Investigate VPC Endpoints

[dj-maisy]

What?

We should explore whether we should be making more use of VPC Endpoints.

Tasks

Preview Give feedback

1. Set up VPC Endpoint for ECR (API and DKR)
2. Set up VPC Endpoint for DocumentDB (used by Licensing)

Why?

There are two good reasons to do this:

• The majority of our traffic is currently routed through our NAT Gateways. This is expensive. A lot of our traffic consists of accessing resources and services provided by AWS. If we can route that traffic to use VPC Endpoints, you can avoid paying the premium price for traffic to be processed by the NAT Gateways (by a factor of about 4.8:1)
• Traffic that passes through AWS PrivateLink rather than out of a Nat Gateway (and theoretically via the internet) is inherently more secure, as there is no opportunity for that traffic to leave the AWS ecosystem.

Considerations

We need to consider (or check) whether we need to do the following things:

• Create or select an existing SG to enable the EKS Nodes to access the VPC Endpoints for the relevant services
• Make sure that route tables are correctly configured to allow the EKS Nodes to access the relevant AWS services via the VPC Endpoints