
Hands-On Lab: Designing Cost-Optimized Network Architectures

Design cost-optimized network architectures


Welcome to this hands-on lab focused on Domain 4: Design Cost-Optimized Architectures for the AWS Certified Solutions Architect - Associate (SAA-C03) exam.

One of the most common unnecessary expenses in AWS networking is routing traffic to AWS services (such as Amazon S3 or DynamoDB) through a NAT Gateway or across the public internet. NAT Gateways charge an hourly rate plus a per-GB data processing fee. By implementing Gateway VPC Endpoints, you can keep this traffic inside the AWS network at no charge.

Prerequisites

Before starting this lab, ensure you have the following:

  • An active AWS Account with Administrator access.
  • The AWS CLI installed and configured (aws configure) with valid credentials.
  • A default region selected (e.g., us-east-1).
  • Basic familiarity with bash/terminal environments.

[!WARNING] Cost Warning: This lab uses resources that may incur minor charges if you exceed the AWS Free Tier. Remember to run the teardown commands at the end of the lab to avoid ongoing charges.

Learning Objectives

By completing this lab, you will be able to:

  1. Identify scenarios where NAT Gateway data processing costs can be eliminated.
  2. Provision a custom VPC with a private subnet via the AWS CLI.
  3. Create and configure a Gateway VPC Endpoint for Amazon S3.
  4. Verify internal routing changes to ensure traffic bypasses the public internet.

Architecture Overview

This diagram contrasts the expensive default routing path with the cost-optimized VPC Endpoint path we will build.

[Diagram: default routing via NAT Gateway and the public internet vs. the Gateway VPC Endpoint path]

Step-by-Step Instructions

Step 1: Create a Custom VPC and Private Subnet

First, we need an isolated network environment to simulate a secure backend infrastructure.

```bash
# 1. Create the VPC
aws ec2 create-vpc \
  --cidr-block 10.0.0.0/16 \
  --query 'Vpc.VpcId' \
  --output text
# NOTE: Copy the output VPC ID (e.g., vpc-0abcd1234efgh5678).
# We will refer to this as <YOUR_VPC_ID>

# 2. Create a Private Subnet within the VPC
aws ec2 create-subnet \
  --vpc-id <YOUR_VPC_ID> \
  --cidr-block 10.0.1.0/24 \
  --query 'Subnet.SubnetId' \
  --output text
# NOTE: Copy the output Subnet ID.
# We will refer to this as <YOUR_SUBNET_ID>
```

Console alternative: Create VPC and Subnet
  1. Navigate to the VPC Console > Your VPCs.
  2. Click Create VPC.
  3. Choose VPC only, name it cost-optimized-vpc, and set the IPv4 CIDR to 10.0.0.0/16. Click Create VPC.
  4. Navigate to Subnets > Create subnet.
  5. Select the VPC you just created, name it private-subnet-1, set the CIDR to 10.0.1.0/24, and click Create subnet.

Step 2: Create a Custom Route Table for the Private Subnet

We need a route table associated specifically with our private subnet to manage its traffic flow.

```bash
# 1. Create the route table
aws ec2 create-route-table \
  --vpc-id <YOUR_VPC_ID> \
  --query 'RouteTable.RouteTableId' \
  --output text
# NOTE: Copy the output Route Table ID.
# We will refer to this as <YOUR_ROUTE_TABLE_ID>

# 2. Associate the route table with your private subnet
aws ec2 associate-route-table \
  --subnet-id <YOUR_SUBNET_ID> \
  --route-table-id <YOUR_ROUTE_TABLE_ID>
```

Console alternative: Route Table Creation
  1. In the VPC Console, navigate to Route Tables > Create route table.
  2. Name it private-route-table and select your cost-optimized-vpc. Click Create.
  3. Select the new route table, go to the Subnet associations tab, and click Edit subnet associations.
  4. Check the box for your private-subnet-1 and click Save associations.

Step 3: Implement the Gateway VPC Endpoint (The Cost Optimization)

Instead of provisioning an expensive NAT Gateway (approximately $32/month plus $0.045 per GB processed), we will create a Gateway VPC Endpoint for S3. Gateway endpoints for S3 and DynamoDB are completely free.

```bash
# Create the Gateway VPC Endpoint and attach it to your route table
aws ec2 create-vpc-endpoint \
  --vpc-id <YOUR_VPC_ID> \
  --service-name com.amazonaws.us-east-1.s3 \
  --vpc-endpoint-type Gateway \
  --route-table-ids <YOUR_ROUTE_TABLE_ID>
```

(If you are in a different region, replace us-east-1 with your current region, e.g., us-west-2)

[!TIP] In a production environment, you can attach a VPC Endpoint Policy here to restrict access only to specific S3 buckets, adding a layer of security alongside cost savings.

Console alternative: Create VPC Endpoint
  1. In the VPC Console, navigate to Endpoints (under Virtual Private Cloud on the left menu).
  2. Click Create endpoint.
  3. Name it s3-cost-optimized-endpoint.
  4. Under Service category, choose AWS services.
  5. In the Services search bar, type s3 and press Enter. Select the service name ending in .s3 with the type Gateway.
  6. Select your cost-optimized-vpc.
  7. Under Route tables, check the box next to your private-route-table.
  8. Leave the policy as Full Access and click Create endpoint.

Checkpoints

Let's verify that AWS has automatically updated your routing table to direct S3 traffic through the new, free endpoint.

Checkpoint 1: Verify Route Table Entries

```bash
aws ec2 describe-route-tables \
  --route-table-ids <YOUR_ROUTE_TABLE_ID> \
  --query 'RouteTables[0].Routes'
```

Expected Result: You should see a route whose DestinationPrefixListId looks like pl-63a5400a (the AWS-managed prefix list for S3 in your region) and whose GatewayId starts with vpce-. This confirms that traffic from the private subnet to S3's IP ranges now stays on the internal AWS network instead of crossing the public internet.
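Scripting this checkpoint, as an added example that is not part of the original lab: the functions below take the Routes array returned by the describe-route-tables command (saved to a file with `> routes.json`, or the constructed sample embedded here, whose endpoint and NAT Gateway IDs are placeholders) and report whether an active prefix-list route points at a vpce- target, while flagging any 0.0.0.0/0 route to a NAT Gateway that still bills per GB for non-S3 traffic.

```python
"""Check that a private subnet's route table sends S3 traffic through a Gateway VPC Endpoint.
Input shape: aws ec2 describe-route-tables --route-table-ids <ID> --query 'RouteTables[0].Routes'"""
import json
import sys

# Constructed sample (not real CLI output): a local route, the S3 prefix-list route via the
# endpoint, and a default route via a NAT Gateway. All IDs are placeholders.
SAMPLE_ROUTES_JSON = """[
  {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
  {"DestinationPrefixListId": "pl-63a5400a", "GatewayId": "vpce-0123456789abcdef0", "State": "active"},
  {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0fedcba9876543210", "State": "active"}
]"""

def endpoint_routes(routes):
    """Active routes for an AWS-managed prefix list (pl-) whose target is a Gateway Endpoint (vpce-)."""
    return [r for r in routes
            if r.get("DestinationPrefixListId", "").startswith("pl-")
            and r.get("GatewayId", "").startswith("vpce-")
            and r.get("State") == "active"]

def nat_default_routes(routes):
    """Default routes that go to a NAT Gateway; these are the routes billed per GB processed."""
    return [r for r in routes
            if r.get("DestinationCidrBlock") == "0.0.0.0/0"
            and r.get("NatGatewayId", "").startswith("nat-")]

def check_route_table(routes_json):
    """Return (passed, findings): passed is True when at least one endpoint route exists."""
    routes = json.loads(routes_json)
    vpce, findings = endpoint_routes(routes), []
    if not vpce:
        findings.append("FAIL: no active pl-* route to a vpce- target; S3 traffic follows the default route")
    for r in vpce:
        findings.append(f"OK: {r['DestinationPrefixListId']} -> {r['GatewayId']}")
    for r in nat_default_routes(routes):
        # The more specific prefix-list route wins for S3; every other destination still pays the NAT fee.
        findings.append(f"WARN: 0.0.0.0/0 -> {r['NatGatewayId']} remains; only S3/DynamoDB bypass it")
    return bool(vpce), findings

if __name__ == "__main__":
    # Usage: python3 check_routes.py routes.json  (falls back to the constructed sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ROUTES_JSON
    passed, findings = check_route_table(data)
    print("\n".join(findings))
    print("CHECKPOINT PASSED" if passed else "CHECKPOINT FAILED")
```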

Clean-Up / Teardown

[!WARNING] Remember to run the teardown commands to avoid ongoing resource clutter. While the VPC and Gateway Endpoint are free, it is best practice to clean up lab environments.

Run the following CLI commands sequentially to delete the resources:

```bash
# 1. Delete the VPC Endpoint (find your endpoint ID from the console or previous output)
# Replace <YOUR_VPCE_ID> with the actual ID (e.g., vpce-0123456789abcdef)
aws ec2 delete-vpc-endpoints --vpc-endpoint-ids <YOUR_VPCE_ID>

# 2. Delete the Subnet
aws ec2 delete-subnet --subnet-id <YOUR_SUBNET_ID>

# 3. Delete the Route Table
aws ec2 delete-route-table --route-table-id <YOUR_ROUTE_TABLE_ID>

# 4. Delete the VPC
aws ec2 delete-vpc --vpc-id <YOUR_VPC_ID>
```

Troubleshooting

| Issue | Probable Cause | Fix |
|---|---|---|
| Error: InvalidVpcID.NotFound | You forgot to replace <YOUR_VPC_ID> with the actual ID. | Check your previous CLI output or the VPC console for the vpc-xxxxxxxx identifier and run the command again. |
| VPC Endpoint creation fails | Wrong service name for your region. | Ensure the --service-name argument matches your configured region. Use aws ec2 describe-vpc-endpoint-services to find the exact name. |
| Can't delete VPC during teardown | Resources are still attached. | Ensure you deleted the Subnet and Route Table first. The VPC must be empty before deletion. |
| Console alternative doesn't show S3 Gateway | Filtered to Interface endpoints only. | Ensure you select the service type Gateway (not Interface) when searching for S3 in the Endpoints wizard. |

Concept Review: Cost Optimization

Understanding when to use different network services is critical for Domain 4 of the SAA-C03 exam. Here is a quick comparison table:

| Network Service | Use Case | Cost Profile |
|---|---|---|
| NAT Gateway | Outbound internet access for private subnets (software updates, third-party APIs). | High: hourly charge + per-GB data processing fee. |
| Gateway VPC Endpoint | Accessing Amazon S3 or DynamoDB from a private subnet. | Free: no hourly charge, no data processing fee. |
| Interface VPC Endpoint (PrivateLink) | Accessing other AWS services (SQS, SNS, Kinesis) or SaaS securely. | Medium: hourly charge + per-GB processing fee (typically cheaper than a NAT Gateway, but not free). |
