AWS NAT Gateway: What AWS VPC endpoints do I need?


We have a VPC with 3 public subnets and 3 private subnets.

Public subnets reach the Internet through an Internet Gateway. Private subnets reach the Internet through their own NAT Gateways (one for each).

After creating a couple of Batch compute environments and Lambdas (the Lambdas use a custom image located in ECR repos) which run in private subnets, our bill increased with NAT Gateway traffic.

We forgot to create VPC endpoints for S3 and Secrets Manager. OK, we created those endpoints.

But our bill for NAT Gateway traffic is still too much.

We activated flow logs and started our quest.

We examined the traffic between the NAT Gateways and the Internet. It is all HTTPS traffic. We deduced it was AWS services calling other AWS services' APIs.

We created some other VPC endpoints and that worked. Our NAT Gateway traffic was less than before. But we still had some HTTPS traffic. Our apps are not creating this traffic. So we need more AWS VPC endpoints. AWS VPC endpoints have a cost.

How can we know which VPC Endpoints we need?

Flow logs are not layer 7 logs. Is there some way to sniff the traffic?

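One triage step for the question above, as an added example that is not part of the original post: aggregate ACCEPTed egress bytes from the default-format VPC flow log records by destination and map each destination to a service/region using the published AWS IP ranges (https://ip-ranges.amazonaws.com/ip-ranges.json). The flow log lines and the `SAMPLE_IP_RANGES` dictionary below are constructed stand-ins (documentation address ranges, a placeholder account and ENI); the real file has the same `prefixes` shape but different addresses.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the default VPC flow log format (not real traffic):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOGS = """\
2 111111111111 eni-0placeholder0 10.0.1.25 203.0.113.10 49152 443 6 12 8400 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-0placeholder0 10.0.1.25 203.0.113.10 49153 443 6 40 52000 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-0placeholder0 10.0.2.40 198.51.100.7 49154 443 6 9 3100 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-0placeholder0 10.0.3.12 192.0.2.200 49155 443 6 5 900 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-0placeholder0 10.0.3.12 192.0.2.200 49156 80 6 2 120 1700000000 1700000060 REJECT OK
"""

# Constructed stand-in for ip-ranges.json. As in the real file, a generic
# AMAZON prefix can contain a more specific per-service prefix.
SAMPLE_IP_RANGES = {
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.0/25", "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "AMAZON"},
    ]
}

# RFC 1918 space is used as "inside the VPC"; anything else leaving a private
# subnet goes through the NAT Gateway and is what the bill is about.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_vpc(addr):
    return any(addr in net for net in RFC1918)


def egress_bytes_by_service(flow_log_text, ip_ranges):
    """Return [((service, region), bytes), ...] for accepted VPC-to-outside
    traffic, most bytes first. Unmatched destinations are reported by IP so
    they can be looked up (e.g. in Route 53 Resolver query logs)."""
    nets = [(ipaddress.ip_network(p["ip_prefix"]), (p["service"], p["region"]))
            for p in ip_ranges["prefixes"]]
    totals = defaultdict(int)
    for line in flow_log_text.splitlines():
        f = line.split()
        if len(f) < 14 or f[12] != "ACCEPT":
            continue  # skip truncated records and rejected flows
        src, dst, nbytes = ipaddress.ip_address(f[3]), ipaddress.ip_address(f[4]), int(f[9])
        if not in_vpc(src) or in_vpc(dst):
            continue  # only flows that leave the VPC traverse the NAT Gateway
        # Longest-prefix match so a per-service prefix beats the generic AMAZON one
        matches = [(net.prefixlen, label) for net, label in nets if dst in net]
        label = max(matches)[1] if matches else ("UNKNOWN", str(dst))
        totals[label] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for (service, region), nbytes in egress_bytes_by_service(SAMPLE_FLOW_LOGS, SAMPLE_IP_RANGES):
        print(f"{service:8} {region:12} {nbytes:>8} bytes")
```

Most service API endpoints (ECR, Secrets Manager, CloudWatch Logs, ...) appear only under the generic AMAZON service in ip-ranges.json, so this tells you how much NAT traffic is AWS-bound but not always which service; enabling Route 53 Resolver query logging for the VPC gives the hostnames the workloads resolved, which name the exact interface endpoint to create.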