AWS Site-to-Site VPN: How It Works and When to Use It
AWS Site-to-Site VPN connects your on-premises network to your AWS VPC using encrypted IPSec tunnels that run over your existing internet connection. Your data center, office, or branch location gets a private path into AWS, so EC2 instances stay in private subnets and nothing needs a public IP address.
Setup takes hours rather than weeks, there is no physical infrastructure to provision, and the cost is low. That combination makes Site-to-Site VPN the natural first choice for hybrid connectivity, before a Direct Connect investment is justified and often as a permanent solution for workloads with modest bandwidth needs.
Simple explanation
Site-to-Site VPN is a managed AWS service that creates a private, encrypted connection between your on-premises network and your VPC. Your office or data center acts as one end of the connection, and AWS manages the other end.
Once the tunnels are established, servers in your data center can reach EC2 instances, RDS databases, and other VPC resources using private IP addresses, as if both locations were on the same local network. Traffic is encrypted with IPSec so it cannot be read or modified in transit, even though it crosses the public internet.
AWS creates two tunnels automatically for redundancy. If one drops, traffic shifts to the other. For a broader picture of where Site-to-Site VPN fits alongside Direct Connect and Transit Gateway, see the Hybrid Connectivity Overview.
Picture your corporate data center as one building and AWS as a second building, each with its own private network. Site-to-Site VPN builds a pair of locked tunnels between them through a shared public road. Anyone on the road can see that something is travelling through the tunnel, but they cannot open it or read what is inside. Once the tunnels are up, any server in either building can reach any server in the other using private addresses.
How AWS Site-to-Site VPN works
When you create a Site-to-Site VPN connection, AWS establishes two encrypted tunnels between your on-premises location and the AWS side. Here is the traffic path step by step:
- Your on-premises VPN device (the customer gateway device) initiates or accepts the VPN tunnel. It encrypts outbound traffic destined for AWS and decrypts inbound traffic arriving from AWS.
- The encrypted packets travel over the public internet to AWS VPN endpoints.
- AWS receives the traffic at a target gateway. For most single-VPC setups this is a Virtual Private Gateway (VGW) attached to your VPC. For environments that need to reach multiple VPCs, a Transit Gateway can serve as the target instead.
- The target gateway decrypts the traffic and forwards it to the correct subnet inside the VPC, following the route tables attached to those subnets.
- Return traffic follows the same path in reverse: the VPC routes traffic back through the target gateway, encrypts it, and sends it over the internet back to your on-premises device.
Two tunnels and failover
Every VPN connection comes with two tunnels. Each terminates on a separate AWS VPN endpoint in a different Availability Zone. If one endpoint needs maintenance or fails, traffic shifts to the other tunnel automatically.
For failover to work, both tunnel endpoints must be configured on your on-premises device. Your device also needs to monitor tunnel health using Dead Peer Detection or an equivalent keepalive mechanism, so it switches to the backup tunnel quickly when needed.
AWS creates two tunnels, but your on-premises device has to be told about both. Teams that configure only the first tunnel discover this the hard way when AWS maintenance takes it down. Set up both tunnel endpoints on your device and test failover before going to production.
Encrypted tube analogy: Think of Site-to-Site VPN as a pair of locked tubes running between your office and AWS. Traffic flows through them in both directions. The internet is the physical medium the tubes travel through, but the content inside is locked with IPSec encryption so no one along the route can read or modify what is inside.
Core components
Customer gateway device — your physical or software VPN appliance on-premises. It handles IPSec encryption and decryption and manages the tunnel endpoints. AWS publishes validated configurations for Cisco, Juniper, Palo Alto, Fortinet, pfSense, and other common devices. The device needs a static public IP and must support IKEv1 or IKEv2.
Customer Gateway (CGW) resource — an AWS configuration record representing your on-premises device. You create it by providing the device’s public IP and, optionally, its BGP ASN. This is not a physical device. It is the record AWS uses to know where to send the far end of the tunnel.
