A Simple Trick to Reduce AWS Cost in Private Subnets (NAT)

in Programming & Dev, 2 years ago (edited)

Background

To protect servers from malicious actors on the Internet, industry best practice is not to allocate public IP addresses to EC2 instances that do not need to be directly reachable from the Internet, for example servers that can sit behind a load balancer.

However, these servers may still need to reach services on the Internet, for example to call third-party APIs or to access AWS services that cannot be deployed into the customer's VPC.

[Figure: VPC with a private subnet]

In this case, NAT gateways are commonly used to provide outbound Internet connectivity for servers in private subnets. These highly available NAT gateways come at a cost: $0.045 per GB of data processed, billed on top of EC2 Data Transfer fees.

The Trick

If you have an S3-heavy workload running in a private subnet, try attaching an S3 gateway endpoint to your VPC. Gateway endpoints are free to use, and EC2 Data Transfer to S3 within the same region is also free, so S3 traffic no longer incurs the NAT gateway data processing fee.

[Figure: VPC with S3 gateway endpoint]

You can attach an S3 gateway endpoint to your VPC in just 6 steps:

  1. Open "Endpoints" from the VPC console.
  2. Click "Create Endpoint".
  3. Search for "Type: Gateway" in Services.
  4. Select the Gateway type S3 endpoint.
  5. Select your VPC.
  6. Click "Create Endpoint".

The one caveat is that gateway endpoints are available only for S3 and DynamoDB, and only for the service in the same AWS region as the VPC.
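The same six console steps expressed as an API call, as an added example that is not part of the original post. It prepares the `ec2.create_vpc_endpoint` request with boto3's real parameter names, attaches an endpoint policy that limits which buckets are reachable through the endpoint (the default policy allows any bucket), and includes a check over a `describe_route_tables` entry to confirm that the S3 prefix list is actually routed to the endpoint rather than still going out through the NAT gateway. `VPC_ID`, the route table ids, the bucket ARN, the prefix-list id and the sample route tables are placeholders constructed for the example; the only real AWS call is in `create_s3_gateway_endpoint`, which is not run by default.

```python
"""Added example: attach an S3 gateway endpoint with a scoped endpoint policy.

All ids below (vpc-PLACEHOLDER, rtb-private-*, pl-00000000, vpce-0def, the
bucket ARN) are constructed placeholders, not values from the post.
"""
import json


def s3_service_name(region):
    """Gateway endpoints target the regional S3 service name."""
    return f"com.amazonaws.{region}.s3"


def build_endpoint_policy(bucket_arns):
    """Endpoint policy that only lets traffic through the endpoint reach the
    listed buckets and their objects. With no policy the endpoint allows full
    access, so anything in the VPC could talk to any bucket over it."""
    resources = []
    for arn in bucket_arns:
        resources.append(arn)          # bucket-level actions (ListBucket)
        resources.append(f"{arn}/*")   # object-level actions
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowOnlyApprovedBuckets",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": resources,
        }],
    }


def endpoint_request(vpc_id, region, route_table_ids, bucket_arns):
    """Keyword arguments for ec2.create_vpc_endpoint. Associating the private
    subnets' route tables is what diverts S3-bound traffic away from the NAT
    gateway: AWS adds a route for the S3 prefix list pointing at the endpoint."""
    return {
        "VpcEndpointType": "Gateway",
        "VpcId": vpc_id,
        "ServiceName": s3_service_name(region),
        "RouteTableIds": list(route_table_ids),
        "PolicyDocument": json.dumps(build_endpoint_policy(bucket_arns)),
    }


def create_s3_gateway_endpoint(vpc_id, region, route_table_ids, bucket_arns):
    """Perform the API call (needs AWS credentials and boto3 installed)."""
    import boto3  # imported here so the rest of the module works offline
    ec2 = boto3.client("ec2", region_name=region)
    resp = ec2.create_vpc_endpoint(
        **endpoint_request(vpc_id, region, route_table_ids, bucket_arns))
    return resp["VpcEndpoint"]["VpcEndpointId"]


def s3_route_via_endpoint(route_table, s3_prefix_list_id):
    """Check one entry of describe_route_tables()['RouteTables'] for an active
    route sending the S3 prefix list to a gateway endpoint. If this is False,
    S3 traffic from subnets using that table still leaves via the NAT gateway
    and is still billed for NAT data processing."""
    for route in route_table.get("Routes", []):
        if (route.get("DestinationPrefixListId") == s3_prefix_list_id
                and route.get("GatewayId", "").startswith("vpce-")
                and route.get("State") == "active"):
            return True
    return False


# Constructed sample route tables mimicking describe_route_tables output.
SAMPLE_S3_PREFIX_LIST = "pl-00000000"  # placeholder, not a real prefix list
SAMPLE_ROUTE_TABLE_OK = {
    "RouteTableId": "rtb-private-1",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc", "State": "active"},
        {"DestinationPrefixListId": SAMPLE_S3_PREFIX_LIST, "GatewayId": "vpce-0def", "State": "active"},
    ],
}
SAMPLE_ROUTE_TABLE_NAT_ONLY = {
    "RouteTableId": "rtb-private-2",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc", "State": "active"},
    ],
}

if __name__ == "__main__":
    req = endpoint_request("vpc-PLACEHOLDER", "us-east-1", ["rtb-private-1"],
                           ["arn:aws:s3:::example-app-bucket"])
    print(json.dumps(req, indent=2))
    for rt in (SAMPLE_ROUTE_TABLE_OK, SAMPLE_ROUTE_TABLE_NAT_ONLY):
        print(rt["RouteTableId"], "S3 via endpoint:",
              s3_route_via_endpoint(rt, SAMPLE_S3_PREFIX_LIST))
```

Run it as-is to see the prepared request and the route check on the two constructed tables; call `create_s3_gateway_endpoint` yourself with real ids to create the endpoint. Every route table used by the private subnets has to be associated, and a route table that still shows only the `0.0.0.0/0` route to the NAT gateway is the usual reason the expected savings do not appear.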


Great technique
Thanks for contributing to the programming and dev community

Thanks for your kind words!