AWS Site-to-Site VPN Setup

February 13, 2026 | AWS VPN IPsec

End-to-end VPN with dual tunnels.

AWS Site-to-Site VPN: Complete Setup Guide

AWS Site-to-Site VPN builds encrypted IPsec tunnels between your on-premises network and your AWS VPC (or, when it terminates on a Transit Gateway, many VPCs). The tunnels cross the public internet, but the traffic inside them is encrypted and your VPC resources stay on private addresses, so this is the usual starting point for hybrid connectivity before committing to Direct Connect.

Architecture Overview

A Site-to-Site VPN connection consists of:

  • Virtual Private Gateway (VGW) — The AWS side of the tunnels, attached to a single VPC (a Transit Gateway takes this role when several VPCs need to share the connection)
  • Customer Gateway (CGW) — An AWS object describing your on-premises VPN device: its public IP and, for dynamic routing, its BGP ASN
  • Two IPsec tunnels — AWS always provisions two, each terminating on a separate AWS endpoint with its own public IP, so maintenance or failure of one endpoint does not take down the connection

Step-by-Step Setup

1. Create a Customer Gateway

aws ec2 create-customer-gateway \
  --type ipsec.1 \
  --public-ip 203.0.113.1 \
  --bgp-asn 65000 \
  --tag-specifications 'ResourceType=customer-gateway,Tags=[{Key=Name,Value=office-cgw}]'

2. Create a Virtual Private Gateway

aws ec2 create-vpn-gateway \
  --type ipsec.1 \
  --amazon-side-asn 64512 \
  --tag-specifications 'ResourceType=vpn-gateway,Tags=[{Key=Name,Value=prod-vgw}]'

# Attach to VPC
aws ec2 attach-vpn-gateway --vpn-gateway-id vgw-xxx --vpc-id vpc-xxx

3. Create the VPN Connection

# StaticRoutesOnly:false selects dynamic (BGP) routing. With no TunnelOptions
# given, AWS generates both pre-shared keys and offers every proposal it
# supports, including IKEv1, SHA1 and DH group 2; pass TunnelOptions to
# restrict them.
aws ec2 create-vpn-connection \
  --type ipsec.1 \
  --customer-gateway-id cgw-xxx \
  --vpn-gateway-id vgw-xxx \
  --options '{"StaticRoutesOnly":false}' \
  --tag-specifications 'ResourceType=vpn-connection,Tags=[{Key=Name,Value=office-to-aws}]'

4. Download Configuration

aws ec2 describe-vpn-connections --vpn-connection-ids vpn-xxx \
  --query 'VpnConnections[0].CustomerGatewayConfiguration' --output text

This prints the generic configuration for your on-premises device as XML: both tunnels' outside IPs, their 169.254.x.x/30 inside addresses, the IKE and IPsec proposals, the BGP neighbour settings and the pre-shared keys. The PSKs are in plaintext, so treat the output as a secret: feed it straight into your device configuration workflow rather than into a ticket, chat message or repository, and restrict ec2:DescribeVpnConnections to the roles that actually need it, because that single permission is enough to read the keys. For a vendor-specific template (Cisco, Juniper, Fortinet, strongSwan and others), look up the device ID with get-vpn-connection-device-types and render it with get-vpn-connection-device-sample-configuration.
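The create-vpn-connection call above accepts AWS's defaults, which propose every supported algorithm (IKEv1, SHA1 and DH group 2 included) and let AWS generate the PSKs. The Python below is added here as an example and is not Eazy SaaS or AWS code: it builds a TunnelOptions document that restricts negotiation to IKEv2 with AES-256, SHA-2 and 2048-bit or elliptic-curve DH groups, audits an existing connection's describe-vpn-connections output for the weak proposals, and redacts the PSK before anything is logged. The tunnel inside CIDRs, the VPN ID and the sample describe output are constructed for the example; request keys follow the CreateVpnConnection API, and the audit tolerates the different spelling (IkeVersions) the describe output uses.

```python
"""Hardened tunnel options for `aws ec2 create-vpn-connection --options`,
plus an audit of an existing connection's proposals.  Added example, not
Eazy SaaS or AWS code; the describe-vpn-connections sample is constructed
by hand and only mirrors the shape of the real output."""
import json
import sys

# Proposals AWS still offers by default that a new deployment should refuse:
# IKEv1, SHA1 integrity and 1024-bit MODP (DH group 2).
WEAK_IKE = {"ikev1"}
WEAK_INTEGRITY = {"SHA1"}
WEAK_DH_GROUPS = {2}
STRONG_DH_GROUPS = (14, 19, 20, 21)   # 2048-bit MODP and the ECP groups


def hardened_tunnel(inside_cidr):
    """One TunnelOptions entry limited to IKEv2, AES-256 and SHA-2.  No
    PreSharedKey is set, so AWS generates a random one instead of a value
    that would otherwise sit in shell history."""
    return {
        "TunnelInsideCidr": inside_cidr,
        "IKEVersions": [{"Value": "ikev2"}],
        "Phase1EncryptionAlgorithms": [{"Value": "AES256-GCM-16"}, {"Value": "AES256"}],
        "Phase2EncryptionAlgorithms": [{"Value": "AES256-GCM-16"}, {"Value": "AES256"}],
        "Phase1IntegrityAlgorithms": [{"Value": "SHA2-256"}, {"Value": "SHA2-384"}],
        "Phase2IntegrityAlgorithms": [{"Value": "SHA2-256"}, {"Value": "SHA2-384"}],
        "Phase1DHGroupNumbers": [{"Value": g} for g in STRONG_DH_GROUPS],
        "Phase2DHGroupNumbers": [{"Value": g} for g in STRONG_DH_GROUPS],
        "DPDTimeoutSeconds": 30,
        "DPDTimeoutAction": "restart",
    }


def build_create_options(inside_cidrs=("169.254.10.0/30", "169.254.11.0/30")):
    """Document for --options: BGP routing and two hardened tunnels.  The
    inside CIDRs are /30s in 169.254.0.0/16 assumed free for this example."""
    return {"StaticRoutesOnly": False,
            "TunnelOptions": [hardened_tunnel(c) for c in inside_cidrs]}


def cli_options_argument():
    """Compact JSON to paste after --options."""
    return json.dumps(build_create_options(), separators=(",", ":"))


def _values(tunnel, *keys):
    """Set of Value fields under the first key present; the describe output
    spells some keys differently from the request (IkeVersions)."""
    for key in keys:
        if key in tunnel:
            return {item["Value"] for item in tunnel[key]}
    return set()


def audit_vpn_connection(vpn):
    """Findings for one VpnConnections[] element; an empty list is clean."""
    findings = []
    tunnels = vpn.get("Options", {}).get("TunnelOptions", [])
    if not tunnels:
        return ["no TunnelOptions in output; proposals cannot be verified"]
    for i, t in enumerate(tunnels, start=1):
        if _values(t, "IkeVersions", "IKEVersions") & WEAK_IKE:
            findings.append(f"tunnel {i}: IKEv1 is still offered")
        for phase in ("Phase1", "Phase2"):
            if _values(t, f"{phase}IntegrityAlgorithms") & WEAK_INTEGRITY:
                findings.append(f"tunnel {i}: {phase} accepts SHA1")
            if _values(t, f"{phase}DHGroupNumbers") & WEAK_DH_GROUPS:
                findings.append(f"tunnel {i}: {phase} accepts DH group 2")
    return findings


def redact_secrets(vpn):
    """Copy that is safe to log: the device configuration blob and every
    tunnel's PreSharedKey both carry the PSK in plaintext."""
    safe = json.loads(json.dumps(vpn))
    safe.pop("CustomerGatewayConfiguration", None)
    for t in safe.get("Options", {}).get("TunnelOptions", []):
        if "PreSharedKey" in t:
            t["PreSharedKey"] = "<redacted>"
    return safe


# Constructed sample: one tunnel of a connection created with AWS defaults.
SAMPLE_DEFAULT_VPN = {
    "VpnConnectionId": "vpn-example",
    "CustomerGatewayConfiguration": "<vpn_connection>...</vpn_connection>",
    "Options": {"StaticRoutesOnly": False, "TunnelOptions": [{
        "OutsideIpAddress": "198.51.100.10",
        "PreSharedKey": "not-a-real-key",
        "IkeVersions": [{"Value": "ikev1"}, {"Value": "ikev2"}],
        "Phase1IntegrityAlgorithms": [{"Value": "SHA1"}, {"Value": "SHA2-256"}],
        "Phase2IntegrityAlgorithms": [{"Value": "SHA1"}, {"Value": "SHA2-256"}],
        "Phase1DHGroupNumbers": [{"Value": 2}, {"Value": 14}],
        "Phase2DHGroupNumbers": [{"Value": 2}, {"Value": 14}],
    }]},
}

if __name__ == "__main__":
    if sys.argv[1:] == ["audit"]:   # describe-vpn-connections JSON on stdin
        for vpn in json.load(sys.stdin)["VpnConnections"]:
            print(vpn["VpnConnectionId"], audit_vpn_connection(vpn) or "OK")
    else:
        print(cli_options_argument())
```

Run it with no arguments to get the string for `--options "$(python3 vpn_options.py)"` on the create command, or pipe `aws ec2 describe-vpn-connections --vpn-connection-ids vpn-xxx` into `python3 vpn_options.py audit` to check a connection that already exists. Restricting the proposals on the AWS side is what makes the restriction enforceable: a device that is later misconfigured to offer only SHA1 or DH group 2 fails to negotiate instead of silently downgrading.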

Route Propagation

Enable route propagation on your VPC route tables so they automatically learn the on-premises prefixes your device advertises over BGP. Propagated routes are added as dynamic entries; a static route you added by hand for the same prefix takes precedence, so check for stale static entries if an on-premises prefix stays unreachable after propagation is on:

aws ec2 enable-vgw-route-propagation \
  --route-table-id rtb-xxx \
  --gateway-id vgw-xxx

Dual Tunnel Configuration

AWS provisions two tunnels for redundancy and treats them as equals; there is no AWS-side primary and standby. Configure both on your on-premises device and keep both up:

  • Tunnel 1 — Terminates on one AWS endpoint and carries traffic as long as its IPsec SA and BGP session are up
  • Tunnel 2 — Terminates on a second AWS endpoint and carries traffic whenever Tunnel 1 cannot. For traffic from AWS to on-premises through a VGW, AWS chooses one of the up tunnels itself, so Tunnel 2 only behaves as a standby if you make it one with BGP attributes (AS PATH prepending or MED) from your side

With BGP, failover is automatic once the failed tunnel's session times out: AWS's default BGP hold time and DPD timeout are both 30 seconds, so expect a gap on the order of 30-60 seconds unless you tune the timers on both sides. With static routing there is no session to time out, so you need your device's own tunnel monitoring (IKE dead peer detection plus a health check to the tunnel's inside address) and scripted failover of the static routes. Devices that can hold only one tunnel up at a time (typically policy-based ones) force AWS to notice the down tunnel before every failover, which is a reason to prefer a route-based device that keeps both established.

Performance Considerations

  • Bandwidth: Up to 1.25 Gbps per tunnel. A VGW sends AWS-originated traffic down one tunnel at a time, so 1.25 Gbps is also the ceiling for the connection; ECMP across tunnels and across multiple VPN connections is only available when the VPN terminates on a Transit Gateway
  • Latency: Depends on the internet path between your device and the AWS endpoints; there is no latency SLA, so measure it, and consider Accelerated Site-to-Site VPN (which also requires a Transit Gateway) if the path is poor
  • MTU: Around 1400 bytes rather than 1500 because of ESP and outer-IP overhead; the exact value depends on the cipher suite and AWS publishes MTU and MSS figures per suite in the Site-to-Site VPN quotas documentation. Clamp TCP MSS on the tunnel interfaces so TCP never depends on fragmentation or on Path MTU Discovery, which ICMP filtering often breaks

Monitoring

# Check tunnel status
aws ec2 describe-vpn-connections --vpn-connection-ids vpn-xxx \
  --query 'VpnConnections[0].VgwTelemetry'

Set up CloudWatch alarms on the TunnelState metric (namespace AWS/VPN, value 1 when a tunnel is up and 0 when it is down). Alarm on each tunnel separately using the TunnelIpAddress dimension, or aggregate on VpnId with the Minimum statistic, so that a single tunnel failure pages someone even though the connection is still passing traffic; an alarm on the Maximum only fires once both tunnels are down.
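VgwTelemetry reports two different things per tunnel: Status is the state of the IPsec security association, and AcceptedRouteCount is the number of prefixes AWS has accepted from your BGP speaker over that tunnel. A tunnel that is UP with zero accepted routes on a BGP connection cannot take over traffic, which is the failure mode that quietly turns the dual-tunnel design above into a single point of failure. The Python below is added here as an example and is not Eazy SaaS or AWS code: it classifies each tunnel from describe-vpn-connections output and rates the connection healthy, degraded or down. The telemetry records, status messages and VPN ID are constructed for the example and only mirror the shape of the real output.

```python
"""Rate a Site-to-Site VPN connection from describe-vpn-connections output.
Added example, not Eazy SaaS or AWS code.  The VgwTelemetry records below
are constructed by hand to mirror the shape of the real output."""
import json
import sys

RANK = {"healthy": 0, "degraded": 1, "down": 2}   # doubles as the exit code


def tunnel_health(entry, bgp=True):
    """Classify one VgwTelemetry[] entry.

    Status covers only the IPsec SA.  On a BGP connection a tunnel that is
    UP but has accepted no routes is not usable for failover: IPsec is up
    but the BGP session is down or your device advertises nothing on it.
    Static connections have no BGP session, so only Status is checked."""
    if entry.get("Status") != "UP":
        return "down"
    if bgp and entry.get("AcceptedRouteCount", 0) == 0:
        return "no-routes"
    return "up"


def evaluate(vpn):
    """Return {'overall', 'tunnels', 'failover_ready'} for one
    VpnConnections[] element.  healthy needs both tunnels up and routed;
    degraded means traffic still flows but one more failure ends that."""
    bgp = not vpn.get("Options", {}).get("StaticRoutesOnly", False)
    tunnels = {t["OutsideIpAddress"]: tunnel_health(t, bgp)
               for t in vpn.get("VgwTelemetry", [])}
    up = sum(1 for state in tunnels.values() if state == "up")
    if up >= 2 and up == len(tunnels):
        overall = "healthy"
    elif up == 0:
        overall = "down"
    else:
        overall = "degraded"
    return {"overall": overall, "tunnels": tunnels, "failover_ready": up >= 2}


def _telemetry(ip, status, routes, message=""):
    """Constructed VgwTelemetry record in the real output's shape."""
    return {"OutsideIpAddress": ip, "Status": status, "StatusMessage": message,
            "AcceptedRouteCount": routes,
            "LastStatusChange": "2026-02-13T09:00:00+00:00"}


def _vpn(*telemetry, static_only=False):
    """Constructed VpnConnections[] element with just the fields used here."""
    return {"VpnConnectionId": "vpn-example",
            "Options": {"StaticRoutesOnly": static_only},
            "VgwTelemetry": list(telemetry)}


# Constructed samples: both tunnels fine; one IPsec tunnel down; one tunnel
# up at the IPsec layer but carrying no BGP routes; both tunnels down; a
# static connection, where zero accepted routes is not a fault.
SAMPLE_HEALTHY = _vpn(_telemetry("198.51.100.10", "UP", 3),
                      _telemetry("198.51.100.20", "UP", 3))
SAMPLE_ONE_DOWN = _vpn(_telemetry("198.51.100.10", "UP", 3),
                       _telemetry("198.51.100.20", "DOWN", 0, "IPSEC IS DOWN"))
SAMPLE_NO_BGP = _vpn(_telemetry("198.51.100.10", "UP", 3),
                     _telemetry("198.51.100.20", "UP", 0))
SAMPLE_BOTH_DOWN = _vpn(_telemetry("198.51.100.10", "DOWN", 0, "IPSEC IS DOWN"),
                        _telemetry("198.51.100.20", "DOWN", 0, "IPSEC IS DOWN"))
SAMPLE_STATIC = _vpn(_telemetry("198.51.100.10", "UP", 0),
                     _telemetry("198.51.100.20", "UP", 0), static_only=True)


def main():
    """Read describe-vpn-connections JSON on stdin; exit code is the worst RANK."""
    worst = "healthy"
    for vpn in json.load(sys.stdin)["VpnConnections"]:
        result = evaluate(vpn)
        print(vpn.get("VpnConnectionId"), json.dumps(result))
        if RANK[result["overall"]] > RANK[worst]:
            worst = result["overall"]
    return RANK[worst]


if __name__ == "__main__":
    sys.exit(main())
```

Pipe the real output in (`aws ec2 describe-vpn-connections --vpn-connection-ids vpn-xxx | python3 vpn_health.py`) from a cron job or a scheduled Lambda and alert on a non-zero exit code. A degraded result is the one worth paging on: users notice nothing, but the connection is one failure away from an outage, and the no-routes case in particular never shows up on a TunnelState alarm because the IPsec tunnel is up.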

Eazy SaaS Tip: We always configure both VPN tunnels as active (not active-standby) with BGP for automatic failover. For clients needing more than 1.25 Gbps, we design Transit Gateway with multiple VPN connections or Direct Connect.