The Private VPC Endpoint Strategy
VPC endpoints replace the public AWS service endpoints for traffic that originates inside a VPC. The strategy below decides which endpoints to deploy, and where.
Free endpoints
VPC endpoints provide private connectivity from VPCs to AWS services without traversing the internet. The traffic stays on the AWS backbone; no NAT gateway is involved; security is improved and (for some endpoints) cost is reduced. The endpoint strategy determines which endpoints to deploy where; the math depends on traffic patterns.
What free endpoints provide:
- S3 and DynamoDB gateway endpoints: S3 and DynamoDB use gateway-type endpoints. The endpoint is a route table entry; AWS adds it to the VPC at no charge. There is no per-hour cost and no per-GB processing cost.
- Gateway endpoints carry no extra cost: The endpoint type is "Gateway" (as opposed to the "Interface" type used by most other services). Gateway endpoints are explicitly free; AWS provides them as part of the VPC service.
- Always deploy these: Because the cost is zero, deploy the gateway endpoints in every VPC that uses S3 or DynamoDB. There is no economic reason to skip them; the only reason would be operational oversight.
- Saves NAT egress: Without the endpoint, S3 and DynamoDB traffic from private subnets goes through NAT gateways at $0.045 per GB. With the endpoint, the traffic goes through the endpoint at no cost. The savings on high-volume S3 workloads can be substantial.
- Improves security: Endpoint-only access to S3 (combined with bucket policies that require requests to arrive through the endpoint) prevents data from leaving via the public internet path. The defense-in-depth value is real.
Free endpoints are operationally and economically a no-brainer. Every VPC should have them.
Paid endpoints
Interface endpoints (the type used for most non-S3, non-DynamoDB services) have per-hour and per-GB costs. The economics are different; not every VPC needs every endpoint. The decision is per-VPC, per-service, based on the actual traffic patterns.
- ECR, SSM, Secrets Manager, KMS, and others: Most AWS services use interface endpoints. The list of services with endpoint support is long and growing; common ones include ECR (container images), SSM (Parameter Store, Session Manager), Secrets Manager, KMS, Lambda, SQS, and SNS.
- Interface endpoints cost per hour plus per GB: Interface endpoints cost roughly $0.01 per hour per AZ plus $0.01 per GB processed. The hourly cost adds up across many endpoints; the per-GB cost is offset by NAT savings.
- Deploy if traffic is frequent enough: The decision is whether the traffic from this VPC to this service is high enough that the endpoint costs less than the NAT egress it replaces. Heavy ECR pulls, heavy KMS calls, and frequent SSM access all favor endpoints.
- Avoid duplicate endpoints across VPCs: Some teams deploy the same endpoint in many VPCs. The cost adds up; consolidation through Transit Gateway and a hub VPC may be cheaper at scale.
- Watch for security policy requirements: Some compliance requirements specify endpoint-only access. In that case the endpoint cost is incurred regardless of traffic volume; the endpoint is a compliance requirement, not an economic optimization.
Paid endpoints are a per-VPC decision. The math determines whether the endpoint is cheaper than the alternative.
Calculate
The right endpoint set comes from calculation, not intuition. The endpoint cost vs. NAT egress cost for each service produces a clear answer. The crossover point determines which services warrant endpoints.
- Endpoint cost vs. NAT egress: Per service per VPC, calculate the monthly endpoint cost (per-hour rate times AZs times 24 times 30, plus per-GB rate times monthly traffic) versus the NAT egress cost (per-GB rate times monthly traffic). The cheaper option wins.
- Crossover usually at 100 GB/month: For typical interface endpoints across 2 AZs, the crossover with NAT egress is around 100 GB per month. Below that, NAT is cheaper; above that, endpoints are cheaper. The exact crossover depends on AZ count and per-GB rates.
- Per VPC, a few endpoints save more than they cost: Most VPCs benefit from a small set of endpoints (the free S3 gateway endpoint, plus ECR, SSM, Secrets Manager, and KMS) because the traffic to these services is significant. The combined savings on NAT egress exceed the endpoint cost.
- Diminishing returns at scale: Adding more endpoints provides diminishing returns. The first few endpoints capture most of the savings; the next few are marginal; the rest are pure cost. The team picks the high-leverage endpoints first.
- Review periodically: Traffic patterns change. Endpoints that made sense last year might be over-provisioned now; new endpoints might be justified by new workloads. The review keeps the endpoint set aligned with current traffic.
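The per-service, per-VPC calculation above, as an added worked example (not code from the page or from Nova AI Ops): it uses the rates quoted in this section, solves for the break-even traffic at a given AZ count, and keeps the compliance case where an endpoint is deployed regardless of volume. The service names and traffic figures in `SAMPLE_TRAFFIC` are constructed, not measured.

```python
"""Endpoint-vs-NAT break-even calculator following the per-service, per-VPC
formula in the text. Rates are the figures quoted on the page; SAMPLE_TRAFFIC
is constructed sample input, not measured data."""
from dataclasses import dataclass

HOURS_PER_MONTH = 24 * 30  # the page's 24 x 30 approximation

@dataclass(frozen=True)
class Rates:
    endpoint_hourly_per_az: float = 0.01  # interface endpoint, per hour per AZ
    endpoint_per_gb: float = 0.01         # interface endpoint data processing
    nat_per_gb: float = 0.045             # NAT gateway data processing

def endpoint_cost(gb_per_month: float, azs: int, r: Rates = Rates()) -> float:
    """Monthly cost of one interface endpoint: hourly x AZs x hours + per-GB x traffic."""
    return r.endpoint_hourly_per_az * azs * HOURS_PER_MONTH + r.endpoint_per_gb * gb_per_month

def nat_cost(gb_per_month: float, r: Rates = Rates()) -> float:
    """Monthly NAT data-processing cost for the same traffic."""
    return r.nat_per_gb * gb_per_month

def crossover_gb(azs: int, r: Rates = Rates()) -> float:
    """Traffic (GB/month) at which endpoint and NAT cost the same:
    solve hourly*azs*hours + ep_gb*x == nat_gb*x for x."""
    delta = r.nat_per_gb - r.endpoint_per_gb
    if delta <= 0:  # NAT is not dearer per GB: the fixed hourly fee never pays back
        return float("inf")
    return r.endpoint_hourly_per_az * azs * HOURS_PER_MONTH / delta

def recommend(traffic_gb: dict, azs: int, required=frozenset(), r: Rates = Rates()) -> dict:
    """Per-service, per-VPC decision. Services in `required` get an endpoint
    regardless of volume (the compliance case from the text)."""
    decisions = {}
    for service, gb in traffic_gb.items():
        if service in required:
            decisions[service] = "endpoint (policy requirement)"
        elif endpoint_cost(gb, azs, r) < nat_cost(gb, r):
            decisions[service] = "endpoint"
        else:
            decisions[service] = "nat"
    return decisions

# Constructed monthly traffic (GB) for one VPC with 2 AZs; not real measurements.
SAMPLE_TRAFFIC = {"ecr": 1200.0, "kms": 30.0, "ssm": 5.0, "secretsmanager": 2.0, "sqs": 600.0}

if __name__ == "__main__":
    print(f"break-even at 2 AZs: {crossover_gb(2):.0f} GB/month")
    for svc, choice in recommend(SAMPLE_TRAFFIC, azs=2, required={"kms"}).items():
        print(f"{svc:15s} {choice}")
```

With the per-hour and per-GB rates quoted in this section, the 2-AZ break-even comes out above 400 GB/month rather than 100, so plug in your region's current prices before deciding.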
Private VPC endpoint strategy is one of those AWS networking disciplines that pays off proportionally to the rigor applied. Nova AI Ops integrates with VPC traffic data and endpoint inventory, surfaces endpoint-vs-NAT economics, and produces the per-VPC recommendation that the network team uses to optimize.