Cost

Delete idle VPC endpoints

An interface VPC endpoint bills per hour per AZ even with zero traffic — a 3-AZ endpoint is ~$22/month for nothing. Find the idle ones and delete them (but never the free gateway kind).

13 min·10 sections·AWS

Last reviewed 27 May 2026

Idle interface VPC endpoints: the basics

Why an endpoint moving zero bytes still shows up on the bill

An interface VPC endpoint (AWS PrivateLink) is an Elastic Network Interface placed in your subnets that lets resources reach an AWS service privately, without routing over the internet or through a NAT Gateway. It bills in two parts: roughly $0.01 per hour for every Availability Zone the endpoint is provisioned in, plus roughly $0.01 per GB of data processed. The per-AZ hourly charge runs whether the endpoint carries a single byte or none at all. An endpoint spread across three AZs is ~$0.03/hour — about $22/month — before any traffic flows.

An "idle" interface endpoint is one whose CloudWatch and VPC Flow Logs show little or no bytes processed over a meaningful window — typically 30 days. It's still attached to your subnets, still resolving its private DNS name, still billing the per-AZ hours. The usual causes are mundane: an endpoint created during a project or POC and never wired into a workload, the same endpoint duplicated into every account and VPC by a landing-zone template, or an endpoint provisioned in more AZs than the workload that uses it actually spans.

Critically — and this trips people up — gateway VPC endpoints (the kind used only for S3 and DynamoDB) are free. They have no hourly or per-GB charge at all. This lesson is about idle interface endpoints only. Never delete a gateway endpoint to "save money": there's nothing to save, and you may break private S3 access. The check fires on interface endpoints that combine a non-trivial fixed cost with no traffic to justify it.

In this lesson you'll learn the per-AZ-per-hour billing model that makes interface VPC endpoints surprisingly expensive when idle, the critical difference between free gateway endpoints (S3, DynamoDB) and billable interface endpoints, how to tell a genuinely idle endpoint from one carrying intermittent traffic, and the safe pattern for deleting one without silently breaking a service that was routing through its private DNS. You'll see the AWS CLI commands to inventory interface endpoints, check their traffic, and delete the dead ones — plus the edge cases that bite.

Fun fact

The landing-zone endpoint tax

A platform team standardised on a landing-zone template that provisioned a tidy set of 11 interface endpoints — SSM, EC2 Messages, ECR, CloudWatch Logs, KMS, and friends — into every new account, each across all three AZs "for consistency." At ~$0.03/hour per endpoint that's about $240/month per account before any traffic. When they audited 90 accounts, more than half had endpoints with zero bytes processed in 30 days — sandbox and shared-service accounts where the workloads those endpoints were meant to serve never landed. The idle subset alone was billing roughly $13,000 a month for ENIs that resolved DNS and moved nothing.

Hunting an idle endpoint in action

Priya runs a quarterly VPC audit for a fintech with 60-odd AWS accounts. Her wastage tooling flags four interface endpoints in the analytics-sandbox VPC — com.amazonaws.eu-west-1.ecr.api, .ecr.dkr, .ssm, and .kms — each provisioned across three AZs, each with essentially zero bytes processed for 30 days. That's ~$0.03/hour apiece, about $88/month combined, on a sandbox whose container workload was decommissioned a year ago.

Before deleting anything she draws the line that matters: are any of these gateway endpoints? No — the VPC's S3 gateway endpoint is free and stays. The four flagged ones are all interface type, so they're the right targets. She then confirms two things: that the traffic really is flat (a weekly batch could hide in a daily average) and that nothing still depends on the endpoint's private DNS, because deleting one can silently break a service that was resolving the AWS API through it.

She pulls the endpoint inventory, filters to Interface, checks each one's traffic, and confirms the sandbox has no running tasks pointing at them. Then she deletes the four interface endpoints in a single call and leaves the free S3 gateway endpoint untouched. Total time: about five minutes; she logs the deletion so next quarter's audit doesn't refire on a template-recreated copy.

First, list every VPC endpoint and its type. Only Interface endpoints bill — Gateway endpoints (S3, DynamoDB) are free and must be excluded from any cleanup target.

