$6,120 in Savings by Moving a Database to the Private Subnet

You might be thinking, who deploys a database in a public subnet? Even worse, it was deployed in the AWS default public subnet with the publicly accessible setting enabled. This is what happens when services are deployed just because, thinking only about business requirements and not about the implementation.
At first, it was a bit complex to simply change the publicly accessible setting to disabled as there were a few external data analytics tools that were pulling information from the database every few hours. The first time I tried to do so, I ended up in a call with the CTO and the Data Analytics team asking me why I disabled the public access. Simple answer - Security.
During the call, I was trying to understand why they required access to the database in that way, and it was simply because it was implemented that way. They were not aware of the security concerns, and there was also no documentation about this. We reestablished the public access so the data replication could continue.
After the call, I started checking our infrastructure to create a map of it. Our new infrastructure was created using IaC, and we basically created all the networking config, VPCs, subnets, NAT gateways, and so on. But the legacy services were in the old default public VPC, causing the traffic from the apps to pass through the NAT gateways, then through the internet, and finally reaching the database.
Besides the security concern, we were paying for bandwidth unnecessarily, and we were probably also facing latency because of this. To make the story short, we were paying around $1,226.78 for bandwidth costs every month, coming from outgoing data transfer and also from NAT Gateway charges per GB processed.
Here’s an example of our billing regarding bandwidth:
To fix this, we obviously needed to move the database to the new VPC and inside a private subnet, but also deploy a new service to manage the connections from the external Data Analytics tools. We will for sure talk about this in another post that is on the list. In the meantime, let’s focus on the numbers after making the changes:
In short, we were able to reduce our monthly billing from $1,226.78 to $697.61, saving over 40% while increasing the security and standardizing the infrastructure using IaC. To make it simpler, I will round the numbers in the following table:

| Monthly Expenses Before | Monthly Expenses After | Savings | Savings Yearly |
|---|---|---|---|
| $1,200 | $690 | $510 | $6,120 |

The company was paying for this for a long time, and it was easily prevented by planning how they wanted to access the data. I cannot complain about what they did because at the end it was really fun for me, and now I can post about it.
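
One way to catch the situation described in this post before it shows up on the bill, as an added example that is not code from the original post: the functions below flag databases that have the publicly accessible setting enabled, sit in a default VPC, or live in a subnet whose effective route table points at an internet gateway. The function names and all sample IDs are assumptions made for illustration; only IPv4 default routes are checked.

```python
# Added example. Inputs are dicts shaped like boto3 describe_db_instances / describe_vpcs / describe_route_tables output.

def _has_igw_route(table):
    """True if the table sends IPv4 default traffic to an internet gateway."""
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and (r.get("GatewayId") or "").startswith("igw-")
               for r in table.get("Routes", []))

def subnet_is_public(subnet_id, vpc_id, route_tables):
    """Resolve the subnet's effective route table, then look for an IGW route."""
    main = None
    for table in (t for t in route_tables if t["VpcId"] == vpc_id):
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return _has_igw_route(table)   # explicit association wins
            if assoc.get("Main"):
                main = table                   # fallback for unassociated subnets
    return main is not None and _has_igw_route(main)

def audit(db_instances, vpcs, route_tables):
    """Map each risky DB identifier to the list of reasons it was flagged."""
    default_vpcs = {v["VpcId"] for v in vpcs if v.get("IsDefault")}
    findings = {}
    for db in db_instances:
        group = db["DBSubnetGroup"]
        reasons = []
        if db.get("PubliclyAccessible"):
            reasons.append("publicly-accessible")
        if group["VpcId"] in default_vpcs:
            reasons.append("default-vpc")
        if any(subnet_is_public(s["SubnetIdentifier"], group["VpcId"], route_tables)
               for s in group["Subnets"]):
            reasons.append("public-subnet")
        if reasons:
            findings[db["DBInstanceIdentifier"]] = reasons
    return findings

# Constructed sample data; every ID below is made up.
SAMPLE_VPCS = [{"VpcId": "vpc-default", "IsDefault": True}, {"VpcId": "vpc-iac", "IsDefault": False}]
SAMPLE_ROUTE_TABLES = [
    {"VpcId": "vpc-default", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-111"}]},
    {"VpcId": "vpc-iac", "Associations": [{"Main": False, "SubnetId": "subnet-priv"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-222"}]}]
SAMPLE_DBS = [
    {"DBInstanceIdentifier": "legacy-db", "PubliclyAccessible": True,
     "DBSubnetGroup": {"VpcId": "vpc-default", "Subnets": [{"SubnetIdentifier": "subnet-pub"}]}},
    {"DBInstanceIdentifier": "migrated-db", "PubliclyAccessible": False,
     "DBSubnetGroup": {"VpcId": "vpc-iac", "Subnets": [{"SubnetIdentifier": "subnet-priv"}]}}]
```

Calling `audit(SAMPLE_DBS, SAMPLE_VPCS, SAMPLE_ROUTE_TABLES)` on the constructed data flags only `legacy-db`; against a real account the three arguments would come from the corresponding boto3 calls.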