
VPC Endpoints Audit

This audit identified billable PrivateLink (interface) endpoints that were no longer needed once the tracker stack kept its private subnets and relied on the NAT gateway for outbound traffic to AWS service APIs.

Current tracker posture

  • Private subnets remain in use for ECS tasks, the database host, and auxiliary EC2 workers.
  • NAT handles outbound access to AWS APIs such as ECR, Secrets Manager, CloudWatch Logs, and SSM.
  • The free S3 gateway endpoint is retained.
  • Billable interface endpoints for ECR, Secrets Manager, CloudWatch Logs, SSM, SSMMessages, EC2Messages, and EFS are no longer declared in the tracker Terraform.

Why this is cheaper

  • NAT already exists in the network module, so PrivateLink is not required to keep the stack private. "Private" here means the workloads keep no public IPs and accept no inbound connections; with the interface endpoints gone, their calls to ECR, Secrets Manager, CloudWatch Logs, and SSM leave the VPC through the NAT gateway to the services' public endpoints over TLS instead of staying on PrivateLink.
  • Removing interface endpoints eliminates the per-AZ hourly endpoint charges. NAT gateway data processing is still charged per GB, so the saving holds while traffic to those APIs (ECR image pulls in particular) stays small relative to the removed hourly charges.
  • Keeping S3 as a gateway endpoint preserves private bucket access without any hourly cost, and keeps S3 traffic off the NAT gateway's per-GB charge.
  • The interface endpoints also carried their own endpoint policies and security groups. After removal, the only egress controls on those API calls are the private subnets' route tables and the workloads' security-group rules.

Notes

  • If a different stack in the same AWS account still has interface endpoints, those were created outside the tracker Terraform and are not touched by this audit.
  • EFS mounts still work without an EFS VPC endpoint because the NFS data path uses EFS mount targets (ENIs in the VPC subnets), not PrivateLink. The removed interface endpoint only served the elasticfilesystem API, which is now reached through NAT like the other service APIs.
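The check behind the audit above, written out as an added example (not code from the tracker Terraform or the network module): given `describe_vpc_endpoints` and `describe_route_tables` output, keep gateway endpoints, confirm that every subnet an interface endpoint serves already has a 0.0.0.0/0 route to a NAT gateway before calling it removable, and set aside endpoints that belong to another stack. The sample records are constructed, and the `stack=tracker` tag used to tell tracker-managed endpoints from foreign ones is an assumption; substitute whatever tag or Terraform-state lookup the account actually uses.

```python
"""Audit which VPC endpoints are billable and safe to drop once NAT egress exists.

Added example, not code from the tracker Terraform. Input shapes follow the
boto3 ec2 describe_vpc_endpoints / describe_route_tables responses; the sample
records below are constructed, and the "stack=tracker" ownership tag is an
assumption made for this example.
"""


def subnets_with_nat_egress(route_tables):
    """Return the subnet IDs whose route table sends 0.0.0.0/0 to a NAT gateway."""
    subnets = set()
    for rt in route_tables:
        has_nat_default = any(
            route.get("DestinationCidrBlock") == "0.0.0.0/0" and route.get("NatGatewayId")
            for route in rt.get("Routes", [])
        )
        if has_nat_default:
            subnets.update(
                assoc["SubnetId"] for assoc in rt.get("Associations", []) if "SubnetId" in assoc
            )
    return subnets


def tag_value(resource, key):
    """Look up one tag on an EC2 describe_* record; None when absent."""
    return next((t["Value"] for t in resource.get("Tags", []) if t["Key"] == key), None)


def audit_endpoints(endpoints, route_tables, owner_tag=("stack", "tracker")):
    """Classify endpoints into keep_free / removable / blocked / foreign.

    keep_free: gateway endpoints (S3, DynamoDB) have no hourly charge, so they stay.
    removable: owner-tagged interface endpoints whose every subnet already has NAT egress.
    blocked:   owner-tagged interface endpoints serving a subnet with no NAT default route;
               removing one of these would cut that subnet off from the AWS API.
    foreign:   interface endpoints without the owner tag, i.e. created outside the
               tracker Terraform; reported but left alone.
    billable_units counts attached subnets, which drives the per-AZ hourly charge when
    each subnet sits in a distinct AZ (assumption: one subnet per AZ).
    """
    nat_subnets = subnets_with_nat_egress(route_tables)
    report = {"keep_free": [], "removable": [], "blocked": [], "foreign": []}
    for ep in endpoints:
        if ep["VpcEndpointType"] == "Gateway":
            report["keep_free"].append(ep["VpcEndpointId"])
            continue
        entry = {
            "id": ep["VpcEndpointId"],
            "service": ep["ServiceName"].split(".", 3)[-1],  # "com.amazonaws.<region>.ecr.api" -> "ecr.api"
            "billable_units": len(ep.get("SubnetIds", [])),
        }
        if tag_value(ep, owner_tag[0]) != owner_tag[1]:
            report["foreign"].append(entry)
            continue
        missing = sorted(s for s in ep.get("SubnetIds", []) if s not in nat_subnets)
        if missing:
            entry["subnets_without_nat"] = missing
            report["blocked"].append(entry)
        else:
            report["removable"].append(entry)
    return report


# Constructed sample: subnets a and b route 0.0.0.0/0 to a NAT gateway; subnet-c is an
# isolated subnet with only the local route, so it reaches AWS APIs solely via endpoints.
SAMPLE_ROUTE_TABLES = [
    {"Associations": [{"SubnetId": "subnet-a"}, {"SubnetId": "subnet-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]},
    {"Associations": [{"SubnetId": "subnet-c"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]

SAMPLE_ENDPOINTS = [
    {"VpcEndpointId": "vpce-s3", "VpcEndpointType": "Gateway",
     "ServiceName": "com.amazonaws.us-east-1.s3", "SubnetIds": [],
     "Tags": [{"Key": "stack", "Value": "tracker"}]},
    {"VpcEndpointId": "vpce-ecr-api", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.us-east-1.ecr.api",
     "SubnetIds": ["subnet-a", "subnet-b"], "Tags": [{"Key": "stack", "Value": "tracker"}]},
    {"VpcEndpointId": "vpce-secrets", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.us-east-1.secretsmanager",
     "SubnetIds": ["subnet-a", "subnet-b"], "Tags": [{"Key": "stack", "Value": "tracker"}]},
    {"VpcEndpointId": "vpce-ssm", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.us-east-1.ssm",
     "SubnetIds": ["subnet-a", "subnet-c"], "Tags": [{"Key": "stack", "Value": "tracker"}]},
    {"VpcEndpointId": "vpce-kms", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.us-east-1.kms",
     "SubnetIds": ["subnet-a"], "Tags": [{"Key": "stack", "Value": "other-stack"}]},
]

if __name__ == "__main__":
    import json
    print(json.dumps(audit_endpoints(SAMPLE_ENDPOINTS, SAMPLE_ROUTE_TABLES), indent=2))
```

Against live data, feed it `ec2.describe_vpc_endpoints()["VpcEndpoints"]` and `ec2.describe_route_tables()["RouteTables"]` from a boto3 EC2 client for the tracker VPC. On the sample, the ECR and Secrets Manager endpoints come out removable (four billable endpoint-AZ units), the SSM endpoint is blocked because subnet-c has no NAT route, and the KMS endpoint is reported as foreign rather than queued for removal.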