By using AWS re:Post, you agree to the Terms of Use
/Reducing VPC Endpoint costs - deploying an image to Amazon ECS with CodePipeline/

Reducing VPC Endpoint costs - deploying an image to Amazon ECS with CodePipeline

0

I have a basic understanding of AWS architecture, however I need a way to reduce current costs. My current pipeline is as follows:

  1. Source react app code from Github
  2. Use CodeBuild to build a docker container and push it to the ECR.
  3. Deploy the container into ECS Fargate Cluster

For security reasons, I do not want my ECS service to auto-assign a public IP. Instead I have been using VPC endpoints within the same subnets that the cluster operates in, for the following services:

  • com.amazonaws.eu-west-2.ecr.dkr (Interface)
  • com.amazonaws.eu-west-2.ecr.api (Interface)
  • com.amazonaws.eu-west-2.logs (Interface)
  • com.amazonaws.eu-west-2.secretsmanager (Interface)
  • com.amazonaws.eu-west-2.s3 (Gateway)

The downside to this is now the majority of my AWS bill is taken up by having VPC endpoints stood up. The two options I thought of are:

  • Put a CloudFormation step in CodePipeline to stand up the VPC endpoints before ECS deployment, and delete manually after deployment
  • Create a Lambda function step in CodePipeline to stand up the VPC endpoints before deployment, and another Lambda step to delete them afterwards.

Are either of these "best practice" or is there another way I could automatically create/delete these endpoints when required? Any further info required let me know.

1 Answers
1

That S3 Gateway endpoint won't be costing you anything but yes the Interface endpoints will. I'm not sure how many of each type you're deploying but you only need one of each; they can be shared to save costs as discussed here - https://www.linkedin.com/pulse/how-share-interface-vpc-endpoints-across-aws-accounts-steve-kinsman/.

You mention "I do not want my ECS service to auto-assign a public IP" - fair enough but is this related to your VPC endpoints? VPC endpoints allow your service to be deployed in an entirely private subnet without any internet connectivity (plus have some other benefits). If you don't use VPC endpoints you'll need outbound access to get to AWS services, but you can do that via NAT and don't need a public IP address for your service.

answered a month ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions