Secure tunnel lifecycle
Tunnels can have the status OPEN or CLOSED. Connections to the tunnel can have the status CONNECTED or DISCONNECTED. The following shows how the different tunnel and connection statuses work.
- When you open a tunnel, it has a status of OPEN. The tunnel's source and destination connection status is set to DISCONNECTED.
- When a device (source or destination) connects to the tunnel, the corresponding connection status changes to CONNECTED.
- When a device disconnects from the tunnel while the tunnel status remains OPEN, the corresponding connection status changes back to DISCONNECTED. A device can connect to and disconnect from a tunnel repeatedly as long as the tunnel remains OPEN.

  Note: The client access tokens (CAT) can only be used once to connect to a tunnel. To reconnect to the tunnel, rotate the client access tokens using the RotateTunnelAccessToken API operation or the rotate-tunnel-access-token CLI command. For examples, see Resolving Amazon IoT secure tunneling connectivity issues by rotating client access tokens.
- When you call CloseTunnel, or the tunnel remains OPEN for longer than the MaxLifetimeTimeout value, the tunnel's status becomes CLOSED. You can configure MaxLifetimeTimeout when calling OpenTunnel. MaxLifetimeTimeout defaults to 12 hours if you do not specify a value.

  Note: A tunnel cannot be reopened once it is CLOSED.
- You can call DescribeTunnel and ListTunnels to view tunnel metadata while the tunnel is visible. The tunnel can be visible in the Amazon IoT console for at least three hours before it is deleted.
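The lifecycle above, modelled as a small offline state machine so the rules can be exercised together: single-use CATs, rotation to reconnect, the 12-hour MaxLifetimeTimeout default, and no reopening once CLOSED. This is an added example, not AWS code or the service's API; times are plain seconds, token values are constructed placeholders, and the rule that closing a tunnel drops both connections is an assumption of the model.

```python
import secrets

DEFAULT_MAX_LIFETIME = 12 * 3600  # MaxLifetimeTimeout default: 12 hours, in seconds


class TunnelError(Exception):
    pass


class Tunnel:
    def __init__(self, now, max_lifetime=DEFAULT_MAX_LIFETIME):
        self.opened_at, self.max_lifetime = now, max_lifetime
        self.status = "OPEN"
        self.connection = {"source": "DISCONNECTED", "destination": "DISCONNECTED"}
        self.tokens = {}  # side -> {"value": CAT, "used": bool}

    def _issue_token(self, side):
        tok = secrets.token_hex(8)  # constructed placeholder, not a real CAT format
        self.tokens[side] = {"value": tok, "used": False}
        return tok

    def _expire(self, now):
        # A tunnel left OPEN past MaxLifetimeTimeout becomes CLOSED
        if self.status == "OPEN" and now - self.opened_at >= self.max_lifetime:
            self.close()

    def rotate_token(self, side, now):
        """Models RotateTunnelAccessToken: a fresh single-use CAT for one side."""
        self._expire(now)
        if self.status != "OPEN":
            raise TunnelError("tunnel is CLOSED and cannot be reopened")
        return self._issue_token(side)

    def connect(self, side, token, now):
        self._expire(now)
        if self.status != "OPEN":
            raise TunnelError("tunnel is CLOSED")
        cat = self.tokens.get(side)
        if cat is None or cat["used"] or cat["value"] != token:
            raise TunnelError("CAT invalid or already used; rotate it to reconnect")
        cat["used"] = True  # a CAT can be used only once
        self.connection[side] = "CONNECTED"

    def disconnect(self, side):
        self.connection[side] = "DISCONNECTED"  # tunnel stays OPEN; CAT stays spent

    def close(self):
        """Models CloseTunnel; also reached once MaxLifetimeTimeout elapses."""
        self.status = "CLOSED"
        for side in self.connection:  # assumption: closing drops both connections
            self.connection[side] = "DISCONNECTED"


def open_tunnel(now, max_lifetime=DEFAULT_MAX_LIFETIME):
    """Models OpenTunnel: returns the tunnel and its initial source/destination CATs."""
    t = Tunnel(now, max_lifetime)
    return t, t._issue_token("source"), t._issue_token("destination")
```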