Feature: DynamoDB VPC Endpoints


The main goal of this feature in the CloudFix product is to avoid NAT gateway data transfer costs for network traffic going through a NAT gateway to DynamoDB. In order to eliminate the NAT gateway data transfer costs, the traffic going through a NAT gateway to DynamoDB should be routed to DynamoDB VPC Gateway Endpoints instead.
In order to fix this problem, below solution steps are applicable:

  1. Collecting data: In order to keep this simple, flow logs are not collected for analyzing NAT Gateway data, whereas the list of VPCs and subnets are directly collected by CloudFix.
  2. Finding opportunities: Identify VPCs needing an endpoint or endpoints with missing route tables.
  3. Create and update endpoints: Create endpoints in VPCs without one. Add missing route tables to existing endpoints. This is basically applying the fix.

How does it work?

This is one of the Finder-Fixer (FF) pairs that is available in the product. The recommendations for the same are provided like other Finders in CloudFix.

Collecting Data:

All the available lists of VPCs and subnets are collected by CloudFix along with the total transfer cost of NAT Gateways associated with that subnet. It is assumed that 1% of that goes to the DynamoDB endpoints.

Finding the Opportunities:

  1. The Finder finds all the VPCs without a DynamoDB endpoint and outputs all the endpoints with missing route tables.
  2. If there’s a new endpoint that needs to be created, then the Finder will consider all the route tables in the VPC. But, the missing route tables will be considered only when updating an existing endpoint.
  3. The primary source of information for this Finder is the existing data that is available in Cost Graph from AWS Config.

Fixing the Identified Opportunities:

  1. For every create opportunity, this CloudFix Fixer calls the ec2:create_vpc_endpoint API and then uses the ec2:modify_vpc_endpoint to attach all route tables to the endpoint.
  2. For an update opportunity, it uses the ec2:modify_vpc_endpoint API to attach the given route table to the endpoint.

These would ensure that the DynamoDB traffic is always routed via VPC endpoints.

Note that existing routes in your environments are not changed or removed. The most specific routes take precedence in a route table. It is very unlikely that any route table will have routes specifically for DynamoDB IPs or CIDR blocks, but in case there are such configurations we make a simplification decision to not create an algorithm to analyze and remove them.



Please sign in to leave a comment.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request