
Cut S3 Data Transfer With VPC Endpoints | SAA-C03

Author: Jeff Taakey
21+ Year Enterprise Architect | Multi-Cloud Architect & Strategist.

While preparing for the AWS SAA-C03, many candidates get confused by VPC networking cost optimization. In the real world, this is fundamentally a decision about data transfer cost elimination vs. architectural simplicity. Let’s drill into a simulated scenario.

The Scenario

GlobalSnap Inc., a digital photography platform, operates a cloud-native image processing pipeline on AWS. Their application runs on EC2 instances within a VPC and performs hundreds of thousands of daily operations: uploading raw photos from professional cameras and downloading processed images for distribution to their CDN.

All resources—compute and storage—exist within the us-east-1 region. However, the finance team has flagged a concerning trend: monthly data transfer charges have increased by 340% over six months, despite stable user growth. The infrastructure team confirmed that traffic patterns are normal, but the path the data takes between EC2 and S3 is driving unexpected costs.

Key Requirements

Implement a solution that eliminates avoidable data transfer costs while maintaining:

  • Secure, private connectivity between VPC resources and S3
  • No increase in operational complexity
  • No degradation in performance

The Options

  • A) Deploy an Amazon API Gateway in a public subnet and update route tables to direct S3 API calls through this gateway.
  • B) Deploy a NAT Gateway in a public subnet and attach an endpoint policy that permits access to the S3 bucket.
  • C) Deploy the application in a public subnet and allow direct internet-based access to S3 through an Internet Gateway.
  • D) Deploy an S3 VPC Gateway Endpoint within the VPC and attach an endpoint policy that permits access to the S3 bucket.

Correct Answer

Option D: Deploy an S3 VPC Gateway Endpoint.

Step-by-Step Winning Logic

S3 VPC Gateway Endpoints are purpose-built for this exact scenario. Here’s why this is the optimal choice:

  1. Zero Data Transfer Cost: Traffic between EC2 and S3 via Gateway Endpoint stays on AWS’s private network backbone. You pay $0.00 for data transfer that would otherwise cost $0.09/GB (NAT Gateway processing) + $0.09/GB (data transfer OUT).

  2. Zero Hourly Charges: Gateway Endpoints (for S3 and DynamoDB only) are completely free. No hourly fees, no per-GB fees.

  3. No Architectural Complexity: Simply create the endpoint, associate it with your VPC route tables, and attach an endpoint policy (IAM-style permissions). No new instances to manage, no subnet design changes required.

  4. Performance Improvement: By removing the Internet Gateway/NAT Gateway from the path, you reduce latency and eliminate potential bottlenecks.

  5. Security Enhancement: Traffic never traverses the public internet. This satisfies compliance requirements for data locality and reduces attack surface.


💎 The Architect’s Deep Dive: Why Options Fail

The Traps (Distractor Analysis)

Why not Option A (API Gateway)?

  • Wrong Service Purpose: API Gateway is designed to expose your own APIs (Lambda, HTTP backends), not to proxy S3 requests. It adds zero value here.
  • Cost Disaster: You’d pay for API Gateway requests ($3.50 per million) + data transfer OUT + increased latency.
  • Complexity Nightmare: You’d need to build custom integration logic, handle authentication passthrough, and manage throttling separately.

AWS Exam Signal: API Gateway appearing in infrastructure optimization questions is almost always a distractor.

Why not Option B (NAT Gateway)?

  • Expensive Middleman: NAT Gateway charges $0.045/hour (~$32.85/month) + $0.045/GB processed. For a workload transferring 10TB/month, that’s $450/month just for NAT processing—on top of data transfer charges.
  • Wrong Use Case: NAT Gateways enable private subnet resources to reach the internet. S3 is an AWS service, not an internet destination.
  • Endpoint Policies Don’t Attach to NAT Gateways: The option’s wording is technically nonsensical—endpoint policies are for VPC Endpoints, not NAT Gateways.

FinOps Red Flag: Any solution involving NAT Gateway for AWS service access is a cost anti-pattern.

Why not Option C (Public Subnet + Internet Gateway)?

  • Security Violation: Placing application servers in public subnets exposes them to direct internet access—violating defense-in-depth principles.
  • Data Transfer Charges Persist: Even though Internet Gateway itself is free, you still pay $0.09/GB for data transfer OUT to the internet when accessing S3 via public IPs.
  • No Cost Savings: This solves nothing from a FinOps perspective.

Exam Trap: This tests whether you understand that “public route” ≠ “free route” for data transfer.


The Architect Blueprint

graph TB
    subgraph VPC["VPC (us-east-1)"]
        EC2["EC2 Instances<br/>(Private Subnet)"]
        RT["Route Table"]
        VPCE["S3 VPC Gateway Endpoint<br/>💰 $0/month"]
    end
    S3["Amazon S3 Bucket<br/>(us-east-1)"]
    EC2 -->|"Private API Calls"| RT
    RT -->|"Routes s3.* prefix"| VPCE
    VPCE -.->|"AWS Private Network<br/>$0.00 Data Transfer"| S3
    style VPCE fill:#2ecc71,stroke:#27ae60,stroke-width:3px
    style S3 fill:#ff9900,stroke:#ff6600,stroke-width:2px
    style EC2 fill:#3498db,stroke:#2980b9,stroke-width:2px


Diagram Note: EC2 instances send S3 API requests to the route table, which automatically directs traffic destined for S3 (via prefix list) through the Gateway Endpoint, keeping all traffic on AWS’s private backbone at zero cost.

The Decision Matrix

| Option | Est. Complexity | Est. Monthly Cost (10TB Transfer) | Pros | Cons |
|---|---|---|---|---|
| D - S3 VPC Gateway Endpoint | Low (5 min setup) | $0 (endpoint) + $0 (data transfer) = $0 | ✅ Zero cost ✅ Zero latency overhead ✅ Private traffic ✅ No maintenance | ❌ Only works for S3/DynamoDB ❌ Requires route table updates |
| A - API Gateway | High | ~$35 (API calls) + ~$900 (data transfer) = $935 | ✅ Can add custom logic | ❌ Wrong tool for this job ❌ Expensive ❌ High complexity |
| B - NAT Gateway | Medium | ~$33 (hourly) + ~$450 (processing) + ~$900 (data transfer OUT) = $1,383 | ✅ Enables internet access for private subnets | ❌ Expensive ❌ Wrong use case ❌ Endpoint policies don’t apply |
| C - Public Subnet + IGW | Low | $900 (data transfer OUT) | ✅ Simple networking | ❌ Security risk ❌ No cost savings ❌ Violates best practices |

FinOps Insight: Option D saves $900-$1,383/month compared to alternatives while improving security and performance.


Real-World Practitioner Insight

Exam Rule

“For the SAA-C03 exam, when you see S3 access from VPC + cost reduction, immediately select VPC Gateway Endpoint. If the question mentions DynamoDB instead, the same logic applies—Gateway Endpoints are the only free VPC endpoint type.”

Real World

In production environments, we implement this pattern by default during VPC creation using Infrastructure-as-Code:

# Terraform example
resource "aws_vpc_endpoint" "s3" {
  vpc_id       = aws_vpc.main.id
  # Gateway endpoint for S3 in the VPC's own region
  # (vpc_endpoint_type defaults to "Gateway" for this service)
  service_name = "com.amazonaws.us-east-1.s3"

  # Associating the private route table adds a route for the
  # S3 managed prefix list that targets this endpoint
  route_table_ids = [
    aws_route_table.private.id
  ]

  # Endpoint policy: principals inside the VPC may reach only
  # this bucket (and its objects) through the endpoint
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = "*"
        Action = "s3:*"
        Resource = [
          "arn:aws:s3:::my-photo-bucket",
          "arn:aws:s3:::my-photo-bucket/*"
        ]
      }
    ]
  })
}

Additional Considerations:

  • For Interface Endpoints (most other AWS services like Secrets Manager, ECR), you pay $0.01/hour per AZ (~$7.20/month per AZ) + $0.01/GB data processed.
  • Always use endpoint policies to apply least-privilege access control at the network layer.
  • Monitor endpoint usage with VPC Flow Logs to validate cost savings.
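The two things the Terraform block above sets up, the prefix-list route in every private route table and a bucket-scoped endpoint policy, are also the two things that silently regress (a new private subnet gets a route table without the endpoint association, or someone widens the policy to `Resource: "*"` and every bucket in S3 becomes reachable through the endpoint). The audit below is an added example, not code from the article or from GlobalSnap: it reads the JSON shapes that `aws ec2 describe-route-tables` and a VPC endpoint's PolicyDocument use, with sample data constructed inline and placeholder IDs (the prefix list and endpoint IDs are assumptions, not real resources), and reports any route table still bypassing the endpoint and any Allow statement that reaches beyond the intended bucket.

```python
"""Audit a VPC for the S3 gateway-endpoint pattern (added example, not article code)."""
import json

# Constructed placeholder identifiers; none of these refer to real resources.
S3_PREFIX_LIST_ID = "pl-00000000s3"            # assumed: the region's managed S3 prefix list
ENDPOINT_ID = "vpce-0123456789abcdef0"         # assumed: the gateway endpoint's ID
BUCKET_ARN = "arn:aws:s3:::my-photo-bucket"    # bucket named in the Terraform example

# Constructed sample in the shape of `aws ec2 describe-route-tables` output.
# rtb-private-a routes the S3 prefix list to the endpoint; rtb-private-b still
# sends everything non-local (S3 included) through a NAT gateway.
ROUTE_TABLES = {
    "RouteTables": [
        {
            "RouteTableId": "rtb-private-a",
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationPrefixListId": S3_PREFIX_LIST_ID, "GatewayId": ENDPOINT_ID, "State": "active"},
            ],
        },
        {
            "RouteTableId": "rtb-private-b",
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0000000000000000a", "State": "active"},
            ],
        },
    ]
}

# Constructed endpoint policies (PolicyDocument shape). The first is the AWS
# default for a new gateway endpoint; the second mirrors the Terraform example.
WIDE_OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:*", "Resource": "*"}],
}
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
        }
    ],
}


def missing_s3_routes(route_tables, prefix_list_id, endpoint_id):
    """Return IDs of route tables with no active route prefix-list -> gateway endpoint."""
    missing = []
    for rt in route_tables.get("RouteTables", []):
        has_route = any(
            r.get("DestinationPrefixListId") == prefix_list_id
            and r.get("GatewayId") == endpoint_id
            and r.get("State") == "active"
            for r in rt.get("Routes", [])
        )
        if not has_route:
            missing.append(rt["RouteTableId"])
    return missing


def policy_findings(policy, bucket_arn):
    """Flag Allow statements whose Resource reaches beyond the intended bucket.

    Accepts either a parsed policy dict or the JSON string the API returns.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    allowed = {bucket_arn, bucket_arn + "/*"}
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        resources = st.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for res in resources:
            if res not in allowed:
                findings.append(f"statement {i}: resource {res!r} is outside {bucket_arn}")
    return findings


def audit(route_tables, policy, prefix_list_id=S3_PREFIX_LIST_ID,
          endpoint_id=ENDPOINT_ID, bucket_arn=BUCKET_ARN):
    """Combine both checks into one report; an empty report means the pattern holds."""
    return {
        "route_tables_missing_route": missing_s3_routes(route_tables, prefix_list_id, endpoint_id),
        "policy_findings": policy_findings(policy, bucket_arn),
    }


if __name__ == "__main__":
    print(json.dumps(audit(ROUTE_TABLES, WIDE_OPEN_POLICY), indent=2))
    print(json.dumps(audit(ROUTE_TABLES, SCOPED_POLICY), indent=2))
```

Against the sample data the audit names rtb-private-b as still sending S3 traffic through the NAT gateway (the cost leak the scenario describes) and flags the default `Resource: "*"` policy; the bucket-scoped policy from the Terraform example produces no findings. In practice, feed it the real `describe-route-tables` output and the endpoint's PolicyDocument, and run it in CI after every VPC change.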
