AWS VPN options: guardrails that matter (Site-to-Site vs Client VPN)

Last updated: 20 Aug 2025

Quick rule: Site-to-Site for networks; Client VPN for users. In both cases, scope routes, rotate secrets, log connections, and alarm on tunnel state.

1) Site-to-Site VPN guardrails

  • Use both tunnels; alarm on TunnelState changes.
  • DPD enabled; strong ciphers; rotate PSKs regularly (or use certificates).
  • Route only required prefixes; propagate to the right route tables.
  • Flow logs and firewall logs enabled on both sides.

2) Client VPN guardrails

  • MFA via IdP; per-group authorisation rules; split-tunnel only if justified.
  • Restrict to specific subnets/SGs; log connections to CloudWatch.
  • Rotate client certs/keys; disable old clients.

3) Monitoring & costs

  • CloudWatch metrics/alarms for tunnel up/down and auth failures.
  • Keep endpoints in the right AZs; tidy idle endpoints.
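
Added example (not from the original page): the per-tunnel TunnelState alarms called for in sections 1 and 3, expressed as CloudWatch put_metric_alarm definitions. The VPN id, tunnel addresses and SNS topic ARN are constructed placeholders, and the boto3 CloudWatch client is assumed to be supplied by the caller.

```python
"""Per-tunnel CloudWatch alarms for an AWS Site-to-Site VPN (added example).
AWS/VPN TunnelState is 1 when a tunnel is UP and 0 otherwise (dimensions VpnId
and TunnelIpAddress); one alarm per tunnel catches a single tunnel dropping,
which the per-connection average would only show as 0.5."""
import json


def tunnel_state_alarm(vpn_id: str, tunnel_ip: str, topic_arn: str) -> dict:
    """Return put_metric_alarm kwargs that fire when this tunnel is not UP."""
    return {
        "AlarmName": f"vpn-{vpn_id}-tunnel-{tunnel_ip}-down",
        "Namespace": "AWS/VPN",
        "MetricName": "TunnelState",
        "Dimensions": [
            {"Name": "VpnId", "Value": vpn_id},
            {"Name": "TunnelIpAddress", "Value": tunnel_ip},
        ],
        "Statistic": "Maximum",
        "Period": 60,
        "EvaluationPeriods": 3,
        "DatapointsToAlarm": 3,  # down for three consecutive minutes
        "Threshold": 1,
        "ComparisonOperator": "LessThanThreshold",
        # A tunnel that stops reporting is treated as down, not as healthy.
        "TreatMissingData": "breaching",
        "AlarmActions": [topic_arn],
        "OKActions": [topic_arn],  # also notify on recovery
    }


def alarms_for_connection(vpn_id: str, tunnel_ips, topic_arn: str) -> list:
    """One alarm per tunnel; refuse a connection that does not cover both."""
    ips = sorted(set(tunnel_ips))
    if len(ips) != 2:
        raise ValueError(f"{vpn_id}: expected 2 tunnel addresses, got {ips}")
    return [tunnel_state_alarm(vpn_id, ip, topic_arn) for ip in ips]


def create_alarms(cloudwatch, vpn_id: str, tunnel_ips, topic_arn: str) -> list:
    """Push alarms via a boto3 CloudWatch client; return the alarm names."""
    alarms = alarms_for_connection(vpn_id, tunnel_ips, topic_arn)
    for kwargs in alarms:
        cloudwatch.put_metric_alarm(**kwargs)
    return [a["AlarmName"] for a in alarms]


if __name__ == "__main__":  # constructed placeholders; prints alarm JSON offline
    for alarm in alarms_for_connection("vpn-0123456789abcdef0", ["203.0.113.10", "203.0.113.11"],
                                       "arn:aws:sns:eu-west-1:123456789012:vpn-alerts"):
        print(json.dumps(alarm, indent=2))  # usable with put-metric-alarm --cli-input-json
```

Run it stand-alone to review the alarm JSON, or pass a real `boto3.client("cloudwatch")` to `create_alarms` to create both alarms.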