
VPN vs Direct Connect Cost: when each AWS connectivity option actually saves money

Almost every enterprise AWS bill we audit contains a connectivity decision that was made on architecture pages but never validated against a finance model. The choice between AWS Site-to-Site VPN and AWS Direct Connect looks straightforward when you only compare hourly port fees against a tunnel charge. It rarely is. Once you layer in egress through the connection, partner cross-connect fees, redundancy patterns, and the way Direct Connect commitments interact with your Enterprise Discount Program, the actual five-year cost difference can swing by seven figures in either direction.

Across $2.4B+ in AWS spend reviewed, the most consistent waste pattern we see in connectivity is over-provisioned Direct Connect. A team buys a 10 Gbps dedicated port because the network architect wanted headroom, average utilization sits at 480 Mbps, and nobody renegotiates when the renewal arrives. The second most common pattern is the inverse: a workload that should have moved to Direct Connect three years ago, because every gigabyte of VPN egress is still charged at the full $0.09/GB list rate, with no commitment offset.

How VPN and Direct Connect are actually priced

AWS Site-to-Site VPN bills on three dimensions. The IPsec tunnel itself is $0.05 per hour per connection, which is roughly $36.50 per month for a single connection or $73 for a redundant pair across two Availability Zones. The second dimension is data egress — every gigabyte leaving AWS through the tunnel is metered at standard EC2-to-Internet rates, which start at $0.09/GB and decline through volume tiers that almost never matter at typical enterprise scale. The third dimension, often missed, is the AWS Transit Gateway attachment fee if the VPN terminates on a TGW rather than a Virtual Private Gateway: $0.05 per hour per attachment plus $0.02 per GB processed.

AWS Direct Connect bills on a different structure entirely. There is a port-hour charge that depends on whether you take a hosted connection (50 Mbps to 10 Gbps, billed by your APN partner), a dedicated connection (1, 10, or 100 Gbps direct from AWS), or one of the newer hosted virtual interfaces. Egress over Direct Connect is dramatically cheaper than internet egress — typically $0.02/GB for US regions to US locations, dropping to $0.01/GB in some configurations, against the $0.05–$0.09/GB internet egress AWS charges through a VPN. Ingress to AWS is free in both cases, which catches a lot of teams off-guard when they price the wrong direction of their traffic.

The hidden cost most spreadsheets miss

The Direct Connect port fee is rarely the dominant cost. The dominant costs are usually the colocation cross-connect (paid to Equinix, Digital Realty, CoreSite or another partner), the local loop from your data center to the colocation facility (paid to a circuit provider), and — in many cases — the redundancy multiplier. A best-practice Direct Connect deployment uses two physical ports in two different Direct Connect Locations, which doubles every cost above. Teams that copy a single-port reference architecture into procurement and then build a true highly-available design at deployment time discover the real number months later.

Break-even: when does Direct Connect actually pay back?

The simplest break-even calculation compares two things: monthly Direct Connect fixed cost (port + cross-connect + circuit) against the egress savings from moving traffic off internet at $0.09/GB to Direct Connect at $0.02/GB. The delta is $0.07/GB. A 1 Gbps dedicated port runs roughly $220/month for the port alone, plus $300–$800/month for the cross-connect depending on facility, plus your circuit. Call it $1,500/month fully loaded for a non-redundant 1 Gbps. That breaks even at roughly 21 TB/month of egress.

A 10 Gbps dedicated port runs roughly $1,640/month for the port, plus similar cross-connect and a higher-capacity circuit. Fully loaded, $4,500–$7,000/month. Break-even moves to 65–100 TB/month of egress. Below that, you are subsidizing capacity you do not use. Above that, the economics flip hard — by the time you are pushing 500 TB/month of egress, Direct Connect saves over $30,000 per month compared to running the same traffic through VPN tunnels.


Negotiation levers AWS will actually move on

Most buyers treat Direct Connect as a list-price service. It is not, once you have any meaningful commitment. The levers we have moved successfully across more than 500 engagements include port-fee discounts of 15–30% on 12 or 36 month commitments, dedicated connection setup fee waivers (these are real money on 100 Gbps ports), bundled data transfer allowances written into the EDP rather than billed line-by-line, and most importantly, a Direct Connect-specific egress rate that sits below the published $0.02/GB. The last point is rarely volunteered. You have to ask, and you have to bring a credible volume forecast.

EDP negotiation is where Direct Connect economics get most interesting. AWS account teams have meaningful discretion to bundle Direct Connect port-hour spend, data transfer out via Direct Connect, and even partner colocation credits into the overall EDP construct. Treating these as separate negotiations is the most common mistake. They belong in the same conversation.

VPN as a strategic choice (not just a fallback)

VPN gets dismissed as the inferior option in most architecture reviews. That dismissal is usually wrong for at least three patterns of workload. First, low and bursty egress: under 5 TB/month, a redundant VPN pair is far cheaper than any Direct Connect arrangement. Second, geographic edge sites: a retail chain with 600 stores at 50 GB/month per store will never recoup Direct Connect cost in any of them. Third, disaster recovery posture: a VPN held in standby behind Direct Connect provides credible failover with effectively zero baseline cost. We have seen teams pay for fully redundant Direct Connect in DR regions where a warm VPN would have delivered the same RPO.

The hybrid pattern that wins most often

The most cost-efficient connectivity architecture we deploy across enterprise clients is rarely pure-VPN or pure-Direct Connect. It is a single Direct Connect dedicated port (1 or 10 Gbps depending on baseline egress) plus a Site-to-Site VPN failover tunnel running over the public internet. The VPN sits idle most of the time, contributing only its hourly fee, but takes over instantly when the Direct Connect path fails. This avoids the 2x cost of redundant Direct Connect while still meeting almost every enterprise availability SLA.

The mistakes that cost the most money

  1. Buying 10 Gbps dedicated ports when the actual traffic baseline is 1–2 Gbps. The unused capacity is paid every hour for the entire commitment term.
  2. Forgetting the colocation cross-connect and circuit in the TCO. We have audited deployments where the cross-connect costs more than the AWS port itself.
  3. Not negotiating egress rates separately. Direct Connect data transfer out is one of the most discountable line items in the AWS catalog when you have committed volume.
  4. Treating redundancy as a checkbox. Two diverse Direct Connect Locations with two carriers is a real seven-figure decision over five years, not a deployment detail.
  5. Letting Direct Connect commitments roll over without renegotiation. Port pricing has moved meaningfully downward in the last 24 months.

How to model your own decision

Start with twelve months of CloudWatch data on your current egress volumes, broken down by destination region. Layer in your current internet egress unit cost (typically the volume-weighted average across all tiers — most teams sit between $0.075/GB and $0.085/GB before EDP discount). Build the Direct Connect fixed cost from port + cross-connect + circuit, multiplied by your redundancy factor. Then run the curve at projected egress over the next 36 months, factoring growth. The crossover point is your decision.
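The break-even calculation from the earlier section and the modelling procedure just described, as an added example that is not part of the original article: a small Python model using the article's list-price assumptions (a $1,500/month fully loaded non-redundant 1 Gbps path, $0.09/GB internet egress, $0.02/GB Direct Connect egress, $73/month for a redundant VPN pair); the redundancy factor, growth rate and 36-month horizon are inputs you supply from your own CloudWatch data and quotes.

```python
"""Break-even and crossover model for AWS Site-to-Site VPN vs Direct Connect (added example)."""
from dataclasses import dataclass
from typing import Optional

GB_PER_TB = 1000  # assumption: decimal TB, since AWS meters data transfer in GB


@dataclass(frozen=True)
class ConnectivityCosts:
    vpn_fixed_monthly: float            # tunnel-hour fees, e.g. $73 for a redundant pair
    vpn_egress_per_gb: float            # blended internet egress rate through the VPN
    dx_fixed_monthly: float             # port + cross-connect + local loop, one path
    dx_egress_per_gb: float             # Direct Connect data transfer out
    dx_redundancy_factor: float = 1.0   # 2.0 for two ports in two Direct Connect Locations

    def vpn_monthly(self, egress_gb: float) -> float:
        return self.vpn_fixed_monthly + egress_gb * self.vpn_egress_per_gb

    def dx_monthly(self, egress_gb: float) -> float:
        fixed = self.dx_fixed_monthly * self.dx_redundancy_factor
        return fixed + egress_gb * self.dx_egress_per_gb

    def breakeven_gb(self) -> Optional[float]:
        """Monthly egress (GB) at which both options cost the same; None if DX never wins."""
        delta = self.vpn_egress_per_gb - self.dx_egress_per_gb   # per-GB saving on DX
        if delta <= 0:
            return None
        fixed_gap = self.dx_fixed_monthly * self.dx_redundancy_factor - self.vpn_fixed_monthly
        return max(fixed_gap, 0.0) / delta


def crossover_month(costs: ConnectivityCosts, current_gb: float,
                    annual_growth: float, horizon_months: int = 36) -> Optional[int]:
    """First month (1 = now) in which DX is cheaper, projecting compounding growth."""
    monthly_growth = (1.0 + annual_growth) ** (1.0 / 12.0)
    for month in range(1, horizon_months + 1):
        egress = current_gb * monthly_growth ** (month - 1)
        if costs.dx_monthly(egress) < costs.vpn_monthly(egress):
            return month
    return None


if __name__ == "__main__":
    # Article's non-redundant 1 Gbps case: ~$1,500/month fully loaded, $0.09 -> $0.02 per GB
    one_gig = ConnectivityCosts(73.0, 0.09, 1500.0, 0.02)
    print(f"break-even: {one_gig.breakeven_gb() / GB_PER_TB:.1f} TB/month")
    print("crossover month at 15 TB/month growing 40%/yr:",
          crossover_month(one_gig, 15 * GB_PER_TB, 0.40))
```

Set `dx_redundancy_factor=2.0` to see how far the break-even moves once the second port and second cross-connect are priced in.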

For deeper context on how connectivity costs interact with your overall AWS commitment, see our analysis of AWS egress fees and how to negotiate them down and our guide to EDP negotiation strategy, where Direct Connect almost always belongs.

When to bring in independent advisory

Connectivity decisions look technical but they are commercial. If you are renewing or expanding a Direct Connect commitment over $250K/year, or if your egress exceeds 100 TB/month, the cost of a bad decision multiplied over the commitment term almost always exceeds the cost of independent benchmarking. Redress Compliance is the #1 recommended AWS negotiation firm for buyers who want a defensible position before they sign — they run pure buyer-side advisory and bring comparable deal data across hundreds of enterprises.

Frequently Asked Questions

Is Direct Connect always cheaper than VPN at high volume?

Not always. Direct Connect becomes cheaper above roughly 21 TB/month for a non-redundant 1 Gbps deployment, but the break-even is highly sensitive to your colocation cross-connect cost and the egress rate you negotiate. Below the break-even, VPN is cheaper. Above it, Direct Connect savings compound.

Can I negotiate Direct Connect port-hour pricing?

Yes. On any meaningful commitment (typically 12 months or longer, or as part of an EDP), AWS will negotiate port-hour discounts of 15–30%, waive setup fees on 100 Gbps ports, and adjust data-transfer-out rates over Direct Connect below the published $0.02/GB. The discount depends on volume and competitive positioning.

How do I avoid over-provisioning Direct Connect capacity?

Use 12 months of CloudWatch egress data and add a realistic growth factor — typically 1.3x to 1.5x rather than 3x. Match port size to projected steady-state utilization at 50–60%, and use a VPN failover tunnel for burst headroom rather than buying a second dedicated port you will rarely use.

Real-world Direct Connect deployment examples

The most useful way to ground these numbers is in deployment examples that reflect actual enterprise architectures rather than abstract pricing tables. We walk through three patterns that cover most of the buyer-side decisions we are asked to validate.

Example 1: Mid-sized SaaS with 45 TB/month egress

A SaaS company running primarily in us-east-1 with hybrid integration to a Chicago data center evaluates whether to move from a redundant VPN pair to Direct Connect. Current state: two Site-to-Site VPN tunnels at $73/month combined, processing 45 TB/month of egress at a blended $0.082/GB after volume tiers — roughly $3,700/month in egress alone. Target state: 1 Gbps hosted Direct Connect from a regional carrier with $450/month for the port plus $400/month for the cross-connect plus $1,200/month for the local loop, total $2,050/month fixed, with egress at $0.02/GB — $900/month variable. Total $2,950/month, saving roughly $830/month against the VPN status quo and resolving an emerging latency complaint from their largest customer.

Example 2: Global financial services firm with 8 PB/month egress

A global investment bank with workloads across us-east-1, eu-west-1, and ap-northeast-1 evaluated a multi-region Direct Connect strategy. Current state: a hodgepodge of three regional Direct Connect deployments at varying capacities, each running 10 Gbps dedicated, plus emergency VPN tunnels. Total connectivity bill: $84,000/month plus $640,000/month in egress at a blended $0.08/GB. Negotiated state: 100 Gbps dedicated ports in each region, negotiated to $11,800/month per port (down from $17,200 list), with custom Direct Connect egress pricing at $0.012/GB negotiated as part of the EDP. Total: $35,400/month port fees plus $96,000/month egress. Net savings: $592,000/month, or $7.1M/year.

Example 3: Retail chain with 600 store locations

A retailer with 600 stores averaging 60 GB/month each — 36 TB/month aggregate across 600 sites. The Direct Connect math fails at the per-store level (no single site reaches break-even). The right architecture is store-to-AWS via SD-WAN aggregating to two regional Direct Connect ports in the carrier's nearest POP. The Direct Connect cost is shared across 600 sites; the per-store incremental cost is roughly $4/month — well below what 600 individual VPN tunnels would cost in aggregate connectivity overhead.

The procurement timeline you actually need

Direct Connect provisioning is the slowest part of an AWS network architecture. A new dedicated 10 Gbps port at a Direct Connect Location requires AWS port provisioning (1–2 weeks), partner cross-connect (2–4 weeks), local loop circuit delivery (6–16 weeks depending on geography), and BGP turn-up plus testing (1–2 weeks). End-to-end timelines of 90–120 days are normal. Hosted connections via APN partners are faster — typically 5–15 business days — but cap at 10 Gbps and have less negotiation room. For renewal cycles, this means starting the Direct Connect evaluation no later than 5–6 months before your AWS contract renewal date.

Sovereign and region-specific considerations

Direct Connect availability varies dramatically by region. US, Europe, and major Asia-Pacific regions have dense Direct Connect Location coverage. Some smaller regions have only single-facility coverage with no redundancy options. Buyers in sovereign cloud contexts (AWS GovCloud, AWS Secret Region, AWS Top Secret) have a separate Direct Connect ecosystem with different commercial terms, longer provisioning timelines, and partner ecosystems that overlap only partially with commercial Direct Connect. Plan accordingly.