Target gateway — the AWS-side endpoint that terminates the VPN tunnels. For a standard single-VPC setup, this is a Virtual Private Gateway (VGW) that you create and attach to your VPC. For environments connecting multiple VPCs, a Transit Gateway can serve as the target instead. Most beginner setups use a VGW.
VPN Connection — the object that links your Customer Gateway to the target gateway. When you create it, AWS generates both tunnel configurations including pre-shared keys, endpoint IPs, and IKE parameters. You download a device-specific configuration file and load it into your on-premises appliance.
When a VGW is attached to a VPC, you can enable route propagation on a subnet’s route table. This lets the VGW inject routes learned via BGP automatically, so you do not have to add them by hand. Without this step, even a working VPN will not carry traffic because the VPC has no route pointing toward on-premises. See Route Tables in AWS for how this fits together.
Static routing vs BGP
When you create a VPN connection, you choose how routes are exchanged between your on-premises network and AWS.
Static routing means you manually specify the on-premises CIDR blocks reachable over the VPN. AWS stores them as static routes in the VPC route tables, and your on-premises device is manually configured with the VPC CIDR. This is simple to set up and works well for small, stable networks where IP ranges rarely change.
BGP (Border Gateway Protocol) means your on-premises router and the AWS target gateway exchange route information automatically. Add a new subnet on-premises and it is advertised to AWS without any manual steps. BGP also enables more graceful failover: if you run Direct Connect as your primary path with VPN as a backup, BGP lets AWS prefer the Direct Connect route and fall back to VPN automatically when Direct Connect becomes unavailable.
Static routing is fine for simple, stable environments where your on-premises CIDR ranges rarely change. Choose BGP if your network is larger, if you expect to add subnets over time, or if you plan to run VPN alongside Direct Connect as a backup path. BGP handles all of that without manual route updates. Most enterprise routers and firewalls already support it.
When to use Site-to-Site VPN
Site-to-Site VPN is the right choice in these situations:
- You need connectivity quickly. VPN can be configured in hours using your existing internet connection. There is no physical infrastructure to provision or carrier coordination required.
- You are in a migration phase. Before committing to Direct Connect, VPN gives your on-premises systems access to AWS resources immediately. Many teams run VPN during migration and evaluate later whether Direct Connect is needed.
- You have modest bandwidth needs. Most internal application traffic, management access, and moderate data transfers fit comfortably within what a VPN tunnel can carry.
- You need encryption for compliance. IPSec encryption is built in. If your policy requires encrypted traffic between on-premises and cloud, Site-to-Site VPN satisfies that requirement out of the box.
- You are connecting branch offices to AWS. Branch locations with a supported router can connect directly to AWS without a full Direct Connect circuit.
- You need a backup path alongside Direct Connect. A VPN connection makes a cost-effective standby for Direct Connect resilience. With BGP, the failover between the two paths is automatic.
When not to use Site-to-Site VPN
VPN is not the right tool for every workload. Be clear-eyed about these limitations before committing it to scenarios where it will struggle:
- High-throughput workloads. Each VPN tunnel has a throughput ceiling. Workloads that regularly transfer large data volumes — database replication, high-volume data pipelines, bulk migrations — will run into that limit. For higher aggregate capacity, consider Direct Connect or multiple VPN connections with ECMP routing through Transit Gateway.
- Latency-sensitive applications. VPN traffic traverses the public internet and latency fluctuates with internet conditions. If your application needs consistent sub-20ms latency, Direct Connect is the right choice.
- Compliance that prohibits internet traversal. Even though the traffic is encrypted, it still crosses the public internet. Some compliance frameworks require that data never touch a public network. If yours does, you need Direct Connect.
- Complex large-scale multi-network topologies. Managing many individual VPN connections across dozens of branch offices or VPCs becomes operationally complex at scale. Transit Gateway with SD-WAN integrations may be a better fit.
Teams sometimes assume that because a VPN tunnel is “fast enough” during testing, it will be fast enough in production. Internet latency is unpredictable under load. If your application server makes frequent queries to an on-premises database over VPN, expect intermittent slowdowns when the internet path degrades. That is not a VPN misconfiguration — it is a fundamental property of routing traffic over the public internet.
AWS Site-to-Site VPN vs Direct Connect
The choice between VPN and Direct Connect comes down to your bandwidth requirements, latency sensitivity, and how quickly you need the connection.
| Feature | Site-to-Site VPN | Direct Connect |
|---|---|---|
| Setup time | Hours | Weeks to months |
| Bandwidth | Up to ~1.25 Gbps per tunnel; higher aggregate possible with multiple connections via Transit Gateway | 50 Mbps to 100 Gbps dedicated |
| Latency | Variable (internet-dependent) | Consistent and low (dedicated fiber) |
| Internet dependency | Yes. Tunnels run over the public internet. | No. Dedicated private circuit. |
| Encryption | IPSec by default | Not encrypted by default. Add VPN over Direct Connect if required. |
| Cost profile | Low hourly rate plus standard data transfer charges | Higher port fee, but lower per-GB data transfer rate. Cost-effective at high volumes. |
| Best fit | Quick setup, migration phases, branch offices, backup paths, modest bandwidth | High throughput, latency-sensitive workloads, compliance requirements, large-scale data transfer |
The most common production pattern is both: Direct Connect as the primary path, with Site-to-Site VPN as an automatic backup. If Direct Connect fails, BGP detects it and routes traffic over VPN within seconds to minutes. This gives you Direct Connect’s performance for normal operations and VPN’s availability as a fallback.
Setup overview
Setting up a Site-to-Site VPN involves four main steps:
- Create a Customer Gateway resource in AWS with your on-premises device’s public IP address and BGP ASN if you are using dynamic routing.
- Create or identify a target gateway — typically a Virtual Private Gateway that you create and attach to your VPC, or an existing Transit Gateway for multi-VPC setups.
- Create the VPN Connection, linking the Customer Gateway to the target gateway. AWS generates both tunnel configurations with pre-shared keys and IKE settings. Download the device-specific configuration file.
- Configure your on-premises device using the downloaded file. Apply both tunnel configurations, then enable route propagation on your VPC route tables or add static routes so subnets know to forward on-premises-bound traffic through the target gateway.
# Create a Customer Gateway (your on-premises device)
aws ec2 create-customer-gateway \
--type ipsec.1 \
--public-ip 203.0.113.50 \
--bgp-asn 65000
# Create a Virtual Private Gateway and attach it to your VPC
aws ec2 create-vpn-gateway --type ipsec.1
aws ec2 attach-vpn-gateway \
--vpn-gateway-id vgw-0abc123def456789a \
--vpc-id vpc-0abc123def456789a
# Create the VPN Connection (AWS generates both tunnel configs)
aws ec2 create-vpn-connection \
--type ipsec.1 \
--customer-gateway-id cgw-0abc123def456789a \
--vpn-gateway-id vgw-0abc123def456789a
# Enable route propagation so the VGW injects BGP routes automatically
aws ec2 enable-vgw-route-propagation \
--route-table-id rtb-0abc123def456789a \
--gateway-id vgw-0abc123def456789aAfter creating the connection, download the configuration file from the console and load it onto your on-premises device. AWS provides templates for Cisco, Juniper, Palo Alto, Fortinet, and other major vendors.
Route configuration is easy to overlook. Tunnels in an UP state do not automatically route traffic. Your VPC route tables need entries pointing on-premises-bound traffic toward the target gateway. Enable route propagation for BGP setups, or add static routes manually if you chose static routing.