$ aws ec2 describe-vpc-endpoints --filters Name=vpc-endpoint-type,Values=Interface --query 'VpcEndpoints[].{Id:VpcEndpointId,Svc:ServiceName,AZs:length(SubnetIds),State:State}' --output table

-------------------------------------------------------------------------------

| DescribeVpcEndpoints |

+----------------+--------------------------------------+------+------------+

| Id | Svc | AZs | State |

+----------------+--------------------------------------+------+------------+

+----------------+--------------------------------------+------+------------+

# Four interface endpoints, each across 3 AZs = ~$0.03/hr each, ~$88/mo combined.

Interface-only inventory. The AZ count is the multiplier — each endpoint bills ~$0.01/hr per AZ regardless of traffic.

Before deleting, confirm the endpoint is genuinely idle. Pull 30 days of bytes processed at daily resolution — a weekly batch would show up as a spike here.

$ aws cloudwatch get-metric-statistics --namespace AWS/PrivateLinkEndpoints --metric-name BytesProcessed --dimensions Name=VPC\ Endpoint\ Id,Value=vpce-0aa11ecr --start-time $(date -u -d '30 days ago' +%FT%TZ) --end-time $(date -u +%FT%TZ) --period 86400 --statistics Sum Maximum

{

"Datapoints": [

{ "Timestamp": "2026-04-28T00:00:00Z", "Sum": 0.0, "Maximum": 0.0, "Unit": "Bytes" },

{ "Timestamp": "2026-05-05T00:00:00Z", "Sum": 0.0, "Maximum": 0.0, "Unit": "Bytes" },

{ "Timestamp": "2026-05-12T00:00:00Z", "Sum": 0.0, "Maximum": 0.0, "Unit": "Bytes" }

]

}

# 30 days, zero bytes processed — no batch, no cron, nothing depends on it.

Flat zeros over 30 days. If any day shows traffic, drill into VPC Flow Logs to find the consumer before deleting.

How VPC endpoint billing actually worksdeep dive

There are two kinds of VPC endpoint and they bill completely differently. A gateway endpoint is a route-table entry for S3 or DynamoDB only — it has no ENI, no hourly charge, and no per-GB charge. It is free. An interface endpoint (PrivateLink) is one or more Elastic Network Interfaces, one per subnet you enable, each backed by AWS-managed infrastructure. AWS bills roughly $0.01 per hour for every AZ the endpoint is provisioned in the moment it goes available, plus roughly $0.01 per GB processed. Spread an interface endpoint across three AZs and the fixed charge is ~$0.03/hour ≈ ~$22/month before any traffic — the per-AZ multiplier is the whole story.

The waste pattern is almost always fixed cost, not data. An endpoint created for a POC and never wired in, a landing-zone template that drops the same dozen endpoints into every account, or an endpoint provisioned in three AZs for a workload that only ever ran in one — all of these accrue the per-AZ hourly charge on zero traffic. This is the mirror image of the common optimisation advice: adding an interface endpoint to keep S3/ECR/API traffic off the NAT Gateway saves money only when real traffic flows through it. With no traffic, the endpoint is pure overhead and the NAT comparison never applies.

Two details matter before you delete. First, an interface endpoint can have private DNS enabled, which overrides the AWS service's public DNS name inside the VPC so that, say, ssm.eu-west-1.amazonaws.com resolves to the endpoint's private IPs. Delete it and that name reverts to public resolution — fine if the subnet has another egress path, but a silent break if it relied solely on the endpoint. Second, the endpoint policy and attached security group can quietly be the only thing permitting a call; confirm via Flow Logs that nothing is mid-flight before removing it.

# Inspect a single interface endpoint: type, AZ count (the cost multiplier),
# whether private DNS is enabled, and which security groups gate it.
aws ec2 describe-vpc-endpoints \
  --vpc-endpoint-ids vpce-0aa11ecr \
  --query 'VpcEndpoints[0].{Type:VpcEndpointType, Svc:ServiceName, AZs:length(SubnetIds), PrivateDns:PrivateDnsEnabled, SGs:Groups[].GroupId}'

# Sanity-check you are NOT about to touch a free gateway endpoint (S3/DynamoDB).
aws ec2 describe-vpc-endpoints \
  --filters Name=vpc-endpoint-type,Values=Gateway \
  --query 'VpcEndpoints[].{Id:VpcEndpointId, Svc:ServiceName}'

What's the impact of leaving idle interface endpoints running?

