VPC NAT Gateway vs VPC Endpoint pricing

0

I have a question about switching from a NAT Gateway to VPC Endpoints.

My application runs using ECS Fargate, in a VPC with 2 subnets which are in two different zones. Currently I use the NAT Gateway to allow my application to access services like CloudWatch, ECR and S3.

I understand that switching from NAT Gateway to VPC endpoint is cheaper and more secure. However, I'm confused about the endpoint pricing.

My application requires the following endpoints:

  • S3 Gateway Endpoint
  • SSM Interface Endpoint
  • ECR Interface Endpoint
  • DKR Interface Endpoint
  • CloudWatch Interface Endpoint

This is 5 endpoints that need to run in 2 AZs each, which the AWS cost calculator says will be $85 per month compared to 2 NAT gateways which would be roughly $65 a month.

Are some of the endpoints listed above free when using internally with AWS services (e.g. I saw somewhere that S3 Gateway Endpoint has no cost)? I'm a bit confused as to how these services are cheaper than NAT Gateways. Especially when it requires 3 endpoints just for pulling from ECR (ECR, DKR and S3).

Any insight would be appreciated.

Mark
Asked 5 months ago, 1901 views
1 answer
1
Accepted answer

Hello.

There are two types of VPC endpoints: gateway type and interface type.
Among them, gateway-type S3 VPC endpoints can be used for free.
https://aws.amazon.com/vpc/pricing/?nc1=h_ls

Note: To avoid the NAT Gateway Data Processing charge in this example, you could set up a gateway Type VPC endpoint and route the traffic to/from S3 through the VPC endpoint instead of going through the NAT Gateway. There are no data processing or hourly charges for using Gateway Type VPC endpoints. For details on how to use VPC endpoints, please visit VPC Endpoints Documentation.

As you know, pulling images from ECR requires two interface-type VPC endpoints and one gateway-type VPC endpoint.
Therefore, the charges that need to be calculated are for two interface-type VPC endpoints.
https://docs.aws.amazon.com/AmazonECR/latest/userguide/vpc-endpoints.html

If you simply estimate the price of a VPC endpoint for just the ECR part, it will be cheaper than NAT Gateway.
However, if other VPC endpoints are included, the cost will exceed that, so the NAT Gateway will be cheaper.
Additionally, if you want to sacrifice availability and focus only on cost, you can configure the VPC endpoint to be hosted in only one AZ.
However, in that case, you will not be able to access ECR in the event of an AZ failure, so there is a high possibility that the service will stop.
Also, in environments where ECS pulls a large number of container images, I think communication costs will be lower with VPC endpoints.

Expert
Answered 5 months ago
Expert
Reviewed 5 months ago
  • Thank you. This makes sense. I think in my case because I'm also using SSM and log to CloudWatch, I require the CloudWatch interface and the SSM interface, which pushes it closer to the NAT gateway. However, it's still about $5 cheaper, so I'm one more interface away from going back to NAT gateway 😅.
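The endpoint set discussed above (the two ECR interface endpoints plus the S3 gateway endpoint, together with the CloudWatch Logs and SSM interface endpoints from the question), written out as an added Terraform example; this is not code from the original post or from AWS. It assumes the var.* inputs named in the first comment and uses the ECR layer-bucket name given in the linked ECR VPC endpoint documentation.

```hcl
# Assumed to be declared elsewhere (not from the original post): var.region,
# var.vpc_id, var.vpc_cidr, var.private_subnet_ids (one per AZ),
# var.private_route_table_ids and var.app_bucket (the app's own S3 bucket).
# Endpoint ENIs accept HTTPS only, and only from inside the VPC.
resource "aws_security_group" "endpoints" {
  name   = "vpc-endpoints"
  vpc_id = var.vpc_id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.vpc_cidr]
  }
}
# Interface endpoints are billed per hour per AZ: every subnet listed here
# adds one hourly charge per service. Listing one subnet is the single-AZ
# trade-off from the answer; image pulls then fail if that AZ is down.
resource "aws_vpc_endpoint" "interface" {
  for_each            = toset(["ecr.api", "ecr.dkr", "logs", "ssm"])
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.region}.${each.key}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [aws_security_group.endpoints.id]
  private_dns_enabled = true # tasks resolve the normal service hostnames to the endpoint
}
# The S3 gateway endpoint has no hourly or data-processing charge. Its policy
# replaces the default allow-all with the ECR layer bucket (name from the ECR
# VPC endpoint docs) plus the application's own bucket.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = var.private_route_table_ids
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = "*"
      Action    = ["s3:GetObject"]
      Resource  = ["arn:aws:s3:::prod-${var.region}-starport-layer-bucket/*"]
    }, {
      Effect    = "Allow"
      Principal = "*"
      Action    = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
      Resource  = ["arn:aws:s3:::${var.app_bucket}", "arn:aws:s3:::${var.app_bucket}/*"]
    }]
  })
}
```

With the S3 policy restricted this way, any other bucket the tasks need must be added to the second statement, or those requests fail once the NAT Gateway route is removed.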
