Links to related documentation for running XDCR in the cloud. Any VPN gateway can be used.
Setting up XDCR in the cloud
Blog – tutorial about XDCR in AWS
Data transfered by XDCR is sent unencrypted and when replicating between Amazon regions this means it is transitting the public internet.
You can use XDCR to connect clusters in different availability zones without transitting the public internet. This doesn't provide as much reliability but it avoids the potential security issue.
You can use a 3rd-party VPN service to tunnel data between your Amazon regions. AWS has pointed to these vendors.