How to use AWS VPC endpoints in NAT enabled subnets?

3
votes

I am using few AWS Lambda functions, which are sitting inside private subnets,
These private subnets have VPC endpoints configured for the services for which the functions need access to,
The current setup does not use a NAT gateway, therefore all the traffic from the functions is going through the VPC endpoints.

I now have a use-case where we need to use a NAT gateway,
But would enabling NAT mean that the Functions would no longer use the VPC endpoints for external service access, and instead use the NAT?

2
amazon-web-servicesarchitectureamazon-vpc

2 Answers

5
votes

I think this works as follows. For:

Gateway endpoints (S3, DynamoDB)

Routes to them are added automatically to our route tables when you create them. Docs says:

If you have an existing route in your route table for all internet traffic (0.0.0.0/0) that points to an internet gateway, the endpoint route takes precedence for all traffic destined for the service, because the IP address range for the service is more specific than 0.0.0.0/0. All other internet traffic goes to your internet gateway, including traffic that's destined for the service in other Regions.

Interface VPC Endpoints

They work by modifying IP addresses in a DNS of a service. The IP address will be private addresses of the endpoint interfaces. Docs says:

The hosted zone contains a record set for the default DNS name for the service (for example, ec2.us-east-1.amazonaws.com) that resolves to the private IP addresses of the endpoint network interfaces in your VPC. This enables you to make requests to the service using its default DNS hostname instead of the endpoint-specific DNS hostnames.

To use private DNS, you must set the following VPC attributes to true: enableDnsHostnames and enableDnsSupport.

Conclusion

So in both cases, priority is given to the interfaces, not the internet. I recommend checking the links provided. They have more info with examples to double check my conclusions.

2
votes

VPC Endpoints or NAT Gateway?

AWS services like EC2, RDS, Lambda, and ElastiCache come with an Elastic Network Interface (ENI), which enables communication from within your VPCs via Private Endpoints. However, many AWS services provide a REST API, available via the Internet only. A few examples: S3, DynamoDB, CloudWatch, SQS, and Kinesis.

There are three options to make these services accessible from private subnets:

  • A VPC Endpoint type: Gateway Endpoints is free of charge, but are only available for S3 and DynamoDB.
  • A VPC Endpoint type: Interface Endpoint costs $7.20 per month and AZ plus $0.01 per GB and is available for most AWS services.
  • A NAT Gateway can be used to access AWS services or any other services with a public API. Costs are $32.40 per month and AZ plus $0.045 per GB.

Keep the following rules of thumb in mind when designing your network architecture.

  • Adding Gateway Endpoints for S3 and DynamoDB should be your default option.
  • Do you need to access non-AWS resources via the Internet, add a NAT Gateway. Do the math if traffic to AWS services justifies additional Interface Endpoints.
  • Are you only accessing AWS services from the private subnets? No more than four different services? Use Interface Endpoints. Otherwise, do the math to calculate costs for Interface Endpoints and NAT Gateway.

Ref Link: https://cloudonaut.io/advanved-aws-networking-pitfalls-that-you-should-avoid/