Amazon Web Services (AWS) VPN

By default, AWS instances cannot connect to private campus networks. AWS VPN provides a secure connection from instances to U-M campus private networks. The VPN consists of two tunnels for automatic failover, to avoid interrupting access to your AWS VPC. ITS provides an option to increase redundancy by using two pairs of VPN nodes across sites: should one site go offline, the other site will accept traffic. Customers who provide a customer-facing application or need production availability should use two tunnels.


AWS charges $0.05 per VPN Connection-hour
$36.50 / month for single tunnel (without discounts)
$73.00 / month for multi tunnel redundancy (without discounts)

Request AWS VPN

Use the AWS Request Form to request a new account. To add VPN to an existing account, use the AWS Modify Account form.

AWS Internet Access

Our VPN to AWS only provides access to U-M campus private networks. There are two ways to access the internet via AWS’s Internet Gateway:

  • Use a public IP address, which allows outbound traffic to the internet and inbound traffic from the internet to an instance.
  • Use a Network Address Translation (NAT) gateway, which enables an instance in a private subnet to access the internet without attaching a public IP to the instance.

Troubleshooting AWS VPN

The most common AWS VPN issue is the VPN tunnel going down due to idle timeout (no traffic has gone through the VPN tunnel for about 10 seconds). To bring the connection back, generate traffic to the instance from a campus network (for example, by pinging the instance). See AWS VPN Connections for more information.

Another issue is caused by asymmetric routing when users on campus try to access an instance in AWS behind the VPN using a public IP. On campus, private routes take precedence over the default internet route, so traffic destined for an instance’s public IP will be delivered, but return traffic will go over the VPN tunnel and be dropped. We recommend using private IPs to connect from campus. Additionally, we can work with hostmaster to set up split-view DNS.
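The asymmetric routing case described above can be reproduced with a small longest-prefix-match model. This is an added example, not ITS or AWS code. The route tables, the 10.0.0.0/8 campus prefix, the 172.31.0.0/16 VPC CIDR and the 203.0.113.10 public IP are constructed sample values, and the names `next_hop` and `check_path` are hypothetical.

```python
import ipaddress

def next_hop(route_table, dst):
    """Longest-prefix match: target of the most specific route covering dst."""
    dst = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(prefix), hop)
               for prefix, hop in route_table.items()
               if dst in ipaddress.ip_network(prefix)]
    if not matches:
        return None  # no route at all
    return max(matches, key=lambda m: m[0].prefixlen)[1]

# Constructed, simplified route tables (assumptions, not U-M's real prefixes).
CAMPUS_ROUTES = {               # campus side
    "0.0.0.0/0": "internet",    # default internet route
    "172.31.0.0/16": "vpn",     # VPC private range reached through the VPN
}
VPC_ROUTES = {                  # VPC subnet route table
    "172.31.0.0/16": "local",
    "0.0.0.0/0": "internet",    # Internet Gateway
    "10.0.0.0/8": "vpn",        # campus private network advertised over the VPN
}

def check_path(client_ip, instance_ip):
    """Compare the path campus -> instance with the path instance -> campus."""
    forward = next_hop(CAMPUS_ROUTES, instance_ip)
    reverse = next_hop(VPC_ROUTES, client_ip)
    return {"forward": forward, "return": reverse,
            "symmetric": forward == reverse}

if __name__ == "__main__":
    client = "10.20.30.40"  # constructed campus private address
    # Public IP: request leaves via the internet, reply leaves via the VPN.
    print("public IP :", check_path(client, "203.0.113.10"))
    # Private IP: both directions use the VPN tunnel.
    print("private IP:", check_path(client, "172.31.5.9"))
```

Connecting to the private IP keeps both directions on the tunnel, which is why private IPs are recommended from campus.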

AWS Compatible Networks

A List of U-M Private Networks allowed through VPN has been compiled. Check the list to see if a network will work with AWS. Routes are also advertised in your route table once a VPN has been set up.

Last Updated: Tuesday, May 28, 2019