
Can’t you do that “AWS native” with private link or vpc peering? I’m a noob with these so I don’t understand the benefit of netmaker


The goal isn't to make the networks seem like one and connect resources across accounts, which is what those products do.

My goal is to access private resources via SSH bastion/jump machines in a specific account. There are a few ways to do this in AWS, but all of them are more costly by a pretty wide margin.


https://docs.aws.amazon.com/systems-manager/latest/userguide...

  aws ssm start-session --target "$INSTANCE_ID"


This is the best way to connect to your instances. However you still need the SSM agent installed and the right IAM permissions.


You can forward ssh through ssm, and dump that into your ssh config file. Works pretty nicely with some of the sso automation for the cli that's around these days.
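
Added example, not part of the comment above: an OpenSSH client configuration that tunnels SSH through Session Manager with the `AWS-StartSSHSession` document, as the comment describes. The host alias, instance ID, user name, key path, profile name and region are constructed placeholders.

```sshconfig
# ~/.ssh/config
# Client needs: AWS CLI plus the Session Manager plugin.
# Instance needs: a running SSM agent and an instance profile that lets it
# register with Systems Manager.
# Caller needs: ssm:StartSession on the instance and on the
# AWS-StartSSHSession document.

# Any bare instance ID typed as the host name is routed through SSM.
Host i-* mi-*
    ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"

# Named alias for one jump host (all values below are constructed placeholders).
Host bastion-example
    HostName i-0123456789abcdef0
    User ec2-user
    IdentityFile ~/.ssh/id_ed25519
    # Pin the SSO-backed CLI profile and region so the tunnel opens in the intended account.
    ProxyCommand sh -c "aws --profile example-sso --region us-east-1 ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
```

sshd still authenticates the key as usual; SSM only carries the TCP stream, so the instance's security group needs no inbound port 22.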


Is this using SSM’s raw port forwarding support? From what I’ve seen, their protocols seem to lack binary safety (we get weird encoding issues).


Without knowing the specifics of your situation, I would slightly suspect client/configuration if you’re encountering encoding issues. In my experience, integrating ssh and ssm is quite stable (provided you’re using OpenSSH and not a specific language client’s own implementation of the protocol).



AWS VPN is pretty cost effective, we used it for a few years with a multi-account setup. And it's pretty much zero work.


Unless you're transferring a lot of data, such as video streaming or copying files. Looks like $90/TB for egress.



