AWS Site-to-Site VPN: What It Is and When to Use It

Definition

AWS Site-to-Site VPN is a fully managed service that creates an encrypted connection between your on-premises data center, branch office, or colocation facility and your Amazon Virtual Private Clouds (VPCs). It uses standard IP Security (IPsec) tunnels to establish this link over the public internet, effectively extending your on-premises network into the AWS Cloud.

How It Works

An AWS Site-to-Site VPN connection links two main components: a Customer Gateway on your on-premises network and a Target Gateway on the AWS side.

  1. Customer Gateway (CGW): This is a physical device or software application on your side of the connection (e.g., a router or firewall). You register it with AWS as a customer gateway resource that records its public IP address, its routing type (static, or dynamic using Border Gateway Protocol, BGP) and, for dynamic routing, its BGP Autonomous System Number (ASN).

  2. Target Gateway: This is the VPN endpoint on the AWS side. It can be one of two types:

    • Virtual Private Gateway (VGW): This is the original VPN endpoint that attaches to a single VPC.
    • AWS Transit Gateway (TGW): A more modern and scalable option, the TGW acts as a regional network hub that can connect thousands of VPCs, on-premises networks, and other AWS services together.

When you create a Site-to-Site VPN connection, AWS provisions two redundant VPN tunnels, each terminating on a different endpoint in a separate Availability Zone (AZ) for high availability. If one tunnel fails or is taken down for endpoint maintenance, traffic routes through the second tunnel, but only if your device has both tunnels configured; a device configured for a single tunnel loses connectivity whenever AWS services that endpoint. You configure your customer gateway device using a configuration file provided by AWS to establish the IPsec tunnels, and your on-premises firewall must permit IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50) to and from the two AWS tunnel endpoint addresses. Once connected, you update your VPC route tables (or enable route propagation) to direct traffic destined for your on-premises network through the target gateway.

Key Features and Limits

  • High Availability: Each VPN connection includes two tunnels by default, terminating in different AZs for automatic failover.
  • Routing Options: Supports both static routing and dynamic routing with BGP for automated route propagation and failover.
  • Encryption: Uses the IPsec protocol suite to secure data in transit.
  • Bandwidth: Standard tunnels support up to 1.25 Gbps. For higher throughput needs, Large Bandwidth Tunnels attached to a Transit Gateway support up to 5 Gbps. You can also use Equal-Cost Multi-Path (ECMP) routing with a Transit Gateway to aggregate bandwidth across multiple VPN tunnels; this requires dynamic (BGP) routing on the VPN attachments and ECMP support enabled on the Transit Gateway, and a single flow is still limited to one tunnel.
  • Accelerated Site-to-Site VPN: An optional feature that uses the AWS Global Accelerator network to route traffic from your on-premises network to the nearest AWS edge location, improving performance and reducing latency for geographically dispersed networks. This is only supported for VPNs attached to a Transit Gateway.
  • Private IP VPN: Allows you to run your Site-to-Site VPN over an AWS Direct Connect connection, providing end-to-end encryption for your dedicated link without exposing the tunnel endpoints to the internet. It requires a Transit Gateway reached through a Direct Connect gateway (transit virtual interface); it is not available on a Virtual Private Gateway.
  • Monitoring: Integrates with Amazon CloudWatch for visibility into the health and performance of your VPN connections.
  • IPv6 Support: A Site-to-Site VPN connection can transport either IPv4 or IPv6 traffic, but not both simultaneously. IPv6 traffic is not supported on connections to a Virtual Private Gateway.
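The connection-creation step above and the Encryption bullet both leave one detail implicit: the AWS endpoint accepts every IKE version, cipher, integrity algorithm and DH group it supports unless you restrict them with tunnel options, so the peer device decides how strong the tunnel actually is. The following added example (my code, not AWS's or this article's) encodes the constraints AWS documents for tunnel options (allowed algorithm values, the /30 inside-CIDR rule and its reserved ranges, pre-shared-key format, lifetime ranges), reviews a set of options for weak or permissive settings, builds an IKEv2-only profile for both tunnels, and assembles the keyword arguments for boto3's `ec2.create_vpn_connection` without calling it. The gateway IDs and pre-shared keys are constructed placeholders; the helper names and the "hardened" choices (AES-256-GCM, SHA2-384, DH group 20, 4-hour Phase 1 lifetime) are mine.

```python
"""Review and build hardened tunnel options for an AWS Site-to-Site VPN connection.

Added example, not AWS code. Gateway IDs and keys are constructed placeholders;
nothing here talks to AWS.
"""
import ipaddress
import re

# Values AWS accepts for the list-valued TunnelOptions fields.
ENC = {"AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"}
INTEG = {"SHA1", "SHA2-256", "SHA2-384", "SHA2-512"}
ALLOWED = {
    "Phase1EncryptionAlgorithms": ENC, "Phase2EncryptionAlgorithms": ENC,
    "Phase1IntegrityAlgorithms": INTEG, "Phase2IntegrityAlgorithms": INTEG,
    "Phase1DHGroupNumbers": {2, *range(14, 25)},
    "Phase2DHGroupNumbers": {2, 5, *range(14, 25)},
    "IKEVersions": {"ikev1", "ikev2"},
}
# Accepted by AWS but not something a security review should let through.
WEAK = {"ikev1", "SHA1", 2, 5}

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
# /30 blocks AWS reserves; create-vpn-connection rejects them as TunnelInsideCidr.
RESERVED_INSIDE = {ipaddress.ip_network(c) for c in (
    "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
    "169.254.4.0/30", "169.254.5.0/30", "169.254.169.252/30")}
# 8-64 characters from letters, digits, '.' and '_'; must not start with '0'.
PSK_RE = re.compile(r"[A-Za-z1-9._][A-Za-z0-9._]{7,63}")


def inside_addresses(cidr: str) -> tuple[str, str]:
    """Return the (customer gateway, AWS) inside addresses of a /30 TunnelInsideCidr.

    The AWS-generated device configuration assigns the first usable host to the
    customer gateway and the second to the AWS endpoint; these are the BGP peers.
    """
    first, second = ipaddress.ip_network(cidr).hosts()
    return str(first), str(second)


def _values(opts: dict, key: str):
    """Unwrap the [{'Value': x}, ...] shape the EC2 API uses for list options."""
    items = opts.get(key)
    return None if items is None else {item["Value"] for item in items}


def validate_tunnel_options(opts: dict) -> list[str]:
    """Return review findings; an empty list means the options pass."""
    findings = []
    cidr = opts.get("TunnelInsideCidr")
    if cidr is not None:
        try:
            net = ipaddress.ip_network(cidr)  # strict: host bits set is an error
        except ValueError:
            findings.append(f"TunnelInsideCidr {cidr!r} is not a valid network")
        else:
            if net.prefixlen != 30 or not net.subnet_of(LINK_LOCAL):
                findings.append(f"TunnelInsideCidr {cidr} must be a /30 within 169.254.0.0/16")
            elif net in RESERVED_INSIDE:
                findings.append(f"TunnelInsideCidr {cidr} is reserved by AWS")
    psk = opts.get("PreSharedKey")
    if psk is not None and not PSK_RE.fullmatch(psk):
        findings.append("PreSharedKey must be 8-64 chars of [A-Za-z0-9._] and not start with 0")
    for key, allowed in ALLOWED.items():
        values = _values(opts, key)
        if values is None:
            # Unset means the endpoint negotiates any supported value: permissive default.
            findings.append(f"{key} not restricted: endpoint accepts all supported values")
            continue
        if values - allowed:
            findings.append(f"{key} has unsupported values {sorted(values - allowed, key=str)}")
        if values & WEAK:
            findings.append(f"{key} permits weak values {sorted(values & WEAK, key=str)}")
    p1 = opts.get("Phase1LifetimeSeconds", 28800)
    p2 = opts.get("Phase2LifetimeSeconds", 3600)
    margin = opts.get("RekeyMarginTimeSeconds", 540)
    if not 900 <= p1 <= 28800:
        findings.append("Phase1LifetimeSeconds must be 900-28800")
    if not 900 <= p2 <= 3600:
        findings.append("Phase2LifetimeSeconds must be 900-3600")
    if not 60 <= margin <= p2 // 2:
        findings.append("RekeyMarginTimeSeconds must be between 60 and Phase2LifetimeSeconds/2")
    return findings


def hardened_tunnel_options(psk: str, inside_cidr: str) -> dict:
    """IKEv2 only, AES-256-GCM, SHA2-384 (integrity/PRF), DH group 20 for both phases."""
    wrap = lambda *vals: [{"Value": v} for v in vals]
    return {
        "TunnelInsideCidr": inside_cidr, "PreSharedKey": psk,
        "IKEVersions": wrap("ikev2"),
        "Phase1EncryptionAlgorithms": wrap("AES256-GCM-16"),
        "Phase2EncryptionAlgorithms": wrap("AES256-GCM-16"),
        "Phase1IntegrityAlgorithms": wrap("SHA2-384"),
        "Phase2IntegrityAlgorithms": wrap("SHA2-384"),
        "Phase1DHGroupNumbers": wrap(20), "Phase2DHGroupNumbers": wrap(20),
        "Phase1LifetimeSeconds": 14400, "Phase2LifetimeSeconds": 3600,
        "RekeyMarginTimeSeconds": 540, "DPDTimeoutSeconds": 30,
        "DPDTimeoutAction": "restart",
        "StartupAction": "start",  # AWS side initiates; only valid with IKEv2
    }


def create_vpn_connection_request(cgw_id: str, tgw_id: str, tunnels: list) -> dict:
    """Keyword arguments for ec2.create_vpn_connection: BGP routing, Transit Gateway target."""
    return {"Type": "ipsec.1", "CustomerGatewayId": cgw_id, "TransitGatewayId": tgw_id,
            "Options": {"StaticRoutesOnly": False, "TunnelOptions": tunnels}}


# Constructed placeholders so the module runs stand-alone (not real IDs or keys).
SAMPLE_REQUEST = create_vpn_connection_request(
    "cgw-0123456789abcdef0", "tgw-0123456789abcdef0",
    [hardened_tunnel_options("Tunnel1_example_psk_2026", "169.254.44.0/30"),
     hardened_tunnel_options("Tunnel2_example_psk_2026", "169.254.44.4/30")])
# Production use: boto3.client("ec2").create_vpn_connection(**SAMPLE_REQUEST)
```

Running `validate_tunnel_options({})` shows the point of the example: every algorithm field comes back as "not restricted". Apply the same options to an existing connection with `modify-vpn-tunnel-options`, one tunnel at a time, so the other tunnel carries traffic during the renegotiation. Certificate-based authentication (an ACM Private CA certificate on the customer gateway instead of a pre-shared key) is the other hardening option AWS offers and is not modelled here.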

Common Use Cases

  • Hybrid Cloud Architecture: Securely extend your on-premises data center into AWS, allowing applications to communicate seamlessly across both environments.
  • Application Migration: Move applications to the cloud without changing how users access them by making AWS resources appear as part of your corporate network.
  • Secure Branch Office Connectivity: Connect remote offices or retail locations to your AWS resources and each other through a central Transit Gateway.
  • Disaster Recovery (DR): Establish a secure connection to a DR site in AWS for replicating data and failing over critical applications.
  • Backup for AWS Direct Connect: Use a Site-to-Site VPN as a cost-effective, redundant backup connection in case your primary AWS Direct Connect link fails.
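The "backup for Direct Connect" pattern only works because of the order in which a gateway picks among routes to the same prefix; the article states the use case but not the mechanism. The following added example (my code, not AWS's or this article's) models the evaluation order AWS documents for a virtual private gateway: longest prefix match first; for equal prefixes, routes propagated from Direct Connect beat static VPN routes, which beat BGP-propagated VPN routes; among BGP routes the shortest AS_PATH wins, then the lowest MED. It then walks a constructed failover sequence (Direct Connect down, then one VPN tunnel down). The route set, target names and ASN are constructed sample data.

```python
"""Route selection when Direct Connect and Site-to-Site VPN announce the same prefixes.

Added example, not AWS code. Models the documented VGW preference order;
all routes are constructed sample data.
"""
from dataclasses import dataclass, replace
import ipaddress

# Lower rank wins for equal-length prefixes.
SOURCE_RANK = {"dx-bgp": 0, "vpn-static": 1, "vpn-bgp": 2}


@dataclass(frozen=True)
class Route:
    prefix: str          # CIDR learned or configured on the gateway
    source: str          # key of SOURCE_RANK
    target: str          # where traffic is sent (VIF or VPN tunnel name)
    as_path: tuple = ()  # BGP AS_PATH as received; () for static routes
    med: int = 0
    up: bool = True      # False once the BGP session / tunnel is down


def select_route(dest: str, routes):
    """Return the Route the gateway would use for dest, or None if nothing matches."""
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in routes if r.up and addr in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (
        -ipaddress.ip_network(r.prefix).prefixlen,  # longest prefix first
        SOURCE_RANK[r.source],                      # DX > static VPN > BGP VPN
        len(r.as_path),                             # shortest AS_PATH
        r.med,                                      # lowest MED
    ))


# Constructed sample: one DX private VIF and one VPN connection (two tunnels), all
# announcing the corporate 10.0.0.0/16. Tunnel 2 is AS-prepended on-prem so tunnel 1
# carries VPN traffic unless it fails. One /24 is reachable only over the VPN.
ON_PREM_ASN = 65000
ROUTES = (
    Route("10.0.0.0/16", "dx-bgp", "dx-private-vif", as_path=(ON_PREM_ASN,)),
    Route("10.0.0.0/16", "vpn-bgp", "vpn-tunnel-1", as_path=(ON_PREM_ASN,)),
    Route("10.0.0.0/16", "vpn-bgp", "vpn-tunnel-2", as_path=(ON_PREM_ASN,) * 3),
    Route("10.0.50.0/24", "vpn-bgp", "vpn-tunnel-1", as_path=(ON_PREM_ASN,)),
)


def failover_sequence(dest: str, routes=ROUTES):
    """Target chosen for dest at each stage: all links up, DX down, DX and tunnel 1 down."""
    stages = [tuple(routes)]
    stages.append(tuple(replace(r, up=False) if r.source == "dx-bgp" else r for r in stages[-1]))
    stages.append(tuple(replace(r, up=False) if r.target == "vpn-tunnel-1" else r for r in stages[-1]))
    chosen = []
    for stage in stages:
        route = select_route(dest, stage)
        chosen.append(route.target if route else None)
    return chosen


if __name__ == "__main__":
    for dest in ("10.0.1.1", "10.0.50.9"):
        print(dest, "->", failover_sequence(dest))
```

Two things the model makes visible. First, the more specific `/24` is used over the VPN even while Direct Connect is healthy, so advertising different prefix lengths on the two paths silently moves traffic off the dedicated link. Second, this is only the AWS-to-on-premises direction: the on-premises router applies its own BGP policy for return traffic (typically a higher local preference on the Direct Connect session), and if the two directions disagree, stateful firewalls in the path drop the asymmetric flows.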

Pricing Model

The pricing for AWS Site-to-Site VPN has a few components:

  • VPN Connection-Hour: You are charged a fixed hourly rate for each VPN connection that is provisioned and available. The hourly rate varies for standard (1.25 Gbps) and high-bandwidth (5 Gbps) connections.
  • Data Transfer Out: Standard AWS data transfer charges apply for all data going out from AWS over the VPN connection to your on-premises network.
  • Accelerated VPN (Optional): If you enable this feature, you incur additional hourly charges for the two AWS Global Accelerators provisioned on your behalf, plus a data transfer premium.

There are no additional charges for data transferred into AWS from your network or for using IPv6. For detailed pricing, consult the official AWS VPN Pricing page.

Pros and Cons

Pros:

  • Security: Provides industry-standard IPsec encryption for data in transit. The strength actually negotiated depends on configuration: unless you restrict the tunnel options, the AWS endpoint accepts every IKE version, cipher, integrity algorithm and DH group it supports (including IKEv1, SHA-1 and DH group 2), and the peer device's proposal decides the outcome. Restrict both tunnels to IKEv2 with AEAD ciphers, SHA-2 and a modern DH group, and consider certificate-based authentication (via AWS Private CA) instead of a pre-shared key.
  • Cost-Effective: Generally lower cost and quicker to set up compared to a dedicated private connection like AWS Direct Connect, especially for initial cloud adoption or lower bandwidth needs.
  • Fast Provisioning: Can be set up in minutes or hours, compared to the weeks or months it can take to provision a Direct Connect circuit.
  • Managed Service: AWS manages the availability and maintenance of the VPN endpoints on the AWS side, including automatic failover between tunnels.

Cons:

  • Variable Performance: Because it operates over the public internet, performance (latency and throughput) can be inconsistent and is not guaranteed.
  • Limited Bandwidth: While throughput has increased to 5 Gbps per tunnel, it is still significantly less than the 10 Gbps, 100 Gbps, or higher speeds available with AWS Direct Connect.
  • Internet Dependency: Relies entirely on the reliability of your internet service provider and the public internet path to AWS.

Comparison with Alternatives

AWS Site-to-Site VPN vs. AWS Direct Connect

| Feature | AWS Site-to-Site VPN | AWS Direct Connect |
| :--- | :--- | :--- |
| Connection Path | Public Internet | Dedicated, private fiber-optic connection |
| Performance | Variable latency and throughput | Consistent, low-latency performance |
| Bandwidth | Up to 5 Gbps per tunnel; can be aggregated with ECMP | Dedicated ports from 1 Gbps to 100 Gbps |
| Security | Encrypted by default (IPsec) | Not encrypted by default; requires MACsec or a VPN overlay for encryption |
| Setup Time | Fast (minutes to hours) | Slow (weeks to months) |
| Cost | Lower initial cost; pay-per-hour for connection + data transfer out | Higher cost; includes port-hour fees, provider circuit costs, and reduced data transfer out rates |

When to Choose Which:

  • Choose Site-to-Site VPN for initial or non-critical hybrid connectivity, connecting smaller offices, workloads that are not latency-sensitive, and as a high-availability backup for a Direct Connect connection.
  • Choose Direct Connect for mission-critical workloads, applications requiring high throughput and consistent low latency, transferring large datasets, or when bypassing the public internet is a compliance requirement.

Exam Relevance

AWS Site-to-Site VPN is a fundamental networking topic and appears frequently on several AWS certification exams, including:

  • AWS Certified Solutions Architect – Associate (SAA-C03): Expect questions on the basic components (VGW, CGW), use cases for hybrid connectivity, and the difference between Site-to-Site VPN and Direct Connect.
  • AWS Certified Solutions Architect – Professional (SAP-C02): Questions will delve deeper into complex hybrid architectures, high-availability configurations (e.g., redundant CGWs), routing with BGP, and using VPN as a backup for Direct Connect.
  • AWS Certified Advanced Networking – Specialty (ANS-C01): This exam requires expert-level knowledge of VPN design, including troubleshooting IPsec tunnels, advanced BGP configurations, performance optimization with ECMP and Accelerated VPN, and integration with Transit Gateway.

Frequently Asked Questions

Q: What's the difference between a Virtual Private Gateway (VGW) and a Transit Gateway (TGW) for a VPN connection?

A: A Virtual Private Gateway (VGW) is an older construct that serves as the VPN endpoint for a single VPC. An AWS Transit Gateway (TGW) is a modern, highly scalable service that acts as a central cloud router or hub. You attach a VPN to a TGW to provide connectivity from your on-premises network to potentially hundreds or thousands of VPCs, simplifying network management and enabling transitive routing between all connected networks.

Q: Can I have a redundant or highly available Site-to-Site VPN connection?

A: Yes, high availability is built in and can be extended. By default, every Site-to-Site VPN connection has two redundant tunnels terminating in different AWS Availability Zones; configure both on your device, because AWS periodically takes one endpoint down for maintenance. To protect against failure of your on-premises router, set up a second Site-to-Site VPN connection using a second, redundant customer gateway device on your end, giving four tunnels in total. Using BGP for dynamic routing allows automatic failover between these redundant connections, and AS-path prepending or MED on the on-premises side lets you control which tunnel carries traffic while all are up.

Q: What is Accelerated Site-to-Site VPN and when should I use it?

A: Accelerated Site-to-Site VPN is a feature that improves VPN performance by routing traffic through the AWS Global Accelerator network instead of purely over the public internet. It directs your traffic to the nearest AWS edge location, which then carries it over the AWS global network to the destination AWS Region, so only the first hop from your site is on the open internet. You should use it when connecting geographically distant on-premises sites to AWS to reduce latency and improve connection stability. It requires a Transit Gateway as the target gateway and NAT traversal (NAT-T) enabled on your customer gateway device, and the tunnel endpoint IP addresses are Global Accelerator addresses rather than regional ones.


This article reflects AWS features and pricing as of 2026. AWS services evolve rapidly — always verify against the official AWS documentation before making production decisions.

Published: 5/10/2026 / Updated: 5/14/2026

