Opportunity Name
Fix VPC Endpoints for Agents
AWS Resource Type
VPC
Opportunity Description
CloudFix will add CloudWatch, SSM, and S3 related VPC endpoints on private VPC subnets connected to EC2 instances, so that the CloudWatch and SSM agents running on those instances can communicate with their services.
Criteria for identifying the opportunity
For each VPC connected to an EC2 instance:
- Look for private subnets (those without Internet access)
- Check if VPC endpoints exist on those private subnets for the following SSM/CloudWatch services:
  - SSM
  - EC2 Messages
  - SSM Messages
  - Monitoring
  - S3
- Add a VPC endpoint on the private subnet for any missing services, provided IP addresses are available.
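The check described above, written out as an added example; this is not CloudFix's own code. It works on dictionaries shaped like the EC2 DescribeSubnets, DescribeRouteTables and DescribeVpcEndpoints responses, so the same functions can be fed real API output, but every ID and record in the sample below is constructed. Two assumptions are mine, not the page's: a subnet whose default route goes through a NAT gateway is treated as having Internet access (the page's definition of a non-private subnet), and S3 is planned as a gateway endpoint attached to the subnet's route table while the four SSM/CloudWatch services are planned as interface endpoints, which is why only those four are skipped when the subnet has no free IP address. `plan_endpoints` only builds CreateVpcEndpoint parameters; it does not call AWS.

```python
# Added example (not CloudFix code): audit private subnets for the VPC endpoints the SSM and
# CloudWatch agents need, and plan the missing ones. Input dicts mirror the EC2 DescribeSubnets,
# DescribeRouteTables and DescribeVpcEndpoints response shapes; all IDs and sample data are constructed.
REQUIRED_SERVICES = ("ssm", "ec2messages", "ssmmessages", "monitoring", "s3")
REGION = "us-east-1"

def service_name(region, short):
    """PrivateLink service name, e.g. com.amazonaws.us-east-1.ssmmessages."""
    return f"com.amazonaws.{region}.{short}"

def route_table_for_subnet(subnet, route_tables):
    """Explicitly associated route table, else the VPC's main route table."""
    tables = [rt for rt in route_tables if rt["VpcId"] == subnet["VpcId"]]
    explicit = [rt for rt in tables if any(a.get("SubnetId") == subnet["SubnetId"] for a in rt.get("Associations", []))]
    main = [rt for rt in tables if any(a.get("Main") for a in rt.get("Associations", []))]
    return (explicit or main or [None])[0]

def is_private(route_table):
    """No default route to the Internet through an IGW or a NAT gateway (the page's definition)."""
    for route in (route_table or {}).get("Routes", []):
        to_internet = str(route.get("GatewayId", "")).startswith("igw-") or route.get("NatGatewayId")
        if route.get("DestinationCidrBlock") == "0.0.0.0/0" and to_internet:
            return False
    return True

def covered_services(subnet, route_table, endpoints, region):
    """Required services already reachable from the subnet through an available endpoint."""
    covered, rt_id = set(), (route_table or {}).get("RouteTableId")
    for ep in endpoints:
        short = ep["ServiceName"].rsplit(".", 1)[-1]
        if (ep["VpcId"] != subnet["VpcId"] or ep.get("State") != "available"
                or short not in REQUIRED_SERVICES or ep["ServiceName"] != service_name(region, short)):
            continue
        # Interface endpoints place an ENI in specific subnets; gateway endpoints (S3) serve
        # every subnet whose route table they are associated with.
        if ep["VpcEndpointType"] == "Interface" and subnet["SubnetId"] in ep.get("SubnetIds", []):
            covered.add(short)
        elif ep["VpcEndpointType"] == "Gateway" and rt_id in ep.get("RouteTableIds", []):
            covered.add(short)
    return covered

def find_missing(subnets, route_tables, endpoints, region):
    """Map each private subnet ID to the required services it cannot reach privately."""
    missing = {}
    for subnet in subnets:
        rt = route_table_for_subnet(subnet, route_tables)
        if is_private(rt):
            have = covered_services(subnet, rt, endpoints, region)
            gaps = [s for s in REQUIRED_SERVICES if s not in have]
            if gaps:
                missing[subnet["SubnetId"]] = gaps
    return missing

def plan_endpoints(subnets, route_tables, endpoints, region):
    """CreateVpcEndpoint parameters per gap; an interface endpoint needs a free IP in the subnet,
    so gaps in exhausted subnets are reported in `skipped` rather than planned."""
    by_id = {s["SubnetId"]: s for s in subnets}
    plan, skipped, gateways_planned = [], [], set()
    for subnet_id, gaps in find_missing(subnets, route_tables, endpoints, region).items():
        subnet = by_id[subnet_id]
        rt_id = (route_table_for_subnet(subnet, route_tables) or {}).get("RouteTableId")
        for short in gaps:
            params = {"VpcId": subnet["VpcId"], "ServiceName": service_name(region, short)}
            if short == "s3":  # gateway endpoint: attached to the route table, one per table
                if (subnet["VpcId"], rt_id) in gateways_planned:
                    continue
                gateways_planned.add((subnet["VpcId"], rt_id))
                params.update(VpcEndpointType="Gateway", RouteTableIds=[rt_id] if rt_id else [])
            elif subnet.get("AvailableIpAddressCount", 0) < 1:
                skipped.append((subnet_id, short))
                continue
            else:
                params.update(VpcEndpointType="Interface", SubnetIds=[subnet_id], PrivateDnsEnabled=True)
            plan.append(params)
    return plan, skipped

# Constructed sample: one VPC with a public, a NAT-backed, a private and an IP-exhausted subnet.
VPC = "vpc-0123456789abcdef0"
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}
def _rt(rt_id, assoc, *extra):
    return {"RouteTableId": rt_id, "VpcId": VPC, "Associations": [assoc], "Routes": [LOCAL, *extra]}
SAMPLE_ROUTE_TABLES = [
    _rt("rtb-main", {"Main": True}),
    _rt("rtb-public", {"SubnetId": "subnet-public"}, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0fedcba"}),
    _rt("rtb-nat", {"SubnetId": "subnet-nat"}, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0a1b2c"}),
    _rt("rtb-isolated", {"SubnetId": "subnet-isolated"}),
]
def _sn(subnet_id, free_ips):
    return {"SubnetId": subnet_id, "VpcId": VPC, "AvailableIpAddressCount": free_ips}
SAMPLE_SUBNETS = [_sn("subnet-public", 200), _sn("subnet-private", 50), _sn("subnet-nat", 100), _sn("subnet-isolated", 0)]
def _ep(short, kind, **fields):
    return {"VpcId": VPC, "ServiceName": service_name(REGION, short), "VpcEndpointType": kind,
            "State": "available", **fields}
SAMPLE_ENDPOINTS = [
    _ep("ssm", "Interface", SubnetIds=["subnet-private"]),
    _ep("ec2messages", "Interface", SubnetIds=["subnet-private"]),
    _ep("monitoring", "Interface", SubnetIds=["subnet-private"], State="pending"),  # not usable yet
    _ep("s3", "Gateway", RouteTableIds=["rtb-main"]),  # subnet-private uses rtb-main, so S3 is covered
]

def demo():
    """Run the audit over the constructed sample; returns (missing, plan, skipped)."""
    missing = find_missing(SAMPLE_SUBNETS, SAMPLE_ROUTE_TABLES, SAMPLE_ENDPOINTS, REGION)
    plan, skipped = plan_endpoints(SAMPLE_SUBNETS, SAMPLE_ROUTE_TABLES, SAMPLE_ENDPOINTS, REGION)
    return missing, plan, skipped
```

Calling `demo()` on the sample reports two gaps on `subnet-private` (SSM Messages and Monitoring, the latter because a pending endpoint is not yet usable), all five on `subnet-isolated`, and nothing for the public or NAT-backed subnets. The plan contains interface endpoints for `subnet-private` and only an S3 gateway endpoint for `subnet-isolated`; its four interface gaps land in `skipped` because the subnet has no free addresses, which is the "provided IP addresses are available" condition above.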
Potential savings (range in % on annual basis)
This FF will not save money. Instead, it will increase the cost by $87 per annum (infrastructure charges) for each VPC endpoint it creates. It will potentially unlock greater savings from improved Compute Optimizer recommendations (when SSM Agent installs CloudWatch Agent, and they successfully communicate). These savings will outweigh the increased spending.
What happens when the Fixer is executed?
The fixer creates the missing VPC endpoints and configures them appropriately.
Is it possible to rollback once CloudFix implements the fixer?
Yes. The customer can roll back manually by deleting the newly created VPC endpoints.
Can CloudFix implement the fix automatically once I accept the recommendation?
Yes
Does this fix require downtime?
No
Priyanka Bhotika