Back to Blog


TNSR High-Performance Router & VPN Concentrator in AWS

TNSR High-Performance Router & VPN Concentrator in AWS

The Lowest TCO VPN Concentrator in AWS Marketplace

When aggregating hundreds or thousands of mobile IPsec (remote workers) & site-to-site (Data Center to Cloud, Cloud to Cloud) VPNs to AWS, there has often been a trade-off of performance, cost, and manageability. There doesn’t need to be one.

The Netgate® TNSR High-Performance Routing & VPN Appliance for Amazon AWS is a powerful solution that connects thousands of mobile users, branch sites, and data centers. Customers are choosing the TNSR High-Performance Routing & VPN Appliance to get high performance, low TCO, and simple management, avoiding any trade-offs.


TNSR leverages vector packet processing (VPP) and acceleration technologies for high-speed routing and VPN performance. For more information on VPP, please peruse the link

AWS VPN tunnels are limited to 1.25 Gbps of throughput. There are other limits as well, such as maximum customer gateways, connection count, etc. Please see While customers may create multiple tunnels and leverage ECMP to overcome this limit, this can get complicated at scale and adds to the connection count. There is also no guarantee of equal distribution depending on the 5 tuple hash flows of customer traffic. TNSR software performance scales based on the underlying instance type and network, and Netgate has optimized the tunnel termination count to the optimal EC2 instances available. Right-sizing CPU core count allows the software to achieve higher performance.


Customers can use all standard BGP attributes to control traffic flows between their locations and the AWS edge. Customers may leverage route filtering, community strings, route maps, etc. The VPN connection may be IPsec or WireGuard®. Customers may also use OSPF between the branch and AWS TNSR Edge.


There are multiple ways to manage TNSR software, including Command Line Interface (CLI), RESTCONF API, and Graphical User Interface (GUI). TNSR software configuration through CLI and RESTCONF API enables the product to be managed by IT automation platforms like Ansible®, SaltStack®, Puppet®, or Chef™. TNSR software can export data to Prometheus, ERSPAN, and IPFIX, allowing customers to use their existing on-site & cloud-hosted monitoring solutions. Using the same configuration commands across platforms helps streamline operations. TNSR also supports SNMP.


Netgate has spent several decades curating, integrating, and improving open-source software. This ethos of efficiency and aggressive price performance is why pfSense software is the world’s most downloaded firewall. Netgate has replicated this model with the TNSR High-Performance Router & VPN Concentrator. When it comes to VPN performance and price, TNSR has the lowest TCO in the AWS Marketplace.

  • TNSR VPN appliances are categorized in tranches based on VPN count to help customers right-size software licensing and hardware for their specific needs.
  • 24x7x365 support is included with TNSR software purchased via the AWS Marketplace.
  • There are no hidden costs.
  • AWS infrastructure costs and data egress are separate costs from AWS.
  • There are several options to reduce costs further, as described in the cost-saving tips section.


Netgate support engineers have garnered a global reputation for their technical abilities, customer focus, and willingness to go the extra mile.

There are two levels of Netgate support for instances on AWS.




Technical Support and software updates are included with all TNSR AWS software subscriptions.

The 25 and 50 VPN appliances include TAC Pro. If phone support or a faster response time is desired, Netgate offers an upgrade path to receive TAC Enterprise support for an additional $399/year.

The 100 and 250+ appliances include TAC Enterprise.

TNSR software costs per VPN count:

Base TNSR Router (Ideal for proof of concept testing and low usage VPN).

(t3.micro & t3.nano are intended for POC or test implementations, not production)




Production-ready TNSR instances support predefined numbers of tunnels. These TNSR instances are available on larger instances sized to fully support expected data flow within the AWS infrastructure and across the boundary, supporting your edge-to-cloud network designs to support mobile IPsec (remote workers) & site-to-site (Data Center to Cloud, Cloud to Cloud) VPNs.












AWS infrastructure costs can quickly bloat as the need to connect more sites and/or remote workers drives increased VPN count. Below are some cost-saving tips to reduce the impact of scope creep.

  • Right-size the license for your VPN count.
  • Flexible EC2 instance types to meet specific customer needs.
  • Yearly TNSR software licensing can save up to 10%.
  • One year of reserved AWS instances can save up to 50% on EC2 VM costs.
  • Enterprise licensing and all-you-can-consume private offers yield substantial savings.

Action Plan

Netgate’s sales team,, and our value-added solution providers,, are eager to assist you with proof of value, network design, and deployment of the TNSR AWS solution.


This blog reviewed how TNSR VPN appliances in AWS can dramatically reduce costs for customers wishing to connect mobile users, branches, and data centers to AWS workloads while delivering unparalleled performance and feature sets. Netgate TNSR VPN Concentrator has the capability and scale to support multi-100 Gbps connectivity to your remote/branch offices, remote workforce, and multi-cloud. Each TNSR VPN appliance option includes support, popular management options, and ease of use. There is no need for compromise.