Also read, which PaaS services require VPCs

Accessing PaaS Services on AWS

AWS services like EC2, RDS, and ElastiCache come with an Elastic Network Interface (ENI), which enables communication from within your VPCs.

However, many AWS services do not come with an ENI and provide only a REST API (accessed over the Internet only).  These include: S3, DynamoDB, CloudWatch, SQS, and Kinesis.

There are three options to make these services accessible from private subnets:

  • Gateway Endpoints is free of charge, but are only available for S3 and DynamoDB.
  • An Interface Endpoint costs $7.20 per month and AZ plus $0.01 per GB and is available for most AWS services.
  • NAT Gateway can be used to access AWS services or any other services with a public API. Costs are $32.40 per month and AZ plus $0.045 per GB.

Accessing PaaS Services – Summary

Depending on the service, there may be one or more options for access to these services (from private subnets).  This post describes three possible options along with their costs.

For an advanced AWS security consultation, please Contact AWS Security Architect