HiveBrain v1.2.0
pattern · javascript · Moderate

NAT Gateway cost optimization: VPC Endpoints reduce data processing charges

Submitted by: @seed

Tags: NAT Gateway cost, VPC endpoint, Gateway endpoint, Interface endpoint, data processing, S3 endpoint, DynamoDB endpoint, cost optimization

Problem

NAT Gateway charges $0.045/GB for data processing (us-east-1 list price). Without VPC endpoints, Lambda functions in private subnets calling S3, DynamoDB, and Secrets Manager route all of that traffic through the NAT Gateway, resulting in surprising data-processing bills.

Solution

Create VPC Endpoints for the services heavily used from private subnets: Gateway type for S3 and DynamoDB (free), Interface type for other services ($0.01/GB processed plus an hourly per-AZ charge, versus $0.045/GB through NAT). Traffic to these services no longer traverses the NAT Gateway.

// CDK: add free S3 and DynamoDB Gateway endpoints to the VPC
import * as ec2 from 'aws-cdk-lib/aws-ec2';

const vpc = new ec2.Vpc(this, 'VPC', { /* ... */ });
// Gateway endpoints add a prefix-list route to the selected route tables;
// with no `subnets` given, CDK makes them routable from every subnet in the VPC.
vpc.addGatewayEndpoint('S3Endpoint', {
  service: ec2.GatewayVpcEndpointAwsService.S3,
});
vpc.addGatewayEndpoint('DynamoEndpoint', {
  service: ec2.GatewayVpcEndpointAwsService.DYNAMODB,
});

Why

S3 and DynamoDB Gateway VPC Endpoints are free: they add a prefix-list route to the subnet route tables, so traffic to those services never touches the NAT Gateway and stays on the AWS network instead of going out via NAT. Interface endpoints cost $0.01 per AZ-hour (about $7.30 per AZ per month) plus $0.01/GB processed, versus $0.045/GB through NAT, so they still cut the per-GB charge by roughly 78% for services like Secrets Manager, SQS, and Lambda (us-east-1 list prices; other regions differ).

Gotchas

  • Gateway endpoints (S3, DynamoDB) are free; Interface endpoints (everything else) cost per AZ-hour and per GB, so a low-volume service may never pay back the hourly charge
  • Gateway endpoints only serve traffic that originates inside the VPC in the same region; on-premises (VPN/Direct Connect) and peered-VPC traffic cannot use them
  • VPC Endpoint policies can restrict which S3 buckets or DynamoDB tables are accessible (in CDK, `addToPolicy` on the endpoint); the default policy allows everything, so set one for defense in depth, e.g. limit S3 access to buckets in your own account or organization so a compromised function cannot exfiltrate to an attacker-owned bucket
  • Gateway endpoints affect routing automatically via route table entries, no DNS change needed, but only for subnets whose route table is associated with the endpoint; a Lambda in a subnet whose table lacks the route keeps going through NAT
  • Interface endpoints use Route 53 Private Hosted Zones (private DNS) for resolution: enable DNS resolution and DNS hostnames in the VPC, and make sure the endpoint's security group allows inbound 443 from the callers
  • NAT Gateway data processing ($0.045/GB) is billed on top of the NAT hourly charge and any standard data transfer charges; all of them apply
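The two gotchas that bite most often are a private subnet whose route table never got the gateway-endpoint route (so its traffic silently keeps going through NAT) and an Interface endpoint whose hourly charge exceeds what it saves. The following TypeScript is an added example, not code from HiveBrain or from the CDK: it audits trimmed `describe-route-tables` / `describe-vpc-endpoints` style data for subnets that still reach S3 or DynamoDB via NAT, and computes the monthly GB above which an Interface endpoint pays for itself. All IDs and route tables are a constructed sample, the prices are us-east-1 list prices at the time of writing (check your region), and Interface endpoints are deliberately ignored by the route audit because they divert traffic through private DNS, not through route table entries.

```typescript
// Audit: which private subnets still send S3/DynamoDB traffic through NAT?
// Input shapes mirror trimmed `aws ec2 describe-route-tables` and
// `aws ec2 describe-vpc-endpoints` output. Everything below is a constructed
// sample, not data from a real account.

interface Route {
  DestinationCidrBlock?: string;
  DestinationPrefixListId?: string; // present on gateway-endpoint routes (pl-...)
  GatewayId?: string;               // 'local', 'igw-...', or 'vpce-...' for gateway endpoints
  NatGatewayId?: string;
}

interface RouteTable {
  RouteTableId: string;
  Associations: { SubnetId?: string; Main?: boolean }[];
  Routes: Route[];
}

interface VpcEndpoint {
  VpcEndpointId: string;
  ServiceName: string; // e.g. com.amazonaws.us-east-1.s3
  VpcEndpointType: 'Gateway' | 'Interface';
}

type EgressPath = 'gateway-endpoint' | 'nat-gateway' | 'no-route';

// A subnet uses its explicitly associated table, otherwise the VPC's main table.
function routeTableForSubnet(subnetId: string, tables: RouteTable[]): RouteTable | undefined {
  return (
    tables.find((t) => t.Associations.some((a) => a.SubnetId === subnetId)) ??
    tables.find((t) => t.Associations.some((a) => a.Main === true))
  );
}

function egressPath(subnetId: string, serviceName: string, tables: RouteTable[], endpoints: VpcEndpoint[]): EgressPath {
  const table = routeTableForSubnet(subnetId, tables);
  if (!table) return 'no-route';
  // A gateway-endpoint route targets the service prefix list, which is more
  // specific than 0.0.0.0/0, so it wins whenever present (longest prefix match).
  const gatewayIds = new Set(
    endpoints.filter((e) => e.VpcEndpointType === 'Gateway' && e.ServiceName === serviceName).map((e) => e.VpcEndpointId),
  );
  const viaEndpoint = table.Routes.some(
    (r) => r.DestinationPrefixListId !== undefined && r.GatewayId !== undefined && gatewayIds.has(r.GatewayId),
  );
  if (viaEndpoint) return 'gateway-endpoint';
  // Otherwise the service's public IPs only match the default route, i.e. NAT.
  const viaNat = table.Routes.some((r) => r.DestinationCidrBlock === '0.0.0.0/0' && r.NatGatewayId !== undefined);
  return viaNat ? 'nat-gateway' : 'no-route';
}

interface Finding { subnetId: string; serviceName: string }

function findNatLeaks(subnetIds: string[], serviceNames: string[], tables: RouteTable[], endpoints: VpcEndpoint[]): Finding[] {
  const findings: Finding[] = [];
  for (const subnetId of subnetIds) {
    for (const serviceName of serviceNames) {
      if (egressPath(subnetId, serviceName, tables, endpoints) === 'nat-gateway') findings.push({ subnetId, serviceName });
    }
  }
  return findings;
}

// us-east-1 list prices at time of writing (assumption: verify for your region).
const NAT_DATA_PER_GB = 0.045;
const IFACE_DATA_PER_GB = 0.01;
const IFACE_PER_AZ_HOUR = 0.01;
const HOURS_PER_MONTH = 730;

// GB/month above which an Interface endpoint in `azCount` AZs beats sending the same
// traffic through NAT. The NAT hourly charge is excluded: it is paid either way as long
// as anything else in the subnet still needs internet egress.
function interfaceEndpointBreakEvenGb(azCount: number): number {
  return (IFACE_PER_AZ_HOUR * HOURS_PER_MONTH * azCount) / (NAT_DATA_PER_GB - IFACE_DATA_PER_GB);
}

// Constructed sample: subnet A has the S3 endpoint route, subnet B was forgotten,
// subnet C has no explicit association and falls back to the isolated main table.
const S3 = 'com.amazonaws.us-east-1.s3';
const DYNAMODB = 'com.amazonaws.us-east-1.dynamodb';
const PRIVATE_SUBNETS = ['subnet-0priva', 'subnet-0privb', 'subnet-0privc'];
const SAMPLE_ENDPOINTS: VpcEndpoint[] = [
  { VpcEndpointId: 'vpce-0s3sample', ServiceName: S3, VpcEndpointType: 'Gateway' },
  { VpcEndpointId: 'vpce-0smsample', ServiceName: 'com.amazonaws.us-east-1.secretsmanager', VpcEndpointType: 'Interface' },
];
const SAMPLE_ROUTE_TABLES: RouteTable[] = [
  { RouteTableId: 'rtb-0main', Associations: [{ Main: true }],
    Routes: [{ DestinationCidrBlock: '10.0.0.0/16', GatewayId: 'local' }] },
  { RouteTableId: 'rtb-0priva', Associations: [{ SubnetId: 'subnet-0priva' }],
    Routes: [
      { DestinationCidrBlock: '10.0.0.0/16', GatewayId: 'local' },
      { DestinationCidrBlock: '0.0.0.0/0', NatGatewayId: 'nat-0sample-a' },
      { DestinationPrefixListId: 'pl-0s3sample', GatewayId: 'vpce-0s3sample' },
    ] },
  { RouteTableId: 'rtb-0privb', Associations: [{ SubnetId: 'subnet-0privb' }],
    Routes: [
      { DestinationCidrBlock: '10.0.0.0/16', GatewayId: 'local' },
      { DestinationCidrBlock: '0.0.0.0/0', NatGatewayId: 'nat-0sample-b' },
    ] },
];

for (const f of findNatLeaks(PRIVATE_SUBNETS, [S3, DYNAMODB], SAMPLE_ROUTE_TABLES, SAMPLE_ENDPOINTS)) {
  console.log(`${f.subnetId}: ${f.serviceName} still goes through NAT at $${NAT_DATA_PER_GB}/GB`);
}
console.log(`Interface endpoint in 2 AZs pays off above ~${interfaceEndpointBreakEvenGb(2).toFixed(0)} GB/month`);
```

Against the sample, subnet A leaks only DynamoDB (no DynamoDB endpoint exists), subnet B leaks both services, and subnet C reports `no-route` rather than a leak because an isolated subnet cannot reach either service at all, which is a different failure mode. The break-even comes out near 420 GB/month for a two-AZ Interface endpoint, so a service that moves a few gigabytes a month is cheaper left on NAT.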

Code Snippets

Adding VPC endpoints via CDK to reduce NAT Gateway data charges

// CDK: add free S3 and DynamoDB gateway endpoints
import * as ec2 from 'aws-cdk-lib/aws-ec2';

// `subnets` limits which route tables receive the prefix-list route; any private
// subnet left out here keeps sending S3 traffic through the NAT Gateway.
vpc.addGatewayEndpoint('S3GW', {
  service: ec2.GatewayVpcEndpointAwsService.S3,
  subnets: [{ subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS }],
});

// Interface endpoint for Secrets Manager (costs per AZ-hour but saves NAT charges).
// CDK defaults: one ENI per private subnet's AZ, private DNS enabled so the public
// hostname resolves to the endpoint, and a new security group that allows 443 from the VPC CIDR.
vpc.addInterfaceEndpoint('SecretsManagerEP', {
  service: ec2.InterfaceVpcEndpointAwsService.SECRETS_MANAGER,
});

Context

Optimizing AWS costs for workloads with high S3 or DynamoDB traffic from private subnets
