Site-to-Site VPN quotas - AWS Site-to-Site VPN

Site-to-Site VPN quotas

Your AWS account has the following quotas, formerly referred to as limits, related to Site-to-Site VPN. To request an increase, use the limits form.

Site-to-Site VPN resources

  • Customer gateways per Region: 50

  • Virtual private gateways per Region: 5

    You can attach only one virtual private gateway to a VPC at a time. To connect the same Site-to-Site VPN connection to multiple VPCs, we recommend that you explore using a transit gateway instead. For more information, see Transit gateways in Amazon VPC Transit Gateways.

  • Site-to-Site VPN connections per Region: 50

  • Site-to-Site VPN connections per virtual private gateway: 10

Routes

  • Dynamic routes advertised from a customer gateway device to a Site-to-Site VPN connection (on a transit gateway or virtual private gateway): 100

    This quota cannot be increased.

  • Routes advertised from a Site-to-Site VPN connection on a virtual private gateway to a customer gateway device: 1,000

    Advertised route sources include VPC routes, other VPN routes, and routes from AWS Direct Connect virtual interfaces.

    This quota cannot be increased.

  • Routes advertised from a Site-to-Site VPN connection on a transit gateway to a customer gateway device: 1,000

    Advertised routes come from the route table that's associated with the VPN attachment.

    This quota cannot be increased.
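The following added example (not part of the AWS documentation) checks the JSON returned by `aws ec2 describe-vpn-connections` for one Region against the connection and dynamic-route quotas listed above. It assumes that `AcceptedRouteCount` in each tunnel's `VgwTelemetry` reflects the routes the quota counts and that connections in the `deleting` or `deleted` state do not count; the `warn_ratio` threshold, resource IDs and sample data are constructed.

```python
from collections import Counter

# Quotas as stated on this page.
CONNS_PER_REGION = 50
CONNS_PER_VGW = 10
DYNAMIC_ROUTES_FROM_CGW = 100  # cannot be increased


def quota_findings(describe_output, warn_ratio=0.8):
    """Return (resource, used, quota) tuples at or above warn_ratio of a quota."""
    # Assumption: connections being deleted no longer count toward quotas.
    active = [c for c in describe_output["VpnConnections"]
              if c.get("State") not in ("deleting", "deleted")]
    findings = []

    def check(resource, used, quota):
        if used >= quota * warn_ratio:
            findings.append((resource, used, quota))

    check("region:vpn-connections", len(active), CONNS_PER_REGION)

    # Connections on a transit gateway carry no VpnGatewayId and are skipped here.
    per_vgw = Counter(c["VpnGatewayId"] for c in active if c.get("VpnGatewayId"))
    for vgw, count in sorted(per_vgw.items()):
        check(f"{vgw}:vpn-connections", count, CONNS_PER_VGW)

    # Per-tunnel count of routes accepted from the customer gateway device.
    for conn in active:
        for tunnel in conn.get("VgwTelemetry", []):
            name = f"{conn['VpnConnectionId']}/{tunnel['OutsideIpAddress']}:accepted-routes"
            check(name, tunnel.get("AcceptedRouteCount", 0), DYNAMIC_ROUTES_FROM_CGW)
    return findings


# Constructed sample shaped like describe-vpn-connections output (IDs are placeholders).
SAMPLE = {"VpnConnections": [
    {"VpnConnectionId": f"vpn-example{i}", "State": "available",
     "VpnGatewayId": "vgw-example1",
     "VgwTelemetry": [{"OutsideIpAddress": "203.0.113.10", "AcceptedRouteCount": 12}]}
    for i in range(8)
] + [
    {"VpnConnectionId": "vpn-exampletgw", "State": "available",
     "TransitGatewayId": "tgw-example1",
     "VgwTelemetry": [{"OutsideIpAddress": "203.0.113.20", "AcceptedRouteCount": 95},
                      {"OutsideIpAddress": "203.0.113.21", "AcceptedRouteCount": 0}]},
    {"VpnConnectionId": "vpn-exampleold", "State": "deleted",
     "VpnGatewayId": "vgw-example1"},
]}

if __name__ == "__main__":
    for resource, used, quota in quota_findings(SAMPLE):
        print(f"{resource}: {used}/{quota}")
```
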

Bandwidth and throughput

  • Maximum bandwidth per VPN tunnel: 1.25 Gbps

    This quota cannot be increased. For Site-to-Site VPN connections on a transit gateway, you can use ECMP to get higher VPN bandwidth by aggregating multiple VPN tunnels. To use ECMP, the VPN connection must be configured for dynamic routing. ECMP is not supported on VPN connections that use static routing. For more information, see Transit gateways.

  • Maximum packets per second (PPS) per VPN tunnel: 140,000

Maximum transmission unit (MTU)

  • You must set the MTU of the logical interface for your customer gateway device to 1399 bytes. For more information, see Requirements for your customer gateway device.

    Jumbo frames are not supported. For more information, see Jumbo frames in the Amazon EC2 User Guide for Linux Instances.

  • We recommend that you set the maximum segment size (MSS) on your customer gateway device to 1359 when using the SHA2-384 or SHA2-512 hashing algorithms.

Note

A Site-to-Site VPN connection does not support Path MTU Discovery.

Additional quota resources

For quotas related to transit gateways, including the number of attachments on a transit gateway, see Quotas for your transit gateways in the Amazon VPC Transit Gateways Guide.

For additional VPC quotas, see Amazon VPC quotas in the Amazon VPC User Guide.