VPC Virtual Private Networks (VPNs) provide a software-based secure connection between a VPC and on-premises networks.


  • Your organization requires secure communications
  • Lesser need for dedicated throughput (e.g. AWS Direct Connect) VPN transits public Internet


  • A customer gateway (CGW) — initiates the VPN connection. Configuration for on-premises router VPN connection (using one or two IPsec tunnels)
  • Virtual private gateway (VGW) – One per VPC – used with IPsec and AWS Direct Connect
  • VPN connection (two IPsec tunnels)

Best Practice and HA

  • Deploy VPN using standard AWS VPN components (VPN gateway, customer gateway, VPN connection)
  • Can also use custom VPN solutions if required (software VPN on AWS Marketplace)
  • Ensure VPC networking (subnets, security groups, NACLs) is secure
  • Use dynamic VPNs (uses BGP) where possible
  • Connect both tunnels to your CGW — VPC VPN is HA by design
  • Where possible, use two VPN connections and two CGWs