How to use an S3 VPC endpoint to reduce AWS transfer costs

Do you want to reduce NAT gateway data processing costs? Check out S3 VPC endpoints.

S3 VPC endpoints can help your organization reduce costs if:

• Apps and services (EC2, EKS, Lambdas etc.) in your account access S3 buckets
• If your compute resources are in a virtual private network (VPC)
• You set up a NAT gateway for your VPC

If you meet these criteria, it’s likely that all your S3 access is going over the public internet and you are getting charged for both: egress traffic from S3 and NAT gateway traffic. By creating an S3 VPC endpoint, you can eliminate these unnecessary costs. 

Background: How does an EC2 instance access S3?

• Public instances can access S3 directly.
• Instances in private subnets use either NAT or VPC endpoints to access S3.

Note: For security reasons, EC2 instances should not have a public IP assigned. Doing so provides a large surface attack for malicious users.

What are S3 VPC endpoints?

An S3 VPC endpoint is a managed virtual device that:

• Can be attached to any routing table within a single VPC
• Can be used to route traffic S3 within a single region
• Can be used in a multi-account setting
• Has lower network latency than accessing S3 via NAT
• Is more secure because the network packets never leave the internal AWS network

Checklist for using an S3 VPC endpoint

• Check if subnet routes S3 traffic use an internet gateway. Accessing S3 through an internet gateway is free. You can still use a S3 VPC if you want to increase security, but without any cost savings.
• Verify that there are subnets having a route to S3. Don’t add an S3 endpoint in this case, since the route to S3 might have been removed for sandboxing or security purposes.
• The target S3 bucket should be in the same region. AWS routes cross-region access via the NAT gateway.
• Verify your application isn’t using legacy paths. AWS routes legacy paths via the NAT gateway.
• Make sure there are no open connections to the S3 bucket. Any open connection might be dropped during re-routing. Perform these changes during maintenance windows to avoid interruptions.

How to implement an S3 VPC endpoint

1. Open the VPC dashboard in the AWS Management Console

2. Select the desired region
3. Select the Endpoints tab
4. Click on Create Endpoint
5. Select the S3 service and the VPC you want to connect

6. Select the subnets that will access this endpoint

7. Select the security groups and review the policy

8. Add tags (Optional)
9. Click on Create Endpoint
10. Verify S3 access is routed over the new endpoint. You can use traceroute on the EC2 instance to check the routes to S3 are correct.

Continue optimizing your AWS services and environments with CloudFix, the leading AWS cost and performance optimization solution.