A service in private subnets downloads product images from Amazon S3 and stores job state in DynamoDB. A NAT Gateway is currently the only route to AWS services, and the monthly bill is dominated by NAT data processing charges. Which two changes will most directly reduce that cost? Select two.
- A
Create a gateway VPC endpoint for Amazon S3.
An S3 gateway endpoint installs a route for the regional S3 prefix list in the route tables you associate it with, so S3 requests from those private subnets stay on the AWS network instead of traversing the NAT Gateway. That removes the NAT data processing charge for the image downloads, and gateway endpoints themselves have no hourly or per-GB fee. Two caveats: the endpoint must be associated with every private route table the service uses, and it only serves buckets in the same region as the VPC. An endpoint policy can additionally restrict the endpoint to the product-image bucket.
- B
Create a gateway VPC endpoint for Amazon DynamoDB.
DynamoDB also supports a gateway endpoint (the only other service that does), which keeps table traffic off the NAT Gateway path in the same way. Using the endpoint avoids the NAT data processing fee and the need to hairpin private AWS API calls through internet egress, and its endpoint policy can be scoped to the job-state table.
- C
Add an internet gateway and move the instances into public subnets.
Why wrong: Moving the instances behind an internet gateway would bypass the NAT Gateway, but it trades a cost problem for an exposure problem: the instances need public IP addresses and become directly reachable from the internet, and public IPv4 addresses are themselves billed hourly. Gateway endpoints remove the NAT data processing charge without changing the security posture of the private subnets, so this is not the most direct fix.
- D
Replace the NAT Gateway with a Site-to-Site VPN connection.
Why wrong: A Site-to-Site VPN connects the VPC to an on-premises or other external network. It provides no path to S3 or DynamoDB by itself, so the workload would still need NAT (or an endpoint) to reach those services, and the NAT data processing charge would remain.
- E
Create an interface endpoint for S3 instead of a gateway endpoint.
Why wrong: An interface endpoint (PrivateLink) does work for S3, but it is billed per AZ-hour and per GB processed, and clients must use its endpoint-specific DNS names unless private DNS is configured. It is the right choice when S3 must be reached from on-premises or from another VPC; for lowering NAT charges on access from private subnets in the same VPC, the S3 gateway endpoint is free and needs no application changes.
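The check a practitioner wants after creating the two gateway endpoints is whether every NAT-backed route table is actually associated with them, since an endpoint only diverts traffic for the route tables it is attached to. The following is an added example, not part of the original question: it runs the audit over constructed data whose shape is assumed to match the `RouteTables` and `VpcEndpoints` lists returned by boto3's `describe_route_tables()` and `describe_vpc_endpoints()`, and also builds a least-privilege endpoint policy for an assumed bucket name. Route table, NAT gateway, endpoint and bucket identifiers are hypothetical.

```python
"""Audit which private route tables still send S3 / DynamoDB traffic through NAT.

Constructed sample data below mirrors (by assumption) the shape of
boto3 ec2.describe_route_tables()["RouteTables"] and
ec2.describe_vpc_endpoints()["VpcEndpoints"]; swap in real responses to run it live.
"""
import json
from typing import Dict, List, Set

REGION = "us-east-1"  # assumed region; gateway endpoints are region-local

# Constructed: two private route tables default to a NAT gateway, one public
# route table defaults to an internet gateway. All IDs are hypothetical.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-private-a",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc"}]},
    {"RouteTableId": "rtb-private-b",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc"}]},
    {"RouteTableId": "rtb-public",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0def"}]},
]

# Constructed: the S3 endpoint was attached to both private route tables,
# the DynamoDB endpoint to only one of them (a typical half-finished change).
VPC_ENDPOINTS = [
    {"VpcEndpointId": "vpce-s3", "VpcEndpointType": "Gateway",
     "ServiceName": f"com.amazonaws.{REGION}.s3",
     "RouteTableIds": ["rtb-private-a", "rtb-private-b"]},
    {"VpcEndpointId": "vpce-ddb", "VpcEndpointType": "Gateway",
     "ServiceName": f"com.amazonaws.{REGION}.dynamodb",
     "RouteTableIds": ["rtb-private-a"]},
]


def nat_route_tables(route_tables: List[dict]) -> List[str]:
    """Route tables whose default route is a NAT gateway: these pay NAT data charges."""
    ids = []
    for rtb in route_tables:
        for route in rtb["Routes"]:
            if route.get("DestinationCidrBlock") == "0.0.0.0/0" and "NatGatewayId" in route:
                ids.append(rtb["RouteTableId"])
                break
    return ids


def gateway_endpoint_coverage(endpoints: List[dict], service: str, region: str) -> Set[str]:
    """Route tables that already carry a gateway-endpoint route for `service` ('s3' or 'dynamodb')."""
    name = f"com.amazonaws.{region}.{service}"
    covered: Set[str] = set()
    for ep in endpoints:
        if ep["VpcEndpointType"] == "Gateway" and ep["ServiceName"] == name:
            covered.update(ep["RouteTableIds"])
    return covered


def still_via_nat(route_tables: List[dict], endpoints: List[dict], region: str) -> Dict[str, List[str]]:
    """Per service, the NAT-backed route tables that still lack an endpoint route (i.e. still billed)."""
    nat_rtbs = nat_route_tables(route_tables)
    return {svc: [r for r in nat_rtbs if r not in gateway_endpoint_coverage(endpoints, svc, region)]
            for svc in ("s3", "dynamodb")}


def s3_gateway_endpoint_policy(bucket_arns: List[str]) -> dict:
    """Endpoint policy allowing read access only to the named buckets via this endpoint.

    Each bucket appears as both the bucket ARN (for s3:ListBucket) and ARN/* (for s3:GetObject).
    """
    resources: List[str] = []
    for arn in bucket_arns:
        resources += [arn, f"{arn}/*"]
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Principal": "*",
                           "Action": ["s3:GetObject", "s3:ListBucket"],
                           "Resource": resources}]}


if __name__ == "__main__":
    for svc, rtbs in still_via_nat(ROUTE_TABLES, VPC_ENDPOINTS, REGION).items():
        print(f"{svc:9s} " + ("OK" if not rtbs else "still via NAT: " + ", ".join(rtbs)))
    print(json.dumps(s3_gateway_endpoint_policy(["arn:aws:s3:::product-images"]), indent=2))
```

On the constructed data the audit reports DynamoDB traffic from `rtb-private-b` still flowing through NAT, which is exactly the gap that keeps part of the bill alive after an incomplete rollout. Pair the endpoint policy with a bucket policy that denies access unless `aws:SourceVpce` matches the endpoint ID, so that the bucket is reachable only through the private path.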