How to stop and start AWS VPC Endpoints while unused

Filippo Testini
4 min read · Aug 29, 2022

VPC Endpoints in AWS let resources inside a VPC reach AWS services without traversing the public internet: Gateway Endpoints (for S3 and DynamoDB) add a prefix-list route to a route table, while Interface Endpoints (PrivateLink, for services such as CloudWatch Logs or ECR) place elastic network interfaces in your subnets and, with private DNS enabled, make the service hostname resolve to those private addresses.

Unfortunately, Interface Endpoints are not included in the AWS Free Tier: each one is billed per hour for every Availability Zone it is deployed in, plus a charge per GB processed, so a handful of them can add noticeably to the monthly bill. (Gateway Endpoints for S3 and DynamoDB carry no charge, so there is nothing to save by deleting those.)

But there are situations (e.g. a development environment whose services are not used outside working hours) where the endpoints are certainly idle, and the cost of keeping them is pure waste.

There is no way to stop and start an endpoint: it is a persistent resource that can only be created and deleted. Two consequences are worth knowing before automating this. First, an endpoint gets a new ID (vpce-…) every time it is recreated, so any policy that conditions on the old ID (for example an S3 bucket policy using aws:SourceVpce) must be updated. Second, while an interface endpoint with private DNS is absent, the service hostname resolves to its public address again, so workloads either fail (isolated subnets) or silently use the NAT/Internet path (subnets with an outbound route).

But here’s a simple way to automate the creation and deletion of one or more VPC Endpoints on a schedule, using other AWS services that stay within the Free Tier for this workload, so no extra cost is added:

  • CloudFormation
  • S3
  • Lambda
  • EventBridge

Step 1: Write a CloudFormation Stack

First, you need to write a CloudFormation template that declares all the VPC Endpoints you want to create on schedule; the stack built from it will be created in the morning and deleted in the evening.

Here’s an example of a stack template with two simple endpoints:
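The template below is an added example, not the article's own, written to match the parameter list the article describes: one interface endpoint (ECR API) and one gateway endpoint (S3). Parameter names, the security group requirement and the outputs are assumptions; replace the service names with the ones you need.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not the article's own template): one interface endpoint
  (ECR API) and one gateway endpoint (S3), parameterised as the article
  describes. Parameter names are assumptions.

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  SubnetIdA:
    Type: AWS::EC2::Subnet::Id
  SubnetIdB:
    Type: AWS::EC2::Subnet::Id
  SubnetIdC:
    Type: AWS::EC2::Subnet::Id
  EndpointSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id
    Description: Must allow inbound TCP 443 from the VPC CIDR, nothing wider.
  RouteTableId:
    Type: String
    Description: Route table that receives the S3 prefix-list route (gateway endpoint only).

Resources:
  # Interface endpoint: one ENI per subnet, reachable only through the SG above.
  EcrApiEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      VpcEndpointType: Interface
      ServiceName: !Sub com.amazonaws.${AWS::Region}.ecr.api
      PrivateDnsEnabled: true
      SubnetIds: [!Ref SubnetIdA, !Ref SubnetIdB, !Ref SubnetIdC]
      SecurityGroupIds: [!Ref EndpointSecurityGroupId]

  # Gateway endpoint: no ENI, no SG; it only adds a route to the given table.
  S3GatewayEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      VpcEndpointType: Gateway
      ServiceName: !Sub com.amazonaws.${AWS::Region}.s3
      RouteTableIds: [!Ref RouteTableId]

Outputs:
  # The ID changes on every recreation; read it from here rather than hard-coding it.
  EcrApiEndpointId:
    Value: !Ref EcrApiEndpoint
```

If you also attach a PolicyDocument to an endpoint, keep it in the template so the same restrictions are reapplied on every recreation.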

If you want to extract the definition of some already created Endpoints, you can use Former2, a powerful tool to analyze your AWS account and extract draft CloudFormation templates.

In the above template, there are six parameters that must be filled with your data:

  • The VPC Id where the Endpoints will be created
  • The Subnet in Availability Zone A that will have visibility of the Endpoints
  • The Subnet in Availability Zone B that will have visibility of the Endpoints
  • The Subnet in Availability Zone C that will have visibility of the Endpoints
  • The Security Group that will be used for the Interface Endpoints (it must allow inbound TCP 443 from the VPC CIDR, and nothing more)
  • The Route Table where the new route for the Gateway Endpoint will be added. This parameter can be deleted if your stack has no Gateway Endpoints.

Step 2: Setup the roles for the Lambda functions

The Lambda functions that we will create in the following steps will run under IAM execution roles that we should configure before creating the functions. Note that CloudFormation creates and deletes resources with the permissions of the principal that calls it, so the Lambda role, not CloudFormation itself, needs the EC2 permissions.

CreateStack Policy & Role

First, create the policy that will be attached to the CreateStack role. The policy must have:

  • The standard CloudWatch Logs permissions for a Lambda function (logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents).
  • The permission to create the Endpoints and to write the new routes (ec2:CreateVpcEndpoint, ec2:ModifyVpcEndpoint and the ec2:Describe* calls CloudFormation needs for the VPC, subnets, security groups, route tables and endpoints), since the stack will be launched with this role from the Lambda function.
  • Deletion permissions (ec2:DeleteVpcEndpoints) as well, otherwise a failed creation cannot roll back.
  • The permission to create the new CloudFormation stack (cloudformation:CreateStack, plus cloudformation:DescribeStacks if you want to check the result), and s3:GetObject on the template object.

It should be something like this:
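The policy below is an added example, not the article's own, scoped to one stack name, one template object and one region. Account ID, region, bucket name, object key and stack name are placeholders you must replace.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LambdaLogs",
      "Effect": "Allow",
      "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
      "Resource": "arn:aws:logs:eu-west-1:123456789012:*"
    },
    {
      "Sid": "ReadTemplate",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-cfn-templates/vpc-endpoints.yaml"
    },
    {
      "Sid": "CreateOnlyThisStack",
      "Effect": "Allow",
      "Action": ["cloudformation:CreateStack", "cloudformation:DescribeStacks"],
      "Resource": "arn:aws:cloudformation:eu-west-1:123456789012:stack/dev-vpc-endpoints/*"
    },
    {
      "Sid": "ManageEndpoints",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVpcEndpoint",
        "ec2:ModifyVpcEndpoint",
        "ec2:DeleteVpcEndpoints",
        "ec2:DescribeVpcEndpoints",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeRouteTables"
      ],
      "Resource": "*"
    }
  ]
}
```

The ec2 Describe* actions do not support resource-level restriction, which is why that statement uses "*"; the cloudformation actions do, so the role cannot create or inspect any other stack.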

You can now create an IAM role trusted by lambda.amazonaws.com (a Lambda execution role, not a service-linked role), attach this policy to it, and use it for the create-stack Lambda function.

DeleteStack Policy & Role

The delete policy mirrors the create one.

It must include:

  • The same CloudWatch Logs permissions.
  • ec2:DescribeVpcs, ec2:DescribeSubnets, ec2:DescribeSecurityGroups, ec2:DescribeVpcEndpoints and, as the only write action, ec2:DeleteVpcEndpoints.
  • The cloudformation:DeleteStack permission (plus cloudformation:DescribeStacks if the function checks the result), again limited to the stack name.

Keeping the two roles separate means the scheduled stop function never holds permission to create endpoints, and the start function holds deletion rights only for rollback.

Step 3: Upload the CloudFormation template on an S3 Bucket

I suggest creating a new S3 bucket as the repository for your CloudFormation template, but you are free to put the template in a pre-existing bucket.

It is important that the CreateStack role can read the template: CloudFormation fetches the TemplateURL with the caller's permissions, so a private bucket returns Access Denied unless the role is allowed s3:GetObject. In the same account, the s3:GetObject statement in the role's own policy is enough; if the bucket lives in another account, or you prefer to express the grant on the bucket side, add a Bucket Policy that allows the CreateStack role we created in the previous step, something like this:
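The bucket policy below is an added example, not the article's own. The account ID, role name, bucket and object key are placeholders. It grants the single object to the single role and nothing else; do not use a "*" principal here, since that would publish your network layout.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCreateStackRoleToReadTemplate",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/vpc-endpoints-create-stack-role"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-cfn-templates/vpc-endpoints.yaml"
    }
  ]
}
```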

Step 4: Create the Lambda Functions

The functions are in themselves very simple: using the AWS SDK for Python (boto3) in a Python Lambda runtime, they call CreateStack or DeleteStack on CloudFormation.

CreateStack function

DeleteStack function
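The module below is an added example, not the article's own code; it serves both the CreateStack and DeleteStack functions described above, selected by an ACTION environment variable, and reads the stack name, template URL and stack parameters from environment variables so one deployment package works for both. Two details matter in practice: a stack whose creation failed and rolled back cannot be recreated under the same name, so OnFailure=DELETE is passed to avoid a morning run that fails forever; and a rule that fires twice (or a stack already present) is reported rather than raised. The stack name, template URL, PARAM_* convention and the optional client argument are assumptions.

```python
"""Added example, not the article's code: one Lambda module for both the
CreateStack and DeleteStack functions. Values below are assumptions."""
import os

STACK_NAME = os.environ.get("STACK_NAME", "dev-vpc-endpoints")
TEMPLATE_URL = os.environ.get(
    "TEMPLATE_URL",
    "https://example-cfn-templates.s3.eu-west-1.amazonaws.com/vpc-endpoints.yaml",
)


def stack_parameters(env=None):
    """Map PARAM_<Key>=<Value> environment variables to CloudFormation
    Parameters, e.g. PARAM_VpcId=vpc-123 -> {"ParameterKey": "VpcId", ...}."""
    env = os.environ if env is None else env
    return [
        {"ParameterKey": key[len("PARAM_"):], "ParameterValue": value}
        for key, value in sorted(env.items())
        if key.startswith("PARAM_")
    ]


def _cfn(client=None):
    """Return the injected client (tests) or a real boto3 CloudFormation client.
    boto3 is imported lazily so the module loads where the SDK is absent."""
    if client is not None:
        return client
    import boto3
    return boto3.client("cloudformation")


def create_stack(client=None, stack_name=STACK_NAME,
                 template_url=TEMPLATE_URL, parameters=None):
    """Morning run: create the endpoint stack. OnFailure=DELETE removes a
    failed stack so the next run is not blocked by ROLLBACK_COMPLETE."""
    cfn = _cfn(client)
    params = stack_parameters() if parameters is None else parameters
    try:
        resp = cfn.create_stack(
            StackName=stack_name,
            TemplateURL=template_url,
            Parameters=params,
            OnFailure="DELETE",
        )
    except cfn.exceptions.AlreadyExistsException:
        # A second trigger, or a stack left over from a skipped evening run.
        return {"status": "exists", "stack": stack_name}
    return {"status": "created", "stack": stack_name, "id": resp["StackId"]}


def delete_stack(client=None, stack_name=STACK_NAME):
    """Evening run: delete the stack. DeleteStack on an absent stack succeeds
    silently, so a double-fired schedule does not raise."""
    cfn = _cfn(client)
    cfn.delete_stack(StackName=stack_name)
    return {"status": "delete_requested", "stack": stack_name}


def lambda_handler(event, context):
    """Entry point. ACTION=create|delete selects the behaviour; an 'action'
    key in the event is honoured when the variable is unset (assumption)."""
    action = os.environ.get("ACTION", (event or {}).get("action", "create"))
    if action == "create":
        return create_stack()
    if action == "delete":
        return delete_stack()
    raise ValueError(f"unknown ACTION {action!r}")
```

Deploy the same package twice: once with ACTION=create under the CreateStack role, once with ACTION=delete under the DeleteStack role. Because deletion of a stack with DELETE_FAILED resources needs a human look, keep the Lambda's CloudWatch log group and alarm on errors rather than letting a broken evening run go unnoticed.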

You could, of course, parametrize the static parts (the stack name and the template URL) through environment variables to obtain more general-purpose functions.

Step 5: Create the EventBridge scheduled events

The environment is all set: now we just have to create the scheduled stop and start EventBridge rules, one targeting the DeleteStack function and one targeting the CreateStack function.

To do it, just follow these steps:

  1. Open the EventBridge dashboard and create a new Rule.
  2. Define the name of the rule, choose the default Event Bus and the “Schedule” Rule Type.
  3. Define the cron expression on which the event will fire, e.g. the cron “0 19 ? * MON-FRI *” fires at 19:00 on every weekday; note that EventBridge cron expressions are evaluated in UTC, not in your local time zone. You can use CronHub to write and validate your cron expressions.
  4. Define the target of the rule (the DeleteStack Lambda function for the evening rule, the CreateStack function for the morning one). The console adds the resource-based policy that lets events.amazonaws.com invoke the function; if you create the rule with the CLI or IaC, add that permission yourself.

That’s it: we now have scheduled stop and start events for our VPC Endpoints!

Hope you liked this article: let me know your opinion!
