4 Network Risks That Grow Silently in AWS Environments

The problem: A VPC peering connection between staging-api and prod-api that bypasses the Transit Gateway entirely.

The TGW route tables correctly separate production and staging at the TGW layer. But someone added a direct VPC peering between staging-api and prod-api — probably during debugging, probably months ago, and then left in place. The peering created a route in both route tables:

• prod-api private route table: 10.3.0.0/16 → VpcPeeringConnectionId
• staging-api route table: 10.0.0.0/16 → VpcPeeringConnectionId

The TGW isolation is irrelevant. The peering is a direct path.

Why it matters: prod-api carries PCI scope. A direct network path from a non-PCI staging environment into a PCI-scoped production VPC is an automatic PCI-DSS finding under requirements 1.3.1 and 1.3.2. Your QSA will flag it. The audit will be delayed.

Netway traced the exact path: prod-api → peering connection → staging-api → staging-data. Every hop is logged, timestamped, and included in the signed compliance report.

Delete the VPC peering connection. If the debugging use case was legitimate, use SSM Session Manager with proper role scoping — not a persistent network path between environments.

The problem: The dev VPC has CIDR block 10.0.0.0/16 — identical to prod-api.

This is a silent failure waiting to happen. Right now, dev has no connectivity to anything — no TGW, no peering, no IGW. The conflict is harmless in isolation. The moment someone tries to connect dev to the rest of the network, AWS routing will break silently. Traffic intended for prod-api will mis-route to dev, or the attachment will simply fail to route at all.

Why it matters: CIDR conflicts are invisible until you try to do something with the conflicting VPC. By then, the fix requires re-IPing one of the VPCs — a significant operation that touches every subnet, every route table, every security group reference, and every workload. The earlier you catch it, the cheaper it is.

Re-CIDR dev to a non-overlapping block (e.g., 10.10.0.0/16) before it ever gets connected to anything.

The problem: Both dev and dev-tools have no connectivity to anything. No Internet Gateway. No NAT Gateway. No TGW attachment. No peering. They're islands.

This is less urgent than the first two — orphaned VPCs don't create a security risk on their own. But they signal one of two things: either these VPCs were created and then abandoned (wasted spend on whatever is running inside), or they're intended to be connected but the setup was never completed.

In the second case, the CIDR conflict in dev makes any future connection dangerous.

For genuinely abandoned VPCs, delete them. For VPCs that should be connected, complete the setup — and for dev, re-CIDR first.

The problem: An EC2 instance in prod-api's private subnet is sending S3 traffic through the NAT Gateway.

The NAT Gateway and EC2 instance are in the same AZ. The private route table sends 0.0.0.0/0 to the NAT. There is no S3 VPC Gateway Endpoint. Every S3 operation travels:

1. EC2 instance (private subnet)
2. NAT Gateway — $0.045/GB NAT processing
3. Out to the public S3 endpoint
4. Back the same route

For a data pipeline writing terabytes to S3 monthly, this is hundreds of dollars silently accumulating. Netway identified the specific instance, VPC, region, and extrapolated the monthly cost from the flow log traffic volume.

# 1. Create a free S3 Gateway Endpoint in prod-api
aws ec2 create-vpc-endpoint \
  --vpc-id <prod-api-vpc-id> \
  --service-name com.amazonaws.us-east-2.s3 \
  --route-table-ids <prod-api-private-route-table-id>

# 2. Move the NAT Gateway to us-east-2b to match where EC2 runs
#    (or move EC2 to us-east-2a — pick the direction that fits your architecture)

S3 Gateway Endpoints are free. Once in place, S3 traffic routes privately inside AWS and the NAT charge disappears entirely.