Using a VPC endpoint can save money when it carries traffic in both directions between EC2 instances inside a VPC and AWS S3. VPC S3 endpoints are generally a bad idea if S3 is already reachable and the resources are in standard zones. There are, however, cases where private subnets use a NAT Gateway only to reach S3 and have no other path to S3; in those cases this CloudFix Fixer can replace the NAT Gateway with VPC S3 endpoints, which results in savings.
How does it work?
On the AWS accounts registered in CloudFix, CloudFix:
- Selects the accounts with at least 100 GB of NAT traffic usage.
- Scans all the VPC traffic in those accounts and filters the route tables (which the subnets use) down to those that have NAT Gateways and have neither S3 routes nor an existing S3 VPC Endpoint.
Note: where such a route is present, CloudFix also checks the application-level information to see whether there is any alternative route to S3.
Based on the above, CloudFix produces a list of VPC route tables to update.
Below are some general points to consider:
- When S3 buckets, or VPCs and EC2 instances, are outside the “us-east-1” and “us-west-1” regions, no actions related to VPC endpoints are taken; the expectation is instead that the migrations out of those regions happen first. Moving to standard regions is the broader fixer: within its scope, it reduces all data transfer costs to zero in every case where S3 is reachable from the EC2 instances.
- When an EC2 instance is in a private subnet and using a NAT Gateway to access S3, the NAT Gateway routes to S3 are not automatically replaced with VPC Endpoints.
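The route-table selection described above (NAT traffic threshold, in-scope regions, NAT Gateway route present, no existing S3 endpoint route) as an added worked example; this is not CloudFix's own code. The route-table records are constructed to mimic the shape of EC2 DescribeRouteTables output, and the prefix-list, endpoint, NAT and route-table ids in them are placeholders. An S3 gateway endpoint is recognised the way AWS represents it: a route whose destination is a managed prefix list (`DestinationPrefixListId`) and whose target is a `vpce-` id. The application-level check for an alternative S3 path is left out, since it needs data the route tables do not carry.

```python
"""Select route tables where a NAT Gateway could be replaced by an S3 gateway endpoint.

Added example, not CloudFix's own code. The route-table records below are
constructed to mimic EC2 DescribeRouteTables output; the NAT traffic figure
and the region are passed in by the caller.
"""

NAT_TRAFFIC_THRESHOLD_GB = 100                  # account threshold stated on the page
ENDPOINT_REGIONS = {"us-east-1", "us-west-1"}   # regions the page names as in scope

# Constructed sample: three route tables in one VPC. All ids are placeholders.
SAMPLE_ROUTE_TABLES = [
    {   # private subnet: default route via NAT, no S3 endpoint -> candidate
        "RouteTableId": "rtb-example0001",
        "VpcId": "vpc-example",
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example"},
        ],
    },
    {   # private subnet that already has an S3 gateway-endpoint route -> skip
        "RouteTableId": "rtb-example0002",
        "VpcId": "vpc-example",
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example"},
            {"DestinationPrefixListId": "pl-example-s3", "GatewayId": "vpce-example"},
        ],
    },
    {   # public subnet via an Internet Gateway: no NAT route -> skip
        "RouteTableId": "rtb-example0003",
        "VpcId": "vpc-example",
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"},
        ],
    },
]


def uses_nat_gateway(route_table):
    """True if any route in the table targets a NAT Gateway."""
    return any("NatGatewayId" in route for route in route_table["Routes"])


def has_s3_endpoint_route(route_table):
    """True if the table already carries a gateway-endpoint route.

    A gateway endpoint appears as a route whose destination is a managed
    prefix list and whose target is a vpce-* id rather than a CIDR block.
    """
    return any(
        "DestinationPrefixListId" in route
        and route.get("GatewayId", "").startswith("vpce-")
        for route in route_table["Routes"]
    )


def candidate_route_tables(route_tables, nat_traffic_gb, region):
    """Return the ids of route tables the fixer would update, in input order.

    Mirrors the page's filters: the account must have at least the NAT traffic
    threshold, the region must be one the page names, and the table must route
    through a NAT Gateway without an existing S3 endpoint route. Anything
    outside those regions or under the threshold yields no candidates.
    """
    if nat_traffic_gb < NAT_TRAFFIC_THRESHOLD_GB or region not in ENDPOINT_REGIONS:
        return []
    return [
        rt["RouteTableId"]
        for rt in route_tables
        if uses_nat_gateway(rt) and not has_s3_endpoint_route(rt)
    ]


if __name__ == "__main__":
    # Expected: only the first table qualifies.
    print(candidate_route_tables(SAMPLE_ROUTE_TABLES, 250, "us-east-1"))
```

Against a real account the same function can be fed the `RouteTables` list returned by boto3's `ec2.describe_route_tables()`, with the NAT traffic figure taken from billing data; the traffic and region gates come first so that no route tables are touched in the cases the page excludes.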
This Fixer is a Cost Reduction Fixer (rather than Cost Optimization).