AWS Networking & CDN
VPN
Secure site-to-site and client VPN tunnels to AWS and remote users
AWS VPN provides two managed VPN solutions: Site-to-Site VPN for connecting on-premises networks to AWS VPCs over IPSec tunnels, and AWS Client VPN for providing remote users with secure access to AWS resources. Both use the public internet as the transport but encrypt all traffic with industry-standard cryptography.
Site-to-Site VPN Architecture
A Site-to-Site VPN connection consists of two IPSec tunnels for redundancy. On the AWS side both tunnels terminate on a Virtual Private Gateway (VGW) attached to your VPC, or on a Transit Gateway, each tunnel with its own AWS public endpoint IP. On your side both tunnels terminate on your Customer Gateway (CGW), a physical or software VPN appliance with a single public IP.
| Component | Role | Key Detail |
|---|---|---|
| Virtual Private Gateway (VGW) | AWS-side VPN endpoint attached to a VPC | One VGW per VPC; to reach many VPCs over one VPN, terminate the connection on a Transit Gateway instead |
| Customer Gateway (CGW) | Representation of your on-prem VPN device in AWS | Stores the public IP and BGP ASN of your device |
| VPN Connection | Logical connection between VGW/TGW and CGW | Two tunnels per connection for HA |
| IKE version | IKEv1 or IKEv2 for key exchange | IKEv2 preferred; more reliable rekeying |
| Routing mode | Static or dynamic (BGP) | BGP preferred; enables automatic route propagation |
| Tunnel inside CIDR | Two /30 CIDRs for the inside (BGP peering) addresses of the two tunnels | AWS picks them from 169.254.0.0/16 unless you specify your own |
Each tunnel carries up to 1.25 Gbps. When the connection terminates on a VGW, AWS sends traffic over only one tunnel at a time even if both are up, so the second tunnel is a hot standby and the connection is capped at 1.25 Gbps. When it terminates on a Transit Gateway with BGP and ECMP enabled on the attachment, both tunnels are active simultaneously (equal-cost multi-path routing), roughly doubling throughput to 2.5 Gbps, and additional VPN connections to the same TGW scale it further. This is a common architecture for high-bandwidth hybrid connectivity.
AWS Client VPN for Remote Access
AWS Client VPN is a managed OpenVPN-based service that lets individual users connect to AWS VPCs and on-premises networks. It scales automatically and eliminates the need to manage VPN server infrastructure.
| Feature | Detail | Notes |
|---|---|---|
| Protocol | OpenVPN over TLS, UDP or TCP, port 443 or 1194 | AWS-provided client or any OpenVPN-compatible client |
| Authentication | Mutual certificate, Active Directory (AWS Directory Service: Simple AD, Managed Microsoft AD or AD Connector), SAML 2.0 federation | SAML enables SSO (Okta, Azure AD, etc.) and MFA at the IdP; methods can be combined (e.g. cert + SAML) |
| Authorization | Authorization rules grant a user group (AD or SAML) access to a destination CIDR; security groups on the endpoint's VPC ENIs filter traffic inside the VPC | Rules default to deny; add one per destination network, plus a route in the endpoint route table |
| Split tunneling | Optional endpoint setting; only traffic for routes in the endpoint route table goes through the VPN | Reduces data transfer costs and improves performance; all other client traffic bypasses AWS |
| Client CIDR | IP range assigned to connected clients | Must not overlap VPC, associated-subnet or on-prem CIDRs; prefix between /12 and /22; cannot be changed after creation |
| Scaling | Automatic; no capacity planning | Up to thousands of concurrent connections |
| Scaling | Automatic; no capacity planning | Up to thousands of concurrent connections |
Split tunneling is the recommended configuration for most deployments. It routes only traffic destined for the endpoint's route table (your VPC CIDRs and any on-prem CIDRs you add) through the VPN tunnel, while internet traffic leaves directly from the client. This reduces AWS data transfer costs and improves performance for internet browsing. Disable it (full tunnel) when policy requires all client traffic, including internet-bound traffic, to pass through VPC inspection or egress controls; note that the setting is a property of the endpoint (modify-client-vpn-endpoint), not part of the authorization rules.
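The client CIDR constraints and endpoint settings above are easy to get wrong and, in the CIDR's case, impossible to fix without recreating the endpoint. The script below, an example added for this page rather than code from the original, checks a proposed client CIDR against the /12–/22 bound and against VPC and on-prem ranges, then audits an endpoint description for logging, authentication type and split tunneling. The VPC and on-prem CIDRs and the endpoint description are constructed inputs shaped like one entry of `aws ec2 describe-client-vpn-endpoints`; in practice you would pass `ec2.describe_client_vpn_endpoints()["ClientVpnEndpoints"][i]` from boto3.

```python
"""Validate a Client VPN client CIDR and audit an endpoint's security settings."""
import ipaddress

# Constructed inputs (example data added for this page, not a real account):
# the ranges the client pool must not overlap, and an endpoint shaped like
# one entry of `aws ec2 describe-client-vpn-endpoints`.
VPC_CIDRS = ["10.0.0.0/16"]
ONPREM_CIDRS = ["10.100.0.0/16", "192.168.0.0/16"]

SAMPLE_ENDPOINT = {
    "ClientVpnEndpointId": "cvpn-endpoint-0example",
    "Status": {"Code": "available"},
    "ClientCidrBlock": "10.100.0.0/22",   # collides with the on-prem range above
    "SplitTunnel": True,
    "TransportProtocol": "udp",
    "VpnPort": 443,
    "AuthenticationOptions": [
        {"Type": "certificate-authentication",
         "MutualAuthentication": {"ClientRootCertificateChain": "arn:aws:acm:us-east-1:123:certificate/def"}},
    ],
    "ConnectionLogOptions": {"Enabled": False},
}


def check_client_cidr(client_cidr, *reserved_cidr_groups):
    """Return a list of problems with a proposed client CIDR: prefix outside
    /12../22, or overlap with any CIDR in the given groups. Empty means usable."""
    problems = []
    try:
        net = ipaddress.ip_network(client_cidr, strict=True)
    except ValueError as exc:          # host bits set or malformed
        return [f"{client_cidr}: {exc}"]
    if not 12 <= net.prefixlen <= 22:
        problems.append(f"{client_cidr}: prefix length must be between /12 and /22")
    for group in reserved_cidr_groups:
        for cidr in group:
            if net.overlaps(ipaddress.ip_network(cidr)):
                problems.append(f"{client_cidr} overlaps {cidr}")
    return problems


def audit_client_vpn_endpoint(ep, vpc_cidrs, onprem_cidrs):
    """Return (code, message) findings for one endpoint description."""
    findings = [("CLIENT_CIDR", p)
                for p in check_client_cidr(ep["ClientCidrBlock"], vpc_cidrs, onprem_cidrs)]
    if not ep.get("ConnectionLogOptions", {}).get("Enabled"):
        findings.append(("NO_CONNECTION_LOGS",
                         "connection logging disabled; enable CloudWatch Logs to record who connected when"))
    auth_types = {a["Type"] for a in ep["AuthenticationOptions"]}
    if auth_types == {"certificate-authentication"}:
        findings.append(("CERT_ONLY_AUTH",
                         "mutual TLS only: no user identity, SSO or MFA; add federated-authentication "
                         "(SAML) or directory-service-authentication"))
    if ep.get("SplitTunnel"):
        findings.append(("SPLIT_TUNNEL_INFO",
                         "split tunnel on: client internet traffic bypasses VPC inspection; confirm this matches policy"))
    return findings


if __name__ == "__main__":
    for code, msg in audit_client_vpn_endpoint(SAMPLE_ENDPOINT, VPC_CIDRS, ONPREM_CIDRS):
        print(f"[{code}] {msg}")
```

Run `check_client_cidr` on the candidate range before `create-client-vpn-endpoint`; the overlap finding on the sample shows why the CLI example's 10.100.0.0/22 would be a mistake if on-prem already used 10.100.0.0/16.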
```bash
# Create a Client VPN endpoint with mutual TLS auth, connection logging and
# split tunneling (account ID and certificate IDs are placeholders)
aws ec2 create-client-vpn-endpoint \
  --client-cidr-block 10.100.0.0/22 \
  --server-certificate-arn arn:aws:acm:us-east-1:123:certificate/abc \
  --authentication-options Type=certificate-authentication,MutualAuthentication={ClientRootCertificateChainArn=arn:aws:acm:us-east-1:123:certificate/def} \
  --connection-log-options Enabled=true,CloudwatchLogGroup=/aws/clientvpn \
  --split-tunnel
# The endpoint carries no traffic until a subnet is associated and an authorization rule exists (placeholder IDs and VPC CIDR)
aws ec2 associate-client-vpn-target-network --client-vpn-endpoint-id cvpn-endpoint-EXAMPLE --subnet-id subnet-EXAMPLE
aws ec2 authorize-client-vpn-ingress --client-vpn-endpoint-id cvpn-endpoint-EXAMPLE \
  --target-network-cidr 10.0.0.0/16 --authorize-all-groups
```
VPN Routing: BGP vs Static
| Aspect | Static Routing | Dynamic Routing (BGP) |
|---|---|---|
| Setup | Manually specify on-prem CIDRs in AWS | BGP peer exchanges routes automatically |
| Failover | Manual route updates | Automatic failover between tunnels |
| Scalability | Poor; every new subnet requires manual update | Automatic propagation of new routes |
| Tunnel health awareness | No; traffic may black-hole if tunnel is down | BGP withdraws routes on tunnel failure |
| Route propagation to VPC | Manual route table updates | Automatic once route propagation from the VGW is enabled on the VPC route table (or via TGW route tables) |
| Use case | Simple setups; devices without BGP support | Recommended for all production setups |
With static routing the same static routes apply to both tunnels, so when the active tunnel fails AWS moves traffic to the surviving tunnel on its side. Your on-premises device, however, must detect the failure itself (dead peer detection or tunnel monitoring) and re-route; until it does, traffic from the data center black-holes into the dead tunnel. With BGP the failed tunnel's routes are withdrawn on both sides and failover is automatic.
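The architecture and routing sections above describe what a healthy Site-to-Site connection should look like: both tunnels up, BGP rather than static routes, IKEv2, and inside CIDRs that are /30s in 169.254.0.0/16. The script below, added for this page and not code from the original, turns those into an audit over one connection description shaped like an entry of `aws ec2 describe-vpn-connections` (`VgwTelemetry` for tunnel state, `Options.TunnelOptions` for the negotiated proposals). The sample response is constructed; with boto3 you would pass `ec2.describe_vpn_connections()["VpnConnections"][i]`. The phase 1 checks (IKEv1, SHA1, DH group 2) go slightly beyond the page by flagging legacy proposals that AWS still accepts by default.

```python
"""Audit a Site-to-Site VPN connection from a describe-vpn-connections response."""
import ipaddress

# Constructed sample (example data added for this page, not a real account):
# a TGW-attached BGP connection with tunnel 2 down and legacy IKE proposals
# still permitted on tunnel 2.
SAMPLE_CONNECTION = {
    "VpnConnectionId": "vpn-0example",
    "State": "available",
    "TransitGatewayId": "tgw-0example",
    "Options": {
        "StaticRoutesOnly": False,
        "TunnelOptions": [
            {"OutsideIpAddress": "203.0.113.10", "TunnelInsideCidr": "169.254.10.0/30",
             "IkeVersions": [{"Value": "ikev2"}],
             "Phase1IntegrityAlgorithms": [{"Value": "SHA2-256"}],
             "Phase1DHGroupNumbers": [{"Value": 14}]},
            {"OutsideIpAddress": "203.0.113.11", "TunnelInsideCidr": "169.254.11.0/30",
             "IkeVersions": [{"Value": "ikev1"}, {"Value": "ikev2"}],
             "Phase1IntegrityAlgorithms": [{"Value": "SHA1"}, {"Value": "SHA2-256"}],
             "Phase1DHGroupNumbers": [{"Value": 2}, {"Value": 14}]},
        ],
    },
    "VgwTelemetry": [
        {"OutsideIpAddress": "203.0.113.10", "Status": "UP", "AcceptedRouteCount": 12, "StatusMessage": ""},
        {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN", "AcceptedRouteCount": 0, "StatusMessage": "IPSEC IS DOWN"},
    ],
}

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def tunnel_inside_cidr_ok(cidr):
    """Inside tunnel CIDR must be a /30 within 169.254.0.0/16."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen == 30 and net.subnet_of(LINK_LOCAL)


def audit_site_to_site(conn):
    """Return (code, message) findings for one connection; empty list means healthy."""
    findings = []
    opts = conn["Options"]
    static = bool(opts.get("StaticRoutesOnly"))
    # Tunnel health: a DOWN tunnel means the connection runs with no redundancy;
    # an UP BGP tunnel with zero accepted routes means peering never came up.
    for t in conn.get("VgwTelemetry", []):
        if t["Status"] != "UP":
            findings.append(("TUNNEL_DOWN", f"{t['OutsideIpAddress']} is {t['Status']} "
                             f"({t['StatusMessage'] or 'no message'}); traffic depends on one tunnel"))
        elif not static and t["AcceptedRouteCount"] == 0:
            findings.append(("BGP_NO_ROUTES", f"{t['OutsideIpAddress']} is UP but accepted 0 BGP routes"))
    if static:
        findings.append(("STATIC_ROUTING", "static routes: no BGP withdrawal on failure; CGW must detect tunnel loss itself"))
    if "TransitGatewayId" not in conn:
        findings.append(("VGW_TERMINATION", "terminates on a VGW: only one tunnel active; ECMP needs a Transit Gateway"))
    # Negotiated proposals per tunnel: anything listed here is accepted from the CGW.
    for i, t in enumerate(opts["TunnelOptions"], start=1):
        if "ikev1" in {v["Value"] for v in t.get("IkeVersions", [])}:
            findings.append(("IKEV1_ALLOWED", f"tunnel {i}: IKEv1 accepted; restrict to IKEv2"))
        if "SHA1" in {v["Value"] for v in t.get("Phase1IntegrityAlgorithms", [])}:
            findings.append(("WEAK_INTEGRITY", f"tunnel {i}: SHA1 accepted for phase 1 integrity"))
        if 2 in {v["Value"] for v in t.get("Phase1DHGroupNumbers", [])}:
            findings.append(("WEAK_DH", f"tunnel {i}: DH group 2 (1024-bit MODP) accepted"))
        if not tunnel_inside_cidr_ok(t["TunnelInsideCidr"]):
            findings.append(("BAD_INSIDE_CIDR", f"tunnel {i}: {t['TunnelInsideCidr']} is not a /30 in 169.254.0.0/16"))
    return findings


if __name__ == "__main__":
    for code, msg in audit_site_to_site(SAMPLE_CONNECTION):
        print(f"[{code}] {msg}")
```

The proposal findings are fixed on the AWS side with `modify-vpn-tunnel-options` (restrict `IKEVersions`, `Phase1IntegrityAlgorithms` and `Phase1DHGroupNumbers` to what your CGW actually needs); the telemetry findings point at the on-prem device or its BGP configuration.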
VPN Pricing
| Component | Site-to-Site VPN | Client VPN |
|---|---|---|
| Connection/endpoint fee | $0.05/hr per connection (~$36.50/month at 730 hours) | $0.10/hr per associated subnet (one per AZ) |
| Data transfer (outbound) | $0.09/GB (standard AWS rates) | $0.09/GB (standard AWS rates) |
| Active connections | Charged per VPN connection, not per tunnel | $0.05/hr per client connection |
| Accelerated VPN (Global Accelerator) | +$0.025/hr + data premium | Not available for Client VPN |
Accelerated Site-to-Site VPN routes your tunnels through Global Accelerator, so IPsec traffic enters the AWS network at the nearest edge location instead of crossing the public internet all the way to the region, which gives more consistent latency and fewer drops. It is supported only for connections attached to a Transit Gateway (not a VGW), and acceleration cannot be toggled on an existing connection; you create a new one with it enabled. The additional cost is the Global Accelerator hourly fee and data transfer premium on top of the standard VPN fee.
Interview Focus Points
1. Explain the two-tunnel architecture of Site-to-Site VPN. How do you achieve active/active throughput?
2. When would you choose Site-to-Site VPN over Direct Connect? What are the trade-offs?
3. How does BGP routing improve Site-to-Site VPN reliability compared to static routing?
4. Walk through the components needed to set up a VPN from an on-premises data center to a VPC.
5. What is split tunneling in Client VPN and when would you enable or disable it?
6. How does Accelerated VPN differ from standard Site-to-Site VPN?
7. How do you achieve redundancy if a single VPN tunnel provides 1.25 Gbps but you need more bandwidth?
8. What authentication methods does AWS Client VPN support? How would you integrate with corporate SSO?