Select metric**.

1. Choose **VPN**, then choose **VPN Tunnel Metrics**.

1. Select the IP address of the VPN tunnel and the **TunnelDataOut** metric. Choose **Select metric**.

1. For **Statistic**, specify **Sum**. 

1. For **Period**, select **15 minutes**.

1. For **Whenever**, choose **Lower/Equal** (**<=**) and enter `1000000`. Choose **Next**.

1. Under **Select an SNS topic**, select an existing notification list or choose **New list** to create a new one. Choose **Next**.

1. Enter a name and description for your alarm. Choose **Next**. 

1. Check the settings for your alarm, and then choose **Create alarm**.
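The four alarm procedures above, together with the `TunnelState` semantics from the metrics table, all rely on the same evaluation model: CloudWatch rolls up samples per period with a statistic, compares each period value to a threshold, and goes to ALARM only when M out of the last N periods breach. The following Python is an added example (not AWS code and not part of this guide) that reproduces that model locally on constructed sample datapoints so you can see why `Maximum <= 0` means both tunnels are down while `Minimum <= 0.5` means at least one is down, and why "3 out of 3" needs a full 15 minutes of outage before the single-tunnel alarm fires. It assumes the connection-level `TunnelState` is the mean of the two tunnel values (consistent with the 0 and 0.5 thresholds above) and, because the single-tunnel procedure names no statistic, assumes `Average`; the IP addresses and byte counts are constructed.

```python
"""Local model of the CloudWatch alarm rules described on this page.

Added example, not AWS code. It reproduces the evaluation semantics a
CloudWatch alarm applies to the VPN metrics: 1-minute samples are rolled
up per period with a statistic, each period value is compared to a
threshold, and the alarm fires when M out of the last N periods breach.
Every datapoint below is constructed sample data, not real metric output.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence

# Per-tunnel TunnelState, one sample per minute, 1 = UP and 0 = DOWN
# (static-VPN semantics from the metrics table). Constructed samples.
TUNNEL_A = [1] * 15                  # stays up for the whole 15 minutes
TUNNEL_B = [1] * 6 + [0] * 9         # goes down at minute 6
TUNNEL_B_DOWN_ALL = [0] * 15         # down for the entire window

# Per-minute byte counts for one tunnel (constructed).
DATA_IN = [400_000] * 15             # 6,000,000 bytes in 15 minutes
DATA_OUT = [50_000] * 15             # 750,000 bytes in 15 minutes

STATISTICS: Dict[str, Callable[[Sequence[float]], float]] = {
    "Sum": sum,
    "Average": lambda xs: sum(xs) / len(xs),
    "Minimum": min,
    "Maximum": max,
}

# Operator names follow the PutMetricAlarm ComparisonOperator values.
COMPARISONS: Dict[str, Callable[[float, float], bool]] = {
    "LessThanThreshold": lambda v, t: v < t,
    "LessThanOrEqualToThreshold": lambda v, t: v <= t,
    "GreaterThanOrEqualToThreshold": lambda v, t: v >= t,
}


@dataclass(frozen=True)
class Alarm:
    name: str
    statistic: str
    period_minutes: int
    comparison: str
    threshold: float
    datapoints_to_alarm: int   # the "M" in "M out of N"
    evaluation_periods: int    # the "N"


def aggregate(samples: Sequence[float], statistic: str, period_minutes: int) -> List[float]:
    """Roll 1-minute samples into one value per period using the statistic."""
    fn = STATISTICS[statistic]
    return [fn(samples[i:i + period_minutes]) for i in range(0, len(samples), period_minutes)]


def evaluate(alarm: Alarm, samples: Sequence[float]) -> str:
    """Return 'ALARM' when at least M of the last N period values breach."""
    periods = aggregate(samples, alarm.statistic, alarm.period_minutes)
    recent = periods[-alarm.evaluation_periods:]
    breached = sum(1 for v in recent if COMPARISONS[alarm.comparison](v, alarm.threshold))
    return "ALARM" if breached >= alarm.datapoints_to_alarm else "OK"


def connection_state(*tunnels: Sequence[float]) -> List[float]:
    """Connection-level TunnelState per minute.

    Assumption for this example: the connection value is the mean of the
    tunnel values, so 1.0 = both up, 0.5 = one down, 0.0 = both down, which
    matches the 0 / 0.5 thresholds used in the procedure above.
    """
    return [sum(col) / len(col) for col in zip(*tunnels)]


# The alarms from the procedures on this page. The single-tunnel procedure
# does not name a statistic; Average is assumed here.
SINGLE_TUNNEL_DOWN = Alarm("single-tunnel-down", "Average", 5, "LessThanThreshold", 1, 3, 3)
BOTH_TUNNELS_DOWN = Alarm("both-tunnels-down", "Maximum", 5, "LessThanOrEqualToThreshold", 0, 1, 1)
ANY_TUNNEL_DOWN = Alarm("any-tunnel-down", "Minimum", 5, "LessThanOrEqualToThreshold", 0.5, 1, 1)
HIGH_INBOUND = Alarm("high-inbound", "Sum", 15, "GreaterThanOrEqualToThreshold", 5_000_000, 1, 1)
LOW_OUTBOUND = Alarm("low-outbound", "Sum", 15, "LessThanOrEqualToThreshold", 1_000_000, 1, 1)


def page_alarms() -> Dict[str, str]:
    """Evaluate every alarm on the constructed samples and return the states."""
    conn = connection_state(TUNNEL_A, TUNNEL_B)
    return {
        # Tunnel B has been down for 9 of the last 15 minutes, but only 2 of the
        # three 5-minute periods breach (averages 1.0, 0.2, 0.0), so 3-of-3 stays OK.
        "single-tunnel-down (B, partial)": evaluate(SINGLE_TUNNEL_DOWN, TUNNEL_B),
        "single-tunnel-down (B, full 15 min)": evaluate(SINGLE_TUNNEL_DOWN, TUNNEL_B_DOWN_ALL),
        # Maximum of the connection value is 0.5, not 0: tunnel A is still up.
        "both-tunnels-down": evaluate(BOTH_TUNNELS_DOWN, conn),
        # Minimum of the connection value is 0.5: at least one tunnel is down.
        "any-tunnel-down": evaluate(ANY_TUNNEL_DOWN, conn),
        "high-inbound": evaluate(HIGH_INBOUND, DATA_IN),
        "low-outbound": evaluate(LOW_OUTBOUND, DATA_OUT),
    }


if __name__ == "__main__":
    for name, state in page_alarms().items():
        print(f"{name:40s} {state}")
```

When reading the `low-outbound` result, keep the † caveat from the metrics table in mind: `TunnelDataIn` and `TunnelDataOut` can show nonzero bytes from status checks and background ARP and BGP traffic even while a tunnel is down, so a byte-count alarm is a complement to a `TunnelState` alarm rather than a substitute for one.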

For more examples of creating alarms, see [Creating Amazon CloudWatch alarms](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html) in the *Amazon CloudWatch User Guide*.

# AWS Health and AWS Site-to-Site VPN events
<a name="monitoring-vpn-health-events"></a>

AWS Site-to-Site VPN automatically sends notifications to the [Health Dashboard](https://docs.aws.amazon.com/health/latest/ug/aws-health-dashboard-status.html). This dashboard requires no setup, and is ready to use for authenticated AWS users. You can configure multiple actions in response to event notifications through the Health Dashboard.

The Health Dashboard provides the following types of notifications for your VPN connections:
+ [Tunnel endpoint replacement notifications](#tunnel-replacement-notifications)
+ [Single tunnel VPN notifications](#single-tunnel-notifications)

## Tunnel endpoint replacement notifications
<a name="tunnel-replacement-notifications"></a>

You receive a **Tunnel endpoint replacement notification** in the Health Dashboard when one or both of the VPN tunnel endpoints in your VPN connection is replaced. A tunnel endpoint is replaced when AWS performs tunnel updates, or when you modify your VPN connection. For more information, see [AWS Site-to-Site VPN tunnel endpoint replacements](endpoint-replacements.md).

When a tunnel endpoint replacement is complete, AWS sends the **Tunnel endpoint replacement notification** through a Health Dashboard event.

## Single tunnel VPN notifications
<a name="single-tunnel-notifications"></a>

A Site-to-Site VPN connection consists of two tunnels for redundancy. We strongly recommend that you configure both tunnels for high availability. If your VPN connection has one tunnel up but the other is down for more than one hour in a day, you receive a *monthly* **VPN single tunnel notification** through a Health Dashboard event. This event is updated daily with any new VPN connections detected as single tunnel, with notifications sent weekly. A new event is created each month, which clears any VPN connections no longer detected as single tunnel.