AWS VPN's pricing is hard to understand, so I built a calculator

Hey everyone!

Sometimes I work with IT teams to budget the price of different remote access products. AWS VPN is always challenging to forecast since there are so many cost variables. For example, we found the minimum cost for a single endpoint is $70 a month (assuming it’s kept on 24/7), even if you don’t connect to it at all. Most of the cost comes from target network associations.

To help with visualizing the cost, I built a cost calculator spreadsheet. I wanted to share it here in case it helps save a few dollars off your monthly bill. It’s in Google Sheets, so please make a copy to use it yourself.

AWS has a pretty good cost calculator too, but having a few sample scenarios is the main section lacking from their docs.

A few example scenarios

The links go to nice charts in the spreadsheet.

Scenario 1 - Small team or personal project (1 VPC, 1 subnet, 3 users)

Cost: $96 per month ($1,152 annually)

This is likely the most simple use case for AWS VPN. It highlights the high fixed cost of target network associations, which for smaller teams will make up the majority of your cost each month.

With such a small group of users, a bastion host or self-managing something like WireGuard can be a good low-cost option. In theory, if your VPN demands are infrequent, you can remove any target-network associations when you are not using the VPN.

Scenario 2 - Medium sized team (2 VPCs, 3 subnets, 10 users, split tunnel)

Cost: $368 per month ($4,416 annually)

This is a more likely scenario for a team or small company. If you’re building software, your resources will be split across production, test, and dev environments. AWS themselves recommend splitting your environment across multiple accounts as your workloads become more complex.

Segregating your environments is great for your development processes and security, but it will increase your costs with AWS VPN. Each account requires a separate AWS Client VPN endpoint, and each subnet will require its own target network association. In this example, we use 4 to represent dev, test, and prod split across two availability zones.

Scenario 3 - Larger company (50 users, 1 on-prem environment, 4 subnets, full-tunnel)

Cost: $850 per month ($10,200 annually)

When the use case expands, so does the cost. Despite how much it costs, I think ultimately AWS VPN was built for this use case. It’s fully managed, highly available, and seamlessly ties into AWS IAM (federated to the IdP of your choice).

As the team gets larger, the client connection time will likely be the largest factor in cost. The data egress costs will also vary greatly depending on the company. In this example, we assumed 10 GB per user. That’s about 12 Zoom calls - maybe a bit conservative in today’s remote workplace.

What goes into the cost?

Costs are in $USD

Client VPN target network association ($0.10 to $0.15 per hour)
I asked my AWS rep if this can be disassociated when not used to save cost since it’s the most significant contributor to fixed costs for smaller teams. I didn’t get a straight answer, but let me know if you’ve tried this before.

Client VPN connection time ($0.05 per hour)
Connection time is the aggregate time your VPN users have connected to the VPN (rounded up to the nearest hour).

Site-to-site connection time ($0.05 per hour)
You are charged for each hour that your VPN connection is provisioned and available. A common use case is creating a connection between your data center or on-prem network with the AWS VPC.

Egress traffic ($0.05 to $0.09 per GB)
Data egress is not usually a huge contributor to cost (for VPNs anyway) unless you turn on “full tunnel” traffic for clients. For the calculator, I ignored intra-region transfers. Those are priced at $0.01 per GB. Here’s a useful resource from AWS on different types of data-transfer costs.

Site-to-site global accelerator premiums ($0.05 per hour + $0.015 to $0.091 per GB)
Released in 2019, this feature improves VPN performance by routing VPN traffic through the AWS network instead of the public internet. This could be helpful when running latency-sensitive applications or workloads.

Ways to reduce costs

Let me know if you have other suggestions

Split Tunneling
When setting up your Client VPN Endpoint, the default config option is to use a full tunnel (split tunneling disabled). This means all traffic from your end users will be routed through the endpoint - even traffic destined for the public internet. Ingress is free, but with zoom calls (up to 3.8 Mbps up) being commonplace, the costs can rack up quickly.

Terminate unused endpoints and associations
Target network associations are the main fixed cost of AWS VPN. If your usage is infrequent, you could disassociate the target networks until the route is needed again. Since AWS provides a CLI command and an API endpoint for configuring target networks, you could even set up a script to “shut down” the VPN when it is not needed.

Set up a billing alarm
Most costs with AWS VPN are unavoidable, so set up an alert to know what you’re spending. Using CloudWatch, you can create an alert that triggers when current spending passes above a set threshold. Take a look at the AWS docs on how to set this up.

-–

Thanks for reading! I know the calculator is not perfect, so please let me know how it can be improved, or give me a message if you’d like to work on the calculator directly.

I’m working on an open-source VPN called Firezone. It’s early in its development, but sometimes it could be a good alternative to AWS VPN. I hope it’s alright to plug it here.

Does this expense seem reasonable to anyone? Cloud pricing always seems insane to me. 50 users almost seems to be at the point where I’d say you’re reaching a decent pricing scale, and you’re still at $18/user/mo.

At 880/mo is about what a 1gbit dedicated fiber line cost in my area. Is the CPU load to handle 1gig that challenging? I thought most modern processors, we’re getting pretty good at handling the cryptographic operations needed for things like VPN.

Is the idea of your fire zone product to spin it up in VPS to save money versus AWS?

The aws vpn is a hard sell for minor usage due to the large attachment charge. I also hope they add saml auth support to the mobile vpn client as that is a killer feature but if you need to support mobile clients you are SOL.

