VPC Endpoint Cost
Endpoints have hourly cost.
Overview
Not every VPC endpoint is free. Gateway endpoints (S3, DynamoDB) are; interface endpoints carry a per-AZ ENI-hour cost plus a per-byte processing charge. Getting the architecture right means weighing the NAT savings against the endpoint cost for each service individually. Reflexively enabling every interface endpoint costs more than the NAT it replaces at low traffic volumes.
- Hourly cost per AZ. Per-AZ ENI-hour cost on every interface endpoint. Multi-AZ deployments multiply the bill.
- Interface versus gateway. Right type per service: gateway for S3 and DynamoDB; interface for the rest, when traffic justifies it.
- Per-service cost analysis. Calculate the crossover per service. Below it, NAT is cheaper; above it, the endpoint pays back.
- NAT savings versus endpoint cost plus quarterly audit. Per-service trade-off analysis; a quarterly review catches endpoints that no longer earn their hourly fee.
The approach
Three habits keep VPC endpoint cost matched to actual savings: gateway endpoints by default for S3 and DynamoDB, interface endpoints selectively where traffic volume justifies the per-AZ flat fee, and a quarterly audit that prunes underused endpoints.
- Gateway endpoints for S3 and DynamoDB. Free, bypass NAT. Default everywhere private subnets reach those services.
- Interface endpoints selectively. KMS, SSM, ECR when traffic volume justifies the per-AZ flat fee.
- NAT savings versus endpoint cost. Run the math per service. Endpoint pays back only when NAT processing for that service exceeds the endpoint cost.
- Quarterly audit plus documented architecture. Catches stale endpoints; the rationale for each endpoint is documented.
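The per-service crossover math and the quarterly audit above, as an added example that is not part of the original text. The rates in EXAMPLE_RATES are constructed, illustrative figures, not a price list; only NAT's per-GB processing is treated as avoidable, since the NAT hourly fee persists while the NAT serves other traffic.

```python
"""Per-service NAT-vs-interface-endpoint crossover and quarterly audit helper."""
from dataclasses import dataclass

HOURS_PER_MONTH = 730
GATEWAY_SERVICES = {"s3", "dynamodb"}  # gateway endpoints: no hourly or per-GB charge


@dataclass(frozen=True)
class Rates:
    nat_per_gb: float            # NAT gateway data-processing charge, USD/GB
    endpoint_hour_per_az: float  # interface endpoint ENI-hour charge, USD/hour/AZ
    endpoint_per_gb: float       # interface endpoint data-processing charge, USD/GB

# Constructed, illustrative figures (an assumption); substitute your region's rates.
EXAMPLE_RATES = Rates(nat_per_gb=0.045, endpoint_hour_per_az=0.01, endpoint_per_gb=0.01)

def endpoint_monthly_cost(gb: float, azs: int, r: Rates) -> float:
    """Flat ENI-hour fee in every AZ plus per-byte processing."""
    return r.endpoint_hour_per_az * HOURS_PER_MONTH * azs + r.endpoint_per_gb * gb

def nat_processing_cost(gb: float, r: Rates) -> float:
    """Only the NAT per-GB processing is saved; the NAT hourly fee stays while
    the NAT still carries other traffic, so it is not counted here."""
    return r.nat_per_gb * gb

def crossover_gb(azs: int, r: Rates) -> float:
    """Monthly GB above which the interface endpoint pays back; inf if it never does."""
    margin = r.nat_per_gb - r.endpoint_per_gb
    if margin <= 0:
        return float("inf")
    return r.endpoint_hour_per_az * HOURS_PER_MONTH * azs / margin

def audit(traffic_gb: dict[str, float], azs: int, r: Rates) -> dict[str, str]:
    """Quarterly audit: map each service (name -> GB/month to that AWS service)
    to the cheaper option at its current volume."""
    threshold = crossover_gb(azs, r)
    verdicts = {}
    for svc, gb in traffic_gb.items():
        if svc.lower() in GATEWAY_SERVICES:
            verdicts[svc] = "gateway endpoint"
        elif gb > threshold:
            verdicts[svc] = "interface endpoint"
        else:
            verdicts[svc] = "nat"
    return verdicts

if __name__ == "__main__":
    sample = {"s3": 5000.0, "kms": 50.0, "ecr": 900.0}  # constructed two-AZ VPC traffic
    print(f"crossover: {crossover_gb(2, EXAMPLE_RATES):.1f} GB/month")
    print(audit(sample, 2, EXAMPLE_RATES))
```

At the illustrative rates a two-AZ endpoint breaks even near 417 GB/month, so the low-volume KMS service stays on NAT while ECR earns its endpoint.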
Why this compounds
Each correctly-placed endpoint cuts the recurring NAT bill while keeping AWS-service traffic on the AWS backbone. The team’s AWS networking economics fluency deepens; new VPCs ship with the right endpoints on day one.
- Cost efficiency. Endpoint cost matched to NAT savings. The bill stays predictable.
- Security improves. Traffic stays in the AWS network. Compliance frameworks like that.
- Latency improves. No internet hop for AWS-service calls.
- Year-one investment, year-two habit. First endpoint setup is investment. By year two, every new VPC ships with sensible defaults.