
AWS Site-to-Site VPN

What Is AWS Site-to-Site VPN?

AWS Site-to-Site VPN is a managed service that creates encrypted IPSec VPN tunnels between:

  • on-premises networks
  • branch offices
  • corporate data centers
  • remote environments

and AWS VPCs.

It enables secure hybrid connectivity over the public internet.

Think of AWS Site-to-Site VPN as:

Encrypted hybrid network connectivity between AWS and external networks.


Why It Matters for Security

AWS Site-to-Site VPN is foundational for hybrid cloud security architectures.

Organizations use it for:

  • secure hybrid networking
  • encrypted data transit
  • extending private networks into AWS
  • disaster recovery connectivity
  • secure branch office communication
  • hybrid workload access

Security teams use Site-to-Site VPN to:

  • protect data in transit
  • securely connect corporate networks to AWS
  • reduce public exposure
  • enable secure administrative access
  • support hybrid governance models

It is heavily used in:

  • enterprise hybrid architectures
  • migration environments
  • disaster recovery designs
  • multi-cloud networking
  • regulated environments

Core Concepts

  • IPSec-encrypted VPN tunnels
  • hybrid cloud connectivity
  • secure VPC access
  • internet-based encrypted transport
  • redundant VPN tunnels
  • dynamic or static routing
  • integrates with Transit Gateway and Virtual Private Gateway
  • secure private communication over public internet

Important Integrations

Amazon VPC

Site-to-Site VPN securely connects external networks to VPCs.


Virtual Private Gateway (VGW)

VGW attaches directly to a single VPC and terminates VPN tunnels.

Traditional VPN architecture.


AWS Transit Gateway (TGW)

Transit Gateway enables centralized VPN connectivity across:

  • multiple VPCs
  • multiple AWS accounts
  • enterprise hybrid environments

Very important enterprise networking pattern.


Customer Gateway (CGW)

Represents the on-premises VPN device or router.

Can be:

  • physical router
  • firewall appliance
  • virtual appliance

AWS Direct Connect

Commonly combined with VPN for:

  • encrypted transport
  • resilient hybrid connectivity
  • backup failover

Route Tables

Control hybrid routing behavior between AWS and external networks.


AWS Network Firewall

Can centrally inspect VPN-connected traffic.


VPC Flow Logs

Used for:

  • hybrid traffic visibility
  • troubleshooting
  • forensic investigations

Amazon CloudWatch

Supports:

  • tunnel monitoring
  • VPN state alarms
  • operational visibility

Security Features

IPSec Encryption

AWS Site-to-Site VPN uses IPSec tunnels to encrypt traffic between AWS and external environments.

This protects the confidentiality and integrity of data in transit.

Very important hybrid security capability.


Redundant VPN Tunnels

Each VPN connection includes:

  • two redundant VPN tunnels

This improves:

  • high availability
  • resilience
  • failover capability

Very important operational feature.


True High Availability Design

Although AWS provides two tunnels per VPN connection, both tunnels commonly terminate on the same Customer Gateway device.

For maximum resilience:

  • deploy multiple Customer Gateways
  • use multiple physical routers
  • create multiple VPN connections

Very important enterprise architecture pattern.


Dynamic Routing with BGP

Supports Border Gateway Protocol (BGP) for dynamic route exchange.

Benefits:

  • automatic failover
  • route propagation
  • simplified routing management

Very important enterprise networking feature.


Static Routing Support

Can also use static routes instead of BGP.

Common in:

  • smaller branch office deployments
  • legacy environments
  • simpler networking architectures

Accelerated Site-to-Site VPN

Accelerated VPN uses AWS Global Accelerator to improve VPN performance.

Benefits:

  • lower latency
  • reduced jitter
  • more predictable performance
  • optimized global connectivity

Traffic enters the AWS global backbone at the nearest AWS edge location.

Very important advanced hybrid networking feature.


Hybrid Network Segmentation

Organizations commonly combine VPN connectivity with:

  • Security Groups
  • NACLs
  • Transit Gateway
  • AWS Network Firewall

to enforce hybrid segmentation and least privilege access.
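VPN traffic is still subject to Security Groups, NACLs and Flow Logs, so segmentation can be verified from the logs themselves. The following is an added example (not code from the page or from AWS): it parses constructed VPC Flow Log records in the default version-2 format and flags on-premises sources that were ACCEPTed on SSH/RDP to anything other than the approved jump host. The on-prem CIDRs, the jump-host address and the log lines are all assumptions.

```python
"""Flag hybrid (VPN-sourced) flows that reach admin ports on hosts outside
an allow-list. Added example, not from the page; CIDRs, ports and log
lines are constructed."""
from ipaddress import ip_address, ip_network

# Assumptions (constructed): on-prem networks reach the VPC through the VPN,
# and only the jump host may be reached on SSH/RDP from those networks.
ONPREM_CIDRS = [ip_network("10.10.0.0/16"), ip_network("10.20.0.0/16")]
ADMIN_PORTS = {22, 3389}
ALLOWED_ADMIN_TARGETS = {"172.31.5.10"}  # constructed jump-host address

# VPC Flow Logs default format, version 2 (constructed sample records):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 10.10.4.7 172.31.5.10 51234 22 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.10.4.7 172.31.9.22 51240 22 6 12 2400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.20.1.3 172.31.9.23 51241 3389 6 8 1600 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.10.4.9 172.31.9.22 51250 443 6 30 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 172.31.9.22 40000 22 6 5 1000 1700000000 1700000060 ACCEPT OK
"""

def parse_flow_record(line):
    f = line.split()
    if len(f) < 14 or f[0] != "2" or f[13] != "OK":
        return None  # skip NODATA/SKIPDATA records and unknown formats
    return {"src": f[3], "dst": f[4], "dstport": int(f[6]),
            "proto": int(f[7]), "action": f[12]}

def is_onprem(addr):
    ip = ip_address(addr)
    return any(ip in net for net in ONPREM_CIDRS)

def find_admin_violations(log_text):
    """Return ACCEPTed TCP flows from on-prem CIDRs to SSH/RDP on hosts that
    are not approved admin targets (REJECTs show the NACL/SG did its job)."""
    hits = []
    for line in log_text.splitlines():
        r = parse_flow_record(line)
        if not r or r["action"] != "ACCEPT" or r["proto"] != 6:
            continue
        if is_onprem(r["src"]) and r["dstport"] in ADMIN_PORTS \
                and r["dst"] not in ALLOWED_ADMIN_TARGETS:
            hits.append((r["src"], r["dst"], r["dstport"]))
    return hits

if __name__ == "__main__":
    for src, dst, port in find_admin_violations(SAMPLE_FLOW_LOG):
        print(f"on-prem {src} reached {dst}:{port} over the VPN; tighten SG/NACL")
```

Only the second record is reported: the first hits the approved jump host, the third was already rejected, the fourth is HTTPS, and the fifth did not come from an on-prem range.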


Secure Administrative Access

VPNs commonly provide secure administrative access to:

  • EC2 instances
  • private workloads
  • internal management systems

without exposing workloads publicly.


Transit Encryption

Traffic remains encrypted while traversing the public internet.

Very important compliance and regulatory capability.


NAT Traversal (NAT-T)

AWS Site-to-Site VPN supports NAT Traversal (NAT-T).

This allows VPN connectivity when the Customer Gateway is located behind a NAT device.

NAT-T commonly uses:

  • UDP port 4500

Very important real-world networking detail.


Centralized Hybrid Connectivity

Transit Gateway enables centralized VPN architectures across:

  • multiple VPCs
  • multiple AWS accounts
  • multiple branch offices

Very important enterprise networking design pattern.


VPN Monitoring and Visibility

CloudWatch and VPC Flow Logs support:

  • tunnel monitoring
  • hybrid traffic visibility
  • VPN troubleshooting
  • operational analytics
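CloudWatch publishes a per-tunnel TunnelState metric (1 = up, 0 = down) in the AWS/VPN namespace, keyed by the VpnId and TunnelIpAddress dimensions. The block below is an added example, not code from the page or from AWS: it classifies a connection as HEALTHY, DEGRADED (one tunnel down, so the redundancy described above is lost) or DOWN from constructed datapoints, and builds the keyword arguments for a CloudWatch alarm without calling the API. The VPN id, tunnel addresses and SNS topic are assumptions.

```python
"""Classify Site-to-Site VPN health from CloudWatch TunnelState datapoints
and build the matching alarm request. Added example; VPN id, tunnel IPs
and datapoints are constructed."""

# AWS/VPN publishes TunnelState per tunnel (1 = up, 0 = down) with the
# VpnId and TunnelIpAddress dimensions. Constructed sample shaped like the
# Datapoints list returned by get_metric_statistics, one query per tunnel.
VPN_ID = "vpn-0123456789abcdef0"  # constructed
TUNNEL_DATAPOINTS = {
    "203.0.113.10": [{"Timestamp": 1700000000, "Minimum": 1.0},
                     {"Timestamp": 1700000300, "Minimum": 1.0}],
    "203.0.113.11": [{"Timestamp": 1700000000, "Minimum": 1.0},
                     {"Timestamp": 1700000300, "Minimum": 0.0}],
}

def latest_state(datapoints):
    """Return the most recent Minimum (0/1); None if the tunnel is silent."""
    if not datapoints:
        return None  # missing data is itself a finding
    return sorted(datapoints, key=lambda d: d["Timestamp"])[-1]["Minimum"]

def classify_connection(datapoints_by_tunnel):
    """HEALTHY: both up. DEGRADED: one up (HA lost). DOWN: none up."""
    states = [latest_state(dp) for dp in datapoints_by_tunnel.values()]
    up = sum(1 for s in states if s == 1.0)
    if up == len(states) and up > 0:
        return "HEALTHY"
    return "DEGRADED" if up > 0 else "DOWN"

def tunnel_state_alarm(vpn_id, tunnel_ip, sns_topic_arn):
    """Keyword arguments for CloudWatch put_metric_alarm (not called here).
    Alarm when the tunnel reports down for 3 consecutive 5-minute periods;
    treat missing data as breaching so a silent tunnel also pages."""
    return {
        "AlarmName": f"{vpn_id}-{tunnel_ip}-tunnel-down",
        "Namespace": "AWS/VPN",
        "MetricName": "TunnelState",
        "Dimensions": [{"Name": "VpnId", "Value": vpn_id},
                       {"Name": "TunnelIpAddress", "Value": tunnel_ip}],
        "Statistic": "Maximum",
        "Period": 300,
        "EvaluationPeriods": 3,
        "Threshold": 1,
        "ComparisonOperator": "LessThanThreshold",
        "TreatMissingData": "breaching",
        "AlarmActions": [sns_topic_arn],
    }

if __name__ == "__main__":
    print(VPN_ID, classify_connection(TUNNEL_DATAPOINTS))
```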

Performance and Scaling

VPN Throughput Limits

A single Site-to-Site VPN tunnel supports approximately:

  • 1.25 Gbps throughput

Very important operational limitation.


ECMP (Equal-Cost Multi-Path)

Transit Gateway supports ECMP routing.

This allows organizations to:

  • aggregate bandwidth
  • load-balance traffic
  • scale VPN throughput

Example:

  • multiple VPN tunnels connected to TGW
  • traffic distributed across tunnels

Very important enterprise scaling pattern.


VGW vs TGW ECMP Support

Transit Gateway:

  • supports ECMP

Virtual Private Gateway:

  • does not support ECMP

Very important architectural distinction.
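The two design rules above (a single Customer Gateway is one failure domain, and only Transit Gateway with ECMP turns extra tunnels into extra bandwidth) can be checked mechanically before a design is built. This added example, not code from the page or from AWS, models a VPN design with the approximate 1.25 Gbps per-tunnel figure from this page; the VpnDesign fields, the active/standby assumption for non-ECMP paths and the sample designs are assumptions.

```python
"""Evaluate a Site-to-Site VPN design for single points of failure and
usable throughput. Added example; the per-tunnel figure comes from the
page (about 1.25 Gbps), everything else is constructed."""
from dataclasses import dataclass
import math

TUNNEL_GBPS = 1.25          # approximate per-tunnel limit stated above
TUNNELS_PER_CONNECTION = 2  # each VPN connection always has two tunnels

@dataclass
class VpnDesign:
    gateway: str                # "tgw" or "vgw"
    customer_gateways: int      # distinct on-prem devices
    connections: int            # VPN connections, spread across those devices
    ecmp_enabled: bool = False  # TGW VPN ECMP; unsupported on VGW

def usable_gbps(d: VpnDesign) -> float:
    """Aggregate throughput the design can actually use. Without ECMP only
    one tunnel carries traffic at a time (active/standby assumption), so
    capacity stays at one tunnel no matter how many connections exist."""
    if d.gateway == "tgw" and d.ecmp_enabled:
        return d.connections * TUNNELS_PER_CONNECTION * TUNNEL_GBPS
    return TUNNEL_GBPS

def findings(d: VpnDesign) -> list:
    out = []
    if d.customer_gateways < 2:
        out.append("single Customer Gateway device: both tunnels share one "
                   "on-prem failure domain")
    if d.connections < d.customer_gateways:
        out.append("fewer VPN connections than devices: some devices carry no tunnel")
    if d.gateway == "vgw" and d.ecmp_enabled:
        out.append("ECMP requested on VGW: not supported, capacity is one tunnel")
    if d.gateway == "vgw" and d.connections > 1:
        out.append("multiple connections on VGW add redundancy but not bandwidth")
    return out

def connections_needed(target_gbps: float) -> int:
    """Minimum TGW+ECMP VPN connections to reach target_gbps."""
    return max(1, math.ceil(target_gbps / (TUNNELS_PER_CONNECTION * TUNNEL_GBPS)))

if __name__ == "__main__":
    branch = VpnDesign("vgw", 1, 1)
    enterprise = VpnDesign("tgw", 2, 2, ecmp_enabled=True)
    for d in (branch, enterprise):
        print(d.gateway, usable_gbps(d), "Gbps", findings(d) or ["no findings"])
```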


Architecture Example

Enterprise Hybrid Connectivity Architecture

```mermaid
flowchart TD

    ONPREM[On-Premises Data Center]

    CGW1[Customer Gateway Router 1]
    CGW2[Customer Gateway Router 2]

    TGW[AWS Transit Gateway]

    subgraph AWS [AWS Cloud]

        subgraph PROD [Production VPC]
            APP[EC2 Application Servers]
            DB[Amazon RDS]
        end

        subgraph SHARED [Shared Services VPC]
            DNS[Internal DNS]
            LOGS[Central Logging]
        end

        VPN1[VPN Tunnel 1]
        VPN2[VPN Tunnel 2]
        VPN3[VPN Tunnel 3]
        VPN4[VPN Tunnel 4]

        FW[AWS Network Firewall]

        FLOW[VPC Flow Logs]

        CW[Amazon CloudWatch]
    end

    ONPREM --> CGW1
    ONPREM --> CGW2

    CGW1 --> VPN1
    CGW1 --> VPN2

    CGW2 --> VPN3
    CGW2 --> VPN4

    VPN1 --> TGW
    VPN2 --> TGW
    VPN3 --> TGW
    VPN4 --> TGW

    TGW --> FW

    FW --> APP
    FW --> DB
    FW --> DNS
    FW --> LOGS

    APP -. Traffic Metadata .-> FLOW
    DB -. Traffic Metadata .-> FLOW

    VPN1 -. Tunnel Metrics .-> CW
    VPN2 -. Tunnel Metrics .-> CW
    VPN3 -. Tunnel Metrics .-> CW
    VPN4 -. Tunnel Metrics .-> CW

    FLOW --> CW

    classDef hybrid fill:#ede7f6,stroke:#5e35b1,color:#311b92;
    classDef security fill:#e8f5e9,stroke:#2e7d32,color:#1b5e20;
    classDef monitoring fill:#fff3e0,stroke:#ef6c00,color:#e65100;

    class ONPREM,CGW1,CGW2,TGW,APP,DB,DNS,LOGS hybrid;
    class VPN1,VPN2,VPN3,VPN4,FW security;
    class FLOW,CW monitoring;
```

Use case: resilient enterprise hybrid connectivity using redundant Customer Gateways, Transit Gateway, ECMP, and IPSec VPN tunnels.


Hybrid VPN Traffic Workflow

```mermaid
sequenceDiagram
    autonumber

    participant USER as On-Premises User
    participant CGW as Customer Gateway
    participant VPN as IPSec VPN Tunnel
    participant TGW as Transit Gateway
    participant SG as Security Group
    participant APP as EC2 Application

    USER->>CGW: Send hybrid application request

    CGW->>VPN: Encrypt traffic using IPSec

    VPN->>TGW: Deliver encrypted traffic to AWS

    TGW->>SG: Route traffic to target VPC

    SG->>APP: Allow workload access

    APP-->>USER: Return encrypted response traffic
```

Use case: secure encrypted hybrid communication between on-premises users and AWS workloads.


Site-to-Site VPN vs Direct Connect

Site-to-Site VPN                       | AWS Direct Connect
internet-based encrypted connectivity  | dedicated private network connection
IPSec encryption                       | private transport
faster deployment                      | lower latency and predictable throughput
lower setup cost                       | enterprise-scale connectivity
ideal for secure hybrid networking     | ideal for high-performance workloads

Use Site-to-Site VPN when:

  • encrypted connectivity is required quickly
  • hybrid workloads need secure internet-based connectivity
  • backup connectivity is needed

Use Direct Connect when:

  • low latency is critical
  • high throughput is required
  • predictable performance is required

Direct Connect Encryption Nuance

AWS Direct Connect provides:

  • private connectivity

but not:

  • encryption by default

Common architecture pattern:

  • Direct Connect + Site-to-Site VPN

This provides:

  • private connectivity
  • encrypted transport

Advanced note:

  • MACsec encryption is supported on select dedicated Direct Connect connections

Very important hybrid networking distinction.


Site-to-Site VPN vs Client VPN

Site-to-Site VPN                    | AWS Client VPN
network-to-network connectivity     | user-to-network connectivity
connects offices and data centers   | connects individual users
hybrid infrastructure focused       | remote workforce focused
router/firewall termination         | endpoint device termination

Use Site-to-Site VPN when:

  • connecting branch offices
  • integrating data centers
  • building hybrid infrastructure

Use Client VPN when:

  • enabling remote employee access
  • supporting remote administration
  • securing user endpoints

Site-to-Site VPN vs Transit Gateway Peering

Site-to-Site VPN                | Transit Gateway Peering
hybrid encrypted connectivity   | AWS-to-AWS backbone connectivity
internet-based IPSec tunnels    | AWS global backbone routing
connects external environments  | connects AWS regions/TGWs
hybrid networking focus         | cloud-native routing focus

Use Site-to-Site VPN when:

  • connecting on-premises networks
  • building hybrid environments

Use Transit Gateway Peering when:

  • connecting AWS regions
  • building global AWS routing backbones

Common Exam Traps

Trap 1 — Confusing Site-to-Site VPN and Client VPN

Site-to-Site VPN:

  • network-to-network

Client VPN:

  • user-to-network

Very important distinction.


Trap 2 — Forgetting Redundant Tunnels

Each VPN connection includes:

  • two redundant tunnels

Very important high availability behavior.


Trap 3 — Assuming VPN Traffic Is Unencrypted

Site-to-Site VPN uses:

  • IPSec encryption

Traffic remains encrypted over the public internet.


Trap 4 — Confusing VGW and TGW

VGW:

  • attached to one VPC

TGW:

  • centralized multi-VPC routing

Very important enterprise networking distinction.


Trap 5 — Forgetting Throughput Limits

Single VPN tunnel throughput is limited.

Large-scale architectures commonly use:

  • Transit Gateway
  • ECMP
  • multiple VPN tunnels

for scaling bandwidth.


Trap 6 — Assuming VGW Supports ECMP

Transit Gateway:

  • supports ECMP

VGW:

  • does not support ECMP

Very important scaling distinction.


Trap 7 — Assuming Direct Connect Is Encrypted

Direct Connect:

  • private
  • not encrypted by default

Common secure design:

  • VPN over Direct Connect


Trap 8 — Forgetting Hybrid Segmentation Controls

VPN traffic should still use:

  • Security Groups
  • NACLs
  • AWS Network Firewall
  • routing policies

Very important hybrid security principle.


Trap 9 — Assuming One Customer Gateway Is Fully HA

Maximum resilience commonly requires:

  • multiple Customer Gateway devices
  • multiple VPN connections

Very important disaster recovery consideration.


5-Second Recall

Identity

Site-to-Site VPN = encrypted hybrid network connectivity between AWS and external networks


Keywords

If the scenario mentions:

  • IPSec tunnels
  • hybrid networking
  • encrypted branch office access
  • on-premises integration
  • secure VPN tunnels
  • hybrid cloud connectivity

Answer:

→ AWS Site-to-Site VPN


Network-to-Network Trigger

If the requirement involves:

  • office connectivity
  • branch integration
  • data center connectivity
  • hybrid infrastructure

Answer:

→ Site-to-Site VPN


Remote User Trigger

If the requirement involves:

  • remote employees
  • endpoint users
  • user VPN connectivity

Answer:

→ AWS Client VPN


High-Performance Hybrid Trigger

If the requirement involves:

  • dedicated private circuits
  • predictable latency
  • enterprise WAN connectivity

Answer:

→ AWS Direct Connect


Need scalable VPN throughput?

→ Transit Gateway + ECMP


Need centralized multi-VPC hybrid routing?

→ Transit Gateway + Site-to-Site VPN


Need encrypted hybrid transport?

→ IPSec VPN


Need secure Direct Connect encryption?

→ VPN over Direct Connect


Quick Revision Notes

  • encrypted IPSec hybrid connectivity service
  • connects AWS with external networks
  • supports redundant VPN tunnels
  • supports BGP dynamic routing
  • integrates with Transit Gateway and VGW
  • traffic remains encrypted over internet
  • Transit Gateway supports ECMP scaling
  • VGW does not support ECMP
  • single VPN tunnel throughput is limited
  • Accelerated VPN improves global performance
  • NAT-T supports VPN behind NAT devices
  • Direct Connect is private but not encrypted by default
  • VPN over Direct Connect is common secure architecture
  • Security Groups and NACLs still apply to VPN traffic
  • foundational AWS hybrid networking service
  • important enterprise and disaster recovery connectivity service