Networking Costs for VPN-Based Hybrid Architectures


Networking Costs When Building A Hybrid Cloud
2m 44s
Networking Costs for VPN-Based Hybrid Architectures

In this course, we will analyze the most cost-effective connectivity options between AWS and on-premises environments and the key networking cost contributors in these architectures. 

Learning Objectives

  • A greater understanding of networking costs in hybrid architectures, including:
    • The costs of connectivity services like Direct Connect, Site-to-Site VPN, and Transit Gateway
    • How to select the most cost-effective connectivity option considering your business requirements

Intended Audience

  • Those who are planning on implementing and managing hybrid architectures on AWS and need to better understand the cost implications of the different connectivity options


  • You should have a fundamental understanding of networking services on AWS, including VPCs, Direct Connect, Site-to-Site VPNs, and Transit Gateway.
  • For more information on these services, please see our existing content titled: 



Let’s look at a hybrid architecture that uses a Site-to-Site VPN to connect to an AWS environment from an on-premises data center. In this architecture, the on-premises resources are on the left side and the AWS workloads are on the right side with two Site-to-Site VPNs in the middle. Each Site-to-Site VPN is highly available by default, consisting of two lines. Each of the cost factors for this hybrid architecture are labeled 1 through 4. 

In this architecture, there are two endpoints for this IPsec VPN connection. The first endpoint anchors the connection at the data center through a customer gateway. This customer gateway is the first cost factor in any hybrid architecture. This cost depends on the vendor, whether it is Juniper Networks, Palo Alto Networks, Cisco Systems, or another option. It also depends on your specs and what level of performance you require. You may already own a device that can be used as an endpoint, or you may have to buy one, which could cost you thousands of dollars. 

You then have to multiply that cost by two, as it’s encouraged to have at least two customer gateway devices for high availability. 

The second endpoint terminates the connection on the AWS side of the architecture. You have multiple options for this endpoint: 

You can select between a virtual private gateway, a Transit Gateway, or an EC2 instance within your VPC using software from a vendor. This is considered the second cost factor in the architecture, depending on which option you choose. Let’s go through the cost of each option. 

An EC2 instance within your VPC that runs vendor software is priced based on the size and family of the instance and the price of the software. This is an unmanaged option, so you also have to factor in the price of maintenance and configuration of the instance. 

The second option is the virtual private gateway, which is a fully managed VPN endpoint. Virtual private gateways have no extra cost associated with them. However, they do have a few limitations. They only support a one-to-one relationship between a VPN connection and a VPC, meaning 1 VPN connection can only access one VPC using a virtual private gateway. These gateways also support throughput of up to 1.25 Gbps per tunnel, and they do not support ECMP. 

The last way to terminate this endpoint is through AWS Transit Gateway. By using this service, you do introduce extra cost into your architecture. However, it makes up for some of the limitations of a virtual private gateway. For example, it can have attachments of up to 5000 VPCs, meaning it supports a one-to-many relationship between a VPN connection and VPCs. This is important in terms of management as you scale. It ensures less maintenance and less connections in the long run. Additionally, while the throughput is still limited to 1.25 Gbps, you can use ECMP with dynamic routing and make use of both lines of your VPN to horizontally scale.

Let’s look at the cost introduced by Transit Gateway. In this architecture, the Transit Gateway is attached to two VPCs and the VPN connection. You pay for each connection per hour. The fixed rate for this depends on your Region - for example, in the Ohio Region, the cost is $0.05 per attachment. You additionally pay a data processing charge for each GB that was sent from a VPC or VPN connection to the Transit Gateway. This is priced at around $0.02 per GB, depending on your Region. 

So for a full month of utilization, which would be around 730 hours, you would pay $0.15 per hour total service charge for the three connections. This comes out to be $109.50. And if you process 1024 GB, which is 1 TB, across all connections, the data processing cost would be $20.48, for a total monthly Transit Gateway cost of $129.98. 

Regardless of which endpoint you choose, you then have to add in the costs for the VPN connection itself. This is cost factor number three. For each connection hour that the line is provisioned and available, you pay $0.05 an hour per Site-to-Site VPN.

Considering 730 hours of utilization, and two Site-to-Site VPN connections, the total cost of this service fee would come out to be $73 dollars per month. 

Then you have to consider data transfer. This is cost factor number four. Data transfer into AWS through the VPN is free, however, data transfer out does eventually come at a cost. It uses a tiered pricing model, based on how many GB you send out of the VPN connection. This depends on your Region, however, we’ll use the Ohio Region as an example. For this Region, the first 100 GB are free each month, then the next 10 TB of data transfer is priced at $0.09 per GB. After that, there are different costs based on the amount of data you transfer out. 

So let’s say you transfer 500 GB of data out of the Region. The first 100 GB of data are free, leaving 400 GB of data to be priced at $0.09 per GB, which costs $36 total monthly.  

If you’re transferring large amounts of data out of AWS consistently over a long period of time, this data transfer rate can end up increasing your total bill and potentially make VPN more expensive than a more permanent option like Direct Connect. That’s why Site-to-Site VPNs are best for temporary connectivity, where you're transferring smaller amounts of data between your environments. 

Outside of the basic cost factors, you have optional costs based on the features you enable. 

For example, as an optional cost factor, you can choose to enable Accelerated Site-to-Site VPN. This is only available if you terminate your VPN connection through Transit Gateway - not EC2 or virtual private gateway. 

This enables you to route traffic over edge locations using the AWS Backbone to reach your AWS resources. The idea is it provides better performance than your VPN - however, anything with better performance usually comes at a price increase and that’s true with this feature as well. 

To route traffic over the Backbone, this feature uses two Global Accelerators. You pay for both of these Global Accelerators each hour the connection is active. For both Global Accelerators, the hourly fee is $0.05. That means, for a full month of utilization, you will pay another $36 dollars on top of your existing Transit Gateway and Site-to-Site VPN fees. 

You will additionally have to pay a data transfer premium fee with Accelerated Site-to-Site VPN. These fees depend on the source Region and the destination. For example, if you’re routing traffic between Regions in America and Europe, you pay $0.015 per GB for 1,000 GB of traffic. So if you transfer 1000 GB of data, you pay $15. 

That brings us to the end of the video. In summary, the four main cost factors were: the Customer Gateway, the AWS Gateway if you select either the unmanaged EC2 instance or Transit Gateway, the Site-to-Site VPN service charge, and data transfer. That’s it for this one - see you next time. 

About the Author

Alana Layton is an experienced technical trainer, technical content developer, and cloud engineer living out of Seattle, Washington. Her career has included teaching about AWS all over the world, creating AWS content that is fun, and working in consulting. She currently holds six AWS certifications. Outside of Cloud Academy, you can find her testing her knowledge in bar trivia, reading, or training for a marathon.