
I want to set up an AWS Client VPN for managing remote access. There are around 100 users who need to access the VPN on a daily basis. For this, I am assuming that all users would be connected to the VPN for 12 hrs per day. There are around 8 subnets that I need to associate with this VPN. As per the AWS official pricing, the pricing is based on two criteria:

AWS Client VPN endpoint association: $0.15 per hour (ap-south-1)

AWS Client VPN connection: $0.05 per hour (ap-south-1)

The total amount will be charged for the number of active client connections per hour and the number of subnets that are associated with Client VPN per hour. So with this my total amount is estimated as:

100 (no. of active clients) * 12 (total hrs/day) * 30 (monthly) * 0.05 (connection cost) + 8 (total subnets) * 1 (endpoint) * 12 (total hrs/day) * 30 (monthly) * 0.15 (endpoint cost) = $2232/month

My question is: this cost is too much compared to other external VPN providers. Is my understanding of the VPN pricing wrong, or is this exactly what it will cost me? This pricing is not justifiable to me.

darkKnight
    I don't think it's necessary to associate 8 subnets. 1 subnet per availability zone would suffice, no? You can route the traffic to the rest via Route Table Routes and VPC Peering Connections – dimisjim Feb 12 '21 at 09:35

1 Answer


My interpretation of the pricing is:

AWS Client VPN endpoint association @ $0.10/hr: $0.15 * 24 (hours) * 30 (days) * 8 (subnets) = $864

AWS Client VPN connection @ $0.05 per hour: $0.05 * 100 (users) * 12 (hours) * 20 (days per month) = $1200

Total $2064 per month, which is close to what you said, maybe because I used 20 business days per month rather than 30 days. The pricing page doesn't say you're charged for bandwidth, but it wouldn't surprise me if AWS charged for that as well anyway.

It seems fairly expensive, but I don't know how it compares with standard remote access setups. I suggest integrating it with Active Directory and MFA for security; you can use a client certificate, but that's a single factor with no password.

The calculations make it easy to see how to reduce cost:

  • Associate with fewer subnets - maybe you can proxy / route something differently, perhaps by using a bastion, but that makes it less usable
  • Turn it off outside business hours by removing subnet associations - this is easy to automate but means no-one can log in at all outside business hours
  • Reduce user numbers or connection time - perhaps there's a way to drop idle connections?
Tim
  • Perfect! That means I am doing the right estimation. I know this is fairly expensive and I cannot put a bar on subnets or users. So I will explore any external tool. – darkKnight Nov 01 '20 at 11:26
  • I agree with these estimations. Can someone here confirm them? My main doubt is whether the endpoint association charge is per subnet or per VPC. BTW, AWS will charge for outgoing traffic for sure. – Federico Dec 31 '20 at 00:57
  • @Federico You can use split tunneling to only route VPC traffic through the VPN. – dimisjim Feb 12 '21 at 09:37