Private networking on AWS is one of the few areas where the right answer is "spend more money, save more money." Gateway endpoints are literally free. Interface endpoints pay back at ~150 GB/month. PrivateLink and Transit Gateway have ROI envelopes that depend almost entirely on traffic volume. The math is not hard — but almost nobody computes it before designing the network.
The four tools
- Gateway endpoints — S3 and DynamoDB only. Free. Add to the route table. Period.
- Interface endpoints (PrivateLink for AWS services) — per-AZ ENI for an AWS service (Secrets Manager, KMS, ECR, CloudWatch Logs, etc.). ~$7/mo per endpoint per AZ + $0.01/GB processed.
- PrivateLink (custom) — expose your own service across accounts/VPCs without VPC peering. Same per-AZ + per-GB pricing on the consumer side.
- Transit Gateway — central hub-and-spoke routing between VPCs and on-premises. ~$36/mo per attachment + $0.02/GB.
ROI math, simulated
| Scenario | Without | With | Break-even |
|---|---|---|---|
| S3 from VPC, 500 GB/mo via NAT | $22.50/mo NAT data | $0 (Gateway endpoint) | Immediate |
| Secrets Manager, 50 GB/mo | $2.25 NAT + $0 NAT base apportioned | $21 endpoint + $0.50 data | ~150 GB/mo per AZ |
| ECR pulls, 2 TB/mo from 3 AZs | ~$90 NAT data | $63 endpoints + $20 data = $83 | Even at 2 TB; clear win at 5 TB |
| Inter-VPC mesh, 5 VPCs, 4 TB/mo | VPC peering: complex + free transit | TGW: $180 attachments + $80 transit = $260 | TGW worth it when peerings exceed ~10 |
When each tool earns its keep
Gateway endpoints
Always. There is no scenario where you should be routing S3 or DynamoDB traffic through a NAT Gateway. Free, fast, fewer moving parts.
Interface endpoints
Once any AWS service crosses ~150 GB/month per AZ. ECR, CloudWatch Logs, and Secrets Manager are common winners. KMS often is, too, at meaningful encryption volume.
PrivateLink (custom)
Cross-account service exposure. Replaces VPC peering complexity at the cost of per-GB transit. Worth it when you have many consumers; less so for 1:1.
Transit Gateway
The math flips around 6–10 VPC peerings. Below that, peering is simpler and cheaper. Above that, TGW pays for itself in operational sanity.
Traps to avoid
- Interface endpoints in every AZ "for redundancy." The base cost is per AZ. If your traffic is concentrated in one AZ (AZ-aware routing), the second/third endpoint is wasted spend.
- TGW for two VPCs. A single VPC peering is free, low-latency, and simpler. TGW is for hubs of 5+ VPCs.
- Forgetting on-premises egress. Direct Connect + TGW changes the calculus dramatically. Model your on-premises traffic explicitly.
List your endpoints. List their processed-bytes/month from CloudWatch. Divide cost by GB. Anything below ~150 GB/mo per AZ on Interface endpoints is probably losing money against NAT. Anything missing a Gateway endpoint for S3 or DynamoDB is definitely losing money.
Simulating network ROI on pinpole
The pinpole canvas models endpoints and TGW attachments as explicit nodes with per-AZ cost and per-GB transit. Add an endpoint, watch the NAT processed-byte line drop. Add a TGW attachment, watch the peering complexity collapse. The number you're optimising for is total monthly networking cost — not endpoint count.
The cheapest gigabyte is the one routed privately.
Simulate endpoints and Transit Gateway ROI on the canvas. Surface break-even points before you deploy.
Start 14-day free trial →