Networking & Content Delivery

Introducing AWS Site-to-Site VPN 5 Gbps Tunnels to support high throughput workloads

AWS Site-to-Site VPN now supports VPN connections with up to 5 Gbps bandwidth per tunnel, a 4x improvement over the existing limit of 1.25 Gbps. This increased bandwidth benefits customers who require high-capacity connections for bandwidth-intensive hybrid applications, big data migrations, and disaster recovery architectures.

AWS Site-to-Site VPN is a fully managed service that allows you to create a secure connection between your data center or branch office and your AWS resources using IP Security (IPsec) tunnels. It provides critical connectivity for a variety of workloads – connecting on-premises workloads to the cloud, connecting devices to the cloud, and providing encrypted communication. Until now, Site-to-Site VPN supported a maximum of 1.25 Gbps bandwidth per tunnel and customers had to rely on Equal-cost multi-path routing (ECMP) to logically bond multiple tunnels to achieve higher bandwidth. Now, customers can configure their tunnel bandwidth to 5 Gbps, reducing the need to deploy complex protocols such as ECMP while ensuring consistent bandwidth performance for all traffic profiles.

In this post, we dive into the 5 Gbps Tunnel use cases, getting started, and how you can migrate from an existing VPN connection to a higher-bandwidth tunnel VPN connection.

The primary use cases for 5 Gbps tunnels are as follows:

  • Data Center Connectivity: Customers who need higher capacity for bandwidth-intensive hybrid applications, big data migrations, and disaster recovery architectures while maintaining traffic encryption between AWS and on-premises data centers.
  • AWS Direct Connect Overlay or Backup: Customers who deploy Site-to-Site VPN connections either as a backup or an overlay on top of high capacity Direct Connect circuits (e.g. 10 Gbps) to on-premises data centers or colocation facilities.

The diagram below shows the VPN connectivity with AWS Transit Gateway utilizing 5 Gbps VPN tunnels. This feature is supported for both Transit Gateway VPN (including private IP VPN) and AWS Cloud WAN VPN. It is not supported on Virtual Gateway (VGW) based VPN.

Figure 1: Transit gateway with multiple VPC attachments and a VPN connection

The VPN configuration now has the option to select Tunnel Bandwidth as Standard or Large. The default configuration is Standard, which is the same as the existing mode and provides maximum 1.25 Gbps per tunnel capacity. You can choose the Large configuration to use higher per tunnel bandwidth of 5 Gbps. Ensure your Customer Gateway (Firewall/VPN appliance) and Internet connection support higher throughput.

A single AWS VPN connection provides two tunnels for high availability and redundancy. The Standard or Large bandwidth tunnel option applies at the VPN Connection level and therefore applies to both tunnels. Standard and Large bandwidth tunnels cannot coexist in the same VPN Connection.

Next, we will cover following sections:

  1. New AWS VPN 5 Gbps Tunnel setup with AWS Transit Gateway
  2. Switching between Standard and Large AWS VPN
  3. Using ECMP with Large Bandwidth Tunnel for higher throughput

New AWS Site-to-Site VPN 5 Gbps Tunnel setup with AWS Transit Gateway

The following figure highlights the additional option on the Create VPN connection page in the AWS Management Console. You can select Tunnel Bandwidth as Standard (1.25 Gbps) or Large (5 Gbps).

Figure 2: Create VPN Connection page highlighting the Tunnel bandwidth option

You can also use the AWS CLI with the additional option TunnelBandwidth=Large to create a Large Bandwidth Tunnel connection:

aws ec2 create-vpn-connection --type ipsec.1 --transit-gateway-id tgw-123456789 --customer-gateway-id cgw-123456789 --options "TunnelBandwidth=Large,TunnelOptions=[{StartupAction=start},{StartupAction=start}]"

Note: If you do not provide the TunnelBandwidth option in the CLI, it defaults to the Standard Tunnel bandwidth (1.25 Gbps).

Once the VPN Connection step is complete, you can view the Tunnel Bandwidth status on the details page, as shown below:

Figure 3: VPN Connection details page highlighting the Tunnel Bandwidth configuration

Traffic test with a single Large AWS Site-to-Site VPN connection 

The AWS Transit Gateway route table will show the attachments for the same destinations. This configuration is similar to a Standard VPN.

Figure 4: Transit Gateway route table with VPN attachments

The following traffic tests show the throughput observed with one tunnel. While the sustained maximum throughput is 5 Gbps, you may notice some bursts higher than 5 Gbps, as seen in the test results.

Figure 5: Traffic tests output with single large bandwidth tunnel active

Switching between Standard and Large AWS Site-to-Site VPN

Upgrading from an existing Standard AWS Site-to-Site VPN to Large AWS Site-to-Site VPN

You can upgrade from an existing Standard VPN to a Large VPN by following the steps below:

  1. Create a new Large VPN Connection (VPN attachment) with the transit gateway
  2. Associate the new VPN attachment to the appropriate transit gateway route table
  3. Propagate the new VPN attachment to the appropriate transit gateway route table (this may or may not be the same route table as in step 2)
  4. Verify that end to end routing works through the Large VPN connection
  5. Delete the existing Standard VPN connection

Downgrading from Large AWS VPN to default Standard VPN 

If you no longer require high throughput, you can downgrade from Large VPN to Standard VPN to reduce costs. Follow these steps to downgrade from an existing Large VPN to Standard VPN:

  1. Create a new Standard VPN Connection (VPN attachment) with the transit gateway
  2. Associate the new VPN attachment to the appropriate transit gateway route table
  3. Propagate the new VPN attachment to the appropriate transit gateway route table (this may or may not be the same route table as in step 2)
  4. Verify that end to end routing works through the Standard VPN connection
  5. Delete the existing Large VPN Connection

The scenarios above explain the configuration with AWS Transit Gateway. While this blog post does not cover AWS Cloud WAN VPN scenarios, this functionality applies to AWS Cloud WAN as well.

Using ECMP with 5 Gbps Tunnel for even higher throughput

Using equal-cost multi-path (ECMP) with AWS Transit Gateway or Cloud WAN allows you to aggregate VPN tunnels and attain higher throughput. You must enable the dynamic routing option on your AWS Transit Gateway to take advantage of ECMP for scalability (this is the default in Cloud WAN). You can combine the two 5 Gbps Tunnels in a single VPN Connection to attain 10 Gbps throughput. You can also combine tunnels from multiple VPN connections to attain even higher throughput. For example, two VPN connections provide a total of four tunnels, enabling you to attain 20 Gbps throughput. Note that a single Large VPN tunnel still has a maximum throughput of 5 Gbps.

ECMP in Transit Gateway uses a 5-tuple hash (protocol number, source IP address, destination IP address, source port number, destination port number) to route packets through one of the paths or VPN tunnels. Customers must configure the customer gateway (CGW) to use ECMP by hashing flows so that packets are forwarded evenly over multiple paths. A single TCP or UDP flow is mapped to a single tunnel, so it cannot achieve more than 5 Gbps throughput.

You can also perform ECMP between Large and Standard VPN Connections. For example, by using 10 Gbps from a Large VPN connection and 2.5 Gbps from a Standard VPN connection, you can attain an aggregated 12.5 Gbps throughput using ECMP.

Note: The increase in the throughput depends on the customer gateway’s VPN throughput capacity and support for dynamic routing with the equal-cost multi-path feature.
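The following Python script is an added illustration, not code from this post or from AWS: it models the ECMP behaviour described above. It assumes two tunnels per connection and the per-tunnel ceilings stated in the post, and uses SHA-256 over the 5-tuple as a stand-in for the hash Transit Gateway actually uses, so it shows why many flows spread across tunnels while one flow stays pinned to a single tunnel.

```python
import hashlib
from collections import Counter

# Per-tunnel ceiling for each Tunnel Bandwidth setting, in Gbps (values from the post).
TUNNEL_GBPS = {"Standard": 1.25, "Large": 5.0}
TUNNELS_PER_CONNECTION = 2  # every Site-to-Site VPN connection provides two tunnels


def ecmp_capacity_gbps(connections):
    """Aggregate throughput ECMP can reach across VPN connections.

    `connections` lists the Tunnel Bandwidth setting of each connection,
    e.g. ["Large", "Standard"]; every connection contributes both tunnels.
    """
    return sum(TUNNEL_GBPS[setting] * TUNNELS_PER_CONNECTION for setting in connections)


def max_flow_gbps(setting):
    """A single TCP/UDP flow is pinned to one tunnel, so its ceiling is that tunnel's."""
    return TUNNEL_GBPS[setting]


def tunnel_for_flow(flow, n_tunnels):
    """Pick a tunnel index from the 5-tuple (protocol, src IP, dst IP, src port, dst port).

    Illustrative hash only (SHA-256 of the tuple); Transit Gateway's real hash
    function is not published here, but the property that matters is the same:
    the same 5-tuple always lands on the same tunnel.
    """
    proto, src, dst, sport, dport = flow
    key = f"{proto}|{src}|{dst}|{sport}|{dport}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % n_tunnels


def distribute(flows, n_tunnels):
    """Count how many flows ECMP places on each tunnel index."""
    return Counter(tunnel_for_flow(flow, n_tunnels) for flow in flows)


if __name__ == "__main__":
    # Constructed sample: 10,000 TCP flows from one client to one server on port 443.
    flows = [(6, "10.0.1.10", "172.16.5.20", port, 443) for port in range(20000, 30000)]
    print("flows per tunnel:", dict(distribute(flows, n_tunnels=2)))
    print("single flow ceiling (Large):", max_flow_gbps("Large"), "Gbps")
    print("one Large connection:", ecmp_capacity_gbps(["Large"]), "Gbps")
    print("Large + Standard:", ecmp_capacity_gbps(["Large", "Standard"]), "Gbps")
```

Running it shows the many-flow case using both tunnels while a single flow, however large, never exceeds one tunnel's 5 Gbps ceiling.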

Conclusion

The AWS Site-to-Site VPN service now offers 5 Gbps Tunnel support, a fourfold improvement over the existing limit of 1.25 Gbps. This enhancement eliminates or reduces the need for ECMP to combine multiple tunnels, simplifying operations and providing more consistent bandwidth performance. The increased bandwidth benefits customers requiring high-capacity connections for data center connectivity, hybrid applications, disaster recovery, and as a backup or overlay for AWS Direct Connect circuits. Upgrade your VPN connections now to simplify your network operations while achieving up to 5 Gbps throughput per tunnel.

About the authors

Vinod Kataria

Vinod Kataria is a Principal Solution Architect at Amazon Web Services. He drives solutions to customers and specializes in AWS networking. He enjoys playing, watching soccer, hiking and any other outdoor activities.

Nishant Kumar

Nishant Kumar is a Senior Product Manager in the AWS Networking team. Outside of Networking, Nishant loves Formula 1 racing, cooking, and exploring wildlife.