Walid BATTOU for AWS Community Builders

AWS VPC Endpoint is JUST a FinOps topic!?

This article follows up on the previous one, where we attempted to address the following question:
AWS VPC Endpoint is NOT a security topic!?

Clarification about my last article

Even if we demonstrated that the VPC endpoint is not about security or performance, since the traffic stays on the AWS backbone either way, real-world use cases can still come with compliance requirements.
If you are subject to a compliance framework such as HIPAA (health) or PCI DSS (banking), it is not feasible to tell the auditor: "Hey, don't check the AWS documentation, the VPC endpoint is not about security, I checked it myself."

However, if you have no such compliance requirements, be frugal! The options described below are available to you.

Why is it a topic related to cost?

How are VPC endpoints billed?
They are billed per hour for each elastic network interface (ENI) behind the endpoint, one per availability zone, plus a per-GB charge on the data processed. You can deploy an endpoint across 1 to 3 availability zones depending on your infrastructure requirements; at least two are recommended for high availability.

Split VPC endpoints into two categories!

The AWS documentation lists the services that support VPC endpoints.

I split this list into two categories:

  • Endpoints related to an application (eg. API gateway, Athena).
  • Endpoints related to the infrastructure (eg. CloudWatch, SSM).

Based on that, we can start by looking at the costs incurred when using, or not using, an "infrastructure" VPC endpoint, taking CloudWatch Logs as the example (prices for eu-west-1).

Let's focus on the CloudWatch Logs VPC Endpoint

Consider a scenario where we have 10 VPCs, each hosting multiple workloads that use CloudWatch Logs for application logging. On average, the monthly log volume is 1TB in total across all of them.

We have 3 options:

  • Without VPC endpoint (with NAT Gateway).
  • With VPC Endpoint (one per VPC).
  • With Centralized VPC Endpoint.

Cost without VPC Endpoint (with NAT Gateway)

What we pay in this case:

  • NAT Gateway data processing: 1TB (1000GB) per month × $0.048/GB = $48/month
  • Total: $48/month

Cost with VPC Endpoint (one per VPC)

What we pay in this case:

  • VPC endpoint hours for 3 AZs, per VPC:
    • $0.011/hour × 730 hours (one month) × 3 AZs ≈ $24/month
  • VPC endpoint data processed:
    • $0.01/GB × 1000GB = $10/month
  • Total for 10 VPCs: (24 × 10) + 10 = $250/month

Cost with Centralized Endpoint

On AWS, we usually have multiple accounts and VPCs. The general practice is to have a network account with a transit gateway in it, and to place the shared endpoints there. For more information, please refer to the AWS documentation.

What we pay in this case:

  • VPC endpoint hours for 3 AZs (a single endpoint):
    • $0.011/hour × 730 hours (one month) × 3 AZs ≈ $24/month
  • VPC endpoint data processed:
    • $0.01/GB × 1000GB = $10/month
  • Transit Gateway data processed:
    • $0.02/GB × 1000GB = $20/month
  • Total: $54/month

With 1TB of monthly data transfer across 10 VPCs, the cheapest scenario is to skip the VPC endpoint and keep using the NAT Gateway.

The decision to utilize a VPC endpoint or not varies based on individual use cases. It's essential to evaluate the specific requirements and factors involved.

Make your own calculations!

When is keeping a NAT Gateway more cost-effective!?

When does it become more economical to use the centralized solution?

Based on the previous calculation, the following table shows that above approximately 1.3TB of monthly data transfer, the centralized endpoint is more cost-effective. Below this amount, you can continue using the NAT Gateway.
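To make the three-option comparison above and this break-even point reproducible, here is the article's cost model written out in Python. This is an added example, not code from the original article or from AWS. It reuses the article's eu-west-1 unit prices ($0.048/GB NAT Gateway data processing, $0.011 per endpoint AZ-hour, $0.01/GB endpoint data processing, $0.02/GB Transit Gateway data processing) and keeps the article's simplifications (730 hours per month, 1TB counted as 1000GB, NAT Gateway hourly and Transit Gateway attachment charges not counted), but it solves for the break-even volume in general rather than for the single 1TB case. All function, class and parameter names are my own.

```python
"""Monthly cost model for the three ways of reaching CloudWatch Logs discussed
in the article: NAT Gateway, one interface endpoint per VPC, or one
centralized endpoint in a network account reached through a Transit Gateway.

Added example, not the article's or AWS's code. Prices are the eu-west-1
figures quoted in the article; NAT Gateway hourly charges and Transit Gateway
attachment charges are left out, as the article leaves them out.
"""
from dataclasses import dataclass

HOURS_PER_MONTH = 730  # the article's approximation of one month


@dataclass(frozen=True)
class Prices:
    """Unit prices (USD) as used in the article. Hypothetical field names."""
    nat_data_per_gb: float = 0.048        # NAT Gateway data processing
    endpoint_per_az_hour: float = 0.011   # interface endpoint, per ENI (AZ) per hour
    endpoint_data_per_gb: float = 0.01    # interface endpoint data processing
    tgw_data_per_gb: float = 0.02         # Transit Gateway data processing


def nat_gateway_cost(data_gb, prices=Prices()):
    """Option 1: every VPC reaches CloudWatch Logs through its NAT Gateway."""
    return data_gb * prices.nat_data_per_gb


def per_vpc_endpoint_cost(data_gb, vpc_count, az_count=3, prices=Prices()):
    """Option 2: one endpoint in each VPC, each spanning az_count AZs.
    The hourly charge scales with the number of VPCs; the data charge does not."""
    hourly = prices.endpoint_per_az_hour * HOURS_PER_MONTH * az_count * vpc_count
    return hourly + data_gb * prices.endpoint_data_per_gb


def centralized_endpoint_cost(data_gb, az_count=3, prices=Prices()):
    """Option 3: a single endpoint in the network account; every GB is
    processed once by the endpoint and once by the Transit Gateway."""
    hourly = prices.endpoint_per_az_hour * HOURS_PER_MONTH * az_count
    return hourly + data_gb * (prices.endpoint_data_per_gb + prices.tgw_data_per_gb)


def break_even_gb(az_count=3, prices=Prices()):
    """Monthly volume (GB) above which the centralized endpoint is cheaper
    than the NAT Gateway. Solves
        nat_data * X = endpoint_hourly + (endpoint_data + tgw_data) * X
    for X. Returns None when the centralized option never pays off."""
    fixed = prices.endpoint_per_az_hour * HOURS_PER_MONTH * az_count
    saving_per_gb = prices.nat_data_per_gb - (prices.endpoint_data_per_gb + prices.tgw_data_per_gb)
    if saving_per_gb <= 0:
        return None
    return fixed / saving_per_gb


def cheapest_option(data_gb, vpc_count, az_count=3, prices=Prices()):
    """Return (name of cheapest option, dict of all three monthly costs)."""
    costs = {
        "nat_gateway": nat_gateway_cost(data_gb, prices),
        "per_vpc_endpoint": per_vpc_endpoint_cost(data_gb, vpc_count, az_count, prices),
        "centralized_endpoint": centralized_endpoint_cost(data_gb, az_count, prices),
    }
    return min(costs, key=costs.get), costs


if __name__ == "__main__":
    # Constructed sample volumes around the article's 1TB scenario, 10 VPCs.
    for gb in (500, 1000, 1333, 2000, 5000):
        name, costs = cheapest_option(gb, vpc_count=10)
        detail = ", ".join(f"{k}=${v:,.2f}" for k, v in costs.items())
        print(f"{gb:>5} GB/month: {detail} -> {name}")
    print(f"break-even NAT Gateway vs centralized endpoint: {break_even_gb():.0f} GB/month")
```

Running the script reproduces the article's figures for the 1TB case ($48, about $250 and about $54) and puts the NAT-versus-centralized break-even at roughly 1338GB per month, which is the "approximately 1.3TB" above. Changing `Prices` to another region's rates, or `az_count` to 2, moves that threshold, which is the point of making your own calculations.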


In the next article, we will see how to deploy a centralized VPC Endpoint in an air-gapped environment on AWS.