
I am trying to understand the cost implications between S3 and EC2. I found this nice article, but it triggered the following confusion.

  1. Everywhere, the article says that S3 and EC2 data transfer is free if it is in the same region. But in the above article, I found the following statement (section: Accessing services within the same AWS Region):

If the internet gateway is used to access the public endpoint of the AWS services in the same Region (Figure 1 – Pattern 1), there are no data transfer charges. If a NAT gateway is used to access the same services (Figure 1 – Pattern 2), there is a data processing charge (per gigabyte (GB)) for data that passes through the gateway.

AFAIK, the NAT gateway comes into the picture when EC2 wants to communicate with something outside. So does this mean that any S3 data transfer (ingress/egress) between a private subnet EC2 instance and S3 is not free (as I have configured NAT)? Similarly, is S3 data transfer (ingress/egress) between public subnet instances and S3 the only free case?

  2. I am not able to understand the statement "public endpoint of the AWS services". How can I create a public endpoint for S3 or Kinesis? The image points out that it is possible to interact with S3/Kinesis/DynamoDB/ECR/SNS using a public endpoint, but I am not sure how to create a public endpoint for those. Is there a simple example to point to for public endpoint access?
Invisible

1 Answer


The term Data Transfer specifically refers to traffic going from AWS to the Internet. Therefore, any traffic between AWS services in the same Region does not attract Data Transfer costs.

However, there might be some charges for VPCs and NAT Gateways. These are not called "Data Transfer", but are instead specifically related to the service being used. See: Amazon VPC Pricing - Amazon Web Services

The endpoints of AWS services reside on the Internet. These are the locations where requests are sent, such as requests to launch an Amazon EC2 instance or to upload data to an Amazon S3 bucket.

If you have resources in a private subnet that wish to communicate with AWS services (such as Amazon S3), you can add a VPC Endpoint to your VPC. You will sometimes see these Endpoints referred to as connecting through AWS PrivateLink. For example, a VPC Endpoint for S3 acts as a 'shortcut' between the VPC and the S3 endpoints. There is no charge for traffic sent over a VPC Endpoint. This reduces the amount of traffic going via the NAT Gateway, and possibly even totally eliminates the need for a NAT Gateway.

See: Access AWS services through AWS PrivateLink - Amazon Virtual Private Cloud

John Rotenstein
  • Thanks for the prompt answer. It looks like I was quite confused; from your answer I think I get the point. So if I don't configure a VPC Endpoint/PrivateLink and I download 1 TB from S3 from private subnet instances that are configured with a NAT gateway, I need to pay the NAT gateway data processing charge, am I right? – Invisible May 28 '23 at 10:10
  • 1
    That is correct. NAT Gateway has two changes: One 'per hour' charge and one 'per GB' charge. – John Rotenstein May 28 '23 at 10:30
  • Final one: If my private subnet is configured with both a NAT gateway (for some other outside communication) and an S3 VPC endpoint/PrivateLink, how does AWS pick the best route while interacting with S3? From the private EC2 instance I use the same command, `aws s3 ls s3://some-bucket/single-tb-file.txt` (nothing in the bucket reference distinguishes the NAT gateway from the S3 VPC endpoint), so it should download either via NAT or via the S3 VPC endpoint. How does it pick the best route, and how can I verify whether it is using NAT or the S3 VPC endpoint while downloading the files? – Invisible May 28 '23 at 10:46
  • I mean, when both are options (NAT/S3 VPC endpoint), I want AWS to pick the cost-free route, so I am interested in how AWS picks that and how to verify manually that it chooses the S3 VPC endpoint. – Invisible May 28 '23 at 10:50
  • 1
    It will work automatically. Traffic will route through a VPC Endpoint in preference to the NAT Gateway. Take a look at the Route Table and you will probably see the configuration. – John Rotenstein May 28 '23 at 11:01
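The answer above says a gateway endpoint is preferred over the NAT gateway and that the route table shows it; the last comment asks how to verify that. The reason is ordinary longest-prefix routing: an S3 gateway endpoint is installed in the route table as a route whose destination is the S3 managed prefix list (a `pl-*` ID) and whose target is the `vpce-*` ID, and that route is more specific than `0.0.0.0/0 -> nat-*`, so S3 traffic never touches the NAT gateway. The script below is an added example, not code from the question, the answer or AWS; it classifies the S3 path from a route table in the shape returned by `aws ec2 describe-route-tables`. The route table, the resource IDs and the prefix-list ID are constructed placeholders; the real S3 prefix-list ID differs per region and is obtained with `aws ec2 describe-prefix-lists --filters Name=prefix-list-name,Values=com.amazonaws.<region>.s3`.

```python
import copy
import json

# Constructed sample: a private-subnet route table that has BOTH a NAT
# gateway default route and an S3 gateway-endpoint route. All IDs are
# placeholders, not real AWS resources.
SAMPLE_ROUTE_TABLE = json.loads("""
{
  "RouteTableId": "rtb-0123456789abcdef0",
  "Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local",
     "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0a1b2c3d4e5f60718",
     "State": "active"},
    {"DestinationPrefixListId": "pl-0example0s3", "GatewayId": "vpce-0f1e2d3c4b5a69788",
     "State": "active"}
  ]
}
""")

# Placeholder: the S3 managed prefix list ID for the region (see lead-in).
S3_PREFIX_LIST_ID = "pl-0example0s3"


def s3_path(route_table, s3_prefix_list_id):
    """Return "vpc-endpoint", "nat-gateway", "internet-gateway" or "none".

    Mirrors what the VPC router does: a route to the S3 prefix list via a
    vpce-* target is more specific than the default route, so it is chosen
    first. Routes in state "blackhole" (e.g. a deleted NAT gateway) are
    ignored because they carry no traffic.
    """
    routes = [r for r in route_table.get("Routes", [])
              if r.get("State", "active") == "active"]

    # 1. Gateway endpoint route: prefix-list destination, vpce-* target.
    for r in routes:
        if (r.get("DestinationPrefixListId") == s3_prefix_list_id
                and str(r.get("GatewayId", "")).startswith("vpce-")):
            return "vpc-endpoint"

    # 2. Otherwise S3's public IPs fall under the default route.
    for r in routes:
        if r.get("DestinationCidrBlock") == "0.0.0.0/0":
            if r.get("NatGatewayId"):
                return "nat-gateway"          # per-GB data processing charge applies
            if str(r.get("GatewayId", "")).startswith("igw-"):
                return "internet-gateway"     # pattern 1 in the quoted article
    return "none"


def without_endpoint(route_table):
    """Copy of the table with the gateway-endpoint route removed, for comparison."""
    rt = copy.deepcopy(route_table)
    rt["Routes"] = [r for r in rt["Routes"]
                    if not str(r.get("GatewayId", "")).startswith("vpce-")]
    return rt


if __name__ == "__main__":
    print("with S3 endpoint:   ", s3_path(SAMPLE_ROUTE_TABLE, S3_PREFIX_LIST_ID))
    print("without S3 endpoint:", s3_path(without_endpoint(SAMPLE_ROUTE_TABLE),
                                          S3_PREFIX_LIST_ID))
```

To run it against a live subnet, feed in one element of `RouteTables` from `aws ec2 describe-route-tables --filters Name=association.subnet-id,Values=<subnet-id>` together with the region's real S3 prefix-list ID. If the result is "nat-gateway", every byte pulled from S3 is being metered by the NAT gateway; adding the gateway endpoint flips the result without any change to the `aws s3` command, which is exactly the behaviour the last comment describes.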