IPsec-VPN supports two association modes: VPN gateway and Transit Router. VPN gateway connects an on-premises network to a single VPC; Transit Router connects to multiple VPCs simultaneously with higher bandwidth and more flexible routing. Choose based on your network scale, availability requirements, and bandwidth needs.
## Quick decision guide

Use the following questions to find the mode that fits your setup.

- **How many VPCs do you need to connect?**
  - One VPC → choose VPN gateway.
  - Multiple VPCs (same region or across regions) → choose Transit Router.
- **Do you need multiple links to carry traffic simultaneously?**
  - No (active-passive failover is sufficient) → VPN gateway meets your needs.
  - Yes (both links carry traffic at the same time, with Equal-Cost Multi-Path [ECMP] load balancing) → choose Transit Router.
- **What is your bandwidth requirement?**
  - 1 Gbps or less → both modes work.
  - 1–2 Gbps → choose Transit Router (a single connection supports up to 2 Gbps).
  - More than 2 Gbps → choose Transit Router with multiple ECMP connections to scale bandwidth.
- **Do you need SSL-VPN for remote access?**
  - Yes → choose VPN gateway (standard type).
  - No → decide based on the criteria above.
## Feature comparison

| Feature | VPN gateway | Transit Router |
|---|---|---|
| Use case | On-premises to one VPC | On-premises to multiple VPCs |
| IKE/IPsec encryption | AES128, AES192, AES256, DES, 3DES; AES128-GCM-16 and AES256-GCM-16 (enhanced only) | AES128, AES192, AES256, DES, 3DES |
| IKE/IPsec authentication | SHA1, MD5, SHA256, SHA384, SHA512 | SHA1, MD5, SHA256, SHA384, SHA512 |
| Tunnel mode | Dual-tunnel (active-passive) | Dual-tunnel (ECMP) |
| High-availability mechanism | Active-passive switchover: traffic uses the primary tunnel by default and fails over to the secondary on failure | ECMP load balancing: both tunnels carry traffic simultaneously and serve as mutual backups |
| Max bandwidth per IPsec connection | Enhanced: 1 Gbps dedicated per connection¹; Standard: shared across all connections, up to 1 Gbps (500 Mbps in some regions)¹ | 2 Gbps (up to 1 Gbps per tunnel)²³ |
| Bandwidth scaling | Standard: cannot scale; Enhanced: multiple IPsec connections supported | Multi-connection ECMP; up to 32 tunnels (16 IPsec connections) for load balancing |
| Packets per second (pps) | 120,000 pps per VPN gateway instance (shared across all connections) | 120,000 pps per tunnel in dual-tunnel mode |
| SSL-VPN | Supported (standard only) | Not supported |
| BGP dynamic routing entries | Enhanced: 200; Standard: 50⁴ | 1,000 per tunnel, 2,000 total⁴ |
¹ If you need more than 1 Gbps per connection, use Transit Router instead.

² If you need more than 2 Gbps in total, use multiple ECMP connections with Transit Router to scale beyond this limit.

³ Legacy single-tunnel connections support up to 1 Gbps. We recommend deleting and recreating them as dual-tunnel connections; new IPsec connections default to dual-tunnel mode.

⁴ If you need more than 200 BGP routes per connection, use Transit Router (up to 2,000 routes in total).
Enhanced and standard VPN gateways differ in key areas:

- Enhanced: 1 Gbps of dedicated bandwidth per IPsec connection; no support for policy-based routing or Chinese cryptographic algorithms.
- Standard: bandwidth shared across all connections (up to 1 Gbps); supports policy-based routing and Chinese cryptographic algorithms.

For new deployments, use an enhanced VPN gateway. For a detailed comparison, see Choose a VPN gateway type.
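To make the decision guide and the comparison table above checkable rather than read by eye, the following Python script is an added example (it is not code from this page's vendor or product). It encodes the quick decision guide, the per-mode limits from the feature comparison table and the Transit Router-only private network type as constraints, scores a set of requirements against the three candidate deployments, and explains each rejection. The `Requirements` field names, the candidate labels and the list of legacy algorithms flagged in the warnings are assumptions of this example; every numeric limit is a figure quoted on this page.

```python
"""Feasibility check for an IPsec-VPN deployment plan (added example).

Encodes the quick decision guide and the feature comparison table as
constraints and scores a set of requirements against the three candidate
deployments. All limits are the figures quoted on this page; the
Requirements fields and candidate labels are assumptions of this example,
not product parameters.
"""
from dataclasses import dataclass, field
from math import ceil
from typing import Dict, List

# Per-candidate limits taken from the feature comparison table.
CANDIDATES = {
    "VPN gateway (standard)": dict(
        max_vpcs=1, ecmp=False, ssl_vpn=True, private_network=False,
        gbps_per_connection=1.0, bgp_routes=50, gcm=False),
    "VPN gateway (enhanced)": dict(
        max_vpcs=1, ecmp=False, ssl_vpn=False, private_network=False,
        gbps_per_connection=1.0, bgp_routes=200, gcm=True),
    "Transit Router": dict(
        max_vpcs=None, ecmp=True, ssl_vpn=False, private_network=True,
        gbps_per_connection=2.0, bgp_routes=2000, gcm=False),
}
TR_MAX_ECMP_CONNECTIONS = 16  # 32 tunnels = 16 IPsec connections (table)

# Algorithm names exactly as listed in the table.
SUPPORTED_ENCRYPTION = {"AES128", "AES192", "AES256", "DES", "3DES",
                        "AES128-GCM-16", "AES256-GCM-16"}
SUPPORTED_AUTH = {"SHA1", "MD5", "SHA256", "SHA384", "SHA512"}
# Editor's note, not a statement from the page: these are listed for
# interoperability with old peers and should not be chosen for new tunnels.
LEGACY_ALGORITHMS = {"DES", "3DES", "MD5", "SHA1"}


@dataclass
class Requirements:
    vpc_count: int
    bandwidth_gbps: float                # bandwidth needed on one connection
    needs_ecmp: bool = False             # both tunnels must carry traffic
    needs_ssl_vpn: bool = False          # client-to-site remote access
    needs_private_network: bool = False  # tunnel over an Express Connect circuit
    bgp_routes: int = 0
    encryption: str = "AES256"
    authentication: str = "SHA256"


@dataclass
class Verdict:
    feasible: Dict[str, str] = field(default_factory=dict)        # candidate -> note
    rejected: Dict[str, List[str]] = field(default_factory=dict)  # candidate -> reasons
    warnings: List[str] = field(default_factory=list)


def evaluate(req: Requirements) -> Verdict:
    """Return which candidates satisfy every requirement, and why the rest fail."""
    v = Verdict()
    for algo, supported in ((req.encryption, SUPPORTED_ENCRYPTION),
                            (req.authentication, SUPPORTED_AUTH)):
        if algo not in supported:
            v.warnings.append(f"{algo} is not in the supported algorithm list")
        elif algo in LEGACY_ALGORITHMS:
            v.warnings.append(f"{algo} is a legacy algorithm; prefer AES (GCM or SHA256+)")

    for name, lim in CANDIDATES.items():
        reasons = []
        if lim["max_vpcs"] is not None and req.vpc_count > lim["max_vpcs"]:
            reasons.append("connects an on-premises network to one VPC only")
        if req.needs_ecmp and not lim["ecmp"]:
            reasons.append("dual tunnel is active-passive, not ECMP")
        if req.needs_ssl_vpn and not lim["ssl_vpn"]:
            reasons.append("SSL-VPN not supported")
        if req.needs_private_network and not lim["private_network"]:
            reasons.append("private network type (over Express Connect) not supported")
        if req.bgp_routes > lim["bgp_routes"]:
            reasons.append(f"BGP route limit of {lim['bgp_routes']} exceeded")
        if req.encryption.endswith("-GCM-16") and not lim["gcm"]:
            reasons.append("AES-GCM is available on the enhanced VPN gateway only")
        # Footnote 1: more than 1 Gbps per connection means Transit Router;
        # above 2 Gbps, Transit Router scales with ECMP connections.
        connections = max(1, ceil(req.bandwidth_gbps / lim["gbps_per_connection"]))
        if connections > 1 and not lim["ecmp"]:
            reasons.append(f"needs more than {lim['gbps_per_connection']:g} Gbps per connection")
        elif connections > TR_MAX_ECMP_CONNECTIONS:
            reasons.append(f"would need {connections} ECMP connections, limit is {TR_MAX_ECMP_CONNECTIONS}")
        if reasons:
            v.rejected[name] = reasons
        else:
            v.feasible[name] = (f"{connections} ECMP connection(s)" if connections > 1
                                else "single IPsec connection")
    return v


if __name__ == "__main__":
    plan = Requirements(vpc_count=3, bandwidth_gbps=5, needs_ecmp=True)
    verdict = evaluate(plan)
    print("feasible:", verdict.feasible)
    print("rejected:", verdict.rejected)
    print("warnings:", verdict.warnings)
```

The script follows the guide literally: any per-connection bandwidth above 1 Gbps is routed to Transit Router (footnote 1), and a conflicting set of requirements such as SSL-VPN together with multiple VPCs yields no feasible candidate, which is the signal to split the design into two connections.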
## Choose a tunnel mode

### Dual-tunnel mode (recommended)

Dual-tunnel is the current default; all new IPsec connections use dual-tunnel mode automatically.

- Each IPsec connection includes two tunnels deployed in different zones.
- Provides zone-level disaster recovery and link redundancy.
- When associated with a VPN gateway: uses active-passive mode.
- When associated with a Transit Router: uses ECMP mode.
- Configure both tunnels as active. Using only one tunnel removes redundancy and voids the SLA.

### Single-tunnel mode (legacy only)

Single-tunnel mode comes from an earlier version; new IPsec connections no longer support it.

- Only legacy VPN gateway instances may still have single-tunnel IPsec connections.
- Lacks zone-level disaster recovery.
- Upgrade to dual-tunnel mode to restore redundancy.
## Choose a network type

This setting applies only to IPsec connections associated with a Transit Router.

| Network type | Description | Use case |
|---|---|---|
| Internet | Establishes an IPsec tunnel over the public Internet | No Express Connect circuit available; or using Express Connect + VPN as an active-passive backup |
| Private network | Establishes an IPsec tunnel over an existing Express Connect circuit to encrypt traffic | Already have an Express Connect circuit; compliance requires encrypted transmission |
## Choose a routing method

IPsec-VPN supports three routing methods that control how cloud traffic is forwarded to your on-premises network.

### BGP dynamic routing (recommended)

The cloud gateway and your on-premises gateway automatically exchange and update routes using Border Gateway Protocol (BGP). Routes converge automatically as your network changes.

When to use: medium to large networks, multi-site deployments, or any environment where subnets change frequently.

Requirements:

- Your on-premises gateway must support BGP.
- Configure a BGP Autonomous System Number (ASN) and a BGP peer IP address for each tunnel.

Benefits:

- No manual route table maintenance: routes are learned and converged automatically.
- Adapts to topology changes such as adding or removing subnets.
- Fails over routes faster during link failures.

### Static destination-based routing (simple scenarios)

Manually configure static routes pointing to your on-premises CIDR blocks.

When to use: small networks, proof-of-concept (PoC) deployments, or stable topologies with few subnets.

Benefits:

- Simple setup with no BGP dependency.

Limitations:

- You must update routes manually whenever your on-premises network changes.
- Enhanced VPN gateway: up to 50 routes. Standard VPN gateway: up to 30 routes.

### Policy-based routing (standard VPN gateway only)

Define routing policies based on source and destination CIDR blocks to control precisely which IPsec connection carries each traffic flow.

When to use: scenarios that require traffic to be split across multiple connections based on source and destination addresses.

Limitations:

- Supported only by the standard VPN gateway, not the enhanced one.
- Default limit of 20 policy-based routes.
- Higher configuration and maintenance complexity.
### Routing method comparison

| Criterion | BGP dynamic routing | Static destination-based routing | Policy-based routing |
|---|---|---|---|
| Route management | Automatic | Manual | Manual |
| Association mode | VPN gateway, Transit Router | VPN gateway, Transit Router | Standard VPN gateway only |
| Best for | Most deployments | Simple or PoC setups | Fine-grained traffic control by source/destination |
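The tunnel-mode rules and the routing quotas above are the kind of thing that is cheap to check before a change is applied and expensive to discover afterwards (a tunnel left inactive silently voids the SLA, a route quota is only hit when the on-premises network grows). The validator below is an added example in Python, not the product's API: the `Connection` and `Tunnel` fields, the `validate()` function and the sample peer addresses are assumptions made for this example. It checks that a connection is dual-tunnel with both tunnels active in different zones, that BGP has an ASN and a peer IP per tunnel and stays within the quoted route quotas, that static routes are well-formed CIDR blocks within the 50/30 limits, and that policy-based routing is only used on a standard VPN gateway. The ASN range check is general BGP knowledge, not a figure from this page.

```python
"""Pre-change validator for an IPsec connection's tunnel and routing settings
(added example).

Checks a planned connection against the tunnel-mode rules and the routing
quotas quoted on this page. Connection/Tunnel fields, validate() and the
sample addresses are assumptions of this example, not product API
parameters; the ASN range check is general BGP knowledge, not a figure
from the page.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Quotas quoted on the page, keyed by (association mode, gateway type).
BGP_ROUTE_QUOTA = {("VPN gateway", "enhanced"): 200,
                   ("VPN gateway", "standard"): 50,
                   ("Transit Router", None): 2000}
BGP_ROUTES_PER_TUNNEL_TR = 1000
STATIC_ROUTE_QUOTA = {("VPN gateway", "enhanced"): 50,
                      ("VPN gateway", "standard"): 30}  # no Transit Router figure given
POLICY_ROUTE_DEFAULT_QUOTA = 20


@dataclass
class Tunnel:
    zone: str
    active: bool = True
    bgp_asn: Optional[int] = None
    bgp_peer_ip: Optional[str] = None
    bgp_routes: int = 0        # routes expected to be learned over this tunnel


@dataclass
class Connection:
    association: str                 # "VPN gateway" or "Transit Router"
    gateway_type: Optional[str]      # "enhanced" / "standard", None for Transit Router
    routing: str                     # "bgp", "static" or "policy"
    tunnels: List[Tunnel]
    static_routes: List[str] = field(default_factory=list)
    policy_routes: int = 0


def validate(conn: Connection) -> List[str]:
    """Return a list of findings; an empty list means the plan passes every check."""
    findings = []
    key = (conn.association, conn.gateway_type)

    # Tunnel mode: dual tunnel, both tunnels active, deployed in different zones.
    if len(conn.tunnels) != 2:
        findings.append(f"{len(conn.tunnels)} tunnel(s): new connections are dual-tunnel only")
    if any(not t.active for t in conn.tunnels):
        findings.append("a tunnel is not active: redundancy is lost and the SLA is void")
    if len({t.zone for t in conn.tunnels}) < len(conn.tunnels):
        findings.append("tunnels share a zone: no zone-level disaster recovery")

    if conn.routing == "bgp":
        for i, t in enumerate(conn.tunnels):
            if t.bgp_asn is None or t.bgp_peer_ip is None:
                findings.append(f"tunnel {i}: BGP needs an ASN and a peer IP")
                continue
            # Reserved ASNs 0 and 4294967295 are excluded (RFC 7607, RFC 7300).
            if not 1 <= t.bgp_asn <= 4294967294:
                findings.append(f"tunnel {i}: ASN {t.bgp_asn} is out of range")
            try:
                ip_address(t.bgp_peer_ip)
            except ValueError:
                findings.append(f"tunnel {i}: peer IP {t.bgp_peer_ip!r} is not a valid address")
            if conn.association == "Transit Router" and t.bgp_routes > BGP_ROUTES_PER_TUNNEL_TR:
                findings.append(f"tunnel {i}: {t.bgp_routes} BGP routes exceed the per-tunnel quota of {BGP_ROUTES_PER_TUNNEL_TR}")
        total = sum(t.bgp_routes for t in conn.tunnels)
        quota = BGP_ROUTE_QUOTA.get(key)
        if quota is not None and total > quota:
            findings.append(f"{total} BGP routes exceed the quota of {quota}")
    elif conn.routing == "static":
        seen = set()
        for r in conn.static_routes:
            try:
                net = ip_network(r, strict=True)   # host bits set -> rejected
            except ValueError:
                findings.append(f"static route {r!r} is not a valid CIDR block")
                continue
            if net in seen:
                findings.append(f"static route {r} is duplicated")
            seen.add(net)
        quota = STATIC_ROUTE_QUOTA.get(key)
        if quota is not None and len(conn.static_routes) > quota:
            findings.append(f"{len(conn.static_routes)} static routes exceed the quota of {quota}")
    elif conn.routing == "policy":
        if key != ("VPN gateway", "standard"):
            findings.append("policy-based routing is supported only on a standard VPN gateway")
        if conn.policy_routes > POLICY_ROUTE_DEFAULT_QUOTA:
            findings.append(f"{conn.policy_routes} policy-based routes exceed the default quota of {POLICY_ROUTE_DEFAULT_QUOTA}")
    else:
        findings.append(f"unknown routing method {conn.routing!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample: BGP over a dual-tunnel connection on an enhanced VPN gateway.
    plan = Connection("VPN gateway", "enhanced", "bgp", [
        Tunnel("zone-a", bgp_asn=65001, bgp_peer_ip="169.254.10.1", bgp_routes=100),
        Tunnel("zone-b", bgp_asn=65001, bgp_peer_ip="169.254.20.1", bgp_routes=100)])
    for line in validate(plan) or ["no findings"]:
        print(line)
```

Findings are returned rather than raised so that a change-review pipeline can print all of them at once; the Transit Router static-route quota is deliberately left out because the page quotes none, and the validator reports nothing rather than inventing a number.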
## Decision summary

### Choose VPN gateway when

- You connect to a single VPC.
- You need SSL-VPN for client-to-site remote access (use a standard VPN gateway).
- Active-passive failover is sufficient for your availability requirements.

### Choose Transit Router when

- You connect to multiple VPCs in the same region or across regions.
- You need ECMP-based load balancing where both tunnels carry traffic simultaneously.
- You need to encrypt traffic over an existing Express Connect circuit.
- You require more than 1 Gbps of bandwidth per connection.
- You operate a large-scale network with full interconnectivity across multiple sites.
- You need to handle a high volume of BGP routes (up to 2,000 entries in total).