
We use CloudFormation as infrastructure as code for our VPN connection between on-premises and our AWS account. We need to set a parameter documented as (complete docs):

Remote IPv4 Network CIDR (IPv4 VPN connection only): The IPv4 CIDR range on the AWS side that is allowed to communicate over the VPN tunnels. Default: 0.0.0.0/0

We have searched the internet, but there is no real syntax for CloudFormation on how to set that variable.

We would like to change the value from the default 0.0.0.0/0 to a more specific /24 range.

In some VPN software this is referred to as traffic selector, proxy ID or encryption domain.

Piazzolla

1 Answer


The Remote IPv4 Network CIDR can be changed using the SDK. The CloudFormation below will change the Remote IPv4 Network CIDR.

    lambdaExecutionRole:
        Type: AWS::IAM::Role
        Properties:
          AssumeRolePolicyDocument:
            Version: '2012-10-17'
            Statement:
            - Effect: Allow
              Principal:
                Service:
                - lambda.amazonaws.com
              Action:
              - sts:AssumeRole
          Path: "/"
          Policies:
          - PolicyName: root
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
              # Only what the function needs to write its own CloudWatch logs
              - Effect: Allow
                Action:
                 - logs:CreateLogGroup
                 - logs:CreateLogStream
                 - logs:PutLogEvents
                Resource: arn:aws:logs:*:*:*  # Set appropriate value (narrow to this function's log group)
              - Effect: Allow
                Action:
                 - ec2:ModifyVpnConnectionOptions
                Resource: !Sub "arn:aws:ec2:*:..."  # Refer to your AWS::EC2::VPNConnection

    # A Lambda that changes the remote Ipv4 property of VPN using the aws sdk.
    # Asynchronous, so it will finish before the modification of the VPN is done.
    customResourceSetRemoteIp:
        Type: AWS::Lambda::Function
        Properties:
          Runtime: nodejs14.x   # aws-sdk v2 and cfn-response are bundled with this runtime for inline code
          Role: !GetAtt lambdaExecutionRole.Arn
          Handler: index.handler
          Timeout: 30           # the default 3 s is tight for an EC2 API call plus the cfn-response callback
          Code:
            ZipFile: |
                var response = require('cfn-response')
                var aws = require('aws-sdk')
                exports.handler = function (event, context) {
                    console.log("REQUEST RECEIVED:\n" + JSON.stringify(event))
                    
                    // For Delete requests, immediately send a SUCCESS response.
                    // You need to run this job with the new value if you want a rollback. 
                    if (event.RequestType == "Delete") {
                        response.send(event, context, "SUCCESS")
                        return
                    }
                    var responseStatus = "FAILED"
                    var responseData = {}
                    var vpnConnection = event.ResourceProperties.VpnConnection;
                    var remoteIpv4NetworkCidr = event.ResourceProperties.RemoteIpv4NetworkCidr;
                    
                    console.log("Set remote ipv4 cidr to '" + remoteIpv4NetworkCidr + 
                        "' at vpn connection '" + vpnConnection + "'");
                    
                    var ec2 = new aws.EC2();
                    var params = {
                      VpnConnectionId: vpnConnection, /* required */
                      DryRun: false,
                      RemoteIpv4NetworkCidr: remoteIpv4NetworkCidr
                    };
                    ec2.modifyVpnConnectionOptions(params, function(err, data) {
                      if (err) {
                          console.log(err, err.stack); // an error occurred
                          responseData = {Error: err}
                          console.log(responseData.Error + ":\n", err)
                      } else {
                          responseStatus = "SUCCESS"
                          console.log(data);           // successful response
                      }
                      response.send(event, context, responseStatus, responseData)
                    });
                }
          Description: Set VPN options in cloudformation
          TracingConfig:
            Mode: PassThrough

    setRemoteIpOnVpnCustomResource:
        Type: AWS::CloudFormation::CustomResource
        Version: "1.0"
        Properties:
          ServiceToken: !GetAtt customResourceSetRemoteIp.Arn
          VpnConnection: !Ref vpcVpnConnection
          RemoteIpv4NetworkCidr: "10.0.0.0/24"
Leonard Saers
  • Looks interesting and for us it works best with simple inline code. I will test it out! – Piazzolla Sep 29 '21 at 14:07
  • Working great, and as you commented in the code, the resource is async, so you need to look into the AWS console to see when the modification is done. – Piazzolla Sep 30 '21 at 09:13