Compare VPN gateway options, pricing, and bandwidth across providers.
Last verified: April 2026
| Feature | AWS | Azure | GCP |
|---|---|---|---|
| Service Name | AWS Site-to-Site VPN | Azure VPN Gateway | Cloud VPN |
| Protocols | IPSec / IKEv1 / IKEv2 | IPSec / IKEv1 / IKEv2 | IPSec / IKEv1 / IKEv2 |
| Max Tunnels per Gateway | 10 VPN connections per VGW; 2 tunnels each (20 tunnels total) | 30 tunnels (Basic/VpnGw1); up to 100 (VpnGw4/5) | 8 tunnels per HA VPN gateway interface (16 total for HA pair) |
| Max Bandwidth per Tunnel | 1.25 Gbps per tunnel; up to 5 Gbps with ECMP over Transit Gateway | 1.25 Gbps (VpnGw1); up to 10 Gbps (VpnGw5) | 3 Gbps per tunnel; up to 24 Gbps aggregate with 8 tunnels |
| Feature | AWS | Azure | GCP |
|---|---|---|---|
| HA Option | Yes; dual-tunnel per connection with separate AZ endpoints | Yes; active-active mode with two gateway instances in an AZ | Yes; HA VPN with 99.99% SLA using two interfaces and four tunnels |
| BGP Support | Yes; dynamic routing with BGP ASN configuration per VGW | Yes; BGP supported on all SKUs except Basic | Yes; Cloud Router with BGP for dynamic route exchange |
| Custom Routing | Static routes or BGP propagation; route tables on VGW and TGW | Static routes, BGP, or policy-based routing; UDR integration | Cloud Router custom route advertisements; static or dynamic |
| Feature | AWS | Azure | GCP |
|---|---|---|---|
| Pricing Model | Per VPN connection-hour ($0.05/hr) + data transfer out | Per gateway-hour by SKU ($0.04-$1.25/hr); data transfer out | Per tunnel-hour ($0.075/hr classic, $0.05/hr HA) + data egress |
| Typical Monthly Cost | ~$36/mo per connection (2 tunnels) + ~$0.09/GB egress | ~$140/mo (VpnGw1) to ~$913/mo (VpnGw5) + ~$0.087/GB egress | ~$36/mo per HA tunnel + ~$0.085/GB egress; ~$55/mo Classic |
| Feature | AWS | Azure | GCP |
|---|---|---|---|
| Setup Complexity | Moderate; VGW + customer gateway + VPN connection config needed | Moderate; VNet gateway subnet + public IP + gateway + connection | Moderate; HA VPN gateway + Cloud Router + peer gateway + tunnels |
| Monitoring Integration | CloudWatch metrics (TunnelState, bytes in/out); VPN log groups | Azure Monitor metrics and diagnostics; connection health dashboard | Cloud Monitoring metrics; Cloud Logging for tunnel status and events |
| Certificate Auth | Yes; AWS Certificate Manager Private CA for IKEv2 authentication | Yes; certificate-based auth for point-to-site; PSK for site-to-site | Pre-shared key (PSK) only; no native certificate-based tunnel auth |
| Feature | AWS | Azure | GCP |
|---|---|---|---|
| Route-based vs Policy-based | Route-based (default); policy-based supported with limitations | Route-based (RouteBased SKU) or policy-based (PolicyBased SKU) | Route-based only; Classic VPN supported policy-based (deprecated) |
| Multi-site Support | Yes; multiple VPN connections per VGW or TGW; hub-spoke with TGW | Yes; multiple connections per gateway; Virtual WAN for hub-spoke | Yes; multiple tunnels and peer gateways per Cloud VPN gateway |
| Private Connectivity Alternative | AWS Direct Connect (dedicated 1/10/100 Gbps; hosted 50 Mbps-10 Gbps) | Azure ExpressRoute (50 Mbps-100 Gbps; Global Reach; private peering) | Cloud Interconnect (Dedicated 10/100 Gbps; Partner 50 Mbps-50 Gbps) |
{
"features": [
{
"feature": "Service Name",
"category": "Service Overview",
"aws": "AWS Site-to-Site VPN",
"azure": "Azure VPN Gateway",
"gcp": "Cloud VPN"
},
{
"feature": "Protocols",
"category": "Service Overview",
"aws": "IPSec / IKEv1 / IKEv2",
"azure": "IPSec / IKEv1 / IKEv2",
"gcp": "IPSec / IKEv1 / IKEv2"
},
{
"feature": "Max Tunnels per Gateway",
"category": "Service Overview",
"aws": "10 VPN connections per VGW; 2 tunnels each (20 tunnels total)",
"azure": "30 tunnels (Basic/VpnGw1); up to 100 (VpnGw4/5)",
"gcp": "8 tunnels per HA VPN gateway interface (16 total for HA pair)"
},
{
"feature": "Max Bandwidth per Tunnel",
"category": "Service Overview",
"aws": "1.25 Gbps per tunnel; up to 5 Gbps with ECMP over Transit Gateway",
"azure": "1.25 Gbps (VpnGw1); up to 10 Gbps (VpnGw5)",
"gcp": "3 Gbps per tunnel; up to 24 Gbps aggregate with 8 tunnels"
},
{
"feature": "HA Option",
"category": "High Availability",
"aws": "Yes; dual-tunnel per connection with separate AZ endpoints",
"azure": "Yes; active-active mode with two gateway instances in an AZ",
"gcp": "Yes; HA VPN with 99.99% SLA using two interfaces and four tunnels"
},
{
"feature": "BGP Support",
"category": "High Availability",
"aws": "Yes; dynamic routing with BGP ASN configuration per VGW",
"azure": "Yes; BGP supported on all SKUs except Basic",
"gcp": "Yes; Cloud Router with BGP for dynamic route exchange"
},
{
"feature": "Custom Routing",
"category": "High Availability",
