Ask HN: How do I find why my AWS VPC is costing $34?

2 points by manishsharan 4 months ago
This is for my personal lab. I am at my wits' end trying to hunt down this cost. I do not have an EIP or public IP address or a NAT gateway. I do have an ipv6 egress only gateway and EIPs for SQS, ECR and S3. I am mostly using my AWS for batch processing where I upload data to S3 and trigger a job by placing a message in a SQS queue. My VPC has subnets in different AZ.

4 comments

PaulHoule 4 months ago
I had a $5 a month VPS that cost $300 a month to run because it didn't have enough RAM and was swap-happy and running up incredible I/O costs against EBS. The $10 a month VPS was a lot cheaper.

In your case a Lambda could be cheaper still.
brodouevencode 4 months ago
Cost explorer will help you dig into the usage type and resources used.
QuinnyPig 4 months ago
$34 screams “NAT Gateway.” Are you SURE you don’t have one? I’d bet a beer on it.
manishsharan 4 months ago
I did cloudformation stack deployments in December to my account. I am pretty sure that it is the ipv6 egress, which is supposed to be serverless and hence cheaper than NAT, that is responsible.

Here is my cloudformation template for VPC:

    Resources:
      # VPC with IPv4 CIDR block
      BatchVpc:
        Type: AWS::EC2::VPC
        Properties:
          CidrBlock: 10.0.0.0/16
          EnableDnsHostnames: true
          EnableDnsSupport: true
          InstanceTenancy: default
          Tags:
            - Key: Name
              Value: !Sub '${AWS::StackName}-BatchVpc'
            - Key: stack
              Value: !Sub '${AWS::StackName}'

      # IPv6 CIDR Block for the VPC
      BatchVpcIpv6CidrBlock:
        Type: AWS::EC2::VPCCidrBlock
        Properties:
          VpcId: !Ref BatchVpc
          AmazonProvidedIpv6CidrBlock: true

      # Egress Only Internet Gateway for IPv6 traffic
      BatchEgressIgw:
        Type: AWS::EC2::EgressOnlyInternetGateway
        Properties:
          VpcId: !Ref BatchVpc

      # Security Group for SQS access
      BatchSgSqs:
        Type: AWS::EC2::SecurityGroup
        Properties:
          GroupDescription: Security group for SQS access
          VpcId: !Ref BatchVpc
          SecurityGroupIngress:
            - IpProtocol: tcp
              FromPort: 443
              ToPort: 443
              CidrIp: 10.0.0.0/16
          Tags: # Added tags
            - Key: Name
              Value: !Sub '${AWS::StackName}-BatchSgSqs'
            - Key: stack
              Value: !Sub '${AWS::StackName}'

      # Subnet for Batch instances (public subnet with IPv6)
      BatchSubnetPublicA:
        Type: AWS::EC2::Subnet
        Properties:
          VpcId: !Ref BatchVpc
          AvailabilityZone: !Select [ 0, !GetAZs ]
          CidrBlock: 10.0.1.0/24
          Ipv6CidrBlock: !Select [ 0, !Cidr [ !Select [ 0, !GetAtt BatchVpc.Ipv6CidrBlocks ], 1, 64 ] ]
          AssignIpv6AddressOnCreation: true
          Tags:
            - Key: Name
              Value: !Sub '${AWS::StackName}-BatchSubnetPublicA'
            - Key: stack
              Value: !Sub '${AWS::StackName}'

      # Route table for the subnet
      BatchRtbPublicA:
        Type: AWS::EC2::RouteTable
        Properties:
          VpcId: !Ref BatchVpc
          Tags:
            - Key: Name
              Value: !Sub '${AWS::StackName}-BatchRtbPublicA'
            - Key: stack
              Value: !Sub '${AWS::StackName}'

      # Associate subnet with route table
      BatchSubnetRtbAssocA:
        Type: AWS::EC2::SubnetRouteTableAssociation
        Properties:
          SubnetId: !Ref BatchSubnetPublicA
          RouteTableId: !Ref BatchRtbPublicA

      # Route for IPv6 internet traffic
      BatchRouteIpv6Internet:
        Type: AWS::EC2::Route
        Properties:
          RouteTableId: !Ref BatchRtbPublicA
          DestinationIpv6CidrBlock: ::/0
          EgressOnlyInternetGatewayId: !Ref BatchEgressIgw

      # VPC Endpoint for S3
      BatchEpS3:
        Type: AWS::EC2::VPCEndpoint
        Properties:
          VpcId: !Ref BatchVpc
          ServiceName: !Sub 'com.amazonaws.${AWS::Region}.s3'
          RouteTableIds:
            - !Ref BatchRtbPublicA
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Principal: '*'
                Action:
                  - 's3:*'
                Resource: '*'

      # VPC Endpoint for SQS
      BatchEpSqs:
        Type: AWS::EC2::VPCEndpoint
        Properties:
          VpcId: !Ref BatchVpc
          VpcEndpointType: Interface
          ServiceName: !Sub 'com.amazonaws.${AWS::Region}.sqs'
          SubnetIds:
            - !Ref BatchSubnetPublicA
          SecurityGroupIds:
            - !Ref BatchSgSqs
          PrivateDnsEnabled: true
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Principal: '*'
                Action:
                  - 'sqs:*'
                Resource: '*'

      # for ECS
      BatchEpEcs:
        Type: AWS::EC2::VPCEndpoint
        Properties:
          VpcId: !Ref BatchVpc
          VpcEndpointType: Interface
          ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ecs'
          SubnetIds:
            - !Ref BatchSubnetPublicA
          SecurityGroupIds:
            - !Ref BatchSgSqs
          PrivateDnsEnabled: true
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Principal: '*'
                Action: 'ecs:*'
                Resource: '*'

      BatchEpEcsAgent:
        Type: AWS::EC2::VPCEndpoint
        Properties:
          VpcId: !Ref BatchVpc
          VpcEndpointType: Interface
          ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ecs-agent'
          SubnetIds:
            - !Ref BatchSubnetPublicA
          SecurityGroupIds:
            - !Ref BatchSgSqs
          PrivateDnsEnabled: true
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Principal: '*'
                Action: 'ecs:*'
                Resource: '*'

      BatchEpEcrApi:
        Type: AWS::EC2::VPCEndpoint
        Properties:
          VpcId: !Ref BatchVpc
          VpcEndpointType: Interface
          ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ecr.api'
          SubnetIds:
            - !Ref BatchSubnetPublicA
          SecurityGroupIds:
            - !Ref BatchSgSqs
          PrivateDnsEnabled: true
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Principal: '*'
                Action:
                  - ecr:GetAuthorizationToken
                  - ecr:BatchCheckLayerAvailability
                  - ecr:GetDownloadUrlForLayer
                  - ecr:BatchGetImage
                Resource: '*'

      BatchEpEcrDkr:
        Type: AWS::EC2::VPCEndpoint
        Properties:
          VpcId: !Ref BatchVpc
          VpcEndpointType: Interface
          ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ecr.dkr'
          SubnetIds:
            - !Ref BatchSubnetPublicA
          SecurityGroupIds:
            - !Ref BatchSgSqs
          PrivateDnsEnabled: true
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Principal: '*'
                Action:
                  - ecr:GetAuthorizationToken
                  - ecr:BatchCheckLayerAvailability
                  - ecr:GetDownloadUrlForLayer
                  - ecr:BatchGetImage
                Resource: '*'

      # VPC Endpoint for CloudWatch Logs
      BatchEpCloudWatchLogs:
        Type: AWS::EC2::VPCEndpoint
        Properties:
          VpcId: !Ref BatchVpc
          VpcEndpointType: Interface
          ServiceName: !Sub 'com.amazonaws.${AWS::Region}.logs'
          SubnetIds:
            - !Ref BatchSubnetPublicA
          SecurityGroupIds:
            - !Ref BatchSgSqs
          PrivateDnsEnabled: true
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Principal: '*'
                Action:
                  - 'logs:CreateLogGroup'
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
                  - 'logs:DescribeLogGroups'
                  - 'logs:DescribeLogStreams'
                Resource: '*'

    Outputs:
      BatchVpcId:
        Value: !Ref BatchVpc
        Export:
          Name: sandbox-infra-lite-CustomJob-batch-network:VpcId

      BatchSubnetId:
        Value: !Ref BatchSubnetPublicA
        Export:
          Name: sandbox-infra-lite-CustomJob-batch-network:BatchSubnetId

      BatchSgId:
        Value: !Ref BatchSgSqs
        Export:
          Name: sandbox-infra-lite-CustomJob-batch-network:BatchSgId
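Interface VPC endpoints are billed per endpoint per Availability Zone for every hour they exist, whether or not traffic flows, so one way to narrow down a fixed VPC charge is to count them in the template. The script below is an added example, not code from the thread: it scans a block-style CloudFormation template for `VpcEndpointType: Interface` resources and estimates their monthly hourly charge. The helper names, the 0.01 USD per AZ-hour rate, the 730-hour month and the condensed sample (logical IDs copied from the template above) are assumptions.

```python
HOURLY_USD = 0.01      # assumed rate per endpoint per AZ-hour; check your region
HOURS_PER_MONTH = 730  # assumed average month length in hours
# Constructed sample: logical IDs from the template in the thread, reduced to
# the fields this check reads.
IFACE_IDS = ["BatchEpSqs", "BatchEpEcs", "BatchEpEcsAgent",
             "BatchEpEcrApi", "BatchEpEcrDkr", "BatchEpCloudWatchLogs"]
SAMPLE = (
    "Resources:\n"
    "  BatchEgressIgw:\n    Type: AWS::EC2::EgressOnlyInternetGateway\n"
    "  BatchEpS3:\n    Type: AWS::EC2::VPCEndpoint\n"
    "    Properties:\n      RouteTableIds:\n        - !Ref BatchRtbPublicA\n"
    + "".join(
        f"  {i}:\n    Type: AWS::EC2::VPCEndpoint\n    Properties:\n"
        "      VpcEndpointType: Interface\n      SubnetIds:\n"
        "        - !Ref BatchSubnetPublicA\n      SecurityGroupIds:\n"
        "        - !Ref BatchSgSqs\n" for i in IFACE_IDS)
)

def interface_endpoints(template_text):
    """Map logical ID -> subnet count for Interface VPC endpoints.
    Hypothetical helper: assumes a block-style template indented by 2 spaces."""
    resources, current, in_subnets = {}, None, False
    for line in template_text.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if indent == 2 and stripped.endswith(":"):   # new logical ID
            current = resources.setdefault(
                stripped[:-1], {"type": "", "iface": False, "subnets": 0})
            in_subnets = False
        elif current is None or not stripped or stripped.startswith("#"):
            continue
        elif indent == 4 and stripped.startswith("Type:"):
            current["type"] = stripped.split(":", 1)[1].strip()
        elif stripped == "VpcEndpointType: Interface":
            current["iface"] = True
        elif stripped == "SubnetIds:":
            in_subnets = True
        elif in_subnets and stripped.startswith("- "):
            current["subnets"] += 1                  # one entry per AZ
        else:
            in_subnets = False
    return {name: r["subnets"] for name, r in resources.items()
            if r["type"] == "AWS::EC2::VPCEndpoint" and r["iface"]}

def monthly_estimate(template_text):
    """Fixed hourly charge only; per-GB data processing is not included."""
    az_count = sum(interface_endpoints(template_text).values())
    return round(az_count * HOURS_PER_MONTH * HOURLY_USD, 2)

if __name__ == "__main__":
    print(interface_endpoints(SAMPLE), monthly_estimate(SAMPLE))
```

The S3 endpoint is skipped because it declares no `VpcEndpointType`, which makes it a Gateway endpoint.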