Reference
To keep traffic to these internet-facing AWS services off the internet gateway and NAT gateway, create the corresponding VPC endpoints so that the traffic stays on the AWS internal network (AWS PrivateLink):
- Gateway VPC Endpoint for S3 (com.amazonaws.*region*.s3)
- Interface VPC Endpoint for CloudWatch Logs (com.amazonaws.*region*.logs)
- Interface VPC Endpoint for ECR Docker (com.amazonaws.*region*.ecr.dkr)
- Interface VPC Endpoint for ECR API (com.amazonaws.*region*.ecr.api)
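The four endpoints above differ in how they are attached: a gateway endpoint is added as a prefix-list route to route tables, while an interface endpoint is an ENI placed in subnets behind a security group, usually with private DNS enabled so clients keep using the public service hostnames. The following script is an added example (not code from the original page) that builds the `create_vpc_endpoint` request for each service from the service suffixes listed above and submits them with boto3. The VPC, route table, subnet and security group ids in the `__main__` section are placeholders; the request-building function itself makes no AWS call, so it can be inspected offline.

```python
"""Create the S3, CloudWatch Logs and ECR VPC endpoints for one VPC.

Added example, not from the original page. Assumes boto3 is installed and,
when run for real, AWS credentials plus a VPC whose ids are passed in.
"""
from typing import Any, Dict, Iterable, List, Sequence

# Service suffixes from the page; the full name is com.amazonaws.<region>.<suffix>.
GATEWAY_SERVICES = {"s3"}
INTERFACE_SERVICES = {"logs", "ecr.dkr", "ecr.api"}
DEFAULT_SERVICES = ("s3", "logs", "ecr.dkr", "ecr.api")


def service_name(region: str, suffix: str) -> str:
    """Full PrivateLink service name for a region and one of the suffixes above."""
    return f"com.amazonaws.{region}.{suffix}"


def endpoint_request(region: str, suffix: str, vpc_id: str,
                     route_table_ids: Sequence[str] = (),
                     subnet_ids: Sequence[str] = (),
                     security_group_ids: Sequence[str] = ()) -> Dict[str, Any]:
    """Return the keyword arguments for ec2.create_vpc_endpoint for one service.

    Gateway endpoints (S3) attach to route tables; interface endpoints (Logs, ECR)
    need subnets and a security group that allows inbound TCP 443 from the VPC CIDR.
    """
    req: Dict[str, Any] = {"VpcId": vpc_id, "ServiceName": service_name(region, suffix)}
    if suffix in GATEWAY_SERVICES:
        if not route_table_ids:
            raise ValueError("a gateway endpoint needs route tables to receive the prefix-list route")
        req["VpcEndpointType"] = "Gateway"
        req["RouteTableIds"] = list(route_table_ids)
    elif suffix in INTERFACE_SERVICES:
        if not subnet_ids or not security_group_ids:
            raise ValueError("an interface endpoint needs subnets and a security group")
        req["VpcEndpointType"] = "Interface"
        req["SubnetIds"] = list(subnet_ids)
        req["SecurityGroupIds"] = list(security_group_ids)
        # Private DNS makes logs.<region>.amazonaws.com and the ECR hostnames resolve
        # to the endpoint ENIs, so the SDKs and the Docker daemon need no configuration.
        req["PrivateDnsEnabled"] = True
    else:
        raise ValueError(f"unknown service suffix {suffix!r}")
    return req


def create_endpoints(ec2: Any, region: str, vpc_id: str,
                     route_table_ids: Sequence[str], subnet_ids: Sequence[str],
                     security_group_ids: Sequence[str],
                     suffixes: Iterable[str] = DEFAULT_SERVICES) -> List[str]:
    """Submit one create_vpc_endpoint call per service and return the endpoint ids.

    ECR stores image layers in S3, so the S3 gateway endpoint is created alongside
    the two ECR interface endpoints; without it image pulls fall back to the NAT path.
    """
    ids = []
    for suffix in suffixes:
        req = endpoint_request(region, suffix, vpc_id, route_table_ids,
                               subnet_ids, security_group_ids)
        resp = ec2.create_vpc_endpoint(**req)
        ids.append(resp["VpcEndpoint"]["VpcEndpointId"])
    return ids


if __name__ == "__main__":
    import boto3  # only needed for a real run

    REGION = "eu-west-1"  # placeholder values below, replace with your own ids
    client = boto3.client("ec2", region_name=REGION)
    print(create_endpoints(client, REGION, "vpc-PLACEHOLDER",
                           route_table_ids=["rtb-PLACEHOLDER"],
                           subnet_ids=["subnet-PLACEHOLDER-a", "subnet-PLACEHOLDER-b"],
                           security_group_ids=["sg-PLACEHOLDER"]))
```

After creation, a gateway endpoint shows up as a route to the S3 prefix list in the chosen route tables, and the interface endpoints show up as ENIs in the chosen subnets; if private DNS is enabled, resolving the service hostname from inside the VPC returns the ENIs' private addresses, which is the quickest check that traffic is no longer leaving through the NAT gateway.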
The Interface VPC Endpoints for CloudWatch Logs and ECR (Docker and API) may not be necessary: the fixed cost of keeping a VPC endpoint running may outweigh the cost of sending that traffic through the internet gateway and NAT gateway.
The Gateway VPC Endpoint for S3 is free of charge.
A single Interface VPC Endpoint costs a fixed $9.36/month to run, before any additional charge for the data it processes.
Example scenario: 1 GB of logs uploaded to CloudWatch every month through the NAT gateway
- NAT Gateway data processing charge = 1 GB * $0.059 = $0.059/month
- Data transfer charge = $0 (no charge for the transfer from the EC2 instance to S3/CloudWatch, as it is data transfer out from Amazon EC2 to S3/CloudWatch in the same region)
- If there is cross-AZ traffic: 1 GB * $0.01 = $0.01/month
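The scenario above covers one volume; what a practitioner usually wants is the volume at which the interface endpoint starts paying for itself. The script below is an added example (not from the original page) that generalizes the calculation: it uses the page's figures for NAT processing ($0.059/GB), the endpoint's fixed $9.36/month and cross-AZ transfer ($0.01/GB), and assumes a per-GB processing rate of $0.01/GB for the interface endpoint itself, which the page does not state and which is a parameter here.

```python
"""NAT gateway vs. interface VPC endpoint: monthly cost and break-even volume.

Added example, not from the original page. NAT_PER_GB, ENDPOINT_FIXED_MONTHLY and
CROSS_AZ_PER_GB come from the page; ENDPOINT_PER_GB is an assumed PrivateLink
data-processing rate and should be checked against the current price list.
"""
from dataclasses import dataclass

NAT_PER_GB = 0.059              # NAT gateway data processing, from the page
ENDPOINT_FIXED_MONTHLY = 9.36   # one interface endpoint, from the page
ENDPOINT_PER_GB = 0.01          # assumed interface endpoint processing rate
CROSS_AZ_PER_GB = 0.01          # cross-AZ data transfer, from the page


@dataclass
class Estimate:
    gb_per_month: float
    nat_cost: float
    endpoint_cost: float

    @property
    def cheaper(self) -> str:
        return "nat" if self.nat_cost <= self.endpoint_cost else "endpoint"


def monthly_costs(gb_per_month: float, cross_az: bool = False) -> Estimate:
    """Cost of one service's traffic for a month on each path.

    NAT path: processing charge only, since the page assumes the NAT gateway already
    exists for other traffic. Endpoint path: fixed charge plus per-GB processing.
    In-region data transfer is free on both paths; a cross-AZ hop (to a NAT gateway
    or to an endpoint ENI in another AZ) adds CROSS_AZ_PER_GB to both.
    """
    cross = CROSS_AZ_PER_GB * gb_per_month if cross_az else 0.0
    nat = gb_per_month * NAT_PER_GB + cross
    endpoint = ENDPOINT_FIXED_MONTHLY + gb_per_month * ENDPOINT_PER_GB + cross
    return Estimate(gb_per_month, nat, endpoint)


def break_even_gb(nat_per_gb: float = NAT_PER_GB,
                  fixed: float = ENDPOINT_FIXED_MONTHLY,
                  endpoint_per_gb: float = ENDPOINT_PER_GB) -> float:
    """Monthly volume above which the interface endpoint is cheaper (inf if never).

    Each GB saves (nat_per_gb - endpoint_per_gb); the endpoint pays off once those
    savings cover its fixed monthly charge. Cross-AZ cost cancels out.
    """
    margin = nat_per_gb - endpoint_per_gb
    if margin <= 0:
        return float("inf")
    return fixed / margin


if __name__ == "__main__":
    for gb in (1, 10, 100, 500):
        e = monthly_costs(gb)
        print(f"{gb:>4} GB/month: NAT ${e.nat_cost:.2f}  endpoint ${e.endpoint_cost:.2f}  -> {e.cheaper}")
    print(f"break-even at about {break_even_gb():.0f} GB/month")
```

With the page's figures the endpoint only wins above roughly 190 GB/month per service, which is why the note above treats the CloudWatch Logs and ECR interface endpoints as optional for low-volume workloads; the calculation is per endpoint, so the three interface endpoints need three times that saving between them.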