IHA Cloud

Site-to-Site VPN vs AWS Client VPN – Which One Does Your Business Need?

Connecting your office network to AWS securely — or giving remote employees access to cloud resources — comes down to two AWS VPN products. They look similar but solve different problems. 

Site-to-Site VPN: Connecting a Location to AWS 

A Site-to-Site VPN creates an encrypted tunnel between your on-premises network (office, data centre, branch) and your AWS VPC. Once connected, resources on your network and resources in AWS can communicate as if they are on the same local network. 

How it works: you set up a Customer Gateway in AWS (which represents your on-premises router) and a Virtual Private Gateway on your VPC. AWS creates two redundant IPsec tunnels for high availability. 

Use Site-to-Site VPN when: 

  • Your office needs to connect to AWS resources — RDS databases, internal applications on EC2, file servers on EFS 
  • You are running a hybrid cloud where some workloads stay on-premises and others move to AWS 
  • You want a permanent, always-on connection rather than per-user access 

Cost: AWS charges around $0.05 per VPN connection hour plus data transfer. For a permanent office connection, this is typically $36–40 per month — far less than a dedicated leased line. 

AWS Client VPN: Access for Individual Users 

Client VPN gives individual users — remote employees, contractors, developers — encrypted access to your VPC from wherever they are. Each user installs an OpenVPN-compatible client, authenticates (via Active Directory, certificate-based auth, or SAML with SSO), and gets a private IP address on your VPC. 

Use Client VPN when: 

  • Remote employees need to access internal AWS resources securely 
  • Developers need direct database access without exposing RDS publicly 
  • You want granular control over which users can access which subnets 

Cost: you pay per endpoint association hour and per active client connection hour. For small teams, the cost is low. For large teams with constant connectivity, it adds up — evaluate whether a Site-to-Site VPN from a centralised office is more cost-effective. 
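As an added example that is not part of the original post, the Client VPN setup described in this section expressed in Terraform: SAML-based SSO authentication, connection logging, and an authorization rule that lets only one identity-provider group reach the database subnet. Every id, ARN and CIDR is a placeholder, and the developer group id is assumed to be the group claim your identity provider sends.

```hcl
variable "app_subnet_id"     { default = "subnet-0123456789abcdef0" }  # placeholder
variable "db_subnet_cidr"    { default = "10.0.20.0/24" }              # placeholder
variable "server_cert_arn"   { default = "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER" }
variable "saml_provider_arn" { default = "arn:aws:iam::ACCOUNT:saml-provider/PLACEHOLDER" }
variable "dev_group_id"      { default = "PLACEHOLDER-IDP-GROUP-ID" }  # group claim from the IdP

# Connection logs are the detection source: who connected, from where, and
# which authorization rule allowed or denied each client.
resource "aws_cloudwatch_log_group" "client_vpn" {
  name              = "/aws/client-vpn/remote-staff"
  retention_in_days = 90
}

# The endpoint. Users authenticate with SAML SSO. The client CIDR is a
# constructed value and must not overlap the VPC or any on-premises range;
# split tunnel keeps only VPC-bound traffic inside the tunnel so the
# endpoint does not become a general-purpose internet proxy.
resource "aws_ec2_client_vpn_endpoint" "remote" {
  description            = "remote-staff"
  server_certificate_arn = var.server_cert_arn
  client_cidr_block      = "172.31.240.0/22"  # constructed; /22 is the minimum size
  split_tunnel           = true
  session_timeout_hours  = 8
  authentication_options {
    type              = "federated-authentication"
    saml_provider_arn = var.saml_provider_arn
  }
  connection_log_options {
    enabled              = true
    cloudwatch_log_group = aws_cloudwatch_log_group.client_vpn.name
  }
}

# Associating a subnet gives clients a path into the VPC but grants no
# access by itself: authorization rules decide who reaches which CIDR.
resource "aws_ec2_client_vpn_network_association" "app" {
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.remote.id
  subnet_id              = var.app_subnet_id
}

# Least privilege: only the developer group reaches the database subnet.
# With no rule setting authorize_all_groups = true, everything else is denied.
resource "aws_ec2_client_vpn_authorization_rule" "devs_to_db" {
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.remote.id
  target_network_cidr    = var.db_subnet_cidr
  access_group_id        = var.dev_group_id
  description            = "developers -> RDS subnet only"
}
```

Adding a second authorization rule for a different group and CIDR is how the "which users can access which subnets" control in the list above is expressed; the log group then records each allow or deny decision per connection.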

Side-by-Side Comparison 

| Factor | Site-to-Site VPN | Client VPN |
|---|---|---|
| Connects | Location to AWS VPC | Individual user to AWS VPC |
| Authentication | Router/firewall certificate | AD, SAML, certificate |
| Setup complexity | Moderate (router config required) | Low to moderate |
| Best for | Offices, hybrid cloud | Remote workers, developers |
| Redundancy | Built-in (dual tunnels) | High availability endpoints available |
| Cost basis | Per connection hour | Per endpoint + per client hour |

Can You Use Both? 

Yes. Many businesses use Site-to-Site VPN to connect their office to AWS and Client VPN for remote employees. Both land on the same VPC, so all users — office-based and remote — access the same AWS resources securely. 
