I'm setting up my API architecture like this: Users' software communicates through a Cloudflare Worker, which leads to a Public API Gateway that connects to my AWS backend, like Lambda. Right now, I'm using Cloudflare's free WAF for protection, but since the API Gateway is public, anyone can access it directly, bypassing Cloudflare. Although unauthorized requests get rejected, they still trigger the API Gateway and I get charged for them, which isn't great.
I'm considering changing my setup to route traffic like this: Users' software -> Cloudflare Worker -> VPC Interface Endpoint -> Private API Gateway. My main question is whether this will truly block charges for requests that are denied by the VPC endpoint policy, before they hit the API Gateway. I'm hoping to avoid costs for unwanted requests entirely. Is this a smart approach? Are there better alternatives out there? I'd love to hear from anyone who's dealt with something similar. Thanks!
1 Answer
How exactly do you plan for the Cloudflare worker to access your VPC endpoint? That’s a key detail! If you're going the route of using a public EC2 instance to reach the VPC endpoint, just keep in mind that you'll incur runtime costs on the EC2 side, but not for each request. Does that fit what you're trying to achieve?
I think you've got the right idea! Your setup would look like: Users' software -> Cloudflare Worker -> public EC2 -> VPC Interface Endpoint -> Private API Gateway. This way, you'll only be charged for EC2 running time, which is much more cost-effective than API requests.
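One concrete piece of the private-API design discussed above, added here as an illustration and not taken from the question or the answer: the API Gateway resource policy that admits traffic only when it arrives through the VPC interface endpoint and explicitly denies everything else. The endpoint ID (`vpce-EXAMPLE`) is a placeholder; a private REST API needs a resource policy of this kind before it can be invoked at all.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "execute-api:/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceVpce": "vpce-EXAMPLE"
        }
      }
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "execute-api:/*",
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-EXAMPLE"
        }
      }
    }
  ]
}
```

The explicit Deny guards against a second endpoint in the same account being granted access later by mistake; the VPC endpoint policy on the endpoint itself is a separate document and should be scoped to the same API.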