🛠️ Use VPC Gateway Endpoint for DynamoDB
This is a simple, free feature that often appears in certification exam questions. However, it is still frequently overlooked, leading to additional costs for companies.
Why does this happen? The feature is often neglected because it is not mandatory. Workloads in a VPC can communicate with DynamoDB through NAT Gateways (in private subnets) or Internet Gateways (in public subnets), so everything works without it. As a result, teams prioritize deadlines and skip this optional feature, despite its easy configuration, leading to unnecessarily high costs.
Consider this: without a Gateway Endpoint for DynamoDB, that traffic incurs processing costs on the NAT Gateway (reflected as natgateway-bytes in AWS Cost Explorer). To give you an idea, these NAT Gateway processing costs can be approximately 3 to 10 times what you are paying for DynamoDB itself (in RCU and WCU) for the same workload. For example, if your DynamoDB costs are $100 per month, you might end up paying between $300 and $1,000 per month in NAT Gateway processing costs.
This expense could be easily avoided with a few clicks (or with IaC) by configuring the VPC Gateway Endpoint for DynamoDB.
You should always use VPC Gateway Endpoints whenever possible for workloads in the same region. Note that they carry IPv4 traffic only.
Documentation for creating a VPC Gateway Endpoint for DynamoDB: https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-ddb.html#create-gateway-endpoint-ddb
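One way to check whether the endpoint has been overlooked, as an added example that is not part of the original post: the script below lists route tables whose default route goes to a NAT Gateway or Internet Gateway but which have no DynamoDB Gateway Endpoint attached. It works on dictionaries shaped like the EC2 DescribeRouteTables and DescribeVpcEndpoints responses; the function names, resource IDs and region are assumptions constructed for illustration.

```python
# Added example: audit which route tables still reach DynamoDB via a NAT or
# internet gateway. Inputs follow the shape of EC2 DescribeRouteTables and
# DescribeVpcEndpoints responses; every ID and the region are constructed.

def ddb_covered_route_tables(vpc_endpoints, region):
    """Route table IDs attached to an available DynamoDB gateway endpoint."""
    service = f"com.amazonaws.{region}.dynamodb"
    covered = set()
    for ep in vpc_endpoints:
        if (ep.get("VpcEndpointType") == "Gateway"
                and ep.get("ServiceName") == service
                and ep.get("State", "").lower() == "available"):
            covered.update(ep.get("RouteTableIds", []))
    return covered

def default_route_target(route_table):
    """NAT or internet gateway ID behind an active 0.0.0.0/0 route, else None."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0" and route.get("State") == "active":
            return route.get("NatGatewayId") or route.get("GatewayId")
    return None

def find_uncovered(route_tables, vpc_endpoints, region):
    """(route_table_id, egress_target) pairs with no DynamoDB gateway endpoint."""
    covered = ddb_covered_route_tables(vpc_endpoints, region)
    return [(rt["RouteTableId"], target) for rt in route_tables
            if (target := default_route_target(rt)) and rt["RouteTableId"] not in covered]

def _rt(rtb_id, **default_route):  # helper to build constructed sample tables
    routes = [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]
    if default_route:
        routes.append({"DestinationCidrBlock": "0.0.0.0/0", "State": "active", **default_route})
    return {"RouteTableId": rtb_id, "Routes": routes}

SAMPLE_ROUTE_TABLES = [
    _rt("rtb-0aaa", NatGatewayId="nat-0111"),   # private, endpoint attached
    _rt("rtb-0bbb", NatGatewayId="nat-0111"),   # private, only an S3 endpoint
    _rt("rtb-0ccc", GatewayId="igw-0222"),      # public subnet
    _rt("rtb-0ddd"),                            # isolated, no default route
]
SAMPLE_ENDPOINTS = [
    {"VpcEndpointType": "Gateway", "ServiceName": "com.amazonaws.us-east-1.dynamodb",
     "State": "available", "RouteTableIds": ["rtb-0aaa"]},
    {"VpcEndpointType": "Gateway", "ServiceName": "com.amazonaws.us-east-1.s3",
     "State": "available", "RouteTableIds": ["rtb-0bbb"]},
]

if __name__ == "__main__":
    for rtb, target in find_uncovered(SAMPLE_ROUTE_TABLES, SAMPLE_ENDPOINTS, "us-east-1"):
        print(f"{rtb}: DynamoDB traffic leaves via {target}; no gateway endpoint attached")
```

Against a real account, pass in the "RouteTables" and "VpcEndpoints" lists returned by boto3's describe_route_tables and describe_vpc_endpoints calls, paginating if the account has many of either.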