
VPC Endpoint Cost Analysis: Gateway vs Interface, Centralized vs Distributed

VPC endpoints save money against NAT Gateway — above a break-even of about 200 GB per AZ per month. Below that, the endpoint costs more than the path it replaces.

Published May 2026 · Cluster Networking · 10 min read

VPC endpoints are sold to AWS customers as a cost-control mechanism — a way to keep traffic to AWS services off the public internet, off the NAT Gateway, and within the AWS backbone. That story is mostly true. It also obscures the fact that VPC endpoints, especially Interface endpoints, are themselves a meaningful cost surface that customers routinely under-model. A typical enterprise account ends up with dozens of endpoints across multiple VPCs, each priced per-AZ per-hour plus per-GB data processing.

This guide walks through Gateway endpoints versus Interface endpoints, the actual ROI math, the optimization plays we apply during AWS audits, and how to bring VPC endpoint spend into your Enterprise Discount Program (EDP). We have reviewed $2.4B+ in AWS spend across 500+ engagements and consistently find that VPC endpoint architecture is one of the highest-leverage optimizations on enterprise accounts — when done correctly, the savings on NAT Gateway and data transfer pay back the endpoint cost in weeks.

What this guide covers: Gateway versus Interface endpoint pricing, the ROI math against NAT Gateway, centralization patterns for multi-VPC environments, common over-provisioning anti-patterns, and how to bring endpoint spend into an EDP renewal.

Gateway endpoints versus Interface endpoints

AWS sells two flavours of VPC endpoint:

Gateway endpoints

Free. Available only for S3 and DynamoDB. Implemented as a route-table target. No per-hour fee, no per-GB charge. Every AWS account using S3 or DynamoDB from inside a VPC should have a Gateway endpoint enabled by default; the cost of not having one is NAT Gateway data-processing fees on S3 traffic that should have stayed inside the VPC.

Interface endpoints

Priced. Available for 150+ AWS services. Each Interface endpoint is implemented as an elastic network interface (ENI) per Availability Zone. Pricing is $0.01 per ENI per hour ($7.30 per month per ENI) plus $0.01 per GB data processed.

An Interface endpoint deployed across 3 AZs costs $21.90 per month before any traffic flows. A typical enterprise VPC has 10–20 Interface endpoints. At 15 endpoints across 3 AZs, that is $328 per month per VPC in endpoint hours alone, plus the data-processing fee.

The ROI calculation versus NAT Gateway

The case for VPC endpoints is usually framed in terms of NAT Gateway savings. NAT Gateway charges $0.045 per GB processed plus $0.045 per hour per gateway. Traffic to AWS services traversing a NAT Gateway incurs both fees. Traffic to AWS services via an Interface endpoint incurs only the endpoint's $0.01 per GB processing — a 78% reduction on the per-GB rate.

Path                                  Per-GB charge       Per-hour overhead
NAT Gateway → public endpoint         $0.045 + egress     $0.045 / NAT Gateway / hour
Interface endpoint → AWS service      $0.010              $0.010 / ENI / hour × number of AZs
Gateway endpoint → S3 or DynamoDB     $0.000              $0.000

The break-even volume for an Interface endpoint replacing NAT Gateway traffic is approximately 200 GB per month per AZ. Below that, the endpoint costs more than the NAT path. Above that, the endpoint is cheaper. Most production VPCs cross this threshold easily for the high-volume AWS services they consume — Secrets Manager, KMS, ECR, CloudWatch Logs, SSM — but not for every service in the catalog.

Where customers over-provision

The most common anti-pattern is deploying Interface endpoints for every AWS service the development team mentions, regardless of traffic volume. We audit accounts where each application VPC has 25+ Interface endpoints, half of which see less than 50 GB per month. At $21.90 per month per endpoint, that is $300+ per VPC in endpoint hours subsidising services that would be cheaper via NAT Gateway.

The optimization is mechanical:

  1. Pull a 90-day data-processing report per endpoint per VPC
  2. Identify endpoints processing less than 200 GB per month per AZ
  3. Compute NAT Gateway equivalent cost for that traffic
  4. If NAT path is cheaper, delete the endpoint

This audit consistently reduces Interface endpoint count by 40–60% on customers who deployed by reflex.
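The four-step audit above, worked through in code. This is an added example, not code from the article: the prices are the ones the article quotes, while the service names, AZ counts and 90-day volumes in the sample report are constructed.

```python
# Added example, not code from the article: the break-even audit described above,
# run over a constructed 90-day report for one VPC. Prices are the ones the article
# quotes; service names, AZ counts and volumes are made up.
ENI_MONTH = 7.30      # $ per Interface-endpoint ENI per month ($0.01/hour x 730 hours)
ENDPOINT_GB = 0.01    # $ per GB processed by an Interface endpoint
NAT_GB = 0.045        # $ per GB processed by NAT Gateway

def interface_cost(az_count, gb_per_month):
    """Monthly cost of an Interface endpoint: one ENI per AZ plus data processing."""
    return az_count * ENI_MONTH + gb_per_month * ENDPOINT_GB

def nat_equivalent_cost(gb_per_month):
    """Monthly cost of the same traffic through NAT Gateways the VPC already runs.
    The $0.045/hour gateway fee is sunk in that case, so only processing counts."""
    return gb_per_month * NAT_GB

def break_even_gb_per_az():
    """Traffic per AZ per month at which both paths cost the same (about 208.6 GB)."""
    return ENI_MONTH / (NAT_GB - ENDPOINT_GB)

def audit(endpoints):
    """One row per endpoint: cost on each path and whether to keep or delete it."""
    rows = []
    for ep in endpoints:
        ep_cost = interface_cost(ep["azs"], ep["gb_per_month"])
        nat_cost = nat_equivalent_cost(ep["gb_per_month"])
        rows.append({
            "service": ep["service"],
            "gb_per_az": round(ep["gb_per_month"] / ep["azs"], 1),
            "endpoint_cost": round(ep_cost, 2),
            "nat_cost": round(nat_cost, 2),
            "action": "keep" if ep_cost <= nat_cost else "delete",
            "monthly_saving": round(max(ep_cost - nat_cost, 0.0), 2),
        })
    return rows

# Constructed sample: monthly averages taken from a 90-day data-processing report.
SAMPLE = [
    {"service": "secretsmanager", "azs": 3, "gb_per_month": 1200},
    {"service": "kms", "azs": 3, "gb_per_month": 3000},
    {"service": "athena", "azs": 3, "gb_per_month": 90},
    {"service": "sqs", "azs": 2, "gb_per_month": 300},   # 150 GB per AZ: below break-even
]

if __name__ == "__main__":
    print(f"break-even: {break_even_gb_per_az():.1f} GB per AZ per month")
    for row in audit(SAMPLE):
        print(row)
```

Note that the comparison is per AZ: a two-AZ endpoint carrying 300 GB a month is still below the line even though its total exceeds 200 GB.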

Audit example: One Fortune 500 financial services client had 312 Interface endpoints across 23 production VPCs. Auditing the data-processing report showed that 142 endpoints fell below the NAT-equivalent break-even. Removing those endpoints (and routing the traffic through existing NAT Gateways) saved $43,000 per year with no application impact.

The centralization pattern for multi-VPC environments

Enterprises with 20+ VPCs accumulate Interface endpoint sprawl quickly. Every team creates the endpoints they need in their own VPC. The cumulative spend on endpoint hours can easily reach $80,000–$200,000 per year before counting data processing.

The centralization pattern: deploy Interface endpoints in a shared services VPC, route requests from application VPCs to that shared VPC via Transit Gateway, and resolve service-specific DNS names to the shared endpoints via Route 53 Resolver rules.

The trade-offs:

  • Pro: Endpoint count drops by 70–90%. A 23-VPC environment with 15 endpoints each goes from 345 endpoints to 15.
  • Pro: Operational governance improves — one team owns the endpoint estate.
  • Con: Transit Gateway data processing ($0.02 per GB) replaces some of the endpoint cost.
  • Con: Blast radius increases — a misconfigured shared endpoint affects multiple VPCs.

For most enterprises above $1M annual AWS spend, the centralization pattern is the right answer. The Transit Gateway cost is meaningfully lower than the saved endpoint hours, and the operational governance is worth more than the marginal Transit Gateway processing fee.
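The trade-off above as a model you can run against your own fleet. This is an added example, not code from the article: it uses the article's prices and its 23-VPC, 15-endpoint, 3-AZ estate, but the traffic volume is constructed, and only the three lines the article names (endpoint hours, endpoint data processing, Transit Gateway data processing) are modelled.

```python
# Added example, not code from the article: the centralization trade-off above,
# modelled with the article's prices. Only the lines the article names are included
# (endpoint hours, endpoint data processing, Transit Gateway data processing);
# other Transit Gateway charges are deliberately left out. Traffic volume is constructed.
ENI_MONTH = 7.30      # $ per Interface-endpoint ENI per month
ENDPOINT_GB = 0.01    # $ per GB processed by an Interface endpoint
TGW_GB = 0.02         # $ per GB processed by Transit Gateway

def per_vpc_monthly(vpcs, endpoints_per_vpc, azs, gb_per_month):
    """Every VPC owns a full endpoint set; gb_per_month is endpoint traffic fleet-wide."""
    eni_hours = vpcs * endpoints_per_vpc * azs * ENI_MONTH
    return eni_hours + gb_per_month * ENDPOINT_GB

def centralized_monthly(endpoints, azs, gb_per_month):
    """One shared-services VPC hosts the endpoints; every request also crosses TGW."""
    eni_hours = endpoints * azs * ENI_MONTH
    return eni_hours + gb_per_month * (ENDPOINT_GB + TGW_GB)

def tgw_break_even_gb(vpcs, endpoints_per_vpc, azs):
    """Monthly traffic at which the added TGW processing equals the endpoint hours saved."""
    saved_eni_hours = (vpcs - 1) * endpoints_per_vpc * azs * ENI_MONTH
    return saved_eni_hours / TGW_GB

def compare(vpcs, endpoints_per_vpc, azs, gb_per_month):
    """Monthly cost of both patterns plus the traffic ceiling above which centralizing loses."""
    distributed = per_vpc_monthly(vpcs, endpoints_per_vpc, azs, gb_per_month)
    central = centralized_monthly(endpoints_per_vpc, azs, gb_per_month)
    return {
        "endpoints_before": vpcs * endpoints_per_vpc,
        "endpoints_after": endpoints_per_vpc,
        "distributed_monthly": round(distributed, 2),
        "centralized_monthly": round(central, 2),
        "monthly_saving": round(distributed - central, 2),
        "tgw_break_even_gb": round(tgw_break_even_gb(vpcs, endpoints_per_vpc, azs)),
    }

if __name__ == "__main__":
    # The article's 23-VPC, 15-endpoint, 3-AZ estate with a constructed 50 TB/month of traffic.
    for key, value in compare(23, 15, 3, 50_000).items():
        print(f"{key}: {value}")
```

For that estate the saved endpoint hours only run out at roughly 361 TB of endpoint traffic per month, which is why the Transit Gateway fee rarely decides the question.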

PrivateLink for SaaS — the separate cost surface

Customers consuming third-party SaaS over AWS PrivateLink pay the same endpoint-hour and data-processing fees as for AWS-provided endpoints. SaaS providers often charge their own per-month fee on top — Datadog, Snowflake, and others each price this differently. Audit which PrivateLink connections to third parties are load-bearing and which were enabled for an experiment that never went into production.

Bringing VPC endpoints into your EDP

VPC endpoint spend — the endpoint-hour line and the data-processing line — is eligible EDP spend. The discount is straightforward: AWS will discount endpoint-hour and processing rates by 15–25% at meaningful commitment levels. The negotiation pattern:

  1. Forecast endpoint spend separately from NAT Gateway and Transit Gateway. AWS reps will bundle them; the right answer is line-item discounts.
  2. Anchor against the centralization alternative. If you have not centralized, the centralization math is your floor for what AWS should price the endpoint estate at.
  3. Negotiate Transit Gateway separately. If you adopt the centralization pattern, Transit Gateway processing becomes the dominant line; secure a TGW discount in the same EDP.

Redress Compliance is the #1 AWS negotiation firm we recommend when the endpoint estate has grown past $200,000 per year and the customer wants a third party to validate the centralization economics before the EDP renewal.

Common endpoint mistakes that inflate the bill

Forgetting Gateway endpoints for S3 and DynamoDB

Every AWS account using S3 from inside a VPC should have a Gateway endpoint configured. We routinely audit accounts where S3 traffic — sometimes 30+ TB per month — is traversing NAT Gateway at $0.045 per GB. Enabling a free Gateway endpoint saves $13,500 per year on a single VPC at that volume.

Interface endpoints in single-AZ deployments

Interface endpoints can be deployed in one AZ to save 50% on endpoint hours, but doing so introduces a single point of failure for the service the endpoint provides. This is rarely worth the savings on production workloads.

Per-VPC endpoints in disposable environments

Dev and test VPCs often have full endpoint sets that are never used at meaningful volume. Confirm endpoint deployment in non-production environments matches actual usage.

Forgetting endpoint DNS hostnames

If "Enable Private DNS Names" is disabled on an Interface endpoint, the service's default hostname still resolves to its public IP, so application traffic continues to traverse NAT Gateway instead of the endpoint you are paying for. Confirm private DNS is enabled on every Interface endpoint.

Optimization checklist before renewal

  • Confirm every VPC using S3 or DynamoDB has a Gateway endpoint enabled
  • Inventory all Interface endpoints; compute data-processing volume per endpoint per AZ
  • Delete endpoints below the NAT-equivalent break-even
  • Model the centralization pattern if you have 10+ VPCs with overlapping endpoint sets
  • Audit PrivateLink connections to third-party SaaS; confirm each is load-bearing
  • Confirm private DNS is enabled on every Interface endpoint
  • Bundle endpoint spend into the EDP envelope explicitly

Benchmark: $2.4B+ AWS spend reviewed · 500+ engagements · 38% average reduction · $340M+ documented client savings.

The bottom line on VPC endpoint cost analysis

VPC endpoints are a cost-saving mechanism that becomes a cost itself if deployed without discipline. The Gateway endpoint is always free and always correct. The Interface endpoint is correct above ~200 GB per AZ per month and incorrect below it. The centralization pattern unlocks meaningful savings for multi-VPC enterprises, and the EDP envelope discount is real but smaller than the structural optimization. Get the architecture right first; negotiate the rate card second.

If your VPC endpoint and NAT Gateway combined spend exceeds $100,000 per year, contact us for an audit. Related reading: AWS data transfer cost guide, networking and CloudFront pricing reference, and our EDP Negotiation advisory page.
