I know that site-to-site is using IPsec (layer 3), but client is using TLS (application layer). It seems like both are actually site-to-site VPNs after reading articles/docs online.
I guess the protocol (IPsec vs TLS) is their only difference, which has implications on when you would use which one. I would guess that both are equally good, and you should always use TLS on the application layer anyway, even on top of client VPN.
How do you decide which one to use, and why?
In general the protocol doesn't have much to do with it. You can have IPsec tunnels in both site-to-site or client (aka road warrior) configurations, just like you can have OpenVPN (TLS) tunnels in both site-to-site or client setups. It's a matter of configuration and purpose, not the protocol used.
Site-to-Site VPN
Client-to-Site VPN
That's roughly the difference between site to site and client to site VPNs.
In AWS the VPN Gateway uses IPsec protocol and the Client VPN uses OpenVPN protocol but that's just how AWS implemented the services. However in general it's perfectly possible to use either protocol in either setup.
Hope that helps :)
TLS is a protocol that has many different uses. The most common one is in HTTPS, but many other protocols use it too, as it's a standard way to encrypt network traffic. That's the application level.
In AWS Client VPN it's being used one level down, to encrypt the actual network layer traffic (layer 3), regardless of what's passing through the tunnel. They chose to use TLS because it's a standard, well-known protocol.
Amazon could have implemented Client VPN with IPsec or even invent their own protocol but they chose TLS because it's a proven technology.
And yes, you can indeed use HTTPS over this VPN which is technically TLS over TLS but with different endpoints and certificates.
This does appear to be the case.
Not sure where you are reading that? The documentation seems to indicate that AWS Client VPN is OpenVPN-based.
OpenVPN uses TLS for negotiation, but does not use it for the actual data.
OpenVPN is capable of performing both client and site-to-site VPN tasks, but AWS seems to be using it as a client VPN. I don't see anything in the documentation that would allow you to, say, allocate a whole netblock to an individual VPN client.
Of course you could run a NAT on the VPN client to allow all the devices behind it to use the VPN, but that would not be using the service as intended.
Site-to-site and client VPNs have different priorities, which drives different typical protocol choices.
The problem with IPsec is it was designed in an era before pervasive NAT. The result is it runs directly on top of IP and does not have anything analogous to TCP/UDP port numbers that NATs can use to disambiguate multiple client sessions.
So using an IPsec VPN from behind a NAT is a dicey proposition. It may not work at all, or more insidiously it may work, but only for one client at a time.
For a site-to-site VPN this is not usually a big deal; your edge device will most likely have a public IPv4 from a consistent ISP.
For a client on the go, it's a big issue. So using a VPN solution that runs on top of UDP or even TCP (OpenVPN can do either; I'm not sure which configuration Amazon uses) is likely a good idea, even if it is less efficient.
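The "works, but only for one client at a time" failure described in this answer can be made concrete with a small model. The following is an added illustration, not code from the thread or from any VPN product: it simulates a port-overloading NAT (NAPT) whose translation table is keyed on protocol, peer address and port. Raw IPsec ESP (IP protocol 50) carries no transport-layer port, so two LAN hosts tunnelling to the same gateway collapse onto one table entry; a UDP-encapsulated tunnel (OpenVPN over UDP/1194 is used as the sample) gives the NAT a port to rewrite and both sessions survive. All addresses, ports and packets are constructed sample values, and the NAT logic is deliberately simplified.

```python
"""Toy NAPT model showing why a port-less protocol (IPsec ESP) breaks
behind a shared NAT while a UDP-encapsulated tunnel does not.
Added illustration with constructed sample values; not a real NAT."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ESP = 50   # IPsec ESP: runs directly on IP, has no port numbers
UDP = 17   # UDP: source/destination ports give the NAT something to rewrite


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None for port-less protocols such as ESP
    dport: Optional[int] = None


class Nat:
    """Minimal port-overloading NAT with a single public IPv4 address."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self._next_port = 40000
        # (proto, remote peer, external port) -> (inner host, inner port)
        self._mappings: Dict[Tuple, Tuple[str, Optional[int]]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the LAN; return what the Internet sees."""
        if pkt.sport is not None:
            # Reuse an existing mapping for this inner (host, port), else
            # allocate a fresh external port so sessions stay distinguishable.
            for key, inner in self._mappings.items():
                if key[:2] == (pkt.proto, pkt.dst) and inner == (pkt.src, pkt.sport):
                    ext_port = key[2]
                    break
            else:
                ext_port = self._next_port
                self._next_port += 1
                self._mappings[(pkt.proto, pkt.dst, ext_port)] = (pkt.src, pkt.sport)
            return Packet(pkt.proto, self.public_ip, pkt.dst, ext_port, pkt.dport)
        # Port-less protocol: the only key the NAT can form is (proto, peer).
        # A second inner host talking to the same peer overwrites the first.
        self._mappings[(pkt.proto, pkt.dst, None)] = (pkt.src, None)
        return Packet(pkt.proto, self.public_ip, pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a reply from the Internet; None if nothing matches."""
        inner = self._mappings.get((pkt.proto, pkt.src, pkt.dport))
        if inner is None:
            return None
        inner_ip, inner_port = inner
        return Packet(pkt.proto, pkt.src, inner_ip, pkt.sport, inner_port)


def simulate(proto: int, gateway: str = "203.0.113.10") -> Dict[str, bool]:
    """Two LAN hosts bring up tunnels to the same VPN gateway through one NAT.

    Returns, per inner host, whether the gateway's reply still reaches it
    after both tunnels have been set up.
    """
    nat = Nat("198.51.100.1")                      # constructed public IP
    hosts = ["192.168.1.10", "192.168.1.11"]       # constructed LAN hosts
    port = 1194 if proto == UDP else None          # OpenVPN's default UDP port
    translated = {h: nat.outbound(Packet(proto, h, gateway, port, port)) for h in hosts}
    delivered = {}
    for host, out in translated.items():
        reply = Packet(proto, gateway, nat.public_ip, out.dport, out.sport)
        back = nat.inbound(reply)
        delivered[host] = back is not None and back.dst == host
    return delivered


if __name__ == "__main__":
    print("UDP-encapsulated tunnel:", simulate(UDP))
    print("Raw ESP tunnel:        ", simulate(ESP))
```

With UDP both hosts get their replies; with raw ESP only the host that set up its tunnel last does, which is exactly the "insidious" partial failure the answer warns about. In practice this is why IPsec deployments behind NAT rely on NAT traversal (ESP encapsulated in UDP, port 4500), which restores the port that this model's NAT needs.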