What is AWS Virtual Private Network (AWS VPN)?

AWS VPN lets you establish a secure connection between a customer's on-premises site (datacenter, office, remote site) and the AWS global network.


AWS offers two services under the VPN service category:

  • AWS Client VPN
  • AWS Site-to-Site VPN


AWS Client VPN

This is a simple managed service that requires configuration only on the AWS side (no setup is needed on the user side, other than installing an OpenVPN client).


  • Allows users to connect (using an OpenVPN client) from anywhere and access AWS resources or on-premises resources.
  • Fully managed by AWS. There is no need to install (and thus manage) any software or hardware to set up this VPN service.
  • Secure connections (using TLS).
  • Highly scalable – AWS automatically scales according to the number of users connecting.
  • Administrators can review the connection logs and other details from the console.



  • Client VPN only supports IPv4 traffic.
  • Client VPN is not HIPAA (Health Insurance Portability and Accountability Act) or FIPS (Federal Information Processing Standards) compliant.


Steps to set up Client VPN

  1. Define the Client VPN endpoint – this is where all client connections terminate.
    • Associate subnet(s) with the VPN endpoint. You can associate multiple subnets as long as each one is in a different Availability Zone and all of them are in the same VPC.
  2. Associate authentication and authorization
    • Authentication is supported through Active Directory and/or mutual authentication (certificates). MFA is supported only if it is enabled in Active Directory.
    • Authorization is supported through network-based authorization and security groups.
  3. Update the route table for the VPN endpoint to establish routing to the desired destinations.
    • Destinations may include resources within this VPC, other VPCs (through VPC peering), the on-premises network, the Internet, and AWS public services.
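
The following is an added example, not part of the original page: a Python check that audits one Client VPN endpoint against the setup steps above. It assumes the input dicts follow the shape of the EC2 DescribeClientVpnEndpoints, DescribeSubnets and DescribeClientVpnAuthorizationRules responses; the function name `audit_client_vpn` is hypothetical and the sample IDs are constructed placeholders.

```python
from collections import Counter

def audit_client_vpn(endpoint, subnets, auth_rules):
    """Return a list of findings for one Client VPN endpoint.

    Arguments are dicts shaped like the EC2 API responses for
    DescribeClientVpnEndpoints, DescribeSubnets and
    DescribeClientVpnAuthorizationRules (an assumption of this example).
    """
    findings = []

    # Step 1: associated subnets must share one VPC, one subnet per AZ.
    if len({s["VpcId"] for s in subnets}) > 1:
        findings.append("subnets span more than one VPC")
    for az, n in sorted(Counter(s["AvailabilityZone"] for s in subnets).items()):
        if n > 1:
            findings.append(f"{n} subnets in {az}; only one per AZ is allowed")

    # Step 2a: with certificates alone there is no MFA step at all.
    auth_types = {a["Type"] for a in endpoint.get("AuthenticationOptions", [])}
    if auth_types == {"certificate-authentication"}:
        findings.append("certificate-only authentication: MFA is not available")

    # Step 2b: network-based authorization should be scoped, not allow-all.
    for r in auth_rules:
        if r.get("AccessAll") and r["DestinationCidr"] == "0.0.0.0/0":
            findings.append("authorization rule lets every user reach 0.0.0.0/0")

    # Connection logs are the administrator's record of who connected.
    if not endpoint.get("ConnectionLogOptions", {}).get("Enabled"):
        findings.append("connection logging is disabled")
    return findings

# Constructed sample data (IDs are placeholders, not real resources).
SAMPLE_ENDPOINT = {
    "ClientVpnEndpointId": "cvpn-endpoint-EXAMPLE",
    "AuthenticationOptions": [{"Type": "certificate-authentication"}],
    "ConnectionLogOptions": {"Enabled": False},
}
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-a", "VpcId": "vpc-1", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-b", "VpcId": "vpc-1", "AvailabilityZone": "us-east-1a"},
]
SAMPLE_RULES = [{"DestinationCidr": "0.0.0.0/0", "AccessAll": True}]

if __name__ == "__main__":
    for finding in audit_client_vpn(SAMPLE_ENDPOINT, SAMPLE_SUBNETS, SAMPLE_RULES):
        print("FINDING:", finding)
```
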



  • Billed per active Client VPN endpoint hour, and
  • Billed per Client VPN connection hour


AWS Site-to-Site VPN

This VPN service allows a connection between a VPC and an on-premises network.


Key components

  • VPC
  • Virtual Private Gateway – attaches to the VPC
  • Customer Gateway – a physical or software component in the on-premises network
    • Routing may be dynamic (propagated routes using BGP) or static (defined routes)
    • Should have a public IP
    • To be more precise, this has two components – the Customer Gateway (an AWS-provided resource) and the Customer Gateway device (physical or software)
  • Tunnel – an encrypted link that allows data to flow between AWS and the on-premises site
    • Each VPN connection has two tunnels for high availability



  • Site-to-Site VPN only supports IPv4 traffic.



  • Billed for each hour the Site-to-Site VPN is available. To stop incurring charges, you have to terminate the VPN connection (from the console, CLI, or API).
  • Also billed for each GB (after the first GB) transferred out
  • Enabling Global Acceleration adds premium charges on top of the two basic fees above

