AWS · LinkedIn Post · February 26, 2026 · 1 min read · 201 words

How I reduced AWS networking costs by 93% while removing public attack surface


Mojahid Ul Haque

DevOps Engineer


I recently tackled a common but expensive challenge in AWS: the hidden cost of public IPv4 addresses.

In a setup with dozens of ECS Fargate tasks, my "In-use Public IP" charges were hitting hundreds of dollars per month. Beyond the cost, having backend workers exposed to the public internet was a security risk I wanted to eliminate.

The Fix: I transitioned the entire architecture to a private-first model.

1. Disabled Public IPs: Moved all Fargate tasks to private mode within the VPC.
2. VPC Peering: Connected multiple VPCs using VPC Peering to enable secure, private communication between services across environments, with no internet routing required.
3. Optimized Routing: Navigated complex DNS and routing requirements to ensure seamless communication between services without needing a NAT Gateway.
4. Added a Public Load Balancer: Introduced an internet-facing Application Load Balancer to handle inbound traffic. Only the load balancer is publicly accessible; backend services remain private.
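One way to check that an ECS deployment actually follows the private-first model above, as an added example that is not part of the original post: an offline audit over records shaped like `aws ecs describe-services` and `aws ec2 describe-route-tables` output (the field names are the real AWS ones; the service names, subnet and gateway IDs are constructed).

```python
# Added audit helper (not from the post): flags ECS services that still request a
# public IPv4 address or sit in a subnet whose default route goes to an internet gateway.
# Input shapes follow `aws ecs describe-services` / `aws ec2 describe-route-tables`;
# every value below is constructed, not a real resource.
SAMPLE_SERVICES = [
    {"serviceName": "api-worker", "launchType": "FARGATE",
     "networkConfiguration": {"awsvpcConfiguration": {
         "assignPublicIp": "ENABLED", "subnets": ["subnet-pub-a"]}}},
    {"serviceName": "billing-worker", "launchType": "FARGATE",
     "networkConfiguration": {"awsvpcConfiguration": {
         "assignPublicIp": "DISABLED", "subnets": ["subnet-priv-b"]}}},
]
# Constructed route entries per subnet (the "Routes" list of its route table).
SAMPLE_ROUTES = {
    "subnet-pub-a": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE"}],
    "subnet-priv-b": [{"DestinationCidrBlock": "10.20.0.0/16",
                       "VpcPeeringConnectionId": "pcx-EXAMPLE"}],
}

def subnet_egress(routes):
    """Classify a subnet by its 0.0.0.0/0 route: 'igw' (public), 'nat', or 'none'."""
    for route in routes:
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "igw"
        if route.get("NatGatewayId"):
            return "nat"
    return "none"

def audit(services, routes_by_subnet):
    """Return (service, finding) pairs for services that break the private-first model."""
    findings = []
    for svc in services:
        cfg = svc.get("networkConfiguration", {}).get("awsvpcConfiguration", {})
        if cfg.get("assignPublicIp") == "ENABLED":
            findings.append((svc["serviceName"],
                             "assignPublicIp=ENABLED: internet-reachable and billed per public IPv4"))
        for subnet in cfg.get("subnets", []):
            if subnet_egress(routes_by_subnet.get(subnet, [])) == "igw":
                findings.append((svc["serviceName"],
                                 f"{subnet} routes 0.0.0.0/0 to an internet gateway (public subnet)"))
    return findings

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_SERVICES, SAMPLE_ROUTES):
        print(f"{name}: {reason}")
```

Against a live account, feed `audit()` the `services` list returned by `aws ecs describe-services` and, per subnet, the `Routes` list from its route table; a service in a subnet classified `none` is private and peer-only, which is exactly the post's no-NAT, no-public-IP target state.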

The Results:
- Cost: Monthly networking spend for public IPs was eliminated entirely, replaced by a much smaller, fixed endpoint fee.
- Security: Drastically reduced the attack surface by ensuring backend workers are no longer reachable from the internet.
- Efficiency: The system is now more robust, secure, and cost-predictable.

Originally posted on LinkedIn
