“Simplicity is prerequisite for reliability.”

― Edsger W. Dijkstra

This post aims to show how to monitor your VPN tunnels using Lambda in AWS.

AWS Lambda lets you run code without provisioning or managing servers.

By definition this is something quite new (and mind blowing) for people who, like me, come from the old school of building servers in a DC (hard drives, NICs, storage, etc.).

When using a service in production, we like to have everything monitored and running smoothly. At the time of writing, AWS has no built-in way to monitor (and notify) when a tunnel is down in your VPN Connection.

In order to solve this situation, I had to write a Lambda function in Python to return an error when both tunnels are down. Let me go into detail here, as it will probably be needed if you have never set up a VPN Connection.

When creating a VPN Connection, you need to create:

1) A Customer Gateway per endpoint.

2) A VPN Gateway (and attach it to your VPC).

This automatically creates 2 tunnels for redundancy. More info here.

If you can't configure both tunnels, mostly because your Customer Gateway (endpoint) does not support it, one of them will show as DOWN. This means our solution will always look for both tunnels being DOWN before it fails and notifies our SNS Topic.

At the top of this post, there is a quote that sums up what I think about complex solutions. The script I put below is exactly that: a simple way of returning a failure if both tunnels are down. Please feel free to modify it or comment in my gist if you find a better way to do it.

You can also use a CloudFormation template I created to deploy this in an easy way.

When using the CloudFormation template, be sure to upload the Python script as "vpnChecker.py.zip" to your S3 Bucket.

Find the code of vpnChecker.py here.
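As an added illustration of the "both tunnels DOWN" rule described above (this is example code, not the author's vpnChecker.py), the check below reads the `VgwTelemetry` of each VPN Connection from an EC2 `describe_vpn_connections()` response, tolerates a single DOWN tunnel, and raises only when every tunnel of a connection is down. The handler assumes the topic ARN arrives in an environment variable named `SNS_TOPIC_ARN` (an assumption, not part of the original post); the sample response is constructed inline so the pure check runs offline without boto3.

```python
import os


def down_tunnels(vpn_connection):
    """Outside IPs of the tunnels whose telemetry status is anything but 'UP'."""
    return [t["OutsideIpAddress"]
            for t in vpn_connection.get("VgwTelemetry", [])
            if t.get("Status") != "UP"]


def check_vpn_connections(response):
    """Map VpnConnectionId -> list of down tunnel IPs, but only for connections
    where ALL tunnels are down. One UP and one DOWN is treated as healthy, since a
    single DOWN tunnel is normal when the Customer Gateway supports only one."""
    failed = {}
    for conn in response.get("VpnConnections", []):
        downs = down_tunnels(conn)
        if downs and len(downs) == len(conn.get("VgwTelemetry", [])):
            failed[conn["VpnConnectionId"]] = downs
    return failed


def lambda_handler(event, context):
    """Lambda entry point. Raising makes the invocation count as an error, so a
    CloudWatch alarm on the function's Errors metric can notify the SNS Topic;
    if SNS_TOPIC_ARN (assumed env var) is set, the message is also published directly."""
    import boto3  # imported here so the pure check above stays testable offline
    failed = check_vpn_connections(boto3.client("ec2").describe_vpn_connections())
    if not failed:
        return {"status": "ok"}
    message = "VPN connections with both tunnels DOWN: " + ", ".join(
        "%s (%s)" % (vpn_id, ", ".join(ips)) for vpn_id, ips in sorted(failed.items()))
    topic_arn = os.environ.get("SNS_TOPIC_ARN")
    if topic_arn:
        boto3.client("sns").publish(TopicArn=topic_arn, Subject="VPN tunnels down", Message=message)
    raise RuntimeError(message)


# Constructed sample in the shape EC2 describe_vpn_connections() returns
SAMPLE_RESPONSE = {"VpnConnections": [
    {"VpnConnectionId": "vpn-0aaa", "VgwTelemetry": [
        {"OutsideIpAddress": "203.0.113.10", "Status": "UP"},
        {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN"}]},   # one down: healthy
    {"VpnConnectionId": "vpn-0bbb", "VgwTelemetry": [
        {"OutsideIpAddress": "198.51.100.20", "Status": "DOWN"},
        {"OutsideIpAddress": "198.51.100.21", "Status": "DOWN"}]},  # both down: alert
]}

if __name__ == "__main__":
    print(check_vpn_connections(SAMPLE_RESPONSE))
```

Schedule the function with a CloudWatch Events rule so it runs every few minutes; the Errors metric then doubles as the tunnel-down signal.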

Please contact me if you need some assistance on how to deploy and use these scripts.