AWS VPN is comprised of two services: AWS Site-to-Site VPN and AWS Client VPN. AWS Site-to-Site VPN enables you to securely connect your on-premises network or branch office site to your Amazon Virtual Private Cloud (Amazon VPC). AWS Client VPN enables you to securely connect users to AWS or on-premises networks.

Billing

Q: What defines billable VPN connection-hours?

A: VPN connection-hours are billed for any time your VPN connections are in the "available" state. You can determine the state of a VPN connection via the AWS Management Console, CLI, or API. If you no longer wish to use your VPN connection, you simply terminate the VPN connection to avoid being billed for additional VPN connection-hours.

Q: Do your prices include taxes?

A: Except as otherwise noted, our prices are exclusive of applicable taxes and duties, including value-added tax (VAT) and applicable sales tax. For customers with a Japanese billing address, use of AWS services is subject to Japanese Consumption Tax. Learn more.

AWS Site-to-Site VPN setup and management

Q: Can I use the AWS Management Console to control and manage AWS Site-to-Site VPN?

A: Yes. You can use the AWS Management Console to manage IPSec VPN connections, such as AWS Site-to-Site VPN.

Q: How many customer gateways, virtual private gateways, and AWS Site-to-Site VPN connections can I create?

A: You can have:

  • One internet gateway per VPC
  • Five virtual private gateways per AWS account per AWS Region
  • Fifty customer gateways per AWS account per AWS Region
  • Ten IPsec VPN Connections per virtual private gateway

See the Amazon VPC user guide for more information on VPC limits.

Q: How do I set up a Site-to-Site VPN connection?

A: To set up a Site-to-Site VPN connection, you first create a customer gateway (CGW) to represent the gateway device on your side and create a target gateway for the AWS side. You then create a VPN connection using the CGW and the target gateway. See documentation (link) for more details.

Q: What is a customer gateway?

A: A CGW is an AWS object that represents the gateway on your side of the VPN connection. It can be a physical or software appliance.

Q: What target gateways on the AWS side are allowed for VPN connections?

A: You can create VPN connections with the AWS side endpoints in a virtual private gateway or an AWS Transit Gateway. You need to create and set up the target gateway before you create a VPN connection.

Q: What are the differences between a virtual gateway and AWS Transit Gateway?

A: A virtual gateway is a gateway to one VPC for a VPN or DX connection. A Transit Gateway allows connecting thousands of VPCs together and sharing VPN connections across them.

Q: What are the differences between AWS Site-to-Site VPN connection to a virtual gateway vs an AWS Transit Gateway?

A: An AWS Site-to-Site VPN connection is the same regardless of the target gateway used. However, only VPN connections attached to a Transit Gateway offer equal cost multipath (ECMP) routing support between VPN connections. With ECMP, you can aggregate multiple VPN connections to get a higher effective throughput. If connections advertise the same CIDRs, the traffic is distributed equally between them.

Q: Can I change the target gateway of an existing VPN connection?

A: Yes, you can use the modify VPN connection action on a VPN connection to update the target gateway by specifying a new target gateway, which can be a Transit Gateway or a virtual gateway. The VPN endpoint IP addresses on the AWS side and the tunnel options are preserved, so you do not need to make any changes on your customer gateway device after the modification. See documentation (link) for more details.

Q: What happens when I modify the target gateway of a VPN connection?

A: When you modify the target gateway of a VPN connection, the existing endpoints on the AWS side are stopped, and new endpoints with the same IP addresses are provisioned on the new target gateway you specify. Your VPN connection will be temporarily unavailable during the modification while we provision the new endpoints.

AWS Site-to-Site VPN connectivity

Q: What are the VPN connectivity options for my Amazon VPC?

A: You may connect your VPC to your corporate data center using a Site-to-Site VPN connection via the virtual private gateway.

Q: How do instances without public IP addresses access the internet?

A: Instances without public IP addresses can access the internet in one of two ways:

  1. Instances without public IP addresses can route their traffic through a network address translation (NAT) gateway or a NAT instance to access the internet. These instances use the public IP address of the NAT gateway or NAT instance to traverse the internet. The NAT gateway or NAT instance allows outbound communication but doesn’t allow machines on the internet to initiate a connection to the privately addressed instances.
  2. For Amazon VPCs with a Site-to-Site VPN connection or Direct Connect connection, instances can route their Internet traffic down the virtual private gateway to your existing datacenter. From there, it can access the Internet via your existing egress points and network security/monitoring devices.

Q: How does an AWS Site-to-Site VPN connection work with Amazon VPC?

A: An AWS Site-to-Site VPN connection connects your Amazon VPC to your datacenter. Amazon supports Internet Protocol Security (IPSec) VPN connections. Data transferred between your Amazon VPC and datacenter routes over an encrypted VPN connection to help maintain the confidentiality and integrity of data in transit. An internet gateway is not required to establish a Site-to-Site VPN connection.

Q: What is IPSec?

A: IP Security (IPSec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream.

Q: Which customer gateway devices can I use to connect to Amazon VPC?

A: There are two types of AWS Site-to-Site VPN connections that you can create: statically-routed VPN connections and dynamically-routed VPN connections. Customer gateway devices supporting statically-routed VPN connections must be able to:

  • Establish IKE Security Association using Pre-Shared Keys with protocol version 1 or version 2.
  • Establish IPsec Security Associations in Tunnel mode
  • Utilize the AES 128-bit or 256-bit encryption function
  • Utilize the SHA-1 or SHA-2 (256) hashing function
  • Utilize Diffie-Hellman (DH) Perfect Forward Secrecy in "Group 2" mode, or one of the additional DH groups we support
  • Perform packet fragmentation prior to encryption

In addition to the above capabilities, devices supporting dynamically-routed Site-to-Site VPN connections must be able to:

  • Establish Border Gateway Protocol (BGP) peering
  • Bind tunnels to logical interfaces (route-based VPN)
  • Utilize IPsec Dead Peer Detection.

Q: Which IKE versions do you support?

A: We support IKE version 1 and version 2.

Q: Which Diffie-Hellman groups do you support?

A: We support the following Diffie-Hellman (DH) groups in Phase 1 and Phase 2.

  • Phase 1 DH groups 2, 14-18, 22, 23, 24
  • Phase 2 DH groups 2, 5, 14-18, 22, 23, 24

Q: What customer gateway devices are known to work with Amazon VPC?

A: In the network administrator guide, you will find a list of the devices that meet the aforementioned requirements, that are known to work with Site-to-Site VPN connections, and that are supported by the command line tools for automatic generation of configuration files appropriate for your device.

Q: If my device is not listed, where can I go for more information about using it with Amazon VPC?

A: We recommend checking the Amazon VPC forum as other customers may be already using your device.

Q: What is the approximate maximum throughput of a Site-to-Site VPN connection?

A: A virtual gateway supports IPsec VPN throughput up to 1.25 Gbps. Multiple VPN connections to the same VPC are cumulatively bound by the virtual gateway throughput of 1.25 Gbps.

Q: What factors affect the throughput of my VPN connection?

A: VPN connection throughput can depend on multiple factors, such as the capability of your customer gateway, the capacity of your connection, average packet size, the protocol being used, TCP vs. UDP, and the network latency between your customer gateway and the virtual private gateway.

Q: What tools are available to me to help troubleshoot my Site-to-Site VPN configuration?

A: The DescribeVPNConnection API displays the status of the VPN connection, including the state ("up"/"down") of each VPN tunnel and corresponding error messages if either tunnel is "down". This information is also displayed in the AWS Management Console.
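As an added example (not AWS's own code), the following turns the information the FAQ describes, the connection state that drives billing and the per-tunnel "up"/"down" status with its error message, into a short health report. It assumes the response shape of boto3's `ec2.describe_vpn_connections()` (`State`, `VgwTelemetry[].Status`, `VgwTelemetry[].StatusMessage`); the sample response is constructed, with placeholder connection IDs and documentation IP addresses.

```python
# Constructed sample shaped like a DescribeVpnConnections response; the IDs,
# addresses and messages are placeholders, not values from a real account.
SAMPLE_RESPONSE = {
    "VpnConnections": [
        {
            "VpnConnectionId": "vpn-0123456789abcdef0",
            "State": "available",
            "VgwTelemetry": [
                {"OutsideIpAddress": "203.0.113.10", "Status": "UP",
                 "StatusMessage": "", "AcceptedRouteCount": 3},
                {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN",
                 "StatusMessage": "IPSEC IS DOWN", "AcceptedRouteCount": 0},
            ],
        },
        {
            "VpnConnectionId": "vpn-0fedcba9876543210",
            "State": "available",
            "VgwTelemetry": [
                {"OutsideIpAddress": "198.51.100.20", "Status": "UP",
                 "StatusMessage": "", "AcceptedRouteCount": 5},
                {"OutsideIpAddress": "198.51.100.21", "Status": "UP",
                 "StatusMessage": "", "AcceptedRouteCount": 5},
            ],
        },
        {
            "VpnConnectionId": "vpn-00000000000000000",
            "State": "deleted",
            "VgwTelemetry": [],
        },
    ]
}


def summarize_vpn_connections(response):
    """Return one summary dict per VPN connection in the response."""
    summaries = []
    for conn in response.get("VpnConnections", []):
        tunnels = conn.get("VgwTelemetry", [])
        up = [t for t in tunnels if t.get("Status") == "UP"]
        # Every tunnel that is not UP carries the error text the console shows.
        problems = [
            f"{t.get('OutsideIpAddress')}: {t.get('StatusMessage') or 'no status message'}"
            for t in tunnels if t.get("Status") != "UP"
        ]
        summaries.append({
            "id": conn["VpnConnectionId"],
            "state": conn["State"],
            # Connection-hours are billed while the connection is "available".
            "billable": conn["State"] == "available",
            "tunnels_up": len(up),
            "tunnels_total": len(tunnels),
            "problems": problems,
        })
    return summaries


def needs_attention(summaries):
    """Billable connections with at least one tunnel down have lost redundancy."""
    return [s for s in summaries
            if s["billable"] and s["tunnels_up"] < s["tunnels_total"]]


if __name__ == "__main__":
    for s in summarize_vpn_connections(SAMPLE_RESPONSE):
        print(s["id"], s["state"],
              f"{s['tunnels_up']}/{s['tunnels_total']} tunnels up", s["problems"])
```

Against a live account, replace SAMPLE_RESPONSE with the dict returned by `boto3.client("ec2").describe_vpn_connections()`.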

Q: How do I connect a VPC to my corporate datacenter?

A: Establishing a Site-to-Site VPN connection between your existing network and Amazon VPC allows you to interact with Amazon EC2 instances within a VPC as if they were within your existing network. AWS does not perform network address translation (NAT) on Amazon EC2 instances within a VPC accessed via a Site-to-Site VPN connection.

Q: Can I NAT my customer gateway behind a router or firewall?

A: You will use the public IP address of your NAT device.

Q: What IP address do I use for my customer gateway address?

A: You will use the public IP address of your NAT device.

Q: How do I disable NAT-T on my connection?

A: You will need to disable NAT-T on your device. If you don’t plan on using NAT-T and it is not disabled on your device, we will attempt to establish a tunnel over UDP port 4500. If that port is not open the tunnel will not establish.

Q: I would like to have multiple customer gateways behind a NAT, what do I need to do to configure that?

A: You will need to disable NAT-T on your device. If you don’t plan on using NAT-T and it is not disabled on your device, we will attempt to establish a tunnel over UDP port 4500. If that port is not open the tunnel will not establish.

Q: How many IPsec security associations can be established concurrently per tunnel?

A: The AWS Site-to-Site VPN service is a route-based solution, so when using a route-based configuration you will not run into SA limitations. If, however, you are using a policy-based configuration, you will need to limit it to a single SA, because the service is route-based.

Q: Can I advertise my VPC public IP address range to the internet and route the traffic through my datacenter, via the Site-to-Site VPN, and to my Amazon VPC?

A: Yes, you can route traffic via the Site-to-Site VPN connection and advertise the address range from your home network.

Q: What is the maximum throughput of a Site-to-Site VPN connection?

A: The maximum throughput of a Site-to-Site VPN connection is typically around 1.25 Gbps. If you need higher throughput you could use equal cost multipath (ECMP) which is available for VPN connections attached to a Transit Gateway. With ECMP, you can aggregate multiple VPN connections to achieve a higher effective throughput.

Q: How do I use ECMP to achieve a higher effective VPN throughput?

A: You can use ECMP on VPN connections that are attached to a Transit Gateway which was created with the VPN ECMP option enabled. If connections advertise the same CIDRs, the traffic is distributed equally between them. For example, if you use ECMP across ten VPN connections attached to a Transit Gateway, your maximum effective throughput for this set of VPN connections would typically be 1.25 * 10 = 12.5 Gbps.

AWS Client VPN setup and management

Q: How do I set up AWS Client VPN?

A: The IT administrator creates a Client VPN endpoint, associates a target network to that endpoint and sets up the access policies to allow end user connectivity. The IT administrator distributes the client VPN configuration file to the end users. End users will need to download an OpenVPN client and use the Client VPN configuration file to create their VPN session.

Q: What should an end user do to set up a connection?

A: The end user should download an OpenVPN client to their device. Next, the user will import the AWS Client VPN configuration file to the OpenVPN client and initiate a VPN connection.

Q: What is a Client VPN endpoint?

A: The Client VPN endpoint is a regional construct that you configure to use the service. The VPN sessions of end users terminate at the Client VPN endpoint. As part of configuring the Client VPN endpoint, you specify the authentication details, server certificate information, client IP address allocation, logging, and VPN options.

Q: What is a target network?

A: A target network is a network that you associate to the Client VPN endpoint that enables secure access to your AWS resources as well as access to on-premises networks. Currently, the target network is a subnet in your Amazon VPC.

Q: Is Client VPN HIPAA or FIPS compliant?

A: Not at this time.

AWS Client VPN connectivity

Q: How do I enable connectivity to other networks?

A: You can enable connectivity to other networks like peered Amazon VPCs, on-premises networks via a virtual gateway, AWS services such as S3 via endpoints, networks via AWS PrivateLink, or other resources via an internet gateway. To enable connectivity, add a route to the specific network in the Client VPN route table, and add an authorization rule enabling access to the specific network.

Q: Can the Client VPN endpoint belong to a different account from the associated subnet?

A: No, the subnet being associated has to be in the same account as Client VPN endpoint.

Q: Can I access resources in a VPC in a region different from the one in which I set up the TLS session, using a private IP address?

A: You can achieve this by following the two steps: First, set up a cross-region peering connection between your destination VPC (in the different region) and the Client VPN associated VPC. Second, you should add a route and access rule for the destination VPC in the Client VPN endpoint. Your users can now access the resources in the destination VPC that is in a different region from your Client VPN endpoint.

Q: What transport protocols are supported by AWS Client VPN?

A: You can choose either TCP or UDP for the VPN session.

Q: Does AWS Client VPN support split tunnel?

A: No. All the VPN sessions are full-tunnel VPN. Once the VPN session is created, all the traffic from the device will traverse through the VPN session.

AWS Client VPN authentication and authorization

Q: What authentication mechanisms does AWS Client VPN support?

A: AWS Client VPN supports authentication with Active Directory using AWS Directory Services and Certificate-based authentication.

Q: Can I use an on-premises Active Directory service to authenticate users?

A: Yes. AWS Client VPN integrates with AWS Directory Service that will allow you to connect to on-premises Active Directory.

Q: Does AWS Client VPN support mutual authentication?

A: Yes, AWS Client VPN supports mutual authentication. When mutual authentication is enabled, customers have to upload to the server the root certificate used to issue the client certificates.

Q: Can I blocklist client certificates?

A: Yes, AWS Client VPN supports statically-configured Certificate Revocation List (CRL).

Q: Does AWS Client VPN support the ability for a customer to bring their own certificate?

A: Yes. You should upload the certificate of the server, root CA certificate and the private key of the server. These are uploaded to AWS Certificate Manager.

Q: Does AWS Client VPN integrate with AWS Certificate Manager (ACM) to generate server certificates?

A: Yes. You can use ACM as a subordinate CA chained to an external root CA. ACM then generates the server certificate. In this scenario, ACM also does the server certificate rotation.

Q: Does AWS Client VPN support posture assessment?

A: No. AWS Client VPN does not support posture assessment. Other AWS services, such as Amazon Inspector, support posture assessment.

Q: Does AWS Client VPN support Multi-Factor Authentication (MFA)?

A: No, AWS Client VPN does not natively support MFA. If Active Directory is chosen as the authentication mechanism, the user can enter only one password that is used by the Active Directory for authentication.

Q: How does AWS Client VPN support authorization?

A: You configure authorization rules which limit the users who can access a network. For a specified network, you configure the Active Directory group that is allowed access. Only users belonging to this Active Directory group can access the specified network.
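The two answers above (adding a route plus an authorization rule, and group-based authorization rules) describe a two-part access model. The following added example, which is not AWS code, models that logic offline so a policy can be checked before it is deployed: a destination is reachable only when a Client VPN route covers it and an authorization rule for the user's Active Directory group (or an all-groups rule) also covers it. Routes, rules, CIDRs, subnet IDs and group names are constructed placeholders.

```python
import ipaddress

# Constructed route table and authorization rules for one Client VPN endpoint.
# In AWS these correspond to CreateClientVpnRoute and AuthorizeClientVpnIngress;
# a rule with group None stands for "authorize all groups".
ROUTES = [
    {"destination": "10.0.0.0/16", "via": "associated VPC"},
    {"destination": "10.1.0.0/16", "via": "peered VPC"},
    {"destination": "172.16.0.0/12", "via": "on-premises via virtual gateway"},
    {"destination": "10.9.0.0/16", "via": "route that has no rule"},
]
RULES = [
    {"destination": "10.0.0.0/16", "group": None},
    {"destination": "10.1.0.0/16", "group": "engineering"},
    {"destination": "172.16.0.0/12", "group": "network-ops"},
    {"destination": "192.168.0.0/16", "group": "network-ops"},  # rule with no route
]


def can_reach(user_groups, dest_ip, routes=ROUTES, rules=RULES):
    """Return (allowed, reason) for a connected user in the given AD groups."""
    ip = ipaddress.ip_address(dest_ip)
    if not any(ip in ipaddress.ip_network(r["destination"]) for r in routes):
        return False, "no route in the Client VPN route table"
    for rule in rules:
        if ip in ipaddress.ip_network(rule["destination"]):
            if rule["group"] is None or rule["group"] in user_groups:
                return True, f"authorized by rule for {rule['destination']}"
    return False, "no authorization rule for the user's groups"


def audit(routes=ROUTES, rules=RULES):
    """Defender checks: routes nobody can use, rules that cannot take effect,
    and all-groups rules that expose a broad address range."""
    findings = []
    route_nets = [ipaddress.ip_network(r["destination"]) for r in routes]
    rule_nets = [ipaddress.ip_network(r["destination"]) for r in rules]
    for net in route_nets:
        if not any(net.overlaps(rn) for rn in rule_nets):
            findings.append(f"route {net} has no authorization rule (unreachable)")
    for rule, net in zip(rules, rule_nets):
        if not any(net.overlaps(rt) for rt in route_nets):
            findings.append(f"rule for {net} has no matching route (ineffective)")
        if rule["group"] is None and net.prefixlen < 24:
            findings.append(f"rule for {net} authorizes all groups on a /{net.prefixlen}")
    return findings


if __name__ == "__main__":
    print(can_reach({"engineering"}, "10.1.2.3"))
    print(can_reach({"sales"}, "10.1.2.3"))
    for finding in audit():
        print("finding:", finding)
```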

Q: Does AWS Client VPN support security groups?

A: AWS Client VPN supports security groups. You can specify security groups for the subnet associations. When a subnet is associated, we will automatically apply the default security group of the VPC of the subnet.

Q: How do I use security groups to restrict access to my applications to only Client VPN connections?

A: For your application, you can specify to allow access only from the security groups that were applied to the associated subnet. Now you limit access to only users connected via Client VPN.

AWS Client VPN visibility and monitoring

Q: What logs are supported for AWS Client VPN?

A: AWS Client VPN exports the connection log on a best-effort basis to CloudWatch Logs. These logs are exported periodically at 15 minute intervals. The connection logs include details on creating and terminating connection requests.

Q: Does AWS Client VPN support Amazon VPC Flow Logs in the endpoint?

A: No. You can use Amazon VPC Flow Logs in the associated Amazon VPC.

Q: Can I monitor active connections?

A: Yes, using the CLI or console, you can view the current active connections for an endpoint and terminate active connections.

Q: Can I monitor by endpoint using CloudWatch?

A: Yes. Using CloudWatch monitor you can see ingress and egress bytes and active connections for each Client VPN endpoint.

VPN clients

Q: What client devices does AWS Client VPN support?

A: AWS Client VPN supports OpenVPN-based clients including Windows, Mac, iOS, Android, and Linux.

Virtual private gateway

Q: What is a virtual private gateway?

A: For any new virtual gateways, configurable private Autonomous System Number (ASN) allows customers to set the ASN on the Amazon side of the BGP session for VPNs and AWS Direct Connect private VIFs.

Q: What is the cost of using a virtual private gateway?

A: There is no additional charge for virtual private gateways.

Q: How can I configure/assign my ASN to be advertised as Amazon side ASN?

A: You can configure/assign an ASN to be advertised as the Amazon side ASN during creation of the new virtual private gateway. You can create a virtual gateway using the VPC console or an EC2/CreateVpnGateway API call.

Q: What ASN did Amazon assign prior to this feature?

A: Amazon assigned the following ASNs: EU West (Dublin) 9059; Asia Pacific (Singapore) 17493 and Asia Pacific (Tokyo) 10124. All other regions were assigned an ASN of 7224; these ASNs are referred to as the “legacy public ASN” of the region.

Q: Can I use any ASN – public and private?

A: You can assign any private ASN to the Amazon side. You can assign the "legacy public ASN" of the region until June 30th 2018; you cannot assign any other public ASN. After June 30th 2018, Amazon will provide an ASN of 64512.

Q: Why can’t I assign a public ASN for the Amazon half of the BGP session?

A: Amazon is not validating ownership of the ASNs, therefore, we’re limiting the Amazon-side ASN to private ASNs. We want to protect customers from BGP spoofing.

Q: What ASN can I choose?

A: You can choose any private ASN. Ranges for 16-bit private ASNs include 64512 to 65534. You can also provide 32-bit ASNs between 4200000000 and 4294967294.

Amazon will provide a default ASN for the virtual gateway if you don’t choose one. Until June 30th 2018, Amazon will continue to provide the “legacy public ASN” of the region. After June 30th 2018, Amazon will provide an ASN of 64512.

Q: What will happen if I try to assign a public ASN to the Amazon half of the BGP session?

A: We will ask you to re-enter a private ASN once you attempt to create the virtual gateway, unless it is the "legacy public ASN" of the region.
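The ASN rules in the answers above (private 16-bit and 32-bit ranges, the per-region legacy public ASN allowed only until June 30th 2018, the 64512 default afterwards, and rejection of any other public ASN) can be checked locally before calling EC2 CreateVpnGateway. This added example is not AWS code; it assumes the region codes used as dictionary keys (eu-west-1, ap-southeast-1, ap-northeast-1) and treats June 30th 2018 itself as still allowed.

```python
from datetime import date

# Legacy public ASNs from the FAQ, keyed by region code (the codes are this
# example's assumption; the FAQ names the regions Dublin, Singapore, Tokyo).
LEGACY_PUBLIC_ASN = {"eu-west-1": 9059, "ap-southeast-1": 17493, "ap-northeast-1": 10124}
LEGACY_DEFAULT = 7224            # every other region's legacy public ASN
POST_CUTOFF_DEFAULT = 64512      # assigned automatically after the cutoff
LEGACY_CUTOFF = date(2018, 6, 30)
PRIVATE_16BIT = range(64512, 65534 + 1)
PRIVATE_32BIT = range(4200000000, 4294967294 + 1)


def _as_date(today):
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return date.fromisoformat(today) if isinstance(today, str) else today


def legacy_public_asn(region):
    return LEGACY_PUBLIC_ASN.get(region, LEGACY_DEFAULT)


def is_private_asn(asn):
    return asn in PRIVATE_16BIT or asn in PRIVATE_32BIT


def default_amazon_side_asn(region, today):
    """What Amazon assigns when amazonSideAsn is left unset."""
    return legacy_public_asn(region) if _as_date(today) <= LEGACY_CUTOFF else POST_CUTOFF_DEFAULT


def validate_amazon_side_asn(asn, region, today):
    """Return (accepted, message): private ASNs always pass, the region's legacy
    public ASN passes only until the cutoff, anything else is sent back."""
    today = _as_date(today)
    if asn is None:
        return True, f"no ASN given; Amazon will assign {default_amazon_side_asn(region, today)}"
    if is_private_asn(asn):
        return True, f"private ASN {asn} accepted"
    if asn == legacy_public_asn(region) and today <= LEGACY_CUTOFF:
        return True, f"legacy public ASN {asn} for {region} accepted until {LEGACY_CUTOFF}"
    # Ownership of public ASNs is not validated, so they are refused (BGP spoofing risk).
    return False, f"ASN {asn} is not private; re-enter a private ASN"


def create_vpn_gateway_params(asn, region, today):
    """Keyword arguments for boto3 ec2.create_vpn_gateway(); raises before any
    API call if the ASN would be rejected."""
    accepted, message = validate_amazon_side_asn(asn, region, today)
    if not accepted:
        raise ValueError(message)
    params = {"Type": "ipsec.1"}  # the only gateway type CreateVpnGateway accepts
    if asn is not None:
        params["AmazonSideAsn"] = asn
    return params


if __name__ == "__main__":
    print(validate_amazon_side_asn(65000, "us-east-1", date.today()))
    print(validate_amazon_side_asn(7224, "us-east-1", date.today()))
    print(create_vpn_gateway_params(4200000001, "eu-west-1", date.today()))
```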

Q: If I don’t provide an ASN for the Amazon half of the BGP session, what ASN can I expect Amazon to assign to me?

A: Amazon will provide an ASN for the virtual gateway if you don’t choose one. Until June 30th 2018, Amazon will continue to provide the “legacy public ASN” of the region. After June 30th 2018, Amazon will provide an ASN of 64512.

Q: Where can I view the Amazon side ASN?

A: You can view the Amazon side ASN in the virtual gateway page of VPC console and in the response of EC2/DescribeVpnGateways API.

Q: If I have a public ASN, will it work with a private ASN on the AWS side?

A: Yes, you can configure the Amazon side of the BGP session with a private ASN and your side with a public ASN.

Q: I have private VIFs already configured and want to set a different Amazon side ASN for the BGP session on an existing VIF. How can I make this change?

A: You will need to create a new virtual gateway with desired ASN, and create a new VIF with the newly created virtual gateway. Your device configuration also needs to change appropriately.

Q: I have VPN connections already configured and want to modify the Amazon side ASN for the BGP session of these VPNs. How can I make this change?

A: You will need to create a new virtual gateway with the desired ASN, and recreate your VPN connections between your Customer Gateways and the newly created virtual gateway.

Q: I already have a virtual gateway and a private VIF/VPN connection configured using an Amazon assigned public ASN of 7224. If Amazon automatically generates the ASN for the new private virtual gateway, what Amazon side ASN will I be assigned?

A: Amazon will assign 64512 to the Amazon side ASN for the new virtual gateway.

Q: I have a virtual gateway and a private VIF/VPN connection configured using an Amazon assigned public ASN. I want to use the same Amazon assigned public ASN for the new private VIF/VPN connection I’m creating. How do I do this?

A: You can configure/assign an ASN to be advertised as the Amazon side ASN during creation of the new Virtual Private Gateway (virtual gateway). You can create a virtual gateway using the console or the EC2/CreateVpnGateway API call. As noted earlier, until June 30th 2018, Amazon will continue to provide the “legacy public ASN” of the region. After June 30th 2018, Amazon will provide an ASN of 64512.

Q: I have a virtual gateway and a private VIF/VPN connection configured using an Amazon assigned public ASN of 7224. If Amazon auto generates the ASN for the new private VIF/VPN connection using the same virtual gateway, what Amazon side ASN will I be assigned?

A: Amazon will assign 7224 to the Amazon side ASN for the new VIF/VPN connection. The Amazon side ASN for your new private VIF/VPN connection is inherited from your existing virtual gateway and defaults to that ASN.

Q: I’m attaching multiple private VIFs to a single virtual gateway. Can each VIF have a separate Amazon side ASN?

A: No, you can assign/configure a separate Amazon side ASN for each virtual gateway, not for each VIF. The Amazon side ASN for a VIF is inherited from the Amazon side ASN of the attached virtual gateway.

Q: I’m creating multiple VPN connections to a single virtual gateway. Can each VPN connection have a separate Amazon side ASN?

A: No, you can assign/configure a separate Amazon side ASN for each virtual gateway, not for each VPN connection. The Amazon side ASN for a VPN connection is inherited from the Amazon side ASN of the virtual gateway.

Q: Where can I select my own ASN?

A: When creating a virtual gateway in the VPC console, uncheck the box asking if you want an auto-generated Amazon BGP ASN and provide your own private ASN for the Amazon half of the BGP session. Once the virtual gateway is configured with an Amazon side ASN, the private VIFs or VPN connections created using the virtual gateway will use your Amazon side ASN.

Q: I use CloudHub today. Will I have to adjust my configurations in the future?

A: You will not have to make any changes.

Q: I want to select a 32-bit ASN. What is the range of 32-bit private ASNs?

A: We will support 32-bit ASNs from 4200000000 to 4294967294.

Q: Once the virtual gateway is created, can I change or modify the Amazon side ASN?

A: No, you cannot modify the Amazon side ASN after creation. You can delete the virtual gateway and recreate a new virtual gateway with the desired ASN.

Q: Is there a new API to configure/assign the Amazon side ASN?

A: No. You can do this with the same API as before (EC2/CreateVpnGateway). We just added a new parameter (amazonSideAsn) to this API.

Q: Is there a new API to view the Amazon side ASN?

A: No. You can view the Amazon side ASN with the same EC2/DescribeVpnGateways API. We just added a new parameter (amazonSideAsn) to this API.
