VPC Endpoints

VPC Endpoints provide secure, private connectivity between your VPC and AWS services without requiring an internet gateway or NAT device. However, unused Interface Endpoints incur hourly charges, and missing free Gateway Endpoints represent a missed optimization.

Implementation Effort: Low - Estimated time: less than 30 minutes. Delete unused Interface Endpoints or create free Gateway Endpoints via console or CLI.

What We Detect

Unused Interface Endpoints

  • Idle endpoints -- Interface VPC Endpoints with little to no traffic, indicating they are no longer needed by any workload

Missing Free Gateway Endpoints

  • S3 Gateway Endpoint -- VPCs without a free Gateway Endpoint for S3, causing traffic to route through NAT Gateways (incurring data processing charges)
  • DynamoDB Gateway Endpoint -- VPCs without a free Gateway Endpoint for DynamoDB

Why It Matters

Interface Endpoints are billed hourly (~$7.20/month per AZ). Unused ones are pure waste. Gateway Endpoints for S3 and DynamoDB are completely free and route traffic privately within AWS, avoiding NAT Gateway data processing fees.

Recommendations

  1. Delete unused Interface Endpoints after confirming no traffic dependency
  2. Deploy Gateway Endpoints for S3 and DynamoDB in all VPCs -- they are free with no downside
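As an added example (not the tool's own code), the missing-Gateway-Endpoint check described above, written against the output shape of `aws ec2 describe-vpcs` and `aws ec2 describe-vpc-endpoints` with a constructed sample instead of a live account. It goes one step beyond the page by also treating a Gateway Endpoint that is attached to no route table as not covering its VPC, since such an endpoint carries no traffic.

```python
from collections import defaultdict

# The only AWS services offered as free Gateway Endpoints.
GATEWAY_SERVICES = ("s3", "dynamodb")

def service_short_name(service_name: str) -> str:
    # "com.amazonaws.us-east-1.dynamodb" -> "dynamodb"
    return service_name.rsplit(".", 1)[-1]

def missing_gateway_endpoints(vpcs, endpoints):
    """Return {vpc_id: [service, ...]} for services lacking a usable Gateway Endpoint.

    A Gateway Endpoint only takes effect through route table entries, so one with
    no RouteTableIds is reported as missing too (a check added beyond the page)."""
    covered = defaultdict(set)
    for ep in endpoints:
        if ep.get("VpcEndpointType") != "Gateway" or ep.get("State") != "available":
            continue  # Interface endpoints are a separate, hourly-billed product
        if not ep.get("RouteTableIds"):
            continue  # present but attached to no route table: traffic still goes via NAT
        svc = service_short_name(ep["ServiceName"])
        if svc in GATEWAY_SERVICES:
            covered[ep["VpcId"]].add(svc)
    findings = {}
    for vpc in vpcs:
        missing = [s for s in GATEWAY_SERVICES if s not in covered[vpc["VpcId"]]]
        if missing:
            findings[vpc["VpcId"]] = missing
    return findings

# Constructed sample in the shape of describe-vpcs / describe-vpc-endpoints output.
SAMPLE_VPCS = [{"VpcId": "vpc-0aaa"}, {"VpcId": "vpc-0bbb"}, {"VpcId": "vpc-0ccc"}]
SAMPLE_ENDPOINTS = [
    {"VpcEndpointId": "vpce-1", "VpcId": "vpc-0aaa", "VpcEndpointType": "Gateway",
     "ServiceName": "com.amazonaws.us-east-1.s3", "State": "available",
     "RouteTableIds": ["rtb-1"]},
    {"VpcEndpointId": "vpce-2", "VpcId": "vpc-0aaa", "VpcEndpointType": "Gateway",
     "ServiceName": "com.amazonaws.us-east-1.dynamodb", "State": "available",
     "RouteTableIds": ["rtb-1"]},
    {"VpcEndpointId": "vpce-3", "VpcId": "vpc-0bbb", "VpcEndpointType": "Gateway",
     "ServiceName": "com.amazonaws.us-east-1.s3", "State": "available",
     "RouteTableIds": []},  # orphaned: routes nothing, so S3 is still uncovered
    {"VpcEndpointId": "vpce-4", "VpcId": "vpc-0ccc", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.us-east-1.s3", "State": "available"},
]

if __name__ == "__main__":
    for vpc_id, services in missing_gateway_endpoints(SAMPLE_VPCS, SAMPLE_ENDPOINTS).items():
        print(f"{vpc_id}: create free Gateway Endpoint(s) for {', '.join(services)}")
```

On a real account, feed the function the `Vpcs` and `VpcEndpoints` lists from the two CLI calls (or the matching boto3 responses, paginated) for each region.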

Keep on chasing 🧡