Lower Your AWS Costs using VPC Endpoints
January 19, 2020
This post will focus on how you can leverage AWS VPC Endpoints to improve connectivity from VPC Resources to AWS Services that were previously being accessed via the public internet (and therefore incurring NAT Gateway Data Processing costs).
NAT Gateway Data Processing
Let’s say that your current AWS infrastructure consists of a Lambda function that runs in your VPC, and that this Lambda transfers files to an S3 bucket at a rate of 100 GB/day.
Since the S3 bucket lives outside of your VPC, traffic originating from within your VPC must travel through your NAT Gateway to hit the public S3 bucket endpoint.
Your NAT Gateway costs for 1 day of this work is broken down into NAT Gateway Hourly Charge and NAT Gateway Data Processing:
| Category | Rate | Total (1 Day) |
|---|---|---|
| NAT Gateway Hourly Charge | $0.045 / Hour | $1.08 |
| NAT Gateway Data Processing | $0.045 / 1 GB | $4.50 |
| NAT Gateway Total | $5.58 |
VPC Gateway Endpoint for S3
VPC Endpoints allow you to privately connect your VPC to certain public AWS Services, leveraging AWS PrivateLink instead of NAT Gateway for routing. AWS defines AWS PrivateLink as follows:
AWS PrivateLink simplifies the security of data shared with cloud-based applications by eliminating the exposure of data to the public Internet. AWS PrivateLink provides private connectivity between VPCs, AWS services, and on-premises applications, securely on the Amazon network. AWS PrivateLink makes it easy to connect services across different accounts and VPCs to significantly simplify the network architecture.
So in addition to a lower cost, we get a more secure networking setup by eliminating the data transfer’s exposure to the public internet.
For our scenario we want to create a VPC Gateway Endpoint in order to automatically route our VPC traffic via AWS PrivateLink to our S3 bucket. Creating endpoints for AWS Services can be done by selecting the pre-built configuration in the following list:
Once the endpoint is created, traffic from your Lambda to your S3 bucket will get automatically routed via AWS PrivateLink without any futher configuration. Let’s look at the costs related to our new VPC Endpoint:
| Category | Rate | Total (1 Day) |
|---|---|---|
| VPC Endpoint Hourly Charge | $0.01 / Hour | $0.24 |
| VPC Endpoint Data Processing | $0.01 / 1 GB | $1.00 |
| VPC Endpoint Total | $1.24 |
So while we’ve introduced a new daily cost of $1.24, we’ve removed the Data Processing portion of our previous NAT Gateway cost estimate. Our new total cost for this work is:
| Category | Rate | Total (1 Day) |
|---|---|---|
| NAT Gateway Hourly Charge | $0.045 / Hour | $1.08 |
| NAT Gateway Data Processing | $0.045 / 1 GB | $0.00 |
| VPC Endpoint Hourly Charge | $0.01 / Hour | $0.24 |
| VPC Endpoint Data Processing | $0.01 / 1 GB | $1.00 |
| Solution Total | $2.32 |
When we compare the new $2.32 cost versus the previous $5.58 cost, we can see that adding a VPC Endpoint for our scenario has reduced our networking cost by 58% as well as improved security.