To provide network connectivity between AWS VPCs and external networks or potentially between VPCs in certain use-cases you must create a Virtual Private Gateway. VPGs can be attached to a VPC or for some advanced architectures can be detached and are the Amazon managed end-point for terminating IPSEC VPN and AWS Direct Connect connections into your AWS infrastructure.

The VGW behaves like a next-hop router and provides edge routing for external access, this routing is separate from the VPC routing tables. A VGW is the termination point of VPN connections at the AWS end of the tunnel, the VGW does not initiate connections, connections must be initiated from the customer premises. VGWs support two methods of routing static routing and dynamic routing using BGP4.