NAT vs VPC Endpoints
Endpoints save NAT egress.
Overview
NAT Gateway charges a per-GB processing fee on every byte that leaves a private subnet to reach AWS services. VPC endpoints route that traffic over the AWS backbone instead, either for free (gateway endpoints for S3 and DynamoDB) or for a per-AZ flat fee plus a much lower per-GB rate (interface endpoints). At any meaningful traffic volume to S3 or DynamoDB, gateway endpoints are an obvious win. Interface endpoints make sense once the per-GB savings exceed the per-AZ flat fee.
- Endpoints save NAT egress. Bytes that would have crossed NAT instead route over the AWS backbone.
- Gateway endpoints (S3, DynamoDB). Free, bypass NAT entirely. The no-brainer save.
- Interface endpoints. Per-AZ flat fee plus per-GB at much lower rates than NAT processing.
- Per-service cost analysis. Cost trade-off depends on traffic volume per service. The math tells the story.
The approach
Three habits keep NAT and endpoint architecture rational: gateway endpoints by default for S3 and DynamoDB, interface endpoints for high-volume services where the math works, and a quarterly audit that catches missed savings.
- Gateway endpoints for S3 and DynamoDB. Free, bypass NAT. Default everywhere with private subnets reaching these services.
- Interface endpoints for high-volume services. SQS, SNS, KMS, Secrets Manager when traffic justifies the per-AZ flat fee.
- Per-service cost analysis. Calculate the crossover per service. Below it, NAT is fine; above it, the endpoint pays back.
- Quarterly audit plus documented architecture. The audit catches missed savings; the rationale for each endpoint lives in the runbook.
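The per-service crossover calculation described above, as an added worked example that is not part of the original post. Every rate and traffic figure below is an assumed placeholder, not a quoted AWS price; substitute your region's rates and the per-service volumes from your own flow-log data.

```python
from dataclasses import dataclass

# Illustrative assumptions for the arithmetic, not quoted AWS rates.
NAT_PER_GB = 0.045          # assumed NAT Gateway data-processing fee, $/GB
IFACE_HOURLY_PER_AZ = 0.01  # assumed interface endpoint fee, $/hour per AZ
IFACE_PER_GB = 0.01         # assumed interface endpoint data-processing fee, $/GB
HOURS_PER_MONTH = 730

GATEWAY_SERVICES = {"s3", "dynamodb"}  # gateway endpoints: no hourly or per-GB fee


@dataclass
class Verdict:
    service: str
    nat_cost: float        # monthly $ if the traffic crosses NAT
    endpoint_cost: float   # monthly $ if the traffic uses an endpoint
    crossover_gb: float    # monthly GB at which an interface endpoint pays back (0 for gateway)
    use_endpoint: bool


def crossover_gb(azs: int, nat_per_gb=NAT_PER_GB, hourly=IFACE_HOURLY_PER_AZ,
                 per_gb=IFACE_PER_GB, hours=HOURS_PER_MONTH) -> float:
    """Monthly GB where interface-endpoint cost equals NAT processing cost.
    Returns inf when the endpoint's per-GB rate is not below NAT's (never pays back)."""
    margin = nat_per_gb - per_gb
    if margin <= 0:
        return float("inf")
    return azs * hours * hourly / margin


def evaluate(service: str, gb_per_month: float, azs: int) -> Verdict:
    """Compare NAT cost with endpoint cost for one service at the observed volume."""
    nat_cost = gb_per_month * NAT_PER_GB
    if service.lower() in GATEWAY_SERVICES:
        return Verdict(service, nat_cost, 0.0, 0.0, True)
    fixed = azs * HOURS_PER_MONTH * IFACE_HOURLY_PER_AZ
    endpoint_cost = fixed + gb_per_month * IFACE_PER_GB
    return Verdict(service, nat_cost, endpoint_cost, crossover_gb(azs),
                   endpoint_cost < nat_cost)


def audit(traffic: dict, azs: int) -> list:
    """Per-service verdicts from a {service: GB/month} map (e.g. aggregated from VPC Flow Logs)."""
    return [evaluate(s, gb, azs) for s, gb in traffic.items()]


if __name__ == "__main__":
    # Constructed sample: monthly GB per service leaving private subnets in a two-AZ VPC.
    sample = {"s3": 2000, "dynamodb": 300, "sqs": 900, "secretsmanager": 5}
    for v in audit(sample, azs=2):
        choice = "endpoint" if v.use_endpoint else "keep NAT"
        print(f"{v.service:15} NAT ${v.nat_cost:7.2f}  endpoint ${v.endpoint_cost:7.2f}  "
              f"crossover {v.crossover_gb:7.1f} GB  -> {choice}")
```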
Why this compounds
Each correctly placed endpoint cuts NAT cost every month. The team's fluency in AWS networking economics deepens; new VPCs ship with the right endpoints on day one rather than retrofitting them after the bill arrives.
- Cost efficiency. NAT processing fee replaced by free or near-free endpoint paths.
- Security improves. Traffic to AWS services stays inside the AWS network instead of traversing the public internet, which is exactly what compliance frameworks want to see.
- Latency improves. No internet round-trip for AWS-service calls.
- Year-one investment, year-two habit. The first endpoint setup is a heavy lift. By year two, every new VPC ships with sensible endpoint defaults.