VPC Endpoints

Private access to AWS services.

Overview

VPC endpoints route AWS-service traffic privately over the AWS backbone, bypassing the public internet and NAT gateways. Gateway endpoints (S3, DynamoDB) are free and route via prefix list. Interface endpoints (most other services) carry a per-AZ flat fee plus reduced per-byte processing. The architecture compounds across services: each endpoint cuts NAT processing, improves security posture, and shaves a few milliseconds of latency.

• Private access to AWS services. Traffic routed over the AWS backbone instead of the public internet.
• Gateway endpoints (S3, DynamoDB). Free; route via prefix list in the route table. Bypass NAT entirely.
• Interface endpoints (most services). Per-AZ ENI plus hourly cost. Cheaper than NAT processing once volume justifies it.
• NAT bypass plus security posture. Endpoint traffic stays in the AWS network; compliance frameworks like that.

The approach

Three habits make VPC endpoints produce real wins: gateway endpoints by default for S3 and DynamoDB, interface endpoints for the AWS services with the highest traffic volume, and a per-quarter audit that catches missed savings.

• Gateway endpoints for S3 and DynamoDB. Free, bypass NAT. Default everywhere private subnets reach those services.
• Interface endpoints for KMS, SSM, ECR, etc. Per-AZ ENI. Worth the flat fee once traffic exceeds the NAT processing alternative.
• NAT cost awareness. Endpoints reduce NAT data processing. The savings appear on the bill the next month.
• Per-quarter audit plus documented architecture. Catches missed endpoints; per-service the endpoint rationale documented.

Why this compounds

Each correctly-placed endpoint cuts NAT cost every month. The team’s AWS networking economics fluency deepens; new VPCs ship with the right endpoints on day one rather than retrofitting them after the bill arrives.

• Cost efficiency. Gateway endpoints cut NAT processing fees on the recurring traffic.
• Security improves. Traffic stays in the AWS network. SOC 2 and HIPAA controls are easier to satisfy.
• Latency improves. No internet hop. AWS-service calls return faster.
• Year-one investment, year-two habit. First endpoint is investment. By year two, every new VPC ships with sensible defaults.