Remove Idle VPC Endpoints

Opportunity Name:

Delete Idle VPC Endpoints


AWS Resource Type:

VPC Endpoint


Opportunity Description:

Delete any Interface Endpoints or Gateway Load Balancer Endpoints with zero data processing over the past 31 days and save the hourly charges. 


Criteria for identifying the opportunity:

  • VPC Endpoint has had no data charges in the past 31 days
  • VPC Endpoint was created more than 31 days ago
  • VPC Endpoint resource is in the Available state


Potential savings (range in % on annual basis):

Customers can expect to save approximately 47% of their VPC Endpoint hourly charges by removing idle endpoints.


What happens when the Fixer is executed?

The Fixer calls the DeleteVpcEndpoints API to delete the VPC endpoint. There is no monitoring or automated rollback associated with this fixer.


Is it possible to rollback once CloudFix implements the fixer?

Yes. Every time this fixer removes a VPC Endpoint, the email address configured during onboarding receives an email like the one below, listing all the parameters of the deleted endpoint so that it can be recreated if needed.

The rollback can be executed manually by using the AWS CLI create-vpc-endpoint command, the AWS Console, or the AWS CreateVpcEndpoint API, to recreate the VPC endpoint using the original parameters specified in the rollback email.



The following example shows how the rollback can be achieved using the AWS CLI:

aws ec2 create-vpc-endpoint \
    --vpc-endpoint-type <VpcEndpointType> \
    --vpc-id <VpcId> \
    --service-name <ServiceName> \
    --policy-document <PolicyDocument> \
    --subnet-ids <SubnetIds> \
    --security-group-ids <Groups[*].GroupId> \
    --private-dns-enabled \
    --tag-specifications 'ResourceType=vpc-endpoint,Tags=[{Key=<Tags.Key>,Value=<Tags.Value>}]'

Use --no-private-dns-enabled instead of --private-dns-enabled when <PrivateDnsEnabled> in the email is false (a comment cannot follow the trailing backslash on that line, as it would break the line continuation).
Please see the AWS CLI reference for more information.
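An added example, not part of this article or CloudFix's tooling, that applies the three identification criteria above to a describe-vpc-endpoints result and renders the rollback command from the saved parameters; the endpoint IDs, per-endpoint charge figures and the fixed "today" date are constructed for illustration:

```python
"""Added example (not CloudFix's own code): apply the page's three idle-endpoint
criteria to a describe-vpc-endpoints result and render the rollback command."""
import shlex
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like `aws ec2 describe-vpc-endpoints` output.
SAMPLE = {"VpcEndpoints": [
    {"VpcEndpointId": "vpce-0a1b2c3d4e5f60001", "VpcEndpointType": "Interface",
     "VpcId": "vpc-0123456789abcdef0", "ServiceName": "com.amazonaws.us-east-1.ssm",
     "State": "available", "CreationTimestamp": "2024-01-01T00:00:00+00:00",
     "PolicyDocument": '{"Statement":[{"Effect":"Allow","Principal":"*","Action":"*","Resource":"*"}]}',
     "SubnetIds": ["subnet-0aaa", "subnet-0bbb"], "Groups": [{"GroupId": "sg-0ccc"}],
     "PrivateDnsEnabled": True, "Tags": [{"Key": "env", "Value": "prod"}]},
    {"VpcEndpointId": "vpce-0a1b2c3d4e5f60002", "VpcEndpointType": "Interface",
     "VpcId": "vpc-0123456789abcdef0", "ServiceName": "com.amazonaws.us-east-1.kms",
     "State": "available", "CreationTimestamp": "2024-02-20T00:00:00+00:00"},  # < 31 days old
    {"VpcEndpointId": "vpce-0a1b2c3d4e5f60003", "VpcEndpointType": "GatewayLoadBalancer",
     "VpcId": "vpc-0123456789abcdef0", "ServiceName": "com.amazonaws.vpce.us-east-1.vpce-svc-0abc",
     "State": "pending", "CreationTimestamp": "2023-12-01T00:00:00+00:00"}]}  # not Available
# Constructed: data-processing charges (USD) per endpoint over the past 31 days, as you
# would pull them from Cost Explorer. 0.0 means the endpoint had no data charges.
CHARGES = {"vpce-0a1b2c3d4e5f60001": 0.0, "vpce-0a1b2c3d4e5f60002": 0.0,
           "vpce-0a1b2c3d4e5f60003": 0.0}
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)  # constructed "today" for the age check

def idle_candidates(resp, charges, now, min_age_days=31):
    """IDs of endpoints meeting all three criteria: no data charges, >31 days old, Available."""
    out = []
    for ep in resp["VpcEndpoints"]:
        age = now - datetime.fromisoformat(ep["CreationTimestamp"])
        if (ep["State"] == "available" and age > timedelta(days=min_age_days)
                and charges.get(ep["VpcEndpointId"], 0.0) == 0.0):
            out.append(ep["VpcEndpointId"])
    return out

def rollback_command(ep):
    """Render the create-vpc-endpoint call that recreates `ep` from its saved parameters."""
    args = ["aws", "ec2", "create-vpc-endpoint", "--vpc-endpoint-type", ep["VpcEndpointType"],
            "--vpc-id", ep["VpcId"], "--service-name", ep["ServiceName"]]
    if ep.get("PolicyDocument"):  # reapply the saved policy rather than a fresh default
        args += ["--policy-document", ep["PolicyDocument"]]
    if ep.get("SubnetIds"):
        args += ["--subnet-ids", *ep["SubnetIds"]]
    if ep.get("Groups"):
        args += ["--security-group-ids", *(g["GroupId"] for g in ep["Groups"])]
    args.append("--private-dns-enabled" if ep.get("PrivateDnsEnabled") else "--no-private-dns-enabled")
    if ep.get("Tags"):  # CLI shorthand syntax, as in the rollback command above
        tags = ",".join(f"{{Key={t['Key']},Value={t['Value']}}}" for t in ep["Tags"])
        args += ["--tag-specifications", f"ResourceType=vpc-endpoint,Tags=[{tags}]"]
    return shlex.join(args)  # shell-quoted, ready to review or paste into a terminal
```

Running idle_candidates over a real describe-vpc-endpoints response requires real per-endpoint charge data; the sample only has endpoint 0001 meeting all three criteria.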


AWS Console

Here is a step-by-step guide using the AWS Management Console:

  1. Sign in to the AWS Management Console. Make sure you have the necessary permissions to create a VPC endpoint.
  2. Open the Amazon VPC console at
  3. In the navigation pane, choose 'Endpoints'.
  4. Choose 'Create Endpoint'.
  5. Under 'Service category', make sure that 'Find service by name' is selected. In 'Service Name', enter the service name that was given in the email: ServiceName.
  6. Under 'VPC', select the VPC ID that was given in the email: VpcId.
  7. If, in Step 5, you selected the service name for Amazon S3, and if you want to configure private DNS support, select Additional settings, Enable DNS name. When you make this selection, it also automatically selects Enable private DNS only for inbound endpoint. You can configure private DNS with an inbound Resolver endpoint only for interface endpoints for Amazon S3. If you do not have a gateway endpoint for Amazon S3 and you select Enable private DNS only for inbound endpoint, you'll receive an error when you attempt the final step in this procedure.
  8. If, in Step 5, you selected the service name for any service other than Amazon S3, Additional settings, Enable DNS name is already selected. We recommend that you keep the default.
  9. Under 'Subnets', select the subnet IDs that were given in the email: SubnetIds.
  10. Under 'Security group', select the security group ID that was given in the email: Groups[*].GroupId.
  11. Under 'Policy', select 'Custom' and paste the policy document that was provided in the email: PolicyDocument
  12. Under 'Tags', click 'Add tag' and add the Key and Value provided in the email: Tags.
  13. Choose 'Create endpoint' to finish.

Please see AWS Documentation for more details.

Can CloudFix implement the fix automatically once I accept the recommendation?



Does this fix require downtime?

No. The VPC Endpoint is not in use so it can be deleted without any service impact.


Additional Resources:


