What is AWS VPN, and how does it work?

Illustration of the letters VPN surrounded by people, devices and padlocks
(Image credit: Shutterstock)

Amazon Web Services (AWS) offers Site-to-Site and client VPN services. Client VPN is a form of remote VPN service, while Site-to-Site is a form of cloud VPN. Confused? Read our comparison piece Remote VPN vs cloud VPN for a refresher on these two VPN types.

AWS VPN encrypts network communications, making it harder for hackers to access sensitive emails, customer information, and other confidential data. In this article, we’ll explore the use cases for Site-to-Site and client VPN, and discuss unique features, pricing, and support options.

Perimeter 81 is the best business VPN

<a href="https://www.perimeter81.com/pricing?a_aid=2380&a_bid=8eeb4ac9&chan=code2" data-link-merchant="perimeter81.com"">Perimeter 81 is the best business VPN

Save 250+ yearly hours on manual configuration. Deploy your entire organization within a single day. Learn why Perimeter 81 is TechRadar's choice for the best Business VPN. Ditch legacy hardware and make the move to the cloud. See how simple it is for yourself.

Do I need Site-to-Site or client VPN?

In a business context, AWS Client VPN creates temporary, secure communication tunnels between your corporate server and your employees’ devices. The tunnels are temporary, since they disappear when an employee logs off, and reappear when they log back on. With client VPN, when an employee logs on to the company network from home, or pulls it up on their mobile device, any information exchanged between the employee’s device and your corporate network is secure.

You can use AWS Site-to-Site VPN to encrypt communication between two or more large corporate networks, such as a satellite office and head office. Site-to-Site VPN creates a permanent, high-capacity secure tunnel where an Amazon VPN gateway encrypts all communication. These permanent tunnels are more costly than the temporary ones set up by client VPN, but they transfer large volumes of data more efficiently.

Which product makes sense for you depends on your VPN needs. To secure internal communication between multiple, geographically distant networks, you need Site-to-Site VPN. If you require secure remote access for employees, you will need client VPN. It’s not uncommon for businesses to use both.

Why choose AWS VPN?

There are many cloud and remote VPN solutions, such as Perimeter 81 and NordLayer, so let’s look at what makes AWS VPN stand out. If you want to learn more about these providers, see our Perimeter 81 Review and NordLayer Review

On the remote VPN side, AWS VPN provides a unique, cloud-based model. Typically, you must install a VPN client on your corporate server to set up remote VPN. The remote VPN relies on the computing power of your server, and of your employees’ devices, to help encrypt communications. This can cause slowdowns in your system, and places an upper limit on the number of remote employees you can have logged on at any one time.

With AWS Client VPN, there’s no client to install. Instead, everything remains in Amazon’s cloud, significantly reducing the computation strain on your system. This translates to a faster system with fewer slowdowns and crashes for remote employees.

AWS Site-to-Site VPN’s main advantage is integration with other AWS services. Firstly, being an AWS service, it benefits from the AWS Global Accelerator. This accelerates your system’s performance by up to 60%, which is particularly noticeable for long-range communications. You can also control and troubleshoot your Site-to-Site VPN connection directly from your AWS management console.

Regardless of which VPN you choose, your data is secure. AWS VPN products use AES-256-bit encryption, the same standard used by the US government and military.

How much does AWS VPN cost?

Client VPN and Site-to-Site VPN follow different pricing models. The pricing system for both products is straightforward compared to competing brands. There are no pricing tiers, and no limit to the number of connected users.

Client VPN has two charges: $0.10 per hour for an endpoint association, and $0.05 per client per hour for client (employee) connections. To begin, you create an endpoint and associate subnets, or IP addresses, with it. This is all a bit technical, so to keep things simple, think of the endpoint as your corporate network. Remote employees will connect to this endpoint to access their apps for work. The endpoint is always active, and the base rate for one endpoint is $0.10 per hour.

When employees connect to the VPN to begin working, AWS Cloud VPN will bill you $0.05 per client per hour. So, if 10 employees connect and work for an hour, your total cost for that hour will be:

$0.05 x 10 = $0.50

Endpoint = $0.10

Total = $0.50 + $0.10 = $0.60

Pricing is simple and consistent, whether you’re a small business with a few remote workers or a major corporation employing thousands of people.

Note that the above values used data from AWS US East (Ohio), which covers connections in the entire Eastern US. A quick check of other regions indicated that pricing is similar anywhere in the world at the time of writing, but regional pricing is subject to change at any time.

Billing for Site-to-Site VPN is a little different. There are two fees: A connection fee for every Site-to-Site connection, and a data transfer fee. The connection fee for US East (Ohio) is $0.05/hour, and fees vary by region. Transferring the first 100GB of data is free. Subsequently, data transfer follows an on-demand pricing model. The higher the demand for Amazon’s services in that hour, the more expensive the data transfer will be. Transferring data during off-hours is therefore cheaper. You can check the current on-demand pricing for all regions on Amazon’s EC2 On-Demand Pricing page.

For both client and Site-to-Site VPN, AWS billing is monthly and is drawn on the 1st of each month.

What customer support does AWS VPN offer?

Amazon AWS requires a high degree of technical knowledge to set up and run. Although its solutions are often simpler than competing products from a technical standpoint, there is little built-in support. You will need to purchase one of Amazon’s Premium Support Packages or hire an in-house AWS specialist. The best option will depend on your own technical experience with AWS, and your budget. Note that AWS support isn’t limited to AWS VPN, and provides support for all products in the AWS suite.


Implementing any of Amazon’s IaaS (infrastructure as a service) solutions can be a complex but rewarding task, and AWS VPN is no exception. Amazon has two business VPN products: AWS Client VPN, which allows employees to securely connect to your company server when working remotely, and AWS Site-to-Site VPN, which enables two geographically distant corporate networks to communicate securely with each other. 

Both systems use military grade encryption to conceal data, and use scalable, per-hour pricing without complex price tiers. If you need a powerful, flexible IaaS VPN, consider AWS. To learn more about business VPN, see our list of the best business VPNs, and our picks for the best VPN service overall.

Serguei holds degrees in finance and marketing from York University, and brings more than five years of professional experience at their intersection to his writing. His previous roles as a finance advisor involved breaking down and explaining complex concepts in everyday terms, a talent he now brings to his work as a freelance writer.