Unused Virtual Private Gateways
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product features
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product featuresIdentify and delete any unused Amazon Virtual Private Gateways (VGWs) in order to adhere to best practices and to avoid reaching the service limit (by default, you are limited to 5 VGWs - attached or detached - per AWS region). An AWS Virtual Private Gateway is considered unused when is no longer associated with a VPN connection (on the VPC side of the connection). Cloud Conformity Service Limits feature (integrated into Amazon Trusted Advisor service) can also help you ensure that the allocation of AWS VGW resources is not reaching the limit.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
As good practice, every unused (detached) AWS Virtual Private Gateway should be removed from your account for a better management of your AWS resources.
To recognize any unused Virtual Private Gateways (VGWs) currently available within your AWS account, perform the following:
01 Sign in to the AWS Management Console.
02 Navigate to AWS VPC dashboard at https://console.aws.amazon.com/vpc/.
03 In the left navigation panel, under VPN Connections section, click Virtual Private Gateways.
04 Select the VPN VGW that you want to examine.
05 Select the Summary tab from the dashboard bottom panel and check the value set for the State configuration attribute listed below the resource ID. If the State value is "detached", the selected AWS Virtual Private Gateway is not attached to the VPC side of the VPN connection, therefore is considered unused and can be safely removed from your AWS account (see Remediation/Resolution section).
06 Repeat step no. 4 and 5 to determine the current state for other AWS VGWs available within the current region.
07 Change the AWS region from the navigation bar and repeat the audit process for other regions.
01 Run describe-vpn-gateways command (OSX/Linux/UNIX) using custom query filters to list the IDs of all AWS Virtual Private Gateways provisioned in the selected region:
aws ec2 describe-vpn-gateways --region us-east-1 --output table --query 'VpnGateways[*].VpnGatewayId'
02 The command output should return a table with the requested VGW IDs:
--------------------- |DescribeVpnGateways| +-------------------+ | vgw-e35fb78a | | vgw-b48da90a | | vgw-c8db335f | +-------------------+
03 Run again describe-vpn-gateways command (OSX/Linux/UNIX) using the ID of the gateway that you want to examine and custom query filters to expose the current state of the attachment between the gateway and the VPC for the selected AWS VGW:
aws ec2 describe-vpn-gateways --region us-east-1 --vpn-gateway-ids vgw-e35fb78a --query 'VpnGateways[*].VpcAttachments[*].State[]'
04 The command output should return the attachment state for the selected VGW:
[
"detached"
]
05 Repeat step no. 3 and 4 to determine the current attachment state for other AWS VGWs available in the current region.
06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the audit process for other regions.
To remove any unused AWS Virtual Private Gateways provisioned within your AWS account, perform the following:
01 Sign in to the AWS Management Console.
02 Navigate to AWS VPC dashboard at https://console.aws.amazon.com/vpc/.
03 In the left navigation panel, under VPN Connections section, click Virtual Private Gateways.
04 Select the Amazon VPN VGW that you want to remove (see Audit section part I to identify the right resource).
05 Click the Delete Virtual Private Gateway button from the dashboard top menu to initiate the resource removal.
06 Inside the Delete Virtual Private Gateway dialog box, review the gateway details one more time, then click Yes, Delete to confirm the action. If successful, the state of the removed AWS VGW should change from "detached" to "deleted".
07 Repeat steps no. 4 – 6 to remove other detached AWS Virtual Private Gateways available in the current region.
08 Change the AWS region from the navigation bar and repeat the entire process for other regions.
01 Run delete-vpn-gateway command (OSX/Linux/UNIX) using the ID of the gateway that you want to delete as identifier to remove the unused Amazon VGW selected (see Audit section part II to identify the right resource). The following command examples deletes a Virtual Private Gateway identified by the ID vgw-e35fb78a, provisioned within the US East (N. Virginia) region (if the command succeeds, no output is returned):
aws ec2 delete-vpn-gateway --region us-east-1 --vpn-gateway-id vgw-e35fb78a
02 Repeat step no. 1 to remove other unused AWS VGWs available in the current region.
03 Change the AWS region by updating the --region command parameter value and repeat step no. 1 and 2 to perform the entire process for other regions.
Whether your AWS exploration is just starting to take shape, you’re mid-way through a migration or you’re already running complex workloads in the cloud, Cloud Conformity offers full visibility of your infrastructure and provides continuous assurance it’s secure, optimized and compliant.
Chat with us to set up your onboarding session and start a free trial.
Let’s Chat