Reducing VPC Endpoint costs - deploying an image to Amazon ECS with CodePipeline
I have a basic understanding of AWS architecture; however, I need a way to reduce current costs. My current pipeline is as follows:
- Source react app code from Github
- Use CodeBuild to build a Docker container and push it to ECR.
- Deploy the container into ECS Fargate Cluster
For security reasons, I do not want my ECS service to auto-assign a public IP. Instead I have been using VPC endpoints within the same subnets that the cluster operates in, for the following services:
- com.amazonaws.eu-west-2.ecr.dkr (Interface)
- com.amazonaws.eu-west-2.ecr.api (Interface)
- com.amazonaws.eu-west-2.logs (Interface)
- com.amazonaws.eu-west-2.secretsmanager (Interface)
- com.amazonaws.eu-west-2.s3 (Gateway)
The downside to this is now the majority of my AWS bill is taken up by having VPC endpoints stood up. The two options I thought of are:
- Put a CloudFormation step in CodePipeline to stand up the VPC endpoints before ECS deployment, and delete manually after deployment
- Create a Lambda function step in CodePipeline to stand up the VPC endpoints before deployment, and another Lambda step to delete them afterwards.
Are either of these "best practice" or is there another way I could automatically create/delete these endpoints when required? Any further info required let me know.
That S3 Gateway endpoint won't be costing you anything but yes the Interface endpoints will. I'm not sure how many of each type you're deploying but you only need one of each; they can be shared to save costs as discussed here - https://www.linkedin.com/pulse/how-share-interface-vpc-endpoints-across-aws-accounts-steve-kinsman/.
You mention "I do not want my ECS service to auto-assign a public IP" - fair enough but is this related to your VPC endpoints? VPC endpoints allow your service to be deployed in an entirely private subnet without any internet connectivity (plus have some other benefits). If you don't use VPC endpoints you'll need outbound access to get to AWS services, but you can do that via NAT and don't need a public IP address for your service.
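The stack the asker's first option would create before the ECS deploy action and delete afterwards, as an added example that is not from the original post or from AWS: it holds only the four interface endpoints (the S3 gateway endpoint is free, as the answer notes, so it can stay in place permanently) and admits only HTTPS from inside the VPC. The parameter names, the default CIDR and the security-group name are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Interface endpoints stood up only around the ECS deploy (example stack;
  parameter names and the default CIDR are assumptions, not from the post).
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  VpcCidr:                      # assumed default; set to the CIDR of VpcId
    Type: String
    Default: 10.0.0.0/16
  SubnetIds:                    # the subnets the Fargate tasks run in
    Type: List<AWS::EC2::Subnet::Id>
Resources:
  # Each interface endpoint is an ENI in your subnets; admit only HTTPS from inside the VPC.
  EndpointSg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS to VPC interface endpoints from inside the VPC only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: !Ref VpcCidr }
  # PrivateDnsEnabled makes the regional service hostnames resolve to the endpoint ENIs,
  # so the ECS agent and the task never need a route to the public service addresses.
  EcrDkrEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Interface
      ServiceName: !Sub com.amazonaws.${AWS::Region}.ecr.dkr
      VpcId: !Ref VpcId
      SubnetIds: !Ref SubnetIds
      SecurityGroupIds: [ !Ref EndpointSg ]
      PrivateDnsEnabled: true
  # The remaining three differ only in ServiceName; written compactly for brevity.
  EcrApiEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties: { VpcEndpointType: Interface, ServiceName: !Sub "com.amazonaws.${AWS::Region}.ecr.api",
      VpcId: !Ref VpcId, SubnetIds: !Ref SubnetIds, SecurityGroupIds: [ !Ref EndpointSg ], PrivateDnsEnabled: true }
  LogsEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties: { VpcEndpointType: Interface, ServiceName: !Sub "com.amazonaws.${AWS::Region}.logs",
      VpcId: !Ref VpcId, SubnetIds: !Ref SubnetIds, SecurityGroupIds: [ !Ref EndpointSg ], PrivateDnsEnabled: true }
  SecretsManagerEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties: { VpcEndpointType: Interface, ServiceName: !Sub "com.amazonaws.${AWS::Region}.secretsmanager",
      VpcId: !Ref VpcId, SubnetIds: !Ref SubnetIds, SecurityGroupIds: [ !Ref EndpointSg ], PrivateDnsEnabled: true }
```

One caveat when tearing this stack down after the deploy: the ecr and secretsmanager endpoints are used whenever a task starts (image pull, secret injection) and the logs endpoint for as long as it runs, not only during the pipeline, so a task replaced later by scaling or a crash restart has no path to those services unless NAT or a persistent endpoint remains.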