"aws": "Static routes or BGP propagation; route tables on VGW and TGW",
"azure": "Static routes, BGP, or policy-based routing; UDR integration",
"gcp": "Cloud Router custom route advertisements; static or dynamic"
},
{
"feature": "Pricing Model",
"category": "Pricing",
"aws": "Per VPN connection-hour ($0.05/hr) + data transfer out",
"azure": "Per gateway-hour by SKU ($0.04-$1.25/hr); data transfer out",
"gcp": "Per tunnel-hour ($0.075/hr classic, $0.05/hr HA) + data egress"
},
{
"feature": "Typical Monthly Cost",
"category": "Pricing",
"aws": "~$36/mo per connection (2 tunnels) + ~$0.09/GB egress",
"azure": "~$140/mo (VpnGw1) to ~$913/mo (VpnGw5) + ~$0.087/GB egress",
"gcp": "~$36/mo per HA tunnel + ~$0.085/GB egress; ~$55/mo Classic"
},
{
"feature": "Setup Complexity",
"category": "Operations",
"aws": "Moderate; VGW + customer gateway + VPN connection config needed",
"azure": "Moderate; VNet gateway subnet + public IP + gateway + connection",
"gcp": "Moderate; HA VPN gateway + Cloud Router + peer gateway + tunnels"
},
{
"feature": "Monitoring Integration",
"category": "Operations",
"aws": "CloudWatch metrics (TunnelState, bytes in/out); VPN log groups",
"azure": "Azure Monitor metrics and diagnostics; connection health dashboard",
"gcp": "Cloud Monitoring metrics; Cloud Logging for tunnel status and events"
},
{
"feature": "Certificate Auth",
"category": "Operations",
"aws": "Yes; AWS Certificate Manager Private CA for IKEv2 authentication",
"azure": "Yes; certificate-based auth for point-to-site; PSK for site-to-site",
"gcp": "Pre-shared key (PSK) only; no native certificate-based tunnel auth"
},
{
"feature": "Route-based vs Policy-based",
"category": "Architecture",
"aws": "Route-based (default); policy-based supported with limitations",
"azure": "Route-based (RouteBased SKU) or policy-based (PolicyBased SKU)",
"gcp": "Route-based only; Classic VPN supported policy-based (deprecated)"
},
{
"feature": "Multi-site Support",
"category": "Architecture",
"aws": "Yes; multiple VPN connections per VGW or TGW; hub-spoke with TGW",
"azure": "Yes; multiple connections per gateway; Virtual WAN for hub-spoke",
"gcp": "Yes; multiple tunnels and peer gateways per Cloud VPN gateway"
},
{
"feature": "Private Connectivity Alternative",
"category": "Architecture",
"aws": "AWS Direct Connect (dedicated 1/10/100 Gbps; hosted 50 Mbps-10 Gbps)",
"azure": "Azure ExpressRoute (50 Mbps-100 Gbps; Global Reach; private peering)",
"gcp": "Cloud Interconnect (Dedicated 10/100 Gbps; Partner 50 Mbps-50 Gbps)"
}
]
}The Multi-Cloud VPN Compare tool compares VPN gateway options, pricing, bandwidth capabilities, and configuration across AWS (Site-to-Site VPN), Azure (VPN Gateway), and GCP (Cloud VPN). It covers IPsec tunnel setup, high availability configurations, throughput limits, and pricing for connecting cloud networks to on-premises or multi-cloud environments.
Your company needs to connect its on-premises datacenter to both AWS and Azure with 99.99% availability. You use the comparison to design HA VPN on both clouds. AWS needs two VPN connections (4 tunnels total) at $0.05/hr each. Azure needs an active-active VpnGw2 at $0.57/hr for 1 Gbps throughput. The total VPN gateway cost is $490/month. You verify this is cheaper than dedicated interconnects at your current 200 Mbps average utilization, but flag that crossing 500 Mbps sustained would make Direct Connect/ExpressRoute more economical.
VPN throughput is the most misunderstood metric in hybrid cloud. AWS Site-to-Site VPN supports up to 1.25 Gbps per tunnel. Azure VPN Gateway throughput depends on SKU (from 650 Mbps on VpnGw1 to 10 Gbps on VpnGw5). GCP HA VPN supports 3 Gbps per tunnel. Always test actual throughput with iperf before committing to a VPN-only architecture.
BGP is strongly recommended for all production VPN connections. Static routing requires manual updates when subnets change and cannot support automatic failover between redundant tunnels. All three providers support BGP with their VPN gateways, and it adds zero cost.
For multi-cloud VPN mesh (e.g., AWS to GCP), you pay egress on both sides. A 1 Gbps sustained link between AWS and GCP generates roughly 324 TB/month, costing over $29,000 in combined egress fees. For high-bandwidth multi-cloud connectivity, dedicated interconnects or third-party SD-WAN solutions are dramatically cheaper.
The comparison normalizes VPN gateway specifications across providers into categories: gateway pricing, tunnel pricing, maximum throughput, tunnel limits, HA configuration, and BGP support. It maps equivalent SKUs and configurations to enable direct comparison of cost and capability for common hybrid connectivity scenarios.
Was this tool helpful?
Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.