Save Money with AWS VPC Endpoints

Fernando Hönig
Published in nubego
Nov 17, 2016

Part of my job is to keep the AWS costs down as much as possible. I tend to review the use of our AWS resources on a daily basis and then do a comparison with previous months or weeks to identify a pattern or spike.

I noticed a big jump in the last month’s bill in our “Amazon Elastic Compute Cloud NatGateway” line. We were spending more than $5,700 as you can see in the screenshot below.

A NAT Gateway is an AWS-managed resource that lets instances sitting in a private subnet inside your VPC reach the Internet. As you see in the bill items above, the NatGateway has two lines: the second one is the NAT Gateway resource itself, which is billed 24/7, and the first one is how much outgoing traffic you push through that resource.

It seemed like a lot of traffic to me, so we identified using VPC Endpoints for our S3 calls as a potential solution.

What is a VPC Endpoint?

A VPC endpoint enables you to create a private connection between your VPC and another AWS service without requiring access over the Internet, through a NAT device, a VPN connection, or AWS Direct Connect. Endpoints are virtual devices.

They are horizontally scaled, redundant, and highly available VPC components that allow communication between instances in your VPC and AWS services without imposing availability risks or bandwidth constraints on your network traffic.

At the moment, AWS supports just S3.

There is no additional charge for using endpoints.

An endpoint enables instances in your VPC to use their private IP addresses to communicate with resources in other services. Your instances do not require public IP addresses, and you do not need an Internet gateway, a NAT device, or a virtual private gateway in your VPC. You can use endpoint policies to control access to resources in other services. Traffic between your VPC and the AWS service does not leave the Amazon network.

We added this small piece of code to our platform and VOILÀ!

Terraform:

resource "aws_vpc_endpoint" "private-s3" {
  vpc_id          = "${aws_vpc.main.id}"
  service_name    = "com.amazonaws.eu-west-1.s3"
  route_table_ids = [
    "${aws_route_table.private.0.id}",
    "${aws_route_table.private.1.id}",
    "${aws_route_table.private.2.id}"
  ]

  policy = <<POLICY
{
  "Statement": [
    {
      "Action": "*",
      "Effect": "Allow",
      "Resource": "*",
      "Principal": "*"
    }
  ]
}
POLICY
}

CloudFormation JSON:

"S3Endpoint" : {
  "Type" : "AWS::EC2::VPCEndpoint",
  "Properties" : {
    "PolicyDocument" : {
      "Version" : "2012-10-17",
      "Statement" : [{
        "Effect" : "Allow",
        "Principal" : "*",
        "Action" : ["s3:GetObject"],
        "Resource" : ["arn:aws:s3:::examplebucket/*"]
      }]
    },
    "RouteTableIds" : [ {"Ref" : "routetableA"}, {"Ref" : "routetableB"} ],
    "ServiceName" : { "Fn::Join" : [ "", [ "com.amazonaws.", { "Ref" : "AWS::Region" }, ".s3" ] ] },
    "VpcId" : {"Ref" : "VPCID"}
  }
}

CloudFormation YAML:

S3Endpoint:
  Type: "AWS::EC2::VPCEndpoint"
  Properties:
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal: "*"
          Action:
            - "s3:GetObject"
          Resource:
            - "arn:aws:s3:::examplebucket/*"
    RouteTableIds:
      - !Ref routetableA
      - !Ref routetableB
    # !Sub takes the template string directly; a "|" block literal followed by
    # a list item would have produced a literal "- ..." string as the service name.
    ServiceName: !Sub "com.amazonaws.${AWS::Region}.s3"
    VpcId: !Ref VPCID
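The endpoint policy is the one control that decides which S3 buckets and actions are reachable through the endpoint: the Terraform snippet above allows everything ("Action": "*", "Resource": "*"), while the two CloudFormation variants scope it to s3:GetObject on one bucket. The same kind of review applies to route-table coverage: any private route table that is not associated with the endpoint keeps sending S3 traffic through the NAT Gateway, so the bill does not drop as expected. The following script is an added example (not the author's code or any AWS tooling) that lints both points offline; the policies and route-table IDs in it are constructed sample data mirroring the Terraform and CloudFormation blocks.

```python
# Added example (not from the original post): lint an S3 gateway endpoint
# definition the way a reviewer of the Terraform/CloudFormation above would,
# flagging Allow statements that use wildcards and private route tables that
# the endpoint does not cover. All policies and route-table IDs below are
# constructed sample data.
import json

# Constructed: the wide-open policy attached in the Terraform snippet.
PERMISSIVE_POLICY = json.loads("""
{
  "Statement": [
    {"Action": "*", "Effect": "Allow", "Resource": "*", "Principal": "*"}
  ]
}
""")

# Constructed: a policy scoped the way the CloudFormation examples are,
# with s3:ListBucket on the bucket ARN added so listing the bucket also works.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::examplebucket",
                "arn:aws:s3:::examplebucket/*",
            ],
        }
    ],
}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard(value):
    """True for '*' and for S3 ARNs that match every bucket (arn:aws:s3:::*)."""
    return value == "*" or value.endswith(":::*")


def audit_endpoint_policy(policy):
    """Return human-readable findings for an endpoint policy document.

    Only Allow statements are examined: a Deny that uses '*' narrows access,
    it does not widen it.
    """
    findings = []
    if "Version" not in policy:
        findings.append('policy has no Version element; add "2012-10-17"')
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for field in ("Action", "Resource"):
            if any(_is_wildcard(v) for v in _as_list(stmt.get(field))):
                findings.append(f"statement {index}: Allow with {field} '*'")
    return findings


def missing_route_tables(endpoint_route_tables, private_route_tables):
    """Private route tables that have no route to the endpoint.

    Subnets behind these tables keep reaching S3 via the NAT Gateway, so their
    traffic is still billed as NAT data processing.
    """
    return sorted(set(private_route_tables) - set(endpoint_route_tables))


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_endpoint_policy(policy) or ["ok"])
    # Constructed IDs: the endpoint was attached to two of three private route tables.
    print("uncovered:", missing_route_tables(
        ["rtb-private-a", "rtb-private-b"],
        ["rtb-private-a", "rtb-private-b", "rtb-private-c"],
    ))
```

Run it against the policy documents extracted from your templates before applying them; the permissive Terraform policy produces three findings (no Version, wildcard Action, wildcard Resource) while the scoped policy produces none, and any route table reported as uncovered is one whose S3 traffic is still paying for the NAT Gateway.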

How much are we saving?

Cost when using vs when not using VPC Endpoints for S3.

10/2016: ~91,435.000 GB over 30 days = ~$4,300/mo = $52,800/yr
11/2016: ~30,312.000 GB over 30 days = ~$1,400/mo = $16,800/yr

Savings of ~$35,000/yr!

I definitely recommend keeping an eye on your AWS bills. You will find many ways of saving money and maybe even get a big slap on the back from your boss!

The A Cloud Guru course on AWS Cost Control from Paul Wakeford will give you a good guide on how to get your bill under control.

Check out the AWS courses from A Cloud Guru to level-up your cloud computing skills, or visit their community forums to connect with industry experts.

Feel free to add me on LinkedIn or follow me on Twitter.
