We’re redesigning our backup architecture and debating whether to route S3 backup traffic through VPC gateway endpoints versus keeping our current internet gateway setup. Currently running backups from 40+ EC2 instances (mix of databases and application servers) to S3 buckets in us-east-1.
The main drivers are cost reduction (NAT gateway charges are significant) and meeting new security compliance requirements that prefer private connectivity. We’ve looked at both gateway endpoints for S3 and interface endpoints for other services, but the configuration complexity and potential hybrid connectivity implications have us questioning the best approach.
Has anyone migrated from internet gateway to VPC endpoints for backup workflows? Particularly interested in experiences with gateway versus interface endpoints, cost savings realized, and any gotchas with hybrid setups connecting to on-premises systems.
For hybrid connectivity, consider your on-premises backup integration carefully. If you have Direct Connect or VPN connections, VPC endpoints work seamlessly - on-prem systems can access S3 through the endpoint if you configure routing properly. However, you’ll need to enable private DNS for interface endpoints, which requires enableDnsHostnames and enableDnsSupport on your VPC. Gateway endpoints don’t need this since they use route table entries. We route on-prem backup traffic through Transit Gateway to VPCs with gateway endpoints - works perfectly and keeps everything private.
Implementation recommendation based on your requirements: use gateway endpoints for S3 backup traffic and selectively add interface endpoints only for services that need private connectivity.
VPC Gateway Endpoints (S3): Create gateway endpoint in each VPC handling backups. Associate with all route tables where backup instances reside. This routes S3 traffic privately with zero additional cost. No NAT gateway charges, no data transfer fees. Configure endpoint policy to restrict access to your backup buckets only:
Interface Endpoints Configuration: If using AWS Backup, Systems Manager, or CloudWatch for backup operations, deploy interface endpoints in each AZ for high availability. Enable private DNS so service calls automatically resolve to endpoint addresses. These cost $0.01/hour per AZ plus $0.01/GB data processed, but eliminate NAT gateway dependency.
NAT Gateway Cost Comparison: Your current setup likely costs $0.045/hour per NAT Gateway (×3 for multi-AZ = $97.20/month base) plus $0.045/GB data transfer. For 10TB monthly backups, that’s $450+ in transfer costs alone. Gateway endpoints eliminate both charges for S3 traffic.
Hybrid Connectivity Options: For Direct Connect or VPN scenarios, enable route propagation so on-premises networks can reach VPC endpoints. Gateway endpoints appear as route table entries (prefix list for S3). Interface endpoints need security group rules allowing on-prem CIDR ranges. Consider using Route 53 Resolver endpoints (inbound) if on-prem systems need to resolve VPC endpoint DNS names.
Security Compliance Requirements: Implement defense in depth: (1) VPC endpoint policies restricting service actions, (2) S3 bucket policies requiring aws:sourceVpce condition, (3) VPC Flow Logs monitoring endpoint traffic, (4) AWS Config rules verifying endpoint configurations, (5) IAM policies scoped to specific endpoints. This satisfies most frameworks requiring private connectivity and network isolation.
Migration approach: Deploy gateway endpoint first (zero downtime - routing automatically prefers more specific routes). Test backup operations thoroughly. Then add interface endpoints for auxiliary services. Update security groups to allow VPC CIDR ranges instead of 0.0.0.0/0. Finally, remove NAT Gateway routes from backup instance subnets. We’ve done this migration for 8 customers - typical implementation takes 2-3 days with proper testing, and all achieved 55-70% cost reduction on backup-related networking.
One thing to watch with gateway endpoints - they only support S3 and DynamoDB. If your backup solution uses other AWS services (like SNS for notifications or Lambda for orchestration), you’ll need interface endpoints for those, which DO have hourly charges plus data processing fees. We ended up with a hybrid approach: gateway endpoint for S3 backup data, interface endpoints for control plane services. Still saved about 60% on NAT costs.
From a compliance perspective, VPC endpoints are excellent. They allow you to create S3 bucket policies that restrict access to specific VPC endpoints only, which satisfies most data residency and private connectivity requirements. We use condition keys like aws:sourceVpce to enforce that backups can only be written from our designated VPCs. This eliminated our auditors’ concerns about data potentially traversing the public internet. Make sure you enable VPC endpoint policies to add an extra security layer - you can restrict which S3 buckets are accessible through the endpoint.
Gateway endpoints for S3 are absolutely the way to go for backup traffic. We made this switch last year and saw immediate benefits. No data transfer charges, no NAT gateway costs for that traffic, and it stays entirely within the AWS network. Configuration is straightforward - just create the gateway endpoint and associate it with your route tables. Your existing S3 API calls work unchanged.