NAT Gateway + Internet gateway vs VPC Endpoints. When to use?
When you create a VPC in AWS, resources in its private subnets will still need to reach other AWS services (S3, DynamoDB, SNS, SQS, ...) or third parties outside AWS. AWS gives you two options: route the traffic through a NAT Gateway and an Internet Gateway, or route it through VPC Endpoints. Each has its own benefits. This post explains both and their use cases, drawing on my working experience, so you can get the best balance of performance, security and cost.
Note: Pricing in this article is for the us-east-1 (N. Virginia) region. Other regions differ, but the price ratio between the services is roughly the same.
1. What are NAT Gateway and Internet Gateway?
- NAT Gateway is a managed Network Address Translation service. Instances in a private subnet reach services outside the VPC by having their route table send traffic to the NAT Gateway; the NAT Gateway itself lives in a public subnet whose route table points at the Internet Gateway. Connections are outbound only: external hosts cannot initiate a connection to those instances.
- Internet Gateway is a horizontally scaled, redundant and highly available VPC component that allows communication between your VPC and the internet. It supports IPv4 and IPv6 traffic and imposes no availability risk or bandwidth constraint on your network traffic.
Pricing: a NAT Gateway costs $0.045 per hour (about $33.48 for a 744-hour month) for each NAT Gateway you create, plus $0.045 per GB of data it processes. On top of that, a Data Transfer Out charge applies to bytes sent from the VPC to non-AWS internet destinations. The Internet Gateway itself is free of charge; only the data transfer out through it is billed.
2. What are VPC Endpoints?
VPC endpoints are virtual devices inside your VPC that let resources in the VPC communicate with endpoint services over the AWS internal network using private IP addresses. Endpoint services include AWS services, AWS Partner services and services hosted in other AWS accounts. As the image below shows, AWS creates an internal network path from the VPC endpoint to the endpoint service; traffic is routed privately and never leaves the AWS network, which removes the exposure and bandwidth constraints of the public internet.
VPC endpoints include 3 types:
- Interface
- Gateway
- Gateway Load Balancer
a. Interface endpoint (Fee: $7.44 per month per AZ + ≤ $0.01 per GB)
- Supports most AWS services; S3 and DynamoDB are the two services that are usually reached through a Gateway endpoint instead (see below)
- Lives in a subnet, and therefore in a single Availability Zone (for HA, add a subnet in each AZ so the endpoint gets a network interface per AZ; each AZ is billed the hourly fee)
- Does not use route tables; traffic reaches it because DNS resolves the service name to the endpoint's private IP
- Has its own set of DNS names: a regional name and one per AZ. With private DNS enabled, the service's normal public hostname also resolves to the endpoint's private IPs inside the VPC, so SDK clients need no configuration change
- Is an elastic network interface (ENI) with a security group attached; tighten that security group to restrict which sources can reach the endpoint
b. Gateway endpoint (Fee: free)
- Only supports S3 and DynamoDB
- Does not use PrivateLink
- Lives at the VPC level, not in a subnet, and is highly available by design
- Associated with route tables: associating a route table adds a route whose destination is the service's managed prefix list and whose target is the endpoint, so traffic for the service is steered to it automatically
- Access can be restricted with an endpoint policy attached to the endpoint, and from the service side with IAM or resource policies (for example a bucket policy) that use the aws:SourceVpce or aws:SourceVpc condition keys
c. Gateway Load Balancer endpoint (Fee: $7.44 per month per AZ + $0.0035 per GB)
- Sends traffic to a fleet of virtual appliances (firewalls, IDS/IPS and the like) using private IP addresses.
- Associated with a route table: you add routes (for example 0.0.0.0/0 or a subnet CIDR) whose target is the endpoint, so the traffic you want inspected is steered through the appliances
- Distributes traffic across the appliances and scales with demand.
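The Terraform configuration below is an added example, not code from the original post, showing the two endpoint types the post recommends for AWS-only traffic: a free Gateway endpoint for S3 with a least-privilege endpoint policy and a route table association, and an Interface endpoint for SQS locked down by a security group with private DNS enabled. It assumes an existing VPC `aws_vpc.main`, two private subnets `aws_subnet.private_a` and `aws_subnet.private_b` in different AZs, a private route table `aws_route_table.private`, an application-tier security group `aws_security_group.app`, and a bucket named `example-app-data`; all of these names are assumptions.

```hcl
# Added example (not from the original post). Assumes aws_vpc.main,
# aws_subnet.private_a/private_b, aws_route_table.private,
# aws_security_group.app and the bucket name are defined elsewhere.

# --- Gateway endpoint (free): S3 reachable from the private route table ---
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = aws_vpc.main.id
  service_name      = "com.amazonaws.us-east-1.s3"
  vpc_endpoint_type = "Gateway"

  # Associating the route table adds a route: destination = the S3
  # managed prefix list, target = this endpoint. No NAT hop, no per-GB fee.
  route_table_ids = [aws_route_table.private.id]

  # Endpoint policy: only the named bucket is reachable through this
  # endpoint, so a compromised instance cannot push data to an
  # attacker-controlled bucket over the same private path.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "AllowOnlyOurBucket"
      Effect    = "Allow"
      Principal = "*"
      Action    = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
      Resource = [
        "arn:aws:s3:::example-app-data",   # assumed bucket name
        "arn:aws:s3:::example-app-data/*",
      ]
    }]
  })
}

# --- Interface endpoint ($/hour per AZ + $/GB): SQS via private ENIs ---
resource "aws_security_group" "vpce_sqs" {
  name   = "vpce-sqs"
  vpc_id = aws_vpc.main.id

  # Only the application tier may talk to the endpoint, and only on HTTPS.
  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [aws_security_group.app.id] # assumed app-tier SG
  }
}

resource "aws_vpc_endpoint" "sqs" {
  vpc_id            = aws_vpc.main.id
  service_name      = "com.amazonaws.us-east-1.sqs"
  vpc_endpoint_type = "Interface"

  # One subnet per AZ gives the endpoint an ENI in each AZ for HA;
  # each AZ is billed the hourly fee.
  subnet_ids         = [aws_subnet.private_a.id, aws_subnet.private_b.id]
  security_group_ids = [aws_security_group.vpce_sqs.id]

  # With private DNS, sqs.us-east-1.amazonaws.com resolves inside the VPC
  # to the endpoint's private IPs, so SDK clients need no change.
  private_dns_enabled = true
}
```

To close the loop on the S3 side, add a bucket policy on `example-app-data` that denies access unless `aws:SourceVpce` equals this endpoint's ID; the endpoint policy controls what the VPC can reach, and the bucket policy controls where the bucket can be reached from.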
3. When to use them?
If your resources only talk to services inside AWS, use VPC Endpoints. Keeping the traffic on the AWS network is faster and more secure, and an endpoint policy lets you restrict what is reachable at all (for example which S3 buckets). A private subnet that has endpoints but no route to a NAT Gateway cannot reach the internet at all, which is the stronger posture against data exfiltration and command-and-control callbacks from a compromised instance. If your resources must reach third parties outside AWS, NAT Gateway + Internet Gateway is the solution. If the third party can be reached privately, as a PrivateLink endpoint service or over a VPC Peering connection, prefer that; it keeps the traffic off the internet and saves cost, for the reason below.
VPC Endpoints charge ≤ $0.01 per GB plus $7.44 per month per AZ for each Interface endpoint or Gateway Load Balancer endpoint you create. That is far cheaper than the $0.045 per GB processed and $33.48 per month for each NAT Gateway. One more plus: Gateway endpoints are free, a big cost saving you should not ignore. S3 and DynamoDB traffic that goes through a NAT Gateway still pays the NAT per-GB charge, so adding the free Gateway endpoints to a NAT-based VPC is a pure win.
One last note for a project in the development stage with low traffic, where cost efficiency is your customer's top priority: do the math on creating one Interface endpoint per service you use versus a single NAT Gateway, and choose whichever is cheaper. With the prices above, five Interface endpoints in two AZs cost 5 × 2 × $7.44 = $74.40 per month before any traffic, while one single-AZ NAT Gateway costs $33.48 plus $0.045 per GB; the NAT Gateway stays cheaper until monthly traffic reaches roughly (74.40 − 33.48) / (0.045 − 0.01) ≈ 1,170 GB, after which the endpoints win.
This is my first article in AWS series that I'm going to share. Hope you enjoy it! 🤟