Last month, I was reviewing a client's AWS infrastructure when something caught my eye. Their monthly bill had a line item that didn't sit right with me - data transfer charges that seemed way too high for what they were doing.
After digging through their architecture, I found the culprit. Their EC2 instances were talking to S3 buckets the long way around - through the public internet.
Wait, Why Does That Matter?
Here's the thing most people don't realize when they start with AWS. When your EC2 instance needs to grab a file from S3, it has to go somewhere to get it. Without any special configuration, that "somewhere" is out through your Internet Gateway, across the public internet, and back into AWS to reach S3.
Think of it like this. Imagine you work in a large office building. Your colleague sits on the same floor, just around the corner. But instead of walking over to their desk, you leave the building, walk around the block, enter through the main lobby, go through security again, and then finally reach them. Sounds ridiculous, right?
That's exactly what happens when EC2 talks to S3 without a VPC Endpoint.
What Was Actually Happening
The client had a pretty standard setup. Application servers running on EC2, storing and retrieving files from S3. Nothing fancy. But every single S3 request was taking the scenic route through the internet.
This created two problems.
First, they were paying data transfer fees for traffic that didn't need to leave AWS at all. Every gigabyte going out through the Internet Gateway costs money. When you're moving terabytes of data to and from S3 daily, those charges add up fast.
Second, their data was traveling across the public internet unnecessarily. Even though S3 connections are encrypted, why expose your traffic to the outside world when you don't have to?
The Fix Was Surprisingly Simple
We created a VPC Gateway Endpoint for S3. That's it. No agents to install, no complex networking changes, no application code modifications.
A Gateway Endpoint is basically a private door between your VPC and S3. Once it's in place, traffic to S3 stays entirely within the AWS network. Your EC2 instance talks to S3 through this private connection instead of going out to the internet.
Here's what the setup looks like in practice:
# Using AWS CLI to create a Gateway Endpoint for S3
aws ec2 create-vpc-endpoint \
--vpc-id vpc-1234567890abcdef0 \
--service-name com.amazonaws.ap-south-1.s3 \
--route-table-ids rtb-1234567890abcdef0
The endpoint has to be associated with the route tables used by your subnets (that's what --route-table-ids does above; you can add more route tables later). After that, any traffic destined for S3 automatically uses the endpoint, because AWS adds a route for the S3 prefix list to those tables. The applications don't even know the difference - they keep using S3 the same way they always did.
What Changed After Implementation
The data transfer charges dropped noticeably in the next billing cycle. I won't throw around specific numbers because every environment is different, but the reduction was significant enough that the client asked me what else we could optimize.
Beyond the cost savings, there's a security benefit that's harder to quantify. Traffic between EC2 and S3 no longer traverses the public internet. It stays on AWS's private backbone. For workloads dealing with sensitive data, this is a meaningful improvement.
A Few Things Worth Knowing
Gateway Endpoints are free. AWS doesn't charge you for creating or using them. The only thing you pay for is the standard S3 request and storage costs you'd pay anyway.
They work for S3 and DynamoDB. If you need private connectivity to other AWS services like SQS, SNS, or Secrets Manager, you'll want Interface Endpoints instead. Those do have an hourly charge, but they're still cheaper than routing everything through NAT Gateways.
One gotcha I've seen trip people up - if your S3 bucket policy restricts access by source IP, you might need to update it. Traffic through a Gateway Endpoint doesn't come from your NAT Gateway's public IP anymore. You can use VPC Endpoint conditions in your bucket policy to handle this.
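To make the gotcha concrete, here is an added example (not from the original post) that builds the IP-restricted Deny statement with and without the aws:SourceVpce condition and evaluates both against a request arriving via the endpoint. The bucket name, CIDR, endpoint id and request IPs are constructed placeholders.

```python
"""Bucket-policy gotcha: an IP-based Deny blocks requests that arrive via the
Gateway Endpoint, because they carry a VPC-private source IP rather than the
NAT Gateway's public IP. Adding aws:SourceVpce to the same Deny statement
fixes it, since conditions within one statement are ANDed.
All IDs and CIDRs below are constructed placeholders."""
import ipaddress

OFFICE_CIDR = "203.0.113.0/24"        # constructed: NAT Gateway / office egress range
VPCE_ID = "vpce-0123456789abcdef0"    # constructed: the S3 Gateway Endpoint id


def deny_statement(bucket, allowed_cidrs, vpce_id=None):
    """Deny unless the request comes from an allowed public IP or, when
    vpce_id is given, through the Gateway Endpoint. Both checks must hold
    for the Deny to apply because the operators are ANDed."""
    cond = {"NotIpAddress": {"aws:SourceIp": list(allowed_cidrs)}}
    if vpce_id:
        cond["StringNotEquals"] = {"aws:SourceVpce": vpce_id}
    return {
        "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": cond,
    }


def condition_matches(cond, ctx):
    """Minimal evaluator for the two operators used above. A key missing
    from the request context counts as a match for negated operators,
    which is how IAM evaluates them."""
    for op, kv in cond.items():
        for key, want in kv.items():
            have = ctx.get(key)
            if op == "NotIpAddress":
                nets = [ipaddress.ip_network(c) for c in want]
                if have and any(ipaddress.ip_address(have) in n for n in nets):
                    return False
            elif op == "StringNotEquals":
                if have is not None and have == want:
                    return False
            else:
                raise ValueError(f"unsupported operator {op}")
    return True


def request_denied(statement, ctx):
    """True when this Deny statement applies to the request context."""
    return statement["Effect"] == "Deny" and condition_matches(statement["Condition"], ctx)


if __name__ == "__main__":
    via_endpoint = {"aws:SourceIp": "10.0.1.25", "aws:SourceVpce": VPCE_ID}
    old = deny_statement("client-bucket", [OFFICE_CIDR])            # IP-only policy
    new = deny_statement("client-bucket", [OFFICE_CIDR], VPCE_ID)   # with endpoint condition
    print("old policy blocks endpoint traffic:", request_denied(old, via_endpoint))  # True
    print("new policy blocks endpoint traffic:", request_denied(new, via_endpoint))  # False
```

Requests from outside both the allowed range and the endpoint are still denied by the corrected statement, so the restriction is preserved while endpoint traffic is let through.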
The Bigger Picture
Cost optimization in AWS isn't always about buying Reserved Instances or committing to Savings Plans. Sometimes the biggest wins come from architectural decisions that seem minor on the surface.
I've seen teams spend hours negotiating enterprise discounts while ignoring networking patterns that waste hundreds of dollars every month. A quick review of your VPC configuration, endpoint usage, and data transfer patterns can reveal opportunities that are easier to capture and often have immediate impact.
If you haven't looked at your data transfer charges lately, it might be worth a few minutes of your time. You might find your infrastructure is taking the long way around too.
