Missing VPC Endpoints for High-Volume AWS Service Access
Trig Ghosh
CER: CER-0118
Service Category: Networking
Cloud Provider: AWS
Service Name: AWS VPC
Inefficiency Type: Inefficient Network Configuration
Explanation

When EC2 instances, Lambda functions, or containerized workloads access AWS-managed services without VPC Endpoints, that traffic exits the VPC through a NAT Gateway or Internet Gateway. This introduces unnecessary egress charges and NAT processing costs, especially for data-intensive or high-frequency workloads.

Relevant Billing Model
Detection
  • Review VPC architecture for services that communicate with S3, DynamoDB, Secrets Manager, or other AWS-managed APIs
  • Check whether Gateway Endpoints for S3 and DynamoDB exist and are attached to relevant route tables
  • Identify missing Interface Endpoints for high-traffic services like Secrets Manager, SSM, or KMS
  • Analyze NAT Gateway metrics (bytes processed per destination service) to quantify potential endpoint-eligible traffic
  • Correlate NAT Gateway charges with known service access patterns to surface reroutable costs
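The detection steps above can be scripted against the JSON that the AWS CLI returns. The following is an added example (not code from the page or from AWS): it runs three of the checks over constructed input shaped like `aws ec2 describe-vpc-endpoints`, `aws ec2 describe-route-tables`, the public ip-ranges.json file and VPC Flow Log records. The region, the set of "high-traffic" Interface Endpoint services, all resource IDs and all CIDRs are assumptions made up for the sample; no AWS call is made.

```python
"""Detection helpers for missing VPC Endpoints (added example, not the page's
own code). Inputs are constructed dicts shaped like AWS CLI JSON output."""
import ipaddress
from collections import defaultdict

REGION = "us-east-1"                                   # assumed region
GATEWAY_SERVICES = {"s3", "dynamodb"}                  # services with Gateway Endpoints
WANTED_INTERFACE = {"secretsmanager", "ssm", "kms", "logs"}  # assumed high-traffic set

# Constructed sample: vpc-aaa has an S3 Gateway Endpoint on only one of its two
# route tables plus a Secrets Manager Interface Endpoint; vpc-bbb has nothing.
VPC_ENDPOINTS = [
    {"VpcEndpointId": "vpce-0001", "VpcId": "vpc-aaa", "VpcEndpointType": "Gateway",
     "ServiceName": f"com.amazonaws.{REGION}.s3", "RouteTableIds": ["rtb-a1"]},
    {"VpcEndpointId": "vpce-0002", "VpcId": "vpc-aaa", "VpcEndpointType": "Interface",
     "ServiceName": f"com.amazonaws.{REGION}.secretsmanager", "RouteTableIds": []},
]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-a1", "VpcId": "vpc-aaa"},
    {"RouteTableId": "rtb-a2", "VpcId": "vpc-aaa"},
    {"RouteTableId": "rtb-b1", "VpcId": "vpc-bbb"},
]
# Constructed prefixes in the ip-ranges.json shape (documentation CIDRs, not AWS's).
IP_RANGES = {"prefixes": [
    {"ip_prefix": "203.0.113.0/24", "region": REGION, "service": "S3"},
    {"ip_prefix": "198.51.100.0/24", "region": REGION, "service": "DYNAMODB"},
]}
# Constructed VPC Flow Log records for traffic that left through the NAT Gateway.
FLOW_RECORDS = [
    {"dstaddr": "203.0.113.10", "bytes": 5_000_000},
    {"dstaddr": "203.0.113.99", "bytes": 3_000_000},
    {"dstaddr": "198.51.100.7", "bytes": 1_000_000},
    {"dstaddr": "192.0.2.1", "bytes": 2_000_000},   # not an AWS service prefix
]


def short_service(service_name):
    """'com.amazonaws.us-east-1.s3' -> 's3'."""
    return service_name.rsplit(".", 1)[-1]


def gateway_gaps(endpoints, route_tables):
    """Return {vpc_id: {service: set(route tables with no endpoint route)}}.
    A Gateway Endpoint only helps subnets whose route table it is attached to."""
    rtbs_by_vpc = defaultdict(set)
    for rtb in route_tables:
        rtbs_by_vpc[rtb["VpcId"]].add(rtb["RouteTableId"])
    covered = defaultdict(lambda: defaultdict(set))
    for ep in endpoints:
        if ep["VpcEndpointType"] == "Gateway":
            covered[ep["VpcId"]][short_service(ep["ServiceName"])].update(ep["RouteTableIds"])
    gaps = {}
    for vpc, rtbs in rtbs_by_vpc.items():
        missing = {svc: rtbs - covered[vpc][svc] for svc in GATEWAY_SERVICES}
        missing = {svc: r for svc, r in missing.items() if r}
        if missing:
            gaps[vpc] = missing
    return gaps


def interface_gaps(endpoints, route_tables, wanted=WANTED_INTERFACE):
    """Return {vpc_id: set(wanted services with no Interface Endpoint)}."""
    present = defaultdict(set)
    for ep in endpoints:
        if ep["VpcEndpointType"] == "Interface":
            present[ep["VpcId"]].add(short_service(ep["ServiceName"]))
    vpcs = {rtb["VpcId"] for rtb in route_tables}
    return {vpc: wanted - present[vpc] for vpc in vpcs if wanted - present[vpc]}


def nat_bytes_by_service(flow_records, ip_ranges, region=REGION):
    """Attribute NAT-egress bytes to AWS services by matching the destination
    address against the published service prefixes; unmatched traffic is 'other'."""
    nets = [(ipaddress.ip_network(p["ip_prefix"]), p["service"])
            for p in ip_ranges["prefixes"] if p["region"] == region]
    totals = defaultdict(int)
    for rec in flow_records:
        dst = ipaddress.ip_address(rec["dstaddr"])
        service = next((svc for net, svc in nets if dst in net), "other")
        totals[service] += rec["bytes"]
    return dict(totals)


if __name__ == "__main__":
    print("gateway gaps:", gateway_gaps(VPC_ENDPOINTS, ROUTE_TABLES))
    print("interface gaps:", interface_gaps(VPC_ENDPOINTS, ROUTE_TABLES))
    print("NAT bytes by service:", nat_bytes_by_service(FLOW_RECORDS, IP_RANGES))
```

Against live data, feed `gateway_gaps` the `VpcEndpoints` and `RouteTables` arrays from the two CLI calls, and feed `nat_bytes_by_service` flow-log rows filtered to the NAT Gateway's ENI; the per-service byte totals are the "endpoint-eligible traffic" figure the last two detection bullets ask for.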
Remediation
  • Provision Gateway Endpoints for S3 and DynamoDB in each VPC that accesses those services
  • Create Interface Endpoints (via AWS PrivateLink) for services with frequent or latency-sensitive access (e.g., Secrets Manager, CloudWatch Logs)
  • Ensure routing tables and DNS settings support private resolution to AWS services
  • Embed VPC endpoint provisioning into infrastructure-as-code templates to ensure consistency across accounts and regions
  • Monitor NAT Gateway data transfer volume over time to verify cost reduction after endpoint rollout
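The remediation steps above (Gateway Endpoints for S3 and DynamoDB, Interface Endpoints with private DNS, provisioning through infrastructure-as-code) can be captured in one generated template. The following is an added example, not the page's or AWS's own code: it builds a CloudFormation template from `AWS::EC2::VPCEndpoint` resources and attaches an endpoint policy to each Gateway Endpoint that limits it to named buckets and tables, which keeps the endpoint from becoming a path to arbitrary S3 or DynamoDB resources in other accounts. The region, VPC, subnet, security group and route table IDs, and the ARNs are placeholders.

```python
"""Generate a CloudFormation template for VPC Endpoints (added example, not the
page's own code). All IDs and ARNs are placeholders supplied by the caller."""
import json
import re

REGION = "us-east-1"  # assumed


def gateway_endpoint(vpc_id, service, route_table_ids, actions, allowed_resources):
    """Gateway Endpoint attached to every given route table, with an endpoint
    policy that only permits the listed actions on the listed ARNs."""
    return {
        "Type": "AWS::EC2::VPCEndpoint",
        "Properties": {
            "VpcId": vpc_id,
            "VpcEndpointType": "Gateway",
            "ServiceName": f"com.amazonaws.{REGION}.{service}",
            "RouteTableIds": list(route_table_ids),
            "PolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [{
                    "Effect": "Allow",
                    "Principal": "*",
                    "Action": list(actions),
                    "Resource": list(allowed_resources),
                }],
            },
        },
    }


def interface_endpoint(vpc_id, service, subnet_ids, security_group_ids):
    """Interface (PrivateLink) Endpoint with private DNS, so the service's normal
    hostname resolves to the endpoint ENIs and no client config change is needed.
    PrivateDnsEnabled requires the VPC's DNS support and DNS hostnames attributes."""
    return {
        "Type": "AWS::EC2::VPCEndpoint",
        "Properties": {
            "VpcId": vpc_id,
            "VpcEndpointType": "Interface",
            "ServiceName": f"com.amazonaws.{REGION}.{service}",
            "SubnetIds": list(subnet_ids),
            "SecurityGroupIds": list(security_group_ids),
            "PrivateDnsEnabled": True,
        },
    }


def logical_id(service, kind):
    """CloudFormation logical IDs must be alphanumeric: 'logs' -> 'LogsInterfaceEndpoint'."""
    return re.sub(r"[^A-Za-z0-9]", "", service.capitalize()) + kind + "Endpoint"


def build_template(vpc_id, route_table_ids, subnet_ids, security_group_ids,
                   bucket_arns, table_arns, interface_services=("secretsmanager", "logs")):
    """Assemble Gateway Endpoints for S3 and DynamoDB plus Interface Endpoints
    for the requested services into a single template dict."""
    resources = {
        logical_id("s3", "Gateway"): gateway_endpoint(
            vpc_id, "s3", route_table_ids,
            ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            list(bucket_arns) + [f"{arn}/*" for arn in bucket_arns]),
        logical_id("dynamodb", "Gateway"): gateway_endpoint(
            vpc_id, "dynamodb", route_table_ids,
            ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
            table_arns),
    }
    for svc in interface_services:
        resources[logical_id(svc, "Interface")] = interface_endpoint(
            vpc_id, svc, subnet_ids, security_group_ids)
    return {"AWSTemplateFormatVersion": "2010-09-09",
            "Description": "VPC Endpoints to keep AWS service traffic off the NAT Gateway",
            "Resources": resources}


if __name__ == "__main__":
    # Placeholder identifiers; replace with values from the target account.
    template = build_template(
        vpc_id="vpc-PLACEHOLDER",
        route_table_ids=["rtb-PLACEHOLDER1", "rtb-PLACEHOLDER2"],
        subnet_ids=["subnet-PLACEHOLDER1", "subnet-PLACEHOLDER2"],
        security_group_ids=["sg-PLACEHOLDER"],
        bucket_arns=["arn:aws:s3:::example-bucket"],
        table_arns=["arn:aws:dynamodb:us-east-1:111122223333:table/example-table"],
    )
    print(json.dumps(template, indent=2))
```

The security group referenced by the Interface Endpoints must allow inbound TCP 443 from the workload subnets, and the endpoint policy lists should be generated from the same inventory that drives the rest of the IaC so that a new bucket or table added elsewhere in the stack is reflected here rather than widened to `*`.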