VPC NAT Gateway vs VPC Endpoint pricing

0

I have a question about switching from a NAT Gateway to a VPC Endpoints.

My application runs using ECS Fargate, in a VPC with 2 subnets which are in two different zones. Currently I use the NAT Gateway to allow my application to access services like CloudWatch, ECR and S3.

I understand that switching from NAT Gateway to VPC endpoint is cheaper and more secure. However, I'm confused about the endpoint pricing.

My application requires the following endpoints:

  • S3 Gateway Endpoint
  • SSM Interface Endpoint
  • ECR Interface Endpoint
  • DKR Interface Endpoint
  • CloudWatch Interface Endpoint

This is 5 endpoints that need to run in 2 AZ's each, which the AWS cost calculator says will be $85 per month compared to 2 NAT gateways which would be roughly $65 a month.

Are some of the endpoints listed above free when using internally with AWS services (e.g. I saw somewhere that S3 Gateway Endpoint has no cost)? I'm a bit confused as to how these services are cheaper than NAT Gateways. Especially when it requires 3 endpoints just for pulling from ECR (ECR, DKR and S3).

Any insight would be appreciated.

profile picture
Mark
질문됨 10달 전9191회 조회
1개 답변
1
수락된 답변

Hello.

There are two types of VPC endpoints: gateway type and interface type.
Among them, gateway-type S3 VPC endpoints can be used for free.
https://aws.amazon.com/vpc/pricing/?nc1=h_ls

Note: To avoid the NAT Gateway Data Processing charge in this example, you could set up a gateway Type VPC endpoint and route the traffic to/from S3 through the VPC endpoint instead of going through the NAT Gateway. There are no data processing or hourly charges for using Gateway Type VPC endpoints. For details on how to use VPC endpoints, please visit VPC Endpoints Documentation.

As you know, pulling images from ECR requires two interface-type VPC endpoints and one gateway-type VPC endpoint.
Therefore, the charges that need to be calculated are for two interface-type VPC endpoints.
https://docs.aws.amazon.com/AmazonECR/latest/userguide/vpc-endpoints.html

If you simply estimate the price of a VPC endpoint for just the ECR part, it will be cheaper than NAT Gateway.
However, if other VPC endpoints are included, this will exceed this, so NAT Gateway will be cheaper.
Additionally, if you want to sacrifice availability and focus only on cost, you can configure the VPC endpoint to be hosted in only one AZ.
However, in that case, you will not be able to access ECR in the event of an AZ failure, so there is a high possibility that the service will stop.
Also, in environments where ECS pulls a large number of container images, I think communication costs will be lower with VPC endpoints.
a

profile picture
전문가
답변함 10달 전
profile picture
전문가
검토됨 10달 전
  • Thank you. This makes sense. I think in my case because I'm also using SSM and log to CloudWatch, I require the CloudWatch interface and the SSM interface, which pushes it closer to the NAT gateway. However, it's still about $5 cheaper, so I'm one more interface away from going back to NAT gateway 😅.

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인