This section provides an overview of several alternative architectures for consolidating site-to-site VPN connections from your on-premises network to your AWS environment and for supporting connectivity between your team development and workload hosting VPCs and your infrastructure shared services VPC. This information is intended to help you make a more informed decision as you consider the recommended approach of using AWS Transit Gateway.
We don’t recommend using the following architecture. It’s included only to demonstrate the implications of using a point-to-point approach to integrating site-to-site VPN connections with VPCs. We recommend that you consolidate such connections by using either the AWS Transit Gateway based architecture or, if conditions warrant, the transit VPC architecture that is introduced below.
In this architecture, you establish a separate site-to-site VPN connection to each of your VPCs and use VPC peering to provide network connectivity between your team development and workload hosting VPCs and an infrastructure shared services VPC. Because VPC peering is not transitive, on-premises traffic cannot reach a VPC by traversing another VPC's VPN connection and peering connection, which is why each VPC needs its own VPN connection in this design.
We’ll use the same assumptions concerning the number of VPCs, their dependencies, and the amount of data transferred that are used in the Transit Gateway architecture Cost Example section.
Pricing
See the following resources for the most up-to-date AWS pricing information. Prices are subject to change.
Site-to-Site VPN Costs
Monthly site-to-site VPN cost = (4 site-to-site VPN connections x $36.50/month) + (999 GB out/month x $0.09/GB) = $146.00 + $89.91 = $235.91/month
VPC Peering Costs
VPC peering traffic between VPCs in the same AWS Region is charged at $0.01/GB in each direction, the same rate as data transfer between Availability Zones within a Region.
Monthly VPC peering cost = 2,000 GB/month x $0.01/GB = $20/month
Combined Costs
Combined monthly cost for site-to-site VPN + VPC peering:
| Service | Monthly Cost |
|---|---|
| Site-to-Site VPN | $235.91 |
| VPC Peering | $20.00 |
| Total monthly cost | $255.91 (as compared to $348.91 for the transit gateway-based example) |
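The following is an added worked example, not part of the AWS page, that turns the calculation above into a small cost model for the point-to-point design (one Site-to-Site VPN connection per VPC, plus hub-and-spoke peering between each team VPC and the shared services VPC). It reproduces the page's figures and then shows what the page's numbers only imply: the fixed VPN charge grows with every VPC you add, regardless of traffic. The per-unit prices are the ones quoted on the page and are treated as assumptions to verify against current AWS pricing; the model also assumes the page's 4 VPN connections correspond to 3 team VPCs plus the shared services VPC.

```python
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

# Per-unit prices quoted on the page. They are assumptions for this model:
# verify them against the current AWS pricing pages before relying on them.
VPN_CONNECTION_PER_MONTH = Decimal("36.50")  # per Site-to-Site VPN connection
VPN_DATA_OUT_PER_GB = Decimal("0.09")        # data transferred out over VPN
PEERING_PER_GB = Decimal("0.01")             # VPC peering, same Region, per direction

CENTS = Decimal("0.01")


@dataclass(frozen=True)
class PointToPointAssumptions:
    team_vpcs: int                 # team development and workload hosting VPCs
    vpn_gb_out_per_month: Decimal  # GB sent out over all VPN connections per month
    peering_gb_per_month: Decimal  # GB crossing the peering connections per month


def vpn_connections(a: PointToPointAssumptions) -> int:
    """One Site-to-Site VPN connection per VPC: every team VPC plus the shared services VPC."""
    return a.team_vpcs + 1


def peering_connections(a: PointToPointAssumptions) -> int:
    """Hub-and-spoke peering: each team VPC peers with the shared services VPC.
    Peering is not transitive, so none of these links can carry another VPC's
    on-premises traffic; that is why every VPC still needs its own VPN connection."""
    return a.team_vpcs


def _money(d: Decimal) -> Decimal:
    return d.quantize(CENTS, rounding=ROUND_HALF_UP)


def monthly_cost(a: PointToPointAssumptions) -> dict:
    """Break the monthly cost down the same way the page's worked example does."""
    vpn = (vpn_connections(a) * VPN_CONNECTION_PER_MONTH
           + a.vpn_gb_out_per_month * VPN_DATA_OUT_PER_GB)
    peering = a.peering_gb_per_month * PEERING_PER_GB
    return {
        "vpn_connections": vpn_connections(a),
        "peering_connections": peering_connections(a),
        "site_to_site_vpn": _money(vpn),
        "vpc_peering": _money(peering),
        "total": _money(vpn + peering),
    }


def fixed_cost_of_adding_team_vpc() -> Decimal:
    """Each additional team VPC adds one more VPN connection (a fixed charge, quoted
    here per month) and one more peering connection (no fixed charge, only per-GB
    data transfer). This fixed charge is the part of the point-to-point design
    that grows with every VPC, independent of traffic volume."""
    return VPN_CONNECTION_PER_MONTH


def cost_by_team_vpc_count(max_team_vpcs: int, vpn_gb_out: Decimal,
                           peering_gb: Decimal) -> list:
    """Total monthly cost for 1..max_team_vpcs team VPCs with the traffic volumes
    held fixed, so that the per-VPC fixed charge is visible on its own."""
    return [(n, monthly_cost(PointToPointAssumptions(n, vpn_gb_out, peering_gb))["total"])
            for n in range(1, max_team_vpcs + 1)]


# The page's worked example: 4 VPN connections (assumed here to be 3 team VPCs plus
# the shared services VPC), 999 GB out over VPN and 2,000 GB across peering per month.
PAGE_EXAMPLE = PointToPointAssumptions(
    team_vpcs=3,
    vpn_gb_out_per_month=Decimal("999"),
    peering_gb_per_month=Decimal("2000"),
)
# Figure quoted on the page for its transit gateway example; not computed here.
TRANSIT_GATEWAY_EXAMPLE_TOTAL = Decimal("348.91")

if __name__ == "__main__":
    for key, value in monthly_cost(PAGE_EXAMPLE).items():
        print(f"{key}: {value}")
    print(f"transit gateway example total (from the page): {TRANSIT_GATEWAY_EXAMPLE_TOTAL}")
    for n, total in cost_by_team_vpc_count(8, PAGE_EXAMPLE.vpn_gb_out_per_month,
                                           PAGE_EXAMPLE.peering_gb_per_month):
        print(f"{n} team VPCs -> {n + 1} VPN connections, ${total}/month")
```

Running the script prints the page's breakdown ($235.91 VPN, $20.00 peering, $255.91 total) and then the totals for one to eight team VPCs with traffic held constant; each extra VPC adds $36.50/month in fixed VPN charges before any data moves. The cost is only one side of the comparison: each VPN connection in this design is a separate pair of IPsec tunnels with its own customer gateway configuration, pre-shared keys and monitoring, so operational effort scales with VPC count as well.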
See the AWS Global Transit Network solution for an architecture and solution that uses commercial router virtual appliances in a transit VPC. This architecture was a common pattern used by customers prior to the advent of AWS Transit Gateway.
In this architecture, you establish a site-to-site VPN connection directly from your on-premises network to several commercial router virtual appliances that you manage in a central infrastructure transit VPC. AWS Site-to-Site VPN is not used for the on-premises to commercial router integration. Because the router appliances are instances you operate, their patching, high availability, and hardening are your responsibility rather than the service's.
AWS Site-to-Site VPN connections are established between the router virtual appliances and a virtual private gateway in each of your VPCs.
The AWS Global Transit Network solution documentation outlines cost considerations.