Ask HN: How do I find why my AWS VPC is costing $34?
2 points by manishsharan 15 days ago | 12 comments
This is for my personal lab. I am at my wits' end trying to hunt down this cost. I do not have an EIP or public IP address or a NAT gateway. I do have an IPv6 egress-only gateway and EIPs for SQS, ECR and S3. I am mostly using my AWS for batch processing where I upload data to S3 and trigger a job by placing a message in an SQS queue. My VPC has subnets in different AZs.



I had a $5 a month VPS that cost $300 a month to run because it didn't have enough RAM and was swap-happy and running up incredible I/O costs against EBS. The $10 a month VPS was a lot cheaper.

In your case a Lambda could be cheaper still.


Cost explorer will help you dig into the usage type and resources used.


I am in Cost Explorer. The service that is costing $34 is VPC. I am not able to drill down into this service. I did deploy an IPv6 egress which is serverless. It is supposed to be free or charge me for data egress only. But this VPC has been idle since I deployed it.


Sort by usage type?


@QuinnyPig... fancy meeting you here. I follow your account on Twitter. Hope to see you on Bluesky soon.

here is the cost csv dump in gist https://gist.github.com/manish-2014/363482a08078e346238ef633...

I have also dumped my CloudFormation stack template. I am 100% convinced it is the IPv6 egress, which is supposed to be serverless and hence a surprise, as I did not do much with this VPC in December.


I’ve been on BlueSky for a while—same username. Say hi!

Check the usage type in Cost Explorer; if it’s under ec2-other, that disambiguates it.

IPv6 egress costs the same as IPv4 egress; the IPs don’t.


https://docs.aws.amazon.com/vpc/latest/userguide/egress-only...

As per this document: an egress-only internet gateway is for use with IPv6 traffic only. To enable outbound-only internet communication over IPv4, use a NAT gateway instead. For more information, see NAT gateways.

Pricing: There is no charge for an egress-only internet gateway, but there are data transfer charges for EC2 instances that use internet gateways. For more information, see Amazon EC2 On-Demand Pricing.


Right. That thing doesn’t incur cost itself. It’s a good egg.


$34 screams “NAT Gateway.” Are you SURE you don’t have one? I’d bet a beer on it.


That was my first guess. I am using IPv6 egress, which is supposed to be serverless.

I can confirm I do not have any NAT gateway anywhere.


I did CloudFormation stack deployments in December to my account. I am pretty sure that it is the IPv6 egress, which is supposed to be serverless and hence cheaper than NAT, that is responsible.

Here is my CloudFormation template for the VPC:

Resources:
  # VPC with IPv4 CIDR block
  BatchVpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsHostnames: true
      EnableDnsSupport: true
      InstanceTenancy: default
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-BatchVpc'
        - Key: stack
          Value: !Sub '${AWS::StackName}'

  # IPv6 CIDR Block for the VPC
  BatchVpcIpv6CidrBlock:
    Type: AWS::EC2::VPCCidrBlock
    Properties:
      VpcId: !Ref BatchVpc
      AmazonProvidedIpv6CidrBlock: true

  # Egress Only Internet Gateway for IPv6 traffic
  BatchEgressIgw:
    Type: AWS::EC2::EgressOnlyInternetGateway
    Properties:
      VpcId: !Ref BatchVpc

  # Security Group for SQS access
  BatchSgSqs:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group for SQS access
      VpcId: !Ref BatchVpc
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 10.0.0.0/16
      Tags: # Added tags
        - Key: Name
          Value: !Sub '${AWS::StackName}-BatchSgSqs'
        - Key: stack
          Value: !Sub '${AWS::StackName}'

  # Subnet for Batch instances (public subnet with IPv6)
  BatchSubnetPublicA: 
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref BatchVpc
      AvailabilityZone: !Select [ 0, !GetAZs ]
      CidrBlock: 10.0.1.0/24 
      Ipv6CidrBlock: !Select [ 0, !Cidr [ !Select [ 0, !GetAtt BatchVpc.Ipv6CidrBlocks ], 1, 64 ] ]
      AssignIpv6AddressOnCreation: true
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-BatchSubnetPublicA'
        - Key: stack
          Value: !Sub '${AWS::StackName}'
          
  # Route table for the subnet
  BatchRtbPublicA:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref BatchVpc
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-BatchRtbPublicA'
        - Key: stack
          Value: !Sub '${AWS::StackName}'

  # Associate subnet with route table
  BatchSubnetRtbAssocA: 
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref BatchSubnetPublicA
      RouteTableId: !Ref BatchRtbPublicA

  # Route for IPv6 internet traffic
  BatchRouteIpv6Internet:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref BatchRtbPublicA
      DestinationIpv6CidrBlock: ::/0
      EgressOnlyInternetGatewayId: !Ref BatchEgressIgw


  # VPC Endpoint for S3
  BatchEpS3:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref BatchVpc
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.s3'
      RouteTableIds:
        - !Ref BatchRtbPublicA
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: '*'
            Action:
              - 's3:*'
            Resource: '*'

  # VPC Endpoint for SQS
  BatchEpSqs:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref BatchVpc
      VpcEndpointType: Interface
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.sqs'
      SubnetIds: 
        - !Ref BatchSubnetPublicA
      SecurityGroupIds:
        - !Ref BatchSgSqs
      PrivateDnsEnabled: true
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: '*'
            Action:
              - 'sqs:*' 
            Resource: '*'
  # VPC Endpoint for ECS
  BatchEpEcs:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref BatchVpc
      VpcEndpointType: Interface
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ecs'
      SubnetIds:
        - !Ref BatchSubnetPublicA
      SecurityGroupIds:
        - !Ref BatchSgSqs
      PrivateDnsEnabled: true
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: '*'
            Action: 'ecs:*'
            Resource: '*'

  BatchEpEcsAgent:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref BatchVpc
      VpcEndpointType: Interface
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ecs-agent'
      SubnetIds:
        - !Ref BatchSubnetPublicA
      SecurityGroupIds:
        - !Ref BatchSgSqs
      PrivateDnsEnabled: true
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: '*'
            Action: 'ecs:*'
            Resource: '*'

  BatchEpEcrApi:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref BatchVpc
      VpcEndpointType: Interface
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ecr.api'
      SubnetIds:
        - !Ref BatchSubnetPublicA
      SecurityGroupIds:
        - !Ref BatchSgSqs
      PrivateDnsEnabled: true
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: '*'
            Action:
              - ecr:GetAuthorizationToken
              - ecr:BatchCheckLayerAvailability
              - ecr:GetDownloadUrlForLayer
              - ecr:BatchGetImage
            Resource: '*'

  BatchEpEcrDkr:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref BatchVpc
      VpcEndpointType: Interface
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ecr.dkr'
      SubnetIds:
        - !Ref BatchSubnetPublicA
      SecurityGroupIds:
        - !Ref BatchSgSqs
      PrivateDnsEnabled: true
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: '*'
            Action:
              - ecr:GetAuthorizationToken
              - ecr:BatchCheckLayerAvailability
              - ecr:GetDownloadUrlForLayer
              - ecr:BatchGetImage
            Resource: '*'

  # VPC Endpoint for CloudWatch Logs
  BatchEpCloudWatchLogs:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref BatchVpc
      VpcEndpointType: Interface
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.logs'
      SubnetIds: 
        - !Ref BatchSubnetPublicA
      SecurityGroupIds:
        - !Ref BatchSgSqs
      PrivateDnsEnabled: true
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: '*'
            Action:
              - 'logs:CreateLogGroup'
              - 'logs:CreateLogStream'
              - 'logs:PutLogEvents'
              - 'logs:DescribeLogGroups'
              - 'logs:DescribeLogStreams'
            Resource: '*'

Outputs:
  BatchVpcId:
    Value: !Ref BatchVpc
    Export:
      Name: sandbox-infra-lite-CustomJob-batch-network:VpcId

  BatchSubnetId:
    Value: !Ref BatchSubnetPublicA
    Export:
      Name: sandbox-infra-lite-CustomJob-batch-network:BatchSubnetId

  BatchSgId:
    Value: !Ref BatchSgSqs
    Export:
      Name: sandbox-infra-lite-CustomJob-batch-network:BatchSgId


Oh! It’s your interface endpoints. Each one costs you a penny an hour (the S3 and DynamoDB gateway endpoints are free).
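As an added example (not from the thread or the poster's stack), a small Python scanner that applies the point above to a CloudFormation template: it counts each interface endpoint once per subnet it is placed in, since each subnet is an AZ billed separately, and multiplies by the quoted penny-an-hour rate. The sample template and the Rtb/SubnetA/SubnetB names are constructed, and the rate is the figure from the comment, not a checked price-list value for any region.

```python
import re

INTERFACE_HOURLY_USD = 0.01  # per endpoint per AZ, the "penny an hour" from the thread
HOURS_PER_MONTH = 730        # AWS's usual billing-month approximation

# Constructed sample: a free gateway endpoint plus two interface endpoints, one in two subnets.
SAMPLE_TEMPLATE = """\
Resources:
  EpS3:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      RouteTableIds:
        - !Ref Rtb
  EpSqs:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Interface
      SubnetIds:
        - !Ref SubnetA
  EpLogs:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Interface
      SubnetIds:
        - !Ref SubnetA
        - !Ref SubnetB
"""

def interface_endpoints(template):
    """Map logical id -> subnet count for each interface endpoint. Plain line scan (no
    PyYAML): resources are the 2-space-indented keys; no VpcEndpointType means gateway (free)."""
    iface, subnets, cur, in_list = set(), {}, None, False
    for line in template.splitlines():
        m, s = re.match(r"^  (\w+):\s*$", line), line.strip()
        if m:                                   # new resource block
            cur, in_list = m.group(1), False
            subnets[cur] = 0
        elif s == "VpcEndpointType: Interface":
            iface.add(cur)
        elif s == "SubnetIds:":                 # list of subnets, one AZ each
            in_list = True
        elif in_list and s.startswith("- "):
            subnets[cur] += 1
        else:                                   # any other key ends the list
            in_list = False
    return {name: subnets[name] for name in iface}

def monthly_estimate(template, hourly=INTERFACE_HOURLY_USD, hours=HOURS_PER_MONTH):
    """USD per month: every interface endpoint x every subnet it sits in x hourly rate."""
    return round(sum(interface_endpoints(template).values()) * hourly * hours, 2)
```

Run over the template posted above it finds six interface endpoints in one subnet, which is the figure to compare against the "ec2-other" usage lines in Cost Explorer.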