The direct cost is the per-AZ hourly charge on endpoints moving no traffic. A single-AZ idle endpoint is ~$7.20/month; a 3-AZ one is ~$22/month. Modest individually — but a landing-zone template that drops a dozen 3-AZ endpoints into every account is ~$240/month per account on provisioning alone, and across an estate of dozens of accounts where many endpoints never see traffic, the idle fraction lands in the low-to-mid thousands a month. The meter runs every hour regardless of whether anything ever connects.

There's a second-order cost in the AZ count specifically. Teams enable an interface endpoint in every AZ "for consistency" or because a template defaulted to it, even when the workload only spans one or two. Each extra AZ is another ~$7.20/month for redundancy nothing uses. Right-sizing the AZ set on the endpoints you do keep is often a bigger lever than deleting the fully-idle ones, and it's invisible unless someone looks at the subnet list per endpoint.

The mirror-image risk is deleting the wrong thing. Gateway endpoints for S3 and DynamoDB are free, and an interface endpoint that carries real traffic is usually saving you NAT processing charges at $0.045/GB. Treating "delete VPC endpoints" as a blanket cost play can increase your bill — by pushing AWS-bound traffic back onto a NAT Gateway — or break private connectivity. The finding is narrow on purpose: idle interface endpoints only, confirmed by 30 days of flat traffic.

Finally, idle endpoints make the architecture harder to reason about. Six months on, someone debugging a connectivity issue finds five interface endpoints in a VPC and has no idea which are load-bearing and which are template cruft. Cleaning them up isn't only a cost story — it's a hygiene story. A short, intentional list of endpoints is far easier to defend at audit and to reason about during an incident than a long, accidental one.

How do you safely clean up idle interface endpoints?

Deleting an interface endpoint is cheap; deleting one that something still resolves through is how you silently break a service. Run the four-step loop below for every flagged endpoint — and confirm the type first.

1. Confirm it's an interface endpoint, not a free gateway one

Filter the inventory to VpcEndpointType=Interface before anything else. Gateway endpoints (S3, DynamoDB only) cost nothing and never belong on a cleanup list — deleting one saves zero dollars and can break private S3 access. Only interface endpoints carry the per-AZ hourly charge, so they're the only valid targets.

2. Confirm zero traffic over a real window

Pull BytesProcessed for the endpoint at daily granularity for at least 30 days. A daily average can still hide a weekly or monthly batch, so eyeball the per-day points for any non-zero spike. If you see any traffic, drill into VPC Flow Logs filtered to the endpoint's ENIs to identify the consumer before doing anything destructive.

3. Confirm nothing depends on the endpoint's private DNS

If the endpoint has private DNS enabled, deleting it reverts the AWS service hostname to public resolution inside the VPC. That's harmless if the subnet has another egress path (NAT or a different endpoint), but a silent break if the workload relied solely on this endpoint. Check the endpoint policy and attached security groups too — sometimes the only thing permitting a call is the endpoint itself. Confirm there's a working alternative path before deleting.

4. Delete, then fix the template that created it

Delete the idle interface endpoints — multiple IDs in one call is fine — and log the deletion in your change record so the next audit doesn't refire on a recreated copy. Then go upstream: if a landing-zone or account-vending template provisions these by default, that's where the real fix is. Change the template to provision endpoints on demand (or scope them to AZs the workload actually uses) so new accounts stop arriving pre-loaded with idle ones.

# Delete one or more idle INTERFACE endpoints in a single call.
# (Gateway endpoints would be excluded by the step-1 type filter.)
aws ec2 delete-vpc-endpoints \
  --vpc-endpoint-ids vpce-0aa11ecr vpce-0bb22dkr vpce-0cc33ssm

# Confirm they're gone and nothing in the VPC still references them.
aws ec2 describe-vpc-endpoints \
  --filters Name=vpc-endpoint-type,Values=Interface \
  --query 'VpcEndpoints[].{Id:VpcEndpointId, Svc:ServiceName, State:State}'

# Optional: list endpoints with their AZ count to spot over-provisioned ones
# (more AZs than the workload uses = ~$7.20/mo each in avoidable fixed cost).
aws ec2 describe-vpc-endpoints \
  --filters Name=vpc-endpoint-type,Values=Interface \
  --query 'VpcEndpoints[].{Id:VpcEndpointId, AZs:length(SubnetIds)}'

Quick quiz

Question 1 of 5

A wastage check flags five VPC endpoints in one VPC with near-zero traffic over 30 days. One is a gateway endpoint for S3; four are interface endpoints (SSM, KMS, two ECR), each across 3 AZs. What's the right next move?

