If you are building data pipelines, you’ve probably seen a NAT Gateway charge that made you double-check your architecture. While prepping for the AWS Solutions Architect Associate (SAA) exam, I’ve been diving into the "invisible" side of networking. We often assume that for a Lambda or an EC2 instance to talk to S3, it must go through the public internet. This is a costly mistake.

The Problem: The "Public" Default

By default, services like S3, DynamoDB, or Kinesis live outside your VPC. To reach them from a private subnet, traffic usually flows through a NAT Gateway. This introduces:

Security Risks: Your data technically leaves your network perimeter.
Cost Inefficiency: You pay for every GB that passes through that NAT Gateway.

The Solution: VPC Endpoints (AWS PrivateLink)

VPC Endpoints allow you to create a private connection between your VPC and supported AWS services. The traffic never leaves the Amazon network.

Gateway Endpoints (The "OGs")

These are specific to S3 and DynamoDB.…
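As an added example (not from the original post), the Python audit below shows the mechanism behind a gateway endpoint: it is a route in the subnet's route table whose destination is the service's managed prefix list and whose target is the vpce-, so without it S3 or DynamoDB traffic falls back to the 0.0.0.0/0 route and the NAT Gateway. It takes a route table in the shape of `aws ec2 describe-route-tables` output and reports which path each service would take; the route table, prefix-list IDs and resource IDs are constructed placeholders, not values from a real account.

```python
"""Audit which path S3 and DynamoDB traffic takes from a private subnet.

A gateway endpoint is implemented as a route: destination = the service's
managed prefix list (pl-...), target = the endpoint (vpce-...). If that route
is missing, the 0.0.0.0/0 route carries the traffic, here to a NAT Gateway.
"""

# Constructed placeholders standing in for the regional S3/DynamoDB prefix lists.
SERVICE_PREFIX_LISTS = {"s3": "pl-00000001", "dynamodb": "pl-00000002"}

# Constructed sample route table, shaped like `aws ec2 describe-route-tables`.
# S3 has an endpoint route; DynamoDB does not and will fall through to the NAT.
SAMPLE_ROUTE_TABLE = {
    "RouteTableId": "rtb-private-a",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123456789abcdef0", "State": "active"},
        {"DestinationPrefixListId": "pl-00000001", "GatewayId": "vpce-0a1b2c3d4e5f60718", "State": "active"},
    ],
}


def service_path(route_table: dict, service: str) -> str:
    """Return 'gateway-endpoint', 'nat-gateway', 'internet-gateway' or 'none'."""
    prefix_list = SERVICE_PREFIX_LISTS[service]
    default_target = ""
    for route in route_table["Routes"]:
        if route.get("State") != "active":
            continue  # blackholed routes do not carry traffic
        if (route.get("DestinationPrefixListId") == prefix_list
                and route.get("GatewayId", "").startswith("vpce-")):
            return "gateway-endpoint"  # most specific match: stays on the AWS network
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            default_target = route.get("NatGatewayId") or route.get("GatewayId", "")
    if default_target.startswith("nat-"):
        return "nat-gateway"  # billed per GB and leaves the VPC's private routing
    if default_target.startswith("igw-"):
        return "internet-gateway"
    return "none"


def audit(route_table: dict) -> dict:
    """Map every known service to the path its traffic takes from this route table."""
    return {svc: service_path(route_table, svc) for svc in SERVICE_PREFIX_LISTS}


if __name__ == "__main__":
    for svc, path in audit(SAMPLE_ROUTE_TABLE).items():
        note = "" if path == "gateway-endpoint" else "  <-- add a gateway endpoint route"
        print(f"{SAMPLE_ROUTE_TABLE['RouteTableId']} {svc}: {path}{note}")
```

Run it against every route table associated with a private subnet; any service that does not report gateway-endpoint is the traffic that is showing up on the NAT Gateway bill.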