Cross-AZ charges for IPSec VPN

0

Dear Team - As per https://docs.aws.amazon.com/vpn/latest/s2svpn/disaster-recovery-resiliency.html,

A Site-to-Site VPN connection consists of two tunnels, each terminating in a different Availability Zone, to provide increased availability to your VPC. If there's a device failure within AWS, your VPN connection automatically fails over to the second tunnel so that your access isn't interrupted.

and as per https://www.youtube.com/watch?v=qmKkbuS9gRs, when VPN terminates on VGW, AWS will select only one tunnel to send the traffic.

We have the below scenario.

  • IPSec VPN connection is terminated on VGW (VPCA) with dynamic routing
    - Two endpoints are deployed in AZ-1 and AZ-2

Now, I have EC2 instances in AZ2 which are sending heavy traffic to on-prem through the IPSec VPN, and AWS has selected the AZ-1 tunnel endpoint to send the traffic back to on-premises. In this case, would the traffic path be as below?

EC2 (AZ2) --> VPN endpoint (AZ1) / VGW --> on-prem router...

Considering the above, will I incur cross-AZ charges for the above path? If yes, how can I reduce it?

Thanks,

JD
Asked 1 month ago, 117 views
1 Answer
2
Accepted Answer

I could be wrong here, but as AWS manages the VPN across 2 AZs, which you can't configure or ever find out, I've a feeling they will not charge you for the cross-AZ traffic because it's a managed service.

Don't quote me, but that's my theory.

This re:Post by Tushar_J explains it a little: https://repost.aws/questions/QUVfEIk2sHT22u4Oww88aNKg/how-to-find-availability-zone-of-site-to-site-vpn-outside-ip-address

Expert
Answered 1 month ago
AWS Expert
iBehr
Reviewed 1 month ago
  • I agree that this would be in line with AWS's general pricing philosophy: if you can't control (or in the case of site-to-site VPN, even know) whether you're crossing an AZ boundary, you won't be charged for cross-AZ traffic.
