Inactive VPNs, which are VPNs with both primary and secondary tunnels down, quietly accumulate costs while providing no operational value. Consider AWS Site-to-Site VPN: the cost is five cents an hour per VPN, totaling $36 monthly, or $432 annually. Still, for many large companies, this type of operational oversight is par for the course.

With multiple inactive VPNs, though, the costs add up quickly. An account with 100 inactive VPNs pays $3600 a month, a staggering $43,200 a year. Even if you are nowhere near that spending level, it is worth routinely checking the status of your VPNs.

VPN Tunnel Failure

For those unfamiliar with the structure of these VPNs: an AWS Site-to-Site VPN connection consists of two tunnels, a primary and a secondary. The primary tunnel is the main pathway for secure data transmission between the two endpoints. The secondary tunnel provides redundancy and acts as a failover mechanism so that connectivity continues if the primary tunnel fails.

When both tunnels fail, the VPN connection becomes inoperable, and data cannot securely flow between the two networks until the tunnels are restored. Failures happen for several reasons, such as network issues, misconfigurations, or problems at the VPN endpoints. Although you are no longer charged for data transfer while nothing flows, with AWS Site-to-Site VPN you are still charged five cents an hour for the connection itself.

How to Check for VPN Tunnel Failure

To avoid unnecessary charges for inactive VPNs, you first need to identify whether you have any, and then either fix or terminate each one. There are several ways to check whether the tunnels in your AWS Site-to-Site VPN are down. For other VPN services, check the documentation for the corresponding steps.

  • Via an API: Use the DescribeVPNConnections API to view the status of the VPN connection. Each tunnel is reported as an item under vgwTelemetry; a status of “DOWN” on every item means both tunnels, and therefore the VPN, are down. The statusMessage field gives the reason for each failure.
<vgwTelemetry>
    <item>
        <outsideIpAddress>203.0.113.3</outsideIpAddress>
        <status>DOWN</status>
        <lastStatusChange>2023-11-09T15:45:22.000Z</lastStatusChange>
        <statusMessage>Configuration mismatch: Phase 1 encryption algorithm does not match.</statusMessage>
        <acceptedRouteCount>0</acceptedRouteCount>
    </item>
    <item>
        <outsideIpAddress>203.0.113.5</outsideIpAddress>
        <status>DOWN</status>
        <lastStatusChange>2023-11-09T15:45:22.000Z</lastStatusChange>
        <statusMessage>No response from peer: Network connectivity issue</statusMessage>
        <acceptedRouteCount>0</acceptedRouteCount>
    </item>
</vgwTelemetry>

Sample DescribeVPNConnections response

  • AWS Management Console: You can also see the status of the tunnels within the VPN Connections section of the AWS Management Console.
  • CloudWatch: Use CloudWatch metrics, such as TunnelState, to check whether your tunnels are down. Note that a TunnelState of 0 indicates the tunnel is down (1 means up).
  • Logs: The information in the VPN logs, particularly TunnelIKEPhase1State and TunnelIKEPhase2State, can be used to check whether the tunnels are down. A value of “Down” indicates an issue with the corresponding IKE phase of that tunnel.
  • Check for Connectivity: Attempt to connect to resources on the remote network through the VPN. If both tunnels are down, establishing a connection will be impossible, indicating the inactive status of the VPN.

Taking these measures allows you to detect inactive VPNs, thereby preventing unnecessary charges and ensuring that your VPN infrastructure is both cost-effective and operationally sound.
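The API check above, turned into a small audit script. This is an added example, not the article's own code: it takes the response of boto3's describe_vpn_connections (PascalCase keys, where the article's XML excerpt shows the lowercase Query API form), flags every connection whose tunnels are all DOWN, and prices it at the article's $0.05/hour over 720 hours. The VPN IDs and telemetry are constructed sample data, and the live lookup assumes AWS credentials are configured.

```python
"""Flag AWS Site-to-Site VPNs whose tunnels are all DOWN (added example, not the article's code)."""
from typing import Any, Dict, List

HOURLY_RATE_USD = 0.05  # per-connection hourly price the article quotes
HOURS_PER_MONTH = 720   # 24 h x 30 days, the article's monthly basis ($36/month)


def find_inactive_vpns(response: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return one record per VPN connection whose tunnels are all DOWN.

    `response` has the shape boto3's EC2 describe_vpn_connections returns:
    VpnConnections[].VgwTelemetry[] carries each tunnel's Status/StatusMessage.
    Connections already deleted or deleting are skipped; they no longer bill.
    """
    inactive = []
    for vpn in response.get("VpnConnections", []):
        if vpn.get("State") in ("deleted", "deleting"):
            continue
        tunnels = vpn.get("VgwTelemetry", [])
        # No telemetry means the VPN cannot be judged; treat it as active (no false positives).
        if not tunnels or any(t.get("Status") != "DOWN" for t in tunnels):
            continue
        inactive.append({
            "VpnConnectionId": vpn["VpnConnectionId"],
            "Reasons": [t.get("StatusMessage", "") for t in tunnels],
            "MonthlyCostUsd": round(HOURLY_RATE_USD * HOURS_PER_MONTH, 2),
        })
    return inactive


def fetch_vpn_connections() -> Dict[str, Any]:
    """Live lookup; boto3 is imported here so the module still runs offline without it."""
    import boto3  # assumption: AWS credentials and region are configured in the environment
    return boto3.client("ec2").describe_vpn_connections()


# Constructed sample mirroring the article's vgwTelemetry excerpt (not real AWS data).
SAMPLE_RESPONSE = {"VpnConnections": [
    {"VpnConnectionId": "vpn-0000aaaa", "State": "available", "VgwTelemetry": [
        {"OutsideIpAddress": "203.0.113.3", "Status": "DOWN",
         "StatusMessage": "Configuration mismatch: Phase 1 encryption algorithm does not match."},
        {"OutsideIpAddress": "203.0.113.5", "Status": "DOWN",
         "StatusMessage": "No response from peer: Network connectivity issue"}]},
    {"VpnConnectionId": "vpn-0000bbbb", "State": "available", "VgwTelemetry": [  # one tunnel up
        {"OutsideIpAddress": "203.0.113.7", "Status": "UP", "StatusMessage": ""},
        {"OutsideIpAddress": "203.0.113.9", "Status": "DOWN", "StatusMessage": "IPSEC IS DOWN"}]},
    {"VpnConnectionId": "vpn-0000cccc", "State": "deleted", "VgwTelemetry": [  # deleted: no charge
        {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN", "StatusMessage": ""}]},
]}
```

Against a live account call find_inactive_vpns(fetch_vpn_connections()); on the sample only vpn-0000aaaa is reported, since the second connection still has one tunnel up and the third is already deleted.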

VPN Best Practices

After auditing existing VPNs for inactivity, consider these proactive steps moving forward:

  • CloudWatch Alarms: Create a CloudWatch alarm on the TunnelState metric so that you are notified as soon as both tunnels of a connection are down, for example:

aws cloudwatch put-metric-alarm \
  --alarm-name BothTunnelsDownAlarm \
  --alarm-description "Alert when both tunnels are down" \
  --actions-enabled \
  --alarm-actions <SNS_TOPIC_ARN> \
  --metric-name TunnelState \
  --namespace AWS/VPN \
  --dimensions Name=VpnId,Value=<VPN_CONNECTION_ID> \
  --statistic Maximum \
  --period 300 \
  --evaluation-periods 1 \
  --threshold 0 \
  --comparison-operator LessThanOrEqualToThreshold

CloudWatch alarm that sends an SNS message when both tunnels have been down for 5 minutes. Filtering on the VpnId dimension aggregates TunnelState across both tunnels of the connection, so a Maximum of 0 over the period means neither tunnel was up; a single tunnel being down leaves the Maximum at 1 and does not trigger the alarm. Replace <SNS_TOPIC_ARN> and <VPN_CONNECTION_ID> with your own values.

  • AWS Health Events: Use the events AWS automatically sends to the AWS Health Dashboard to trigger actions such as notifications for tunnel endpoint replacements and for VPNs running on a single tunnel.
  • Audits: Perform regular audits of your VPN metrics using the steps above to ensure there are no tunnels down.
  • Automated Testing: Implement automated testing procedures to simulate various scenarios, such as tunnel failures or network interruptions, identifying potential issues right away.

Conclusion

Monitoring and maintaining the health of your VPN infrastructure is crucial to avoid needless charges. Checking for inactive VPNs through API calls, the AWS Management Console, CloudWatch metrics, or connectivity tests helps you detect them early. Proactive measures such as regular audits or CloudWatch alarms can save you thousands of dollars. By following these guidelines, you can optimize costs, maintain a robust VPN infrastructure, and ensure seamless connectivity between networks.