Comment by kbolino 5 days ago

The problem is that VPC endpoints aren't free.

They should be, of course, at least when the destination is an AWS service in the same region.

[edit: I'm speaking about interface endpoints, but S3 and DynamoDB can use gateway endpoints, which are free to the same region]

otterley 5 days ago

Gateway endpoints are free. Network endpoints (which are basically AWS-managed ENIs that can tunnel through VPC boundaries) are not free.

S3 can use either, and we recommend establishing VPC Gateway endpoints by default whenever you need S3 access.

(Disclaimer: I work for AWS, opinions are my own.)

  • JoshTriplett 5 days ago

    That's fascinating! I hadn't found that in the documentation; everything seems to steer people towards PrivateLink, not gateway endpoints.

    Would you recommend using VPC Gateway even on a public VPC that has an Internet gateway (note: not a NAT gateway)? Or only on a private VPC or one with a NAT gateway?

    • otterley 5 days ago

      I recommend S3 Gateways for all VPCs that need to access S3, even those that already have routes to the Internet. Plus they eliminate the need for NAT Gateway traversal for requests that originate from private subnets.

      • JoshTriplett 5 days ago

        > I recommend S3 Gateways for all VPCs that need to access S3, even those that already have routes to the Internet.

        Fascinating. What's the advantage of doing that?

    • paulddraper 5 days ago

      > everything seems to steer people towards PrivateLink, not gateway endpoints

      Gateway endpoints only work for some things.

    • Hikikomori 5 days ago

      PrivateLink endpoints can be of type gateway or interface. Only gateway is free, and only S3 and DynamoDB support it.

  • kbolino 5 days ago

    Fair point, and valid for S3 (the topic at hand) and DynamoDB.

    Other AWS services, though, don't support gateway endpoints.

    • mdaniel 5 days ago

      https://docs.aws.amazon.com/AmazonECR/latest/userguide/vpc-e...

      ~~I get the impression there are several others, too, but that one is of especial interest to me~~ Wowzers, they really are much better now:

        aws --region us-east-1 ec2 describe-vpc-endpoint-services | jq '.ServiceNames|length'
        459
      
      If you're saying "other services should offer VPC Endpoints," I am 100% on board. One should never have to traverse the Internet to contact any AWS control plane.
paulddraper 5 days ago

Well yeah, that's the point... why route through the public internet?

  • kbolino 5 days ago

    I doubt the traffic ever actually leaves AWS. Assuming it does make it all the way out to their edge routers, the destination ASN will still be one of their own. Not that the pricing will reflect this, of course.

    The other problem with (interface) VPC endpoints is that they eat up IP addresses. Every service/region permutation needs a separate IP address drawn from your subnets. Immaterial if you're using IPv6, but can be quite limiting if you're using IPv4.

    • immibis 5 days ago

      Sounds like a good reason to use IPv6.

      • kbolino 5 days ago

        There were still a couple of services/features that choked on IPv6 last time I looked (1.5-2 years ago) but it works with most things and they do seem to be making progress on the others.
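An added example (not from any commenter on this thread) that works through two points raised above: which of the services listed by `aws ec2 describe-vpc-endpoint-services` can use a free gateway endpoint, and how many IPv4 addresses the remaining interface endpoints would take out of your subnets. It runs offline on a constructed JSON sample in the shape of the real `ServiceDetails` output (only the fields used here); the service names, availability zones and the subnet-to-AZ map are assumptions for the illustration, not a capture from an account.

```python
"""Gateway-vs-interface endpoint planning for a VPC.

Added example, not AWS's code. SAMPLE_RESPONSE is a constructed, trimmed
stand-in for `aws ec2 describe-vpc-endpoint-services --output json`
(real output is paginated via NextToken and has many more fields).
"""
import json

# Constructed sample in the shape of the real ServiceDetails entries.
SAMPLE_RESPONSE = json.dumps({
    "ServiceDetails": [
        {"ServiceName": "com.amazonaws.us-east-1.s3",
         "ServiceType": [{"ServiceType": "Interface"}, {"ServiceType": "Gateway"}],
         "AvailabilityZones": ["us-east-1a", "us-east-1b", "us-east-1c"]},
        {"ServiceName": "com.amazonaws.us-east-1.dynamodb",
         "ServiceType": [{"ServiceType": "Gateway"}],
         "AvailabilityZones": ["us-east-1a", "us-east-1b", "us-east-1c"]},
        {"ServiceName": "com.amazonaws.us-east-1.ecr.api",
         "ServiceType": [{"ServiceType": "Interface"}],
         "AvailabilityZones": ["us-east-1a", "us-east-1b"]},  # assumed: no 1c
        {"ServiceName": "com.amazonaws.us-east-1.ecr.dkr",
         "ServiceType": [{"ServiceType": "Interface"}],
         "AvailabilityZones": ["us-east-1a", "us-east-1b", "us-east-1c"]},
        {"ServiceName": "com.amazonaws.us-east-1.sts",
         "ServiceType": [{"ServiceType": "Interface"}],
         "AvailabilityZones": ["us-east-1a", "us-east-1b", "us-east-1c"]},
    ]
})


def service_types(raw_json):
    """Map ServiceName -> set of endpoint types ('Gateway', 'Interface')."""
    details = json.loads(raw_json)["ServiceDetails"]
    return {d["ServiceName"]: {t["ServiceType"] for t in d["ServiceType"]}
            for d in details}


def service_zones(raw_json):
    """Map ServiceName -> set of AZs in which an interface endpoint may live."""
    details = json.loads(raw_json)["ServiceDetails"]
    return {d["ServiceName"]: set(d["AvailabilityZones"]) for d in details}


def classify(raw_json):
    """Split services into gateway-capable and interface-only, sorted by name."""
    types = service_types(raw_json)
    return {
        "gateway": sorted(n for n, t in types.items() if "Gateway" in t),
        "interface_only": sorted(n for n, t in types.items() if t == {"Interface"}),
    }


def plan_endpoints(raw_json, wanted, subnets):
    """Plan an endpoint per wanted service and count the IPv4 cost.

    `subnets` maps subnet id -> AZ (assumed here; in practice from
    `aws ec2 describe-subnets`). A gateway endpoint is a route-table entry
    and consumes no addresses. An interface endpoint creates one ENI, hence
    one IPv4 address, in every subnet it is attached to, and can only be
    attached in AZs the service supports; subnets in other AZs are skipped.
    """
    types = service_types(raw_json)
    zones = service_zones(raw_json)
    plan = {}
    for name in wanted:
        if name not in types:
            raise KeyError(f"service not offered in this region: {name}")
        if "Gateway" in types[name]:  # prefer the free gateway type when offered
            plan[name] = {"type": "Gateway", "subnets": [], "ipv4_addresses": 0}
            continue
        usable = sorted(s for s, az in subnets.items() if az in zones[name])
        plan[name] = {"type": "Interface", "subnets": usable,
                      "ipv4_addresses": len(usable)}
    return plan


def total_ipv4(plan):
    """Total IPv4 addresses the planned interface endpoints draw from subnets."""
    return sum(p["ipv4_addresses"] for p in plan.values())


if __name__ == "__main__":
    # Assumed private subnets, one per AZ, for the illustration.
    subnets = {"subnet-a": "us-east-1a", "subnet-b": "us-east-1b", "subnet-c": "us-east-1c"}
    wanted = ["com.amazonaws.us-east-1.s3", "com.amazonaws.us-east-1.ecr.api",
              "com.amazonaws.us-east-1.ecr.dkr", "com.amazonaws.us-east-1.sts"]
    plan = plan_endpoints(SAMPLE_RESPONSE, wanted, subnets)
    for name, p in plan.items():
        print(f"{name}: {p['type']} in {p['subnets'] or 'route tables'} "
              f"({p['ipv4_addresses']} IPv4)")
    print("IPv4 addresses consumed:", total_ipv4(plan))
```

With the sample, S3 is planned as a gateway endpoint at zero address cost, `ecr.api` only lands in the two subnets whose AZ the service supports, and the three interface endpoints together take 8 addresses from a 3-AZ layout. That per-subnet cost is what makes interface endpoints add up on small IPv4 subnets, while the S3 and DynamoDB gateway endpoints are just prefix-list routes. Against a real account, feed the script the full paginated `describe-vpc-endpoint-services` output and the real subnet list.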