Common beginner mistakes
- Configuring only one of the two tunnels. AWS creates two tunnels for redundancy, but redundancy only works if both are set up on your on-premises device. Many teams configure the first tunnel and skip the second, then are surprised when AWS maintenance takes the first one down. Configure both tunnels and test failover before going to production.
- Missing route propagation or manual routes. A VPN in the UP state does not automatically make VPC subnets route traffic to on-premises. Enable route propagation on the target gateway, or add static routes manually. Without this, tunnels are active but traffic does not flow. See Troubleshooting Network Issues if connectivity looks correct on paper but packets are not arriving.
- CIDR overlap between on-premises and VPC. If your on-premises network uses 10.0.0.0/8 and your VPC uses 10.1.0.0/16, routing becomes ambiguous. AWS cannot reliably distinguish traffic destined for on-premises 10.1.x.x from traffic destined for the VPC 10.1.x.x range. Ensure your CIDR ranges are distinct before creating the VPN. See VPC Networks Explained for guidance on designing non-overlapping address spaces.
- Using VPN for the wrong workload profile. The throughput ceiling and variable latency of internet-based tunnels catch teams off guard when they run high-volume replication or latency-sensitive applications over VPN. Confirm your bandwidth and latency requirements before choosing VPN over Direct Connect.
- Not testing tunnel failover. Most teams verify that the VPN connection works but never simulate a tunnel failure. The second tunnel could be misconfigured without anyone knowing until the first goes down in production. Test each tunnel independently before treating the connection as production-ready.
Summary
- Site-to-Site VPN creates encrypted IPSec tunnels over the internet between your on-premises network and an AWS VPC. Fast to set up, no physical infrastructure required.
- Key components: customer gateway device (your on-premises appliance), Customer Gateway resource (AWS config record), target gateway (VGW for single-VPC or Transit Gateway for multi-VPC), and the VPN Connection object.
- Every VPN connection creates two tunnels terminating on different AWS endpoints in different AZs. Configure and test both for redundancy to work.
- Static routing is simple and adequate for stable networks. BGP is preferred for dynamic route exchange, larger environments, and automatic failover alongside Direct Connect.
- VPN is the right starting point for quick connectivity, migration phases, branch offices, modest bandwidth, and as a Direct Connect backup path.
- Direct Connect is the right choice when throughput, consistent latency, or compliance requirements exceed what internet-based VPN tunnels can deliver.
Frequently asked questions
Why does AWS Site-to-Site VPN create two tunnels instead of one?
Each tunnel terminates on a different AWS endpoint in a different Availability Zone. If one endpoint has a maintenance event or failure, traffic fails over to the second tunnel automatically. Both tunnels must be configured on your on-premises device for this to work, and you should test failover before relying on it in production.
Does my on-premises device need a static public IP address?
Yes, for a standard Site-to-Site VPN connection. AWS needs a fixed public IP to route the tunnel back to your device. If your on-premises IP changes, update the Customer Gateway resource in AWS to reflect the new address. Some dynamic IP configurations are possible with specific device support, but a static IP is the reliable default.
When should I use Direct Connect instead of Site-to-Site VPN?
Consider Direct Connect when your workloads need reliable high bandwidth, require consistent low latency that the public internet cannot guarantee, generate enough data transfer that Direct Connect per-GB rates offset the port cost, or have compliance requirements that traffic must not traverse the public internet.
What is the difference between static routing and BGP for Site-to-Site VPN?
With static routing you manually define the on-premises CIDR blocks reachable over the VPN. With BGP your on-premises router and AWS exchange routes automatically, so new subnets are advertised without manual updates. BGP is also required for graceful failover between a Direct Connect primary path and a VPN backup, since AWS uses BGP path preference to choose between them.
Can I connect multiple VPCs through a single Site-to-Site VPN?
Not directly through a Virtual Private Gateway, which attaches to one VPC. To route a single VPN connection to multiple VPCs, use a Transit Gateway as the target on the AWS side and connect your VPCs to it. This is the recommended pattern for multi-VPC environments.