While both AWS Site-to-Site VPN and Client VPN serve the purpose of secure connectivity, they operate at different network layers and serve distinct use cases:
- Site-to-Site VPN uses IPSec (Layer 3) to connect entire networks (e.g., corporate office to AWS VPC)
- Client VPN uses TLS (Application Layer) to connect individual devices to AWS resources
The protocol difference leads to several technical implications:
```bash
# Site-to-Site VPN configuration example (IPSec)
aws ec2 create-vpn-connection \
  --type ipsec.1 \
  --customer-gateway-id cgw-123456 \
  --vpn-gateway-id vgw-123456 \
  --options "{\"StaticRoutesOnly\":true}"
```
```bash
# Client VPN configuration example (TLS, mutual certificate authentication)
# certificate-authentication takes a client root CA chain, not a directory ARN.
# For Active Directory authentication use instead:
#   Type=directory-service-authentication,ActiveDirectory={DirectoryId=d-1234567890}
# Connection logging is disabled here for brevity; enable it with a CloudWatch
# log group in production (see the Client VPN recommendations below).
aws ec2 create-client-vpn-endpoint \
  --client-cidr-block 10.0.0.0/22 \
  --server-certificate-arn arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012 \
  --authentication-options "Type=certificate-authentication,MutualAuthentication={ClientRootCertificateChainArn=arn:aws:acm:us-east-1:123456789012:certificate/<CLIENT-ROOT-CA-CERT-ID>}" \
  --connection-log-options "Enabled=false" \
  --dns-servers "10.0.0.2" \
  --transport-protocol tcp
```
Site-to-Site VPN is ideal for:
- Connecting entire corporate networks to AWS
- Hybrid cloud architectures requiring persistent connections
- High-throughput scenarios (supports up to 1.25 Gbps per tunnel)
Client VPN is better suited for:
- Remote worker access to AWS resources
- Temporary access scenarios
- Mobile workforce requirements
- When you need granular access control per user/device
While both options are secure, they have different security models:
```python
# Example: Verifying VPN connection status (Python boto3)
import boto3


def check_vpn_status():
    ec2 = boto3.client('ec2')
    # For Site-to-Site VPN: each connection reports per-tunnel telemetry (UP/DOWN)
    site_vpns = ec2.describe_vpn_connections()
    for conn in site_vpns['VpnConnections']:
        for tunnel in conn.get('VgwTelemetry', []):
            print("Site-to-Site VPN:", conn['VpnConnectionId'],
                  tunnel['OutsideIpAddress'], tunnel['Status'])
    # For Client VPN: the endpoint lifecycle state (pending-associate, available, ...)
    client_vpns = ec2.describe_client_vpn_endpoints()
    for endpoint in client_vpns['ClientVpnEndpoints']:
        print("Client VPN:", endpoint['ClientVpnEndpointId'], endpoint['Status']['Code'])


if __name__ == '__main__':
    check_vpn_status()
```
| Metric | Site-to-Site VPN | Client VPN |
|---|---|---|
| Maximum Throughput | 1.25 Gbps per tunnel | 100-200 Mbps per endpoint |
| Latency | Lower (direct IPSec) | Higher (TLS overhead) |
| Connection Persistence | Always-on | On-demand |
For Site-to-Site VPN:
- Use BGP routing for dynamic path selection
- Implement multiple tunnels for redundancy
- Monitor tunnel status with CloudWatch metrics
For Client VPN:
- Use certificate-based authentication
- Implement proper authorization rules
- Enable connection logging for audit purposes
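As an added example (not code from the original post), the checks in the two lists above can be automated over the boto3 `describe_vpn_connections` and `describe_client_vpn_endpoints` responses; the functions take the response dicts directly, and the sample data below is constructed rather than captured from a real account:

```python
# Added example (not from the original page): audit the describe_* responses
# for the items above: tunnel redundancy/status and Client VPN logging/auth.
# Dict shapes follow boto3's EC2 responses; the sample data is constructed.

def audit_site_to_site(resp):
    """Flag Site-to-Site connections lacking redundancy or with tunnels not UP."""
    findings = []
    for conn in resp.get("VpnConnections", []):
        cid = conn["VpnConnectionId"]
        tunnels = conn.get("VgwTelemetry", [])
        if len(tunnels) < 2:
            findings.append(f"{cid}: only {len(tunnels)} tunnel(s) reported, no redundancy")
        for t in tunnels:
            if t.get("Status") != "UP":
                findings.append(f"{cid}: tunnel {t.get('OutsideIpAddress')} is {t.get('Status')}")
        if tunnels and not any(t.get("Status") == "UP" for t in tunnels):
            findings.append(f"{cid}: no tunnel is UP, connection is down")
    return findings


def audit_client_vpn(resp):
    """Flag Client VPN endpoints without connection logging or mutual TLS auth."""
    findings = []
    for ep in resp.get("ClientVpnEndpoints", []):
        eid = ep["ClientVpnEndpointId"]
        if not ep.get("ConnectionLogOptions", {}).get("Enabled"):
            findings.append(f"{eid}: connection logging disabled")
        types = {a.get("Type") for a in ep.get("AuthenticationOptions", [])}
        if "certificate-authentication" not in types:
            findings.append(f"{eid}: no certificate-based (mutual TLS) authentication")
    return findings


# Constructed sample responses (not captured from a real account).
SAMPLE_S2S = {"VpnConnections": [{
    "VpnConnectionId": "vpn-0example1",
    "VgwTelemetry": [{"OutsideIpAddress": "203.0.113.10", "Status": "UP"},
                     {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN"}]}]}
SAMPLE_CVPN = {"ClientVpnEndpoints": [{
    "ClientVpnEndpointId": "cvpn-endpoint-0example",
    "Status": {"Code": "available"},
    "AuthenticationOptions": [{"Type": "directory-service-authentication"}],
    "ConnectionLogOptions": {"Enabled": False}}]}
```

Against a live account, pass `ec2.describe_vpn_connections()` and `ec2.describe_client_vpn_endpoints()` results into the same two functions.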
```hcl
# Terraform example for both VPN types
resource "aws_vpn_connection" "site_to_site" {
  vpn_gateway_id      = aws_vpn_gateway.vpn_gw.id
  customer_gateway_id = aws_customer_gateway.customer_gw.id
  type                = "ipsec.1"
  static_routes_only  = true
}

resource "aws_ec2_client_vpn_endpoint" "client_vpn" {
  description            = "Client VPN Access"
  server_certificate_arn = aws_acm_certificate.client_cert.arn
  client_cidr_block      = "10.0.0.0/22"

  # Mutual TLS: clients must present a certificate chaining to this root CA
  authentication_options {
    type                       = "certificate-authentication"
    root_certificate_chain_arn = aws_acm_certificate.root_cert.arn
  }

  # Disabled here for brevity; set enabled = true with a cloudwatch_log_group
  # in production to get the audit trail recommended above
  connection_log_options {
    enabled = false
  }
}
```
Site-to-Site VPN pricing is based on:
- Connection hours
- Data transfer out of AWS
Client VPN pricing includes:
- Endpoint association hours
- Active client connections
- Data transfer
Generally, Client VPN has higher operational costs for large-scale deployments due to per-client licensing.
At its core, the fundamental distinction lies in the networking layers they operate on:
- Site-to-Site VPN: Establishes IPSec tunnels at Layer 3 (Network Layer) between your on-premises network and AWS VPC. Example configuration in CloudFormation:

```yaml
Resources:
  VPNConnection:
    Type: AWS::EC2::VPNConnection
    Properties:
      Type: ipsec.1
      CustomerGatewayId: !Ref CustomerGateway
      VpnGatewayId: !Ref VPNGateway
      StaticRoutesOnly: true
```

- Client VPN: Uses TLS at Layer 7 (Application Layer) for individual device connections. Terraform example for endpoint setup:

```hcl
resource "aws_ec2_client_vpn_endpoint" "main" {
  server_certificate_arn = aws_acm_certificate.server.arn
  client_cidr_block      = "10.2.0.0/16"
  vpc_id                 = aws_vpc.main.id
  security_group_ids     = [aws_security_group.client_vpn.id]

  authentication_options {
    type                       = "certificate-authentication"
    root_certificate_chain_arn = aws_acm_certificate.root.arn
  }

  # Logging is off in this minimal example; enable it for production audit trails
  connection_log_options {
    enabled = false
  }
}
```
The choice between these VPN types impacts several architectural aspects:
- Network Topology: Site-to-Site connects entire networks (e.g., branch office to AWS), while Client VPN connects individual devices (developers' laptops)
- Routing Complexity: Site-to-Site requires BGP or static routing configuration
- Authentication Methods: Client VPN supports Active Directory integration and certificate-based auth
Based on AWS Performance Lab tests:
| Metric | Site-to-Site VPN | Client VPN |
|---|---|---|
| Max Throughput | 1.25 Gbps | 300 Mbps |
| Connection Setup Time | 15-30 seconds | 2-5 seconds |
| Max Connections | 50 tunnels per VGW | 2000 concurrent users |
Choose Site-to-Site VPN when:
- Migrating legacy applications that require layer 3 connectivity
- Needing persistent connections between data centers and AWS
- Requiring compatibility with existing IPSec hardware
Choose Client VPN when:
- Providing secure remote access for distributed teams
- Needing granular user-level access controls
- Working with containerized applications where TLS termination is standard
Both services support encryption, but with different implementations:
Sample IAM policy for VPN access control (restricts who may create Client VPN endpoints and routes to callers from a given source range):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateClientVpnEndpoint",
        "ec2:CreateClientVpnRoute"
      ],
      "Resource": "*",
      "Condition": {
        "IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}
      }
    }
  ]
}
```
Client VPN provides additional security features like:
- Per-user authentication logging
- Session timeout controls
- Client-side certificate revocation