This is a common design decision that I have seen when you have VPC interface endpoints in centralized and decentralized architectures. You can think through it as below:
- For S3, use S3 Gateway Endpoints, as they are free (no data processing charge, no hourly charge) and do not require PrivateLink. They work at the route table level within a VPC.
- Centralizing S3 via an interface endpoint through TGW means you pay TGW data processing charges on every byte of S3 traffic. For high-volume S3 workloads this can be very costly. So, deploy S3 Gateway Endpoints locally in each spoke VPC: no TGW hop, no cost.
- For SSM and KMS you can evaluate based on traffic volume; these interface endpoints can be relatively low-traffic (control plane calls, not data plane bulk transfers). Centralizing these is generally fine and simplifies endpoint management. However, if you have hundreds of EC2 instances polling SSM or making frequent KMS calls, the TGW data processing cost ($0.02/GB) and TGW attachment hours can add up.
Note:
- Centralized is generally more cost effective for higher numbers of endpoints
- For higher traffic, the decentralized approach is more cost effective
- The best choice can vary for low numbers of VPCs and endpoints
- Every scenario is different; do your own math
Also, some general guidance for centralized endpoints and things to remember:
- Interface endpoints support up to 10 Gbps per AZ with burst to 40 Gbps
- There is an extra hop via TGW for centralized endpoints. For latency-sensitive applications, local endpoints are preferable.
- TGW data processing ($0.02/GB) + interface endpoint hourly charge vs. per-VPC interface endpoint hourly charges. At scale, centralization saves on endpoint hours but can cost more in TGW data processing; run the numbers for your specific traffic profile.
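The "do your own math" step above, as an added example that is not part of the answer: a small cost model comparing the centralized (shared endpoints behind TGW) and decentralized (per-spoke endpoints) designs and computing the monthly traffic volume at which the TGW data-processing charge outweighs the saved endpoint hours. The $0.02/GB TGW rate comes from the answer; the per-AZ endpoint hourly rate and the TGW attachment hourly rate are assumed placeholder inputs, so substitute current pricing for your Region.

```python
"""Centralized vs decentralized VPC interface endpoint cost model (constructed example)."""
from dataclasses import dataclass

HOURS_PER_MONTH = 730


@dataclass
class Scenario:
    spoke_vpcs: int                 # spoke VPCs that need the services
    azs: int                        # AZs each endpoint spans (one ENI per AZ)
    services: int                   # interface-endpoint services, e.g. SSM and KMS
    gb_per_month: float             # total endpoint traffic from all spokes
    tgw_gb_rate: float = 0.02       # from the answer: TGW data processing, $/GB
    endpoint_hour_rate: float = 0.01   # ASSUMED placeholder: $/hour per endpoint per AZ
    tgw_attach_hour_rate: float = 0.05 # ASSUMED placeholder: $/hour per spoke attachment
    count_tgw_attachments: bool = False  # True only if spokes attach to TGW solely for endpoints


def decentralized_cost(s: Scenario) -> float:
    """One endpoint per service in every spoke VPC; traffic never crosses TGW."""
    return s.spoke_vpcs * s.services * s.azs * s.endpoint_hour_rate * HOURS_PER_MONTH


def centralized_fixed_cost(s: Scenario) -> float:
    """Hourly charges of the centralized design, independent of traffic volume."""
    endpoint_hours = s.services * s.azs * s.endpoint_hour_rate * HOURS_PER_MONTH
    attach_hours = 0.0
    if s.count_tgw_attachments:
        attach_hours = s.spoke_vpcs * s.tgw_attach_hour_rate * HOURS_PER_MONTH
    return endpoint_hours + attach_hours


def centralized_cost(s: Scenario) -> float:
    """Shared endpoints in the services VPC plus TGW data processing on every byte."""
    return centralized_fixed_cost(s) + s.gb_per_month * s.tgw_gb_rate


def breakeven_gb(s: Scenario) -> float:
    """Monthly traffic above which the decentralized design becomes cheaper."""
    return (decentralized_cost(s) - centralized_fixed_cost(s)) / s.tgw_gb_rate


def cheaper_option(s: Scenario) -> str:
    return "centralized" if centralized_cost(s) < decentralized_cost(s) else "decentralized"


if __name__ == "__main__":
    # Constructed scenario: 20 spokes, 2 AZs, SSM + KMS, 1 TB/month of control-plane traffic
    sc = Scenario(spoke_vpcs=20, azs=2, services=2, gb_per_month=1000)
    print(f"decentralized ${decentralized_cost(sc):.2f}/mo, centralized ${centralized_cost(sc):.2f}/mo")
    print(f"break-even at {breakeven_gb(sc):.0f} GB/month -> {cheaper_option(sc)}")
```

S3 gateway endpoints are deliberately absent from the model: they carry neither charge, which is why the answer keeps them local in every spoke.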