The Hidden Cost of AWS VPN and Finding Affordable Alternatives
What is AWS Client VPN?
AWS Client VPN is a managed service offered by AWS that lets organizations access AWS resources from remote locations using OpenVPN-based clients. AWS Client VPN is designed to make it easier to deploy a VPN server, as compared to the process of setting up, configuring, and self-hosting your own VPN server.
While AWS Client VPN may be simpler to set up in several aspects than a traditional VPN, one thing that is not as simple is its pricing model. Based on a long list of variables, AWS Client VPN’s pricing can be confusing, so in this article we’ll break down exactly how it works, provide a handy cost calculator, and review some alternatives to AWS Client VPN.
AWS Client VPN should not be confused with AWS Site-to-Site VPN, which is a service that’s used to connect different networks together - namely, an Amazon VPC with a separate remote network (such as an on-premises corporate network) over an IPsec connection. AWS Site-to-Site VPN has a different pricing structure and is not the focus of this article.
How AWS Client VPN Pricing Works
AWS Client VPN is charged based on a time-connected basis for each type of component that is required to use the service: Client VPN endpoint associations, and user connections to an endpoint.
Client VPN Endpoint Associations
The first step to setting up AWS Client VPN is to create a Client VPN endpoint. You can think of the VPN endpoint as equivalent to a VPN gateway in a traditional VPN setup. The second step is to associate that Client VPN endpoint with one or more subnets that are part of the same AWS account, representing the subnets in a VPC that you want to make accessible to people connecting through that Client VPN endpoint. One constraint is that each subnet associated with a VPN endpoint must belong to a different Availability Zone.
AWS charges an hourly fee for the time each endpoint association exists (remember that an endpoint can have multiple endpoint associations). The fee depends on the VPC region in which your endpoint is located, which generally ranges from $0.10 to $0.15 per hour (charges for partial hours are prorated). The meter starts running as soon as you establish an association.
- Each Client VPN Endpoint Association: $0.10-0.15 per hour
Client VPN Connections
Once your VPN endpoint and endpoint associations have been set up, you can now connect clients to that endpoint.
AWS charges an hourly fee for the time each client is connected to a VPN endpoint. Note that an individual user may have multiple clients - for example, if they use multiple devices. The hourly fee generally is $0.05 per hour (charges for partial hours are prorated).
- Each client, while connected to a VPN endpoint: $0.05 per hour
AWS VPN Pricing Calculator
Because there are a lot of variables to crunch when working out pricing, to help you estimate AWS Client VPN fees, we’ve made this handy AWS VPN Pricing Calculator.
We note that pricing changes from time to time. The information in this article is accurate to the best of our knowledge at the date of writing, but you should check the AWS website for the most up to date pricing.
Data Transfer Charges: One of the costs that’s perhaps obscured is the cost of bandwidth. While AWS Client VPN doesn’t charge for bandwidth sent through the Client VPN endpoint as such, the Client VPN does send traffic into your VPC. This traffic is charged at the prevailing rates for data transfers for your VPC. AWS doesn’t charge for ingress traffic, but it does charge for egress traffic. This may add material bandwidth costs if you are running your Client VPN in full tunnel mode, which sends all network traffic destined for the public internet through the Client VPN and VPC.
NAT Gateway Data Processing Charges: If you are using a NAT gateway in your VPC that handles full tunnel traffic, an extra NAT gateway processing fee is charged for each gigabyte of data processed through the NAT gateway (on top of the regular NAT gateway hourly charges).
In summary, the charges you can expect to pay include:
- Hourly fees for each Client VPN Endpoint Association
- Hourly fees for each Client while it is connected to a VPN endpoint
- Bandwidth fees for egress traffic from your VPC (representing an additional charge for full tunnel traffic that otherwise wouldn’t need to flow through your VPC)
- NAT gateway data processing charges if you use one in your VPC and it handles full tunnel traffic
Alternatives to AWS VPN
AWS Client VPN is not your only option for enabling secure remote access to your AWS VPC environments.
AWS Marketplace Products
The AWS Marketplace contains a wide variety of vendors offering their own VPN solutions that integrate with AWS. Each of these vendors offers their own pricing models. For example, Cisco Adaptive Security Virtual Appliance (ASAv) is a virtual firewall appliance that allows a remote access VPN to be set up. The software is licensed on a time-based model that is also tied to the tier of AWS infrastructure that the software is run on. Administratively, fees for these third party products are charged via AWS, so you can benefit from consolidated billing.
Manually Installed Products
On the other side of the spectrum, you could manually install and configure an open source solution like OpenVPN within your AWS environment. Although there is no software licensing fee associated with this route, it does require a lot more effort and expertise in terms of setup and maintenance. Additionally, support is not provided, so you may have to seek third party help if you run into problems (either paid, or from free sources like community forums).
Zero Trust Alternative
If you are ultimately looking for a remote access solution, also consider Zero Trust Network Access products that aren’t based on VPN technology, such as Twingate. Twingate can be installed in an AWS VPC with a single line of code. Additionally, deployment can be automated in a variety of ways.
Another advantage of Twingate is that, unlike VPN technologies, there’s no concept of setting up site-to-site VPN tunnels to establish connectivity to your various network subnets. That reduces deployment complexity, as well as pricing complexity. (As mentioned above, AWS Site-to-Site VPN is its own AWS product that comes with its own pricing model.)
Twingate’s Pricing Model
A key advantage of using Twingate to secure remote access to your AWS environment is that the pricing model is very straightforward. Twingate’s pricing is based on a per user flat fee model. That means costs are predictable - and you don’t need a spreadsheet to work them out!
The only variables that impact Twingate’s pricing are the number of users you have, the months or years you subscribe to the service (depending on whether you are billed monthly or annually), and the Twingate plan you select (Teams, Business or Enterprise). Twingate does not charge for bandwidth used or time connected.
If you use Twingate with other non-AWS environments, support for AWS comes at no extra cost. In fact, Twingate secures access to all major types of environments (AWS, GCP, Azure, and on-premises) you may have for the same fee, and the setup process is similar for each environment.
Simplify Your AWS Secure Remote Access Needs
Twingate aims to provide the security benefits of a non-VPN Zero Trust solution while making deployment and management of that solution as simple as possible. Part of this is providing a simple to understand pricing model that won’t unexpectedly blow out your budget.
Contact us to learn more about how easy and cost effective implementing a modern zero trust solution can be.