Cloud Networking Glossary

What is a Virtual Private Gateway (VGW)?

A virtual private gateway (VGW) is a logical, fully redundant, distributed edge routing function that sits at the edge of your VPC. Because it can terminate VPN connections from your on-premises or customer environments, the VGW is the VPN concentrator on the Amazon side of a Site-to-Site VPN connection. It is one of the more mysterious components of the AWS networking core, as it was the only way to terminate a VPN connection into your AWS cloud (that is, until the Transit Gateway came on the scene...)

In a nutshell, a Virtual Private Gateway is where a VPN tunnel lands in your cloud. You can create up to ten VPN tunnels per VGW to external, non-VPC network locations, and each of these tunnels is established using the IPsec protocol.

You can create static or dynamic routes through the VGW. For any new virtual private gateway, a configurable private Autonomous System Number (ASN) lets you set the ASN on the Amazon side of the BGP session for VPNs and AWS Direct Connect private VIFs. When BGP routing is enabled toward the Customer Gateway (CGW) from your edge router or firewall (an important step in configuring your VPN connection to work with your VGW), the CGW advertises the routes it has learned to the VGW, which completes the dynamic routing circuit into your cloud.

There are some inherent limitations to the VGW routing construct within AWS, such as the number of VPN connections and the BGP ASN you can assign to your VGWs. You can only assign ASNs from the private ranges (64512 is the default), and AWS does not perform any validation on the BGP settings you enter. A VGW can also have at most ten VPN connections.
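Because AWS does not validate the BGP settings you enter, it is worth checking a VGW design before deploying it. The following is an added example (not code from the glossary or from AWS) that models the constraints described above: a private ASN on the Amazon side, at most ten VPN connections per VGW, static routes versus BGP-learned routes propagated from the customer gateway into the VPC route table, and on-premises prefixes that collide with the VPC CIDR. The `VgwDesign` and `VpnConnection` structures and the sample design are this example's own; the ASN ranges are the private ranges from RFC 6996.

```python
"""Pre-flight checks for a Virtual Private Gateway (VGW) design (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import Dict, List

MAX_VPN_CONNECTIONS_PER_VGW = 10   # limit stated in the glossary text
DEFAULT_AMAZON_ASN = 64512         # default stated in the glossary text

# Private ASN ranges (RFC 6996): 16-bit and 32-bit.
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))


def is_private_asn(asn: int) -> bool:
    """True if the ASN falls inside one of the private ranges."""
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


@dataclass
class VpnConnection:
    """One Site-to-Site VPN connection hanging off the VGW (example structure)."""
    name: str
    routing: str                                            # "static" or "dynamic" (BGP)
    customer_asn: int = 0                                   # CGW-side ASN, dynamic only
    static_routes: List[str] = field(default_factory=list)  # prefixes for static routing
    bgp_advertised: List[str] = field(default_factory=list) # prefixes the CGW advertises


@dataclass
class VgwDesign:
    """The VGW, its VPC, and its VPN connections (example structure)."""
    amazon_asn: int = DEFAULT_AMAZON_ASN
    vpc_cidr: str = "10.0.0.0/16"
    route_propagation: bool = True      # VGW route propagation on the VPC route table
    connections: List[VpnConnection] = field(default_factory=list)


def validate(design: VgwDesign) -> List[str]:
    """Return a list of findings; an empty list means the design passes."""
    findings: List[str] = []
    if not is_private_asn(design.amazon_asn):
        findings.append(f"Amazon-side ASN {design.amazon_asn} is outside the private ranges")
    if len(design.connections) > MAX_VPN_CONNECTIONS_PER_VGW:
        findings.append(f"{len(design.connections)} VPN connections exceed the limit of "
                        f"{MAX_VPN_CONNECTIONS_PER_VGW} per VGW")
    vpc = ip_network(design.vpc_cidr)
    for conn in design.connections:
        if conn.routing not in ("static", "dynamic"):
            findings.append(f"{conn.name}: routing must be 'static' or 'dynamic'")
            continue
        if conn.routing == "dynamic":
            if not 1 <= conn.customer_asn <= 4294967295:
                findings.append(f"{conn.name}: dynamic routing needs a customer-side ASN")
            if not design.route_propagation:
                findings.append(f"{conn.name}: BGP-learned routes will not reach the VPC "
                                "route table because route propagation is disabled")
        prefixes = conn.static_routes if conn.routing == "static" else conn.bgp_advertised
        for prefix in prefixes:
            try:
                net = ip_network(prefix)
            except ValueError:
                findings.append(f"{conn.name}: '{prefix}' is not a valid CIDR prefix")
                continue
            # The VPC's own CIDR is served by the local route, so a remote prefix
            # overlapping it is a design conflict rather than a reachable route.
            if net.overlaps(vpc):
                findings.append(f"{conn.name}: prefix {net} overlaps the VPC CIDR {vpc}")
    return findings


def effective_routes(design: VgwDesign) -> Dict[str, str]:
    """Routes the VPC route table would carry toward the VGW, keyed by prefix."""
    table: Dict[str, str] = {}
    for conn in design.connections:
        if conn.routing == "static":
            for prefix in conn.static_routes:
                table[str(ip_network(prefix))] = f"vgw (static, {conn.name})"
        elif conn.routing == "dynamic" and design.route_propagation:
            for prefix in conn.bgp_advertised:
                table[str(ip_network(prefix))] = f"vgw (propagated, {conn.name})"
    return table


# Constructed sample design: one static connection and one BGP connection whose
# customer gateway advertises a prefix that collides with the VPC CIDR.
EXAMPLE = VgwDesign(
    amazon_asn=64512,
    vpc_cidr="10.0.0.0/16",
    route_propagation=True,
    connections=[
        VpnConnection("dc-static", "static", static_routes=["192.168.10.0/24"]),
        VpnConnection("dc-bgp", "dynamic", customer_asn=65000,
                      bgp_advertised=["172.16.0.0/12", "10.0.5.0/24"]),
    ],
)

if __name__ == "__main__":
    for finding in validate(EXAMPLE):
        print("FINDING:", finding)
    for prefix, target in effective_routes(EXAMPLE).items():
        print(f"{prefix:<18} -> {target}")
```

Running the block reports the single conflict (`10.0.5.0/24` advertised over BGP overlaps `10.0.0.0/16`) and prints the three routes the VPC route table would hold toward the VGW, one static and two propagated.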