
Stop Wasting 5,000 Yen a Month on NAT Gateways: Save Costs Safely with VPC Endpoints (With Conditions)

Published

*This page contains promotions.
[What you will learn in this article]

  1. Why NAT Gateways are expensive (you are charged just for having them sit there).
  2. How using VPC Endpoints makes access to S3 free.
  3. [Important] What VPC Endpoints cannot do (you'll run into trouble if you misunderstand this).

Introduction: Do you really need that "Butler"?

A NAT Gateway is essential for accessing the internet from a private subnet. In a previous article, I likened it to a "butler who runs errands on your behalf."

While very convenient, he has one fatal flaw: his "salary is high."

  • Hourly rate: $0.062 / hour
  • Data processing: $0.062 / GB
  • Monthly equivalent: Approx. 5,000 to 6,000 yen (Tokyo region, depending on the exchange rate)

Whether you are communicating or not, 5,000 yen disappears every month just by him "standing there." This is a painful expense for personal development.

What if your reason for using a NAT Gateway is "just to save logs to S3"? You are effectively chartering a luxury car (NAT GW) just to go to a convenience store (S3).

Today, I will explain how to stop that wasteful spending and use a "secret shortcut (VPC Endpoint)" instead.


1. Understanding the Difference Between the Two Routes with "Diagrams"

There are roughly two routes to access S3 (AWS's warehouse).

Route A: Via NAT Gateway (Expensive)
This route goes out to the "Internet (outside)" once and then comes back to the AWS warehouse. Because it goes through the Butler (NAT GW), a high toll is charged.

Route B: Via VPC Endpoint (Cheap and Fast)
This route goes through a "dedicated underground tunnel" within the AWS premises. Since it doesn't go out to the internet, it is safe, and if it is the "Gateway type," it is free.

▼ [Diagram] Detour vs. Underground Tunnel

2. The Magic Word "Gateway Type"

There are actually two types of "VPC Endpoints." This is the point where beginners get most confused.

Type             Destination                  Fee                        Difficulty
Gateway Type     S3, DynamoDB                 Free (really free)         Easy
Interface Type   Others (CloudWatch, etc.)    Paid (cheaper than NAT)    Intermediate

The one to watch is the "Gateway Type." If your use case is limited to things like "uploading images to S3" or "reading/writing to DynamoDB," you can reduce the cost to 0 yen by simply deleting the NAT Gateway and creating this Gateway-type endpoint.

It is a free direct-access tunnel to S3 that AWS itself provides. There's no reason not to use it.

🔸 Note
Interface types are cheaper than NAT for low traffic, but there are cases where NAT becomes cheaper if there is a large amount of data transfer.

3. [Important] Why it's Conditional (What it can't do)

"Great! Then I'll throw away all my NAT Gateways and switch to this!" If that's what you're thinking, please wait a moment.

VPC Endpoints are not "all-purpose." This is because they are specifically "direct tunnels to AWS services (like S3)" and not an "exit to the internet."

❌ What you "cannot" do with a VPC Endpoint

  • Access Google
  • Use external APIs like the Twitter API
  • yum update or apt-get update (OS updates)
  • git clone from GitHub

These are all located on "servers on the internet," so they cannot be reached through the underground tunnel (VPC Endpoint). If you need these communications, you will unfortunately have to keep the NAT Gateway.

4. Conclusion: Which one should you use? Flowchart

I've illustrated the decision criteria so you won't get lost.

▼ [Diagram] Post-NAT Gateway Decision Flow

Wise Saving Techniques

For cases like "I basically only use S3, but I occasionally want to do OS updates...":

  1. Usually, keep only the "Gateway-type Endpoint (free)".
  2. Create a "NAT Gateway" only when updating, and delete it immediately after finishing.

This way, you can avoid paying 5,000 yen a month. (It takes a little effort, but it's a sufficient strategy for personal development.)
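As an added example (not code from the original post), here is how the two ideas above can be expressed together in Terraform: the free Gateway-type S3 endpoint from section 2 stays in place permanently, with an endpoint policy that limits the tunnel to the one log bucket, and the NAT Gateway from the saving technique is created and destroyed with a single variable. The VPC, subnet, route table and bucket names are placeholder inputs; the region is Tokyo as in the article.

```hcl
# Placeholder inputs for this example; none of these values come from the post.
variable "vpc_id" { type = string }
variable "public_subnet_id" { type = string }
variable "private_route_table_id" { type = string }
variable "log_bucket" { type = string } # e.g. "my-app-logs" (constructed name)

# Flip to true only while running OS updates, then back to false.
variable "enable_nat" {
  type    = bool
  default = false
}

# Route B: Gateway-type S3 endpoint. No charge; the route to the S3 prefix
# list is added to the private route table automatically.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.ap-northeast-1.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [var.private_route_table_id]

  # Endpoint policy: only the log bucket is reachable through the tunnel, so a
  # compromised instance cannot copy data out to an arbitrary bucket. Add any
  # other S3-hosted resource the instances legitimately need.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = "*"
      Action    = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
      Resource  = ["arn:aws:s3:::${var.log_bucket}", "arn:aws:s3:::${var.log_bucket}/*"]
    }]
  })
}

# Route A, only on request: the NAT Gateway, its Elastic IP and the default
# route exist with enable_nat=true and are destroyed (no hourly charge) with false.
resource "aws_eip" "nat" {
  count  = var.enable_nat ? 1 : 0
  domain = "vpc"
}

resource "aws_nat_gateway" "update_only" {
  count         = var.enable_nat ? 1 : 0
  allocation_id = aws_eip.nat[0].id
  subnet_id     = var.public_subnet_id
}

resource "aws_route" "private_default" {
  count                  = var.enable_nat ? 1 : 0
  route_table_id         = var.private_route_table_id
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.update_only[0].id
}
```

Run `terraform apply -var enable_nat=true` before the update and `terraform apply -var enable_nat=false` afterwards; the second apply removes the NAT Gateway, the default route and the Elastic IP, so nothing is left "standing there" being billed.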

Conclusion: Cost Reduction Starts with Knowing the "Mechanism"

It is often said that "AWS is expensive," but that is frequently because "the appropriate route has not been chosen." It comes down to whether you know that a free subway (Gateway-type Endpoint) exists instead of a luxury car (NAT GW). The difference in knowledge translates directly to the difference in your wallet.

📚 Two Books to Deepen Your Understanding of Costs and Network Mechanisms
For those who want to know more about "Endpoints" and "Routing" discussed this time.

  1. Learn to draw "architecture diagrams" in practice ▼ Amazon Web Services: Network & Server Construction from the Basics. It also explains how to configure VPC Endpoints with actual screen captures. If you have ever got stuck on "Route Table settings," learning systematically with this book is the shortcut.

https://amzn.to/4k9FoD4

  2. Acquire a professional "sense of cost" ▼ Comprehensive Guide: AWS Certified Solutions Architect - Associate Textbook. Calculating costs like "How much will this configuration cost?" is an essential skill for the SAA (design certification). Even if you don't plan to take the exam, reading it for "knowledge to prevent wasteful spending" will make you less afraid of looking at your AWS bills. (Amazon Associate link here)

https://amzn.to/3ZgtQEy
