Cross-AZ charges for IPSec VPN


Dear Team - As per,

A Site-to-Site VPN connection consists of two tunnels, each terminating in a different Availability Zone, to provide increased availability to your VPC. If there's a device failure within AWS, your VPN connection automatically fails over to the second tunnel so that your access isn't interrupted.

And as per, when VPN terminates on VGW, AWS will select only one tunnel to send the traffic.

We have the below scenario.

  • IPSec VPN connection is terminated on VGW (VPCA) with dynamic routing
    - Two endpoints are deployed in AZ-1 and AZ-2

Now, I have EC2 instances in AZ2 which are sending heavy traffic to on-prem through the IPSec VPN, and AWS has selected the AZ-1 tunnel endpoint to send the traffic back to on-premises. In this case, would the traffic path be as below?

EC2 (AZ2) --> VPN endpoint (AZ1) / VGW --> on-prem router...

Considering the above, will I incur cross-AZ charges for the above path? If yes, how can I reduce it?


asked a month ago · 127 views
1 Answer
Accepted Answer

I could be wrong here, but as AWS manage the VPN across 2 AZs, which you can't configure or ever find out, I've a feeling they will not charge you for the cross-AZ traffic because it's a managed service.

Don't quote me, but that's my theory.

This repost by Tushar_J explains it a little.

answered a month ago
AWS
reviewed a month ago
  • I agree that this would be in line with AWS's general pricing philosophy: if you can't control (or in the case of site-to-site VPN, even know) whether you're crossing an AZ boundary, you won't be charged for cross-AZ traffic.
