Save Money with AWS VPC Endpoints

Fernando Hönig
Nov 17, 2016 · 3 min read

Part of my job is to keep the AWS costs down as much as possible. I tend to review the use of our AWS resources on a daily basis and then do a comparison with previous months or weeks to identify a pattern or spike.

I noticed a big jump in the last month’s bill in our “Amazon Elastic Compute Cloud NatGateway” line. We were spending more than $5,700 as you can see in the screenshot below.

A NatGateway is an AWS managed instance that permits Internet traffic from instances sitting in a private subnet inside your VPC. As you see in the bill items above, the NatGateway has 2 lines, the second one is basically the NAT Gateway resource and that’s billed 24/7. The other item is how much you use in terms of outgoing traffic to that resource.

It seemed like a lot of traffic to me, so we identified using VPC Endpoints for our S3 calls as a potential solution.

What is a VPC Endpoint?

A VPC endpoint enables you to create a private connection between your VPC and another AWS service without requiring access over the Internet, through a NAT device, a VPN connection, or AWS Direct Connect.
Endpoints are virtual devices.

They are horizontally scaled, redundant, and highly available VPC components that allow communication between instances in your VPC and AWS services without imposing availability risks or bandwidth constraints on your network traffic.

At the moment, AWS Supports just S3.

There is no additional charge for using endpoints.

An endpoint enables instances in your VPC to use their private IP addresses to communicate with resources in other services. Your instances do not require public IP addresses, and you do not need an Internet gateway, a NAT device, or a virtual private gateway in your VPC. You can use endpoint policies to control access to resources in other services. Traffic between your VPC and the AWS service does not leave the Amazon network.

We add this small piece of code to our platform and VOILÀ!.


resource "aws_vpc_endpoint" "private-s3" {
vpc_id = "${}"
service_name = ""
route_table_ids = [ "${}" , "${}" , "${}" ]
policy = <<POLICY
"Statement": [
"Action": "*","Effect": "Allow","Resource": "*","Principal": "*"

CloudFormation JSON:

"S3Endpoint" : {
"Type" : "AWS::EC2::VPCEndpoint",
"Properties" : {
"PolicyDocument" : {
"Principal": "*",
"RouteTableIds" : [ {"Ref" : "routetableA"}, {"Ref" : "routetableB"} ],
"ServiceName" : { "Fn::Join": [ "", [ "com.amazonaws.", { "Ref": "AWS::Region" }, ".s3" ] ] },
"VpcId" : {"Ref" : "VPCID"}

CloudFormation YAML:

Type: "AWS::EC2::VPCEndpoint"
PolicyDocument: {
"Principal": "*",
- !Ref routetableA
- !Ref routetableB
!Sub |
- "com.amazonaws.${AWS::Region}.s3"
VpcId: !Ref VPCID

How much are we saving?

Cost when using vs when not using VPC Endpoints for S3.

10/2016: ~91,435,000 GB = 30 days = ~$4,300/mo = $52,800/yr
11/2016: ~30,312.000 GB = 30 days = ~$1,400/mo = $16,800/yr

Savings of ~$35,000/yr!

I definitely recommend keeping an eye on your AWS bills. You will find many ways of saving money and maybe even get a big slap on the back from your boss!

The A Cloud Guru course on AWS Cost Control from Paul Wakeford, will give you a good guide about how to get your bill under control.

Check out the AWS courses from A Cloud Guru to level-up your cloud computing skills, or visit their community forums to connect with industry experts.

Feel free to add me on Linked In or follow me on Twitter.

nubego Cloud Managed Services

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store