Reducing VPC Endpoint costs - deploying an image to Amazon ECS with CodePipeline
I have a basic understanding of AWS architecture; however, I need a way to reduce current costs. My current pipeline is as follows:
- Source react app code from Github
- Use CodeBuild to build a Docker container and push it to ECR.
- Deploy the container into ECS Fargate Cluster
For security reasons, I do not want my ECS service to auto-assign a public IP. Instead I have been using VPC endpoints within the same subnets that the cluster operates in, for the following services:
- com.amazonaws.eu-west-2.ecr.dkr (Interface)
- com.amazonaws.eu-west-2.ecr.api (Interface)
- com.amazonaws.eu-west-2.logs (Interface)
- com.amazonaws.eu-west-2.secretsmanager (Interface)
- com.amazonaws.eu-west-2.s3 (Gateway)
The downside to this is now the majority of my AWS bill is taken up by having VPC endpoints stood up. The two options I thought of are:
- Put a CloudFormation step in CodePipeline to stand up the VPC endpoints before ECS deployment, and delete manually after deployment
- Create a Lambda function step in CodePipeline to stand up the VPC endpoints before deployment, and another Lambda step to delete them afterwards.
Are either of these "best practice" or is there another way I could automatically create/delete these endpoints when required? Any further info required let me know.
That S3 Gateway endpoint won't be costing you anything but yes the Interface endpoints will. I'm not sure how many of each type you're deploying but you only need one of each; they can be shared to save costs as discussed here - https://www.linkedin.com/pulse/how-share-interface-vpc-endpoints-across-aws-accounts-steve-kinsman/.
You mention "I do not want my ECS service to auto-assign a public IP" - fair enough but is this related to your VPC endpoints? VPC endpoints allow your service to be deployed in an entirely private subnet without any internet connectivity (plus have some other benefits). If you don't use VPC endpoints you'll need outbound access to get to AWS services, but you can do that via NAT and don't need a public IP address for your service.
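One way to implement the questioner's second option (a Lambda Invoke action before the ECS deploy stage that creates the interface endpoints, and the same function after it that deletes them), written as an added example for this thread rather than code from the questioner, the answerer or AWS. It manages only the four interface endpoints, since the S3 gateway endpoint is free and can stay. Assumptions: the action passes JSON `UserParameters` with the keys `mode`, `region`, `vpc_id`, `subnet_ids` and `security_group_id` (names chosen here), a security group allowing TCP 443 from the task subnets already exists, the function's role may call the EC2 and CodePipeline APIs used, and the `managed-by` tag is the chosen marker so the delete step never touches endpoints created by hand.

```python
# Added example: CodePipeline Invoke action that stands up the interface VPC
# endpoints before an ECS deployment and tears them down afterwards.
# Not the questioner's or AWS's code; UserParameter keys and the tag are
# assumptions made for this example.
import json

try:
    import boto3  # present in the Lambda runtime; not needed for offline tests
except ImportError:  # pragma: no cover
    boto3 = None

# Marker tag so the delete step only removes endpoints this function created.
OWNER_TAG = {"Key": "managed-by", "Value": "codepipeline-endpoint-step"}

# The four interface endpoints from the question (the S3 gateway one is free).
INTERFACE_SERVICES = ("ecr.dkr", "ecr.api", "logs", "secretsmanager")


def parse_user_params(raw):
    """Validate the action's UserParameters JSON (key names are assumed)."""
    params = json.loads(raw)
    for key in ("mode", "region", "vpc_id", "subnet_ids", "security_group_id"):
        if key not in params:
            raise ValueError(f"missing UserParameter {key}")
    if params["mode"] not in ("create", "delete"):
        raise ValueError("mode must be create or delete")
    return params


def owned_endpoints(ec2, vpc_id):
    """Return the endpoints in this VPC that carry OWNER_TAG."""
    resp = ec2.describe_vpc_endpoints(Filters=[
        {"Name": "vpc-id", "Values": [vpc_id]},
        {"Name": f"tag:{OWNER_TAG['Key']}", "Values": [OWNER_TAG["Value"]]},
    ])
    return resp["VpcEndpoints"]


def ensure_endpoints(ec2, params):
    """Create any missing endpoint; True only once all are 'available'."""
    existing = {e["ServiceName"]: e for e in owned_endpoints(ec2, params["vpc_id"])}
    for svc in INTERFACE_SERVICES:
        name = f"com.amazonaws.{params['region']}.{svc}"
        if name in existing:
            continue  # idempotent: re-invocations do not duplicate endpoints
        created = ec2.create_vpc_endpoint(
            VpcId=params["vpc_id"],
            ServiceName=name,
            VpcEndpointType="Interface",
            SubnetIds=params["subnet_ids"],
            SecurityGroupIds=[params["security_group_id"]],
            PrivateDnsEnabled=True,  # tasks keep using the normal AWS hostnames
            TagSpecifications=[{"ResourceType": "vpc-endpoint", "Tags": [OWNER_TAG]}],
        )
        existing[name] = created["VpcEndpoint"]
    # A new endpoint sits in 'pending' for a few minutes before 'available'.
    return all(e["State"] == "available" for e in existing.values())


def remove_endpoints(ec2, params):
    """Delete every owned endpoint; return the ids that were deleted."""
    ids = [e["VpcEndpointId"] for e in owned_endpoints(ec2, params["vpc_id"])]
    if ids:
        resp = ec2.delete_vpc_endpoints(VpcEndpointIds=ids)
        failed = sorted(u["ResourceId"] for u in resp.get("Unsuccessful", []))
        if failed:
            raise RuntimeError(f"could not delete {failed}")
    return ids


def run_job(job, ec2, codepipeline):
    """Handle one CodePipeline job; returns 'done', 'waiting' or 'failed'."""
    job_id = job["id"]
    try:
        params = parse_user_params(
            job["data"]["actionConfiguration"]["configuration"]["UserParameters"])
        if params["mode"] == "create" and not ensure_endpoints(ec2, params):
            # Hand back a continuation token: CodePipeline re-invokes the
            # function later instead of the Lambda sleeping until 'available'.
            codepipeline.put_job_success_result(jobId=job_id, continuationToken="poll")
            return "waiting"
        if params["mode"] == "delete":
            remove_endpoints(ec2, params)
        codepipeline.put_job_success_result(jobId=job_id)
        return "done"
    except Exception as exc:  # report the failure so the stage stops
        codepipeline.put_job_failure_result(
            jobId=job_id, failureDetails={"type": "JobFailed", "message": str(exc)})
        return "failed"


def lambda_handler(event, context):
    """Lambda entry point; the real boto3 clients are created only here."""
    return run_job(event["CodePipeline.job"], boto3.client("ec2"),
                   boto3.client("codepipeline"))
```

The same function serves both stages: the action before the deploy passes `{"mode": "create", ...}` and the one after passes `{"mode": "delete", ...}`. The continuation-token path matters in practice because an interface endpoint is not usable while it is still `pending`, so the deploy stage must not start until the create step has reported the endpoints `available`. Note that an endpoint deleted after every deployment also removes the private path the running tasks use for CloudWatch Logs and Secrets Manager at runtime, which is the point the answer above makes: endpoints for those two services are needed for as long as the tasks run, not just during deployment.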