Best Practices for Client VPN service for multiple accounts in an Organization-based structure
Our AWS Organization has been growing quite a lot (at least for us) in terms of Account numbers. VPN service has also added costs to the aggregated monthly total fee of USD 400 per account regarding the corresponding endpoint fixed price.
Is this supposed to happen that way? I mean, does adding an extra account with the VPN endpoint enabled always add the base cost for the whole month, or is there a more efficient way of doing so?
PS: One of the main goals of having VPN access (if not the only one) is to have SSH access to EC2 instances in private subnets.
Second update:
We also use VPN access to our VPC as a tunnel to VPC peered services, such as Atlas' MongoDB or Redislabs instances.
Also another observation: if you are getting charged $400/account, then depending on how many VPN connections you have, the data transfer cost might be the primary factor. If that is the case, the main driver is not the number of connections but the amount of data moving between on-prem and AWS. If that is the case, there might not be an easy way to significantly save on cost other than reducing the amount of data transferred. One thing I can suggest is to contact your account team through the AWS inquiry form below. The account Solutions Architect might be able to help with a high-level review and provide specific recommendations. https://aws.amazon.com/contact-us/sales-support/
Considering the management and operational overhead, the high-level answer is: not really.
If your main goal is to simplify networking management, one viable solution might be using a Transit Gateway (TGW) that can be shared with multiple accounts and VPCs, while connecting through VPN. However, each VPC attachment would have the same or similar hourly pricing as your VPN connection.
Depending on how much data you want to transfer between accounts and VPCs, it might be possible to use your own VPN solution in a shared VPC and use VPC peering to establish connectivity. But generally, because of the availability and operational considerations, that approach is not recommended.
Thanks Jason for your feedback. After reading it, I've just added a PS note to present the main type of usage.
I've added a second update to the original question
Since you stated one of your main goals here is SSH access to instances in private subnets, you may want to look into AWS Systems Manager Session Manager. This can remove the need to open SSH access for many use cases, and can be accessed via the AWS Console or using the AWS CLI.
There are some limitations and specific requirements for this, so it may not necessarily work for your use case, but is the recommended approach where viable now.
Please review the documentation to see if this will work for you: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.html
I've added an extra update to the question for another use case.
Systems Manager would be able to provide access to EC2 instances without a VPN if you install the SSM Agent. Systems Manager also has the capability for you to automate maintenance and patching tasks. Hopefully that reduces the need for having VPNs for each VPC.
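Both the Session Manager answer above and this one point at SSH over Systems Manager as the replacement for VPN-based SSH into private subnets. The following is an added example, not code from any of the posters or from AWS: it renders the `~/.ssh/config` stanza that the linked AWS guide describes (SSH tunnelled through `aws ssm start-session` with the `AWS-StartSSHSession` document), builds a least-privilege IAM policy that only allows sessions via that document to instances carrying a chosen tag, and includes a small check that flags policies which grant `ssm:StartSession` on `*`. The region, account id, tag key/value and the optional CLI profile are constructed placeholders; the IAM actions, document name and condition keys are the ones AWS documents for Session Manager.

```python
"""Added example: client-side pieces for SSH over AWS Systems Manager Session Manager.

Not part of the original thread. REGION, ACCOUNT_ID and the tag values below are
constructed placeholders; replace them with your own before use.
"""
import json

REGION = "eu-west-1"          # placeholder
ACCOUNT_ID = "111122223333"   # placeholder
SSH_DOCUMENT = "AWS-StartSSHSession"   # AWS-managed document that tunnels SSH over SSM


def ssh_config_block(host_pattern="i-* mi-*", profile=None):
    """Return an ~/.ssh/config stanza that proxies SSH through Session Manager.

    ssh expands %h to the instance id used as the host name and %p to the port,
    so no inbound security-group rule or VPN is needed for port 22.
    """
    profile_flag = f" --profile {profile}" if profile else ""
    proxy = (
        f'sh -c "aws ssm start-session --target %h --document-name {SSH_DOCUMENT} '
        f"--parameters 'portNumber=%p'{profile_flag}\""
    )
    return "\n".join([f"Host {host_pattern}", f"    ProxyCommand {proxy}", ""])


def session_manager_policy(tag_key="Environment", tag_value="dev"):
    """Least-privilege IAM policy for SSH-over-SSM users.

    - StartSession only on instances tagged tag_key=tag_value and only through
      the SSH document (SessionDocumentAccessCheck forces the document ARN to be
      part of the authorization decision).
    - Users may only terminate or resume sessions they started themselves.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "StartSshSessionOnTaggedInstances",
                "Effect": "Allow",
                "Action": "ssm:StartSession",
                "Resource": [
                    f"arn:aws:ec2:{REGION}:{ACCOUNT_ID}:instance/*",
                    f"arn:aws:ssm:{REGION}::document/{SSH_DOCUMENT}",
                ],
                "Condition": {
                    "StringEquals": {f"ssm:resourceTag/{tag_key}": tag_value},
                    "BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"},
                },
            },
            {
                "Sid": "ManageOwnSessionsOnly",
                "Effect": "Allow",
                "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
                "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*",
            },
        ],
    }


def policy_is_scoped(policy):
    """Return True if every Allow of ssm:StartSession names a specific session
    document and never uses a bare '*' resource. Useful as a pre-commit check
    on policies that replace VPN access with Session Manager."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("ssm:StartSession", "ssm:*", "*") for a in actions):
            continue
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in resources or not any(":document/" in r for r in resources):
            return False
    return True


def policy_json(policy):
    """Serialize a policy the way it would be pasted into the IAM console."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(ssh_config_block(profile="dev"))
    policy = session_manager_policy()
    print(policy_json(policy))
    print("scoped:", policy_is_scoped(policy))
```

With the stanza in place, `ssh ec2-user@i-0123456789abcdef0` goes through SSM Agent and the Session Manager endpoint, so the instance needs an outbound path to SSM (NAT gateway or VPC endpoints) and an instance profile with the `AmazonSSMManagedInstanceCore` policy, but no inbound port 22 and no Client VPN endpoint per account.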