You might be thinking, who deploys a database in a public subnet? Even worse, it was deployed in the AWS default public subnet with "publicly accessible" enabled. This is what happens when services are deployed to meet business requirements without anyone thinking about the implementation.

At first it was not as simple as flipping "publicly accessible" to disabled, because a few external data analytics tools were pulling information from the database every few hours. The first time I tried, I ended up in a call with the CTO and the Data Analytics team asking me why I had disabled public access. Simple answer: security.

During the call I was trying to understand why they needed to access the database that way, and it was simply because it had been implemented that way: they were not aware of the security concerns and there was no documentation about it either. We re-enabled public access so the data replication could continue.

After the call I started going through our infrastructure to map it out. Our new infrastructure was created with IaC, and we had built all of the networking there: VPCs, subnets, NAT gateways and so on. The legacy services, however, were still in the old default public VPC, so traffic from the apps left through the NAT gateways, crossed the internet and only then reached the database.
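The exposure described above can be found from an inventory alone: an RDS instance is reachable from the internet when "publicly accessible" is on, when its subnet group sits in the default VPC (whose subnets are all public), or when one of its security groups admits 0.0.0.0/0 on the database port. The script below is an added example, not tooling from the original post; the instance names, VPC ids and security group ids are constructed, and the input dictionaries mirror the shape of boto3's describe_db_instances, describe_vpcs and describe_security_groups responses so the same function can be fed live data later.

```python
"""Audit an RDS inventory for databases reachable from the internet.

Added example; all identifiers below are constructed, and the sample
data is shaped like boto3's describe_db_instances()["DBInstances"],
describe_vpcs()["Vpcs"] and describe_security_groups()["SecurityGroups"].
"""
from typing import Dict, List

# Constructed sample: one legacy instance in the default VPC, one moved to a private subnet.
SAMPLE_DB_INSTANCES = [
    {
        "DBInstanceIdentifier": "legacy-postgres",  # hypothetical name
        "PubliclyAccessible": True,
        "DBSubnetGroup": {"VpcId": "vpc-default0000", "DBSubnetGroupName": "default"},
        "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-legacy0000"}],
        "Endpoint": {"Port": 5432},
    },
    {
        "DBInstanceIdentifier": "app-postgres-private",  # hypothetical name
        "PubliclyAccessible": False,
        "DBSubnetGroup": {"VpcId": "vpc-new0000", "DBSubnetGroupName": "private-db"},
        "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-db0000"}],
        "Endpoint": {"Port": 5432},
    },
]

# Constructed sample: the account's VPCs, with the default one flagged as AWS does.
SAMPLE_VPCS = [
    {"VpcId": "vpc-default0000", "IsDefault": True},
    {"VpcId": "vpc-new0000", "IsDefault": False},
]

# Constructed sample: the legacy group is open to the world, the new one only to the app's group.
SAMPLE_SECURITY_GROUPS = [
    {
        "GroupId": "sg-legacy0000",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-db0000",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app0000"}]},
        ],
    },
]


def open_to_world(sg: Dict, port: int) -> bool:
    """True if any ingress rule admits 0.0.0.0/0 or ::/0 on `port` (or on all ports)."""
    for perm in sg.get("IpPermissions", []):
        # IpProtocol "-1" means all traffic and carries no port range.
        covers_port = (
            perm.get("IpProtocol") == "-1"
            or perm.get("FromPort", port) <= port <= perm.get("ToPort", port)
        )
        if not covers_port:
            continue
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
            return True
    return False


def audit_rds(db_instances: List[Dict], vpcs: List[Dict],
              security_groups: List[Dict]) -> Dict[str, List[str]]:
    """Return {db_identifier: [findings]} for every instance with at least one finding."""
    default_vpcs = {v["VpcId"] for v in vpcs if v.get("IsDefault")}
    sg_by_id = {sg["GroupId"]: sg for sg in security_groups}
    report: Dict[str, List[str]] = {}
    for db in db_instances:
        findings = []
        if db.get("PubliclyAccessible"):
            findings.append("PubliclyAccessible is enabled (endpoint resolves to a public IP)")
        if db.get("DBSubnetGroup", {}).get("VpcId") in default_vpcs:
            findings.append("subnet group lives in the default VPC (all default subnets are public)")
        port = db.get("Endpoint", {}).get("Port")
        for ref in db.get("VpcSecurityGroups", []):
            sg = sg_by_id.get(ref["VpcSecurityGroupId"])
            if sg is not None and port is not None and open_to_world(sg, port):
                findings.append(f"security group {sg['GroupId']} allows 0.0.0.0/0 on port {port}")
        if findings:
            report[db["DBInstanceIdentifier"]] = findings
    return report


if __name__ == "__main__":
    for name, items in audit_rds(SAMPLE_DB_INSTANCES, SAMPLE_VPCS, SAMPLE_SECURITY_GROUPS).items():
        print(name)
        for item in items:
            print("  -", item)
```

Against the constructed sample only the legacy instance is reported, with all three findings. To run it against a real account, replace the three sample lists with the `DBInstances`, `Vpcs` and `SecurityGroups` lists returned by the corresponding boto3 describe calls; an instance that clears all three checks is the state the database in this post ended up in, but as the call with the Data Analytics team showed, closing the exposure also means giving the external consumers a supported path first.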

Besides the security concern, we were paying for bandwidth unnecessarily and probably adding latency as well. To make the story short, we were paying around $1,226.78 every month in bandwidth costs, made up of outgoing data transfer and NAT Gateway per-GB processing charges.

Here is an example of our billing regarding bandwidth:

Data transfer costs

Nat gateways per GB costs

To fix this we obviously needed to move the database into the new VPC, inside a private subnet, but also deploy a new service to manage the connections from the external Data Analytics tools; that one deserves its own post and it is on the list. In the meantime, let's focus on the numbers after making the changes:

Data Transfer costs after moving the database to the private subnet

NAT Gateways costs after moving the database to the private subnet

In short, we were able to reduce our monthly bill from $1,226.78 to $697.61, saving over 40%, while increasing security and standardizing the infrastructure with IaC. To keep it simple I will round the numbers in the following table:

Monthly Expenses Before | Monthly Expenses After | Savings | Savings Yearly
----------------------- | ---------------------- | ------- | --------------
$1,200                  | $690                   | $510    | $6,120

The company had been paying for this for a long time, and it could easily have been prevented by planning how they wanted to access the data. I cannot complain about what they did, because in the end it was really fun for me and now I get to post about it.