This might sound contrary, but I use it because it’s integrated. It doesn’t have all the bells and whistles that some of these other providers do, but when I can put the terraform in the same shared services doc along with the rest of my supporting resources, it’s just one less thing I have to worry about…

OR OR OR… to avoid a tremendous amount of pain, we installed Sophos Virtual XGS Firewalls and pay a Nickle on the dollar what AWS was charging me.

$700 for VPN and SSL VPN Services with Key services?
$ 35 a month with Sophos Virtual Firewall

Can someone do this for Azure? I can not figure out how some of my clients are being charged so much for what’s supposed to be a fairly inexpensive service.

This is pretty cool!

you made a slight mistake I think with the small team example. you only actually ever need one VPN endpoint for client VPN. this is because you can peer the VPN VPC with all the other VPCs, even across accounts.

I will agree though that AWS VPN is probably overpriced, but setting up a reliable VPN using just EC2 is also a pain. I’ve experienced both and honestly I think it’s worth that cost just so that I don’t have to constantly babysit a VPN on EC2 that despite being a product from a big name networking company, had zero cloud compatibility meaning that we had to spend about a month just implementing basic failover and things like that in the cloud, and then after it was done had to constantly babysit it because God forbid we decide to have an all hands meeting.

Wow, thanks for doing this man. Saves me a lot of trouble! Cheers bro! I don’t have a Reddit award but i know a lot of us appreciate this!

Why use firezone when you could just run Netmaker in AWS for so much cheaper?

This is excellent, what a fantastic resource. Thanks for putting it together, I’ll be sure to share it. The team at enclave.io are also trying to help make sense of VPN and VPN alternatives. We’ve put together a list of Zero Trust Network Access (ZTNA) companies and their respective architectures at https://zerotrustnetworkaccess.info/ It may be useful to those who find your calculator useful and are considering options for private connectivity that aren’t based on traditional VPN servers.

Full disclosure: co-founder at enclave.io

Does this expense seem reasonable to anyone? Cloud pricing always seems insane to me. 50 users almost seems to be at the point where I’d say you’re reaching a decent pricing scale, and you’re still at $18/user/mo.

It seems reasonable to me when you have full context.

AWS is an a-la-carte no contract on-demand service, you can spin up a server, use it for an hour, and erase it for quite literally pennies. This is extremely attractive for tons of use cases, particularly start ups that don’t have capital to invest in expensive infrastructure.

The flip side of this flexibility is that AWS needs to price their stuff accordingly so that they don’t lose money by offering such granular flexibility. AWS is investing capital and converting it to operational expense for you, the customer, that comes at a premium unless you commit to AWS in the form of reserved instances etc. You can use that server for fractions of time but it sits on AWS’s accounting books as an asset for years whether it’s used or not. That is precisely why AWS has a spot instance market.

EDIT: Think of car rentals, their per-day costs are exorbitant if you actually break it down and well beyond what owning a car would cost per-day, even with an auto-loan. But, the car rental place put the money up, up-front, to capitalize that vehicle and you are using it for a few days so therefore you pay a premium for the luxury of using something temporarily that someone else invested the capital to have. Why? Because that car may sit there unused for a few days not earning any revenue and so to average out those $0 revenue days, the price has to be higher on the days it is being used.

Is the CPU load to handle 1gig that challenging?

It’s not, we have a firewall with OpenVPN on a mini PC with a basic i3 and 20 VPN clients (back in the lockdown days) barely make a dent on the CPU even when accessing files, RDP all day and SQL intensive apps.

The firewall costs a few hundred a year and the mini pc is just a basic thing with 2 network interfaces and lasts for years.

Amazon must be making gigantic margins on these services.

Re: Cost
Some of that cost in the last example is going towards the site-to-site VPN. If you assume most folks are working 8h days with the VPN on, that’s $8 per month. So, I suppose that’s the floor of what it could cost per user as the overall bill goes to infinity

Re: Firezone
Compared to most managed products like AWS VPN, self-hosting is probably cheaper in terms of direct cost (you’ll pay for the ec2 instance Firezone runs on), but you’ll need to support the service yourself. Our goal is to build a remote access platform that’s easy to manage so that the management burden is minimized. I think there will always be individuals and companies who will want the benefits of self-hosting (cost, third-party risk, uptime, lock-in, etc…).

the cloud is a scam of vendor lock.

Uptime is never guaranteed.

Costs can change on a whim.

Requires an insane amount of trust in a 3rd party who really has no vested interest in keeping your data secure.

Is pfsense /openvpn not an option? I set it up for a non profit years ago and they never had an issue

I understand the appeal of cloud systems, a software vendor or developer can spin up a server in a few clicks, but the pricing is astronomical. The only real use case is when you need a server for a few hours

If you want a VPN, colo something like a Sonicwall box. Hell, even Meraki would be cheaper than using AWS

I do think they support federated auth via SAML 2.0 (depending on what you mean). https://aws.amazon.com/blogs/networking-and-content-delivery/authenticate-aws-client-vpn-users-with-saml/. Luckily IAM is one of the few things that are free on AWS

That’s a feature of “The cloud”

AWS makes enough money to run Amazon the retailer as a literal non-profit business and still pay Bezos enough to launch penis rockets into space.

Those margins come from somewhere.