Study Guide

AWS SAA-C03: Designing Cost-Optimized Network Architectures

Design cost-optimized network architectures

Designing a cost-effective network in AWS requires a deep understanding of data transfer patterns, the overhead of managed services, and the trade-offs between architectural simplicity and operational costs. This guide focuses on Domain 4.4 of the SAA-C03 exam.

Learning Objectives

After studying this guide, you should be able to:

  • Compare and contrast the costs of VPC Peering versus AWS Transit Gateway.
  • Analyze the cost impact of NAT Gateways versus NAT Instances.
  • Identify free versus paid data transfer paths within the AWS ecosystem.
  • Evaluate VPC Endpoints (Interface vs. Gateway) for cost-efficiency.
  • Leverage Amazon CloudFront to reduce Data Transfer Out (DTO) costs.

Key Terms & Glossary

  • Data Transfer Out (DTO): Traffic leaving the AWS network to the internet. This is almost always the most expensive network component.
  • VPC Peering: A networking connection between two VPCs that routes traffic using private IP addresses. There is no hourly charge, but data transfer fees apply.
  • Transit Gateway (TGW): A hub that connects multiple VPCs and on-premises networks. It carries an hourly charge per attachment plus a data processing fee.
  • NAT Gateway: A managed service that allows instances in a private subnet to connect to the internet. Highly available but includes hourly and per-GB processing fees.
  • VPC Gateway Endpoint: A free routing-based endpoint for Amazon S3 and DynamoDB only.

The "Big Idea"

Important: The primary goal of network cost optimization is to keep traffic private and local. Crossing Availability Zones (AZs), Regions, or the public internet increases costs. Think of networking like a toll road: every time your data crosses a boundary (AZ, Region, or Gateway), you pay a toll.

Formula / Concept Box

Service / Action | Cost Component | Strategy for Optimization
---------------- | -------------- | -------------------------
Inbound Data | $0.00 | Generally free; focus on outbound instead.
Intra-AZ Transfer | $0.00 (using Private IP) | Keep chatty applications within the same AZ.
Inter-AZ Transfer | ~$0.01 per GB | Use AZ-aware routing.
NAT Gateway | $0.045/hr + $0.045/GB | Use Gateway Endpoints for S3/DynamoDB to bypass NAT.
VPC Peering | Data transfer only | Use for simple, low-volume point-to-point connections.
Transit Gateway | Hourly + Data Processing | Use for complex hub-and-spoke topologies to simplify management at scale.

Hierarchical Outline

  • I. Connectivity Costs
    • VPC Peering: Lowest cost for simple connections; no hourly fee.
    • Transit Gateway: Centralized management; best for 10+ VPCs despite hourly fees.
    • Direct Connect (DX): High upfront cost, but lower per-GB DTO rates than the internet.
  • II. Managed Network Services
    • NAT Gateway: Managed, scales automatically, but expensive for high-volume data.
    • NAT Instance: Self-managed on EC2; cheaper for low throughput but requires manual HA.
  • III. VPC Endpoints
    • Gateway Endpoints (S3/DynamoDB): FREE. Always use these over Interface Endpoints for these two services.
    • Interface Endpoints (PrivateLink): Hourly charge + per-GB charge. Use for other services to avoid NAT/Internet costs.
  • IV. Content Delivery
    • CloudFront: Reduces costs by caching at the edge; DTO from CloudFront is often cheaper than DTO from EC2/S3 directly.

Visual Anchors

Choosing Connectivity: Peering vs. Transit Gateway

Data Transfer Cost Boundaries

Diagram (not rendered): two boxes labelled AZ 1 and AZ 2, joined by a two-way red arrow marked $0.01/GB for inter-AZ transfer. AZ 1 is annotated "Private IP = $0" and AZ 2 "Public IP = $0.01". An arrow leaving AZ 1 toward the internet is labelled "Internet (DTO) = $$$", the most expensive boundary to cross.

Definition-Example Pairs

  • Interface VPC Endpoint: A managed elastic network interface (ENI) with a private IP address that acts as an entry point for traffic destined to a supported AWS service.
    • Example: Connecting a private Lambda function to a Kinesis stream without traversing a NAT Gateway.
  • Direct Connect (DX): A dedicated physical network connection from your on-premises data center to AWS.
    • Example: A financial firm transferring petabytes of data monthly; the lower DTO rate of DX offsets the high monthly port fee compared to a VPN.

Worked Examples

Scenario 1: The S3 Data Sink

Problem: A fleet of EC2 instances in a private subnet uploads 10 TB of logs to S3 each month through a NAT Gateway.

  • Current Cost: 10,000 GB * $0.045 = $450 (NAT Processing) + Hourly NAT fees.
  • Solution: Implement an S3 Gateway Endpoint.
  • Result: Cost drops to $0 for data processing. S3 Gateway Endpoints are free and do not require NAT.
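The reason the Gateway Endpoint removes the NAT charge is routing: the endpoint adds a route for the S3 prefix list to the subnet's route table, and AWS selects routes by longest prefix match, so S3-bound traffic takes the endpoint route instead of the 0.0.0.0/0 route to the NAT Gateway. The following is an added example (not code from this guide or from AWS) that models that selection so you can confirm which destinations would still be billed through NAT. The identifiers pl-EXAMPLE-s3, nat-EXAMPLE and vpce-EXAMPLE-s3 and the prefix-list CIDRs are constructed placeholders; real S3 prefix-list ranges are resolved from AWS, not hard-coded.

```python
"""Which target does a private subnet's outbound traffic reach?

Constructed example for this study guide. It models a subnet route table
and applies AWS's longest-prefix-match rule, under which the S3 Gateway
Endpoint's prefix-list route is more specific than the NAT Gateway's
default route. All identifiers and CIDRs below are made-up placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-in for the S3 managed prefix list. Real lists are
# resolved from AWS; these are RFC 5737 documentation ranges.
PREFIX_LISTS: Dict[str, List[str]] = {
    "pl-EXAMPLE-s3": ["203.0.113.0/24", "198.51.100.0/24"],
}


@dataclass(frozen=True)
class Route:
    destination: str  # a CIDR, or a prefix-list id beginning with "pl-"
    target: str       # e.g. "local", "nat-EXAMPLE", "vpce-EXAMPLE-s3"


def _cidrs(route: Route) -> List[ipaddress.IPv4Network]:
    """Expand a route's destination into the networks it covers."""
    if route.destination.startswith("pl-"):
        return [ipaddress.ip_network(c) for c in PREFIX_LISTS[route.destination]]
    return [ipaddress.ip_network(route.destination)]


def select_route(route_table: List[Route], dest_ip: str) -> Optional[Route]:
    """Longest-prefix match: the most specific matching route wins."""
    addr = ipaddress.ip_address(dest_ip)
    best, best_len = None, -1
    for route in route_table:
        for net in _cidrs(route):
            if addr in net and net.prefixlen > best_len:
                best, best_len = route, net.prefixlen
    return best


def target_for(route_table: List[Route], dest_ip: str) -> Optional[str]:
    """Target id of the selected route, or None if nothing matches."""
    route = select_route(route_table, dest_ip)
    return route.target if route else None


def billable_via_nat(route_table: List[Route], dest_ips: List[str]) -> List[str]:
    """Destinations whose traffic would still incur NAT Gateway per-GB charges."""
    return [ip for ip in dest_ips if (target_for(route_table, ip) or "").startswith("nat-")]


# Constructed private-subnet route table: VPC-local traffic, a default route
# through a NAT Gateway, and the S3 Gateway Endpoint route added in Scenario 1.
PRIVATE_SUBNET_ROUTES = [
    Route("10.0.0.0/16", "local"),
    Route("0.0.0.0/0", "nat-EXAMPLE"),
    Route("pl-EXAMPLE-s3", "vpce-EXAMPLE-s3"),
]

if __name__ == "__main__":
    # Constructed destinations: in-VPC, "S3" (per the placeholder list), other internet.
    for ip in ("10.0.5.20", "203.0.113.10", "192.0.2.10"):
        print(f"{ip} -> {target_for(PRIVATE_SUBNET_ROUTES, ip)}")
    print("still billed through NAT:",
          billable_via_nat(PRIVATE_SUBNET_ROUTES, ["203.0.113.10", "192.0.2.10"]))
```

Removing the third route (the endpoint) sends the same S3 destination back to the NAT Gateway, which is the "before" state of Scenario 1; the endpoint policy attached to a real Gateway Endpoint is the place to restrict which buckets that private path may reach.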

Scenario 2: Inter-VPC Communication

Problem: You have 3 VPCs that need to share a large database. You are deciding between Peering and Transit Gateway.

  • Analysis: Peering has no hourly charge. Transit Gateway has a charge of ~$0.05 per hour per VPC ($36/month for 3 VPCs) plus data processing.
  • Optimization: For only 3 VPCs, VPC Peering is more cost-effective as it avoids the hourly and data processing overhead of the TGW hub.
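Both scenarios reduce to the same arithmetic: a fixed hourly component plus a per-GB component, compared across the options. The following added example (not code from this guide or from AWS) puts the rates the guide quotes into a small monthly cost model so the break-even for each scenario can be recomputed for other volumes and VPC counts. The 730-hour month and the Transit Gateway data-processing rate (which the caller supplies) are assumptions of this example, not figures from the guide.

```python
"""Monthly network cost model for the two worked scenarios.

Constructed example for this study guide. Rates are the ones the guide
quotes: NAT Gateway $0.045/hr and $0.045/GB, Transit Gateway ~$0.05/hr per
VPC attachment, inter-AZ transfer $0.01/GB. The 730-hour month and any
TGW data-processing rate are assumptions supplied here, not page figures.
"""
from dataclasses import dataclass

HOURS_PER_MONTH = 730  # assumption: an average month


@dataclass(frozen=True)
class Rates:
    nat_hourly: float = 0.045            # NAT Gateway hourly charge (guide)
    nat_per_gb: float = 0.045            # NAT Gateway data processing (guide)
    tgw_attachment_hourly: float = 0.05  # TGW charge per VPC attachment per hour (guide)
    inter_az_per_gb: float = 0.01        # inter-AZ data transfer (guide)


RATES = Rates()


def nat_gateway_monthly(gb_processed, hours=HOURS_PER_MONTH, rates=RATES):
    """Scenario 1 'before': every GB sent to S3 is processed by the NAT Gateway."""
    return round(rates.nat_hourly * hours + rates.nat_per_gb * gb_processed, 2)


def s3_gateway_endpoint_monthly(gb_processed):
    """Scenario 1 'after': Gateway Endpoints for S3/DynamoDB have no hourly or per-GB fee."""
    return 0.0


def peering_connections_needed(vpc_count):
    """Full-mesh peering grows quadratically; this is the management burden
    behind the guide's advice to prefer TGW at 10+ VPCs."""
    return vpc_count * (vpc_count - 1) // 2


def vpc_peering_monthly(gb_transferred, per_gb_rate=RATES.inter_az_per_gb):
    """Peering: no hourly charge, only the data-transfer rate of the path
    (default assumes the peered resources sit in different AZs)."""
    return round(gb_transferred * per_gb_rate, 2)


def transit_gateway_monthly(vpc_count, gb_processed, tgw_per_gb,
                            hours=HOURS_PER_MONTH, rates=RATES):
    """TGW: hourly charge per attached VPC plus per-GB data processing.
    tgw_per_gb is an assumption supplied by the caller; the guide quotes none."""
    return round(rates.tgw_attachment_hourly * vpc_count * hours
                 + tgw_per_gb * gb_processed, 2)


def compare_inter_vpc(vpc_count, gb_transferred, tgw_per_gb,
                      per_gb_rate=RATES.inter_az_per_gb):
    """Scenario 2: side-by-side monthly cost of Peering and TGW for the same traffic."""
    peering = vpc_peering_monthly(gb_transferred, per_gb_rate)
    tgw = transit_gateway_monthly(vpc_count, gb_transferred, tgw_per_gb)
    return {
        "peering": peering,
        "transit_gateway": tgw,
        "peering_connections": peering_connections_needed(vpc_count),
        "cheaper": "peering" if peering <= tgw else "transit_gateway",
    }


if __name__ == "__main__":
    before = nat_gateway_monthly(10_000)           # Scenario 1: 10 TB through NAT
    after = s3_gateway_endpoint_monthly(10_000)    # Scenario 1: via Gateway Endpoint
    print(f"Scenario 1: NAT ${before} -> endpoint ${after}, saving ${round(before - after, 2)}")
    # Scenario 2 with a constructed 1,000 GB/month and an assumed $0.02/GB TGW rate.
    print("Scenario 2:", compare_inter_vpc(vpc_count=3, gb_transferred=1_000, tgw_per_gb=0.02))
```

Calling nat_gateway_monthly with hours=0 reproduces the guide's $450 processing-only figure; the default adds the hourly charge the guide mentions but does not total. For Scenario 2, raising vpc_count shows peering_connections growing far faster than the TGW hourly bill, which is the trade-off the Hierarchical Outline describes.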

Checkpoint Questions

  1. Which VPC Endpoint type is free of charge?
  2. You are transferring data between two EC2 instances in the same region but different AZs. How can you minimize costs?
  3. Why is Amazon CloudFront considered a cost-optimization tool for networking?
  4. True or False: NAT Instances are generally more cost-effective than NAT Gateways for very small, low-traffic workloads.
  5. When should you choose Direct Connect over a Site-to-Site VPN for cost reasons?
Answers
  1. Gateway Endpoints (available for S3 and DynamoDB).
  2. Use Private IP addresses (though inter-AZ fees still apply, they are lower than using public IPs which might route through the internet).
  3. It reduces Data Transfer Out costs from the origin (S3/EC2) and provides lower tiered pricing for high-volume traffic.
  4. True. NAT Instances use standard EC2 pricing, which can be cheaper (e.g., a t3.micro) than the fixed hourly fee of a NAT Gateway.
  5. When the Data Transfer Out volume is high enough that the lower per-GB rate of Direct Connect offsets the higher monthly port charges.