I'm working on a side project and trying to balance security and cost on AWS. My setup includes both RDS and Fargate running in private subnets, and I opted out of creating a NAT Gateway to avoid those extra costs since I don't need outbound internet access right now. To allow Fargate to pull images and access secrets, I set up VPC interface endpoints for ECR and Secrets Manager.
While the service deploys correctly, these endpoints remain idle once the service is running, and they still rack up hourly charges, which isn't ideal for a small project. I'm looking for ways to minimize or avoid these endpoint costs while keeping my Fargate tasks private. Any tips or cost-saving strategies would be greatly appreciated!
2 Answers
VPC endpoints like the ones you've set up always come with costs, so that's a trade-off for using private networking. If you're looking to avoid those fees, consider using a public subnet for some tasks if security is manageable. You could also switch to a self-hosted solution for container images and secrets. For instance, using S3 with a gateway endpoint is free for storage and can cut some costs. Just remember, there’s no easy way to have it all—private setup, low cost, and managed services.
Instead of using Secrets Manager, try using encrypted SSM parameters; they won't cost you anything. Just keep in mind that if you're in a strictly private VPC, you'll still need a private endpoint to access them. It’s a bit of a balancing act between wanting privacy and keeping costs down, but SSM can help you save some money!

That's a fair point, but having no IGW or NAT means public access for SSM won't work. You still need those private endpoints to interact with SSM effectively.
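Pulling the two answers together: the only endpoint that can be made free is the S3 gateway one (which image-layer pulls need anyway), the secrets backend choice swaps one Interface endpoint for another rather than removing it, and the remaining lever on a side project is to not pay for Interface endpoints while nothing is deploying. The script below is an added example, not code from the thread or from AWS. It computes the minimum endpoint set for a private Fargate service, reports the AZ-hours currently being billed, and can create the missing endpoints before a deploy or delete the billed ones after it. It assumes Fargate platform 1.4+ with the awslogs driver (so `ecr.api`, `ecr.dkr` and `logs` Interface endpoints plus an S3 Gateway endpoint are required), boto3 for the live path, and that no task starts while the Interface endpoints are torn down. `SAMPLE_ENDPOINTS` is constructed data in the shape returned by `describe_vpc_endpoints`; VPC, subnet, security-group and route-table IDs are supplied by the caller.

```python
"""Size the private-Fargate endpoint set and tear down the billed ones between deploys.

Added example for the thread above, not code from the original posts or from AWS.
Assumptions: ECS Fargate platform 1.4+ with the awslogs driver, secrets read from
either Secrets Manager or SSM Parameter Store, and no task start-ups while the
Interface endpoints are deleted (a task starting then cannot pull or read secrets).
"""
from __future__ import annotations

import argparse
from dataclasses import dataclass, field

try:  # boto3 is only needed to apply a plan against a real account
    import boto3
except ImportError:  # pragma: no cover
    boto3 = None

# Interface endpoints bill per AZ-hour (one AZ per attached subnet) plus data;
# Gateway endpoints (S3, DynamoDB) are free.
INTERFACE_BASELINE = ("ecr.api", "ecr.dkr", "logs")
GATEWAY_BASELINE = ("s3",)
SECRETS_BACKENDS = ("secretsmanager", "ssm")
LIVE_STATES = {"pendingAcceptance", "pending", "available"}

# Constructed sample of ec2.describe_vpc_endpoints()["VpcEndpoints"]: an ECR API
# and a Secrets Manager endpoint, each spanning two AZs, plus a free S3 gateway.
SAMPLE_ENDPOINTS = [
    {"VpcEndpointId": "vpce-0a1", "VpcEndpointType": "Interface", "State": "available",
     "ServiceName": "com.amazonaws.us-east-1.ecr.api", "SubnetIds": ["subnet-1", "subnet-2"]},
    {"VpcEndpointId": "vpce-0b2", "VpcEndpointType": "Interface", "State": "available",
     "ServiceName": "com.amazonaws.us-east-1.secretsmanager", "SubnetIds": ["subnet-1", "subnet-2"]},
    {"VpcEndpointId": "vpce-0c3", "VpcEndpointType": "Gateway", "State": "available",
     "ServiceName": "com.amazonaws.us-east-1.s3", "SubnetIds": []},
]


def service_name(region: str, suffix: str) -> str:
    return f"com.amazonaws.{region}.{suffix}"


@dataclass
class Plan:
    create_interface: set[str] = field(default_factory=set)  # billed, still missing
    create_gateway: set[str] = field(default_factory=set)    # free, still missing
    delete_ids: list[str] = field(default_factory=list)      # billed Fargate endpoints present now
    az_hours_per_hour: int = 0                               # what those endpoints bill per hour


def plan(existing: list[dict], region: str, secrets_backend: str = "ssm") -> Plan:
    """Compare live endpoints against what a private Fargate task needs."""
    if secrets_backend not in SECRETS_BACKENDS:
        raise ValueError(f"unknown secrets backend {secrets_backend!r}")
    live = [e for e in existing if e.get("State", "available") in LIVE_STATES]
    # Only touch endpoints this service uses; other Interface endpoints in the VPC are left alone.
    managed = {service_name(region, s) for s in INTERFACE_BASELINE + SECRETS_BACKENDS}
    interface = [e for e in live if e["VpcEndpointType"] == "Interface" and e["ServiceName"] in managed]
    gateway = [e for e in live if e["VpcEndpointType"] == "Gateway"]
    want_interface = {service_name(region, s) for s in INTERFACE_BASELINE + (secrets_backend,)}
    want_gateway = {service_name(region, s) for s in GATEWAY_BASELINE}
    return Plan(
        create_interface=want_interface - {e["ServiceName"] for e in interface},
        create_gateway=want_gateway - {e["ServiceName"] for e in gateway},
        delete_ids=[e["VpcEndpointId"] for e in interface],
        az_hours_per_hour=sum(len(e.get("SubnetIds", [])) for e in interface),
    )


def apply_plan(ec2, p: Plan, *, vpc_id: str, subnet_ids: list[str], security_group_ids: list[str],
               route_table_ids: list[str], teardown: bool = False) -> list[str]:
    """Create the missing endpoints (before a deploy) or delete the billed ones (after it)."""
    actions: list[str] = []
    if teardown:
        if p.delete_ids:
            ec2.delete_vpc_endpoints(VpcEndpointIds=p.delete_ids)
            actions.append("deleted " + ",".join(p.delete_ids))
        return actions
    for svc in sorted(p.create_interface):  # fewer subnets here means fewer AZ-hours billed
        ec2.create_vpc_endpoint(VpcId=vpc_id, ServiceName=svc, VpcEndpointType="Interface",
                                SubnetIds=subnet_ids, SecurityGroupIds=security_group_ids,
                                PrivateDnsEnabled=True)
        actions.append(f"created Interface {svc}")
    for svc in sorted(p.create_gateway):  # gateway endpoints attach to route tables, not subnets
        ec2.create_vpc_endpoint(VpcId=vpc_id, ServiceName=svc, VpcEndpointType="Gateway",
                                RouteTableIds=route_table_ids)
        actions.append(f"created Gateway {svc}")
    return actions


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="Toggle Fargate VPC endpoints around a deploy")
    ap.add_argument("--region", required=True)
    ap.add_argument("--vpc-id", required=True)
    ap.add_argument("--subnet-ids", default="", help="comma-separated; one subnet = one AZ-hour per endpoint")
    ap.add_argument("--security-group-ids", default="")
    ap.add_argument("--route-table-ids", default="")
    ap.add_argument("--secrets", choices=SECRETS_BACKENDS, default="ssm")
    ap.add_argument("--teardown", action="store_true", help="delete the billed Interface endpoints")
    args = ap.parse_args()
    ec2 = boto3.client("ec2", region_name=args.region)
    existing = ec2.describe_vpc_endpoints(
        Filters=[{"Name": "vpc-id", "Values": [args.vpc_id]}])["VpcEndpoints"]
    p = plan(existing, args.region, args.secrets)
    print(f"currently billing {p.az_hours_per_hour} AZ-hour(s) per hour on Fargate endpoints")
    for line in apply_plan(ec2, p, vpc_id=args.vpc_id, subnet_ids=args.subnet_ids.split(","),
                           security_group_ids=args.security_group_ids.split(","),
                           route_table_ids=args.route_table_ids.split(","), teardown=args.teardown):
        print(line)
```

Run it without `--teardown` before `aws ecs update-service`, and with `--teardown` once the new tasks are healthy. Two caveats match the thread: switching `--secrets` to `ssm` does not remove an endpoint, it just names a different one, as the last comment says; and while the endpoints are gone ECS cannot replace a task that crashes or scale out, so this only suits a service whose tasks are expected to stay up untouched between deploys. Passing a single subnet in `--subnet-ids` halves the AZ-hours at the cost of AZ redundancy for the endpoint itself.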