In Amazon VPC VPN connection links your data center (or network) to your Amazon VPC virtual private cloud (VPC). A customer gateway is the anchor on your side of that connection with the other side usually being the AWS VPN gateway.

If you are using customer GW’s to connect to your AWS environment, it is important that you ensure it meets your security requirements. You can now reason on your VPN connection within the Dome9 Compliance Engine. Let’s look at some examples.

To make sure that customer gateway has VPN connections established, you can use check the number of VPN connections:

CustomerGateway should have vpnConnections

It is possible to verify established connection properties, for example making sure that the routing is static:

CustomerGateway should have vpnConnections with [options.staticRoutesOnly=true]

It is also possible to verify other connection attributes, such as the source and destination addresses, and various telemetry attributes.

Amazon limits the number of VPN connections in each region. To make sure the limit has not been reached, you can use the following query:

List<CustomerGateway> should have items groupBy [region] contain-all [values length()<50]