VPC Endpoints or NAT Gateway?

Luna Ricci

Last Update 2 years ago

AWS services like EC2, RDS, and ElastiCache come with an Elastic Network Interface (ENI), which makes them reachable from within your VPC. Many other AWS services, however, expose their REST API only through public endpoints on the Internet. A few examples: S3, DynamoDB, CloudWatch, SQS, and Kinesis.

There are three options to make these services reachable from private subnets. The prices below are the hourly list prices converted to a 720-hour month; they vary by region, so check the AWS price list for yours.

  • Gateway Endpoints are free of charge, but are only available for S3 and DynamoDB.
  • An Interface Endpoint costs $7.20 per month and AZ plus $0.01 per GB processed and is available for most AWS services.
  • A NAT Gateway can be used to reach AWS services as well as any other service with a public API. It costs $32.40 per month and AZ plus $0.045 per GB processed.

Keep the following rules of thumb in mind when designing your network architecture.

  • Adding Gateway Endpoints for S3 and DynamoDB should be the default.
  • If you need to reach non-AWS resources via the Internet, add a NAT Gateway. Then do the math on whether the traffic to AWS services justifies additional Interface Endpoints: an endpoint only pays for itself once the saving on data processing ($0.045 vs. $0.01 per GB) covers its monthly charge.
  • Are you only accessing AWS services from the private subnets, and no more than four different services? Use Interface Endpoints: four of them cost $28.80 per month and AZ, less than the $32.40 of a NAT Gateway, and they process data for less as well. Otherwise, do the math to compare the cost of Interface Endpoints with that of a NAT Gateway.

Always add VPC Endpoints for S3 and DynamoDB. But do the math when adding VPC Endpoints for other AWS services to your network: using a NAT Gateway might be cheaper. Cost is not the only factor, though. Traffic through a VPC Endpoint stays on the AWS network and can be restricted with an endpoint policy, whereas a NAT Gateway gives the private subnets a general path to the Internet.
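The cost comparison above, worked through as an added example (this is not StackZone's code or tooling). It assumes the prices quoted in this article, a 720-hour month, and a constructed per-service traffic estimate; the `recommend` function applies the three rules of thumb, and the break-even figures (four services, about 206 GB per AZ and month) are derived from the same prices rather than hard-coded:

```python
"""Monthly cost model for reaching AWS service APIs from private subnets.

Added example, not StackZone's code. Prices are the list prices quoted in
the article, with hourly charges converted to a 720-hour month; they are an
assumption, so check the current AWS price list for your region.
"""
from dataclasses import dataclass, field

HOURS_PER_MONTH = 720
INTERFACE_ENDPOINT_HOURLY = 0.01   # per endpoint per AZ -> $7.20 / month
INTERFACE_ENDPOINT_PER_GB = 0.01
NAT_GATEWAY_HOURLY = 0.045         # per gateway, one per AZ -> $32.40 / month
NAT_GATEWAY_PER_GB = 0.045
GATEWAY_ENDPOINT_SERVICES = {"s3", "dynamodb"}  # free Gateway Endpoints


def interface_endpoint_fixed(azs: int) -> float:
    """Monthly hourly charge of one Interface Endpoint deployed in every AZ."""
    return azs * INTERFACE_ENDPOINT_HOURLY * HOURS_PER_MONTH


def interface_endpoint_cost(services: int, azs: int, gb: float) -> float:
    """One Interface Endpoint per service in every AZ, plus data processing."""
    return services * interface_endpoint_fixed(azs) + gb * INTERFACE_ENDPOINT_PER_GB


def nat_gateway_cost(azs: int, gb: float) -> float:
    """One NAT Gateway per AZ plus data processing for everything routed through it."""
    return azs * NAT_GATEWAY_HOURLY * HOURS_PER_MONTH + gb * NAT_GATEWAY_PER_GB


def max_services_cheaper_than_nat() -> int:
    """Largest number of Interface Endpoints (one per service) whose fixed cost
    stays below a NAT Gateway's. Per-GB pricing is lower for endpoints, so the
    fixed cost alone decides: 7.20 * n < 32.40 gives n = 4, the article's
    'no more than four services' rule."""
    n = 0
    while (n + 1) * INTERFACE_ENDPOINT_HOURLY < NAT_GATEWAY_HOURLY:
        n += 1
    return n


def break_even_gb(azs: int) -> float:
    """If a NAT Gateway exists anyway, an extra Interface Endpoint for one
    service pays for itself once the per-GB saving (0.045 - 0.01) covers its
    fixed charge: 7.20 * azs / 0.035 GB per month (about 206 GB for one AZ)."""
    return interface_endpoint_fixed(azs) / (NAT_GATEWAY_PER_GB - INTERFACE_ENDPOINT_PER_GB)


@dataclass
class Plan:
    gateway_endpoints: list = field(default_factory=list)
    interface_endpoints: list = field(default_factory=list)
    nat_gateway: bool = False
    monthly_cost: float = 0.0


def recommend(traffic_gb: dict, azs: int, internet_gb: float = 0.0) -> Plan:
    """Apply the article's rules of thumb to a per-service traffic estimate.

    traffic_gb maps an AWS service name to its monthly traffic from the private
    subnets; internet_gb is traffic to non-AWS destinations, which forces a NAT
    Gateway. S3 and DynamoDB always get the free Gateway Endpoint."""
    plan = Plan(gateway_endpoints=sorted(s for s in traffic_gb if s in GATEWAY_ENDPOINT_SERVICES))
    rest = {s: gb for s, gb in traffic_gb.items() if s not in GATEWAY_ENDPOINT_SERVICES}

    # Option A: Interface Endpoints only (possible only without Internet traffic).
    all_endpoints = interface_endpoint_cost(len(rest), azs, sum(rest.values()))

    # Option B: NAT Gateway, plus an Interface Endpoint for each service whose
    # own traffic exceeds the break-even volume; the rest rides the NAT Gateway.
    via_endpoint = sorted(s for s, gb in rest.items() if gb > break_even_gb(azs))
    via_nat = internet_gb + sum(gb for s, gb in rest.items() if s not in via_endpoint)
    with_nat = nat_gateway_cost(azs, via_nat) + interface_endpoint_cost(
        len(via_endpoint), azs, sum(rest[s] for s in via_endpoint))

    if internet_gb > 0 or with_nat < all_endpoints:
        plan.nat_gateway = True
        plan.interface_endpoints = via_endpoint
        plan.monthly_cost = with_nat
    else:
        plan.interface_endpoints = sorted(rest)
        plan.monthly_cost = all_endpoints
    return plan


if __name__ == "__main__":
    # Constructed traffic estimate for two AZs: S3 and DynamoDB ride the free
    # Gateway Endpoints; the three remaining services are cheaper on Interface
    # Endpoints ($44.20) than on a NAT Gateway ($69.30).
    estimate = {"s3": 500, "dynamodb": 100, "sqs": 50, "cloudwatch": 20, "kinesis": 30}
    print(recommend(estimate, azs=2))
    # Adding 200 GB of non-AWS traffic forces the NAT Gateway instead.
    print(recommend(estimate, azs=2, internet_gb=200))
```

Run it with different volumes to see the decision flip: with a NAT Gateway already in place, a single service only earns its own Interface Endpoint above roughly 206 GB per AZ and month, which is the number the "do the math" advice boils down to.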

