VPC Endpoints: When to Pay for Them and When to Use NAT
Cloud Security
VPC endpoints reduce data exfiltration risk and bypass NAT egress charges, but interface endpoints have a meaningful hourly cost. The economics flip at different traffic levels per service.
By Arjun Raghavan, Security & Systems Lead, BIPI · February 10, 2024 · 7 min read
VPC endpoints sit at the intersection of three concerns: data exfiltration risk, NAT gateway cost, and operational complexity. They are not free, and adding all of them by default doubles the network bill on small estates. The right answer depends on traffic volume, service criticality, and threat model.
Gateway endpoints are free, use them
S3 and DynamoDB have gateway endpoints. They cost nothing. They add a route-table entry that sends traffic for the service's public prefixes to the endpoint instead of to the internet or through NAT. There is no downside to enabling them in every VPC that uses S3 or DynamoDB, which in practice is nearly every VPC; the one limit to know is that a gateway endpoint only serves traffic originating inside its own VPC, not traffic arriving over peering, Transit Gateway or a VPN. The fact that we still see new VPCs without S3 gateway endpoints in 2024 is bizarre.
Gateway endpoints attach to route tables, not subnets. The endpoint policy can restrict which S3 buckets are reachable through it (e.g., only buckets owned by your own AWS account, via the aws:ResourceAccount condition key). That stops a compromised workload from exfiltrating data to an attacker-controlled bucket, and it holds regardless of whose credentials the workload is using, because the policy is evaluated on the traffic through the endpoint rather than on the caller.
Interface endpoints cost money
Interface endpoints (PrivateLink) cost roughly $7.20 per endpoint per AZ per month in ap-south-1, plus $0.01 per GB processed. A VPC with three AZs and ten interface endpoints costs about $216 per month before data charges. That adds up.
The economics:
- NAT gateway costs $0.045/hour per AZ plus $0.045 per GB processed in ap-south-1.
- An interface endpoint costs its hourly fee per AZ (about $7.20 per month) plus $0.01 per GB processed.
- For a NAT gateway you are running anyway, its hourly fee is sunk, so the comparison is the endpoint's $7.20 fixed cost against the $0.035 per GB it saves ($0.045 less $0.01): $7.20 / $0.035 is about 206 GB, so break-even is around 200 GB/month per service per AZ.
Below break-even, NAT is cheaper. Above it, the endpoint pays for itself, and if the endpoints let you drop the NAT gateway altogether, its hourly fee joins the savings and break-even drops further. For services that move a lot of data (S3 is already covered by the gateway endpoint; ECR for container images, CloudWatch Logs, SSM for Session Manager traffic), interface endpoints almost always win on both cost and security.
Which interface endpoints actually matter
Our default set for production VPCs:
- com.amazonaws.<region>.ecr.api and ecr.dkr (required for pulling images without internet; image layers are served from S3, so the S3 gateway endpoint is a prerequisite).
- com.amazonaws.<region>.ssm, ssmmessages, and ec2messages (required for Session Manager without internet).
- com.amazonaws.<region>.logs (CloudWatch Logs, high traffic).
- com.amazonaws.<region>.secretsmanager (low traffic but security-sensitive).
- com.amazonaws.<region>.kms (low traffic but security-sensitive).
For VPCs that run KMS-heavy workloads (envelope encryption, signing operations), the KMS endpoint is essential. The API calls are TLS-encrypted either way, so the point is not confidentiality on the wire; it is that KMS calls never depend on the NAT path and that the endpoint policy can pin down who may call KMS through it.
Endpoint policies are underrated
Most interface endpoints, and both gateway endpoints, accept an endpoint policy that restricts which principals, actions and resources can be used through them. The policy grants nothing on its own; it only narrows what IAM and resource policies already allow. Most teams leave the default full-access policy in place. That is a missed opportunity.
An S3 gateway endpoint policy that only allows buckets owned by your own AWS Organization, using the aws:ResourceOrgID condition key on the resource, prevents data exfiltration to attacker-owned buckets (aws:PrincipalOrgID is the other half: it limits who may use the endpoint, not which buckets they can reach). Session Manager writes session logs to S3 from the instance's SSM Agent, so the bucket allowlist that protects those logs belongs on the S3 endpoint policy; the SSM endpoint policy itself should at least be scoped to your Organization's principals so that credentials from outside it cannot be used through your endpoint. These are short JSON documents with high leverage.
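The two policies described above, as an added example written for this article rather than code from BIPI. The default allow-all document is shown beside an S3 gateway endpoint policy keyed on aws:ResourceOrgID and an interface endpoint policy keyed on aws:PrincipalOrgID; the Organization ID and region are placeholders. Because ECR stores image layers in an AWS-owned bucket, the S3 policy also allows reads from that bucket, otherwise pulls through the ECR endpoints break once the policy is attached. The evaluate() function is a deliberately small model of IAM's evaluation order for these operators only, so the policies can be reasoned about offline; it is not a substitute for the IAM policy simulator.

```python
"""Endpoint policies: the default allow-all beside scoped-down versions.

Added example for this article, not BIPI's code. ORG_ID and REGION are
placeholders. evaluate() models IAM's evaluation order (explicit Deny wins,
otherwise some Allow must match, otherwise implicit deny) for the operators
these policies use, and nothing more.
"""
import fnmatch
import json

ORG_ID = "o-exampleorg1"        # placeholder Organization ID
REGION = "ap-south-1"

# What an endpoint gets if you attach no policy at all.
DEFAULT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": "*", "Resource": "*"}],
}


def s3_gateway_endpoint_policy(org_id: str, region: str) -> dict:
    """Only buckets owned by our Organization are reachable through the
    endpoint, checked with aws:ResourceOrgID on the bucket owner. The one
    exception is ECR's layer bucket, which AWS owns: without it, image pulls
    via the ECR interface endpoints fail once this policy is attached."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "OnlyOurOrgsBuckets",
                "Effect": "Allow", "Principal": "*",
                "Action": "s3:*", "Resource": "*",
                "Condition": {"StringEquals": {"aws:ResourceOrgID": org_id}},
            },
            {
                "Sid": "EcrLayerBucket",
                "Effect": "Allow", "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::prod-{region}-starport-layer-bucket/*",
            },
        ],
    }


def interface_endpoint_policy(org_id: str, actions: list) -> dict:
    """For an interface endpoint such as secretsmanager or kms: only
    principals from our Organization, only the listed actions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "OnlyOurOrgsPrincipals",
            "Effect": "Allow", "Principal": "*",
            "Action": actions, "Resource": "*",
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}},
        }],
    }


def _matches(pattern, value: str) -> bool:
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition: dict, ctx: dict) -> bool:
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            wanted = wanted if isinstance(wanted, list) else [wanted]
            present = ctx.get(key)          # None when the request lacks the key
            if operator == "StringEquals" and present not in wanted:
                return False
            if operator == "StringNotEquals" and present in wanted:
                return False
    return True


def evaluate(policy: dict, action: str, resource: str, ctx: dict) -> bool:
    """ctx carries the request's condition keys, e.g. aws:ResourceOrgID for
    the bucket owner's Organization (absent for buckets outside any org)."""
    allowed = False
    for st in policy["Statement"]:
        if not (_matches(st["Action"], action) and _matches(st["Resource"], resource)):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    print(json.dumps(s3_gateway_endpoint_policy(ORG_ID, REGION), indent=2))
```

Note that a bucket owned by an account that belongs to no Organization simply has no aws:ResourceOrgID value, so the StringEquals condition fails and the request is denied, which is the behaviour you want for an attacker's throwaway account.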
Centralized endpoints with Transit Gateway
Organizations with many VPCs end up paying for the same interface endpoints many times over. The fix is centralized endpoints: deploy the interface endpoints in a shared services VPC, route the other VPCs to it via Transit Gateway, and make the spokes resolve the service names to the shared endpoints' private addresses. That means disabling private DNS on the shared endpoints and either creating private hosted zones for the service names (one per service, with a wildcard zone for ECR's per-account registry names) that alias to the endpoints and are associated with every spoke VPC, or forwarding those names with Route 53 Resolver rules to an inbound resolver endpoint in the shared VPC. The endpoints' security groups must also allow port 443 from the spoke CIDRs. Gateway endpoints cannot be shared this way, so S3 and DynamoDB gateway endpoints still go into every VPC. It is finicky but worth it past 5-10 VPCs.
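The check a spoke VPC needs after the hosted zones are associated is whether each service name now resolves to an address inside the shared services VPC; if it still resolves to a public AWS address, traffic silently leaves via NAT (or fails in a VPC without one) and the centralized endpoint you are paying for is bypassed. The following is an added example for this article, not BIPI's tooling: it lists the private DNS names the interface endpoints in the default set above take over, resolves them, and classifies each answer against the shared VPC's CIDRs. The region, account ID and CIDR are placeholders, and the resolver is injectable so the logic can be exercised without network access.

```python
"""From a spoke VPC, confirm AWS service names resolve to the shared
services VPC's endpoint ENIs rather than to public AWS addresses.

Added example for this article, not BIPI's code. Run it on an instance in a
spoke after the private hosted zones (or Resolver rules) are in place. The
region, account ID and CIDR used in __main__ are placeholders.
"""
import ipaddress
import socket


def service_hostnames(region: str, account_id: str) -> dict:
    """Private DNS names that centralized interface endpoints must answer for.
    ecr.dkr is a wildcard zone (*.dkr.ecr.<region>.amazonaws.com); we probe
    one account's registry name to exercise it."""
    return {
        "ecr.api":        f"api.ecr.{region}.amazonaws.com",
        "ecr.dkr":        f"{account_id}.dkr.ecr.{region}.amazonaws.com",
        "ssm":            f"ssm.{region}.amazonaws.com",
        "ssmmessages":    f"ssmmessages.{region}.amazonaws.com",
        "ec2messages":    f"ec2messages.{region}.amazonaws.com",
        "logs":           f"logs.{region}.amazonaws.com",
        "secretsmanager": f"secretsmanager.{region}.amazonaws.com",
        "kms":            f"kms.{region}.amazonaws.com",
    }


def resolve_a(hostname: str) -> list:
    """Real resolver: every IPv4 answer for the name, via the VPC resolver."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(hostname, 443, socket.AF_INET)})


def audit_private_resolution(hostnames: dict, endpoint_cidrs: list, resolver=resolve_a) -> dict:
    """Verdict per service: 'private' when every answer lies inside the
    shared-VPC CIDRs, 'public' when any answer falls outside them (that
    traffic goes via NAT, or fails without one), 'unresolved' otherwise."""
    nets = [ipaddress.ip_network(c) for c in endpoint_cidrs]
    verdicts = {}
    for service, host in hostnames.items():
        try:
            addrs = resolver(host)
        except OSError:                       # socket.gaierror is an OSError
            verdicts[service] = "unresolved"
            continue
        if not addrs:
            verdicts[service] = "unresolved"
        elif all(any(ipaddress.ip_address(a) in n for n in nets) for a in addrs):
            verdicts[service] = "private"
        else:
            verdicts[service] = "public"
    return verdicts


if __name__ == "__main__":
    hosts = service_hostnames("ap-south-1", "111111111111")   # placeholders
    for service, verdict in audit_private_resolution(hosts, ["10.42.0.0/16"]).items():
        print(f"{service:15s} {verdict}")
```

Anything reported as 'public' means the hosted zone is not associated with this VPC, private DNS is still enabled on the spoke-side endpoint, or the Resolver rule is not attached; 'unresolved' on a single service usually means a missing zone or a typo in the record name.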
When endpoints are wrong
If a workload genuinely needs internet egress to non-AWS endpoints (third-party APIs, GitHub, package registries), an interface endpoint does not help. You still need NAT or a managed egress (AWS Network Firewall, third-party proxy). Endpoints are for AWS-to-AWS traffic. They are not a general egress solution.
The architecture we end up with most often: NAT gateway for general internet egress (gated by Network Firewall for FQDN filtering), S3/DynamoDB gateway endpoints in every VPC, and a curated set of interface endpoints based on actual traffic patterns observed in VPC Flow Logs.
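Putting the economics from the break-even section together with the flow-log curation mentioned above, here is an added example (written for this article, not BIPI's tooling) that sums bytes per AWS service from a flow-log sample, scales it to a month and applies the break-even rule, while keeping the policy-sensitive endpoints regardless of volume. The flow-log lines and the address-to-service table are constructed; VPC Flow Logs record destination addresses rather than service names, so in practice build the table by resolving each service's regional hostname from inside the VPC and rebuild it whenever you re-run. Prices are the ap-south-1 figures quoted above, treated here as assumptions to re-check against the current price list.

```python
"""Which interface endpoints pay for themselves? Decide from VPC Flow Logs.

Added example for this article, not BIPI's tooling. SAMPLE_LINES and
SERVICE_BY_ADDR are constructed; prices are assumptions from the article.
"""
from collections import defaultdict

HOURS_PER_MONTH = 720        # assumption: 30-day month, which yields the ~$7.20 figure
NAT_PER_GB = 0.045           # NAT gateway data processing
ENDPOINT_PER_GB = 0.01       # interface endpoint data processing
ENDPOINT_PER_HOUR = 0.01     # interface endpoint, per AZ
GB = 1024 ** 3
# Endpoints wanted regardless of volume, for endpoint-policy control.
SECURITY_ALWAYS = {"kms", "secretsmanager"}

# Default flow-log record layout:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
DST, BYTES, ACTION = 4, 9, 12

# Constructed: addresses seen for each service from one AZ's subnets.
SERVICE_BY_ADDR = {
    "52.95.80.10": "s3",        # free via the gateway endpoint
    "13.233.10.20": "logs", "13.233.10.21": "logs",
    "13.233.20.30": "ecr.dkr",
    "13.233.30.40": "kms",
}

# Constructed one-hour sample from one ENI (header line as delivered to S3).
SAMPLE_LINES = """\
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
2 111111111111 eni-0a1b2c3d4e5f 10.42.1.15 13.233.10.20 44321 443 6 180000 250000000 1707000000 1707003600 ACCEPT OK
2 111111111111 eni-0a1b2c3d4e5f 10.42.1.15 13.233.10.21 44322 443 6 110000 150000000 1707000000 1707003600 ACCEPT OK
2 111111111111 eni-0a1b2c3d4e5f 10.42.1.15 13.233.20.30 44323 443 6 70000 100000000 1707000000 1707003600 ACCEPT OK
2 111111111111 eni-0a1b2c3d4e5f 10.42.1.15 13.233.30.40 44324 443 6 40 50000 1707000000 1707003600 ACCEPT OK
2 111111111111 eni-0a1b2c3d4e5f 10.42.1.15 52.95.80.10 44325 443 6 9000 12000000 1707000000 1707003600 ACCEPT OK
2 111111111111 eni-0a1b2c3d4e5f 10.42.1.15 13.233.30.40 44326 443 6 1 60 1707000000 1707003600 REJECT OK
2 111111111111 eni-0a1b2c3d4e5f 10.42.1.15 203.0.113.9 44327 443 6 500 600000 1707000000 1707003600 ACCEPT OK
""".splitlines()


def break_even_gb_per_az() -> float:
    """Monthly GB above which an endpoint beats sending the same bytes
    through a NAT gateway you run anyway (its hourly fee is sunk)."""
    return ENDPOINT_PER_HOUR * HOURS_PER_MONTH / (NAT_PER_GB - ENDPOINT_PER_GB)


def monthly_cost(gb: float, via_endpoint: bool) -> float:
    """Marginal monthly cost of moving gb through one AZ, either way."""
    if via_endpoint:
        return ENDPOINT_PER_HOUR * HOURS_PER_MONTH + ENDPOINT_PER_GB * gb
    return NAT_PER_GB * gb


def bytes_per_service(lines) -> dict:
    """Sum ACCEPTed bytes to known service addresses. Rejected flows never
    reach NAT, so they cost nothing and are skipped; unknown destinations
    (third-party APIs) are not an endpoint's business either."""
    totals = defaultdict(int)
    for line in lines:
        f = line.split()
        if len(f) < 14 or f[0] == "version" or f[ACTION] != "ACCEPT":
            continue
        service = SERVICE_BY_ADDR.get(f[DST])
        if service:
            totals[service] += int(f[BYTES])
    return dict(totals)


def recommend(lines, sample_hours: float) -> dict:
    """Scale the sample to a month and give a per-service verdict for this AZ."""
    scale = HOURS_PER_MONTH / sample_hours
    threshold = break_even_gb_per_az()
    verdicts = {}
    for service, total in bytes_per_service(lines).items():
        gb_month = total * scale / GB
        if service == "s3":
            verdicts[service] = ("gateway endpoint", gb_month)
        elif service in SECURITY_ALWAYS:
            verdicts[service] = ("interface endpoint (security)", gb_month)
        elif gb_month >= threshold:
            verdicts[service] = ("interface endpoint", gb_month)
        else:
            verdicts[service] = ("keep on NAT", gb_month)
    return verdicts


if __name__ == "__main__":
    print(f"break-even: {break_even_gb_per_az():.0f} GB/month per service per AZ")
    for service, (verdict, gb) in recommend(SAMPLE_LINES, sample_hours=1).items():
        print(f"{service:10s} {gb:8.1f} GB/month -> {verdict}")
```

Run it against a week of logs rather than an hour before acting on the verdicts; a one-hour sample from a single ENI is shown only to keep the example self-contained, and per-AZ totals matter because each AZ carries its own endpoint fee.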