Keep learning

Go deeper into VPC endpoint types, PrivateLink pricing, and the patterns around cleanup.

You've completed Delete idle VPC endpoints. You now know why an interface endpoint bills per AZ per hour even with zero traffic, the critical line between free gateway endpoints and billable interface ones, why this is the mirror image of the create-endpoints-to-cut-NAT advice, and the four-step loop — confirm type, confirm idle, confirm DNS, delete and fix the template. The next time the wastage tool flags one, you'll have the type check and the AZ math ready before you reach for delete-vpc-endpoints.

Back to the library

Idle interface VPC endpoints: what it means for the bill

A small fixed charge that recurs on networking nobody is using

A VPC endpoint is a piece of networking plumbing that lets cloud resources talk to AWS services privately. The kind this finding is about — interface endpoints — carry a small fixed charge of roughly $0.01 per hour for each Availability Zone they're set up in, plus a per-gigabyte charge for any traffic. The fixed part bills every hour regardless of whether any traffic flows. An endpoint set up across three zones is about $22 a month before a single byte moves through it.

This finding flags interface endpoints that are sitting idle — almost no traffic over the last month — but still drawing that fixed monthly charge. In practice these are leftovers from a project or proof-of-concept that never went live, copies created automatically in every account by a shared template, or endpoints set up in more zones than the workload ever needed. Each one is a small recurring charge on no business activity. Across a large estate with a landing-zone template that provisions a dozen of them per account, the number lands in the low thousands a month with nothing to show for it.

One important nuance for finance: there is a closely related, very common piece of advice that says to create VPC endpoints to cut NAT Gateway data-processing cost. That advice is sound when the endpoint carries real traffic. This finding is the opposite case — endpoints that carry no traffic and therefore only cost money. The right framing is that an idle interface endpoint is a governance and ownership signal: it means networking was provisioned and then forgotten, and the longer it sits, the harder it is to attribute or charge back to a business unit.

This lesson is for the finance partner who sees "networking" or "PrivateLink" on the cloud invoice and wonders why it grows even when nothing changed. It walks through why interface endpoints bill per zone per hour, why a shared landing-zone template can quietly multiply that charge across the estate, what a reasonable size for this category looks like, and the three things you can actually do — reporting, ownership conventions, and a template review — to keep it small without learning AWS internals. It also draws the line between this finding and the legitimate advice to add endpoints to cut NAT cost, so you ask the right question at the monthly review.

Fun fact

The landing-zone endpoint tax

How a finance partner closes the loop

Sam is the finance partner embedded with the platform team at a fintech. At the monthly cost review, the networking line has crept up again and Sam asks one question that's now standard on the agenda: "How many interface VPC endpoints are idle — drawing the per-zone charge with no traffic — and what's that costing us a month?" The dashboard says ~$2,400 across the sandbox and shared-service accounts. Small in absolute terms, but it's been roughly that every month for half a year, so the cumulative is well into five figures.

The conversation isn't technical. Sam doesn't ask about AZs or DNS or PrivateLink. She asks three things: where did these come from, who owns them, and is anything actually using them. The platform lead is candid — they nearly all came from the standard account template, which provisions a fixed set of endpoints into every account whether the workloads land there or not. That single answer reframes the whole category: this isn't a cleanup problem, it's a default-template problem. Engineering commits to two things — a one-off cleanup of the idle endpoints, and a change to the template so sandbox accounts don't get the full set by default.

Sam also flags the trap she's learned to watch for: there's standing advice to add endpoints to cut NAT Gateway cost, so she's careful not to ask anyone to "delete all the endpoints." The target is specifically the interface endpoints with no traffic. Two months later the line is down to a residual few hundred dollars of endpoints that genuinely carry traffic, and the template fix means it stays there. The dollar figure was a leading indicator of a defaults problem; the cleanup itself was almost incidental.

Why this matters to the budget, not just the bill

The per-resource impact is small and the aggregate is material. A typical estate carries somewhere from a few hundred to a few thousand dollars a month in idle interface endpoints — usually well under 1% of total cloud spend. Not enough to move a quarterly number on its own, but enough that it lands in "unexplained networking variance" every month, and finance ends up chasing it across teams instead of focusing on the bigger commitments.

