cross az charges for IPSec VPN

Question

Dear Team - As per https://docs.aws.amazon.com/vpn/latest/s2svpn/disaster-recovery-resiliency.html,

`A Site-to-Site VPN connection consists of two tunnels, each terminating in a different Availability Zone, to provide increased availability to your VPC. If there's a device failure within AWS, your VPN connection automatically fails over to the second tunnel so that your access isn't interrupted`

and As per https://www.youtube.com/watch?v=qmKkbuS9gRs, when VPN terminates on VGW, AWS will select only one tunnel to send the traffic.

We have below scenario.

- IPSec VPN connection is terminated on VGW (VPCA) with Dynamic routing                                    
-Two Endpoints are deployed in AZ-1 and AZ-2

Now, i have EC2 instances on AZ2 which are sending heavy traffic to on-prem through IPSec VPN and AWS has selected AZ-1 tunnel endpoint to send the traffic back to on-premises.  In this case, traffic path would be below ?

**EC2 (AZ2) --> VPN endpoint (AZ1) / VGW --> on-prem router...**

Considering above, will i incur cross az charges for above path ? if yes, how can i reduce it ?

Thanks,

Gary Mclean · Accepted Answer

I could be wrong here but as AWS manage the VPN across 2 AZ's which you cant configure or ever find out, I've a feeling they will not charge you for the Cross AZ because its a managed service.

Dont quote me but thats my theory..

This repost by Tushar_J explains it a little https://repost.aws/questions/QUVfEIk2sHT22u4Oww88aNKg/how-to-find-availability-zone-of-site-to-site-vpn-outside-ip-address

cross az charges for IPSec VPN

Add your answer

Relevant content