Hey everyone! I'm finalizing a project for a client and I'd love to get your thoughts on my current AWS setup. I previously asked about cost-effective ways to run NAT, and thanks to your suggestions, I managed to halve my costs using Fck-NAT. Now, I have a VPC with 2 public and 2 private subnets, which I believe is the minimum setup required.
In the private subnets, I have 2 ECS containers running minimal tasks. One task is ingesting data from a website and the other is acting as a web server. The client can set up tools, and these setups are saved as JSON files on S3. I've also set up S3 and Secrets Manager as VPC endpoints that only allow access from the tasks on the private subnet, but these endpoints have fixed costs that are draining my budget.
On the public subnet, there's an ALB directing traffic to my ECS tasks, and Fck-NAT is allowing one task to POST to an API online. I'm struggling to find ways to further cut costs without sacrificing security. I currently use Route 53 with a cheap domain to create an HTTPS certificate that routes to the ALB.
There are painful considerations: scrapping the VPC endpoints would save costs but might compromise security. Am I missing any cost-saving strategies without jeopardizing client security? Thanks a ton for your help!
P.S. I apologize for my spelling in advance!
3 Answers
You could consider getting rid of the VPC endpoint for Secrets Manager and route that traffic through Fck-NAT instead. Since the traffic to Secrets Manager is already HTTPS encrypted, it shouldn't pose a major security risk. I suggest keeping a couple of t4g.nano Fck-NAT instances (around $7/month) for security while managing your ECS containers in the private subnets.
Make sure you're using an S3 gateway instead of an endpoint since you won't get charged for the S3 gateway. If you already have NAT set up, it might not be worth paying for a dedicated Secrets Manager VPC endpoint. Also, depending on your traffic, an API Gateway could be cheaper than using an ALB in front of your ECS services.
Thanks for the tip about the S3 gateway; I actually meant that in my post! I hadn't considered using an API Gateway, though – that's definitely worth looking into.
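To make the two suggestions above concrete, here is an added Terraform example (not code from this thread, the Fck-NAT project, or any poster): a free S3 gateway endpoint scoped to the task role and the config bucket, a bucket policy that refuses requests not arriving through that endpoint, and a Secrets Manager resource policy that compensates for dropping the Secrets Manager interface endpoint and sending that traffic over NAT. All resource names (aws_vpc.main, aws_route_table.private_a/private_b, aws_iam_role.ecs_task, aws_iam_role.admin, aws_s3_bucket.client_config, aws_secretsmanager_secret.app, var.region) are placeholders assumed for the example.

```terraform
# Added example, not code from the thread or from the Fck-NAT project.
# Placeholder names assumed: aws_vpc.main, aws_route_table.private_a / private_b,
# aws_iam_role.ecs_task, aws_iam_role.admin, aws_s3_bucket.client_config,
# aws_secretsmanager_secret.app, var.region.

# 1. S3 gateway endpoint: no hourly or per-GB charge. Attached to the private
#    route tables so the ECS tasks reach S3 without NAT or an interface endpoint.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = aws_vpc.main.id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [aws_route_table.private_a.id, aws_route_table.private_b.id]

  # Endpoint policy: only the task role, and only the client config bucket.
  # aws:PrincipalArn is used instead of a role Principal so assumed-role
  # sessions match without needing the session ARN.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "TaskRoleToConfigBucketOnly"
      Effect    = "Allow"
      Principal = "*"
      Action    = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
      Resource = [
        aws_s3_bucket.client_config.arn,
        "${aws_s3_bucket.client_config.arn}/*",
      ]
      Condition = {
        ArnEquals = { "aws:PrincipalArn" = aws_iam_role.ecs_task.arn }
      }
    }]
  })
}

# 2. Bucket policy: deny any request that did not come through the gateway
#    endpoint, so credentials leaked off the VPC are useless against the bucket.
#    The admin role is exempted; without that exemption a Terraform run from
#    outside the VPC locks itself out of the bucket.
resource "aws_s3_bucket_policy" "client_config" {
  bucket = aws_s3_bucket.client_config.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyUnlessFromVpcEndpoint"
      Effect    = "Deny"
      Principal = "*"
      Action    = "s3:*"
      Resource = [
        aws_s3_bucket.client_config.arn,
        "${aws_s3_bucket.client_config.arn}/*",
      ]
      Condition = {
        # aws:sourceVpce is absent for internet-side requests, and a negated
        # condition on an absent key evaluates true, so those are denied too.
        StringNotEquals = { "aws:sourceVpce" = aws_vpc_endpoint.s3.id }
        ArnNotEquals    = { "aws:PrincipalArn" = aws_iam_role.admin.arn }
      }
    }]
  })
}

# 3. Secrets Manager reached over NAT (TLS end to end, no interface endpoint):
#    the endpoint policy is gone, so scope access on the secret itself.
#    Secrets Manager resource policies require Resource = "*".
resource "aws_secretsmanager_secret_policy" "app" {
  secret_arn = aws_secretsmanager_secret.app.arn
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "TaskRoleReadOnly"
      Effect    = "Allow"
      Principal = { AWS = aws_iam_role.ecs_task.arn }
      Action    = "secretsmanager:GetSecretValue"
      Resource  = "*"
    }]
  })
}
```

The design point is that the interface endpoint for Secrets Manager was doing two jobs: keeping traffic off the NAT path and giving you an `aws:sourceVpce` condition to scope with. Dropping it keeps the TLS protection but loses the second job, which the secret's own resource policy takes over. The S3 gateway endpoint keeps both jobs at no charge, and the bucket policy is what turns "traffic goes through the endpoint" into "traffic can only go through the endpoint".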
Have you thought about making this serverless? You could use an API Gateway and Lambdas to handle the data instead of your current setup.
Yeah, I did consider that! Breaking the web server into smaller Lambda functions could save a ton on load. I hadn't thought of it until I completed the web server, though, but it seems viable now.
That's a solid point about the HTTPS traffic! Routing through the web might really help cut costs while the instances are idle.