How to set up interface VPC endpoints in a multi-tier architecture?


A customer wants to use an interface VPC endpoint (for CloudWatch Logs specifically). Their main driver is that they want to reduce NAT gateway usage charges. They have a VPC with 4 tiers of subnets (Public, Web, App, Database). Each tier can access/route to the lower tier only. What is the best practice to set this up from a cost/security perspective? They currently don't use Transit Gateway or a multi-VPC/multi-account architecture.

  1. 4 interface endpoints per network tier?
  2. Create a new tier (let's say a "VPC endpoint" tier) and centralize the VPC endpoints there?
  3. Something else?
AWS
Asked 3 years ago, 387 views
1 answer
Accepted answer (1 vote)

In this scenario, option #2 would be better: create a new "tier", similar to a network services VPC design. There is no need to add multiple sets of interface endpoints.

With regard to the potential future state, you may want to consider an actual network services VPC, depending on the number of VPCs and VPC endpoints you need. It is simple enough to change down the road if you end up needing a network services VPC to host the VPC endpoints, so I would not start out with that design.

Refer to "Centralized access to VPC private endpoints" in the whitepaper.

AWS
Expert
Answered 3 years ago
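The following is an added worked example of option #2, written in Terraform; it is not code from the question or the answer above. It assumes an existing VPC (with DNS support and DNS hostnames enabled, which private DNS on the endpoint requires), a region, the account ID, one small endpoint subnet per Availability Zone, and the CIDR blocks of the Web/App/Database tiers; all of those values are placeholders. Two points matter for security here: inside a single VPC the endpoint ENIs are reachable from every subnet through the VPC's local route, so the "each tier only reaches the tier below" rule is enforced by the endpoint's security group (and NACLs), not by route tables; and the endpoint policy limits who can use the endpoint, which is what stops it from becoming a path for shipping logs to a foreign account.

```hcl
# Added example (not from the original post): a dedicated "endpoint tier"
# hosting one CloudWatch Logs interface endpoint shared by all tiers.
# vpc_id, region, account_id, endpoint_subnets and client_tier_cidrs are
# assumed placeholder values.

variable "vpc_id"     { type = string }                  # existing VPC
variable "region"     { type = string  default = "us-east-1" }
variable "account_id" { type = string }                  # this account only

# One /28 per AZ is plenty: each interface endpoint consumes one IP per AZ.
variable "endpoint_subnets" {
  type    = map(string)                                  # az => cidr
  default = { "us-east-1a" = "10.0.250.0/28", "us-east-1b" = "10.0.250.16/28" }
}

# Tiers that are allowed to send logs through the endpoint.
variable "client_tier_cidrs" {
  type    = list(string)
  default = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]  # Web, App, Database
}

# Endpoint-tier subnets. They only need the VPC local route, so leave them on
# the main route table; no NAT or IGW route is required.
resource "aws_subnet" "endpoint" {
  for_each          = var.endpoint_subnets
  vpc_id            = var.vpc_id
  availability_zone = each.key
  cidr_block        = each.value
  tags              = { Name = "endpoint-${each.key}" }
}

# Security group on the endpoint ENIs: TLS from the client tiers only.
# Because the ENIs never initiate connections, no egress rule is needed
# (Terraform removes the default allow-all egress when none is declared).
resource "aws_security_group" "logs_endpoint" {
  name        = "vpce-cloudwatch-logs"
  description = "HTTPS to the CloudWatch Logs interface endpoint"
  vpc_id      = var.vpc_id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = var.client_tier_cidrs
  }
}

# Endpoint policy: only principals from this account may call Logs through
# the endpoint, and only the write/describe actions log shipping needs.
data "aws_iam_policy_document" "logs_endpoint" {
  statement {
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    actions = [
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents",
      "logs:DescribeLogGroups",
      "logs:DescribeLogStreams",
    ]
    resources = ["arn:aws:logs:${var.region}:${var.account_id}:log-group:*"]
    condition {
      test     = "StringEquals"
      variable = "aws:PrincipalAccount"
      values   = [var.account_id]
    }
  }
}

resource "aws_vpc_endpoint" "logs" {
  vpc_id             = var.vpc_id
  service_name       = "com.amazonaws.${var.region}.logs"
  vpc_endpoint_type  = "Interface"
  subnet_ids         = [for s in aws_subnet.endpoint : s.id]
  security_group_ids = [aws_security_group.logs_endpoint.id]
  policy             = data.aws_iam_policy_document.logs_endpoint.json

  # With private DNS, logs.<region>.amazonaws.com resolves to the endpoint
  # ENI addresses inside the VPC, so SDK/agent traffic stops traversing NAT.
  private_dns_enabled = true

  tags = { Name = "vpce-cloudwatch-logs" }
}

output "logs_endpoint_dns" {
  value = aws_vpc_endpoint.logs.dns_entry
}
```

To check the result from an App-tier host, resolve `logs.<region>.amazonaws.com` and confirm it returns addresses from the endpoint subnets rather than public IPs, then run `aws logs describe-log-groups` with the NAT route removed from that tier's route table; it should still succeed. A host in the Public tier (not in `client_tier_cidrs`) should time out on port 443 to the same name, which confirms the security group, not the route table, is doing the isolation.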
