Comment by dmart 5 days ago

5 replies

VPC endpoints in general should be free and enabled by default. That you need to pay extra to reach AWS' own API endpoints from your VPC feels egregious.

otterley 5 days ago

Gateway endpoints are free. Network endpoints (which are basically AWS-managed ENIs that can tunnel through VPC boundaries) are not free.

S3 can use either, and we recommend establishing VPC Gateway endpoints by default whenever you need S3 access.

(Disclaimer: I work for AWS, opinions are my own.)

  • Hikikomori 5 days ago

    Why don't you have gateway endpoints for all your APIs?

    • donavanm 4 days ago

      The original private endpoints implementation required meaningful work from the service teams (ec2 networking, s3, & ddb). It also changed how the "front end" API servers handled requests and how their infrastructure was deployed (at the time?). The newer LB/ENI style privatelink abstracts away _most_ of that "per service" implementation effort at the cost of more per-request/connection work from the virtual network. Hence why there's more support from other services, and it includes a cost.
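To make the gateway-vs-interface distinction from the thread concrete, here is an added Terraform example (not code from the thread, from AWS, or from any commenter) that declares a free S3 Gateway endpoint attached to route tables, and next to it a billed Interface (PrivateLink) endpoint for a service that has no gateway option. The VPC, route table, subnet and bucket identifiers are placeholders, and the region is assumed to be us-east-1; the endpoint policy and security group are assumptions about what a sensible default looks like, not anything the thread prescribes.

```hcl
# Added example, not from the thread. Placeholders must be replaced with real IDs.
variable "vpc_id"          { default = "vpc-PLACEHOLDER" }
variable "route_table_ids" { default = ["rtb-PLACEHOLDER"] }
variable "subnet_ids"      { default = ["subnet-PLACEHOLDER"] }
variable "bucket_name"     { default = "example-bucket-PLACEHOLDER" }

data "aws_vpc" "this" {
  id = var.vpc_id
}

# Gateway endpoint: no hourly or per-GB charge. It works by injecting a
# prefix-list route into the selected route tables, so there is no ENI,
# no security group and no DNS change involved. This is the default
# otterley recommends whenever the VPC needs S3.
resource "aws_vpc_endpoint" "s3_gateway" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.us-east-1.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = var.route_table_ids

  # Endpoint policy (assumed, not from the thread): restrict the endpoint
  # to one bucket so a compromised instance cannot use the private path
  # to push data to an arbitrary S3 bucket.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "OnlyOurBucket"
      Effect    = "Allow"
      Principal = "*"
      Action    = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
      Resource = [
        "arn:aws:s3:::${var.bucket_name}",
        "arn:aws:s3:::${var.bucket_name}/*",
      ]
    }]
  })
}

# Security group for the interface endpoint's ENIs: only HTTPS from inside
# the VPC. Interface endpoints need this; gateway endpoints do not.
resource "aws_security_group" "endpoint_https" {
  name   = "vpce-https"
  vpc_id = var.vpc_id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [data.aws_vpc.this.cidr_block]
  }
}

# Interface (PrivateLink) endpoint: billed per hour per AZ and per GB.
# It is the "LB/ENI style" donavanm describes: one ENI per subnet, and
# with private_dns_enabled the service's public hostname resolves to
# those ENIs from inside the VPC. SSM is used here because it has no
# gateway option, so this is the only private path to it.
resource "aws_vpc_endpoint" "ssm_interface" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.us-east-1.ssm"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.subnet_ids
  security_group_ids  = [aws_security_group.endpoint_https.id]
  private_dns_enabled = true
}
```

After `terraform apply`, `aws ec2 describe-vpc-endpoints` lists both endpoints with their `VpcEndpointType`; the gateway one shows up in the route tables as a route to a prefix list, and only the interface one carries a `NetworkInterfaceIds` list and a security group, which is exactly where the cost comes from.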