Many AWS billing horror stories start with provisioned resources that were not terminated or forgotten. AWS's product offerings are vast, so how you're billed can often be complex. This is no exception for AWS VPN, which has 5+ variables that factor into your monthly bill.
The team at Firezone often helps companies through budgeting decisions regarding their remote access. We wrote this article to share the learnings. Below we break down the cost in a couple of common scenarios and provide a simple calculator to help project and visually illustrate the main contributors to your monthly bill. Hopefully, it's helpful!
As security breaches become common place, properly managing remote access to your VPC is more critical than ever. AWS VPN lets you set up encrypted connections between your network or device and your AWS resources. AWS VPN consists of two products: Site-to-site VPN and Client VPN.
AWS site-to-site VPN allows you to create a secure connection between AWS and your on-prem servers, data centers, and other remote sites.
If you've looked for a point-to-site way to access your cloud resources on AWS securely, chances are you've looked at AWS Client VPN. AWS Client VPN is a managed solution that lets you securely access your resources on AWS. It uses the OpenVPN protocol and supports most features you'd find in a VPN (SSO, MFA).
Sample scenarios are the main section lacking from AWS' documentation. For those that want a rough budget of how much AWS VPN will cost each month, here are a few examples. To create your own, use our price calculator (make a copy).
Scenario 1 - Small team or personal project (1 VPC, 1 subnet, 3 users)
Cost: $96 per month ($1,152 annually)
This is likely the most simple use case for AWS VPN. It highlights the high fixed cost of target network associations, which for smaller teams will make up the majority of your cost each month.
With such a small group of users, a bastion host or self-managing something like WireGuard can be a good low-cost option. In theory, if your VPN demands are infrequent, you can remove any target-network associations when you are not using the VPN.
Scenario 2 - Medium sized team (2 VPCs, 3 subnets, 10 users, split tunnel)
Cost: $368 per month ($4,416 annually)
This is a more likely scenario for a team or small company. If you’re building software, your resources will be split across production, test, and dev environments. AWS themselves recommend splitting your environment across multiple accounts as your workloads become more complex.
Segregating your environments is great for your development processes and security, but it will increase your costs with AWS VPN. Each account requires a separate AWS Client VPN endpoint, and each subnet will require its own target network association. In this example, we’ll use 4 to represent dev, test, and prod split across 2 availability zones.
Scenario 3 - Larger company (50 users, 1 on-prem environment, 4 subnets, full-tunnel)
Cost: $850 per month ($10,200 annually)
The data egress costs will vary greatly depending on the company. In this example, we assumed 10 GB per user. That’s about 12 Zoom calls - maybe a bit conservative in today’s remote workplace.
Client VPN target network association - $0.10 to $0.15 per hourI asked my AWS rep if this can be disassociated when not used to save cost since it's the most significant contributor to fixed costs for smaller teams. I didn't get a straight answer, but let me know if you've tried this before.
Client VPN connection time - $0.05 per hourConnection time is the aggregate time your VPN users have connected to the VPN (rounded up to the nearest hour).
Site-to-site connection time - $0.05 per hourYou are charged for each hour that your VPN connection is provisioned and available. A common use case is creating a connection between your data center or on-prem network with the AWS VPC.
Egress traffic - $0.05 to $0.09 per GB for more North American + Europe regionsData egress is not usually a huge contributor to cost (for VPNs anyway) unless you turn on "full tunnel" traffic for clients. For the calculator, I ignored intra-region transfers. Those are priced at $0.01 per GB. Here's a useful resource from AWS on different types of data-transfer costs.
Site-to-site global accelerator premiums - $0.05 per hour + $0.015 to $0.091 per GBReleased in 2019, this feature improves VPN performance by routing VPN traffic through the AWS network instead of the public internet. This could be helpful when running latency-sensitive applications or workloads.
When setting up your Client VPN Endpoint, the default config option is to use a full tunnel (split tunneling disabled). This means all traffic from your end users will be routed through the endpoint - even traffic destined for the public internet. Ingress is free, but with zoom calls (up to 3.8 Mbps up) being commonplace, the costs can rack up quickly.
Terminate unused endpoints and associationsTarget network associations are the main fixed cost of AWS VPN. *If your usage is infrequent, you could disassociate the target networks until the route is needed again. Since AWS provides a CLI command and an API endpoint *for configuring target networks, you could even set up a script to “shut down” the VPN when it is not needed.
Set up a billing alarmUsing CloudWatch you can create an alert that triggers when current spending passes above a set threshold. Take a look at the AWS docs on how to set this up.
It depends. At a minimum you should probably ask yourself:
- What’s my budget? Use the price calculator to figure out what your bill will likely be each month. There are plenty of other VPNs to pick from, though some may take more time to deploy and manage.
- Where are my private resources? It makes more sense to use AWS VPN if most of your resources are located on AWS. For multi-cloud environments, you may want to consider a vendor agnostic solution.
- What features do I need? The AWS docs do a pretty good job at answering this question.
Even with the potential costs, AWS VPN is a great product. It’s fully managed, highly available, and seamlessly ties into AWS IAM (federated to the IdP of your choice). How to pick the right remote access solution is a broad topic and deserves its own post. We'll leave that up to the reader for now.
Firezone is an open-source alternative to legacy corporate VPNs. Firezone runs on your infrastructure. It's painless to deploy, easy to manage, and built on WireGuard® to be 4x-6x faster than OpenVPN. We wrote this post because we often help our users understand the impact of different remote access products to their IT budget. AWS is always particularly tricky to forecast.