Is your NAT gateway processing cost too high? Are you looking for ways to adhere to Amazon’s leadership principle of frugality? Want to learn a trick that will impress your manager and save your organization money? Are you a big fan of 1Strategy? If you answered yes to any of these questions, this blog post is for you!
If you’re using Amazon Web Services (AWS) at any scale, chances are you have an Amazon Virtual Private Cloud (VPC) in place to organize compute resources and to safeguard and isolate their networking. A VPC is an isolated virtual network with customizable features for security, performance, and monitoring.
While there is no cost for the creation and use of the VPC itself, costs are incurred by the resources within the VPC and data transfer out of the VPC. Internet gateway, VPN, Private Link, and Transit gateway are some related resources which configure access between external sources and your VPC. An Internet gateway (IGW) is a common configuration for setting up ingress and egress to the public internet. Outbound traffic to the internet will always generate data transfer charges as it goes through the gateway, while inbound traffic is free. AWS-managed VPNs and AWS Direct Connect are both secure solutions for reaching on-premises resources without exposing traffic to the internet. AWS Transit gateway connects Amazon VPCs, AWS Accounts, and on-premises networks to a single gateway. Traffic originating from the AWS network destined for another AWS service will always stay on the AWS global backbone network and is automatically encrypted. Data transfer within the same AWS account and same AWS region is usually free.
It is common for all these routing solutions to also use a Network Address Translation gateway (NAT gateway) for—you guessed it—Network Address Translation. NAT gateways are priced with two separate charges, per hour as well as per GB of traffic processed. In the AWS us-east-1 region, these costs are both $0.045. If a NAT gateway were to run for 30 days and process 1TB of data, the hourly charge would be $32.40 and the processing charge would be $46.08, together a total of $78.48 for the NAT gateway’s monthly bill. If that 1TB of processed data is destined for a supported AWS service, we can bypass the NAT gateway processing cost entirely by provisioning a VPC Endpoint. This reduces the amount of traffic processed by the NAT Gateway.
VPC Endpoints are powered by AWS Private Link and enable private connections between a VPC and supported AWS services. Traffic between your VPC and AWS services does not leave the Amazon network, and therefore will not require a public IP, NAT gateway, IGW, or any network connection other than the endpoint. There are three types of VPC endpoints: gateway, gateway load balancer, and interface.
A gateway load balancer endpoint intercepts and routes traffic to a configured gateway load balancer. Gateway endpoints are currently available for Amazon S3 and Amazon DynamoDB, and they are available at no additional cost. Gateway endpoints can only be used by the resources within the VPC. An interface endpoint uses an elastic network interface provisioned in a subnet in your VPC to serve as the entry point for traffic destined to a supported AWS service, and can be used by resources within the VPC as well as from external networks. At the time of writing there are 128 AWS services available to create an interface endpoint for in us-east-1 including SageMaker, Athena, CodeBuild, CodeDeploy, CloudWatch, Lambda, Redshift, Simple Notification Service (SNS), and many more. Interface endpoint pricing is $0.01 per hour and $0.01 per GB processed. With these lower hourly and processing price rates, it’s apparent that endpoints can generate significant cost savings at scale. Consider three scenarios processing 50TB of data in 500 hours with varying destinations:
Remember that gateway endpoints are available only for S3 and DynamoDB at this time, but the savings in the interface endpoint column may apply to one of 125+ AWS services, and still reduce costs by 77%. Below is a sample architecture using Elastic Container Service (ECS) cluster in a VPC with a NAT gateway vs an Interface Endpoint to connect to Elastic Container Registry (ECR):
Suppose the engineering team running this ECS cluster noticed that tasks were failing repeatedly, causing the tasks to continuously pull down ECR images. Through the course of several weeks, the ECR cluster kept pulling down images, routing that traffic through the NAT gateway. The engineers found that 77TB of NAT gateway bandwidth had been used, which cost $3,562.02. Had they provisioned an Interface Endpoint for ECR, this traffic could have skipped the NAT gateway, which is 4.5x more expensive. The cost for using the Interface Endpoint instead would be $794.08, which is more than 77% less expensive. It’s a painless architectural change with the potential for big savings:
What are you waiting for? Those 77% savings are waiting for you on the other side of provisioning an Interface Endpoint! If you or your organization need help configuring VPC Endpoints, cutting costs on AWS, or with any other AWS services, our AWS experts at 1Strategy would be delighted to assist you. Just reach out to us at info@1Strategy.com.