cross az charges for IPSec VPN


Dear Team - As per,

A Site-to-Site VPN connection consists of two tunnels, each terminating in a different Availability Zone, to provide increased availability to your VPC. If there's a device failure within AWS, your VPN connection automatically fails over to the second tunnel so that your access isn't interrupted

and As per, when VPN terminates on VGW, AWS will select only one tunnel to send the traffic.

We have below scenario.

  • IPSec VPN connection is terminated on VGW (VPCA) with Dynamic routing
    -Two Endpoints are deployed in AZ-1 and AZ-2

Now, i have EC2 instances on AZ2 which are sending heavy traffic to on-prem through IPSec VPN and AWS has selected AZ-1 tunnel endpoint to send the traffic back to on-premises. In this case, traffic path would be below ?

EC2 (AZ2) --> VPN endpoint (AZ1) / VGW --> on-prem router...

Considering above, will i incur cross az charges for above path ? if yes, how can i reduce it ?


preguntada hace un mes122 visualizaciones
1 Respuesta
Respuesta aceptada

I could be wrong here but as AWS manage the VPN across 2 AZ's which you cant configure or ever find out, I've a feeling they will not charge you for the Cross AZ because its a managed service.

Dont quote me but thats my theory..

This repost by Tushar_J explains it a little

profile picture
respondido hace un mes
profile pictureAWS
revisado hace un mes
  • I agree that this would be in line with AWS's general pricing philosophy: if you can't control (or in the case of site-to-site VPN, even know) whether you're crossing an AZ boundary, you won't be charged for cross-AZ traffic.

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Pautas para responder preguntas