
How to set up interface VPC endpoints in a multi-tier architecture?


Customer wants to use an interface VPC endpoint (for CloudWatch Logs specifically). Their main driver is that they want to reduce NAT gateway usage charges. Now they have a VPC with 4 tiers of subnets (Public, Web, App, Database). Each tier can access/route to the lower tier only. What is the best practice to set this up from a cost/security perspective? They currently don't use Transit Gateway or a multi-VPC/account architecture.

  1. 4 interface endpoints, one per network tier?
  2. Create a new tier (let's say a VPC endpoint tier) and centralize the VPC endpoint there?
  3. Something else?
1 Answer
Accepted Answer

In this scenario, #2 option would be better, where you create a new "tier" similar to a network services VPC design. No need to add multiple sets of interface endpoints.

In regards to the potential future state, you may want to consider an actual network services VPC depending on the number of VPCs and VPC endpoints you need. It is simple enough to change down the road if you end up needing a network services VPC to host the VPC endpoints though, so I would not start out with that design.

Refer to Centralized access to VPC private endpoints in the Whitepaper.

answered 2 years ago
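What the accepted answer's "new tier" looks like in practice, as an added Terraform example (not the answer author's code and not from the AWS whitepaper): a pair of small endpoint subnets, one per AZ, hosting a single CloudWatch Logs interface endpoint that the Web and App tiers share. The VPC CIDR, tier CIDRs, AZ names, region and resource names are all assumptions; the endpoint policy and security group are the two places the security boundary actually lives.

```hcl
# Added example (not the answer author's code): a dedicated "endpoint" tier
# hosting one interface endpoint for CloudWatch Logs, reachable from the
# Web and App tiers only. All names, CIDRs and AZs below are assumptions.

variable "region" {
  default = "us-east-1" # assumption
}

data "aws_caller_identity" "current" {}

resource "aws_vpc" "main" {
  cidr_block           = "10.0.0.0/16" # assumed VPC CIDR
  enable_dns_support   = true          # both flags are required for private DNS on the endpoint
  enable_dns_hostnames = true
}

# Assumed tier CIDRs. The endpoint tier gets its own /28 per AZ; interface
# endpoints only need a handful of addresses for their ENIs.
locals {
  web_cidrs = ["10.0.1.0/24", "10.0.2.0/24"]
  app_cidrs = ["10.0.11.0/24", "10.0.12.0/24"]
  endpoint_subnets = {
    "${var.region}a" = "10.0.250.0/28"
    "${var.region}b" = "10.0.250.16/28"
  }
}

resource "aws_subnet" "endpoint" {
  for_each          = local.endpoint_subnets
  vpc_id            = aws_vpc.main.id
  cidr_block        = each.value
  availability_zone = each.key
  tags              = { Name = "endpoint-${each.key}" }
}

# Security group attached to the endpoint ENIs: only the tiers that ship
# logs may reach it, and only over HTTPS. The Database tier is deliberately
# absent, so it keeps no path to CloudWatch Logs through this endpoint.
resource "aws_security_group" "logs_endpoint" {
  name        = "cwlogs-endpoint"
  description = "HTTPS to the CloudWatch Logs interface endpoint from Web and App tiers"
  vpc_id      = aws_vpc.main.id

  ingress {
    description = "HTTPS from Web and App tiers"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = concat(local.web_cidrs, local.app_cidrs)
  }
  # No egress rule: security groups are stateful and the endpoint ENIs only
  # answer connections that the ingress rule admitted.
}

# Endpoint policy: only principals from this account may use the endpoint,
# so credentials belonging to some other account cannot push data out of the
# VPC through it.
data "aws_iam_policy_document" "logs_endpoint" {
  statement {
    effect    = "Allow"
    actions   = ["logs:*"]
    resources = ["*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:PrincipalAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

resource "aws_vpc_endpoint" "logs" {
  vpc_id              = aws_vpc.main.id
  service_name        = "com.amazonaws.${var.region}.logs"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = [for s in aws_subnet.endpoint : s.id]
  security_group_ids  = [aws_security_group.logs_endpoint.id]
  private_dns_enabled = true # logs.<region>.amazonaws.com resolves to the endpoint ENIs VPC-wide
  policy              = data.aws_iam_policy_document.logs_endpoint.json
  tags                = { Name = "cwlogs-interface-endpoint" }
}
```

Two points worth checking before adopting this. First, the "each tier routes only to the lower tier" rule in the question is not a route-table property inside one VPC: the implicit local route makes every subnet reachable from every other, so what limits access to the endpoint is the endpoint's security group (and, if the design uses them, the NACLs on the endpoint subnets). Second, with private DNS enabled the CloudWatch agent and SDKs in the Web and App tiers need no configuration change, and the NAT gateway stops seeing that traffic; the cost trade is one interface endpoint billed per AZ-hour plus data processed, versus four endpoints (one per tier) doing the same job.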
