
AWS Secure Environment – Data Transfer Costs

Usually, when we price our services and resources in the different clouds, we do not take into account the cost that Data Transfer can have within the cloud itself, or even outside it.

In this post I will try to explain the cost that Data Transfer can have in the AWS Ireland region within a secure environment with firewalls, interconnected through a Transit Gateway and connected to an on-premises environment through Direct Connect.

In this environment we will use two AWS accounts as primary accounts:

  • Security Account → In this account we will create several VPCs where the different firewalls will be deployed to control the traffic between VPCs and on-prem, and the inbound and outbound traffic to the Internet.
  • Networking Account → In this account we will deploy the Transit Gateway (shared with the rest of the AWS accounts through AWS Resource Access Manager) and Direct Connect.

Environment connectivity

We will configure the connectivity of the environment using routing as follows:

  • Connectivity between VPCs through 2 x Firewalls, to provide higher throughput and HA through ECMP, with 2 x VPN connections from the firewalls to the Transit Gateway (1.25 Gb throughput per VPN).
  • Internet Outbound through 2 x Firewalls, to provide higher throughput and HA through ECMP, with 2 x VPN connections from the firewalls to the Transit Gateway (1.25 Gb throughput per VPN).
  • Internet Inbound via 2 x Firewalls to provide HA, with 2 x Transit Gateway VPC attachments (1 x Fw per attachment).
  • A Transit Gateway VPC attachment will be used for inbound Internet traffic that arrives through AWS services.


Routing

For the environment to work properly we have to configure routes in the different VPCs and in the Transit Gateway.

In VPCs with Internet access, we have to configure a default route to an Internet Gateway and routes to the internal VPCs through the Transit Gateway.

In internal VPCs, the default route should point to the Transit Gateway.

In the Transit Gateway we would have to configure the following route tables:

Route table for Internal VPCs:

  • Routes for each VPC through the FW East-West VPN attachment.
  • The default route (Internet exit) through the FW Outbound Internet VPN attachment.
  • Through propagation, the routes towards the VPCs that receive incoming traffic from the Internet.
  • The route to on-prem through the Direct Connect Gateway attachment.

Route table for the FW East-West and FW Outbound Internet VPN attachments and the Inbound Internet traffic VPCs:

  • Through propagation, the routes to each internal VPC.
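The routing design above can be checked before anything is deployed. The following is an added example, not configuration from the original post: it models the two Transit Gateway route tables as longest-prefix-match tables, records which attachment is associated with which table, and walks a packet from the attachment it enters on until it is delivered, sent to the Internet Gateway, or blackholed. The attachment names, the VPC CIDRs and the firewall VPC's own route table are constructed assumptions; the page gives no addressing.

```python
"""Longest-prefix-match walk through the two Transit Gateway route tables
described on the page. Attachment names, VPC CIDRs and the firewall VPC's own
route table are constructed for this example; the page gives no addressing."""
import ipaddress

# Which TGW route table each attachment is associated with: the table the TGW
# consults for traffic *entering* on that attachment.
ASSOCIATION = {
    "attach-vpc-a": "internal-vpcs",
    "attach-vpc-b": "internal-vpcs",
    "attach-vpc-c": "internal-vpcs",
    "attach-vpn-fw-east-west": "fw-and-inbound",
    "attach-vpn-fw-outbound": "fw-and-inbound",
    "attach-vpc-fw-inbound": "fw-and-inbound",
    "attach-vpc-aws-services": "fw-and-inbound",
}

# (prefix, next-hop attachment); comments mark static vs propagated as the page lists them.
TGW_ROUTE_TABLES = {
    "internal-vpcs": [
        ("10.1.0.0/16", "attach-vpn-fw-east-west"),    # static: VPC A via East-West FW
        ("10.2.0.0/16", "attach-vpn-fw-east-west"),    # static: VPC B via East-West FW
        ("10.3.0.0/16", "attach-vpn-fw-east-west"),    # static: VPC C via East-West FW
        ("10.100.0.0/16", "attach-vpc-fw-inbound"),    # propagated: Inbound FW VPC
        ("10.101.0.0/16", "attach-vpc-aws-services"),  # propagated: AWS services VPC
        ("192.168.0.0/16", "attach-dx-gateway"),       # static: on-prem via DX Gateway
        ("0.0.0.0/0", "attach-vpn-fw-outbound"),       # static default: Outbound FW
    ],
    "fw-and-inbound": [
        ("10.1.0.0/16", "attach-vpc-a"),  # propagated from each internal VPC
        ("10.2.0.0/16", "attach-vpc-b"),
        ("10.3.0.0/16", "attach-vpc-c"),
    ],
}

# The firewall VPC's own route table (assumption): internal and on-prem ranges go
# back to the TGW over the VPN; everything else goes to the Internet Gateway.
FIREWALL_VPC_ROUTES = [
    ("10.0.0.0/8", "tgw"),
    ("192.168.0.0/16", "tgw"),
    ("0.0.0.0/0", "igw"),
]


def lookup(routes, dst_ip):
    """Longest-prefix match; returns the target, or None when nothing matches."""
    ip = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for prefix, target in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def trace(ingress_attachment, dst_ip, max_hairpins=3):
    """Hops a packet takes from the attachment it enters the TGW on until it is
    handed to a VPC, the DX gateway or the Internet Gateway, or dropped."""
    hops = [ingress_attachment]
    attachment = ingress_attachment
    for _ in range(max_hairpins + 1):
        table = ASSOCIATION[attachment]
        next_hop = lookup(TGW_ROUTE_TABLES[table], dst_ip)
        hops.append(f"tgw:{table}")
        if next_hop is None:
            hops.append("blackhole")          # no route in the associated table
            return hops
        hops.append(next_hop)
        if not next_hop.startswith("attach-vpn-fw"):
            return hops                       # delivered to a VPC or the DX gateway
        # Inspected by the firewall; its VPC route table decides the next leg.
        if lookup(FIREWALL_VPC_ROUTES, dst_ip) == "igw":
            hops.append("internet-gateway")
            return hops
        attachment = next_hop                 # hairpin: back into the TGW on the VPN attachment
    hops.append("loop")
    return hops


if __name__ == "__main__":
    for src, dst in [("attach-vpc-c", "10.2.0.10"), ("attach-vpc-c", "203.0.113.5"),
                     ("attach-vpc-c", "192.168.10.1"), ("attach-vpc-fw-inbound", "10.3.0.7")]:
        print(f"{src} -> {dst}: " + " -> ".join(trace(src, dst)))
```

Two things the walk makes visible: east-west traffic enters the Transit Gateway twice (once from the VPC, once from the firewall's VPN attachment), which matters for the data-processing charges later on the page, and the firewall/inbound table carries only the internal VPC prefixes, so anything entering on those attachments with an unknown destination is blackholed rather than forwarded.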


Costs

In this scenario, the costs we have to handle (regardless of the firewall we deploy in our infrastructure) are the following:

  • Transit Gateway
    • Data processed: $0.02 per Gb
    • Each attachment to the Transit Gateway (Ireland): $0.05 per hour
  • Direct Connect
    • Inbound data: free
    • Outbound data: $0.02 per Gb
  • Internet
    • Inbound data: free
    • Outbound data: $0.09 per Gb
  • VPN
    • $0.05 per Site-to-Site VPN connection per hour

Scenario 1 – Data Transfer between VPCs (East – West)

In this case we are going to move 1 Tb of data between VPC C and VPC B.

Through the route tables configured above, we "force" the traffic leaving VPC C towards the Transit Gateway. From the Transit Gateway it is sent to the East-West VPN firewall, and from the firewall back to the Transit Gateway. Finally, as the last hop, it goes from the Transit Gateway to VPC B.

Data flow summary:

VPC C → Transit Gateway → VPN Fw East-West → Transit Gateway → VPC B

Costs

Moving 1 Tb of data between internal VPCs in a month would have the following cost:

Scenario 2 – Internet Egress Traffic

In this case we are going to send 1 Tb of data from VPC C to the Internet, simulating a file upload.

Applying the default route configured in the Transit Gateway route table for internal VPCs, all traffic for which we have no more specific route is sent through the FW Outbound Internet VPN attachment: the traffic leaves VPC C towards the Transit Gateway, the Transit Gateway sends it to the Outbound Internet VPN firewall, and the firewall, through the routes of its own VPC, sends it to the Internet Gateway.

Data flow summary:

VPC C → Transit Gateway → VPN Fw Outbound Internet → Internet

Costs

The cost of sending 1 Tb of outbound Internet traffic from an internal VPC in one month would be as detailed below:

Scenario 3 – On-Prem Outbound Traffic via Direct Connect

In this scenario we are going to download a 1 Tb file from a VPC to a PC at our headquarters through the Direct Connect associated with the Transit Gateway.

Through the route tables we could send the traffic to on-prem through the firewalls deployed in AWS before it enters Direct Connect, since we may not have a security device on-prem to filter the traffic exchanged with AWS over Direct Connect.

To simplify this scenario we are going to route the traffic directly through the Direct Connect Gateway attachment.

As in the previous scenarios, the traffic leaves the VPC and goes to the Transit Gateway, which, through its route table, sends it to the Direct Connect Gateway attachment.

Data flow summary:

VPC → Transit Gateway → Direct Connect → On-Prem


Costs

The cost of processing 1 TB of outbound data to on-prem via Direct Connect from an internal VPC in one month would be as follows:

Scenario 4 – Inbound Internet Traffic to a VPC

For inbound Internet traffic we have two possible scenarios:

  1. Traffic through AWS services
  2. Traffic through the firewalls deployed on AWS

In both scenarios the traffic follows essentially the same flow. The request arrives from the Internet at the AWS services VPC or at the FW Inbound Internet VPC, and from there it goes to the Transit Gateway, which sends it to the destination VPC.

Data flow summary:

Internet → VPC AWS Services\VPC Fw Inbound Internet → Transit Gateway → VPC

Costs

The cost of receiving 1 Tb of inbound Internet traffic to an internal VPC in one month would be the following:
