
We have a VPC with 3 public subnets and 3 private subnets.

Public subnets reach the Internet through an Internet Gateway. Private subnets reach the Internet through their own NAT Gateways (one for each).

After creating a couple of Batch compute environments and Lambdas (the Lambdas use a custom image located in ECR repos) which run in the private subnets, our bill increased with NAT Gateway traffic.

We forgot to create VPC endpoints for S3 and Secrets Manager. OK, we created those endpoints.

But our bill for NAT Gateway traffic is still too much.

We activated flow logs and started our quest.

We examined the traffic between the NAT gateways and the Internet. It is all HTTPS traffic. We deduced it was AWS services calling other AWS services' APIs.

We created some other VPC endpoints and that worked. Our NAT gateway traffic was less than before. But we still had some HTTPS traffic. Our apps are not creating this traffic. So we need more AWS VPC endpoints. AWS VPC endpoints have a cost.

How can we know which VPC endpoints we need?

Flow logs are not layer 7 logs. Is there some way to sniff the traffic?

  • So you don't know what applications you are running on your instances? Usually you would know what AWS services they use, as they would require explicit permissions to access those services. – Marcin Jun 02 '21 at 10:36
  • You could try removing the NAT Gateway and then see what breaks! – John Rotenstein Jun 02 '21 at 12:08
  • If your EC2 instance includes the SSM Agent then that agent reaches out to the SSM service endpoint periodically. – jarmod Jun 02 '21 at 12:30
  • @Marcin, there are no instances. They are Lambdas and a Batch cluster. Not managed. My code does not need those VPC endpoints. I created the VPC endpoint for com.amazonaws.eu-west-1.ecr.dkr and I reduced the traffic. Do I need to create one for service com.amazonaws.eu-west-1.ecr.api? Or for service com.amazonaws.eu-west-1.lambda? Or for what? – icalvete Jun 02 '21 at 14:55
  • @John_Rotenstein, I'm doing that. But it is not a clean way. I would like to know without breaking anything. – icalvete Jun 02 '21 at 15:53
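The flow logs in the question only give destination IPs, which is why the HTTPS traffic looks anonymous. The missing layer-7 piece is Route 53 Resolver query logging: every SDK call and image pull first resolves a hostname such as api.ecr.eu-west-1.amazonaws.com through the VPC resolver, and that hostname maps almost directly onto a VPC endpoint service name. The script below is an added example (not code from the poster or from AWS) that joins the two logs: it reads the NAT Gateway ENI's flow records, keeps only the NAT-to-Internet direction, looks up each destination IP in the Resolver query log answers, and sums bytes per endpoint service name. Where no DNS record matched it falls back to a longest-prefix match against ip-ranges.json so you at least learn "S3 in eu-west-1" versus "not AWS at all". The NAT private IP (10.0.1.20), the flow log lines, the query log lines and the ip-ranges subset are all constructed for the example; the hostname-to-endpoint rule for anything other than ECR and S3 is a heuristic, so confirm candidates against `aws ec2 describe-vpc-endpoint-services` before paying for an endpoint.

```python
"""Attribute NAT Gateway egress to the VPC endpoint that would absorb it.

Joins VPC Flow Logs (bytes per destination IP) with Route 53 Resolver query
logs (which hostname resolved to that IP); ip-ranges.json is only a fallback.
All sample data in this file is constructed for the example.
"""
import ipaddress
import json
import re
from collections import defaultdict

# Constructed flow log records from the NAT Gateway's ENI. 10.0.1.20 is the assumed
# NAT private IP; records with it as srcaddr are the Internet-bound side of each flow.
# Fields: version account-id interface-id srcaddr dstaddr srcport dstport protocol
#         packets bytes start end action log-status
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.20 52.218.100.10 41234 443 6 120 94000 1622630400 1622630460 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.20 52.95.120.5 41235 443 6 30 6100 1622630400 1622630460 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.20 52.95.120.5 41236 443 6 28 5900 1622630460 1622630520 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.20 52.95.121.7 41237 443 6 300 512000 1622630400 1622630460 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.20 93.184.216.34 41238 443 6 10 2000 1622630400 1622630460 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.2.15 10.0.1.20 53000 443 6 5 400 1622630400 1622630460 ACCEPT OK
"""

# Constructed Route 53 Resolver query log records (one JSON object per line, trimmed
# to the fields used here; query_name carries the trailing dot as in the real logs).
SAMPLE_DNS_LOGS = [
    '{"query_name":"prod-eu-west-1-starport-layer-bucket.s3.eu-west-1.amazonaws.com.","query_type":"A",'
    '"rcode":"NOERROR","answers":[{"Rdata":"52.218.100.10","Type":"A","Class":"IN"}],"srcaddr":"10.0.2.15"}',
    '{"query_name":"api.ecr.eu-west-1.amazonaws.com.","query_type":"A","rcode":"NOERROR",'
    '"answers":[{"Rdata":"52.95.120.5","Type":"A","Class":"IN"}],"srcaddr":"10.0.2.15"}',
    '{"query_name":"lambda.eu-west-1.amazonaws.com.","query_type":"A","rcode":"NOERROR",'
    '"answers":[{"Rdata":"52.95.121.7","Type":"A","Class":"IN"}],"srcaddr":"10.0.2.16"}',
]

# Constructed subset of https://ip-ranges.amazonaws.com/ip-ranges.json. The AMAZON
# umbrella entries overlap the per-service ones, as they do in the real file.
SAMPLE_IP_RANGES = {"prefixes": [
    {"ip_prefix": "52.218.96.0/20", "region": "eu-west-1", "service": "AMAZON"},
    {"ip_prefix": "52.218.96.0/20", "region": "eu-west-1", "service": "S3"},
    {"ip_prefix": "52.95.120.0/22", "region": "eu-west-1", "service": "AMAZON"},
    {"ip_prefix": "52.95.120.0/23", "region": "eu-west-1", "service": "EC2"},
]}


def build_prefix_table(ip_ranges):
    return [(ipaddress.ip_network(p["ip_prefix"]), p["service"], p["region"])
            for p in ip_ranges["prefixes"]]


def classify(ip, table):
    """Longest-prefix match; on a tie prefer the specific service over the AMAZON umbrella."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, svc != "AMAZON", svc, region) for net, svc, region in table if addr in net]
    if not hits:
        return None
    _, _, svc, region = max(hits)
    return svc, region


def hosts_by_ip(dns_lines):
    """Invert the Resolver query log: answer IP -> set of names that resolved to it."""
    index = defaultdict(set)
    for line in dns_lines:
        rec = json.loads(line)
        for ans in rec.get("answers", []):
            if ans.get("Type") in ("A", "AAAA"):
                index[ans["Rdata"]].add(rec["query_name"].rstrip("."))
    return index


def endpoint_for_host(host):
    """Map a regional AWS API hostname to its VPC endpoint service name.
    ECR and S3 have dedicated rules; the last rule (<svc>.<region>.amazonaws.com ->
    com.amazonaws.<region>.<svc>) is a heuristic to confirm with
    `aws ec2 describe-vpc-endpoint-services`."""
    host = host.rstrip(".")
    for pattern, fmt in (
        (r"(?:[\w-]+\.)?dkr\.ecr\.([\w-]+)\.amazonaws\.com", "com.amazonaws.{0}.ecr.dkr"),
        (r"api\.ecr\.([\w-]+)\.amazonaws\.com", "com.amazonaws.{0}.ecr.api"),
        (r"(?:[\w.-]+\.)?s3\.([\w-]+)\.amazonaws\.com", "com.amazonaws.{0}.s3"),
        (r"([\w-]+)\.([\w-]+)\.amazonaws\.com", "com.amazonaws.{1}.{0}"),
    ):
        m = re.fullmatch(pattern, host)
        if m:
            return fmt.format(*m.groups())
    return None


def attribute_egress(flow_text, dns_lines, ip_ranges, nat_private_ips):
    """Bytes the NAT Gateway sent to the Internet, keyed by the endpoint that would absorb them."""
    table = build_prefix_table(ip_ranges)
    names = hosts_by_ip(dns_lines)
    totals = defaultdict(int)
    for line in flow_text.splitlines():
        f = line.split()
        if len(f) < 14 or f[12] != "ACCEPT":
            continue
        src, dst, nbytes = f[3], f[4], int(f[9])
        if src not in nat_private_ips or not ipaddress.ip_address(dst).is_global:
            continue  # keep only the NAT -> Internet direction
        if dst in names:
            key = " | ".join(sorted(endpoint_for_host(h) or h for h in names[dst]))
        else:
            hit = classify(dst, table)
            key = "unresolved:{}/{}".format(*hit) if hit else "unresolved:not-aws"
        totals[key] += nbytes
    return dict(totals)
```

Running `attribute_egress(SAMPLE_FLOW_LOGS, SAMPLE_DNS_LOGS, SAMPLE_IP_RANGES, {"10.0.1.20"})` on the constructed data attributes 512000 bytes to com.amazonaws.eu-west-1.lambda, 94000 to com.amazonaws.eu-west-1.s3, 12000 to com.amazonaws.eu-west-1.ecr.api and 2000 to an address that is not AWS at all, which is the ranking you want before deciding which interface endpoints are worth their hourly cost. The S3 line is the image layers: ECR stores layers in S3, so an ecr.dkr endpoint without the S3 gateway endpoint still sends pulls through the NAT. In production, point the script at the flow log and query log exports in S3 or CloudWatch Logs, replace the ip-ranges subset with the downloaded file, and pass the real NAT private IPs; an IP that resolves to several names is reported as a joined key so you can see the ambiguity rather than have it silently folded into one service.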

0 Answers