By using AWS re:Post, you agree to the Terms of Use

Policy Based Site to Site VPN-VGW


At times AWS documentation is so poor which makes simple stuff more complicated.

Dear Expert - As per AWS doc it VGW does support policy based site to site VPN, however while creating connect on AWS side, you only see option to create dynamic routing and static. Technically you do not need tunnels and any sort of routing on policy based VPN. Will those tunnel IP's will still be generated on AWS side, even though remote is configured just for policy based ? and has no significance ?

Technically speaking options should be little different from use point of view since same options comes even if you want to configure route-based VPN with static routes.

2 Answers
Accepted Answer

The answer to this question is Yes, even if CGW has Policy based implementation, the AWS side (VGW or TGW) will still have 2 Tunnels as well as the Tunnel Outside IPs (169.254.x.x/30) that is because AWS Site-Site VPN is a Route based VPN implementation.

Will those tunnel IP's will still be generated on AWS side, even though remote is configured just for policy based ?

That being said, if your CGW only supports Policy based VPN you can still implement it and it will work; the only issue being only 1 SA (Security Association) will be supported so that would mean 1 single Policy. This is described in this KC article.

If however your CGW does supports Route based VPN then it is recommended to use Route based instead of Policy based VPN, with this you will not run into SA limitation, you can choose to use Static or BGP based VPN.

profile picture
answered 2 months ago
  • As per AWS only remote should initiate traffic to bring policy based VPN tunnel, not sure how that's handled from AWS side having said that there are two public IP's ? Anyways thanks Tushar for responding my queries.


Hello, As mentioned in the documentation below, AWS Site-Site VPN is a Route based VPN solution. So to put it in simple words, AWS Site-Site VPN does NOT support multiple policies and hence is not a policy based solution. If you are using a policy-based configuration, you must limit your configuration to a single security association (SA). Static and Dynamic are routing options depending on whether or not, your CGW device supports BGP or not. It is always recommended to use Dynamic routing with BGP. Hope this helps clear out your confusion.


answered 2 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions