Networking & Content Delivery
Introducing AWS Site-to-Site VPN Concentrator for multi-site connectivity
This blog was co-authored by Mostafa Elkhouly, Sr Technical Account Manager and Prashanth Nalubandhu, WW Consulting Partners PSA.
AWS announced AWS Site-to-Site VPN Concentrator, a new feature that simplifies multi-site connectivity for distributed enterprises. If you’re managing distributed enterprises with numerous remote sites, such as retail stores, restaurant chains, hotels, or healthcare facilities, VPN Concentrator offers a streamlined approach to multi-site connectivity. In this post, we will walk through the key use cases for VPN Concentrator, demonstrate how to set up the feature using the AWS Management Console, and highlight important considerations for implementation.
Organizations use Site-to-Site VPN to extend their data centers into the cloud, enable hybrid cloud architectures, and provide secure connectivity for remote offices and branch locations. Each Site-to-Site VPN connection provides up to 1.25 or 5 Gbps of bandwidth and consists of two tunnels for high availability, allowing you to route traffic between your on-premises infrastructure and AWS resources. You can terminate these VPN connections on Transit Gateway to connect to multiple VPCs.
Introducing AWS Site-to-Site VPN Concentrator
AWS Site-to-Site VPN Concentrator is a new type of attachment to a Transit Gateway. Connecting multiple remote sites to AWS has traditionally required provisioning individual VPN connections with 1.25 Gbps bandwidth for each location, regardless of the bandwidth needed. This approach resulted in underutilized VPN connections and higher costs per site, especially for organizations with numerous low-bandwidth locations.
AWS Site-to-Site VPN Concentrator simplifies multi-site connectivity by allowing multiple remote sites to connect through a single VPN attachment to AWS Transit Gateway. You can terminate these VPN connections on Transit Gateway to connect to multiple VPCs. Individual VPN connections are still required from each site, but multiple locations can share one VPN attachment, reducing operational overhead and bandwidth costs.
Key Use Cases for VPN Concentrator
1. Cost-effective multi-site connectivity
VPN Concentrator is designed for organizations with 25 or more remote sites, with each site requiring 50-100 Mbps of bandwidth. This solution is particularly valuable for:
- Distributed retail enterprises with tens to thousands of store locations
- Restaurant chains requiring reliable connectivity across multiple franchises
- Hotel chains needing consistent network access across properties
- Multi-location healthcare providers connecting clinics, hospitals, and other facilities
- Branch office networks with low bandwidth requirements
2. Efficient bandwidth utilization
- Share aggregate bandwidth across multiple sites
- Reduce per-site VPN costs through consolidated connections
- Scale connectivity based on actual usage patterns
- Maintain high availability with endpoints in two availability zones
How Site-to-Site VPN Concentrator works
AWS Site-to-Site VPN Concentrator is a new type of attachment to a Transit Gateway. When you create a VPN Concentrator, it automatically provisions two concentrator endpoints, one in each Availability Zone, for high availability. Each concentrator supports 5 Gbps of aggregate bandwidth. You can then attach multiple remote sites to this concentrator and establish VPN connections by specifying the concentrator ID when you create the VPN connection for each site.
Figure 1: VPN Concentrator architecture connecting multiple remote sites to AWS Transit Gateway
Figure 1 shows how three remote sites connect through a single VPN Concentrator to AWS Transit Gateway, which then provides access to multiple VPCs. Each remote site has a VPN connection that has two tunnels for high availability like existing site-to-site VPN connections, while the concentrator manages the shared bandwidth allocation across all connected sites. For current limits and quotas, refer to the AWS Site-to-Site VPN quotas page.
Prerequisites
Before creating a Site-to-Site VPN Concentrator, you should have the following:
- An existing AWS Transit Gateway
- Customer Gateway configurations for each remote site. For guidance on creating customer gateways, see customer gateway documentation
- Unique IP address ranges for each remote site to prevent routing conflicts
- BGP routing protocol configured for VPN connections
Setting up your Site-to-Site VPN Concentrator
Step 1: Create a Site-to-Site VPN Concentrator
You can create a VPN Concentrator using the AWS Management Console, the AWS CLI, or the APIs. The following walkthrough uses the console.
To create a VPN Concentrator through the AWS Management Console:
- Navigate to the VPC console and select “Virtual private network (VPN)” from the left navigation panel
- Choose “Site-to-Site VPN Concentrators” and click “Create VPN Concentrator”
- Select your target Transit Gateway from the dropdown menu
- Review your configuration and click “Create VPN Concentrator”
In this step, you create a Site-to-Site VPN Concentrator using the AWS Management Console (see Figure 2).
Figure 2: VPN Concentrator creation walkthrough via the AWS console
Step 2: Create a Site-to-Site VPN Connection using Concentrator
- Select the concentrator that was created in Step 1
- From the concentrator window, click “Create VPN connection”
- Fill in the VPN connection name
- For target gateway type, select Site-to-Site VPN Concentrator, and select the concentrator that was created in Step 1
- Select an existing customer gateway or create a new one
- Routing is only supported via BGP
- Select standard pre-shared key storage, or use AWS Secrets Manager
- Select IPv4 or IPv6 for the tunnel inside IP version
- Optionally, enable VPN acceleration
- Select the outside IP address type
- Then click “Create VPN connection”
Figure 3 shows how to create a VPN connection and associate the connection to the concentrator.
Figure 3: Creating a VPN connection and associating the connection to the concentrator
Step 3: Configure routing
In this step, we configure routing between your remote sites and AWS resources through the Transit Gateway. We then run a ping test from X to Y to confirm connectivity. Figure 4 shows the Transit Gateway route table with the concentrator propagating IPv4 and IPv6 routes.
The architecture demonstrated in this blog illustrates routing from two sites connecting to the concentrator, which then routes traffic to a Transit Gateway with two attached VPCs. This configuration helps readers understand the feature’s functionality and operation. The example demonstrates both IPv4 and IPv6 connectivity for the same site using separate VPN connections for each protocol.
Figure 4: Transit Gateway route table configuration and results from ping test
Monitoring and maintenance
Monitor the combined bandwidth usage of all sites connected to a concentrator using CloudWatch metrics (TunnelDataIn, TunnelDataOut). If your aggregate traffic consistently approaches the concentrator’s capacity, consider distributing sites across multiple concentrators to maintain performance.
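The capacity check described above, as an added example that is not part of the original post: it converts AWS/VPN TunnelDataIn and TunnelDataOut datapoints (Sum statistic, bytes per period) into bits per second, sums them per concentrator, and flags a concentrator whose busier direction approaches the 5 Gbps aggregate. The sample datapoints, the VPN-to-concentrator mapping, the 80% warning threshold, and the choice of comparing the busier direction against the aggregate are all assumptions made for the example.

```python
"""Added example (not from the AWS post): aggregate AWS/VPN TunnelDataIn and
TunnelDataOut datapoints per VPN Concentrator and flag concentrators whose
traffic approaches the 5 Gbps aggregate capacity described in the post."""
from collections import defaultdict
from typing import List, Tuple

CONCENTRATOR_CAPACITY_BPS = 5_000_000_000   # 5 Gbps aggregate, from the post
WARN_RATIO = 0.8                            # assumed planning threshold, not an AWS value

# One CloudWatch datapoint (AWS/VPN namespace, Sum statistic, unit Bytes):
# (vpn_id, tunnel_outside_ip, metric_name, bytes, period_seconds)
Sample = Tuple[str, str, str, int, int]

# Constructed sample data: two tunnels for one site, one of them idle (standby).
SAMPLES: List[Sample] = [
    ("vpn-0a", "203.0.113.10", "TunnelDataIn",   60_000_000_000, 300),
    ("vpn-0a", "203.0.113.10", "TunnelDataOut",  30_000_000_000, 300),
    ("vpn-0a", "203.0.113.11", "TunnelDataIn",                0, 300),
    ("vpn-0b", "203.0.113.12", "TunnelDataIn",  105_000_000_000, 300),
    ("vpn-0b", "203.0.113.12", "TunnelDataOut",  15_000_000_000, 300),
    ("vpn-0c", "198.51.100.5", "TunnelDataIn",    3_750_000_000, 300),
    ("vpn-0c", "198.51.100.5", "TunnelDataOut",   1_875_000_000, 300),
]
# Constructed mapping: VPN connection -> concentrator it was created against.
VPN_TO_CONCENTRATOR = {"vpn-0a": "vpnc-1", "vpn-0b": "vpnc-1", "vpn-0c": "vpnc-2"}

def per_vpn_bps(samples):
    """Bytes per period -> bits/s, summed over a VPN's tunnels, keyed (vpn_id, 'in'|'out')."""
    rates = defaultdict(float)
    for vpn_id, _tunnel_ip, metric, nbytes, period in samples:
        direction = "in" if metric == "TunnelDataIn" else "out"
        rates[(vpn_id, direction)] += nbytes * 8 / period
    return rates

def concentrator_utilization(samples, vpn_to_conc, capacity=CONCENTRATOR_CAPACITY_BPS):
    """Return {concentrator: {in_bps, out_bps, utilization, status, sites}}.
    Utilization compares the busier direction with the aggregate capacity
    (an assumption about how the 5 Gbps figure applies)."""
    report = defaultdict(lambda: {"in_bps": 0.0, "out_bps": 0.0, "sites": {}})
    for (vpn_id, direction), bps in per_vpn_bps(samples).items():
        r = report[vpn_to_conc[vpn_id]]
        r[f"{direction}_bps"] += bps
        r["sites"][vpn_id] = r["sites"].get(vpn_id, 0.0) + bps
    for r in report.values():
        r["utilization"] = max(r["in_bps"], r["out_bps"]) / capacity
        r["status"] = "WARN" if r["utilization"] >= WARN_RATIO else "OK"
        # Heaviest sites first: candidates to move to another concentrator.
        r["sites"] = sorted(r["sites"].items(), key=lambda kv: -kv[1])
    return dict(report)

if __name__ == "__main__":
    for conc, r in concentrator_utilization(SAMPLES, VPN_TO_CONCENTRATOR).items():
        print(conc, r["status"], f"{r['utilization']:.0%}", r["sites"][:2])
```

In practice the datapoints come from CloudWatch GetMetricData on the AWS/VPN namespace with the VpnId dimension; only the aggregation logic is shown here so the block runs offline.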
VPN Concentrator integrates with existing AWS monitoring and management tools:
- VPN logs: Generate logs for all connected sites or individual sites as needed
- VPC flow logs: Transit Gateway flow logs work unchanged with concentrator-based attachments
- Tunnel maintenance: Follows the same maintenance schedule as standard VPN tunnels
Considerations
- IPv6 and IPv4 connectivity are supported.
- VPN concentrator supports standard VPN logging and monitoring capabilities.
- You can use multiple customer gateway devices per site, each with a unique internet-routable IP address.
- Accelerated VPN connections are supported.
- Static routing is not supported.
- VPN termination on Virtual Private Gateway and AWS Cloud WAN is not supported.
- VPN concentrator does not support Equal-Cost Multi-Path (ECMP).
- VPN concentrator does not support Private IP VPN connections.
- You can use VPN concentrator with new Site-to-Site VPN connections only.
- You cannot use dual stack Site-to-Site VPN connections with VPN concentrator.
- For current limits on routes, sites per concentrator, and Transit Gateway attachments, refer to the AWS Site-to-Site VPN service quotas page.
Conclusion
AWS Site-to-Site VPN Concentrator simplifies multi-site connectivity for organizations with distributed networks. By consolidating multiple remote sites through a single Transit Gateway attachment, you can reduce operational complexity and optimize connectivity costs while maintaining the security and reliability of AWS Site-to-Site VPN. As you evaluate VPN Concentrator for your organization, consider your current multi-site architecture, bandwidth requirements, and routing needs. This feature is particularly valuable for enterprises managing numerous remote locations that can benefit from shared bandwidth and centralized connectivity management. For more information about AWS Site-to-Site VPN, visit the AWS Site-to-Site VPN documentation. To learn more about AWS Transit Gateway, see the AWS Transit Gateway User Guide. For more information about AWS Site-to-Site VPN Concentrator, visit the AWS Site-to-Site VPN Concentrator documentation.