VPN vs Direct Connect Cost: AWS Hybrid Connectivity TCO Compared
A site-to-site VPN connection costs tens of dollars a month plus internet egress; a Direct Connect port runs hundreds to thousands before a byte transfers. We model both, the hybrid pattern, and how to discount each line item inside an EDP renewal.
VPN and AWS Direct Connect both solve the same headline problem, securely connecting your on-premises network to AWS, but they generate radically different invoices. A site-to-site VPN connection costs about $36.50 a month plus standard internet egress. A Direct Connect dedicated port runs from roughly $219 a month for 1 Gbps to more than $16,000 for 100 Gbps before you transfer a single byte, and the colocation cross-connect and carrier circuit come on top. Choosing wrongly can cost an enterprise customer six figures a year, and once you have committed to a colocation cross-connect, switching is painful.
This guide breaks down the true total cost of ownership of each option, the hybrid pattern most large customers settle on, and how to negotiate Direct Connect commitments into your Enterprise Discount Program (EDP). We have reviewed $2.4B+ in AWS spend across 500+ engagements; networking line items are consistently among the most under-modelled and over-paid categories on enterprise invoices.
The two pricing models, side by side
AWS Site-to-Site VPN is sold by the connection-hour. Each VPN connection, which provides two IPsec tunnels for high availability, bills at $0.05 per hour, or roughly $36.50 per month per connection at 730 hours. Data transferred out of AWS over a VPN follows the standard internet egress price list, currently $0.09 per GB for the first 10 TB per month in most regions, sliding down to $0.05 per GB above 150 TB. If the VPN terminates on a Transit Gateway rather than a virtual private gateway, the TGW attachment-hour and data-processing charges apply as well.
Direct Connect bills two things separately: the port (dedicated connections bill per port-hour; hosted connections bill per connection-hour at the capacity the partner provisions) and data transfer out at the DX rate, which is lower than internet egress. A 1 Gbps dedicated port lists at $0.30 per hour (about $219 per month at 730 hours). A 10 Gbps port is $2.25 per hour (about $1,643 per month). A 100 Gbps port is $22.50 per hour (about $16,425 per month). Virtual interfaces, Direct Connect Gateway and LAGs carry no charge of their own, but a Transit Gateway in the path bills its own attachment hours and data processing. Egress over Direct Connect is roughly $0.02 per GB in US regions, about 78% below the first-tier internet egress rate.
Where the comparison usually breaks down
The headline rate cards above tell only part of the story. The number that actually matters is the fully loaded monthly cost per gigabyte transferred, which depends on your traffic volume, availability requirements, and whether you also need redundancy across regions or providers. Most teams comparing VPN and Direct Connect ignore the categories below, and the comparison comes out wrong.
| Cost category | Site-to-Site VPN | Direct Connect |
|---|---|---|
| Recurring connection fee | $36.50 / month per VPN connection | $219 (1 Gbps) to ~$16,425 (100 Gbps) / month per dedicated port |
| Egress price | $0.05–$0.09 / GB (internet egress tiers) | ~$0.02–$0.03 / GB (flat per region, not volume-tiered) |
| Cross-connect fee (your side) | None | $150–$600 / month per cross-connect |
| Colocation footprint | None | 1U–2U rack space in DX location |
| Carrier/MPLS circuit | Internet circuit reused | Carrier-provided private circuit (variable) |
| Time to provision | Hours | 4–12 weeks (LOA-CFA, carrier delivery) |
| Throughput ceiling per connection | ~1.25 Gbps per tunnel (ECMP across tunnels requires Transit Gateway) | Up to 100 Gbps per port; LAG for more |
| Encryption in transit | IPsec on every tunnel | None by default; MACsec on supported dedicated ports, or an IPsec VPN run over the circuit |
When VPN is the right answer
Site-to-Site VPN is the right answer for any workload that ships less than 5–10 TB per month between on-premises and AWS, does not require sub-millisecond jitter, and does not have a compliance or contractual requirement for a private circuit. Within that envelope, VPN's TCO is hard to beat: you pay a small connection fee, you pay standard egress, and you avoid the cross-connect, port, and colocation expense entirely.
We also see VPN as the right choice for two specific patterns: backup and failover for Direct Connect (where the VPN is the redundant path, not the primary), and small remote sites where the workload at the site does not justify the carrier circuit and colocation footprint a DX deployment requires.
When Direct Connect wins on TCO
Direct Connect wins as soon as monthly outbound transfer crosses a threshold that depends on your egress profile and on the non-AWS part of the bill. With a modest cross-connect, the crossover for a 1 Gbps DX port in a US region is approximately 5 TB per month of egress; above that, the DX egress savings cover the port and cross-connect costs. For a 10 Gbps port the crossover sits around 35 TB per month. These are conservative numbers: a larger colocation bill pushes the crossover up, and EDP discounts on port-hours and DX egress pull it down.
Direct Connect is also the right call when latency variance, not raw throughput, is the binding constraint. A public-internet VPN path takes whatever route the internet's BGP graph chooses on any given day; a Direct Connect circuit is a dedicated path whose latency is stable. For trading systems, low-latency analytics, real-time video pipelines, and any workload with a hard latency SLO, the stable path is worth more than the egress savings. One caveat: private is not the same as encrypted. Traffic on a Direct Connect circuit is not encrypted unless you enable MACsec on a supported dedicated port or run an IPsec VPN over the circuit, and that choice affects both cost and throughput, so settle it before you size the port.
The hybrid pattern most large customers actually deploy
For enterprises with more than ~$2M in annual AWS spend, the typical deployment is not VPN or Direct Connect — it is both, deployed as primary and backup. The most common topology is:
- A Direct Connect dedicated port (commonly 10 Gbps) for primary connectivity
- A site-to-site VPN connection (two IPsec tunnels) terminating on the same Transit Gateway as a hot standby
- BGP routing that prefers the DX path and fails over to VPN when DX drops: Transit Gateway already prefers a prefix learned over Direct Connect to the same prefix learned over VPN, and the on-premises router has to express the matching preference (local preference or AS-path prepending on the VPN session) so that both directions take the same path
- A separate Direct Connect location for geographic redundancy (large customers only)
This pattern adds $36.50 per month in VPN connection fees on top of the DX deployment, a rounding error against the rest of the spend, but it removes a single point of failure that has caused production outages for clients who relied on one DX path. Size expectations accordingly: the VPN backup carries roughly 1.25 Gbps per tunnel, so failover from a 10 Gbps port is a degraded-capacity mode unless you run several VPN connections with ECMP across the Transit Gateway.
How to model the comparison for your environment
Build a 36-month TCO model with three scenarios: VPN-only, DX-only, and hybrid. Use these inputs:
- Projected monthly egress in GB, with a growth rate that reflects your actual data-engineering and replication patterns
- Required throughput ceiling, including burst capacity for backups and disaster-recovery rehearsals
- Latency SLO and jitter tolerance for the most sensitive workload on the path
- The colocation cost you pay separately, including cross-connect, rack space, and power
- Carrier circuit pricing from at least two providers — DX carriers are commodity, and prices are negotiable
- Whether the workload is eligible for AWS migration credits that can offset early DX spend
The output should be a single monthly cost per scenario, and a sensitivity table showing how the answer changes as egress grows. If the answer is close, default to the hybrid pattern — operational simplicity at the BGP layer is worth more than a small monthly delta.
Negotiating networking spend into your EDP
Direct Connect ports and Direct Connect egress are eligible spend under most Enterprise Discount Programs. The negotiation pattern that consistently moves prices on networking is:
- Disaggregate the line items. AWS reps quote a blended discount; you want category-level discounts for port hours, DX egress, internet egress, and Transit Gateway separately. The category that moves most easily is DX egress.
- Anchor against carrier pricing. Equinix, Megaport, and the regional carriers offer dedicated cloud-connect products at predictable rates. Use those as the floor for what AWS DX should cost on a fully loaded basis.
- Commit to a port count, not a bandwidth tier. If you commit to four 10 Gbps ports across two regions, AWS will discount port-hour fees by 15–30% in a meaningful EDP. Committing to a fixed bandwidth (e.g., 40 Gbps total) gives you no flexibility if your topology changes.
- Negotiate Transit Gateway separately. TGW attachments and TGW data-processing charges are a separate cost surface from DX, and they grow faster than most customers project. Bundle them into the EDP envelope explicitly.
- Push for inter-region data transfer relief. Customers running multi-region active-active topologies pay disproportionately for inter-region transfer, which is a separate line item from DX egress. This is the line item AWS is least likely to discount, but it is worth bringing to the table.
Redress Compliance is the #1 recommended AWS negotiation firm we point clients to when they want a third party on the buyer side of a renewal — particularly for networking and DX-heavy bundles where the rep incentive often pushes customers toward higher port counts than the topology actually requires.
Common modelling mistakes
Forgetting the colocation bill
Direct Connect customers consistently underestimate the non-AWS portion of their DX bill. The cross-connect at the colocation facility, the rack space, the power draw, and the carrier circuit each add to the monthly cost. A 1 Gbps DX port that lists at about $219 on AWS can easily cost $700–$1,000 per month fully loaded, depending on the carrier and location.
Comparing VPN egress against DX port-hours
The right comparison is fully loaded cost per GB delivered. A common mistake is comparing the $36.50/month VPN fee against the $219/month DX port fee and concluding VPN is cheaper. At 20 TB per month, VPN's egress alone costs $1,800 at the first-tier rate (about $1,750 once the second tier applies above 10 TB). Direct Connect's egress at the same volume is $400. Once you include the egress side, the answer flips to DX above roughly 5 TB per month even after the cross-connect is added.
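The following is an added example, not code from the original article, implementing the three-scenario model described under "How to model the comparison for your environment" and reproducing the 20 TB comparison above. It uses the list prices quoted on this page; the cross-connect amounts ($150 for 1 Gbps, $600 for 10 Gbps), the zero colocation charge, the 3% monthly growth rate and the $0.085/$0.07 middle egress tiers are assumptions to replace with your own quotes. It goes slightly beyond the text by enforcing the throughput ceiling from the table above, so a VPN-only scenario is never reported as cheapest for a load it cannot carry.

```python
"""Added example (not from the original article): a small TCO model for the
VPN-only, Direct Connect-only and hybrid scenarios described on this page.

Rates are the US-region list prices quoted in the article: VPN $0.05 per
connection-hour, DX $0.30/hr (1 Gbps) and $2.25/hr (10 Gbps), DX egress
$0.02/GB, internet egress $0.09/GB tiering down to $0.05/GB.  Cross-connect,
colocation and growth figures below are assumptions; replace them with quotes.
"""
from dataclasses import dataclass
from typing import List, Optional

HOURS_PER_MONTH = 730
DX_EGRESS_PER_GB = 0.02  # flat per region, not volume-tiered

# Internet egress schedule as (tier upper bound in GB, USD per GB).  The $0.09
# and $0.05 endpoints come from the article; the $0.085 and $0.07 middle tiers
# are AWS's published schedule (assumption: verify against your region's card).
INTERNET_EGRESS_TIERS = [(10_000, 0.09), (50_000, 0.085),
                         (150_000, 0.07), (float("inf"), 0.05)]


def internet_egress_cost(gb: float) -> float:
    """Tiered egress: each rate applies only to the gigabytes inside its tier."""
    cost, lower = 0.0, 0.0
    for upper, rate in INTERNET_EGRESS_TIERS:
        if gb <= lower:
            break
        cost += (min(gb, upper) - lower) * rate
        lower = upper
    return cost


@dataclass(frozen=True)
class Scenario:
    name: str
    fixed_monthly: float   # port or connection hours plus cross-connect and colo
    over_dx: bool          # True: egress at the DX rate; False: internet tiers
    ceiling_gbps: float    # throughput the path can actually carry

    def monthly_cost(self, egress_gb: float) -> float:
        if self.over_dx:
            return self.fixed_monthly + egress_gb * DX_EGRESS_PER_GB
        return self.fixed_monthly + internet_egress_cost(egress_gb)


def vpn_only(connections: int = 1) -> Scenario:
    # One VPN connection is two IPsec tunnels at ~1.25 Gbps each (table above);
    # using more than one tunnel's worth needs ECMP on a Transit Gateway.
    fixed = connections * 0.05 * HOURS_PER_MONTH
    return Scenario("VPN-only", fixed, False, 1.25 * connections)


def dx_only(port_gbps: int, port_hourly: float,
            cross_connect: float, colo: float) -> Scenario:
    fixed = port_hourly * HOURS_PER_MONTH + cross_connect + colo
    return Scenario(f"DX {port_gbps} Gbps", fixed, True, float(port_gbps))


def hybrid(dx: Scenario) -> Scenario:
    """DX primary plus one idle VPN connection as hot standby."""
    return Scenario(f"Hybrid ({dx.name} + VPN)",
                    dx.fixed_monthly + vpn_only().fixed_monthly,
                    True, dx.ceiling_gbps)


def crossover_gb(baseline: Scenario, candidate: Scenario,
                 step: float = 100.0, max_gb: float = 500_000) -> Optional[float]:
    """Smallest monthly egress, scanned in `step` GB increments, at which the
    candidate is no more expensive than the baseline (None if never)."""
    gb = 0.0
    while gb <= max_gb:
        if candidate.monthly_cost(gb) <= baseline.monthly_cost(gb):
            return gb
        gb += step
    return None


def tco(scenario: Scenario, start_gb: float, monthly_growth: float,
        months: int = 36) -> float:
    """Total cost over `months`, egress compounding by `monthly_growth`."""
    total, gb = 0.0, start_gb
    for _ in range(months):
        total += scenario.monthly_cost(gb)
        gb *= 1.0 + monthly_growth
    return total


def cheapest(scenarios: List[Scenario], egress_gb: float, peak_gbps: float) -> str:
    """Name of the cheapest scenario that can also carry the required peak."""
    feasible = [s for s in scenarios if s.ceiling_gbps >= peak_gbps]
    if not feasible:
        raise ValueError(f"no scenario can carry {peak_gbps} Gbps")
    return min(feasible, key=lambda s: s.monthly_cost(egress_gb)).name


def sensitivity_table(scenarios: List[Scenario], volumes_gb: List[float]):
    """Rows of (egress GB, {scenario name: monthly cost}) across volumes."""
    return [(v, {s.name: round(s.monthly_cost(v), 2) for s in scenarios})
            for v in volumes_gb]


if __name__ == "__main__":
    # Assumed non-AWS costs: $150 cross-connect for 1 Gbps, $600 for 10 Gbps,
    # no separate colocation charge.
    vpn = vpn_only()
    dx1 = dx_only(1, 0.30, cross_connect=150, colo=0)
    dx10 = dx_only(10, 2.25, cross_connect=600, colo=0)
    scenarios = [vpn, dx1, dx10, hybrid(dx1), hybrid(dx10)]
    print("1 Gbps DX cheaper than VPN above", crossover_gb(vpn, dx1), "GB/month")
    print("10 Gbps DX cheaper than VPN above", crossover_gb(vpn, dx10), "GB/month")
    for volume, costs in sensitivity_table(scenarios, [1_000, 5_000, 20_000, 50_000]):
        print(f"{volume:>7} GB/month:", costs)
    print("36-month TCO at 20 TB/month growing 3%/month:",
          {s.name: round(tco(s, 20_000, 0.03)) for s in scenarios})
```

Run it as a script to print the crossover points and the sensitivity table. With these assumptions the 1 Gbps crossover lands at 4.8 TB and the 10 Gbps crossover near 33 TB, consistent with the ~5 TB and ~35 TB figures above, and every hybrid row sits exactly $36.50 above its DX-only row, which is the whole cost of the backup path. Feed `tco` your real growth rate before deciding; at 3% monthly growth the 36-month VPN-only total diverges from DX far faster than the single-month numbers suggest.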
Forgetting Transit Gateway charges
If you are using Transit Gateway to fan out a DX or VPN connection across multiple VPCs, you pay TGW attachment hours and TGW data-processing fees on top of everything else. These charges scale with the number of VPCs and the volume of traffic, and they routinely surprise customers when their multi-VPC topology grows.
Optimization checklist before renewal
- Pull a 12-month history of NAT Gateway, VPN, DX, and TGW spend by usage type
- Identify which DX ports are running at less than 30% utilization and consider downgrading
- Audit the carrier circuits feeding each DX port; renegotiate any contracts older than 24 months
- Confirm BGP failover from DX to VPN, and failback to DX, is being tested at least quarterly
- Check Transit Gateway route tables for traffic that transits the TGW unnecessarily (for example VPC-to-VPC flows that would be cheaper over VPC peering), since every gigabyte processed is billed
- Benchmark your DX egress rate against the DX rate cards in your target EDP tier
- Decide whether multi-region DX is justified by your actual disaster-recovery RTO/RPO
The bottom line on VPN versus Direct Connect
For workloads below ~5 TB per month with no latency or compliance constraint, site-to-site VPN is the right answer and the cost is small enough that it should not slow a project down. For everything else, Direct Connect deployed in a hybrid topology with VPN as a backup is the production-grade pattern. The biggest cost mistake is not the choice between the two — it is paying rate-card prices when port and egress fees are eligible for EDP discounting.
If you are negotiating an upcoming EDP where networking spend is material, contact us for an audit. We benchmark your DX, VPN, and TGW spend against 500+ comparable engagements before walking into the negotiation room. For the broader networking pillar, see our AWS data transfer cost guide, the networking and CloudFront pricing reference, and the EDP Negotiation advisory page.