Comparing Amazon VPC Connectivity Options

In August 2009 Amazon announced its Virtual Private Cloud (VPC) service, essentially giving enterprise customers worried about security and control in the cloud a solution to that concern. Since then the Amazon VPC has matured as more and more services have become available from within the VPC.

Amazon Virtual Private Cloud allows IT administrators to provision a private, isolated section of the Amazon Web Services (AWS) Cloud where they can launch AWS resources in a virtual network that they define. They can have complete control over the virtual networking environment, including selection of IP address ranges, configuration of routing tables, subnets and network gateways.

Furthermore, customers can connect their existing data centers and branch offices to the Amazon VPC and access the AWS cloud as if it were an extension of the corporate network. This connectivity between the corporate offices and the Amazon VPC can be accomplished in several ways.

In this short blog, we will explore the options available for connecting the enterprise network to the Amazon VPC whilst we compare and contrast the advantages, disadvantages and associated costs.

Amazon Direct Connect

AWS Direct Connect is an AWS service that allows you to establish a dedicated network connection between your WAN and the Amazon Web Services global network. If your corporate network has a presence in one of the Direct Connect locations, Direct Connect provides dedicated 1G or 10G connectivity between your network equipment at that location and Amazon’s routers.

Pricing information can be found here.

If connecting in London Telecity, a single 1G port will cost at least $223 per month for the port connection-hours. Additionally you pay $0.03 per GB for data transfers outbound from the VPC to the corporate network. Furthermore, if your corporate offices and datacenters are already reachable from the Direct Connect peering location across the enterprise WAN, only minimal configuration will be required to route traffic between the VPC and those offices.

Advantages

  • Reduces bandwidth costs for traffic-heavy applications.
  • Provides consistent network performance compared to other options.
  • Can be used for accessing AWS services outside the VPC.

Disadvantages

  • Requires existing network presence in a very limited set of locations.
  • Requires more complex network hardware and configuration, for example 802.1Q VLANs and BGP.
  • If the traffic loads are not heavy enough, this is an expensive option.
  • Not very elastic: the options are 1G or 10G ports, with nothing in between.


Amazon Hardware VPN

Amazon allows compatible customer VPN gateways to access the VPC over an industry-standard, encrypted IPsec hardware VPN connection.

Back in September 2012, Amazon added a new feature that allowed administrators to create Hardware VPN connections to the VPC using static routing. This means users can establish connectivity using VPN devices that do not support BGP such as Cisco ASA and Microsoft Windows Server 2008 R2. A list of devices that have been tested by AWS can be found here.

Pricing information can be found here.

You are charged for each "VPN Connection-hour" that your VPN connection is provisioned and available. You also incur standard AWS data transfer charges for all data transferred via the VPN Connection.

For example, in the eu-west-1 region, a single VPN connection will cost $37 per month for the connection-hours. Additionally you pay $0.12 per GB for data transfers outbound from the VPC to the corporate network over the internet.

Advantages

  • Easier to configure and install.
  • Compatibility with any IPSec VPN implementation.
  • Hardware VPNs are more reliable than their software based counterparts.
  • Highly available on the Amazon side. By default, two tunnels are configured in an active/standby arrangement.

Disadvantages

  • VPN hardware generally can’t support data transfer rates above 4 Gbps.
  • More expensive than network appliances running as EC2 instances.
  • By default, a VPC supports a maximum of 10 VPN connections.


EC2 instance network appliance

Another method for connecting to Amazon VPC is to use a standard EC2 instance as a software-based network appliance. These vary in complexity from a DIY Linux instance with manually installed packages to Linux-based packaged network appliances – e.g. Vyatta – that offer a comprehensive set of features including site-to-site IPsec VPN.

Depending on the instance size and reservation the monthly cost will vary.

Advantages

  • The cheapest option for VPN connectivity, especially for a large number of remote sites.
  • Can handle a very large number of remote sites: tens of tunnels on an m1.small.
  • Can scale vertically by simply increasing the instance size.
  • Can offer additional services such as NAT, web proxy, remote user VPN and more.

Disadvantages

  • VPN hardware generally can’t support data transfer rates above 4 Gbps.
  • Is more complex to set up in a highly available configuration. Traditional HA solutions require broadcast or multicast in order to attach a virtual IP to the master node. AWS, like any other cloud platform, doesn’t allow broadcast or multicast traffic on its network. At Cloudreach we use a custom set of scripts and services that use the Amazon Web Services APIs to maintain high availability.
  • Extra operational overheads to cover monitoring and support.


Cost comparison

Assumptions

Number of remote sites: 100.
High availability: Active/Standby.
Data transfer: Not included (The costs will be the same regardless of the connection method).
Region: EU West (Ireland).

Case 1: AWS Direct Connect

Direct Connect is only suitable for larger enterprises that have an existing presence in a Direct Connect peering location; for the EU region these are in London. Also, data transfer rates to AWS have to be big enough to justify the additional costs.

Comparing the costs between Direct Connect and the other options is not possible, since the costs associated with the WAN presence in an Amazon Direct Connect peering location are difficult to estimate.

Case 2: Hardware VPN

The per-hour cost of Hardware VPN is $0.05 per hour per VPN connection. The total per-hour cost for 100 VPN connections will be 100 * 0.05 = $5.00 per hour.

For customers with a relatively small number of sites, hardware VPN has to be the way to go. It moves the day to day operations and support to Amazon alongside all the other cloud infrastructure services.

For customers who require connecting a large number of remote sites, Hardware VPN is a very costly option. Based on 100 VPN connections, this will cost $3720 per month – not including the data transfer costs.

Case 3: Using Vyatta Software VPN

If we assume an hourly running cost of $0.085 for an on-demand m1.small instance, then the running cost per hour for hosting 100 VPN connections on two instances configured in active/standby is 0.085 * 2 = $0.17 per hour. Furthermore, if you consider a 1 year heavy reservation for these instances, then the effective hourly rate – including the upfront fee – is dramatically reduced to approximately $0.095 per hour for the two instances.

Finally, for enterprises that do not feel comfortable with free and open source software, commercial options are available in the AWS Marketplace, for example Vyatta. This additional cost amounts to approximately $0.31 per hour, taking the total cost in this case to 0.31 + 0.095 = $0.40 per hour for connecting all 100 sites to Amazon VPC.

Cloudreach have a number of customers currently running an m1.small instance to handle 100+ VPN connections successfully – with moderate data throughput. Furthermore, if the amount of data transferred over the VPN increases significantly, an m1.small instance will not be enough and a larger instance has to be used. The effort required to make this transition is minimal, as the upgrade to a larger instance is very straightforward.
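The arithmetic in Cases 1 to 3 generalised into a small cost model, as an added example that is not part of the original post or Cloudreach's tooling: it uses only the prices quoted above, optionally adds the per-GB outbound rates given for Direct Connect ($0.03) and the internet path ($0.12), and computes the outbound volume at which a single 1G Direct Connect port becomes cheaper than N hardware VPN connections. The 744-hour month (which reproduces the $37, $3720 and $223 monthly figures) and the function names are my assumptions.

```python
# Cost model for the connectivity options in this post (added example, not Cloudreach's code).
# Prices are those quoted in the post (eu-west-1 / London Telecity at the time of writing);
# the 744-hour (31-day) month is an assumption that reproduces the post's monthly figures.
HOURS_PER_MONTH = 744

DIRECT_CONNECT_1G_PORT_PER_MONTH = 223.0   # port connection-hours, London Telecity
DIRECT_CONNECT_OUT_PER_GB = 0.03           # VPC -> corporate network over Direct Connect
HARDWARE_VPN_PER_CONNECTION_HOUR = 0.05    # per provisioned VPN connection
INTERNET_OUT_PER_GB = 0.12                 # VPC -> corporate network over the internet
M1_SMALL_ON_DEMAND_PER_HOUR = 0.085
M1_SMALL_RESERVED_PAIR_PER_HOUR = 0.095    # effective rate for two 1-year heavy reserved instances
VYATTA_MARKETPLACE_PER_HOUR = 0.31         # commercial Vyatta licence, as quoted for the pair

def hardware_vpn_monthly(sites, out_gb=0.0):
    """One AWS hardware VPN connection per remote site, plus internet egress."""
    return sites * HARDWARE_VPN_PER_CONNECTION_HOUR * HOURS_PER_MONTH + out_gb * INTERNET_OUT_PER_GB

def ec2_appliance_monthly(out_gb=0.0, reserved=True, commercial=False):
    """Two software VPN instances in active/standby; the site count does not change the price."""
    pair = M1_SMALL_RESERVED_PAIR_PER_HOUR if reserved else 2 * M1_SMALL_ON_DEMAND_PER_HOUR
    licence = VYATTA_MARKETPLACE_PER_HOUR if commercial else 0.0
    return (pair + licence) * HOURS_PER_MONTH + out_gb * INTERNET_OUT_PER_GB

def direct_connect_monthly(out_gb=0.0, ports=1):
    """1G Direct Connect port(s); WAN costs to reach the peering location are not modelled."""
    return ports * DIRECT_CONNECT_1G_PORT_PER_MONTH + out_gb * DIRECT_CONNECT_OUT_PER_GB

def direct_connect_breakeven_gb(sites):
    """Outbound GB/month above which one 1G port undercuts `sites` hardware VPN connections."""
    fixed_gap = direct_connect_monthly() - hardware_vpn_monthly(sites)
    if fixed_gap <= 0:
        return 0.0  # the port is already cheaper on connection-hours alone
    # Direct Connect egress is cheaper per GB, so the fixed gap closes by the rate difference per GB.
    return fixed_gap / (INTERNET_OUT_PER_GB - DIRECT_CONNECT_OUT_PER_GB)

def compare(sites, out_gb=0.0):
    """Monthly cost in USD of every option for the given site count and outbound volume."""
    return {
        "hardware_vpn": round(hardware_vpn_monthly(sites, out_gb), 2),
        "ec2_m1_small_reserved": round(ec2_appliance_monthly(out_gb), 2),
        "ec2_vyatta_commercial": round(ec2_appliance_monthly(out_gb, commercial=True), 2),
        "direct_connect_1g": round(direct_connect_monthly(out_gb), 2),
    }

if __name__ == "__main__":
    for n in (1, 10, 100):
        print(n, "sites:", compare(n), "DC break-even GB:", round(direct_connect_breakeven_gb(n)))
```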

Finally, adding a NAT instance to a VPC is now becoming a necessity for instances that need to access the Internet. Instances inside the VPC can only do that through a NAT instance or an Elastic IP. The Elastic IP requires adding a 0.0.0.0/0 route to the Internet gateway, which might not be possible depending on the customer’s network topology. Vyatta works well as a NAT instance, and it offers many other features at the same price as the Amazon-provided NAT instance, which is practically just an Amazon Linux instance with some default iptables masquerade rules. This means you can implement NAT alongside the IPsec VPN, which eliminates the need for a separate NAT instance.


Conclusion

The difference in cost between hardware VPN and Vyatta is as follows:

Vyatta cost per hour for 100 VPN: $0.095
Hardware VPN cost per hour for 100 VPN: $5.00

This is a significant difference in cost. Even if an m1.small instance is not sufficient and a larger instance has to be used, the cost difference is so big that for customers with a large number of remote sites I do not think that the hardware VPN is an option.

However, for a small number of sites, hardware VPN is still the way to go. It’s very simple to configure and now supports a range of devices.

As usual, please reach out to us if you need any help or advice using AWS!