Dear Team - As per https://docs.aws.amazon.com/vpn/latest/s2svpn/disaster-recovery-resiliency.html,
"A Site-to-Site VPN connection consists of two tunnels, each terminating in a different Availability Zone, to provide increased availability to your VPC. If there's a device failure within AWS, your VPN connection automatically fails over to the second tunnel so that your access isn't interrupted."
and as per https://www.youtube.com/watch?v=qmKkbuS9gRs, when the VPN terminates on a VGW, AWS will select only one tunnel to send the traffic.
We have the scenario below.
- The IPsec VPN connection is terminated on a VGW (VPCA) with dynamic routing
- Two endpoints are deployed in AZ-1 and AZ-2
Now, I have EC2 instances in AZ-2 which are sending heavy traffic to on-prem through the IPsec VPN, and AWS has selected the AZ-1 tunnel endpoint to send the traffic back to on-premises. In this case, would the traffic path be as below?
EC2 (AZ2) --> VPN endpoint (AZ1) / VGW --> on-prem router...
Considering the above, will I incur cross-AZ charges for the above path? If yes, how can I reduce it?
Thanks,
I agree that this would be in line with AWS's general pricing philosophy: if you can't control (or in the case of site-to-site VPN, even know) whether you're crossing an AZ boundary, you won't be charged for cross-AZ traffic.
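One check that is worth running alongside this discussion, added here as an example and not part of either post: inspect the tunnel telemetry that `ec2:DescribeVpnConnections` returns for the VGW-terminated connection. It tells you which of the two tunnels are UP and how many BGP routes each has accepted (the "dynamic routing" case in the question), which is what you would use to confirm that the second tunnel is actually available for failover. It does not tell you the Availability Zone of either tunnel endpoint, nor which tunnel AWS is currently using for egress, which is exactly why the cross-AZ question cannot be answered from the API. The response below is constructed with placeholder IDs and documentation-range IPs so the script runs offline; swap it for a real `boto3` call as noted in the code.

```python
"""Summarise Site-to-Site VPN tunnel state from a DescribeVpnConnections response.

Added example, not code from the original post. The structure below mirrors the
boto3 ``ec2.describe_vpn_connections()`` response; the IDs and IPs are
placeholders (constructed sample), not real resources.
"""

# Constructed sample response: one VGW-terminated connection with dynamic
# (BGP) routing, tunnel 1 UP with three accepted routes, tunnel 2 DOWN.
SAMPLE_RESPONSE = {
    "VpnConnections": [
        {
            "VpnConnectionId": "vpn-0123456789abcdef0",   # placeholder
            "VpnGatewayId": "vgw-0123456789abcdef0",      # placeholder
            "State": "available",
            "Options": {"StaticRoutesOnly": False},       # False => BGP
            "VgwTelemetry": [
                {"OutsideIpAddress": "203.0.113.10", "Status": "UP",
                 "AcceptedRouteCount": 3, "StatusMessage": ""},
                {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN",
                 "AcceptedRouteCount": 0, "StatusMessage": "IPSEC IS DOWN"},
            ],
        }
    ]
}


def tunnel_report(response):
    """Flatten VgwTelemetry into one row per tunnel.

    Note what is *not* here: the AZ of the tunnel endpoint and whether AWS is
    currently preferring this tunnel for egress. Neither is exposed.
    """
    rows = []
    for conn in response.get("VpnConnections", []):
        dynamic = not conn.get("Options", {}).get("StaticRoutesOnly", False)
        for tunnel in conn.get("VgwTelemetry", []):
            rows.append({
                "vpn_id": conn["VpnConnectionId"],
                "outside_ip": tunnel["OutsideIpAddress"],
                "up": tunnel.get("Status") == "UP",
                # For BGP connections a tunnel that is UP but has accepted no
                # routes will not carry traffic, so report the count too.
                "accepted_routes": tunnel.get("AcceptedRouteCount", 0),
                "dynamic": dynamic,
                "message": tunnel.get("StatusMessage", ""),
            })
    return rows


def degraded_connections(response):
    """Return IDs of connections that do not have two usable tunnels.

    "Usable" means Status UP and, for dynamic routing, at least one accepted
    route. A connection in this list has lost the failover described in the
    AWS resiliency page quoted in the question.
    """
    degraded = []
    for conn in response.get("VpnConnections", []):
        usable = 0
        for row in tunnel_report({"VpnConnections": [conn]}):
            if row["up"] and (not row["dynamic"] or row["accepted_routes"] > 0):
                usable += 1
        if usable < 2:
            degraded.append(conn["VpnConnectionId"])
    return degraded


if __name__ == "__main__":
    # Against a real account, replace SAMPLE_RESPONSE with
    #   boto3.client("ec2").describe_vpn_connections()
    # (credentials and the ec2:DescribeVpnConnections permission required).
    for row in tunnel_report(SAMPLE_RESPONSE):
        state = "UP" if row["up"] else "DOWN"
        print(f"{row['vpn_id']} {row['outside_ip']:<15} {state:<4} "
              f"routes={row['accepted_routes']} {row['message']}")
    for vpn_id in degraded_connections(SAMPLE_RESPONSE):
        print(f"WARNING: {vpn_id} has fewer than two usable tunnels")
```

Run it as-is to see the constructed sample flagged as degraded (only one usable tunnel); with a real response, an empty warning list confirms both tunnels are up and exchanging routes, which is the precondition for the automatic failover the AWS page describes.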