AWS VPN

AWS VPN consists of two services: AWS Site-to-Site VPN and AWS Client VPN. You can securely and privately access your cloud resources either through a Site-to-Site VPN IP Security (IPSec) connection or through a Client VPN Transport Layer Security (TLS) tunnel. AWS Site-to-Site VPN lets you securely connect your on-premises network or branch office site to your Amazon Virtual Private Cloud (Amazon VPC). AWS Client VPN lets you securely connect users to AWS or on-premises networks.

AWS Site-to-Site VPN features

AWS Site-to-Site VPN extends your data center or branch office to the cloud via IP Security (IPSec) tunnels, and supports connecting to both a virtual private gateway and AWS Transit Gateway. You can optionally run Border Gateway Protocol (BGP) over the IPSec tunnel for a highly available solution.

Secure connectivity

AWS Site-to-Site VPN enables you to create IPSec tunnels to a virtual private gateway or AWS Transit Gateway. Traffic in the tunnel between these endpoints can be encrypted with AES128 or AES256, and key exchange uses Diffie-Hellman groups, which provides Perfect Forward Secrecy. AWS Site-to-Site VPN authenticates tunnel traffic with SHA1 or SHA2 hash functions.

High availability

AWS Site-to-Site VPN enables you to create failover and CloudHub solutions with AWS Direct Connect. CloudHub lets your remote sites communicate with each other, not just with the VPC. It operates on a simple hub-and-spoke model that you can use with or without a VPC. This design suits customers with multiple branch offices and existing internet connections who want a convenient, potentially low-cost hub-and-spoke model for primary or backup connectivity between those remote offices.

Configuration and performance

AWS Site-to-Site VPN offers customizable tunnel options, including the inside tunnel IP address, the pre-shared key, and the Border Gateway Protocol Autonomous System Number (BGP ASN), so you can set up multiple secure VPN tunnels to increase bandwidth for your applications or to provide resiliency in case of downtime. In addition, equal-cost multi-path routing (ECMP) is available with AWS Site-to-Site VPN on AWS Transit Gateway to increase aggregate bandwidth across multiple paths.
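The tunnel options above (cipher, hash, Diffie-Hellman group, pre-shared key, inside tunnel address) are what a reviewer checks before a connection goes live. The following audit script is an added example, not AWS code: the option keys (Phase1IntegrityAlgorithms, IkeVersions, PreSharedKey, TunnelInsideCidr, and so on), the pre-shared key format rule and the 169.254.0.0/16 /30 rule for the inside CIDR are all assumptions modelled on the Site-to-Site VPN tunnel options, and the two tunnel definitions are constructed samples.

```python
"""Audit AWS Site-to-Site VPN tunnel options against a hardening policy.

Added example, not AWS code. Option keys, the PSK rule and the inside-CIDR
rule are assumptions; map your own describe-vpn-connections output onto them.
"""
import ipaddress
import re
from typing import Dict, List

WEAK_INTEGRITY = {"SHA1"}   # the service offers SHA1 or SHA2; only SHA2 should remain negotiable
WEAK_DH_GROUPS = {2}        # 1024-bit MODP group, too small for meaningful forward secrecy
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
# Assumed PSK rule: 8-64 chars, letters/digits/'.'/'_', must not start with 0.
PSK_RE = re.compile(r"^[1-9A-Za-z._][A-Za-z0-9._]{7,63}$")


def audit_tunnel(t: Dict) -> List[str]:
    """Return findings for one tunnel's option set; an empty list means it passes."""
    findings = []
    for phase in ("Phase1", "Phase2"):
        if set(t.get(phase + "IntegrityAlgorithms", [])) & WEAK_INTEGRITY:
            findings.append(phase + ": SHA1 negotiable; restrict to SHA2-256 or stronger")
        if set(t.get(phase + "DHGroupNumbers", [])) & WEAK_DH_GROUPS:
            findings.append(phase + ": DH group 2 negotiable; use group 14 or higher")
    if "ikev1" in t.get("IkeVersions", []):
        findings.append("IKEv1 negotiable; allow IKEv2 only")
    if not PSK_RE.match(t.get("PreSharedKey", "")):
        findings.append("pre-shared key missing or malformed")
    cidr = t.get("TunnelInsideCidr")
    if cidr:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen != 30 or not net.subnet_of(LINK_LOCAL):
            findings.append("inside tunnel CIDR must be a /30 inside 169.254.0.0/16")
    return findings


def audit_connection(tunnels: List[Dict]) -> Dict[str, List[str]]:
    """Audit each tunnel of one connection and confirm a second tunnel exists for failover."""
    report = {"tunnel%d" % (i + 1): audit_tunnel(t) for i, t in enumerate(tunnels)}
    if len(tunnels) < 2:
        report["connection"] = ["only one tunnel configured; no failover path"]
    return report


# Constructed samples: a permissive legacy tunnel beside a hardened one.
LEGACY = {"Phase1IntegrityAlgorithms": ["SHA1", "SHA2-256"], "Phase1DHGroupNumbers": [2, 14],
          "Phase2IntegrityAlgorithms": ["SHA1"], "Phase2DHGroupNumbers": [2],
          "IkeVersions": ["ikev1", "ikev2"], "PreSharedKey": "0short",
          "TunnelInsideCidr": "169.254.10.0/30"}
HARDENED = {"Phase1IntegrityAlgorithms": ["SHA2-384"], "Phase1DHGroupNumbers": [20],
            "Phase2IntegrityAlgorithms": ["SHA2-384"], "Phase2DHGroupNumbers": [20],
            "IkeVersions": ["ikev2"], "PreSharedKey": "Example_PSK.not_for_production_42",
            "TunnelInsideCidr": "169.254.20.0/30"}
```

Running audit_connection([LEGACY, HARDENED]) reports six findings for the legacy tunnel and none for the hardened one.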

Network Address Translation (NAT) Traversal

AWS Site-to-Site VPN supports NAT Traversal, so you can use private IP addresses on private networks behind routers that present a single public IP address to the internet.

Monitoring

AWS Site-to-Site VPN can send metrics to CloudWatch for greater visibility and monitoring. CloudWatch also lets you send your own custom metrics and add data points in any order and at any rate you choose. You can retrieve statistics about those data points as an ordered set of time-series data.

AWS Site-to-Site VPN limits

You can have up to five (5) customer gateways per AWS account per AWS Region.*

You can have up to five (5) virtual gateways per AWS account per AWS Region.*

You can have up to fifty (50) Site-to-Site VPN connections per AWS account per AWS Region.*

You can have up to fifty (50) Site-to-Site VPN connections per virtual gateway.

You can advertise up to one hundred (100) routes per virtual gateway.

*To learn more, see the VPN limits in the Amazon VPC User Guide. If you need to exceed these limits, create a support case.

AWS Client VPN features

AWS Client VPN provides a fully managed VPN solution that can be accessed from anywhere with an Internet connection and an OpenVPN-compatible client. It is elastic and automatically scales to meet your demand. It lets your users connect to both AWS and on-premises networks. AWS Client VPN integrates with your existing AWS infrastructure, including Amazon VPC and AWS Directory Service, so you don't have to change your network topology.

AWS Client VPN provides the following features:

Authentication

AWS Client VPN authenticates users with either Active Directory or certificates. Client VPN integrates with AWS Directory Service, which connects to your existing on-premises Active Directory, so you do not have to replicate data from your existing Active Directory to the cloud. Certificate-based authentication with Client VPN integrates with AWS Certificate Manager to provision, manage, and deploy certificates.

Authorization

AWS Client VPN provides network-based authorization, so you can define access control rules that limit access to specific networks based on Active Directory groups. Client VPN can also grant users granular access to specific applications using security groups.

Secure connectivity

AWS Client VPN uses TLS to encrypt tunnel traffic. A single VPN tunnel terminates at each Client VPN endpoint and gives users access to all AWS and on-premises resources.

Connection management

You can use Amazon CloudWatch Logs to monitor, store, and access the connection logs from AWS Client VPN, and retrieve the associated log data from CloudWatch Logs. This lets you monitor connections, conduct forensic analysis, and terminate specific connections, keeping you in control of who has access to your network.
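As an added example of the monitoring and forensics workflow just described (not AWS code), the script below triages Client VPN connection-log records pulled from CloudWatch Logs: it flags users with repeated failed connection attempts, lists sessions that are still open per user, and flags sessions that moved an unusual volume of data. The field names (connection-log-type, connection-attempt-status, username, connection-id, egress-bytes) are assumed to follow the Client VPN connection-log format, and every record is a constructed sample.

```python
"""Triage AWS Client VPN connection-log records retrieved from CloudWatch Logs.

Added example, not AWS code. Field names are assumptions modelled on the
Client VPN connection-log format; the records below are constructed samples.
"""
import json
from collections import defaultdict
from typing import Dict, List

FAILED_ATTEMPTS_THRESHOLD = 3          # repeated credential failures per user
EGRESS_BYTES_THRESHOLD = 500_000_000   # bytes in a single session worth a second look

SAMPLE_LOG = [  # constructed sample records, one JSON object per line
    '{"connection-log-type":"connection-attempt","connection-attempt-status":"failed","username":"alice","connection-id":"cvpn-connection-0001","connection-attempt-failure-reason":"credential-failure"}',
    '{"connection-log-type":"connection-attempt","connection-attempt-status":"failed","username":"alice","connection-id":"cvpn-connection-0002","connection-attempt-failure-reason":"credential-failure"}',
    '{"connection-log-type":"connection-attempt","connection-attempt-status":"failed","username":"alice","connection-id":"cvpn-connection-0003","connection-attempt-failure-reason":"credential-failure"}',
    '{"connection-log-type":"connection-attempt","connection-attempt-status":"successful","username":"bob","connection-id":"cvpn-connection-0004"}',
    '{"connection-log-type":"connection-reset","username":"bob","connection-id":"cvpn-connection-0004","ingress-bytes":"12000","egress-bytes":"900000000"}',
    '{"connection-log-type":"connection-attempt","connection-attempt-status":"successful","username":"carol","connection-id":"cvpn-connection-0005"}',
]


def parse_records(lines: List[str]) -> List[Dict]:
    """Decode one JSON record per line, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def triage(records: List[Dict]) -> Dict:
    """Summarise repeated failures, still-open sessions and heavy-egress sessions."""
    failed = defaultdict(int)
    open_sessions = defaultdict(list)   # username -> connection ids with no reset record yet
    heavy = []
    for r in records:
        kind = r.get("connection-log-type")
        status = r.get("connection-attempt-status")
        user = r.get("username", "<unknown>")
        conn = r.get("connection-id")
        if kind == "connection-attempt" and status == "failed":
            failed[user] += 1
        elif kind == "connection-attempt" and status == "successful":
            open_sessions[user].append(conn)
        elif kind == "connection-reset":
            if conn in open_sessions[user]:
                open_sessions[user].remove(conn)   # the session has ended
            if int(r.get("egress-bytes", 0)) > EGRESS_BYTES_THRESHOLD:
                heavy.append(conn)
    return {
        "repeated_failures": sorted(u for u, n in failed.items() if n >= FAILED_ATTEMPTS_THRESHOLD),
        "open_sessions": {u: ids for u, ids in open_sessions.items() if ids},
        "heavy_egress": heavy,
    }
```

The connection IDs under open_sessions are the values you would hand to the EC2 TerminateClientVpnConnections API when a session needs to be cut off.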

Compatibility with your employees' devices

AWS Client VPN is designed to connect devices to your applications. It works with any OpenVPN-based client, giving employees the option to use the device of their choice, including Windows, Mac, iOS, Android, and Linux-based devices.
