Is Client VPN Bandwidth Really Only 100Mbps?

I expected to get around 1Gbps bandwidth from a Client VPN connection, but am only in practice getting 100Mbps. If I repeat the same bandwidth test reaching to the same EC2 instance over its public internet connection, I get around 900Mbps, which is more what I'd expect. So it seems Client VPN is severely limiting my bandwidth. Has anyone else figured out why? Or what to do about it? I've found a few comments suggesting others are seeing similar slow rates.

asked 2 months ago, 277 views
2 Answers

Hi There

A minimum bandwidth of 10 Mbps is supported per user connection. The maximum bandwidth per user connection depends on the number of connections being made to the Client VPN endpoint. See https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/what-is-best-practices.html

ClientVPN is a managed service and does not publish a maximum bandwidth as it is affected by multiple factors. For example, any VPN will introduce overhead to handle the encryption, so you should not expect the same bandwidth as you would an unencrypted connection (like connecting directly to a public IP in your example).

Another option might be to use a Site-to-site VPN, which would provide you with up to 1.25Gbps.

AWS
EXPERT
Matt-B
answered 2 months ago

Documentation is inconsistent. This page says that the minimum bandwidth per connection is 10 Mbit/s: https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/what-is-best-practices.html

A minimum bandwidth of 10 Mbps is supported per user connection. The maximum bandwidth per user connection depends on the number of connections being made to the Client VPN endpoint.

Whereas another page in the same documentation, https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/troubleshooting.html#test-throughput, says the opposite:

The throughput depends on multiple factors, such as the capacity of your connection from your location, and the network latency between your Client VPN desktop application on your computer and the VPC endpoint. There is also a 10 Mbps bandwidth limit per user connection.

I would guess that there may very well be a maximum limit set. The general reasoning would be to avoid heavy variations in the perceived available capacity. For example, if one VM or container task that might serve as the platform for the VPN endpoint were capable of the same 1.25 Gbit/s of throughput as a site-to-site VPN in AWS, it could very well be nearly fully utilised by a single heavy user. When a few other heavy users also started their data transfers, the same capacity would be shared between them, causing throughput to plummet to a fraction of the level any one of them would get during quiet hours.

Imposing a hypothetical 100-Mbit/s limit, neatly just 10x the 10 Mbit/s (some of the) documentation says is the minimum, would deliver consistent throughput for up to a dozen users fully utilising the available bandwidth, and even going a bit above that number, the throughput would only be reduced incrementally, until the endpoint scaled out to provide another hypothetical 1.25 Gbit/s for the next dozen-or-so users.

In terms of architectural design principles, this is known as the "noisy neighbour" problem, and one strategy for mitigating it is to enforce bandwidth or throughput limits and/or guarantee minimums for each user needing the issue minimised.

If you have Enterprise support, I'd suggest raising a support ticket to get an official statement. I have no inside information, but I wouldn't be surprised if support or the service team might have the ability to adjust the limit, even if it isn't publicly documented, for customers needing throughput to be high more than for it to be stable and predictable. Most likely, there's a dedicated VM or container for each increment the service uses for scaling, separated from other customers.

EXPERT
Leo K
answered 2 months ago
  • Thanks for your response. Is there any other way to ask AWS to increase the speed besides an enterprise support plan?

  • You can raise a support ticket with a lower level support plan, but I only have experience making similar requests with Enterprise level support.
