Cloud · 9 min read · Jun 2026

Site-to-Site VPN, explained so it finally clicks

Watch traffic get encrypted, cross the public internet through two IPsec tunnels, and decrypt inside AWS. Then the consultant's cheat sheet: benefits, pitfalls, and when to pick something else.

Tags: networking, vpn, aws, hybrid-cloud, security

Sri Balaji

Founder


When "just connect them" stops being simple

Who this is for

You can spin up a VPC, but when someone says "connect our data center to AWS, securely," you freeze. By the end of this you should be able to whiteboard a site-to-site VPN, explain its trade-offs, and say when to reach for something else.

You have two private networks: your on-prem data center and your AWS VPC. Between them sits the public internet, which you do not trust and do not control. You cannot just route private traffic across it in clear text: anyone on the path could read it. So you need a way to make the open internet behave like a private cable.

A site-to-site VPN is an encrypted tunnel that makes the public internet behave like a private wire between your office and your VPC.

See it work

Press play. Watch a packet leave on-prem, get encrypted at the customer gateway, cross the internet through one of two IPsec tunnels, and get decrypted at the AWS side. Then break a tunnel to see failover, and turn encryption off to see exactly why the tunnel exists.

[Interactive diagram "Site-to-Site VPN, live": On-prem network (your data center) → Customer Gateway (encrypts here) → Public internet (untrusted; sees only encrypted bytes) via Tunnel 1 / Tunnel 2 → Virtual Private GW (decrypts here) → AWS VPC (private subnet)]

Two IPsec tunnels are up. Traffic is encrypted at the Customer Gateway, sent across the public internet, and decrypted at the Virtual Private Gateway. To the internet in between, it is unreadable noise.

Break a tunnel to watch traffic fail over. Turn encryption off to see what the internet would otherwise read.

How it actually works

  1. Two gateways. A customer gateway (your side: the on-prem router or firewall) and a virtual private gateway, or transit gateway, on the AWS side.
  2. Two IPsec tunnels. AWS provisions two tunnels per connection, to two different AWS endpoints, so a single tunnel failing does not take you offline.
  3. Encrypt, encapsulate, send. Traffic is encrypted with IPsec at the customer gateway, wrapped up, and sent across the public internet as unreadable noise.
  4. Decrypt and route. The AWS gateway decrypts the traffic and routes it into your VPC, as long as the route table points the on-prem CIDR at the gateway.
  5. Routing: BGP or static. Dynamic routing (BGP) advertises networks automatically and handles failover cleanly. Static means you list every prefix by hand, fine for tiny setups, painful at scale.

Why teams reach for it

  • Fast to stand up: hours, not the weeks a dedicated circuit takes.
  • Cheap: it rides commodity internet, no leased line to pay for.
  • Encrypted by default: IPsec is the whole point; the data is protected in transit.
  • Great for branch offices and as a backup to a Direct Connect link.

The gotchas that bite in production

  1. Performance is variable. It runs over the public internet, so latency wanders and throughput is capped per tunnel (around 1.25 Gbps). You cannot promise low, steady latency on a VPN.
  2. One customer gateway is a single point of failure. Two tunnels protect the AWS side, but if your one on-prem device dies, you are down. Real HA needs two customer gateways.
  3. Overlapping CIDRs break everything. If on-prem and your VPC use the same address range, routing cannot tell them apart. Plan address space first.
  4. Static routing does not scale. Past a handful of networks, switch to BGP or you will hand-maintain route lists forever.
  5. It depends on the internet. Your ISP having a bad day is your VPN having a bad day.
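As an added example (not code from the article or from AWS), a small design checker that applies the article's first checks to a proposed design: no overlapping CIDRs, every on-prem prefix routed at the virtual private gateway by longest-prefix match, and BGP rather than static past a handful of prefixes. The route-table dictionary, the gateway ids and the static-route threshold are assumptions made for the example.

```python
"""Added example: design checks for an AWS Site-to-Site VPN (standard library only).
The VPC CIDR, on-prem prefixes and VPC route table are modelled as plain Python
data; gateway ids and the static-route threshold are assumptions, not AWS values."""
from ipaddress import ip_network

# The article says "a handful" of static prefixes; 5 is an assumed cutoff.
STATIC_ROUTE_LIMIT = 5


def lookup(route_table, net):
    """Longest-prefix match over {cidr: target}, as a VPC route table does."""
    best = None
    for prefix, target in route_table.items():
        cand = ip_network(prefix)
        if cand.supernet_of(net) and (best is None or cand.prefixlen > best[0].prefixlen):
            best = (cand, target)
    return best


def check_design(vpc_cidr, onprem_cidrs, route_table, vgw_id, routing):
    """Return a list of findings; an empty list means the design passes."""
    findings = []
    vpc = ip_network(vpc_cidr)
    onprem = [ip_network(c) for c in onprem_cidrs]
    # Gotcha 3: on-prem and VPC address space must not overlap.
    for net in onprem:
        if net.overlaps(vpc):
            findings.append(f"overlap: on-prem {net} overlaps VPC {vpc}")
    # Step 4: the VPC route table must send each on-prem prefix to the gateway.
    for net in onprem:
        hit = lookup(route_table, net)
        if hit is None:
            findings.append(f"no route for {net}; replies cannot reach on-prem")
        elif hit[1] != vgw_id:
            findings.append(f"route for {net} points at {hit[1]}, not {vgw_id}")
    # Gotcha 4: static routing does not scale past a handful of prefixes.
    if routing == "static" and len(onprem) > STATIC_ROUTE_LIMIT:
        findings.append(f"{len(onprem)} static prefixes; switch to BGP")
    return findings


# Constructed sample with two of the article's gotchas present.
SAMPLE_VPC = "10.0.0.0/16"
SAMPLE_ONPREM = ["10.0.1.0/24", "192.168.10.0/24"]  # first one overlaps the VPC
SAMPLE_ROUTES = {"10.0.0.0/16": "local", "192.168.10.0/24": "igw-PLACEHOLDER"}
SAMPLE_VGW = "vgw-PLACEHOLDER"

if __name__ == "__main__":
    for finding in check_design(SAMPLE_VPC, SAMPLE_ONPREM, SAMPLE_ROUTES, SAMPLE_VGW, "static"):
        print("FINDING:", finding)
```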

Alternatives, and when to pick them

Option | Reach for it when
--- | ---
Site-to-Site VPN | You want a fast, cheap, encrypted link and variable performance is acceptable. Branch offices, backups, getting started quickly.
Direct Connect | You need consistent low latency and high, predictable throughput. A dedicated circuit, weeks to provision and more expensive, but rock steady.
Transit Gateway + VPN | Many VPCs or accounts need on-prem access. Attach the VPN to a transit gateway hub instead of building a separate VPN per VPC.
Client VPN | Individual people (laptops) need into the VPC, not a whole site. A different tool for a different job.

A common production pattern: Direct Connect as the primary link, with a site-to-site VPN as the cheap encrypted backup.

The consultant's answer

If someone puts you on the spot

  • It is an encrypted IPsec tunnel that turns the public internet into a private link between on-prem and your VPC.
  • Always two tunnels for failover; use two customer gateways for genuine high availability.
  • Pros: fast, cheap, encrypted. Cons: rides the internet, so variable performance and capped throughput.
  • Pick Direct Connect for predictable performance, Transit Gateway when many networks must connect, Client VPN for individual users.
  • First checks on any design: no overlapping CIDRs, BGP over static at scale, and a plan for when the internet misbehaves.

Want the layer underneath this? Solidify subnets, route tables, and gateways in VPC fundamentals, then get your hands dirty in the networking lab.

Want to go deeper?

This article covers concepts taught hands-on in the Cloud Engineer and DevOps career paths, with real terminal labs, production scenarios, and structured lessons.