Site-to-Site VPN quotas - AWS Site-to-Site VPN

Your AWS account has the following quotas, formerly referred to as limits, related to Site-to-Site VPN. Unless otherwise noted, each quota is Region-specific. You can request increases for some quotas, and other quotas cannot be increased.

To request a quota increase for an adjustable quota, choose Yes in the Client VPN quotas table. For more information, see Requesting a quota increase in the Service Quotas User Guide.

Site-to-Site VPN resources

| Name | Default | Adjustable |
|---|---|---|
| Customer gateways per Region | 50 | Yes |
| Virtual private gateways per Region | 5 | Yes |
| Site-to-Site VPN connections per Region | 50 | Yes |
| Site-to-Site VPN connections per virtual private gateway | 10 | Yes |

You can attach one virtual private gateway to a VPC at a time. To connect the same Site-to-Site VPN connection to multiple VPCs, we recommend that you explore using a transit gateway instead. For more information, see Transit gateways in Amazon VPC Transit Gateways.

Site-to-Site VPN connections on a transit gateway are subject to the total transit gateway attachments limit. For more information, see Transit gateway quotas.

Routes

Advertised route sources include VPC routes, other VPN routes, and routes from AWS Direct Connect virtual interfaces. Advertised routes come from the route table that's associated with the VPN attachment.

| Name | Default | Adjustable |
|---|---|---|
| Dynamic routes advertised from a customer gateway device to a Site-to-Site VPN connection on a virtual private gateway | 100 | No |
| Routes advertised from a Site-to-Site VPN connection on a virtual private gateway to a customer gateway device | 1,000 | No |
| Dynamic routes advertised from a customer gateway device to a Site-to-Site VPN connection on a transit gateway | 1,000 | No |
| Routes advertised from a Site-to-Site VPN connection on a transit gateway to a customer gateway device | 5,000 | No |

Bandwidth and throughput

There are many factors that can affect realized bandwidth through a Site-to-Site VPN connection, including but not limited to: packet size, traffic mix (TCP/UDP), shaping or throttling policies on intermediate networks, internet weather, and specific application requirements.

| Name | Default | Adjustable |
|---|---|---|
| Maximum bandwidth per VPN tunnel | Up to 1.25 Gbps | No |
| Maximum packets per second (PPS) per VPN tunnel | Up to 140,000 | No |

For Site-to-Site VPN connections on a transit gateway, you can use ECMP to get higher VPN bandwidth by aggregating multiple VPN tunnels. To use ECMP, the VPN connection must be configured for dynamic routing. ECMP is not supported on VPN connections that use static routing. For more information, see Transit gateways.

Maximum transmission unit (MTU)

You must set the MTU of the logical interface for your customer gateway device to 1399 bytes. For more information, see Requirements for your customer gateway device.

Jumbo frames are not supported. For more information, see Jumbo frames in the Amazon EC2 User Guide for Linux Instances.

We recommend that you set the maximum segment size (MSS) on your customer gateway device to 1359 when using the SHA2-384 or SHA2-512 hashing algorithms.

A Site-to-Site VPN connection does not support Path MTU Discovery.

Additional quota resources

For quotas related to transit gateways, including the number of attachments on a transit gateway, see Quotas for your transit gateways in the Amazon VPC Transit Gateways Guide.

For additional VPC quotas, see Amazon VPC quotas in the Amazon VPC User Guide.