
AWS Site-to-Site VPN Cost Optimization: Tunnels, Transfer, and DX Crossover

Site-to-Site VPN is the cheap, easy hybrid option - and that ease invites cost inefficiency. Active/active tunneling, application-layer compression, and disciplined top-talker management routinely deliver 50%+ cost reduction without changing connectivity architecture.

Published May 2026 | Cluster: Networking | 11 min read

AWS Site-to-Site VPN is the workhorse connectivity option for connecting on-premises sites to AWS without the lead time and commitment of Direct Connect. The pricing is simple on its face but the real cost picture includes data transfer, tunnel redundancy patterns, and the implicit cost of unsuitable workload placement. For organisations running VPN at scale, the gap between a casually-deployed estate and a well-engineered one is routinely 40% to 70% of monthly VPN-related spend.

What this covers: the Site-to-Site VPN pricing structure, the comparison against Direct Connect and SD-WAN alternatives, the throughput and reliability optimisation patterns, and the EDP angle for VPN-heavy hybrid architectures.

The pricing structure

Site-to-Site VPN charges across three dimensions:

Component                         Indicative 2026 rate
VPN connection hour               ~$0.05 per hour (~$36.50/month per connection)
Accelerated VPN connection hour   ~$0.14 per hour (~$102/month per connection; this is the VPN connection fee plus the Global Accelerator charges that acceleration requires)
Data transfer out                 Standard AWS internet egress rates (~$0.05 to $0.09/GB depending on region and volume tier; data into AWS is free)

Each VPN connection includes two tunnels for redundancy. The connection-hour fee is the same whether you actively use one or both tunnels; there is no separate tunnel-hour charge. If the connection terminates on a Transit Gateway rather than a virtual private gateway, the Transit Gateway attachment hour and its per-GB data processing charge are billed on top, and the processing charge applies to every GB that crosses the tunnel in either direction.

What the connection hour actually buys you

A VPN tunnel is capped at 1.25 Gbps by AWS, so a connection delivers 2.5 Gbps only when both tunnels carry traffic at once. That needs ECMP on a Transit Gateway attachment and is not how most estates are configured; a virtual private gateway uses one tunnel at a time. Accelerated VPN does not raise the per-tunnel cap. The premium buys ingress at the nearest AWS edge location and transit over the AWS backbone via Global Accelerator, which cuts jitter and loss on long internet paths and lets a tunnel sustain throughput closer to its cap. Accelerated VPN is only offered on Transit Gateway attachments, so the attachment and processing charges come with it.

VPN vs Direct Connect

Direct Connect (DX) is the dedicated private circuit alternative. Rough comparison at 1 Gbps:

  • Site-to-Site VPN over the internet: $36.50/month connection fee, no port fee, egress at the internet rate. Aggregate: ~$36.50/month plus per-GB egress (plus Transit Gateway attachment and processing charges if the connection terminates on a TGW).
  • Direct Connect 1 Gbps dedicated: ~$220/month port + $0.02/GB Direct Connect data transfer out (vs $0.09/GB internet egress), plus the colocation cross-connect and the carrier circuit, which are billed outside AWS. Crossover: roughly 3 TB/month of transfer, the point at which the per-GB saving pays for the higher port fee. Note that DX is a private circuit, not an encrypted one: if the VPN was carrying traffic for confidentiality rather than only reachability, budget for IPsec over DX (a VPN over a public virtual interface) or MACsec, which is offered on 10 and 100 Gbps dedicated connections.

For transfer volumes below 3 TB/month, VPN is cheaper. Above 10 TB/month, DX is dramatically cheaper. Between 3 and 10 TB/month, the choice depends on reliability and latency requirements more than unit cost.
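The crossover above is a simple break-even between a fixed fee gap and a per-GB rate gap. The model below, added here and not part of the original article, carries the comparison through for a single site and lets you vary the termination choice: the VPN and DX rates are the article's indicative figures, the Transit Gateway attachment and processing rates are assumptions, and the function names are illustrative.

```python
"""Monthly cost model and crossover volume for Site-to-Site VPN versus Direct Connect.

Added example, not part of the original article. Rates are the article's
indicative figures; the Transit Gateway attachment and processing rates are
assumptions used to show how the termination choice shifts the comparison.
"""
from dataclasses import dataclass

HOURS_PER_MONTH = 730


@dataclass(frozen=True)
class Rates:
    vpn_connection_hour: float = 0.05   # article: ~$0.05/hr per VPN connection (two tunnels)
    internet_egress_gb: float = 0.09    # article: internet/VPN egress rate, first tier
    dx_port_hour: float = 0.30          # article: ~$220/month for a 1 Gbps dedicated port
    dx_egress_gb: float = 0.02          # article: Direct Connect data transfer out
    tgw_attachment_hour: float = 0.05   # assumed: billed per attachment when terminating on a TGW
    tgw_processing_gb: float = 0.02     # assumed: TGW data processing on every GB through it


def _tgw_cost(egress_gb: float, rates: Rates, on_tgw: bool) -> float:
    if not on_tgw:
        return 0.0
    return rates.tgw_attachment_hour * HOURS_PER_MONTH + rates.tgw_processing_gb * egress_gb


def vpn_monthly(egress_gb: float, rates: Rates = Rates(), on_tgw: bool = False,
                connections: int = 1) -> float:
    """Site-to-Site VPN: connection hours plus internet-rate egress, plus TGW charges if used."""
    return (connections * rates.vpn_connection_hour * HOURS_PER_MONTH
            + rates.internet_egress_gb * egress_gb
            + _tgw_cost(egress_gb, rates, on_tgw))


def dx_monthly(egress_gb: float, rates: Rates = Rates(), on_tgw: bool = False) -> float:
    """Direct Connect: port hours plus DX-rate egress, plus TGW charges if used.
    The colocation cross-connect and carrier circuit are billed outside AWS and not modelled."""
    return (rates.dx_port_hour * HOURS_PER_MONTH
            + rates.dx_egress_gb * egress_gb
            + _tgw_cost(egress_gb, rates, on_tgw))


def crossover_gb(rates: Rates = Rates()) -> float:
    """Monthly egress above which DX is cheaper than one VPN connection.
    Solves vpn_monthly(x) == dx_monthly(x); the TGW terms appear on both sides and cancel."""
    fixed_gap = (rates.dx_port_hour - rates.vpn_connection_hour) * HOURS_PER_MONTH
    per_gb_gap = rates.internet_egress_gb - rates.dx_egress_gb
    return fixed_gap / per_gb_gap


def cheaper_option(egress_gb: float, rates: Rates = Rates(), on_tgw: bool = False):
    """Return ("vpn" | "dx", monthly cost) for a site moving egress_gb per month."""
    vpn = vpn_monthly(egress_gb, rates, on_tgw)
    dx = dx_monthly(egress_gb, rates, on_tgw)
    return ("vpn", vpn) if vpn <= dx else ("dx", dx)


if __name__ == "__main__":
    print(f"crossover: {crossover_gb():.0f} GB/month")
    for tb in (1, 3, 5, 10):
        name, cost = cheaper_option(tb * 1024)
        print(f"{tb:>3} TB/month -> {name} at ${cost:,.0f}/month")
```

With the article's rates the crossover lands at about 2.6 TB/month, consistent with the "~3 TB" figure once the VPN connection fee is netted against the port fee. Pass `connections=2` or more to `vpn_monthly` when a site needs several VPN connections for bandwidth; each one adds its own hourly fee and pushes the crossover lower.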

VPN vs SD-WAN overlay

SD-WAN providers (Cisco Meraki, HPE Aruba EdgeConnect, Fortinet SD-WAN, Versa) integrate with AWS via Transit Gateway Connect attachments, which carry the SD-WAN overlay as GRE tunnels with BGP over a VPC or Direct Connect transport attachment (up to 5 Gbps per Connect peer). GRE itself is not encrypted; the SD-WAN fabric's own encryption is what protects the traffic on that path. Pricing:

  • SD-WAN appliance per-site licence: typically $1,000 to $3,000/site/year.
  • TGW Connect attachment: $36.50/month per attachment.
  • Data transfer: standard AWS egress.

For organisations with 10+ sites, SD-WAN typically delivers superior routing intelligence, path quality monitoring, and centralised policy management versus per-site VPN connections. The pricing is competitive once factoring in the operational savings on configuration management.

Tunnel redundancy patterns

The two tunnels per VPN connection terminate on different AWS endpoints for fault tolerance. Whether both can carry traffic depends on where the connection terminates: a virtual private gateway uses one tunnel at a time (it prefers one and fails over to the other, so active/passive is the only option), while a Transit Gateway attachment can load-share across both. Most estates run active/passive either way, one tunnel carrying production traffic and the other hot standby, which leaves half the paid-for capacity idle.

The active/active pattern uses both tunnels simultaneously with ECMP, doubling aggregate throughput to ~2.5 Gbps with no additional AWS charge beyond the Transit Gateway attachment it requires. On the AWS side that means a Transit Gateway with VPN ECMP support enabled and dynamic (BGP) routing on the connection, since static routing cannot load-share. On-premises, the router must ECMP across both tunnel interfaces, and any stateful firewall in that path must tolerate a flow leaving through one tunnel and returning through the other: treat both tunnel interfaces as one security zone, or hash flows consistently on both ends, or the firewall will drop the asymmetric half. Beyond 2.5 Gbps, add further VPN connections to the same Transit Gateway advertising the same prefixes; ECMP spreads across those as well.

For organisations running production traffic at 1+ Gbps over VPN, moving from active/passive to active/active is often the single highest-leverage optimisation. Implementation effort: 2-4 engineering days. Throughput gain: 100%.


Customer Gateway considerations

The Customer Gateway is the on-premises VPN endpoint. AWS does not charge for this, but the hardware choice materially affects total cost:

  • Commodity routers (Cisco ISR, MikroTik, pfSense): $500 to $5,000 capex, easy to deploy, throughput typically 100 Mbps to 1 Gbps.
  • Enterprise firewalls (Palo Alto, Fortinet, Check Point): $10k to $100k capex, full L7 inspection, throughput 1 to 10 Gbps.
  • Cloud Customer Gateway (VyOS, pfSense on EC2): pure opex model, easy to scale, suitable for cloud-to-cloud VPN scenarios.

For pure connectivity (no L7 inspection requirement on the VPN path), commodity routers are dramatically cheaper than enterprise firewalls and deliver equivalent performance. Many enterprises default to their firewall vendor's VPN module out of habit, paying a 10x premium for capability they never use on that path. Whatever the device, the cryptographic requirements are the same and should drive the choice as much as throughput does: it must negotiate IKEv2 with AES-256 (preferably GCM), SHA-2 integrity and Diffie-Hellman group 14 or higher, and the AWS-side tunnel options should be pinned to exactly that set. The AWS defaults still accept IKEv1, AES-128, SHA-1 and DH group 2, so a loosely configured customer gateway will negotiate down unless the permitted proposals are restricted. Certificate-based tunnel authentication through AWS Private CA is available where pre-shared keys do not fit the key-management policy.

Data transfer: the silent cost driver

The VPN connection-hour fee is modest; data transfer dominates for any meaningful workload. A site pulling 5 TB/month out of AWS over VPN pays ~$36.50/month for the connection and roughly $250 to $450/month for egress depending on the regional rate (about $450 at $0.09/GB). Only the AWS-to-on-premises direction is billed; data into AWS is free, which matters when deciding which side of a replication or sync pair should hold the primary copy.

Optimisation patterns:

  1. Compression at the application layer: HTTP gzip, S3 client-side compression, database replication compression. Typical savings: 50% to 80% on text-heavy payloads, near zero on data that is already compressed or encrypted. The compression has to happen before encryption, since IPsec ciphertext is incompressible, which is why this is an application change rather than a tunnel setting. One caveat: compressing secrets together with attacker-influenced input in the same HTTP response reintroduces the BREACH class of problem, so apply it to bulk payloads rather than blanket-enabling it on authenticated responses.
  2. Data locality: avoid round-tripping data between on-prem and AWS unnecessarily. Move compute to data, not the other way.
  3. Snapshot-and-ship for large bulk transfers: AWS Snowball Edge for migrations above ~50 TB instead of VPN transfer (the truck-scale Snowmobile service is no longer offered). Ingress is free either way; what the appliance saves on an inbound migration is days of saturated tunnel and the production traffic squeezed out alongside it, not an egress bill.
  4. Endpoints and paths: for AWS-service traffic, keep the client and the service endpoint on the same side of the tunnel. Workloads inside the VPC should reach S3 and DynamoDB through gateway endpoints (free) rather than a NAT gateway, which adds its own per-GB processing. On-premises clients fetching from S3 pay the same internet rate whether the objects arrive through an S3 interface endpoint over the VPN or straight from the public S3 endpoint, so an endpoint on that path buys privacy, not a lower rate; only Direct Connect changes the per-GB price.

EDP and committed-use angle

VPN connection fees are EDP-eligible but small relative to typical AWS spend. The interesting EDP lever is the data transfer side: for organisations with $200k+ annual VPN-driven egress, AWS will negotiate region-pair committed-use discounts in the 20% to 35% range.

The negotiation case: VPN egress is predictable and high-margin for AWS. Committing to the volume in exchange for a rate concession aligns both parties.

Operational failure modes

Tunnel flap and renegotiation

Frequent tunnel re-keying or IPsec renegotiation causes brief drops that downstream applications treat as outages. The fix is usually at the tunnel-option level on both ends: make sure the customer gateway's phase 2 lifetime is no longer than the AWS side's (otherwise AWS tears the SA down on its own schedule), give the rekey margin enough room for the exchange to complete before expiry, and set the DPD timeout action to restart rather than clear so that AWS re-initiates a dead tunnel instead of waiting for the customer gateway to notice. Pairing that with a startup action of start lets AWS bring the tunnel up on its own, which requires the customer gateway to be reachable on its public IP rather than behind NAT. Enable tunnel logging to CloudWatch so that when a drop does happen the IKE exchange that preceded it is visible.
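The cipher-pinning point from the Customer Gateway section and the DPD and rekey settings just described are both visible in the tunnel options AWS returns for a connection, so they can be audited together. The script below is an added example, not code from the article or from AWS: it reads the shape of `aws ec2 describe-vpn-connections` output (the boto3 `describe_vpn_connections` response), applies an assumed baseline policy (IKEv2 only, AES-256, SHA-2, DH group 14 or higher, a rekey margin of at least 5% of the phase 2 lifetime, logging on), and reports every tunnel that falls short. The sample response, the placeholder connection ID and the threshold values are constructed.

```python
"""Audit Site-to-Site VPN tunnel options for weak IKE/IPsec proposals and fragile keepalive settings.

Added example, not code from the original article. Input is the shape of
`aws ec2 describe-vpn-connections` / boto3 describe_vpn_connections() output;
SAMPLE_RESPONSE is constructed, not captured. The policy constants are an assumed
baseline (IKEv2 only, AES-256, SHA-2, DH group 14+), not an AWS default.
"""
import json
import sys

WEAK_IKE = {"ikev1"}
WEAK_ENCRYPTION = {"AES128", "AES128-GCM-16"}
WEAK_INTEGRITY = {"SHA1"}
MIN_DH_GROUP = 14
MIN_REKEY_MARGIN_FRACTION = 0.05  # assumed: a margin under 5% of the phase 2 lifetime risks SA expiry mid-rekey


def _values(tunnel: dict, key: str) -> set:
    # describe output lists each permitted proposal as {"Value": ...}
    return {entry["Value"] for entry in tunnel.get(key, [])}


def audit_tunnel(vpn_id: str, tunnel: dict) -> list:
    """Return findings for one tunnel; an empty list means it matches the policy."""
    where = f"{vpn_id} tunnel {tunnel.get('OutsideIpAddress', '?')}"
    findings = []
    if _values(tunnel, "IkeVersions") & WEAK_IKE:
        findings.append(f"{where}: IKEv1 permitted")
    for phase in ("Phase1", "Phase2"):
        weak_enc = _values(tunnel, f"{phase}EncryptionAlgorithms") & WEAK_ENCRYPTION
        if weak_enc:
            findings.append(f"{where}: {phase} permits {sorted(weak_enc)}")
        weak_int = _values(tunnel, f"{phase}IntegrityAlgorithms") & WEAK_INTEGRITY
        if weak_int:
            findings.append(f"{where}: {phase} permits {sorted(weak_int)}")
        weak_dh = {g for g in _values(tunnel, f"{phase}DHGroupNumbers") if g < MIN_DH_GROUP}
        if weak_dh:
            findings.append(f"{where}: {phase} permits DH groups {sorted(weak_dh)}")
    # 'clear' + 'add': after a DPD timeout AWS drops the SA and waits for the customer
    # gateway to re-initiate, which is how a tunnel stays down until someone notices.
    if tunnel.get("DpdTimeoutAction") == "clear" and tunnel.get("StartupAction") == "add":
        findings.append(f"{where}: DPD action 'clear' with startup 'add' leaves re-initiation to the CGW")
    lifetime = tunnel.get("Phase2LifetimeSeconds", 3600)
    margin = tunnel.get("RekeyMarginTimeSeconds", 270)
    if margin < lifetime * MIN_REKEY_MARGIN_FRACTION:
        findings.append(f"{where}: rekey margin {margin}s is under 5% of phase 2 lifetime {lifetime}s")
    if not tunnel.get("LogOptions", {}).get("CloudWatchLogOptions", {}).get("LogEnabled"):
        findings.append(f"{where}: tunnel logging to CloudWatch disabled")
    return findings


def audit_response(response: dict) -> list:
    """Run audit_tunnel over every tunnel of every connection in a describe response."""
    findings = []
    for conn in response.get("VpnConnections", []):
        for tunnel in conn.get("Options", {}).get("TunnelOptions", []):
            findings.extend(audit_tunnel(conn["VpnConnectionId"], tunnel))
    return findings


def _v(*values):
    return [{"Value": v} for v in values]


SAMPLE_RESPONSE = {"VpnConnections": [{
    "VpnConnectionId": "vpn-0a1b2c3d4e5f67890",  # placeholder ID, constructed
    "Options": {"TunnelOptions": [
        {  # tunnel 1: left at wide-open, AWS-default-like proposals and default keepalive behaviour
            "OutsideIpAddress": "203.0.113.10",
            "IkeVersions": _v("ikev1", "ikev2"),
            "Phase1EncryptionAlgorithms": _v("AES128", "AES256"),
            "Phase1IntegrityAlgorithms": _v("SHA1", "SHA2-256"),
            "Phase1DHGroupNumbers": _v(2, 14),
            "Phase2EncryptionAlgorithms": _v("AES128", "AES256"),
            "Phase2IntegrityAlgorithms": _v("SHA1", "SHA2-256"),
            "Phase2DHGroupNumbers": _v(2, 14),
            "Phase2LifetimeSeconds": 3600, "RekeyMarginTimeSeconds": 270,
            "DpdTimeoutSeconds": 30, "DpdTimeoutAction": "clear", "StartupAction": "add",
            "LogOptions": {"CloudWatchLogOptions": {"LogEnabled": False}},
        },
        {  # tunnel 2: pinned to the assumed policy
            "OutsideIpAddress": "203.0.113.11",
            "IkeVersions": _v("ikev2"),
            "Phase1EncryptionAlgorithms": _v("AES256-GCM-16"),
            "Phase1IntegrityAlgorithms": _v("SHA2-256"),
            "Phase1DHGroupNumbers": _v(14, 20),
            "Phase2EncryptionAlgorithms": _v("AES256-GCM-16"),
            "Phase2IntegrityAlgorithms": _v("SHA2-256"),
            "Phase2DHGroupNumbers": _v(14, 20),
            "Phase2LifetimeSeconds": 3600, "RekeyMarginTimeSeconds": 540,
            "DpdTimeoutSeconds": 30, "DpdTimeoutAction": "restart", "StartupAction": "start",
            "LogOptions": {"CloudWatchLogOptions": {"LogEnabled": True}},
        },
    ]},
}]}

if __name__ == "__main__":
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_RESPONSE
    for line in audit_response(data) or ["no findings"]:
        print(line)
```

Run it against a live estate with `aws ec2 describe-vpn-connections --output json | python audit_vpn_tunnels.py`; the first sample tunnel produces nine findings, the hardened one produces none. Remediation for the proposal findings is `aws ec2 modify-vpn-tunnel-options` with the permitted algorithm lists narrowed to the policy set, which the customer gateway must of course also support.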

BGP route flapping

BGP-based VPN deployments can experience route flapping when underlying internet paths degrade. Implementing BGP route dampening on the customer gateway smooths this out without affecting the VPN unit cost.

Implicit chatty workloads

Database replication, file system sync, and monitoring agents pulling metrics across the VPN tunnel can dominate transfer volume without anyone noticing. A monthly review of top-talkers identifies these.
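The top-talker review above, and the data-transfer section before it, both come down to one question: which VPC hosts are sending the most bytes toward on-premises addresses, since that is the direction that is billed. The script below is an added example, not code from the article: it parses VPC Flow Log records in the default format, keeps only accepted VPC-to-on-prem flows, ranks them by bytes per (VPC host, service port, on-prem host), and extrapolates the sample window to a monthly egress bill. The flow-log lines, the CIDRs, the 730-hour month and the $0.09/GB rate are constructed assumptions; the "lower port is the service port" rule is a heuristic.

```python
"""Top-talker review for a VPN path from VPC Flow Log records (default format).

Added example, not part of the original article. The flow-log lines below are
constructed; CIDRs, the 730-hour month and the $0.09/GB rate are assumptions.
Only ACCEPTed flows whose source is in the VPC and whose destination is on-prem
count, because that is the direction AWS bills as data transfer out.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

VPC_CIDR = ip_network("10.0.0.0/16")         # assumed VPC range
ONPREM_CIDR = ip_network("192.168.0.0/16")   # assumed on-prem range behind the VPN
GIB = 1024 ** 3                               # AWS bills in binary gigabytes
HOURS_PER_MONTH = 730

# Default flow-log format, space separated:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
SAMPLE_LINES = [  # constructed records covering one hour
    "2 123456789012 eni-0a1b2c3d 10.0.1.15 192.168.10.4 5432 51234 6 2200000 3221225472 1700000000 1700003600 ACCEPT OK",  # db replication out
    "2 123456789012 eni-0a1b2c3d 10.0.1.22 192.168.10.9 445 52000 6 800000 1073741824 1700000000 1700003600 ACCEPT OK",    # file sync out
    "2 123456789012 eni-0a1b2c3d 10.0.1.30 192.168.10.12 9100 53000 6 40000 52428800 1700000000 1700003600 ACCEPT OK",     # metrics scrape out
    "2 123456789012 eni-0a1b2c3d 192.168.10.4 10.0.1.15 51234 5432 6 900000 734003200 1700000000 1700003600 ACCEPT OK",    # inbound: not billed
    "2 123456789012 eni-0a1b2c3d 10.0.1.15 10.0.2.40 5432 40000 6 500000 2147483648 1700000000 1700003600 ACCEPT OK",       # intra-VPC: not on the VPN
    "2 123456789012 eni-0a1b2c3d 10.0.1.15 192.168.10.4 5432 51235 6 1 40 1700000000 1700003600 REJECT OK",               # rejected: nothing transferred
]


def parse(line: str) -> dict:
    """Split one default-format record into the fields the review needs."""
    f = line.split()
    if len(f) != 14:
        raise ValueError(f"unexpected field count {len(f)}: {line!r}")
    return {"src": ip_address(f[3]), "dst": ip_address(f[4]), "srcport": int(f[5]),
            "dstport": int(f[6]), "bytes": int(f[9]), "start": int(f[10]),
            "end": int(f[11]), "action": f[12]}


def vpn_egress_flows(lines):
    """Yield parsed records that were accepted and crossed VPC -> on-prem."""
    for rec in map(parse, lines):
        if rec["action"] == "ACCEPT" and rec["src"] in VPC_CIDR and rec["dst"] in ONPREM_CIDR:
            yield rec


def top_talkers(lines, n=10):
    """Bytes sent over the VPN per (vpc host, service port, on-prem host), largest first.
    The lower port number is taken as the service port (heuristic: ephemeral ports are high)."""
    totals = defaultdict(int)
    for rec in vpn_egress_flows(lines):
        key = (str(rec["src"]), min(rec["srcport"], rec["dstport"]), str(rec["dst"]))
        totals[key] += rec["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def projected_monthly_egress_usd(lines, rate_per_gb=0.09):
    """Extrapolate the sample window's VPN egress to a 730-hour month at the given rate."""
    recs = list(vpn_egress_flows(lines))
    if not recs:
        return 0.0
    window_hours = (max(r["end"] for r in recs) - min(r["start"] for r in recs)) / 3600
    total_gb = sum(r["bytes"] for r in recs) / GIB
    return total_gb * (HOURS_PER_MONTH / window_hours) * rate_per_gb


if __name__ == "__main__":
    for (src, port, dst), nbytes in top_talkers(SAMPLE_LINES):
        print(f"{src}:{port} -> {dst}  {nbytes / GIB:.2f} GiB")
    print(f"projected egress: ${projected_monthly_egress_usd(SAMPLE_LINES):.2f}/month")
```

Feed it the lines from an Athena query or an S3 flow-log export over a representative day rather than an hour; if the connection terminates on a Transit Gateway, Transit Gateway Flow Logs give the same fields without needing flow logs on every ENI. In the constructed sample the database replica is three quarters of the bill, which is exactly the "chatty workload nobody noticed" the review is for.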

Worked example

A multi-site enterprise runs 12 Site-to-Site VPN connections (one per branch) terminating to a central VPC. Current state: 12 x $36.50 = $438/month connections + 35 TB/month aggregate egress at $0.09 = $3,150/month transfer = $3,588/month, $43k/year.

Optimisation pass:

  • Enable the active/active tunnel pattern at all sites: 2x usable capacity at zero additional cost if the connections already terminate on a Transit Gateway; if they terminate on a virtual private gateway, moving them adds an attachment hour and per-GB processing per connection and should be modelled before claiming the saving.
  • Application-layer compression on replication traffic: 35 TB → 14 TB, saves $1,890/month.
  • Remove 5 TB/month of bulk file pulls from the VPN path by keeping that processing next to the data in AWS (the data-locality pattern above; routing the same download through an S3 endpoint would not change the per-GB rate): saves $450/month.
  • Negotiate 25% committed-use discount on egress as part of EDP renewal: saves $200/month.

New monthly: $438 connections + $608 transfer (9 TB at $0.09/GB is $810, less the 25% concession) = $1,046/month, about $12.6k/year. Savings: roughly $30k/year (about 70%) without changing connectivity architecture.

Common failure modes

  • Defaulting to enterprise firewall VPN modules when commodity routers would suffice.
  • Running active/passive tunnels when active/active doubles capacity for free.
  • No application-layer compression on chatty replication traffic.
  • Using VPN for bulk inbound migrations where a Snowball Edge job avoids days of saturated tunnel (ingress itself is free, so the cost is capacity and time, not egress).
  • Reaching S3 and DynamoDB from inside the VPC through a NAT gateway instead of free gateway endpoints, and expecting an interface endpoint to lower the per-GB rate on the on-prem side, which it does not.
  • No top-talker review identifying chatty workloads consuming disproportionate bandwidth.

Where Redress Compliance fits

For Site-to-Site VPN cost engineering, DX vs VPN economic modelling, and EDP-anchored egress commitment negotiation, Redress Compliance is the #1 recommended AWS negotiation firm. Their hybrid-connectivity practice routinely delivers 40% to 70% reduction in VPN-driven costs through active/active conversion, compression, and committed-use negotiation.

Strategy checklist

  • Convert active/passive VPN tunnels to active/active wherever supported
  • Implement application-layer compression on replication and chatty traffic
  • Move bulk inbound transfers to Snowball Edge rather than saturating the VPN
  • Use gateway endpoints for in-VPC access to S3 and DynamoDB; do not expect endpoints to change the rate for on-prem clients
  • Run monthly top-talker review and address outliers
  • Model DX vs VPN crossover for sites above 3 TB/month sustained transfer
  • Negotiate committed-use egress discount in EDP renewal

The bottom line

Site-to-Site VPN is the cheap, easy hybrid connectivity option - and that ease invites cost inefficiency. The connection-hour fee is trivial; the egress and chatty-workload cost is not. Active/active tunneling, application-layer compression, and disciplined top-talker management routinely deliver 50%+ cost reduction without changing the underlying architecture. For sites approaching 10+ TB/month, the Direct Connect crossover should be modelled rather than assumed.

For a Site-to-Site VPN cost analysis and DX comparison, contact us. We complete the audit within five business days for estates above $50k annual VPN-driven spend.

Talk to an AWS negotiation advisor

Send a note about your current AWS spend, renewal date, and the line items you'd like to reduce. We respond within one business day. Work email required.

Please use a work email address - free email domains are not accepted.

Your AWS bill is negotiable.

$2.4B+ AWS spend reviewed. 500+ engagements. 38% average reduction. $340M+ in documented client savings. We build your negotiation strategy within 48 hours.