The more important point is the cause. Unlike most waste, which comes from individual engineers, this category is usually manufactured by a single shared template that provisions the same endpoints into every account by default. That makes it both easy to fix at the root and easy to let grow unnoticed — every new account adds to the line automatically. On the monthly report, watch the count of idle endpoints alongside the dollar amount; if the count grows in lockstep with new account creation, the template is the lever, not the teams.

There's a nuance finance specifically needs to hold. Interface endpoints are also a legitimate cost-saving tool — adding one can cut NAT Gateway data-processing charges substantially when real traffic flows. So this is not a "fewer endpoints is always better" story. The defensible question at the review is narrow: "which interface endpoints have no traffic over 30 days?" — never "why do we have endpoints at all?" Conflating the two undoes a real optimisation while chasing a small one.

Finally, it's a chargeback and leading-indicator signal. Template-provisioned endpoints with no owner are dollars that can't cleanly attribute to a business unit, which weakens the chargeback model. And sustained growth in the idle count usually means account vending is outrunning template hygiene — the same drift that predicts other default-driven waste (oversized baseline infrastructure, unused log groups) trending up six months later. Watch it as a signal, not a target.

What finance can actually do about this

Finance can't delete cloud networking, but it can set the conditions that keep the number small — and the biggest lever here is the template, not the cleanup.

1. Put idle-endpoint count and cost on the monthly report

Add "idle interface VPC endpoints" as a recurring line with both the dollar amount and the count. The dollar amount is the headline; the count trending with new account creation is the leading indicator that a default template is the source. If either climbs two months running, that's the prompt to escalate — to the platform team that owns the template, not to individual workload teams.

2. Make endpoint provisioning a defaults decision, not a per-account one

The single highest-leverage change is upstream: agree that account-vending templates provision connectivity on demand, not by default, and that sandbox or shared-service accounts don't get the full endpoint set automatically. That one policy does more for this category than any amount of monthly cleanup, because it stops the line regrowing every time a new account is created.

3. Keep the NAT-vs-endpoint nuance explicit in the review

Hold the line that this finding is about idle endpoints only. Interface endpoints that carry traffic often save money by keeping it off the NAT Gateway, so the question is always "which have no traffic over 30 days?" — never "can we have fewer endpoints?" Making that distinction explicit prevents a cost-saving optimisation from being unwound while chasing a small idle charge.

4. Treat the trend and the cause as the metric, not the absolute number

A small residual is fine — some endpoints will be briefly idle between workloads. The right question isn't "why isn't this zero?" but "is it flat, and do we know why it exists?" A flat few hundred dollars with a known cause is healthy; a steadily growing line tied to account vending means the default is unmanaged, which matters more than the dollar size.

Quick quiz

Question 1 of 5

The idle-VPC-endpoint line has grown from $900 to $2,400 a month over six months, and the count rose in step with the number of new accounts created. The total is small but the trend is up. As the finance partner, what's the right next move?

Keep learning

Go deeper into VPC endpoint types, PrivateLink pricing, and the patterns around cleanup.

You've finished the finance partner's view of idle VPC endpoints. You know why interface endpoints bill per zone per hour, why a shared template is usually the real source, why this finding is narrow on purpose (idle endpoints only, never the NAT-saving ones that carry traffic), and what the levers are — reporting cadence, fixing the default template, and watching the trend and cause rather than the absolute dollar. Next time the line shows up at the review, you'll have a sharper question to ask than "can we delete some of these?"

Back to the library

Idle interface VPC endpoints: the headline

A recurring networking charge for capacity no one is using

Some pieces of cloud networking bill a small fixed fee per hour just for existing, whether or not anything uses them. Interface VPC endpoints are one of those — and they multiply quietly when a standard template copies them into every account. At scale, the result is a recurring drag on the cloud bill from connectivity the business provisioned and then forgot.

This is a hygiene and accountability issue rather than a big-ticket cost. Each flagged endpoint is money spent on something with no clear owner and no active value. Cleaning them up is low-risk, but the more valuable outcome is the discipline it establishes: networking that is created by a template still needs an owner, a purpose, and a review date — not just a default.

A short read on a small but stubborn category of cloud waste, written for the exec who wants the headline and the one question to ask. You'll get the rule-of-thumb framing, why a default template is usually the root cause, and what "good" looks like at an org level — no commands, no implementation.

