AWS S2S VPN - Policy based Vs Route based implementation

Question

Looking to setup a new S2S VPN with AWS VGW. On the CGW what style of VPN implementation is advised - Route based or Policy based VPN?

Accepted Answer

Hello,

Please note there are SA (Security Association) limitations when you use Policy based VPN on CGW.

See below from the [VPN FAQ](https://aws.amazon.com/vpn/faqs/):

----------

**Q: How many IPsec security associations can be established concurrently per tunnel?**

A: The AWS VPN service is a route-based solution, so when using a route-based configuration you will not run into SA limitations. If, however, you are using a policy-based solution you will need to limit to a single SA, as the service is a route-based solution.

-----------

This [Knowledge center article](https://aws.amazon.com/premiumsupport/knowledge-center/vpn-connection-instability/) describes this issue in detail.

More information on Site-to-Site VPN routing options can be found [here](https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNRoutingTypes.html#vpn-static-dynamic).

AWS S2S VPN - Policy based Vs Route based implementation

관련 콘텐츠