Last week, we looked at how to save money with AWS’s S3 service by implementing a quick hack to leverage Intelligent Tiering.

This week, we’ll take a look at reducing Data Transfer costs from our AWS monthly bill and how we can leverage some super easy configurations to reduce NAT Gateway expenditures within our VPCs.

How to view your AWS NAT Gateway Data Transfer bill

I wrote a guide in the last article that you can follow to view your monthly AWS bill.

In the billing console, you’ll find the two line items of interest that we’ll be focusing on cutting from our bill close to entirety:

• Elastic Compute Cloud > {Region} > Amazon Elastic Compute Cloud NatGateway

Cut NAT Gateway Costs — Use S3/Dynamo Gateway Endpoints

So, now let’s take a look at exterminating our AWS NAT Gateway expenditure from our AWS bill.

We can do this by reducing the amounts of data that we transfer across the NAT Gateway by taking advantage of Gateway Endpoints.

Before seeing how to do this exactly, I propose that we first understand what the NAT Gateway is and why we use it. to better understand how we can avoid using it.

What is a NAT Gateway?

A NAT (Network Address Translation) Gateway is a service that enables instances in a private subnet to connect to the internet or other AWS services, while blocking inbound traffic from the internet.

A NAT Gateway works by translating the private IP addresses of instances to public IP addresses, allowing them to communicate with external networks while remaining hidden behind the NAT Gateway.

Why use a NAT Gateway?

A NAT Gateway can be useful in scenarios where you have instances in a private subnet that need to access the internet, but you don’t want to expose them directly to the internet.

It can also be used to limit outbound traffic from your VPC, by only allowing traffic that originates from your private instances and is destined for approved destinations.

Overall, NAT Gateways improve security by allowing access to external services all while reducing access to your services in your private subnets from unknown external entities.

What is an AWS S3 Gateway Endpoint?

An AWS S3 Gateway Endpoint is an AWS managed endpoint that allows you to connect to S3 buckets from within your Amazon Virtual Private Cloud (VPC) without needing to use a NAT Gateway.

Typically, the expensive approach to accessing S3 from a private subnet in a VPC may have the following infrastructure:

From the diagram above, in order for the EC2 instances in the private subnet to access data in S3, the request and response containing the S3 data must traverse the NAT Gateway and the Internet Gateway — this is very expensive.

Now, let’s take a look at the exact same request for data from our EC2 instances in private subnets, except this time we will use a S3 Gateway Endpoint:

As you can see, AWS will prioritize using the Gateway Endpoint and will avoid sending traffic through your NAT Gateway and Internet Gateway — which saves a lot of money!.

Additionally, when you create an S3 Gateway Endpoint, it enables secure communication with S3, without requiring internet access. This makes data access more secure and fast!

5 Minute Cost Savings Hack — Enable S3 Gateway Endpoint

Let’s now take a look at how we can implement the S3 Gateway Endpoint into our own project.

Step 1: Access The Gateway Endpoint Creation Console

To begin, access the AWS VPC Console in your region of interest.

From the left-hand menu, click Virtual private cloud > Endpoints, or navigate to the Endpoints console by clicking here.

Then click the orange Create endpoint button.

Step 2: Naming and Choosing a Service Category

In the Create endpoint console, we’ll start by naming our Gateway Endpoint Resource. This is arbitrary. I’ve gone ahead and used s3-gateway.

For “Service Category”, we’ll choose AWS services.

Step 3: Selecting S3 Service

You should select the Service Name to follow the pattern com.amazonaws.{REGION}.s3.

In this example, because I am using the region us-east-1, I’ll use the following Service Name: com.amazonaws.us-east-1.s3.

The “Type” should be Gateway.

Step 4: Choose the VPC

This step is straightforward. All that you need to do is select the VPC of interest in which you would like to add the Gateway Endpoint.

Step 5: Select the Route Table

Go ahead and choose the Route Table that includes your private routes (associated with your private subnet). Read on if you’re unsure how to do determine this.

Step 6: Choose the Access Policy

I personally choose Full access here, but if your application needs a Custom policy, now is the time to configure that.

Step 7: Tag and Create the Gateway Endpoint

If you would like to add tags to your new Gateway endpoint, now is the time to add them!

After adding Tags, go ahead and click Create endpoint.

Now, all data will magically transfer through the Gateway Endpoint, which is free!

Resources

• Gateway endpoints — AWS Docs
• AWS VPC Gateway Endpoints — Jayendra’s Cloud Certification Blog