AWS SitetoSite VPN: Avoiding 1.25 Gbps Limits


Five distinct AWS VPN options now exist, forcing architects to choose between 1.25 Gbps limits and new 5 Gbps tunnels.

Pick the wrong AWS VPN solution and you waste capital on idle bandwidth or hit a hard wall that demands an expensive rebuild. The November 2025 launch of Large Bandwidth Tunnels and the VPN Concentrator killed the one-size-fits-all model. Legacy decision matrices are dead. You cannot configure your way out of a bad architectural choice; you must evaluate site count and throughput before writing a single rule.

This guide strips away the marketing fluff to define the core architectural distinctions separating Virtual Private Gateways from Transit Gateway attachments. We dissect the technical mechanics of high-throughput tunneling, showing exactly how 5 Gbps capacity changes routing logic compared to standard 1.25 Gbps links. Finally, we provide an applied decision framework mapping your specific constraints (multi-region complexity, aggregate bandwidth, and cost) to the correct service tier. Stop paying for capacity you cannot use. Stop building networks that cannot scale.

Core AWS VPN Components and Architectural Definitions

AWS Site-to-Site VPN and Large Bandwidth Tunnel Specifications

AWS Site-to-Site VPN provides encrypted IPsec connectivity between on-premises networks and Amazon VPCs via redundant tunnels. Standard implementations cap individual tunnel throughput at 1.25 Gbps. That is a hard ceiling for single-path data flows. The November 2025 introduction of Large Bandwidth Tunnels raises this per-tunnel limit to 5 Gbps, but with a catch: termination requires a transit gateway, not a legacy virtual private gateway.

Your architectural selection dictates your performance potential. Centralized management via Transit Gateways enables Equal Cost Multi-Path (ECMP) routing, bypassing single-tunnel constraints entirely. By aggregating multiple tunnels through ECMP mechanics, operators achieve a maximum theoretical throughput of 50 Gbps across the attachment. Ignore this aggregation capability, and you leave 80% of your potential bandwidth on the table.

Deploying AWS Client VPN for Zero-Trust Remote Access

AWS Client VPN scales elastically, supporting 7,000 to 126,000 concurrent connections per endpoint. This managed OpenVPN service replaces static hardware appliances, functioning as a secure transport layer within modern least-privilege frameworks. Version 5.2.1, released April 21, 2025, added the ping-exit flag to improve session handling for intermittent links. Operators deploy this to enforce identity-aware policies, integrating Active Directory or SAML for certificate-based authentication. The service adjusts capacity automatically, removing the operational burden found in fixed-capacity legacy systems.

Accelerated VPN routes traffic through the AWS global backbone, slashing latency for distributed workforces compared to standard internet paths. This feature requires a Transit Gateway attachment; virtual private gateways cannot support it.

Feature             | Standard Client VPN | Accelerated Client VPN
--------------------|---------------------|-----------------------------
Path                | Public Internet     | AWS Backbone
Latency             | Variable            | Reduced
Gateway Requirement | None                | Transit Gateway
Cost Model          | Hourly + Data       | Hourly + Data + Acceleration

Do not assume this solves every remote access problem. Per-user throughput caps remain, restricting high-bandwidth use cases like large file transfers or video production. Pair this solution with site-to-site tunnels for bulk data movement, or accept the bottleneck.

VGW Packet Processing Limits and ECMP Absence

A single Virtual Private Gateway tunnel caps processing at 140,000 packets per second. This creates a hard ceiling for small-packet workloads long before you hit bandwidth limits. The root cause is the absence of Equal Cost Multi-Path routing on the VGW platform, which prevents traffic distribution across parallel tunnels. Attempting to scale beyond this limit results in immediate packet loss, not graceful degradation. The gateway simply cannot shard the flows.

Architectural comparisons reveal distinct scaling boundaries between gateway types.

Feature            | VGW VPN | TGW/Cloud WAN
-------------------|---------|--------------------------
ECMP Support       | No      | Yes
Max Sites          | 10      | 50
Throughput Scaling | Static  | Flexible via aggregation

Aggregating tunnels through a Transit Gateway bypasses the single-tunnel bottleneck, enabling aggregate throughput up to 50 Gbps. The VGW restricts deployments to 10 connections. Exceed this threshold, and you face a hard architectural migration. High-frequency trading or IoT ecosystems demanding low-latency processing often hit the packets-per-second wall first. Sessions drop silently during route convergence events when the single tunnel saturates. That is the cost of ignoring this metric.

Routing BGP and Static Paths Without Accelerated VPN

VGW deployments lack Accelerated VPN capabilities. Cross-region traffic hits the public internet with unoptimized latency. Engineers must configure BGP peering or static routes manually; the service supports both but offers no global accelerator integration. Packets traverse standard internet paths rather than the AWS backbone, introducing jitter that disrupts real-time applications. Without Equal Cost Multi-Path aggregation on these gateways, a hard throughput ceiling exists per site.

The decision to deploy Large Bandwidth Tunnels over standard ECMP configurations depends entirely on the termination point. Only Transit Gateway attachments support the higher throughput tiers required for bandwidth-intensive workloads. Standard VGW connections remain limited to single-tunnel performance. Every connection automatically includes a pair of redundant VPN tunnels for failover, yet this redundancy does not increase aggregate capacity.

These gateways are unsuitable for latency-sensitive trading or real-time collaboration tools due to the absence of acceleration features. Migrate to Transit Gateway when performance requirements exceed what standard internet routing can provide.

Cost Inflation from Over-Provisioned VGW Capacity

Selecting a Virtual Private Gateway for high-bandwidth sites drives immediate cost inflation while creating unavoidable performance bottlenecks. Over-provisioning VPN capacity is a primary driver of inflated costs; under-provisioning leads to packet loss and eventual architectural rework expenses. The VGW VPN lacks ECMP support, preventing traffic sharding across multiple tunnels to exceed the single-tunnel throughput ceiling. Forcing 5 Gbps workloads onto this architecture hits hard caps that standard tunnels cannot absorb.

Constraint          | VGW Impact            | TGW Alternative
--------------------|-----------------------|-------------------------------
Routing Logic       | Static or BGP only    | BGP with ECMP
Throughput Scale    | Fixed per tunnel      | Aggregated via parallel paths
Flexible IP Support | CGW with Flexible IPs | Yes

Small hybrid networks with few VPCs find that using a Virtual Private Gateway to terminate internet-based Site-to-Site VPNs remains more cost-effective than deploying a Transit Gateway. However, this economic advantage vanishes when bandwidth demands exceed the gateway's processing limits. Predicting growth is the real challenge: a site needing 400 Mbps today might spike beyond 1 Gbps tomorrow, rendering the cheap VGW option a liability. Misalignment here forces a costly migration later, as VGW attachments do not convert to Transit Gateway configurations in place.

Applied Decision Framework for Enterprise Hybrid Connectivity

Defining the Retail Scale Threshold for AWS VPN Concentrator

Retail chains hit a breaking point at the default 100-site threshold where per-tunnel overhead destroys margin. The VPN Concentrator becomes mandatory here. Operators managing fleets with <100 Mbps/site requirements face a structural issue, with connection charges accruing at $0.05 per hour plus data transfer fees. While sufficient for small deployments, scaling individual tunnels proves economically disastrous. The architecture aggregates traffic from up to 100 sites into a single shared pool, eliminating the need to provision discrete connections for every store. This approach yields up to 64% cost reduction compared to maintaining dedicated IPSec sessions for each branch office. Small hybrid networks achieve superior economics by avoiding the per-connection charges inherent in standard designs, as terminating internet-based Site-to-Site VPNs on a Virtual Private Gateway proves less efficient at this specific scale.

Strict BGP-only routing excludes static path configurations common in legacy retail POS systems. You must choose between operational simplicity and granular traffic engineering control. Sites exceeding the per-site bandwidth cap trigger immediate congestion since the concentrator lacks ECMP support for sharding flows. Selecting a Site-to-Site VPN connection option designed for high-bandwidth requirements creates unnecessary expense for small-packet retail workloads. The failure mode involves hitting the aggregate ceiling while individual tunnels remain underutilized.

Applying VGW and CloudHub for Startup Multi-Site Connectivity

Startups with fewer than 10 remote sites avoid Transit Gateway complexity by terminating Site-to-Site VPN tunnels directly on a Virtual Private Gateway. This architecture uses VPN CloudHub to mesh small offices using unique BGP ASNs, enabling inter-branch traffic flow without additional routing appliances. Respect the hard limit of 10 connections per gateway. Ignoring this boundary creates tunnel sprawl, an operational debt that complicates troubleshooting and increases management overhead disproportionately.

Financial baselines for this design remain predictable. Connection charges accrue at no cost. Throughput cannot scale beyond a single tunnel's capacity due to the lack of ECMP support, creating a rigid performance ceiling. Teams anticipating rapid expansion should evaluate the management complexity of scaling individual VGW attachments versus a centralized hub. A premature commit to VGW locks the network into a static topology that requires destructive re-architecting to escape. Cost savings from avoiding Transit Gateway fees vanish immediately if the team must rebuild the entire edge fabric within six months due to site proliferation.

Avoiding Tunnel Sprawl When Migrating from VGW to Transit Gateway

Expanding beyond ten site connections on a Virtual Private Gateway forces operators into tunnel sprawl, a condition where management overhead grows quicker than network utility. This architectural debt stems from the hard limit of ten connections per gateway, a constraint that blocks organic growth for multi-VPC environments. Organizations attempting to mesh multiple offices through a single VGW encounter an operational wall that demands immediate migration to a Transit Gateway architecture. The shift resolves the inability to shard traffic across multiple paths, as standard gateways lack ECMP support entirely.

Aggregating bandwidth beyond a single tunnel ceiling requires the centralized routing plane found in Transit Gateway architectures, which enable scalable throughput up to 50 Gbps. Without this upgrade, packet loss becomes inevitable as sustained traffic volumes exceed the physical interface limits of the legacy attachment. Delaying this transition converts a manageable configuration task into a complex operational problem. The cost of in-place fixes often exceeds the initial investment in a properly segmented routing domain. Failure to migrate locks the network into a rigid topology that cannot support modern multi-VPC communication patterns.
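The decision framework above reduces to a handful of thresholds: 10 connections and no ECMP on a Virtual Private Gateway, 1.25 Gbps and roughly 140,000 packets per second per standard tunnel, 5 Gbps per Large Bandwidth Tunnel (Transit Gateway only), 50 Gbps of ECMP aggregation per attachment, and a VPN Concentrator pool of up to 100 sites at up to 100 Mbps each. The following Python helper is an added example, not the article's own tool or any AWS API; it encodes those thresholds so a site profile can be scored before any tunnel is built. It also derives the packet rate from the bit rate and average packet size, which is how small-packet workloads hit the pps wall well below the bandwidth ceiling. Function names, the 1,400-byte default packet size, and the conservative choice to apply the 140,000 pps limit to Large Bandwidth Tunnels as well (the article gives no separate figure) are this example's assumptions.

```python
"""Capacity planner for the AWS VPN tiers discussed in this article (added example).

Limits below are taken from the article's text; the function names, the default
packet size and the pps treatment of Large Bandwidth Tunnels are assumptions.
"""
from __future__ import annotations

import math
from dataclasses import dataclass

STANDARD_TUNNEL_MBPS = 1250          # 1.25 Gbps per standard Site-to-Site tunnel
LARGE_TUNNEL_MBPS = 5000             # 5 Gbps per Large Bandwidth Tunnel (TGW only)
TUNNEL_PPS_LIMIT = 140_000           # per-tunnel packet-rate ceiling
TGW_ECMP_MAX_MBPS = 50_000           # 50 Gbps aggregate per TGW attachment via ECMP
VGW_MAX_CONNECTIONS = 10             # VGW hard limit, and it has no ECMP
CONCENTRATOR_MAX_SITES = 100
CONCENTRATOR_MAX_MBPS_PER_SITE = 100


def packets_per_second(mbps: float, avg_packet_bytes: int) -> float:
    """Packet rate implied by a bit rate and an average packet size."""
    return mbps * 1_000_000 / (avg_packet_bytes * 8)


@dataclass
class Recommendation:
    tier: str
    tunnels_per_site: int
    limiting_factor: str   # "bandwidth", "pps", or "n/a"


def recommend(sites: int, peak_mbps_per_site: float,
              avg_packet_bytes: int = 1400,
              large_tunnels: bool = False) -> Recommendation:
    """Map a site profile to the service tier the article's thresholds imply."""
    pps = packets_per_second(peak_mbps_per_site, avg_packet_bytes)

    # Beyond the ECMP ceiling of a single attachment only a dedicated circuit fits.
    if peak_mbps_per_site > TGW_ECMP_MAX_MBPS:
        return Recommendation("Direct Connect", 0, "bandwidth")

    # Many low-bandwidth sites: pool them on the VPN Concentrator.
    if (VGW_MAX_CONNECTIONS < sites <= CONCENTRATOR_MAX_SITES
            and peak_mbps_per_site <= CONCENTRATOR_MAX_MBPS_PER_SITE):
        return Recommendation("VPN Concentrator", 1, "n/a")

    # A VGW cannot shard flows, so each site must fit one standard tunnel
    # on both axes: bit rate and packet rate.
    fits_one_tunnel = (peak_mbps_per_site <= STANDARD_TUNNEL_MBPS
                       and pps <= TUNNEL_PPS_LIMIT)
    if sites <= VGW_MAX_CONNECTIONS and fits_one_tunnel:
        return Recommendation("Virtual Private Gateway", 1, "n/a")

    # Otherwise terminate on a Transit Gateway and spread the site's flows over
    # parallel tunnels with ECMP; the tunnel count follows whichever ceiling is
    # hit first.  Assumption: the 140k pps bound also applies to large tunnels.
    per_tunnel = LARGE_TUNNEL_MBPS if large_tunnels else STANDARD_TUNNEL_MBPS
    by_bandwidth = max(1, math.ceil(peak_mbps_per_site / per_tunnel))
    by_pps = max(1, math.ceil(pps / TUNNEL_PPS_LIMIT))
    tier = ("Transit Gateway + Large Bandwidth Tunnels (ECMP)" if large_tunnels
            else "Transit Gateway + ECMP")
    if by_pps > by_bandwidth:
        return Recommendation(tier, by_pps, "pps")
    return Recommendation(tier, by_bandwidth, "bandwidth")


if __name__ == "__main__":
    # Constructed site profiles: (sites, peak Mbps per site, avg packet bytes, large tunnels)
    for profile in [(5, 400), (5, 400, 64), (60, 50), (3, 8000),
                    (3, 8000, 1400, True), (1, 60000)]:
        print(profile, recommend(*profile))
```

The second profile is the one the article warns about: 400 Mbps of 64-byte packets fits a 1.25 Gbps tunnel on bandwidth but needs six tunnels to stay under the pps ceiling, which rules the VGW out entirely.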

Implementation Strategies for Migration and Advanced Configuration

Deploying Hybrid VPN and Direct Connect Backup Paths

Transit Gateway Connect accepts GRE encapsulation from third-party SD-WAN appliances at up to 20 Gbps per attachment, bypassing standard IPsec overhead. Operators initiate this architecture by attaching the SD-WAN virtual appliance to the Transit Gateway using a Connect attachment rather than a traditional VPN attachment. This configuration enables the GRE tunnel to carry traffic without the encryption processing tax inherent in standard Site-to-Site designs, though operators must layer security at the application or device level. Validate that aggregate bandwidth demand exceeds the 1.25 Gbps ceiling of standard tunnels while remaining below the per-attachment limit. Unlike static VPN configurations, this method supports flexible routing updates directly from the SD-WAN controller into the AWS routing table.

[Chart: standard tunnel 1.25 Gbps limit compared against Transit Gateway Connect 20 Gbps capacity, alongside metrics showing 30% cost and 50% MTTR reductions.]

  1. Configure the SD-WAN virtual appliance with a GRE interface pointing to the Transit Gateway DNS name.
  2. Create a Connect attachment in the AWS console and associate it with the route table.
  3. Advertise specific prefixes via BGP over the GRE session to populate the TGW route table.
  4. Verify bidirectional flow using packet captures that confirm GRE protocol 47 traversal.

Loss of native IPsec encryption within the AWS fabric shifts the security burden to the edge device. Aggregating multiple tunnels via ECMP on the Transit Gateway allows the architecture to scale throughput notably beyond single-tunnel constraints. This approach avoids the cost penalty of provisioning dozens of standard VPN connections for high-bandwidth branches.

Direct Connect becomes necessary when network variance begins to break Service Level Objectives (SLOs), yet encrypted failover requires specific architectural patterns.

  1. Configure a transit VIF to enable Private IP VPN connectivity over the dedicated circuit rather than the public internet.
  2. Attach multiple Site-to-Site VPN tunnels to a Transit Gateway to aggregate bandwidth for backups exceeding 100 Mbps. Enable ECMP routing on the gateway to distribute failover traffic across the tunnel group effectively.

Standard single-tunnel designs fail high-throughput backup requirements because they lack parallel path distribution. Operators must terminate these redundant links on a central hub to use ECMP routing capabilities that scale aggregate throughput. This configuration transforms the backup path from a low-bandwidth safety net into a viable traffic carrier during primary outages. The cost model shifts notably because maintaining multiple active tunnels incurs additional connection-hour charges compared to a static standby link. Engineering teams often overlook that multiple VPNs are mandatory for speeds greater than 1 Gbps, not optional enhancements.

Small hybrid networks might still find economic value in simpler Virtual Private Gateway terminations if bandwidth needs remain minimal. However, scaling beyond that threshold demands the centralized management plane of a transit architecture.

Measure baseline jitter against the 64% threshold before migrating from VGW to Transit Gateway.

  1. Capture peak throughput during business hours to verify traffic stays below the 50 Gbps per-tunnel ceiling.
  2. Compare observed latency variance against Service Level Objectives.
  3. Calculate aggregate bandwidth needs; requirements exceeding 50 Gbps mandate a switch to dedicated circuits.
  4. Validate that ECMP support exists on the target gateway to aggregate multiple tunnels effectively.

Metric              | Standard VPN | Direct Connect
--------------------|--------------|---------------
Latency Consistency | Variable     | Deterministic
Max Throughput      | Limited      | High
Cost Model          | Hourly       | Port + Data

Operators ignoring pre-migration validation face immediate packet loss when bursting traffic exceeds provisioned capacity. The hidden cost lies in the inability of standard tunnels to absorb micro-bursts, causing TCP window collapse even when average bandwidth appears sufficient. InterLIR recommends deploying synthetic traffic generators to simulate peak loads rather than relying on historical averages.
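The micro-burst failure mode described above is easy to reason about with a small queue model, so here is an added example (not the article's own code or a tool from InterLIR) that simulates a standard 1.25 Gbps tunnel as a fixed-rate drain behind a bounded egress buffer and feeds it a bursty offered load. The tunnel rate is the article's figure; the 1 MB buffer, the burst shape (10 ms at 2.5 Gbps every 100 ms over a 600 Mbps base) and the 1 ms time step are this example's assumptions. The point it shows is the one the paragraph makes: an average rate of 790 Mbps, well inside the tunnel, still loses several percent of bytes because each burst overflows the buffer, while a smooth 790 Mbps stream loses nothing.

```python
"""Micro-burst loss on a fixed-rate tunnel (added example, not the article's code).

Models the tunnel as a constant drain behind a bounded buffer and replays a
constructed offered-load profile, millisecond by millisecond.
"""
from __future__ import annotations

from dataclasses import dataclass

TUNNEL_MBPS = 1250.0   # article's 1.25 Gbps standard tunnel
STEP_MS = 1.0          # simulation granularity (assumption)


@dataclass
class SimResult:
    average_offered_mbps: float
    bytes_offered: int
    bytes_dropped: int

    @property
    def loss_pct(self) -> float:
        if self.bytes_offered == 0:
            return 0.0
        return 100.0 * self.bytes_dropped / self.bytes_offered


def mbps_to_bytes_per_step(mbps: float) -> int:
    """Bytes that a given bit rate moves during one simulation step."""
    return int(mbps * 1_000_000 / 8 * STEP_MS / 1000)


def bursty_profile(base_mbps: float, burst_mbps: float,
                   period_ms: int, burst_ms: int, total_ms: int) -> list[float]:
    """Constructed load: `burst_ms` of `burst_mbps` at the start of every period, else `base_mbps`."""
    return [burst_mbps if (t % period_ms) < burst_ms else base_mbps
            for t in range(total_ms)]


def simulate(offered_mbps: list[float], buffer_bytes: int,
             tunnel_mbps: float = TUNNEL_MBPS) -> SimResult:
    """Tail-drop queue: arrivals beyond the free buffer are lost, then the tunnel drains."""
    drain = mbps_to_bytes_per_step(tunnel_mbps)
    queue = 0
    offered = dropped = 0
    for rate in offered_mbps:
        arriving = mbps_to_bytes_per_step(rate)
        offered += arriving
        accepted = min(arriving, buffer_bytes - queue)
        dropped += arriving - accepted
        queue = max(0, queue + accepted - drain)
    average = sum(offered_mbps) / len(offered_mbps)
    return SimResult(average, offered, dropped)


if __name__ == "__main__":
    load = bursty_profile(base_mbps=600, burst_mbps=2500,
                          period_ms=100, burst_ms=10, total_ms=1000)
    for label, profile, buf in [("bursty, 1 MB buffer", load, 1_000_000),
                                ("bursty, 4 MB buffer", load, 4_000_000),
                                ("smooth, 1 MB buffer", [790.0] * 1000, 1_000_000)]:
        r = simulate(profile, buf)
        print(f"{label}: avg {r.average_offered_mbps:.0f} Mbps, loss {r.loss_pct:.2f}%")
```

Averaged over one second the bursty profile is indistinguishable from the smooth one in a throughput graph, which is exactly why historical averages understate the risk and why the article prefers synthetic peak-load tests before cutover.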

This command confirms active tunnel states prior to cutting over production routes.
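The command itself is not reproduced on the page. As an added example (not the author's command or code), the Python check below parses the JSON that `aws ec2 describe-vpn-connections --output json` returns, walking `VpnConnections[].VgwTelemetry[]` for each tunnel's `Status`, `StatusMessage` and `AcceptedRouteCount`, and returns a list of cutover blockers. The embedded payload is constructed for the example: the connection IDs are placeholders and the addresses come from the TEST-NET-3 documentation range. The `fetch_live` helper is the only part that touches AWS and is not exercised offline; treating a zero `AcceptedRouteCount` on an UP tunnel as a BGP problem is this example's assumption and can be switched off for static connections.

```python
"""Pre-cutover Site-to-Site VPN tunnel check (added example, not the article's command).

Reads the output shape of `aws ec2 describe-vpn-connections` and reports every
reason a connection is not ready to carry production routes.
"""
from __future__ import annotations

import json
import subprocess

# Constructed sample in the shape of the CLI's JSON output.  IDs are placeholders,
# addresses are from 203.0.113.0/24 (TEST-NET-3); none of this is a real resource.
SAMPLE_OUTPUT = json.dumps({
    "VpnConnections": [
        {
            "VpnConnectionId": "vpn-EXAMPLE-A",
            "State": "available",
            "VgwTelemetry": [
                {"OutsideIpAddress": "203.0.113.10", "Status": "UP",
                 "StatusMessage": "", "AcceptedRouteCount": 12},
                {"OutsideIpAddress": "203.0.113.11", "Status": "UP",
                 "StatusMessage": "", "AcceptedRouteCount": 12},
            ],
        },
        {
            "VpnConnectionId": "vpn-EXAMPLE-B",
            "State": "available",
            "VgwTelemetry": [
                {"OutsideIpAddress": "203.0.113.20", "Status": "UP",
                 "StatusMessage": "", "AcceptedRouteCount": 12},
                {"OutsideIpAddress": "203.0.113.21", "Status": "DOWN",
                 "StatusMessage": "IPSEC IS DOWN", "AcceptedRouteCount": 0},
            ],
        },
    ]
})


def load_sample() -> dict:
    """Parse the constructed sample payload."""
    return json.loads(SAMPLE_OUTPUT)


def fetch_live(vpn_connection_ids: list[str]) -> dict:
    """Query real connections through the AWS CLI (needs credentials; not run offline)."""
    cmd = ["aws", "ec2", "describe-vpn-connections", "--output", "json",
           "--vpn-connection-ids", *vpn_connection_ids]
    completed = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return json.loads(completed.stdout)


def check_tunnels(payload: dict, min_up_per_connection: int = 2,
                  require_bgp_routes: bool = True) -> list[str]:
    """Return cutover blockers; an empty list means every connection is ready.

    Both tunnels of a connection are expected UP by default, since the redundant
    pair is the failover path.  Assumption: AcceptedRouteCount reflects routes
    learned over BGP, so set require_bgp_routes=False for static connections.
    """
    problems: list[str] = []
    for conn in payload.get("VpnConnections", []):
        cid = conn.get("VpnConnectionId", "?")
        if conn.get("State") != "available":
            problems.append(f"{cid}: connection state is {conn.get('State')}")
            continue
        telemetry = conn.get("VgwTelemetry", [])
        up_count = 0
        for tunnel in telemetry:
            ip = tunnel.get("OutsideIpAddress", "?")
            if tunnel.get("Status") != "UP":
                msg = tunnel.get("StatusMessage") or "no message"
                problems.append(f"{cid}: tunnel {ip} is {tunnel.get('Status')} ({msg})")
                continue
            up_count += 1
            if require_bgp_routes and tunnel.get("AcceptedRouteCount", 0) == 0:
                problems.append(f"{cid}: tunnel {ip} is UP but has accepted no routes")
        if up_count < min_up_per_connection:
            problems.append(f"{cid}: only {up_count}/{len(telemetry)} tunnels UP "
                            f"(need {min_up_per_connection})")
    return problems


if __name__ == "__main__":
    blockers = check_tunnels(load_sample())
    print("READY" if not blockers else "\n".join(blockers))
```

Run against the sample, the check reports the second connection twice: once for the DOWN tunnel and its IPsec status message, and once because only one of its two tunnels is UP. Wiring `fetch_live` in place of `load_sample` gives the same report for real connections before routes are cut over.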

About

Evgeny Sevastyanov serves as the Support Team Leader at InterLIR, a Berlin-based IPv4 marketplace specializing in secure network resource redistribution. While his daily work focuses on managing RIPE database objects and ensuring clean BGP route integrity, this operational expertise provides a unique foundation for evaluating AWS VPN solutions. Selecting the right VPN architecture is not merely about connectivity; it fundamentally relies on reliable IP addressing and precise routing policies to function effectively. Sevastyanov's deep experience in resolving complex network availability issues allows him to analyze how AWS VPN options interact with global IP infrastructure. At InterLIR, where transparency and security are paramount, he understands that a flawed VPN setup can compromise IP reputation and routing stability. This article uses his practical background in network support to offer a clear decision framework, ensuring architects choose AWS VPN configurations that align with strict operational standards and long-term network reliability.

Conclusion

Scaling AWS VPN architectures reveals a critical fracture point where micro-burst traffic triggers TCP window collapse long before average bandwidth metrics indicate saturation. While the market expands toward a trillion-dollar valuation by 2030, relying on legacy single-path tunnels for expanding hybrid fleets introduces latent instability that standard monitoring often misses. The operational debt accumulates not just in hourly connection fees, but in the engineering hours spent troubleshooting intermittent packet loss caused by rigid 1.25 Gbps per-tunnel ceilings. Staying within current limits is a temporary reprieve, not a sustainable strategy for modern data velocities.

Migrate to a Transit Gateway architecture immediately if your aggregate site requirements exceed 5 Gbps or if jitter consistently breaches 10 milliseconds during peak windows. Delaying this transition beyond the next fiscal quarter risks compounding performance degradation as cloud dependency deepens. Do not wait for a total service failure; proactive restructuring ensures your network absorbs growth without sacrificing reliability.

Start by deploying a synthetic traffic generator this week to simulate peak load conditions across your existing tunnels. This single test will expose whether your current setup can handle real-world bursting or if you are already operating on borrowed time.

Frequently Asked Questions

You must upgrade to Large Bandwidth Tunnels to bypass the single-path limit. This configuration supports up to 5 Gbps per tunnel but requires termination on a transit gateway.

Aggregating multiple tunnels through ECMP mechanics enables massive scalability for high-demand enterprise workloads. This approach yields a maximum theoretical throughput of 50 Gbps across the specific attachment point.

Operators managing fleets with low bandwidth needs face structural inefficiencies using standard high-capacity tunnels. The VPN Concentrator is designed specifically for these scenarios, supporting up to 100 Mbps per site.

Individual users are restricted by specific performance limits that prevent large file transfer bottlenecks. The service enforces a per-user throughput cap of up to 50 Mbps for remote access sessions.

Standard tunnels handle significantly fewer packets per second compared to the new high-throughput options available. Large Bandwidth Tunnels increase processing capacity to up to 400 Mbps of packet flow.