How I Saved $30/Day on AWS with These 5 Simple Clicks

Chetan Bothra
2 min read · Jan 6, 2025

Running workloads on AWS can be expensive, especially when your architecture includes EKS clusters, NAT Gateways, and frequent image pulls from ECR (Elastic Container Registry). Recently, I discovered that a significant portion of my AWS bill was coming from NAT Gateway data transfer costs. After a quick investigation, I managed to save $30/day by making a small but impactful change: enabling VPC Endpoints for ECR.

Here’s how you can achieve the same cost savings in just 5 clicks.

💸 The Problem: High NAT Gateway Costs

When running an EKS cluster across multiple availability zones (AZs), each node pulls container images from ECR during deployments and restarts. By default, these image pulls go over the public internet, even if both your EKS nodes and ECR are in the same AWS region. This leads to unnecessary NAT Gateway charges.

After enabling VPC Endpoints, I reduced this to almost zero.

✅ The Solution: Enable VPC Endpoints for ECR

AWS offers VPC Endpoints that allow your resources to communicate internally within AWS’s network without using the public internet. By creating VPC Endpoints for ECR, your EKS nodes can pull images privately, eliminating NAT Gateway costs.

🎯 What You Need to Create

You’ll need to create two types of VPC Endpoints:

  1. ECR API Endpoint (com.amazonaws.<region>.ecr.api)
  2. ECR Docker Endpoint (com.amazonaws.<region>.ecr.dkr)

These endpoints ensure that:

  • Your EKS nodes pull images from ECR privately.
  • There is no public internet traffic for image pulls.

5 Simple Clicks to Save $30/Day

Here’s how you can enable VPC Endpoints in just 5 clicks:

1️⃣ Go to the VPC Console

  • Navigate to VPC in the AWS Management Console.
  • Click on Endpoints in the left sidebar.

2️⃣ Click “Create Endpoint”

  • Click the Create Endpoint button to start configuring your VPC Endpoints.

3️⃣ Select the ECR Services

  • Search for ECR in the service list.
  • Select both:
      • com.amazonaws.<region>.ecr.api
      • com.amazonaws.<region>.ecr.dkr

4️⃣ Choose Your Private Subnets

  • Select the Private Subnets where your EKS nodes are deployed.
  • Ensure that the VPC Endpoints are created in the same AZs as your nodes.

5️⃣ Enable Private DNS

  • Check the Enable Private DNS Name option to ensure your EKS nodes can access ECR using the default domain names.

Click Create Endpoint and you’re done!
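
To check the result of the five steps from the command line, the function below (an added example, not part of the original post) audits the JSON returned by `aws ec2 describe-vpc-endpoints` and `aws ec2 describe-subnets`. The function name, sample data and IDs are constructed for illustration, and the S3 gateway endpoint check goes beyond the article: ECR stores image layers in S3, so layer downloads follow the route to S3.

```python
# Added example: audit describe-vpc-endpoints output against the article's steps.
REQUIRED = ("ecr.api", "ecr.dkr")  # the two interface endpoints the article creates

def audit_ecr_endpoints(region, endpoints, subnet_az, node_subnets):
    """Return a list of findings; an empty list means the setup matches the steps.

    endpoints    -- the "VpcEndpoints" list from describe-vpc-endpoints
    subnet_az    -- {SubnetId: AvailabilityZone} built from describe-subnets
    node_subnets -- IDs of the private subnets the EKS nodes run in
    """
    findings = []
    node_azs = {subnet_az[s] for s in node_subnets}
    by_service = {e["ServiceName"]: e for e in endpoints if e.get("State") == "available"}
    for suffix in REQUIRED:
        name = f"com.amazonaws.{region}.{suffix}"
        ep = by_service.get(name)
        if ep is None:
            findings.append(f"{name}: no available endpoint")
            continue
        if not ep.get("PrivateDnsEnabled"):  # step 5
            findings.append(f"{name}: private DNS disabled, default ECR names resolve publicly")
        covered = {subnet_az.get(s) for s in ep.get("SubnetIds", [])}
        missing = node_azs - covered  # step 4: same AZs as the nodes
        if missing:
            findings.append(f"{name}: no endpoint subnet in {sorted(missing)}")
    # Beyond the article: image layers are fetched from S3, which needs its own gateway endpoint.
    s3 = by_service.get(f"com.amazonaws.{region}.s3")
    if s3 is None or s3.get("VpcEndpointType") != "Gateway":
        findings.append("s3: no gateway endpoint, image layers still leave through the NAT Gateway")
    return findings

# Constructed sample data (IDs are made up), shaped like the AWS CLI JSON output.
SUBNET_AZ = {"subnet-a": "eu-west-1a", "subnet-b": "eu-west-1b"}
SAMPLE = [
    {"ServiceName": "com.amazonaws.eu-west-1.ecr.api", "VpcEndpointType": "Interface",
     "State": "available", "PrivateDnsEnabled": True, "SubnetIds": ["subnet-a", "subnet-b"]},
    {"ServiceName": "com.amazonaws.eu-west-1.ecr.dkr", "VpcEndpointType": "Interface",
     "State": "available", "PrivateDnsEnabled": False, "SubnetIds": ["subnet-a"]},
]

if __name__ == "__main__":
    for line in audit_ecr_endpoints("eu-west-1", SAMPLE, SUBNET_AZ, ["subnet-a", "subnet-b"]):
        print(line)
```
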

🔍 What Happens After the Change?

Once the VPC Endpoints are in place:

  • Your EKS nodes will pull images from ECR internally.
  • You’ll see zero NAT Gateway costs related to image pulls.

In my case, I noticed the changes within 24 hours. The NAT Gateway data transfer charges dropped to almost nothing, and I saved about $30/day.
