Networking & Content Delivery
Selecting the Right AWS VPN Solution: A Decision Framework
Introduction
This post is intended for networking engineers and architects evaluating AWS VPN options (200-level content). It assumes familiarity with basic AWS networking concepts such as virtual private clouds (VPCs), virtual private gateways (VGWs), and transit gateways (TGWs). If you are new to AWS VPN, the AWS VPN User Guide provides foundational context.
Organizations implementing hybrid connectivity face a growing challenge: selecting the right AWS VPN solution from an expanding portfolio. With the November 2025 launches of Large Bandwidth Tunnels (up to 5 Gbps per tunnel) and VPN Concentrator (shared bandwidth for many sites), the portfolio now includes five distinct options, and choosing incorrectly leads to over-provisioning or performance bottlenecks.
This post provides a structured decision framework based on four factors—site count, bandwidth, architecture complexity, and cost—to help you select the optimal VPN solution.
We discuss the following VPN connection types:
- Standard AWS Site-to-Site VPN with VGW – Up to 1.25 Gbps per tunnel; terminates on a VGW
- Standard AWS Site-to-Site VPN with TGW or AWS Cloud WAN – Up to 1.25 Gbps per tunnel; terminates on a TGW or AWS Cloud WAN
- Large bandwidth tunnel with TGW – Up to 5 Gbps per tunnel; requires a TGW or AWS Cloud WAN
- VPN Concentrator – Shared bandwidth of up to 5 Gbps aggregate for many sites; supported on a TGW only
- AWS Client VPN – Managed OpenVPN-based remote access for individual users
We discuss the following architecture patterns (which affect routing and management after the VPN connection is established):
- VPN CloudHub – Hub-and-spoke inter-site connectivity through a VGW using Border Gateway Protocol (BGP) with unique Autonomous System Numbers (ASNs) per site
- Transit Gateway + VPN – Centralized multi-VPC routing with VPN attachments and route table segmentation
- Cloud WAN + VPN – Global policy-based network management with VPN connectivity across AWS Regions and accounts
- Private IP VPN – AWS Site-to-Site VPN over AWS Direct Connect using private IP addresses; requires a TGW
Decision framework
You can use the decision framework in this post to narrow your options, then validate against the cost comparison tables. The real-world scenarios demonstrate how the framework applies to common architectures. The following figure illustrates the decision path: evaluate site count, then per-site bandwidth, then VPC/account architecture, and finally global performance requirements.
Figure 1. The decision path: evaluate site count, then per-site bandwidth, then VPC/account architecture, and finally global performance requirements.
Bandwidth and availability
The following table summarizes the bandwidth and availability for different criteria.
| Criteria | VGW VPN | TGW/Cloud WAN | Large VPN | Concentrator | Client VPN |
|---|---|---|---|---|---|
| Per-tunnel BW | Up to 1.25 Gbps | Up to 1.25 Gbps | Up to 5 Gbps | Up to 100 Mbps/site | Up to 50 Mbps/user |
| Max aggregate | Scales with multiple VPNs (no ECMP) | Scales with ECMP – multiple tunnels | Scales with ECMP – multiple tunnels | Up to 5 Gbps shared; scales with multiple concentrators | Scales with subnets |
| PPS/tunnel | Up to 140,000 | Up to 140,000 | Up to 400,000 | Up to 10,000 | — |
| ECMP | No | Yes | Yes | No | — |
| Routing | BGP, Static | BGP, Static | BGP, Static | BGP only | — |
| IPv6 outer tunnel | No | Yes | Yes | Yes | Yes |
| Accelerated VPN | No | Yes | No | Yes | — |
| Private IP VPN | No | Yes | Yes | No | — |
| Cloud WAN support | No | Yes | Yes | No | — |
| Certificate-based authentication | Yes | Yes | Yes | Yes | Yes (AD/SAML) |
| CGW with Dynamic IPs | Yes | Yes | No | Yes | — |
| Max sites/connections | 10/VGW | 50/Region | 50/Region | 100 sites/concentrator; 5 concentrators/Region | 7K–126K/endpoint |
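To make the decision path concrete, here is an added example (not code from this post or from AWS) that encodes the per-tunnel limits, quotas and feature-support cells of the table above as rules and walks them in the order of Figure 1: site count, per-site bandwidth, VPC/account layout, then global performance. The limits are taken from the table; the `Requirements` fields, the `Recommendation` structure and the function name are this example's own.

```python
"""Decision-path selector for the AWS VPN options compared in this post.
Added illustration, not AWS code. Thresholds come from the comparison
table; the data structures below are this example's own."""
from dataclasses import dataclass, field
from typing import List

# Limits taken from the comparison table (Mbps and counts).
STANDARD_TUNNEL_MBPS = 1250       # Standard VPN on a VGW or TGW/Cloud WAN
LARGE_TUNNEL_MBPS = 5000          # Large Bandwidth Tunnel (TGW/Cloud WAN only)
CONCENTRATOR_SITE_MBPS = 100      # per site behind a VPN Concentrator
CONCENTRATOR_SHARED_MBPS = 5000   # shared by all sites on one concentrator
CONCENTRATOR_MAX_SITES = 100      # default sites per concentrator
VGW_MAX_CONNECTIONS = 10          # VPN connections per VGW
DX_THRESHOLD_MBPS = 10000         # above this the post points to Direct Connect


@dataclass
class Requirements:
    """Inputs to the decision path. Field names are this example's own."""
    sites: int                          # on-premises sites (0 = remote users only)
    peak_mbps_per_site: float = 0.0     # highest throughput one site must sustain
    vpcs: int = 1
    accounts: int = 1
    latency_sensitive: bool = False     # cross-continent real-time traffic
    inter_site_via_aws: bool = False    # sites must reach each other through AWS
    remote_users: int = 0
    static_routing_only: bool = False   # customer gateway cannot run BGP
    cgw_dynamic_ip: bool = False        # customer gateway has no fixed public IP
    over_direct_connect: bool = False   # encrypt over Direct Connect (Private IP VPN)


@dataclass
class Recommendation:
    solution: str
    termination: str
    notes: List[str] = field(default_factory=list)


def recommend(r: Requirements) -> List[Recommendation]:
    """Walk the decision path: site count, then per-site bandwidth, then
    VPC/account layout, then global performance. One entry per VPN type needed."""
    recs: List[Recommendation] = []
    if r.remote_users > 0:
        recs.append(Recommendation("AWS Client VPN", "Client VPN endpoint",
                                   ["SAML/AD or certificate auth; 7K connections per associated subnet"]))
    if r.sites == 0:
        return recs

    peak = r.peak_mbps_per_site
    # Anything a VGW cannot do forces a TGW or Cloud WAN: more than one VPC or
    # account, more than 10 connections, Accelerated VPN, or Private IP VPN.
    needs_tgw = (r.vpcs > 1 or r.accounts > 1 or r.sites > VGW_MAX_CONNECTIONS
                 or r.latency_sensitive or r.over_direct_connect)

    if peak > DX_THRESHOLD_MBPS:
        recs.append(Recommendation("AWS Direct Connect", "Direct Connect + TGW",
                                   ["Dedicated bandwidth beyond 10 Gbps; Private IP VPN adds encryption"]))
        return recs

    # Per-site bandwidth above one Standard tunnel: Large tunnels, unless the CGW
    # has a dynamic IP, which Large tunnels do not support.
    if peak > STANDARD_TUNNEL_MBPS and not r.cgw_dynamic_ip:
        notes = ["TGW or Cloud WAN only; fixed public IP on the CGW required"]
        if peak > LARGE_TUNNEL_MBPS:
            notes.append("ECMP across both tunnels needed (up to 10 Gbps per connection)")
        if r.latency_sensitive:
            notes.append("No Accelerated VPN on Large tunnels; add a separate Standard TGW VPN with Global Accelerator")
        recs.append(Recommendation("Large Bandwidth Tunnel VPN", "TGW / Cloud WAN", notes))
        return recs

    # Many low-bandwidth sites: the concentrator, if its restrictions are acceptable.
    if (r.sites > VGW_MAX_CONNECTIONS and peak <= CONCENTRATOR_SITE_MBPS
            and not r.static_routing_only and not r.over_direct_connect):
        notes = ["BGP only; public-IP CGWs only; TGW only (no Cloud WAN or VGW)"]
        if r.sites > CONCENTRATOR_MAX_SITES or r.sites * peak > CONCENTRATOR_SHARED_MBPS:
            notes.append("Beyond 100 sites or 5 Gbps shared at peak: deploy multiple concentrators")
        recs.append(Recommendation("VPN Concentrator", "TGW", notes))
        return recs

    # Otherwise Standard Site-to-Site VPN, with ECMP on a TGW when one tunnel is not enough.
    notes = []
    if peak > STANDARD_TUNNEL_MBPS:
        needs_tgw = True
        notes.append("Dynamic-IP CGW cannot use Large tunnels; scale with ECMP across Standard tunnels")
    if needs_tgw:
        if r.latency_sensitive:
            notes.append("Enable Accelerated VPN (Global Accelerator, NAT-T); not available on a VGW")
        if r.over_direct_connect:
            notes.append("Private IP VPN over a Direct Connect transit VIF")
        recs.append(Recommendation("Standard Site-to-Site VPN", "TGW / Cloud WAN", notes))
    else:
        if r.inter_site_via_aws:
            notes.append("VPN CloudHub: BGP with a unique ASN per site")
        notes.append("Plan a TGW migration when adding VPCs or exceeding 10 connections")
        recs.append(Recommendation("Standard Site-to-Site VPN", "VGW", notes))
    return recs
```

Feeding the five scenarios from this post into `recommend` reproduces their choices (VGW + CloudHub, Accelerated Standard VPN on a TGW, Large tunnels, a concentrator, and Client VPN plus Site-to-Site VPN). The order of the checks matters: bandwidth is tested before the concentrator so a high-throughput site is never pushed onto a 100 Mbps-per-site service, and the dynamic-IP exclusion is applied before Large tunnels are chosen.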
Scenario 1: Standard VPN with VGW for startups and SMBs
In this real-world scenario, a startup operates a single VPC with two small offices in different locations. Each office generates 200–400 Mbps of sustained traffic for application development and database access, with spikes to 800 Mbps during deployments. The offices also need to communicate with each other.
This fits within the 1.25 Gbps per tunnel capacity of Standard VPN. With only one VPC and two offices, a VGW is the simplest entry point—no TGW needed. VPN CloudHub provides inter-office connectivity through the same VGW using BGP with unique ASNs per site. The following diagram illustrates this architecture.
Figure 2. VPN CloudHub inter-site connectivity through a VGW. The VGW is attached to the VPC for communication with workloads inside the VPC.
Note the following key considerations:
- VGW limits – Up to 10 connections and 100 dynamic routes
- No advanced features – No IPv6 outer tunnels, ECMP, Large Bandwidth Tunnels, or Accelerated VPN
- CloudHub requires VGW – Plan a migration to TGW when expanding to multiple VPCs
Scenario 2: Global enterprise across two continents
A financial services firm with offices across North America and Asia Pacific runs latency-sensitive trading and collaboration applications. Communication between offices and workloads across Regions can experience up to 200-millisecond round-trip latency over standard internet paths, with jitter that disrupts real-time order execution.
Accelerated VPN routes traffic over the AWS global network using AWS Global Accelerator: traffic enters at the edge location nearest the customer gateway instead of traversing the public internet end to end, reducing round-trip latency to approximately 100 milliseconds depending on the locations involved. You can measure the improvement with the Global Accelerator Speed Comparison Tool. Each office sustains 500 Mbps–1 Gbps, which fits within the 1.25 Gbps per-tunnel capacity of Standard VPN with acceleration enabled; ECMP across tunnels scales throughput further if needed. The following diagram illustrates this architecture.
Figure 3. Accelerated VPN connections, one in Asia Pacific (Mumbai) and one in US East (Ohio), terminating on a TGW or Cloud WAN that connects to the VPC attachments.
Note the following key considerations:
- TGW or Cloud WAN only – Not supported on VGW.
- No in-place upgrade – Must delete and recreate existing connections.
- Additional GA charges – See AWS VPN pricing and Global Accelerator pricing.
- NAT-T required – Enabled by default on Accelerated VPN connections. With certificate-based authentication, the larger IKE payloads may require IKE fragmentation support on the CGW.
Scenario 3: Manufacturing with three factories
Three factories running MES and SCADA systems generate sustained throughput of approximately 3 Gbps per site for production telemetry and database replication, with spikes of up to 5 Gbps during shift changes and batch uploads. Reaching the 5 Gbps peak with Standard VPN (up to 1.25 Gbps per tunnel) needs four ECMP tunnels per factory; with one active tunnel per connection that is four connections per factory, 12 in total, which adds operational complexity.
Large Bandwidth Tunnel VPN handles both the 3 Gbps baseline and the 5 Gbps peak on a single tunnel, so one connection per factory suffices. Each connection still has two tunnels for redundancy, and running ECMP across both raises the ceiling to 10 Gbps per Large VPN connection. The following figure illustrates this architecture.
Figure 4. Three factory sites, each with a customer gateway device establishing a Large Bandwidth Tunnel VPN connection (up to 5 Gbps per tunnel, up to 10 Gbps with ECMP) terminating at a transit gateway. Each connection uses two tunnels for redundancy. TGW routes traffic to production VPCs hosting MES and SCADA workloads.
Note the following key considerations:
- TGW or Cloud WAN required – Cannot terminate on a VGW
- No in-place upgrade – Must delete and recreate existing connections
- Fixed-IP CGW required – CGWs without a public IP are not supported
- No Accelerated VPN – Use a separate Standard TGW VPN with Global Accelerator if reduced latency is also needed
Scenario 4: Retail chain with 100 stores
A retail organization with 100 stores needs connectivity for POS transactions and inventory management. Each store generates 20–50 Mbps sustained across multiple VPCs in different accounts and Regions, with spikes to 80 Mbps during nightly inventory syncs.
At 100 stores, aggregate sustained demand of approximately 3 Gbps fits within the concentrator's shared capacity of up to 5 Gbps. Check the peak case as well: if all 100 stores ran their 80 Mbps nightly sync at the same moment, aggregate demand would reach 8 Gbps, so either stagger the sync windows or plan for a second concentrator. VPN Concentrator connects the stores through a single TGW attachment, delivering up to 60% cost reduction compared to 100 individual Standard VPN connections and attachments. The following figure illustrates this architecture.
Figure 5. 100 retail store customer gateway devices connecting through VPN Concentrator to a single TGW attachment. The TGW routes traffic to multiple VPC attachments in different accounts and Regions through TGW peering.
Note the following key considerations:
- BGP only – Static routing is not supported
- 100 sites default – Deploy multiple concentrators or request a quota increase
- TGW only – Not supported with Cloud WAN or VGW at this time
- No Private IP VPN – Public IP connections only
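The sizing arithmetic behind Scenarios 3 and 4, as an added example (not code from this post or from AWS): how many tunnels and connections one site needs at a given peak, with and without ECMP; how many concentrators a fleet needs under both the 100-site quota and the 5 Gbps shared limit, sized on the simultaneous peak rather than the sustained average; and which per-hour billable units from the pricing table each option accrues. The limits and quotas are the ones stated in this post; the function names and dictionary keys are this example's own.

```python
"""Capacity and billing-unit arithmetic for the Large VPN and VPN Concentrator
scenarios. Added example, not AWS code; limits are from this post's tables."""
import math
from typing import Dict, Tuple

STANDARD_TUNNEL_MBPS = 1250
LARGE_TUNNEL_MBPS = 5000
TUNNELS_PER_CONNECTION = 2       # every Site-to-Site VPN connection has two tunnels
CONCENTRATOR_SITE_MBPS = 100
CONCENTRATOR_SHARED_MBPS = 5000
CONCENTRATOR_MAX_SITES = 100     # default quota per concentrator
CONCENTRATORS_PER_REGION = 5     # default quota per Region


def tunnels_needed(peak_mbps: float, per_tunnel_mbps: float, ecmp: bool) -> Tuple[int, int]:
    """Return (tunnels, connections) one site needs to carry peak_mbps.
    With ECMP (TGW/Cloud WAN) both tunnels of a connection carry traffic;
    on a VGW, or with a CGW that will not load-balance, only one tunnel is
    active, so every extra tunnel's worth of bandwidth costs a whole connection."""
    tunnels = max(1, math.ceil(peak_mbps / per_tunnel_mbps))
    active_per_connection = TUNNELS_PER_CONNECTION if ecmp else 1
    return tunnels, math.ceil(tunnels / active_per_connection)


def concentrators_needed(sites: int, peak_mbps_per_site: float) -> int:
    """Concentrators required by the site quota and by the 5 Gbps shared limit.
    Sizing on the per-site peak assumes every site can hit it at the same
    moment (a nightly sync on a common schedule, say); size on the sustained
    rate only if peaks are known to be staggered."""
    if peak_mbps_per_site > CONCENTRATOR_SITE_MBPS:
        raise ValueError("per-site rate exceeds the 100 Mbps concentrator limit")
    by_sites = math.ceil(sites / CONCENTRATOR_MAX_SITES)
    by_bandwidth = math.ceil(sites * peak_mbps_per_site / CONCENTRATOR_SHARED_MBPS)
    needed = max(by_sites, by_bandwidth)
    if needed > CONCENTRATORS_PER_REGION:
        raise ValueError("exceeds 5 concentrators per Region; request a quota increase")
    return needed


def hourly_billing_units(solution: str, connections: int, concentrators: int = 1) -> Dict[str, int]:
    """Per-hour billable units from the pricing table, leaving out data transfer
    out and public IPv4 addresses, which every option pays alike. This is the
    source of the concentrator's saving for many sites: 100 stores pay one
    TGW attachment-hour instead of 100."""
    if solution == "vgw":
        return {"vpn_connection_hours": connections}
    if solution in ("tgw", "large"):
        return {"vpn_connection_hours": connections, "tgw_attachment_hours": connections}
    if solution == "concentrator":
        return {"vpn_connection_hours": connections,
                "tgw_attachment_hours": concentrators,
                "concentrator_hours": concentrators}
    raise ValueError(f"unknown solution {solution!r}")


if __name__ == "__main__":
    # Scenario 3: 5 Gbps peak per factory.
    print("Standard, ECMP on TGW:", tunnels_needed(5000, STANDARD_TUNNEL_MBPS, ecmp=True))
    print("Standard, no ECMP:    ", tunnels_needed(5000, STANDARD_TUNNEL_MBPS, ecmp=False))
    print("Large tunnel:         ", tunnels_needed(5000, LARGE_TUNNEL_MBPS, ecmp=True))
    # Scenario 4: 100 stores, 30 Mbps sustained vs an 80 Mbps simultaneous nightly peak.
    print("Concentrators (sustained):", concentrators_needed(100, 30))
    print("Concentrators (peak):     ", concentrators_needed(100, 80))
    print(hourly_billing_units("tgw", 100), hourly_billing_units("concentrator", 100))
```

`concentrators_needed` deliberately multiplies the per-site figure by the full site count: the sustained 3 Gbps in Scenario 4 fits one concentrator, but the same fleet at its 80 Mbps nightly peak needs two, which is the check to run before committing to a single concentrator.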
Scenario 5: Hybrid workforce with remote users and office
A company with 500 remote employees and a single headquarters office needs unified access to application VPCs. Remote users generate up to 50 Mbps each for video conferencing and software as a service (SaaS) access; the headquarters sustains approximately 800 Mbps.
Client VPN with SAML authentication supports up to 7,000 concurrent connections per associated subnet (more as further subnets are associated). The VPC hosting the Client VPN endpoint attaches to a TGW (or uses VPC peering) to reach the application VPCs, and the same TGW terminates the Site-to-Site VPN from the headquarters office, so remote and on-premises users share one path to AWS resources. The following figure illustrates this architecture.
Figure 6. Remote users connect through Client VPN to AWS resources and to the on-premises network over the Site-to-Site VPN (or Direct Connect, if set up) attached to the TGW or Cloud WAN.
Scenario summary
The following table summarizes the capabilities of the real-world scenarios discussed.
| Scenario | Sites | BW/site | Solution | Key benefit |
|---|---|---|---|---|
| Startup/SMB (single VPC) | 1–2 | Up to 1.25 Gbps | VGW + CloudHub | Simplest entry point |
| Global (2 continents) | 10 | Up to 1.25 Gbps (ECMP) | Accelerated VPN | Reduced latency |
| Manufacturing (3 factories) | 3 | Up to 5 Gbps per tunnel | Large VPN + TGW | One connection per site; no ECMP needed for 5 Gbps |
| Retail (100 stores) | 100 | <100 Mbps | VPN Concentrator | Up to 60% cost reduction |
| Hybrid workforce | Remote users + office | Varies | Client + S2S VPN | Unified access |
Pricing parameters to consider
The following table shows billing components and technical capabilities. For current hourly rates, see the AWS VPN pricing page.
| Criteria | VGW VPN | TGW/Cloud WAN | Large VPN | VPN Concentrator | Client VPN |
|---|---|---|---|---|---|
| Data Transfer Out | Yes | Yes | Yes | Yes | Yes |
| VPN Connection Hour | Yes | Yes | Yes | Yes | Yes |
| Public IPv4 tunnel IPs | Yes | Yes | Yes | Yes | Yes |
| TGW/Cloud WAN Attachment Hour | No | Yes | Yes | Yes | N/A |
| Global Accelerator (optional) | No | Yes | No | Yes | No |
| Additional pricing | — | — | — | Concentrator/Hour | Endpoint Hour + Active Connection Hour |
When to consider alternatives
You might want to consider the following alternatives in specific situations:
- AWS Direct Connect – For dedicated bandwidth exceeding 10 Gbps, consistent sub-10 millisecond latency, or regulatory requirements mandating private circuits. See the AWS Direct Connect User Guide for more details. For encrypted connectivity over Direct Connect, use Private IP VPN over a transit VIF.
- Hybrid VPN + Direct Connect – VPN as an encrypted backup path for Direct Connect failover. For high-bandwidth backup, combine Direct Connect with Large Bandwidth Tunnel VPN over the same TGW. See AWS Direct Connect Resiliency Recommendations for more details.
- SD-WAN integration – Use Transit Gateway Connect to establish GRE tunnels from third-party appliances (up to 20 Gbps per Connect attachment). See AWS Transit Gateway + SD-WAN solutions for more details.
Conclusion
Selecting the right AWS VPN solution requires evaluating four factors: site count, per-site bandwidth, architecture complexity, and cost. By matching the option to your requirements up front, you avoid over-provisioning that inflates costs, under-provisioning that creates performance bottlenecks, and architectural rework as your hybrid network scales.
To get started:
- Identify your site count and bandwidth requirements using the decision framework.
- Validate against the cost comparison tables and scenario-specific considerations.
- Review best practices in the AWS Site-to-Site VPN User Guide for high availability, security, and monitoring.
Further reading
- AWS Site-to-Site VPN User Guide – Complete VPN documentation
- AWS Client VPN Administrator Guide – Client VPN setup and management
- AWS VPN pricing – Hourly rates and data transfer charges
- Introducing AWS Site-to-Site VPN 5 Gbps Tunnels to support high throughput workloads – Large Bandwidth Tunnel setup and ECMP
- Introducing AWS Site-to-Site VPN Concentrator for multi-site connectivity – Multi-site connectivity setup
- Scaling VPN throughput using AWS Transit Gateway – ECMP configuration
- Connect attachments and Connect peers in AWS Transit Gateway – GRE tunnels for SD-WAN integration
- AWS Site-to-Site VPN quotas – Quotas for VPN