Best Practices for Client VPN service for multiple accounts in an Organization-based structure


Our AWS Organization has been growing quite a lot (at least for us) in terms of account numbers. The VPN service has also added costs to the aggregated monthly total, a fee of USD 400 per account for the corresponding endpoint's fixed price.

Is this supposed to happen that way? I mean, does adding an extra account with the VPN endpoint enabled always add the base cost for the whole month, or is there a more efficient way of doing so?

PS: One of the main goals of having VPN access (if not the only one) is to have SSH access to EC2 instances in private subnets.

Second update:

We also use VPN access to our VPC as a tunnel to VPC peered services, such as Atlas' MongoDB or Redislabs instances.

  • Systems Manager would be able to provide access to EC2 instances without a VPN if you install the SSM agent. Systems Manager also has the capability for you to automate maintenance and patching tasks. Hopefully that reduces the need for having VPNs for each VPC.

  • Another observation: if you are getting charged $400/account, depending on how many VPN connections you have, the data transfer cost might be the primary factor. If that is the case, the main driver is not the number of connections but the amount of data moving between on-prem and AWS, and there might not be an easy way to significantly save on cost other than reducing the amount of data transferred. One thing I can suggest is to contact your account team through the AWS inquiry form below. The account Solutions Architect might be able to help with a high-level review and provide specific recommendations.

2 Answers

Considering the management and operational overhead, the high level answer is not really.

If your main goal is to simplify network management, one viable solution might be using a Transit Gateway (TGW) that can be shared with multiple accounts and VPCs, while connecting through VPN. However, each VPC attachment would have the same or similar hourly pricing as your VPN connection.

Depending on how much data you want to transfer between accounts and VPCs, it might be possible to use your own VPN solution in a shared VPC and use VPN peering to establish connectivity. But generally, because of the availability and operational considerations, that approach is not recommended.

answered 2 years ago
  • Thanks Jason for your feedback; after reading it, I've just added a PS note to present the main type of usage.

  • I've added a second update to the original question


Since you stated one of your main goals here is SSH access to instances in private subnets, you may want to look into AWS Systems Manager Session Manager. This can remove the need to open SSH access for many use cases, and can be accessed via the AWS Console or using the AWS CLI.

There are some limitations and specific requirements for this, so it may not necessarily work for your use case, but it is now the recommended approach where viable.

Please review the documentation to see if this will work for you:

answered 2 years ago
  • I've added an extra update to the question for another use case
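As an added example (not from the original thread or from AWS), the following POSIX shell snippet shows what the Session Manager route recommended in the answer above looks like in practice for both use cases raised in the question: SSH to a private instance, and tunnelling to a service that is only reachable from inside the VPC (such as a VPC-peered database). It assumes AWS CLI v2 with the Session Manager plugin installed locally, an instance running the SSM agent with an instance profile that allows it to register with Systems Manager, and a caller with `ssm:StartSession` permission on that instance. Because the sessions are brokered by the Systems Manager service, the instance needs no inbound security-group rule on port 22 and no VPN endpoint in the account; the instance IDs and hostnames below are placeholders.

```shell
#!/bin/sh
# Added example: SSH and port forwarding through Systems Manager Session Manager
# instead of a Client VPN endpoint. Assumptions: AWS CLI v2, the
# session-manager-plugin on PATH, SSM agent + instance profile on the target,
# and ssm:StartSession permission for the caller. Hostnames/IDs are placeholders.

# Local preflight: the CLI refuses to start a session without the plugin.
ssm_preflight() {
    command -v aws >/dev/null 2>&1 || { echo "aws CLI not found" >&2; return 1; }
    command -v session-manager-plugin >/dev/null 2>&1 \
        || { echo "session-manager-plugin not found" >&2; return 1; }
    return 0
}

# Emit an ssh_config stanza that proxies any host named i-* or mi-* through
# Session Manager (the AWS-StartSSHSession document). Append the output to
# ~/.ssh/config, then `ssh i-0123456789abcdef0` works with no open port 22.
ssm_ssh_config() {
    user=${1:-ec2-user}
    cat <<EOF
Host i-* mi-*
    User $user
    ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
EOF
}

# Build the command for a port-forwarding session from the local machine,
# via the instance, to a host only reachable from inside the VPC (for the
# question's second use case: a VPC-peered database endpoint). The document
# AWS-StartPortForwardingSessionToRemoteHost takes JSON list-valued parameters.
ssm_port_forward_cmd() {
    instance_id=$1; remote_host=$2; remote_port=$3; local_port=${4:-$3}
    printf 'aws ssm start-session --target %s --document-name AWS-StartPortForwardingSessionToRemoteHost --parameters %s\n' \
        "$instance_id" \
        "'{\"host\":[\"$remote_host\"],\"portNumber\":[\"$remote_port\"],\"localPortNumber\":[\"$local_port\"]}'"
}

# Server-side check to run before blaming networking: the instance must show
# as Online in Systems Manager, which only happens when the agent can reach the
# SSM endpoints (via NAT or VPC interface endpoints) with a valid instance profile.
ssm_check_managed() {
    instance_id=$1
    aws ssm describe-instance-information \
        --filters "Key=InstanceIds,Values=$instance_id" \
        --query 'InstanceInformationList[0].PingStatus' --output text
}

# Example usage (placeholders; nothing here contacts AWS until you run it):
#   ssm_preflight && ssm_ssh_config ec2-user >> ~/.ssh/config
#   ssm_check_managed i-0123456789abcdef0      # expect: Online
#   eval "$(ssm_port_forward_cmd i-0123456789abcdef0 db.example.internal 27017)"
#   mongosh mongodb://127.0.0.1:27017         # in a second terminal
```

Access is then governed by IAM rather than by network reachability: scoping `ssm:StartSession` to instances by tag, and restricting which session documents a principal may use, replaces the security-group rule that the VPN CIDR would otherwise have needed. Session Manager can also log each session to CloudWatch Logs or S3, which a plain SSH-over-VPN setup does not give you.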