Fun fact

The landing-zone endpoint tax

What it looks like when the org gets this right

At one company, the quarterly cloud review used to carry a slide line that read "$2,400/month of idle VPC endpoints." Small number, but it sat there every quarter, never shrinking, occasionally growing as the account count grew. The exec sponsor stopped asking about the dollars and started asking about the shape: "Why do brand-new sandbox accounts come pre-loaded with networking nobody asked for? Who owns the template that does that?"

Within two quarters the slide changed. The headline was no longer the dollar figure; it was "account templates now provision connectivity on demand, not by default, and every endpoint has a named owner." The idle spend dropped to a residual of endpoints that genuinely carry traffic, and the line stopped appearing as an action item. The exec hadn't asked engineering to chase a few thousand dollars — she'd asked them to fix the default that the dollars were exposing.

That's the right outcome state. "Zero endpoints" is the wrong goal — endpoints that carry traffic earn their keep and often save money. "No idle endpoints, and templates that don't create them by default" is the right one. The cost line becomes a confidence signal instead of a recurring chore.

Why this is on the report at all

The dollar amount here is usually small. It's tracked because of what its size and trend say about the discipline underneath — specifically about defaults. A small, flat number means account templates are provisioning connectivity sensibly and someone owns the result. A growing number, climbing with every new account, means the inverse: a default is creating cost automatically and no one is closing the loop. That same pattern almost certainly applies to other things the template provisions by default.

There's a second-order point worth holding. The right fix is not "have fewer endpoints" — endpoints that carry traffic save money and improve security. The fix is removing the idle ones and changing the default that creates them. So this category sits at the intersection of cost discipline and platform-defaults governance. The leadership question is about the template, not the dollars.

The leadership move on this category

The actionable handle isn't the dollar number — it's the defaults that manufacture it.

1. Treat it as a defaults problem, not a cleanup problem

Most of this waste comes from a shared template provisioning the same connectivity into every account. Ask who owns that template and whether it provisions on demand or by default. Fixing the default is the durable move; one-off cleanups just buy time until the next batch of accounts.

2. Don't let it become 'have fewer endpoints'

Endpoints that carry traffic save money and improve security. The goal is removing the idle ones and right-sizing the rest — not minimising endpoints on principle. Make sure the team understands the target is narrow so a real optimisation doesn't get reversed.

3. Make this a confidence signal at the leadership review

Ask for the trend and the cause, not the dollar: "Is the idle-endpoint line flat, and do we know what creates them?" A flat line with a known, owned template is a sign platform governance is working — a one-minute item that needs no technical depth.

Quick quiz

Question 1 of 5

You're reviewing the cloud cost pack and see the idle-VPC-endpoint line is flat at around $400/month, the count isn't growing, and the platform team owns the template that governs it. What's the right read?

Keep learning

Go deeper into VPC endpoint types, PrivateLink pricing, and the patterns around cleanup.

That's the lesson. Two takeaways worth holding onto: an interface VPC endpoint costs money per zone per hour even when nothing uses it, and the size and growth of this line is a defaults-and-hygiene signal, not the headline. The leadership question is about the template that creates them and whether endpoints earn their keep — not about the dollar amount.

Back to the library

Part of the learning path Kill idle waste

Delete idle VPC endpoints

Idle interface VPC endpoints: the basics

The landing-zone endpoint tax

Hunting an idle endpoint in action

How VPC endpoint billing actually worksdeep dive

What's the impact of leaving idle interface endpoints running?

How do you safely clean up idle interface endpoints?

1. Confirm it's an interface endpoint, not a free gateway one

2. Confirm zero traffic over a real window

3. Confirm nothing depends on the endpoint's private DNS

4. Delete, then fix the template that created it

Quick quiz

Keep learning

Idle interface VPC endpoints: what it means for the bill

The landing-zone endpoint tax

How a finance partner closes the loop

Why this matters to the budget, not just the bill

What finance can actually do about this

1. Put idle-endpoint count and cost on the monthly report

2. Make endpoint provisioning a defaults decision, not a per-account one

3. Keep the NAT-vs-endpoint nuance explicit in the review

4. Treat the trend and the cause as the metric, not the absolute number

Quick quiz

Keep learning

Idle interface VPC endpoints: the headline

The landing-zone endpoint tax

What it looks like when the org gets this right

Why this is on the report at all

The leadership move on this category

1. Treat it as a defaults problem, not a cleanup problem

2. Don't let it become 'have fewer endpoints'

3. Make this a confidence signal at the leadership review

Quick quiz

Keep learning

Related cost lessons