Yes — A Single VPN Entry Point for 7 Regions Is Achievable.
The recommended architecture is a Hub-Spoke model using AWS Transit Gateway with inter-region peering. You terminate a single Site-to-Site VPN in one "hub" region, then use Transit Gateway peering to reach the other 6 regions.
Recommended Architecture
The traffic flow is:
On-Premises → (Site-to-Site VPN) → Hub Region Transit Gateway → (TGW Inter-Region Peering) → Spoke Region Transit Gateway → Spoke VPCs
Here's how to set it up:
- Pick a hub region (e.g., the one closest to your office for lowest latency).
- Create a Transit Gateway in each of the 7 regions.
- Create one Site-to-Site VPN connection from your on-premises router to the hub Transit Gateway. AWS recommends TGW-based VPN over VGW for scalability and ECMP support (source (https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/vpn.html)).
- Create Transit Gateway inter-region peering from the hub TGW to each of the 6 spoke TGWs.
- Attach your VPCs in each region to their local Transit Gateway.
- Configure route tables: the hub TGW routes each spoke region's CIDRs to the corresponding peering attachment. Each spoke TGW routes on-premises CIDRs back through the peering attachment to the hub.
This is the pattern described in the AWS hybrid connectivity whitepaper for multi-region (>3 regions) (https://docs.aws.amazon.com/whitepapers/latest/hybrid-connectivity/aws-dx-dxgw-with-aws-transit-gateway-multi-regions-more-than-3.html).
Client VPN vs. Site-to-Site VPN
Site-to-Site VPN is for permanent network-to-network links (office/data center to AWS). It provides 1.25 Gbps per tunnel, supports BGP routing, integrates with TGW route tables, and costs ~$0.05/hr per connection plus data transfer. It reaches all 7 regions through TGW peering from the hub.
Client VPN is for individual user remote access (laptops, remote workers). It costs $0.10/hr per endpoint plus $0.05/hr per active connection. To reach multiple regions, you'd need either an endpoint in each region or VPC peering — neither is ideal for site-level connectivity.
Recommendation: For "office accessing resources across 7 regions," use Site-to-Site VPN on Transit Gateway. Client VPN is the wrong tool for this use case.
Cost Breakdown for 7 Regions
Using US East pricing as reference:
Fixed monthly costs:
- 1 Site-to-Site VPN connection: ~$36 ($0.05/hr × 730 hrs)
- Hub TGW — 1 VPN attachment: ~$36.50 ($0.05/hr)
- Hub TGW — 6 peering attachments (one per spoke): ~$219
- 6 Spoke TGWs — 1 peering attachment each: ~$219
- 6 Spoke TGWs — 2 VPC attachments each (12 total): ~$438
- Hub TGW — 2 VPC attachments (hub VPCs): ~$73
- Fixed total: ~$1,021.50/month
Variable costs:
- TGW data processing: $0.02/GB
- Inter-region data transfer via TGW peering: $0.02/GB (most regions)
The dominant cost is TGW attachments (~$36.50/month each), not the VPN itself. Minimize attachments by consolidating VPCs where possible.
Summary Recommendation
- Start with: Site-to-Site VPN → Hub Transit Gateway → TGW inter-region peering to 6 spoke TGWs
- If operational complexity grows: Migrate to AWS Cloud WAN for policy-driven management
- If performance/reliability demands increase: Add Direct Connect with DX Gateway, keep VPN as backup
- Minimize costs by: Using route summarization, placing the hub in the region closest to your office, and consolidating shared services (DNS, inspection) in the hub to reduce inter-region traffic
References:
- AWS VPN Pricing (https://aws.amazon.com/vpn/pricing/)
- AWS Transit Gateway Pricing (https://aws.amazon.com/transit-gateway/pricing/)
- Building a Scalable and Secure Multi-VPC Network Infrastructure
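The hub-and-spoke design above can be checked before any TGW is built. The following Python script is an added example, not code from the answer or from AWS: it generates the static route tables the answer describes (hub: spoke CIDRs to the peering attachment, on-premises CIDRs to the VPN attachment; spoke: on-premises CIDRs back through the peering to the hub), applies the route summarization suggested in the cost section, traces a packet across the two TGW hops with longest-prefix matching, and reproduces the fixed-cost arithmetic from the answer's $0.05/hr rates. Region names, VPC CIDRs, the on-premises range and the attachment labels are constructed placeholders, and the cost helper does not round the VPN connection line to $36, so it lands at $1,022.00 instead of the answer's ~$1,021.50.

```python
"""Hub-and-spoke Transit Gateway route-table planner (added example).

Not from the re:Post answer or from AWS. Region names, CIDRs and the
attachment labels are constructed placeholders, not real attachment IDs.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Route = Tuple[Net, str]  # (destination prefix, TGW attachment the route points at)

# Constructed topology: the hub region terminates the Site-to-Site VPN and
# six spoke regions are reached through TGW inter-region peering.
ON_PREM_CIDRS = ["192.168.0.0/16"]
HUB = "eu-west-1"
VPCS: Dict[str, List[str]] = {
    "eu-west-1": ["10.0.0.0/16", "10.1.0.0/16"],
    "us-east-1": ["10.2.0.0/16", "10.3.0.0/16"],
    "us-west-2": ["10.4.0.0/16", "10.5.0.0/16"],
    "ap-southeast-1": ["10.6.0.0/16", "10.7.0.0/16"],
    "ap-northeast-1": ["10.8.0.0/16", "10.9.0.0/16"],
    "eu-central-1": ["10.10.0.0/16", "10.11.0.0/16"],
    "sa-east-1": ["10.12.0.0/16", "10.13.0.0/16"],
}


def summarize(cidrs: List[str]) -> List[Net]:
    """Route summarization: collapse adjacent VPC CIDRs into one supernet."""
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(c) for c in cidrs))


def plan_routes(hub: str = HUB, vpcs: Dict[str, List[str]] = VPCS,
                on_prem: List[str] = ON_PREM_CIDRS) -> Dict[str, List[Route]]:
    """Build the static TGW route table for the hub and for every spoke.

    Inter-region peering attachments do not propagate routes, so every
    entry that crosses a peering has to be a static route.
    """
    spokes = [r for r in vpcs if r != hub]
    tables: Dict[str, List[Route]] = {}

    hub_table: List[Route] = [(ipaddress.ip_network(c), f"vpn:{hub}") for c in on_prem]
    hub_table += [(ipaddress.ip_network(c), f"vpc:{hub}:{i}") for i, c in enumerate(vpcs[hub])]
    for s in spokes:
        # One summarized prefix per spoke, pointing at the hub->spoke peering.
        hub_table += [(n, f"peering:{hub}->{s}") for n in summarize(vpcs[s])]
    tables[hub] = hub_table

    for s in spokes:
        # A spoke only knows on-prem (via the hub) and its own VPCs. No other
        # spoke's CIDR is present, so cross-region east-west traffic is not
        # enabled implicitly; it would have to be added as a deliberate route.
        table: List[Route] = [(ipaddress.ip_network(c), f"peering:{s}->{hub}") for c in on_prem]
        table += [(ipaddress.ip_network(c), f"vpc:{s}:{i}") for i, c in enumerate(vpcs[s])]
        tables[s] = table
    return tables


def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match, as the TGW does; None means no route (dropped)."""
    addr = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, att) for net, att in table if addr in net]
    return max(matches)[1] if matches else None


def trace(tables: Dict[str, List[Route]], start_region: str, dst: str) -> Tuple[str, List[str]]:
    """Follow a packet entering the TGW in start_region towards dst.

    Returns ("delivered", hops) when it lands on a VPC or VPN attachment and
    ("dropped", hops) when a TGW on the path has no matching route.
    """
    region, hops = start_region, []
    for _ in range(4):  # bounded: hub and spoke are at most two TGW hops apart
        target = lookup(tables[region], dst)
        if target is None:
            return "dropped", hops
        hops.append(target)
        if not target.startswith("peering:"):
            return "delivered", hops
        region = target.split("->", 1)[1]  # continue at the peered TGW
    return "dropped", hops


def monthly_fixed_cost(n_spokes: int = 6, vpcs_per_spoke: int = 2, hub_vpcs: int = 2,
                       hourly_rate: float = 0.05, hours: int = 730) -> float:
    """Fixed monthly cost at the answer's rates: $0.05/hr for the VPN
    connection and $0.05/hr per TGW attachment. A peering is an attachment
    on each of the two TGWs, so it is counted once per side."""
    hub_attachments = 1 + n_spokes + hub_vpcs            # VPN + peerings + hub VPCs
    spoke_attachments = n_spokes * (1 + vpcs_per_spoke)  # peering + VPCs per spoke
    billable = 1 + hub_attachments + spoke_attachments   # leading 1: the VPN connection
    return round(billable * hourly_rate * hours, 2)


if __name__ == "__main__":
    tables = plan_routes()
    for region, table in tables.items():
        print(region, [(str(n), att) for n, att in table])
    print(trace(tables, HUB, "10.3.7.7"))           # on-prem -> us-east-1 VPC
    print(trace(tables, "us-east-1", "10.4.1.1"))   # spoke -> other spoke: dropped
    print(f"fixed monthly: ${monthly_fixed_cost():.2f}")
```

The trace for a spoke-to-spoke destination coming back as dropped is the property worth keeping an eye on: the hub holds every region's prefix, so the only thing stopping one region's VPCs from reaching another's is the absence of those routes in the spoke tables. Any route added there later widens the blast radius of a compromised VPC to another region, so those additions deserve the same review as a security-group change.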
