
aws_vpn_connection cost estimation

A site-to-site IPsec VPN connection between your VPC and on-premises network. $0.05/hour per active connection plus data transfer.

An aws_vpn_connection is a site-to-site IPsec VPN linking your VPC to an on-premises network or another cloud. Pricing has two main components.

First, connection-hours: $0.05/hour per active VPN connection ($36.50/month per connection). Each VPN attaches to either a Virtual Private Gateway (aws_vpn_gateway) or a Transit Gateway (aws_ec2_transit_gateway). With multiple connections, every connection is billed.

Second, data transfer. Bytes flowing through the VPN are billed at standard AWS egress rates. There's no per-GB VPN-specific fee on top of egress.

High availability typically requires two VPN connections in active/standby. That's $73/month minimum for production VPN infrastructure before any traffic flows through.

Compared to alternatives:

- AWS Direct Connect: dedicated physical connection. Higher fixed cost ($300+/month for 1 Gbps port) but no per-hour VPN fee. Right for high-throughput steady traffic.
- AWS Client VPN: per-endpoint-hour and per-connected-user pricing. Right for remote workers connecting to AWS, not site-to-site.
- VPC peering or Transit Gateway: for AWS-to-AWS connectivity, not on-premises.

c3x reads the VPN connection and any attached transit gateway from Terraform. Data transfer through the VPN is usage-based via c3x-usage.yml.

Terraform example

A minimal but realistic configuration that C3X can estimate.

resource "aws_vpn_gateway" "main" {
  vpc_id = aws_vpc.main.id
}

resource "aws_customer_gateway" "office" {
  bgp_asn    = 65000
  ip_address = "203.0.113.1"
  type       = "ipsec.1"
}

resource "aws_vpn_connection" "office" {
  vpn_gateway_id      = aws_vpn_gateway.main.id
  customer_gateway_id = aws_customer_gateway.office.id
  type                = "ipsec.1"
  static_routes_only  = false

  tags = {
    Name = "office-to-aws"
  }
}

Pricing dimensions

What you actually pay for when you provision aws_vpn_connection.

| Dimension | Unit | What's being charged |
| --- | --- | --- |
| VPN connection hours | per connection per hour | Active connection fee. Billed continuously while the connection is configured, regardless of traffic. $0.05/hour ≈ $36.50/month |
| Data transfer through VPN | per GB | Bytes transferred between AWS and on-premises via the VPN. Standard AWS egress rates apply. |
| Transit Gateway attachment (when applicable) | per hour + per GB processed | If the VPN attaches to a Transit Gateway instead of VPN Gateway, TGW attachment fees apply separately. |
| Virtual Private Gateway | free | The aws_vpn_gateway resource itself has no charge. Cost is in the VPN connections attached to it. $0 |

Optimization tips

Common ways to reduce aws_vpn_connection cost without changing the workload.

Consolidate VPNs with Transit Gateway

$36.50/connection/month

Giving each of several VPCs its own site-to-site VPN multiplies connection-hours. Routing through a single Transit Gateway with one VPN connection per office saves $36.50/month per eliminated connection.

Use Direct Connect for high-throughput steady traffic

Volume-dependent

VPN is right for occasional or moderate traffic. For sustained high throughput (>500 Mbps), Direct Connect becomes cost-effective because there's no per-GB VPN data charge.

Remove dormant VPN connections

$36.50/month per removed connection

VPN connections from old offices, decommissioned customer gateways, or test setups continue to bill. Audit aws_vpn_connection resources periodically.

Single VPN for non-production

$36.50/month per non-prod environment

Production needs two VPN connections for HA. Non-production environments often don't need that resilience. Running a single VPN cuts the cost in half.

FAQ

Is the VPN Gateway free?

The Virtual Private Gateway (aws_vpn_gateway) is free. You pay only for VPN connections (aws_vpn_connection) attached to it. A VPC with a VPN Gateway and no connections costs nothing.

How does Transit Gateway change VPN pricing?

When VPN connections attach to a Transit Gateway instead of a VPN Gateway, you pay three charges: the VPN connection-hour ($0.05), the Transit Gateway attachment fee ($0.05/hour), and TGW data processing ($0.02/GB). Total is higher per connection but TGW lets you connect more VPCs and accounts together.
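
An added example (not part of C3X or of the original page): a Python script for the audit suggested under "Remove dormant VPN connections", applying the rates quoted in the answer above to the JSON printed by terraform show -json. The function names, the usage_gb mapping and the sample state are assumptions constructed for illustration.

```python
# Rates quoted on this page (USD); 730 hours/month is implied by $0.05/h ≈ $36.50.
VPN_HOURLY, TGW_ATTACH_HOURLY, TGW_PER_GB, HOURS = 0.05, 0.05, 0.02, 730

def iter_resources(module):
    """Yield every resource in a module, descending into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def vpn_cost_lines(state, usage_gb=None):
    """One line per aws_vpn_connection found in `terraform show -json` output.

    usage_gb (assumed input) maps a resource address to monthly GB; it feeds only
    the TGW processing fee, since egress is billed separately at standard rates.
    """
    usage_gb = usage_gb or {}
    root = (state.get("values") or state.get("planned_values") or {}).get("root_module", {})
    lines = []
    for res in iter_resources(root):
        if res.get("type") != "aws_vpn_connection":
            continue
        vals = res.get("values") or {}
        monthly = VPN_HOURLY * HOURS
        if vals.get("transit_gateway_id"):
            attachment = "transit_gateway"
            monthly += TGW_ATTACH_HOURLY * HOURS + TGW_PER_GB * usage_gb.get(res["address"], 0)
        elif vals.get("vpn_gateway_id"):
            attachment = "vpn_gateway"
        else:
            attachment = "unknown"  # e.g. gateway IDs not yet known in a plan
        lines.append({"address": res["address"], "attachment": attachment,
                      "name": (vals.get("tags") or {}).get("Name"),
                      "monthly_usd": round(monthly, 2)})
    return lines

# Constructed sample state: one VGW-attached VPN, one TGW-attached VPN in a module.
SAMPLE_STATE = {"values": {"root_module": {
    "resources": [
        {"address": "aws_vpn_gateway.main", "type": "aws_vpn_gateway", "values": {}},
        {"address": "aws_vpn_connection.office", "type": "aws_vpn_connection",
         "values": {"vpn_gateway_id": "vgw-EXAMPLE", "transit_gateway_id": None,
                    "tags": {"Name": "office-to-aws"}}}],
    "child_modules": [{"address": "module.hub", "resources": [
        {"address": "module.hub.aws_vpn_connection.branch", "type": "aws_vpn_connection",
         "values": {"vpn_gateway_id": None, "transit_gateway_id": "tgw-EXAMPLE",
                    "tags": None}}]}]}}}

if __name__ == "__main__":
    for line in vpn_cost_lines(SAMPLE_STATE, {"module.hub.aws_vpn_connection.branch": 500}):
        print(line)
```

Connections reported here that no longer map to a live office or customer gateway are the candidates for removal; each still accrues the fixed monthly figure shown.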

Does c3x estimate VPN data transfer?

Connection-hours are estimated directly. Data transfer is usage-based; specify monthly_data_transferred_gb in c3x-usage.yml on the VPN connection.

Site-to-site VPN vs Client VPN?

Site-to-site is for permanent connections between AWS and an on-premises network. Client VPN is for individual users connecting laptops to AWS. Different resources, different pricing models. Client VPN is aws_ec2_client_vpn_endpoint with per-endpoint-hour and per-connected-user fees.

Estimate this resource in your own Terraform

Free, open source, no API key. C3X parses your Terraform and shows line-item cost for every resource, including aws_vpn_connection.