Cross-AZ charges for IPSec VPN


Dear Team - As per,

A Site-to-Site VPN connection consists of two tunnels, each terminating in a different Availability Zone, to provide increased availability to your VPC. If there's a device failure within AWS, your VPN connection automatically fails over to the second tunnel so that your access isn't interrupted

And as per, when VPN terminates on VGW, AWS will select only one tunnel to send the traffic.

We have the below scenario.

  • IPSec VPN connection is terminated on VGW (VPCA) with dynamic routing
    - Two endpoints are deployed in AZ-1 and AZ-2

Now, I have EC2 instances in AZ2 which are sending heavy traffic to on-prem through the IPSec VPN, and AWS has selected the AZ-1 tunnel endpoint to send the traffic back to on-premises. In this case, would the traffic path be as below?

EC2 (AZ2) --> VPN endpoint (AZ1) / VGW --> on-prem router...

Considering the above, will I incur cross-AZ charges for the above path? If yes, how can I reduce it?


Asked 1 month ago · 117 views
1 Answer

I could be wrong here, but as AWS manages the VPN across 2 AZs, which you can't configure or ever find out, I've a feeling they will not charge you for the cross-AZ traffic because it's a managed service.

Don't quote me, but that's my theory.

This repost by Tushar_J explains it a little

answered 1 month ago
AWS
reviewed 1 month ago
  • I agree that this would be in line with AWS's general pricing philosophy: if you can't control (or in the case of site-to-site VPN, even know) whether you're crossing an AZ boundary, you won't be charged for cross-AZ traffic.
