VPC Endpoints
VPC Endpoints in Amazon Web Services are a crucial component for securely connecting VPC resources to supported AWS services without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. However, unused or underutilized VPC Endpoints can lead to unnecessary costs and potential security risks.
Unused VPC Endpoints Detection
We identify potential waste in VPC Endpoints through a detection algorithm that relies on CloudWatch metrics, primarily focusing on network data.
By regularly monitoring and evaluating VPC Endpoints against these network metrics, you can identify endpoints that are experiencing little to no traffic, indicating potential underuse or complete inactivity.
Proactively identifying and removing unused VPC Endpoints can help:
- Reduce unnecessary costs associated with maintaining unused endpoints.
- Simplify your VPC architecture and improve overall network design.
- Enhance security by minimizing potential attack surfaces.
By regularly reviewing and optimizing your VPC Endpoint deployments based on these network metrics, you can ensure more efficient resource allocation and cost-effective management of your AWS environment.
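The following Python is an added example of the kind of metric-driven check described above; it is not the detection code of the tool this page documents. It assumes the CloudWatch namespace AWS/PrivateLinkEndpoints and its BytesProcessed metric, which AWS publishes for interface endpoints (gateway endpoints publish no such metrics, and are free anyway), and it uses an illustrative 14-day window and low-traffic threshold. The classification is a pure function over the Datapoints shape returned by get_metric_statistics, so it runs on the constructed sample without credentials; only fetch_bytes_processed needs boto3.

```python
"""Classify interface VPC endpoints by observed traffic (added example)."""
from datetime import datetime, timedelta, timezone

LOOKBACK_DAYS = 14               # evaluation window (assumed, illustrative)
LOW_TRAFFIC_BYTES = 10_000_000   # under 10 MB in the window counts as "low" (assumed)


def classify_endpoint(datapoints, low_traffic_bytes=LOW_TRAFFIC_BYTES):
    """Return (status, total_bytes) with status in {'unused', 'low', 'active'}.

    `datapoints` has the shape of the Datapoints list returned by
    CloudWatch get_metric_statistics (one 'Sum' per period). CloudWatch
    omits periods with no data, so an empty list means the endpoint moved
    no bytes at all in the window.
    """
    total = sum(dp.get("Sum", 0.0) for dp in datapoints)
    if total == 0:
        return "unused", total
    if total < low_traffic_bytes:
        return "low", total
    return "active", total


def find_idle_endpoints(metrics_by_endpoint, low_traffic_bytes=LOW_TRAFFIC_BYTES):
    """Return {endpoint_id: (status, total_bytes)} for every non-active endpoint."""
    findings = {}
    for endpoint_id, datapoints in metrics_by_endpoint.items():
        status, total = classify_endpoint(datapoints, low_traffic_bytes)
        if status != "active":
            findings[endpoint_id] = (status, total)
    return findings


def fetch_bytes_processed(cloudwatch, endpoint_id, lookback_days=LOOKBACK_DAYS):
    """Pull daily BytesProcessed sums for one endpoint (needs a boto3 CloudWatch client).

    Dimension sets are discovered with list_metrics instead of being
    hard-coded, because the metric is published under several dimension
    combinations; per-subnet series are skipped so the VPC-wide series is
    not double counted (assumption about how AWS publishes the dimensions).
    """
    end = datetime.now(timezone.utc)
    start = end - timedelta(days=lookback_days)
    listed = cloudwatch.list_metrics(
        Namespace="AWS/PrivateLinkEndpoints",
        MetricName="BytesProcessed",
        Dimensions=[{"Name": "VPC Endpoint Id", "Value": endpoint_id}],
    )
    datapoints = []
    for metric in listed.get("Metrics", []):
        dims = metric["Dimensions"]
        if any(d["Name"] == "Subnet Id" for d in dims):
            continue
        resp = cloudwatch.get_metric_statistics(
            Namespace="AWS/PrivateLinkEndpoints",
            MetricName="BytesProcessed",
            Dimensions=dims,
            StartTime=start,
            EndTime=end,
            Period=86400,
            Statistics=["Sum"],
        )
        datapoints.extend(resp.get("Datapoints", []))
    return datapoints


# Constructed sample data in the get_metric_statistics() Datapoints shape.
_DAY0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_METRICS = {
    # busy endpoint: roughly 2 GB every day of the window
    "vpce-0aaa000000000001a": [
        {"Timestamp": _DAY0 + timedelta(days=i), "Sum": 2.0e9, "Unit": "Bytes"}
        for i in range(LOOKBACK_DAYS)
    ],
    # a trickle: one 512 KB day, silence otherwise
    "vpce-0bbb000000000002b": [
        {"Timestamp": _DAY0 + timedelta(days=3), "Sum": 524288.0, "Unit": "Bytes"}
    ],
    # no datapoints at all: nothing ever traversed it
    "vpce-0ccc000000000003c": [],
}

if __name__ == "__main__":
    for eid, (status, total) in sorted(find_idle_endpoints(SAMPLE_METRICS).items()):
        print(f"{eid}: {status} ({total:.0f} bytes over {LOOKBACK_DAYS} days)")
```

To run it against a live account, replace SAMPLE_METRICS with `{eid: fetch_bytes_processed(cw, eid) for eid in endpoint_ids}` using `cw = boto3.client("cloudwatch", region_name=...)`. A "low" finding is a prompt to look at the endpoint, not a removal order: an endpoint serving a rarely used but security-relevant path (for example, a private route to a logging or KMS service) can legitimately show little traffic.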
Missing Free Gateway Endpoints
Cost: FREE - Gateway Endpoints for Amazon S3 and Amazon DynamoDB are provided at no additional charge. There are no data processing or hourly charges for using Gateway Endpoints.
We also detect VPCs that are missing free Gateway Endpoints for S3 and DynamoDB. This is an informational finding designed to help you optimize your network architecture and reduce costs.
What are Gateway Endpoints?
Gateway Endpoints are a type of VPC Endpoint that provides private connectivity between your VPC and supported AWS services (S3 and DynamoDB) without requiring an internet gateway, NAT device, or VPN connection.
Why deploy Gateway Endpoints?
Deploying Gateway Endpoints for S3 and DynamoDB offers several benefits:
- Cost Savings: Traffic to S3 and DynamoDB through a Gateway Endpoint does not incur NAT Gateway data processing charges. This can result in significant savings if your workloads frequently access these services.
- Improved Security: Traffic stays within the AWS network and never traverses the public internet, reducing your attack surface.
- Better Performance: Direct routing to S3 and DynamoDB often results in lower latency compared to routing through NAT Gateways.
- No Bandwidth Constraints: Gateway Endpoints do not impose any bandwidth limits on your traffic.
Detection Method
We scan each VPC in your account and check for the presence of Gateway Endpoints for:
- Amazon S3 (com.amazonaws.<region>.s3)
- Amazon DynamoDB (com.amazonaws.<region>.dynamodb)
VPCs missing one or both of these free endpoints will be flagged as optimization opportunities.
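As an added example of the scan just described (not the scanner's own code), the Python below flags VPCs that lack an available S3 or DynamoDB gateway endpoint. The decision logic is a pure function over the shape of the EC2 describe_vpcs() and describe_vpc_endpoints() responses, so it runs on the constructed sample; only scan_region needs boto3 and credentials. An interface endpoint for S3 deliberately does not satisfy the check, since it is billed and does not add the free gateway route.

```python
"""Find VPCs missing the free S3 / DynamoDB gateway endpoints (added example)."""

GATEWAY_SERVICES = ("s3", "dynamodb")


def find_missing_gateway_endpoints(vpcs, endpoints, region):
    """Return {vpc_id: [missing service names]} for VPCs lacking a gateway endpoint.

    Only endpoints with VpcEndpointType 'Gateway' in state 'available' count;
    endpoints still 'pending' or already 'deleting' are ignored, as are
    interface endpoints that happen to target the same service.
    """
    present = {}
    for ep in endpoints:
        if ep.get("VpcEndpointType") != "Gateway" or ep.get("State") != "available":
            continue
        present.setdefault(ep["VpcId"], set()).add(ep["ServiceName"])

    findings = {}
    for vpc in vpcs:
        vpc_id = vpc["VpcId"]
        wanted = [f"com.amazonaws.{region}.{svc}" for svc in GATEWAY_SERVICES]
        missing = [name for name in wanted if name not in present.get(vpc_id, set())]
        if missing:
            findings[vpc_id] = missing
    return findings


def scan_region(region):
    """Live scan of one region with boto3 (imported here so the module loads without it)."""
    import boto3

    ec2 = boto3.client("ec2", region_name=region)
    vpcs = [v for page in ec2.get_paginator("describe_vpcs").paginate()
            for v in page["Vpcs"]]
    endpoints = [e for page in ec2.get_paginator("describe_vpc_endpoints").paginate()
                 for e in page["VpcEndpoints"]]
    return find_missing_gateway_endpoints(vpcs, endpoints, region)


# Constructed sample in the describe_vpcs() / describe_vpc_endpoints() shape.
SAMPLE_REGION = "eu-west-1"
SAMPLE_VPCS = [
    {"VpcId": "vpc-0aaa000000000001a"},  # both gateway endpoints present
    {"VpcId": "vpc-0bbb000000000002b"},  # DynamoDB gateway + S3 *interface* endpoint
    {"VpcId": "vpc-0ccc000000000003c"},  # nothing
    {"VpcId": "vpc-0ddd000000000004d"},  # S3 gateway still pending, no DynamoDB
]
SAMPLE_ENDPOINTS = [
    {"VpcEndpointId": "vpce-01", "VpcId": "vpc-0aaa000000000001a", "VpcEndpointType": "Gateway",
     "ServiceName": "com.amazonaws.eu-west-1.s3", "State": "available"},
    {"VpcEndpointId": "vpce-02", "VpcId": "vpc-0aaa000000000001a", "VpcEndpointType": "Gateway",
     "ServiceName": "com.amazonaws.eu-west-1.dynamodb", "State": "available"},
    {"VpcEndpointId": "vpce-03", "VpcId": "vpc-0bbb000000000002b", "VpcEndpointType": "Gateway",
     "ServiceName": "com.amazonaws.eu-west-1.dynamodb", "State": "available"},
    {"VpcEndpointId": "vpce-04", "VpcId": "vpc-0bbb000000000002b", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.eu-west-1.s3", "State": "available"},
    {"VpcEndpointId": "vpce-05", "VpcId": "vpc-0ddd000000000004d", "VpcEndpointType": "Gateway",
     "ServiceName": "com.amazonaws.eu-west-1.s3", "State": "pending"},
]

if __name__ == "__main__":
    for vpc_id, missing in sorted(
        find_missing_gateway_endpoints(SAMPLE_VPCS, SAMPLE_ENDPOINTS, SAMPLE_REGION).items()
    ):
        print(f"{vpc_id}: missing {', '.join(missing)}")
```

The finding is informational, as the page says: a VPC whose workloads never touch S3 or DynamoDB will still be listed, and adding the endpoint there costs nothing but also changes nothing. Where workloads do reach those services through a NAT gateway, the route table entry the endpoint creates is what removes the data-processing charge, so check that the `--route-table-ids` you pass cover the subnets those workloads actually run in.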
How to Deploy Gateway Endpoints
You can create Gateway Endpoints through the AWS Console, CLI, or Infrastructure as Code:
AWS CLI Example (S3):
aws ec2 create-vpc-endpoint \
--vpc-id vpc-1234567890abcdef0 \
--service-name com.amazonaws.eu-west-1.s3 \
--route-table-ids rtb-1234567890abcdef0 \
--region eu-west-1
AWS CLI Example (DynamoDB):
aws ec2 create-vpc-endpoint \
--vpc-id vpc-1234567890abcdef0 \
--service-name com.amazonaws.eu-west-1.dynamodb \
--route-table-ids rtb-1234567890abcdef0 \
--region eu-west-1
Best Practice: Deploy Gateway Endpoints for S3 and DynamoDB in all VPCs where workloads access these services. Since they are free, there is no downside to deploying them proactively.