By Samson Tanimawo, PhD
Published Feb 20, 2026
The Private VPC Endpoint Strategy
VPC endpoints replace public AWS endpoints for in-VPC traffic. This is the strategy for picking which ones to deploy.
Free endpoints
S3 and DynamoDB are served by gateway endpoints, which carry no extra cost.
Always deploy these; they save NAT egress.
Paid endpoints
ECR, SSM, Secrets Manager, KMS, etc. use interface endpoints, which are billed per hour plus per GB.
Deploy if traffic is frequent enough to amortise the cost.
Calculate
Compare the endpoint cost with the NAT egress cost for the same service. The crossover is usually at 100GB/month.
Per VPC, a few endpoints save more than they cost.
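
The comparison above as a small per-VPC planner (an added example, not code from the article). The rates, the traffic figures, the service labels and the AZ count are constructed placeholders, so substitute your region's current prices and your own measured NAT traffic before relying on the result.

```python
from dataclasses import dataclass

HOURS_PER_MONTH = 730  # average number of hours in a month

@dataclass(frozen=True)
class Rates:
    """Constructed placeholder rates in USD, not a price list."""
    endpoint_hourly_per_az: float = 0.01  # interface endpoint, per AZ
    endpoint_per_gb: float = 0.01         # interface endpoint data processing
    nat_per_gb: float = 0.05              # NAT data processing

# Gateway endpoints carry no extra cost, so they are always deployed.
GATEWAY_SERVICES = {"s3", "dynamodb"}

def fixed_monthly(rates, az_count):
    """Hourly charge of one interface endpoint across all AZs for a month."""
    return rates.endpoint_hourly_per_az * az_count * HOURS_PER_MONTH

def breakeven_gb(rates, az_count):
    """Monthly GB at which an interface endpoint costs the same as NAT egress."""
    saving_per_gb = rates.nat_per_gb - rates.endpoint_per_gb
    if saving_per_gb <= 0:
        return float("inf")  # endpoint never pays for itself on cost alone
    return fixed_monthly(rates, az_count) / saving_per_gb

def plan(traffic_gb, rates, az_count):
    """Return {service: (deploy, monthly_saving_usd)} for one VPC."""
    threshold = breakeven_gb(rates, az_count)
    result = {}
    for service, gb in traffic_gb.items():
        if service in GATEWAY_SERVICES:
            result[service] = (True, round(gb * rates.nat_per_gb, 2))
            continue
        saving = gb * (rates.nat_per_gb - rates.endpoint_per_gb)
        saving -= fixed_monthly(rates, az_count)
        result[service] = (gb > threshold, round(saving, 2))
    return result

# Constructed monthly traffic (GB) that currently leaves one VPC through NAT.
SAMPLE_TRAFFIC = {"s3": 800, "dynamodb": 50, "ecr": 600,
                  "ssm": 5, "secretsmanager": 2, "kms": 20}

if __name__ == "__main__":
    print(f"break-even: {breakeven_gb(Rates(), az_count=2):.0f} GB/month")
    for svc, (deploy, saving) in plan(SAMPLE_TRAFFIC, Rates(), 2).items():
        print(f"{svc:15} deploy={deploy!s:5} saving=${saving:.2f}/month")
```

The break-even point scales with the number of AZs the endpoint is placed in, so rerun the calculation whenever a VPC's AZ footprint changes.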