VPC Endpoints or NAT Gateway?

Nitin goyal
1 min read, Sep 28, 2020

AWS services such as EC2, RDS, and ElastiCache attach an Elastic Network Interface (ENI) inside your VPC, so they are reachable on private IP addresses from within your VPCs. Many other AWS services, however, expose their REST API only on public endpoints, which by default are reachable only via the Internet. A few examples: S3, DynamoDB, CloudWatch, SQS, and Kinesis.

There are three options to make these services accessible from private subnets (subnets with no route to an Internet Gateway):

  1. A Gateway Endpoint is free of charge, but Gateway Endpoints are only available for S3 and DynamoDB. Traffic is routed through a prefix-list entry in the subnet's route table and never leaves the AWS network.
  2. An Interface Endpoint (PrivateLink) costs ~$7.20 per month and AZ (billed hourly) plus ~$0.01 per GB processed, and is available for most AWS services. It is an ENI in your subnet, so security groups apply to it.
  3. A NAT Gateway can be used to reach AWS services or any other service with a public API. It costs $32.40 per month and AZ (billed hourly) plus $0.045 per GB processed, and it gives the subnet a general egress path to the whole Internet.

Prices are the us-east-1 list prices at the time of writing; other regions differ.

Keep the following rules of thumb in mind when designing your network architecture.

  1. Adding Gateway Endpoints for S3 and DynamoDB should be the default: they cost nothing, and an endpoint policy can limit which buckets or tables the subnet may reach.
  2. Do you need to access non-AWS resources via the Internet? Add a NAT Gateway. Then do the math to see whether the traffic to AWS services justifies additional Interface Endpoints: each one saves $0.035 per GB but adds ~$7.20 per month and AZ.
  3. Are you only accessing AWS services from the private subnets, and no more than four different services beyond S3 and DynamoDB? Use Interface Endpoints: four of them (4 x $7.20 = $28.80 per AZ) still cost less than one NAT Gateway ($32.40), and the subnet never gets a general route to the Internet. Otherwise, do the math to compare the costs of Interface Endpoints and a NAT Gateway.
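The "do the math" in rules 2 and 3, written out as a small cost model. This is an added example, not code from the original post: it uses the us-east-1 list prices quoted above, assumes a 30-day month (which is how $0.01/h becomes $7.20 and $0.045/h becomes $32.40), and ignores data-transfer-out and cross-AZ charges. `Workload`, `cheapest_design` and the sample workloads at the bottom are constructed for illustration.

```python
from dataclasses import dataclass, field
from math import floor

# Added example (not from the original post).  All prices are the us-east-1
# list prices the post quotes; they differ by region and may have changed.
HOURS_PER_MONTH = 720            # 30-day month: 0.01 $/h * 720 = 7.20, 0.045 $/h * 720 = 32.40
GATEWAY_ENDPOINT_SERVICES = frozenset({"s3", "dynamodb"})   # only services with a free Gateway Endpoint


@dataclass(frozen=True)
class Price:
    hourly_per_az: float   # USD per hour, charged for every AZ the endpoint or NAT Gateway is deployed in
    per_gb: float          # USD per GB processed


INTERFACE_ENDPOINT = Price(hourly_per_az=0.01, per_gb=0.01)
NAT_GATEWAY = Price(hourly_per_az=0.045, per_gb=0.045)


@dataclass
class Workload:
    azs: int                                     # AZs that need private egress (one endpoint / NAT per AZ for HA)
    aws_gb: dict = field(default_factory=dict)   # service name -> GB per month, e.g. {"s3": 500, "sqs": 20}
    internet_gb: float = 0.0                     # GB per month to non-AWS destinations (0 = none)


def monthly_fixed(price: Price, azs: int) -> float:
    """Hourly charge of one endpoint or NAT Gateway over a month, deployed in `azs` AZs."""
    return price.hourly_per_az * HOURS_PER_MONTH * azs


def cheapest_design(w: Workload):
    """Return (monthly_cost, design) for the cheapest layout that serves the workload.

    design = {"nat": bool, "interface_endpoints": [...], "gateway_endpoints": [...]}
    Rule 1 of the post is built in: S3 and DynamoDB always get a (free) Gateway Endpoint.
    Ignored (assumption): data-transfer-out, cross-AZ traffic and the NAT Gateway's public IP,
    which are the same or small for both layouts.
    """
    gateway = sorted(s for s in w.aws_gb if s in GATEWAY_ENDPOINT_SERVICES)
    rest = {s: gb for s, gb in w.aws_gb.items() if s not in GATEWAY_ENDPOINT_SERVICES}
    candidates = []

    # Layout A: keep a NAT Gateway; per service, add an Interface Endpoint only when its
    # fixed cost plus cheaper data processing beats paying NAT data charges for that traffic.
    cost = monthly_fixed(NAT_GATEWAY, w.azs) + NAT_GATEWAY.per_gb * w.internet_gb
    with_endpoint = []
    for svc, gb in rest.items():
        via_endpoint = monthly_fixed(INTERFACE_ENDPOINT, w.azs) + INTERFACE_ENDPOINT.per_gb * gb
        via_nat = NAT_GATEWAY.per_gb * gb
        if via_endpoint < via_nat:
            with_endpoint.append(svc)
            cost += via_endpoint
        else:
            cost += via_nat
    candidates.append((round(cost, 2), {"nat": True,
                                        "interface_endpoints": sorted(with_endpoint),
                                        "gateway_endpoints": gateway}))

    # Layout B: no NAT Gateway at all, so every remaining service needs an Interface Endpoint.
    # Only possible when nothing in the subnet has to reach the public Internet; it also
    # removes the subnet's general egress path, which is the security-preferable outcome.
    if w.internet_gb == 0:
        cost = sum(monthly_fixed(INTERFACE_ENDPOINT, w.azs) + INTERFACE_ENDPOINT.per_gb * gb
                   for gb in rest.values())
        candidates.append((round(cost, 2), {"nat": False,
                                            "interface_endpoints": sorted(rest),
                                            "gateway_endpoints": gateway}))

    return min(candidates, key=lambda c: c[0])


def break_even_services() -> int:
    """Interface Endpoints you can run for the hourly price of one NAT Gateway (data charges ignored)."""
    return floor(NAT_GATEWAY.hourly_per_az / INTERFACE_ENDPOINT.hourly_per_az)


if __name__ == "__main__":
    # Constructed workloads matching the post's three rules of thumb.
    print(break_even_services())
    print(cheapest_design(Workload(azs=2, aws_gb={"s3": 1000, "sqs": 10, "kinesis": 10, "cloudwatch": 10})))
    print(cheapest_design(Workload(azs=1, aws_gb={s: 1 for s in ("sqs", "sns", "kinesis", "cloudwatch", "ecr.api", "ecr.dkr")})))
    print(cheapest_design(Workload(azs=1, aws_gb={"sqs": 500, "kinesis": 4}, internet_gb=100)))
```

The per-service decision in layout A is what rule 2 asks for: with a NAT Gateway already paid for, an Interface Endpoint only pays off once a service's monthly volume exceeds roughly $7.20 x AZs / $0.035 per GB (about 206 GB per AZ). Layout B is rule 3: with no Internet traffic, dropping the NAT Gateway entirely is cheaper for up to four services, and for more than that only if their volume is high.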

Nitin goyal

Working as a DevSecOps Engineer at Pixlevide Solutions. Loves to solve everyday problems with automation.