A Cost-Benefit Analysis of VPC Interface Endpoints


VPC Interface Endpoints (powered by AWS PrivateLink) are a powerful technology to improve security and performance in an AWS environment. However, they come at a cost. In this article we will explore the VPC Interface Endpoints for AWS services and discuss how and when they should be used.

What is AWS PrivateLink

On November 8th, 2017, AWS PrivateLink was introduced as a way to connect to AWS Services like EC2, ELB and Kinesis Data Streams without traversing the public internet. Before PrivateLink, any API call to these services (e.g. EC2:DescribeInstances or ELB:RegisterInstancesWithLoadBalancer) required an outbound internet connection - either a public IP address, a NAT instance or a NAT gateway. The request itself, including any sensitive information, would first leave your VPC and then travel across the internet to the AWS service you were calling.

With PrivateLink, these requests are routed over AWS’ internal networks instead. This obviously improves security. It also benefits performance, as laid out in this blog post by VMware Carbon Black.

On November 28th, 2017, AWS released the same functionality for customer and partner services. From this moment on, you can publish your own AWS-hosted application as a private service. This service can be consumed by other AWS accounts over AWS’ internal networks. The only requirement is that your application is fronted by a Network Load Balancer.

How does it work

To enable PrivateLink, you publish the Network Load Balancer in front of your application as a VPC Endpoint Service. When the endpoint service has been deployed, a service name will be displayed. This service name can be used by others to subscribe to your endpoint service.

When another AWS account subscribes to your endpoint service, they choose a subnet for every availability zone they want the service to be available in. AWS will deploy an Elastic Network Interface (ENI) in each of these subnets.

When an application in this AWS account tries to connect to your Network Load Balancer, traffic will be routed over these ENIs, through Amazon’s internal network, and to your NLB, without ever traveling over the public internet.

VPC Endpoints

For a more in-depth explanation, see my video on AWS Networking in the Sentia Solutions Architect Professional Course. The PrivateLink section starts at 19:40.

VPC Interface Endpoints for AWS Services

The exact same architecture is used to provide access to AWS service APIs like EC2, ELB, Kinesis, Secrets Manager, CloudWatch, and so on. Amazon has built these services around a Network Load Balancer - or has refactored existing services to use NLBs. The AWS News blog regularly posts articles like New – Use AWS PrivateLink to Access AWS Lambda Over Private AWS Network. Any time you see one of these, Amazon has migrated another service to use NLBs.

As AWS migrates more internal services to NLB, the list of services that support PrivateLink continues to grow. At the time of writing, there are 66 supported services, ranging from Amazon API Gateway to Amazon WorkSpaces, with notable mentions for security services like STS, KMS and CloudTrail.

Why use VPC Interface Endpoints

The two main reasons to use VPC Interface Endpoints are security and performance. Let’s look at these in turn.

Security: no internet traversal

The technical description above explains how any PrivateLink service uses Amazon’s internal networks to route traffic to its destination load balancer. This is useful for basic services like EC2 and ELB, but it becomes essential for security services like STS and Secrets Manager. These services are used to store and retrieve the most sensitive data types - passwords, usernames, API keys, temporary credentials, credit card info, and so on. The ability to guarantee this data will not traverse the internet is a big security win.

Security: VPC Endpoint Policies

Many of the AWS services with PrivateLink support also support Endpoint Policies. These IAM policies are applied on an existing AWS Interface Endpoint and determine which traffic can pass through the interface. This allows you to limit which operations and resources can be accessed from the VPC. For example, an Aurora endpoint can deny the DeleteDBCluster operation, or a Secrets Manager endpoint can allow access to specific secrets only. This solution protects against privilege escalation: even if a user somehow gained the DeleteDBCluster permission, the command still wouldn’t pass through the interface endpoint.
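To make the layering concrete, here is an added example (not code from the post) with two constructed endpoint policies, one for a Secrets Manager endpoint and one for an RDS endpoint, and a deliberately simplified evaluator that models the endpoint policy's Deny / Allow / implicit-deny behaviour. The account id, region and secret path are placeholders, and the evaluator is an assumption that ignores Condition, NotAction and NotResource, so it illustrates the idea rather than reproducing AWS's full evaluation logic.

```python
import fnmatch

# Constructed sample: endpoint policy for a Secrets Manager interface endpoint
# that only lets reads of secrets under one path in one account pass through.
# Account id and path are placeholders, not values from the post.
SECRETS_MANAGER_ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
            "Resource": "arn:aws:secretsmanager:eu-west-1:111122223333:secret:prod/app/*",
        }
    ],
}

# Constructed sample: endpoint policy for an RDS (Aurora) interface endpoint
# that lets everything through except cluster deletion, as in the text.
RDS_ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Principal": "*", "Action": "rds:DeleteDBCluster", "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def endpoint_allows(policy, action, resource):
    """Simplified model (assumption: no Condition/NotAction/NotResource):
    an explicit Deny wins, otherwise an Allow is required, otherwise the call
    is implicitly denied at the endpoint, whatever the caller's IAM identity
    policy says."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```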

More on VPC Endpoint Policies and how they can be used to protect against data exfiltration can be found in my video on AWS Security in the Sentia Solutions Architect Professional Course. The Data Exfiltration section starts at 21:23.

Performance: latency

Because the traffic over PrivateLink stays within Amazon’s networks, the physical distance travelled, the number of hops and the risk of traversing congested networks are all significantly lower. VMware Carbon Black ran performance tests on PrivateLink, and found an average latency reduction of about 70%.

Performance: bandwidth

PrivateLink supports a sustained bandwidth of 10 Gbps per availability zone with bursts up to 40 Gbps. If this is not enough, AWS support can increase this even further.

Performance: stability

The Carbon Black performance test also showed that using PrivateLink consistently lowers the number of errors and timeouts under high load:

The results show that the VPC endpoint results in consistent timeouts errors and cannot reliably handle the load being applied, whereas the PrivateLink connection has minimal errors under the same load.

The balance of cost, security and performance

With all the benefits mentioned above, I bet you’re jumping to deploy VPC Interface Endpoints everywhere! However, there’s always a catch. In this case it’s an obvious one: cost. Amazon does not provide this service for free, and you should determine the value of using VPC Interface Endpoints for your workloads accordingly.

We will look at three scenarios below:

  • A highly secure environment that only uses VPC endpoints and prohibits any outbound traffic over the internet
  • A low security environment that uses no VPC endpoints
  • A hybrid solution with public internet access and a few VPC endpoints

All pricing is based on the Ireland (eu-west-1) region.

High security

In a very sensitive environment, you want to guarantee that all AWS API calls stay within AWS’ networks and no data can be extracted to the internet. In this scenario, you will have no Internet Gateway and no NAT Gateway, so no outbound traffic is possible. However, this will also prohibit all interactions with AWS services, so you need VPC endpoints for every service you use.

VPC Endpoints Only

In this example, your environment uses CloudWatch Logs, Secrets Manager, Security Token Service (STS), Simple Notification Service (SNS) and Simple Queue Service (SQS). The application is deployed in three AZs, so a total of 15 ENIs are deployed. The amount of data processed is very low, so it is set to 1 GB per ENI.

The cost to run the networking part of this solution is $120.60. From the PrivateLink pricing page:

  • 730 hours in a month x 0.011 USD = 8.03 USD (Hourly cost for endpoint ENI)
  • 1 GB per month x 0.01 USD = 0.01 USD (PrivateLink data processing cost)
  • 8.03 USD + 0.01 USD = 8.04 USD (Hourly cost and data processing per endpoint ENI)
  • 5 VPC endpoints x 3 ENIs per VPC endpoint x 8.04 USD = 120.60 USD (Total PrivateLink endpoints and data processing cost)
  • Total PrivateLink endpoints and data processing cost (monthly): 120.60 USD

This might seem low, but keep in mind that this solution has no internet access, and every additional service the instances need to contact will cost an additional $24.12 per month.

Low security

In a more common scenario, contact with the public internet is not prohibited at all, and since all API calls use encryption in transit (HTTPS) anyway, customers are not worried about Secrets Manager or STS traffic traversing the internet. In this situation, a NAT Gateway would be sufficient to protect private resources. We will deploy a NAT Gateway per availability zone for optimal redundancy.

NAT Gateways Only

The cost to run the networking part of this solution is $105.27. From the VPC pricing page:

  • 730 hours in a month x 0.048 USD = 35.04 USD (Gateway usage hourly cost)
  • 1 GB per month x 0.048 USD = 0.05 USD (NAT Gateway data processing cost)
  • 35.04 USD + 0.05 USD = 35.09 USD (NAT Gateway processing and month hours)
  • 3 NAT Gateways x 35.09 USD = 105.27 USD (Total NAT Gateway usage and data processing cost)
  • Total NAT Gateway usage and data processing cost (monthly): 105.27 USD

The cost of this solution is about 13% lower than the previous one, and this time the instances can connect to the internet. However, this solution provides no security benefits whatsoever.

Hybrid solution

Most workloads require some connection to the internet, for example to download security patches, connect to external APIs, or to send out metrics. For these purposes, NAT Gateways are the perfect solution. At the same time you want to protect your sensitive information like access keys and STS tokens. In this case, you might want to deploy VPC Interface endpoints for your most sensitive AWS services, and route the rest over NAT Gateways. The diagram below depicts this hybrid scenario:

Hybrid Full

This is one of the most expensive solutions at $153.51, combining three NAT Gateways with two VPC Interface endpoints:

  • 730 hours in a month x 0.011 USD = 8.03 USD (Hourly cost for endpoint ENI)
  • 1 GB per month x 0.01 USD = 0.01 USD (PrivateLink data processing cost)
  • 8.03 USD + 0.01 USD = 8.04 USD (Hourly cost and data processing per endpoint ENI)
  • 2 VPC endpoints x 3 ENIs per VPC endpoint x 8.04 USD = 48.24 USD (Total PrivateLink endpoints and data processing cost)
  • 730 hours in a month x 0.048 USD = 35.04 USD (Gateway usage hourly cost)
  • 1 GB per month x 0.048 USD = 0.05 USD (NAT Gateway data processing cost)
  • 35.04 USD + 0.05 USD = 35.09 USD (NAT Gateway processing and month hours)
  • 3 NAT Gateways x 35.09 USD = 105.27 USD (Total NAT Gateway usage and data processing cost)
  • Total PrivateLink + NAT Gateway and data processing cost (monthly): 153.51 USD

Hybrid solution (reduced redundancy)

Because of the high cost in the previous example, you might choose to run two NAT gateways instead of three. Of course, this means that when the NAT Gateway in the second AZ fails, you immediately lose two-thirds of your workload’s capacity, but this might be an acceptable risk.

Hybrid Reduced

In this scenario, the cost will be reduced to $118.42.

  • 730 hours in a month x 0.011 USD = 8.03 USD (Hourly cost for endpoint ENI)
  • 1 GB per month x 0.01 USD = 0.01 USD (PrivateLink data processing cost)
  • 8.03 USD + 0.01 USD = 8.04 USD (Hourly cost and data processing per endpoint ENI)
  • 2 VPC endpoints x 3 ENIs per VPC endpoint x 8.04 USD = 48.24 USD (Total PrivateLink endpoints and data processing cost)
  • 730 hours in a month x 0.048 USD = 35.04 USD (Gateway usage hourly cost)
  • 1 GB per month x 0.048 USD = 0.05 USD (NAT Gateway data processing cost)
  • 35.04 USD + 0.05 USD = 35.09 USD (NAT Gateway processing and month hours)
  • 2 NAT Gateways x 35.09 USD = 70.18 USD (Total NAT Gateway usage and data processing cost)
  • Total PrivateLink + NAT Gateway and data processing cost (monthly): 118.42 USD
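The four scenarios above share the same handful of price lines, so here is an added example (not from the post or the AWS pricing calculator) that models them in Python with the eu-west-1 prices the post quotes, rounding each line the way the calculator lines above do. It also goes one step beyond the post: because PrivateLink data processing is priced at 0.01 USD/GB against 0.048 USD/GB for NAT, it computes the monthly volume above which the endpoints-only design becomes cheaper than NAT-only. That break-even assumes data processing is charged on the total GB moved, whichever path it takes.

```python
# Prices as quoted in the post for eu-west-1 (USD); 730 hours per month.
HOURS_PER_MONTH = 730
ENDPOINT_ENI_HOURLY = 0.011
ENDPOINT_PER_GB = 0.01
NAT_HOURLY = 0.048
NAT_PER_GB = 0.048


def endpoint_cost(services, azs, gb_per_eni=1.0):
    """Monthly cost of interface endpoints for `services` AWS services with one
    ENI per AZ; each line is rounded to cents like the calculator output."""
    per_eni = round(HOURS_PER_MONTH * ENDPOINT_ENI_HOURLY, 2) + round(gb_per_eni * ENDPOINT_PER_GB, 2)
    return round(services * azs * per_eni, 2)


def nat_cost(gateways, gb_per_gateway=1.0):
    """Monthly cost of `gateways` NAT Gateways, same per-line rounding."""
    per_gw = round(HOURS_PER_MONTH * NAT_HOURLY, 2) + round(gb_per_gateway * NAT_PER_GB, 2)
    return round(gateways * per_gw, 2)


def scenario_costs():
    """The four scenarios from the post as {name: monthly USD}."""
    return {
        "vpc_endpoints_only": endpoint_cost(services=5, azs=3),
        "nat_gateways_only": nat_cost(gateways=3),
        "hybrid_full": endpoint_cost(services=2, azs=3) + nat_cost(gateways=3),
        "hybrid_reduced": endpoint_cost(services=2, azs=3) + nat_cost(gateways=2),
    }


def monthly_gb_break_even(services, azs, gateways):
    """Total GB/month above which `services` x `azs` endpoint ENIs cost less
    than `gateways` NAT Gateways. Assumption: data processing is billed on
    total GB moved, so the cheaper per-GB rate of PrivateLink eventually
    outweighs its higher fixed hourly cost."""
    fixed_gap = (services * azs * HOURS_PER_MONTH * ENDPOINT_ENI_HOURLY
                 - gateways * HOURS_PER_MONTH * NAT_HOURLY)
    return fixed_gap / (NAT_PER_GB - ENDPOINT_PER_GB)
```

For the post's high-security layout (5 services, 3 AZs) versus three NAT Gateways the break-even is roughly 400 GB per month, so the "cost" side of the trade-off flips for data-heavy workloads.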

VPC Gateway Endpoints

A special mention should go out to the older technology of VPC Gateway Endpoints. These endpoints are only available for S3 and DynamoDB. As the name implies, these endpoints are not deployed as an interface in a subnet, but instead as a route on your route tables. The functionality of Gateway Endpoints is the same as for Interface Endpoints, including their support for endpoint policies. However, Gateway Endpoints are free. This little-known fact is buried all the way at the bottom of the VPC pricing page:

Note: To avoid the NAT Gateway Data Processing charge in this example, you could setup a Gateway Type VPC endpoint and route the traffic to/from S3 through the VPC endpoint instead of going through the NAT Gateway. There is no data processing or hourly charges for using Gateway Type VPC endpoints. For details on how to use VPC endpoints, please visit VPC Endpoints Documentation.

This means there is absolutely no reason not to use Gateway Endpoints, and they should be a standard component of every VPC deployment.

Conclusion

AWS PrivateLink for AWS services is an awesome and very powerful feature. It provides better security and performance, but at a cost. Whether you should use VPC Interface Endpoints depends on your security requirements and budget.

All of these topics and many more are covered in my video on AWS Security. If you’re interested in other methods to protect your workload, you should definitely check that out.

I share posts like these and smaller news articles on Twitter, follow me there for regular updates! If you have questions or remarks, or would just like to get in touch, you can also find me on LinkedIn.

Luc van Donkersgoed