aws_vpc_endpoint cost estimation

A private endpoint into AWS services from your VPC. Gateway endpoints (S3, DynamoDB) are free; Interface endpoints are ~$7/month per AZ plus data fees.

An aws_vpc_endpoint creates a private connection from your VPC to an AWS service or to another VPC, bypassing the public internet and (more importantly for cost) bypassing your NAT Gateway.

There are three endpoint types with very different pricing:

Gateway Endpoints (vpc_endpoint_type = "Gateway"): only available for S3 and DynamoDB. Completely free. No hourly fee, no data processing fee. These are an absolute cost win for any VPC that has private subnets making S3 or DynamoDB calls (which is most production VPCs).

Interface Endpoints (vpc_endpoint_type = "Interface"): PrivateLink-style ENI in each AZ. Billed $0.01/hour per AZ per endpoint plus $0.01/GB processed. A 3-AZ deployment is $21/month plus data. Available for hundreds of AWS services (KMS, Secrets Manager, ECR, SQS, SNS, etc.) plus customer-managed PrivateLink services.

Gateway Load Balancer Endpoints (vpc_endpoint_type = "GatewayLoadBalancer"): for routing traffic through third-party network appliances. Billed by the underlying GWLB.

The Interface endpoint cost (~$7/month per endpoint per AZ) can seem high, but it's almost always cheaper than the NAT Gateway data processing fees it eliminates. A 3-AZ Interface endpoint to ECR costs $21/month + data. The same traffic through NAT would cost $0.045/GB processed. Crossover is around 4 GB/month — if you pull more than 4 GB through ECR per month, the endpoint pays for itself.

c3x reads vpc_endpoint_type from the resource and applies the matching pricing. Data processed is usage-based and comes from c3x-usage.yml.

Terraform example

A minimal but realistic configuration that C3X can estimate.

# Free Gateway Endpoint for S3 (ECR image layers are also served from S3, so this pairs with the ECR endpoints below)
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = aws_vpc.main.id
  service_name      = "com.amazonaws.us-east-1.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = aws_route_table.private[*].id
}

# Interface Endpoint for ECR (saves NAT processing fees)
resource "aws_vpc_endpoint" "ecr_api" {
  vpc_id              = aws_vpc.main.id
  service_name        = "com.amazonaws.us-east-1.ecr.api"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = aws_subnet.private[*].id
  security_group_ids  = [aws_security_group.endpoints.id] # must allow inbound 443 from the private subnets
  private_dns_enabled = true
}

# Interface Endpoint for the ECR Docker registry (image manifest/layer pulls)
resource "aws_vpc_endpoint" "ecr_dkr" {
  vpc_id              = aws_vpc.main.id
  service_name        = "com.amazonaws.us-east-1.ecr.dkr"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = aws_subnet.private[*].id
  security_group_ids  = [aws_security_group.endpoints.id]
  private_dns_enabled = true
}

Pricing dimensions

What you actually pay for when you provision aws_vpc_endpoint.

Gateway Endpoint
  Unit: free
  What's being charged: S3 and DynamoDB Gateway Endpoints. No hourly fee, no data fee.
  Price: $0

Interface Endpoint hours
  Unit: per endpoint per AZ per hour
  What's being charged: Each ENI provisioned by the endpoint. A 3-AZ deployment is 3x the hourly rate.
  Price: $0.01/hour ≈ $7.30/month per AZ

Interface Endpoint data processing
  Unit: per GB
  What's being charged: Bytes flowing through the endpoint.
  Price: $0.01/GB

PrivateLink service connection (customer-published)
  Unit: per endpoint per AZ + per GB
  What's being charged: Same pricing model as AWS-service Interface endpoints, but to a third-party service exposed via PrivateLink.

Optimization tips

Common ways to reduce aws_vpc_endpoint cost without changing the workload.

Add S3 and DynamoDB Gateway Endpoints unconditionally

Savings: 100% on S3/DynamoDB NAT traffic

Free, no downside, saves NAT processing fees on every byte to S3/DynamoDB from private subnets. Adding them takes 10 minutes of Terraform.

Add Interface Endpoints for chatty AWS services

Savings: NAT processing fees on those services

Each Interface Endpoint pays for itself if you push more than ~3 GB/month through that AWS service. Common candidates: ECR (image pulls), Secrets Manager, KMS, CloudWatch Logs, SSM.

Don't add Interface Endpoints you don't need

Savings: avoid spending on idle endpoints

Each Interface Endpoint is $7/month/AZ even with zero traffic. Only add endpoints for services you actively use from private subnets.

Single-AZ endpoints for dev/staging

Savings: 67% in non-prod

Production VPCs justify multi-AZ endpoints for HA. Dev/staging can use single-AZ to save 2/3 of the hourly cost (accepting the AZ-failure risk).

FAQ

Why are Gateway Endpoints free?

Gateway Endpoints use route table modifications, not network appliances. There's no ongoing infrastructure for AWS to bill. They were introduced specifically to encourage moving S3/DynamoDB traffic off NAT Gateways. Free win for everyone.

How does c3x estimate Interface Endpoints?

c3x reads vpc_endpoint_type and the number of subnet_ids (one ENI per subnet). It applies $0.01/hour per ENI. Data processing is usage-based; add expected throughput in c3x-usage.yml.
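As an added example (not c3x's own code), the estimation rule from this FAQ answer and the NAT comparison from the overview above, written as a small Python cost model. The resource dicts, the usage mapping standing in for c3x-usage.yml, the 730-hour month and the flat rates are assumptions built from the numbers on this page; treating a GatewayLoadBalancer endpoint as $0 on the endpoint resource is this example's assumption, not documented c3x behaviour.

```python
from dataclasses import dataclass
# Rates as quoted on this page (assumed flat; real AWS pricing varies by region and over time).
HOURS_PER_MONTH = 730  # gives the page's $0.01/hour ≈ $7.30/month per AZ
INTERFACE_HOURLY_PER_ENI, INTERFACE_PER_GB, NAT_PER_GB = 0.01, 0.01, 0.045

@dataclass
class EndpointEstimate:
    address: str
    endpoint_type: str
    eni_count: int        # one ENI per subnet_id for Interface endpoints
    monthly_fixed: float  # hourly ENI charge rolled up to a month
    monthly_data: float   # per-GB processing charge from expected usage

    def monthly_total(self) -> float:
        return round(self.monthly_fixed + self.monthly_data, 2)

def estimate_endpoint(address, endpoint_type, subnet_count, gb_per_month=0.0):
    """The rule the page attributes to c3x: Gateway is free; Interface bills one ENI per subnet
    at $0.01/hour plus $0.01/GB. GatewayLoadBalancer is billed by the GWLB itself, so this
    example (an assumption, not c3x behaviour) reports $0 on the endpoint resource."""
    if endpoint_type in ("Gateway", "GatewayLoadBalancer"):
        return EndpointEstimate(address, endpoint_type, 0, 0.0, 0.0)
    if endpoint_type != "Interface":
        raise ValueError(f"unknown vpc_endpoint_type: {endpoint_type!r}")
    fixed = round(INTERFACE_HOURLY_PER_ENI * HOURS_PER_MONTH * subnet_count, 2)
    data = round(INTERFACE_PER_GB * gb_per_month, 2)
    return EndpointEstimate(address, endpoint_type, subnet_count, fixed, data)

def estimate_plan(resources, usage):
    """resources: dicts shaped like aws_vpc_endpoint attributes; usage: address -> GB/month,
    standing in for the throughput a user would declare in c3x-usage.yml."""
    return [estimate_endpoint(r["address"], r["vpc_endpoint_type"],
                              len(r.get("subnet_ids", [])), usage.get(r["address"], 0.0))
            for r in resources]

def nat_cost(gb_per_month):
    return round(NAT_PER_GB * gb_per_month, 2)  # the same bytes leaving via a NAT Gateway instead

def nat_break_even_gb(subnet_count):
    """GB/month where the endpoint's fixed cost equals the NAT fees it avoids, net of its own per-GB fee."""
    fixed = INTERFACE_HOURLY_PER_ENI * HOURS_PER_MONTH * subnet_count
    return round(fixed / (NAT_PER_GB - INTERFACE_PER_GB), 1)
# Constructed input mirroring the Terraform example above, with three private subnets.
SUBNETS = ["subnet-a", "subnet-b", "subnet-c"]
SAMPLE_RESOURCES = [
    {"address": "aws_vpc_endpoint.s3", "vpc_endpoint_type": "Gateway"},
    {"address": "aws_vpc_endpoint.ecr_api", "vpc_endpoint_type": "Interface", "subnet_ids": SUBNETS},
    {"address": "aws_vpc_endpoint.ecr_dkr", "vpc_endpoint_type": "Interface", "subnet_ids": SUBNETS},
]
SAMPLE_USAGE = {"aws_vpc_endpoint.ecr_dkr": 1000.0}  # 1 TB of image pulls a month (constructed)
```

Compare `estimate_plan(...)[i].monthly_total()` with `nat_cost(gb)` for the same throughput, and use `nat_break_even_gb(n)` to see how much traffic an n-AZ endpoint needs before it beats NAT under these rates.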

Should I add Interface Endpoints for all AWS services?

No. Each is $7/month/AZ. Audit traffic patterns first: services with <3 GB/month of traffic from private subnets aren't worth an endpoint. Common high-value endpoints: ECR, Secrets Manager, KMS, S3 (gateway, free), CloudWatch Logs.

What's PrivateLink vs VPC Endpoint?

PrivateLink is the underlying technology; VPC Endpoints (Interface type) are how you consume it. Customer-published PrivateLink services (via aws_vpc_endpoint_service) charge the provider similar fees plus data processed.

Estimate this resource in your own Terraform

Free, open source, no API key. C3X parses your Terraform and shows line-item cost for every resource, including aws_vpc_endpoint.