How to setup interface VPC endpoints in a multi tier architecture?

Question

Customer want to use an interface VPC endpoint (for Cloudwatch logs specifically). Their main driver is that they want to reduce NAT gateway usage charges. Now they have a VPC with 4-tiers of subnets (Public, Web, App, database). Each tier can access/route to the lower tier only. What is the best practice to set this up from a cost/security perspective?. They currently don't use Transit Gateway or a multi-VPC/account architecture

1. 4 interface endpoints per network tier?
2. Create a new tier (lets say vpc endpoint tier) and centralize the VPC endpoint there?
3. Something else?

Accepted Answer

In this scenario, #2 option would be better, where you create a new "tier" similar to a network services VPC design. No need to add multiple sets of interface endpoints.

In regards to the potential future state, you may want to consider an actual network services VPC depending on the number of VPCs and VPC endpoints you need. It is simple enough to change down the road if you end up needing a network services VPC to host the VPC endpoints though, so I would not start out with that design.

Refer to [Centralized access to VPC private endpoints](https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/centralized-access-to-vpc-private-endpoints.html)  in the Whitepaper.

How to setup interface VPC endpoints in a multi tier architecture?

Relevant questions

Benefits to S3 cross-region access with VPC peered interface endpoints vs. public internet using NAT gateways?

How do I create a VPC Endpoint for S3 Interface?

S3 Interface Endpoint

Best way to manage access to a VPC Endpoint

Reducing VPC Endpoint costs - deploying an image to Amazon ECS with CodePipeline

SQS interface endpoint for cross region access