• OSAM

Reduce Cost and Increase Security with Amazon VPC Endpoints

This blog explains the benefits of using Amazon VPC endpoints and highlights how OSAM can help your business optimize cost and security with this service.



Optimize cost with Amazon VPC endpoints


Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you’ve defined. This virtual network resembles a traditional network that you’d operate in your own data center, with the benefits of using the scalable infrastructure of AWS.


A VPC endpoint allows you to privately connect your VPC to supported AWS services without requiring an Internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Endpoints are virtual devices that are horizontally scaled, redundant, and highly available VPC components. They allow communication between instances in your VPC and services without imposing availability risks or bandwidth constraints on your network traffic.


VPC endpoints enable you to reduce data transfer charges resulting from network communication between private VPC resources (such as Amazon Elastic Cloud Compute—or EC2—instances) and AWS Services (such as Amazon Quantum Ledger Database, or QLDB). Without VPC endpoints configured, communications that originate from within a VPC destined for public AWS services must egress AWS to the public Internet in order to access AWS services. This network path incurs outbound data transfer charges. Data transfer charges for traffic egressing from Amazon EC2 to the Internet vary based on volume. However, at the time of writing, after the first 1GB / Month ($0.00 per GB), transfers are charged at a rate of $ 0.09/GB (for AWS US-East 1 Virginia). With VPC endpoints configured, communication between your VPC and the associated AWS service does not leave the Amazon network. If your workload requires you to transfer significant volumes of data between your VPC and AWS, you can reduce costs by leveraging VPC endpoints.


In larger multi-account AWS environments, network design can vary considerably. Consider an organization that has built a hub-and-spoke network with AWS Transit Gateway. VPCs have been provisioned into multiple AWS accounts, perhaps to facilitate network isolation or to enable delegated network administration. When deploying distributed architectures such as this, a popular approach is to build a shared services VPC, which provides access to services required by workloads in each of the VPCs. This might include directory services or VPC endpoints. Sharing resources from a central location instead of building them in each VPC may reduce administrative overhead and cost.



Figure 1: Centralized VPC Endpoints (multiple VPCs)


Optimize security with Amazon VPC endpoints


There are two types of VPC endpoints: interface endpoints and gateway endpoints. Amazon Simple Storage Service (S3) and Amazon DynamoDB are accessed using gateway endpoints. You can configure resource policies on both the gateway endpoint and the AWS resource that the endpoint provides access to. A VPC endpoint policy is an AWS Identity and Access Management (AWS IAM) resource policy that you can attach to an endpoint. It is a separate policy for controlling access from the endpoint to the specified service. This enables granular access control and private network connectivity from within a VPC. For example, you could create a policy that restricts access to a specific DynamoDB table through a VPC endpoint.



Figure 2: Accessing S3 via a Gateway VPC Endpoint


Interface endpoints enable you to connect to services powered by AWS PrivateLink. This includes a large number of AWS services, services hosted by other AWS customers and partners in their own VPCs, and supported AWS Marketplace partner services. Like gateway endpoints, interface endpoints can be secured using resource policies on the endpoint itself and the resource that the endpoint provides access to. Interface endpoints enable the use of security groups to restrict access to the endpoint.



Figure 3: Accessing QLDB via an Interface VPC Endpoint


Additionally, an organization may have centralized its network and chosen to leverage VPC sharing to enable multiple AWS accounts to create application resources (such as Amazon EC2 instances, Amazon Relational Database Service (RDS) databases, and AWS Lambda functions) into a shared, centrally managed network. With either pattern, establishing a granular set of controls to limit access to resources can be critical to support organizational security and compliance objectives while maintaining operational efficiency.



Figure 4: Centralized VPC Endpoints (shared VPC)


How OSAM can help you


Step 01: ASSESS AND ANALYZE

  • Assess customers’ application infrastructure

  • Gather customers’ specific requirements

Step 02: CONSULT

  • Discuss with customers to find out best-fit services

  • Propose migration planning of Microsoft workloads to AWS

  • Provide customers approved AWS credit package


Step 03: MIGRATE

  • Determine what data and apps can be migrated

  • Move Microsoft workloads to the ideal environment


Step 04: VALIDATE

  • Perform post-migration validation

  • Once validated, we go live


Step 05: OPTIMIZE

  • Deploy managed services for better performance, agility and efficiency

  • Optimize figuration to get the most value of IT investment

48 views
VĂN PHÒNG
LIÊN HỆ
  • Facebook
  • YouTube
  • LinkedIn

Hà Nội

Tầng 2 Tòa nhà Trường Thịnh,

#1 Phùng Chí Kiên, Cầu Giấy.
 

Thành phố Hồ Chí Minh

Tầng 10, Tòa nhà Dreamplex,

#2 Nguyễn Trung Ngạn, Quận 1

Singapore

101 Upper Cross St.

#05-16 People's Park Centre

Nhật Bản

Shinjuku Monolith 19th Floor,

2-3-1 Nishi Shinjuku, Shinjuku-ku

 

Công ty TNHH Quốc Tế OSAM

(+84) 024 22165050.

hello@osam.io

 

9:00AM tới 6:00PM (GMT+7)

Số GCNĐKDN: 0107692699

Nơi cấp: Sở Kế hoạch & Đầu tư Thành phố Hà Nội (06/01/2017)

© Copyright 2020 Osam.io