AWS VPC Endpoint cost calculator
Plug in your Interface Endpoint count, AZ spread, and monthly GB. The calculator shows the endpoint cost, the NAT Gateway cost on the same traffic, and the savings (or the case where the endpoint is too small to pay back). Gateway Endpoints for S3 and DynamoDB are listed for completeness, but they are free.
If your endpoint cost is bigger than expected, check these
- Endpoints enabled in 3 AZs but the workload runs in 2. Each unused AZ is $7.30 per month.
- Low-volume services (under 200 GB / month / AZ) on Interface Endpoints. NAT is cheaper for them.
- Gateway Endpoint never created for S3, so all S3 reads route through NAT at $0.045 per GB.
- Cross-AZ traffic to the endpoint adds $0.02 per GB on top of the endpoint cost. Pin clients to local-AZ DNS.
When PrivateLink pays back, and when it does not
The math on PrivateLink is simple. Interface Endpoints save $0.035 per GB versus NAT (the difference between $0.01 endpoint and $0.045 NAT data-processing). They cost $7.30 per AZ per month at the US rate. The break-even is 209 GB per month per AZ per endpoint.
High-volume services like ECR image pulls and SSM Session Manager almost always clear that bar by an order of magnitude. Low-volume services like Step Functions or X-Ray often do not, and turning on an Interface Endpoint for them adds cost rather than saving it.
Gateway Endpoints have no break-even because they are free. If your private subnets reach S3 or DynamoDB and you do not have one, that is the single highest-leverage networking change in the account. One Terraform resource, one route-table association, double-digit percent off the NAT bill.
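The comparison above, worked per service as an added example (not the calculator's own code). It uses the rates quoted on this page; the 730-hour month, the `Service` class, the function names and the sample traffic are assumptions made for illustration, and only NAT data-processing is counted on the NAT side.

```python
from dataclasses import dataclass

# Rates quoted on this page (US rate). 730 hours/month is an assumption
# chosen because 0.01 * 730 reproduces the page's $7.30 per AZ per month.
HOURS_PER_MONTH = 730
ENDPOINT_HOURLY_PER_AZ = 0.01   # USD per AZ per hour
ENDPOINT_PER_GB = 0.01          # USD per GB through the endpoint
NAT_PER_GB = 0.045              # USD per GB NAT data processing
CROSS_AZ_PER_GB = 0.02          # USD per GB when the client AZ has no endpoint

@dataclass
class Service:
    name: str
    gb_by_az: dict        # monthly GB sent by clients in each AZ
    endpoint_azs: tuple   # AZs where the Interface Endpoint is enabled

def break_even_gb():
    """GB per month per AZ at which the hourly fee is repaid by per-GB savings."""
    monthly_fee = ENDPOINT_HOURLY_PER_AZ * HOURS_PER_MONTH
    return monthly_fee / (NAT_PER_GB - ENDPOINT_PER_GB)

def compare(svc):
    """Return endpoint cost, NAT cost on the same traffic, and net savings."""
    total_gb = sum(svc.gb_by_az.values())
    hourly = len(svc.endpoint_azs) * ENDPOINT_HOURLY_PER_AZ * HOURS_PER_MONTH
    # Traffic from an AZ without an endpoint crosses AZs to reach one.
    cross_gb = sum(gb for az, gb in svc.gb_by_az.items()
                   if az not in svc.endpoint_azs)
    endpoint = hourly + total_gb * ENDPOINT_PER_GB + cross_gb * CROSS_AZ_PER_GB
    nat = total_gb * NAT_PER_GB
    return {
        "endpoint": round(endpoint, 2),
        "nat": round(nat, 2),
        "savings": round(nat - endpoint, 2),
        # Enabled AZs carrying no traffic: pure hourly cost.
        "idle_azs": [az for az in svc.endpoint_azs if not svc.gb_by_az.get(az)],
    }

# Constructed sample traffic, not measurements from a real account.
SAMPLE = [
    Service("ecr", {"a": 1500, "b": 1500}, ("a", "b", "c")),
    Service("xray", {"a": 20, "b": 20}, ("a", "b")),
    Service("sqs", {"a": 100, "b": 300}, ("a",)),
]

if __name__ == "__main__":
    print(f"break-even: {break_even_gb():.0f} GB per AZ per month")
    for svc in SAMPLE:
        print(svc.name, compare(svc))
```

A negative `savings` value means NAT is cheaper for that service, and a non-empty `idle_azs` list flags an enabled AZ that only adds hourly cost.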
Run this on your real account
Free 14-day audit, read-only IAM role, one-page CFO summary.
We pull your actual VPC traffic patterns, identify the services that clear the endpoint break-even, and hand the engineer the exact Terraform diff. The audit is free, the report is yours, no upsell call.
Frequently asked
When does an Interface Endpoint pay for itself?
An Interface Endpoint costs $0.01 per AZ per hour plus $0.01 per GB. NAT Gateway charges $0.045 per GB on the same traffic. The endpoint break-even per AZ is roughly 209 GB per month: above that, every gigabyte saves $0.035. Below it, the hourly fee outweighs the per-GB savings and NAT is cheaper for that service.
Are Gateway Endpoints free?
Yes. Gateway Endpoints for S3 and DynamoDB cost zero hourly and zero per GB. Every workload that talks to S3 or DynamoDB from a private subnet should have one. The number of S3 buckets reachable through a single Gateway Endpoint is unlimited.
How many AZs do Interface Endpoints need?
Match your workload. If your application runs in three AZs, enable the endpoint in all three to avoid cross-AZ charges on top of the endpoint cost. Each enabled AZ adds another $7.30 per month at the US rate, and most teams discover during audits that they enabled three AZs but only use two.
Which AWS services support Interface Endpoints?
Most do: SSM, ECR, Secrets Manager, KMS, STS, Logs, Monitoring, Lambda, ECS, EKS API, Step Functions, SNS, SQS, Kinesis, all Bedrock and SageMaker endpoints, and around 200 more. The full list is in the AWS PrivateLink documentation. The high-traffic ones in most accounts are ECR (image pulls) and SSM (Session Manager), which together commonly produce a third of the NAT data-processing bill.