Max bandwidth with multiple IPsec tunnels


Dear Team - As per https://docs.aws.amazon.com/whitepapers/latest/hybrid-connectivity/aws-accelerated-site-to-site-vpn-aws-transit-gateway-single-aws-region.html,

Up to 50 Gbps of bandwidth with multiple IPsec tunnels and ECMP configured (each traffic flow will be limited to the maximum bandwidth per VPN tunnel).

As per https://docs.aws.amazon.com/vpn/latest/s2svpn/vpn-limits.html,

Site-to-Site VPN connections per Region: 50

As per the above Site-to-Site VPN connection limit (default 50), we can get a max bandwidth of 50*2.5 Gbps (ECMP with both tunnels active) = 125 Gbps.

However, as per the previous limit of 50 Gbps with multiple IPsec tunnels and ECMP, we can only get 50 Gbps of bandwidth out of the max 125 Gbps possible. Is this the correct understanding?

In other words, anything beyond 20 VPN connections (20*2.5 Gbps = 50 Gbps) with ECMP on a single TGW will not have any advantage?

JD
asked 8 months ago, 628 views
1 Answer
Accepted Answer

You're correct: The maximum bandwidth of a combined (using ECMP) set of VPNs is 50 Gb/s. The reason for having more VPN connections available is that many customers have VPN connections to multiple locations - so it's not about having a maximum of 125 Gb/s for a single link; it's that there can be multiple "logical" links (each comprising multiple tunnels).

AWS EXPERT
answered 8 months ago
  • Which means we cannot have VPN as a backup for a 100G Direct Connect link?

  • In my experience ECMP is tricky when you use many parallel links. Four is where I'd generally stop, but I know customers running eight. The challenge is that the bandwidth limit on each VPN link is 1.25 Gb/s, which means that traffic flows are limited to that too. Because of the way traffic is hashed, it's easy to get links that are overloaded and others that are not. In theory this gets better with more links; in practice, keeping that many links alive all at the same time and with equal routing metrics is difficult at best. If you're looking for encryption at 100 Gb/s, I'd be spending time/money ensuring the applications are doing end-to-end encryption rather than trying to get the network to do it.
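The following is an added model (not code from the thread or from AWS) of the two limits discussed above: a flow is pinned to one tunnel by a hash of its 5-tuple and can never exceed the 1.25 Gb/s per-tunnel cap, and the ECMP aggregate on one Transit Gateway is clipped at 50 Gb/s, so connections beyond the 20th add nothing to throughput. The hash function, the proportional-sharing rule for an oversubscribed tunnel and the sample flows are constructed assumptions for illustration; the per-tunnel load map it returns is what exposes the hashing imbalance the answer mentions.

```python
"""Per-flow vs aggregate limits when ECMP spreads flows over VPN tunnels (constructed model)."""
import hashlib
from collections import defaultdict

TUNNEL_CAP_GBPS = 1.25        # per-tunnel limit quoted in the thread
TUNNELS_PER_CONNECTION = 2    # each Site-to-Site VPN connection has two tunnels
ECMP_AGGREGATE_CAP_GBPS = 50  # TGW accelerated VPN + ECMP ceiling from the whitepaper


def tunnel_for_flow(flow, n_tunnels):
    """Pick a tunnel index from a stable hash of (src, dst, sport, dport, proto).

    Real devices use their own hash; SHA-256 here is only an assumption for the model.
    """
    key = "|".join(str(part) for part in flow).encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % n_tunnels


def simulate(flows, n_connections):
    """Return (offered load per tunnel, achieved Gb/s per flow, aggregate Gb/s).

    flows: list of (5-tuple, demand_gbps). A flow is pinned to one tunnel, so it
    can never exceed TUNNEL_CAP_GBPS; flows sharing an oversubscribed tunnel
    split its cap proportionally to demand (assumption); the total is then
    clipped at the ECMP aggregate cap.
    """
    n_tunnels = n_connections * TUNNELS_PER_CONNECTION
    load, assignment = defaultdict(float), {}
    for flow, demand in flows:
        tunnel = tunnel_for_flow(flow, n_tunnels)
        assignment[flow] = tunnel
        load[tunnel] += demand
    achieved = {}
    for flow, demand in flows:
        scale = min(1.0, TUNNEL_CAP_GBPS / load[assignment[flow]])
        achieved[flow] = demand * scale
    total = sum(achieved.values())
    if total > ECMP_AGGREGATE_CAP_GBPS:
        factor = ECMP_AGGREGATE_CAP_GBPS / total   # aggregate ceiling hit: scale all flows down
        achieved = {f: v * factor for f, v in achieved.items()}
        total = ECMP_AGGREGATE_CAP_GBPS
    return dict(load), achieved, total


def max_useful_connections():
    """Connections beyond which ECMP adds no aggregate bandwidth (the 20 in the question)."""
    return int(ECMP_AGGREGATE_CAP_GBPS // (TUNNEL_CAP_GBPS * TUNNELS_PER_CONNECTION))


if __name__ == "__main__":
    # Constructed sample: one 10 Gb/s flow (e.g. a single backup stream) over 50 connections
    big = [(("10.0.0.1", "10.1.0.1", 40000, 443, 6), 10.0)]
    print(simulate(big, 50)[2])          # the flow is held to one tunnel's 1.25 Gb/s
    print(max_useful_connections())      # 20
```

Run it with many small flows (for example 100 flows of 2 Gb/s each) and inspect the returned load map: some tunnels carry several flows while others carry none, which is the imbalance that makes "more links" help less in practice than the arithmetic suggests.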
