
How we cut our AWS monthly bill by about $5,000 with Claude Code

by Masaki Kondo

Introduction

With Claude Code, we cut our AWS monthly bill by roughly $5,000. With the way exchange rates have been going, I imagine plenty of software companies are feeling the same AWS pain. Hopefully our story is useful.

| Action | Savings/month |
| --- | --- |
| AWS Client VPN → Headscale VPN migration (incl. Private CA) | $1,178 |
| Private CA cleanup and encryption key optimization | $2,300 |
| Off-hours and weekend shutdown of dev ECS | $988 |
| RDS Reserved Instance purchase | $811 |
| NAT Gateway consolidation | $267 |
| Fargate Spot adoption | $263 |
| Other (S3 lifecycle, etc.) | $78 |
| Total | $5,885 |

Guide Inc. Vietnam is a software company of about 50 staff spread across Vietnam and Japan. Our cost structure is simple: payroll and AWS server bills dominate.

Lately, a new line item has been added: AI agent tools, Claude Code among them.

We adopted Claude Code in earnest to boost productivity across the team. The Team Plan premium seat at the time worked out to around $150/month per person. Rolling that out company-wide adds up fast.

Adopting AI tools to lift productivity is, I believe, the right call. But if new costs are coming in, you need to rebalance by reviewing existing costs. As a software company, the levers we can pull are payroll and server bills.

So we got to work on AWS cost optimization.

Letting Claude Code sniff out the cost “smells”

The fun part: we had Claude Code do the cost review itself.

Claude Code at our company is set up with an AWS CLI skill. AWS profile configuration, SSO authentication, running CLI commands — it can do all of that autonomously.

The first thing we did was sweep across our 19 AWS accounts. What infrastructure runs in each account, what does it cost, and is there anything that smells — anything that just feels off cost-wise?

Claude Code surfaced several clear improvement areas. Things that are easy to optimize in dev environments. Resources that have been sitting around long after they were needed. Items where a single setting change unlocks a big saving. We worked through them one by one.

The overall plan

Our baseline was $30,398/month as of December 2025. From late 2025 through the end of March 2026 we executed the items in sequence. Some items — VPN retirement, Private CA deletion — only show full impact starting in April, so once everything lands we expect about $5,000–$6,000/month off the December baseline.

A quick summary of the main actions.

1. Off-hours and weekend shutdown of dev ECS (-$988/month)

We set 55 dev ECS services to shut down automatically at night and on weekends. The dev environment is only used during business hours, but it was running 24/7. Obvious in hindsight, easy to overlook in practice.

2. AWS Client VPN → Headscale VPN migration (-$1,178/month)

Covered below. This was the most interesting one.

3. Private CA cleanup and encryption key optimization (-$2,300/month)

Retiring AWS App Mesh made the Private CA unnecessary, so we deleted it. We also revisited how we manage encryption keys to find a better balance between cost and security requirements.

4. RDS Reserved Instance purchase (-$811/month)

We bought RIs for a total of 5 instances across dev, staging, and prod in one go. $10,675 up front, a 44% discount, and roughly an 11-month payback.

5. Migration to Fargate Spot (-$263/month)

We moved dev ECS services to Fargate Spot. For dev workloads, Spot interruption risk is acceptable.

6. NAT Gateway consolidation (-$267/month)

In 3 accounts, we consolidated 3 NAT Gateways down to 1 each. We monitored traffic on the unused AZs for 7 days, confirmed it was zero, and only then deleted them.
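One way to run the zero-traffic check described above before deleting a NAT Gateway, as an added example rather than the author's tooling. It assumes traffic was read from the CloudWatch AWS/NATGateway byte metrics as daily sums, uses constructed sample data, and treats a day with no datapoint as inconclusive rather than as zero.

```python
from datetime import datetime, timedelta, timezone

# Byte counters in the AWS/NATGateway CloudWatch namespace (dimension NatGatewayId).
TRAFFIC_METRICS = ("BytesOutToDestination", "BytesInFromSource",
                   "BytesInFromDestination", "BytesOutToSource")


def assess_nat_gateway(metric_outputs, window_end, days=7):
    """Return (verdict, reasons); verdict is 'idle', 'in-use' or 'inconclusive'.

    metric_outputs maps a metric name to the parsed JSON printed by
    `aws cloudwatch get-metric-statistics --period 86400 --statistics Sum`
    for the `days` days ending at window_end (midnight UTC).
    """
    expected = {(window_end - timedelta(days=i)).date() for i in range(1, days + 1)}
    reasons, in_use = [], False
    for metric in TRAFFIC_METRICS:
        seen = set()
        for point in metric_outputs.get(metric, {}).get("Datapoints", []):
            stamp = point["Timestamp"].replace("Z", "+00:00")  # accept trailing "Z" as UTC
            day = datetime.fromisoformat(stamp).date()
            seen.add(day)
            if day in expected and point["Sum"] > 0:
                in_use = True
                reasons.append(f"{metric}: {point['Sum']:.0f} bytes on {day}")
        missing = expected - seen
        if missing:  # absence of data is not evidence of zero traffic
            reasons.append(f"{metric}: no datapoint for {len(missing)} day(s)")
    if in_use:
        return "in-use", reasons
    return ("inconclusive" if reasons else "idle"), reasons


def constructed_output(end, sums):
    """Build a constructed (not real) get-metric-statistics payload."""
    return {"Label": "constructed", "Datapoints": [
        {"Timestamp": (end - timedelta(days=i + 1)).strftime("%Y-%m-%dT00:00:00Z"),
         "Sum": s, "Unit": "Bytes"} for i, s in enumerate(sums)]}


END = datetime(2026, 3, 8, tzinfo=timezone.utc)  # constructed window end
IDLE = {m: constructed_output(END, [0.0] * 7) for m in TRAFFIC_METRICS}
BUSY = dict(IDLE, BytesOutToDestination=constructed_output(END, [0.0] * 6 + [4096.0]))
GAPPY = dict(IDLE, BytesInFromSource=constructed_output(END, [0.0] * 5))

if __name__ == "__main__":
    for name, sample in (("idle", IDLE), ("busy", BUSY), ("gappy", GAPPY)):
        print(name, assess_nat_gateway(sample, END))
```

Only an `idle` verdict across all four byte counters supports deletion; `inconclusive` means the window should be re-queried or extended first.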

The VPN migration — from $1,178/month to $42/month

The most interesting item was the VPN migration.

We use VPNs to access our customers’ development environments. We had been using AWS Client VPN. It turned out to cost much more than we’d thought.

Honestly, I hadn’t realized VPNs cost us that much. It was one of the items I only discovered after having Claude Code run a cost survey.

Choosing Headscale

The replacement we picked was Headscale: an open-source control server for Tailscale. On the client side you keep using Tailscale as-is.

Our setup:

$1,178 down to $42. A 96% reduction.

Logto as the auth backbone

A quick note on Logto, the authentication backbone we’re using. It’s an OSS, self-hostable auth platform with proper OAuth 2.0 / OIDC support. Google SSO, GitHub SSO, MFA, Organizations, M2M apps — all of these are free in the self-hosted edition.

For serious external-facing services there’s Logto Cloud, but as a single auth platform for internal systems it’s remarkably strong. The team ships actively, and I’m personally a big fan of the product.

A key design choice — don’t change the egress IP

The single most important thing during the VPN migration was not changing the public-facing IP address. Our customers have our IPs on their firewall allowlists; changing the IP would be a serious problem.

Solution: we placed Headscale behind our existing NAT Gateway. VPN traffic still egresses through the same NAT Gateway, so the source IP doesn’t change.

One month of dogfooding

After building it, we didn’t flip everyone over immediately. We ran one full month of dogfooding.

Honest truth: there were quite a few issues. Dropped connections, unstable exit nodes, certain machines failing to reconnect.

We worked through each of these with Claude Code: kernel parameter tuning (expanding UDP buffers, adjusting conntrack timeouts), running our own DERP relay servers, building out operational procedures for node management.

We still have things to improve, but at this point it runs stably in our development environment.

Performance

We checked performance, too.

That’s on par with or better than AWS Client VPN.

Verifying impact in Cost Explorer

Executing the actions isn’t the end — we always verified impact in AWS Cost Explorer, and we let Claude Code drive that via CLI too.

One discovery: the Fargate Spot move is hard to see through Cost Explorer’s standard filters. Spot discounts get buried inside the Fargate line item, so you have to look at it specifically. Claude Code can dig into “we did it, but the savings aren’t showing up” problems like that for you.

Wrapping up

The cost structure of the AI era is shifting. New tooling costs like Claude Code show up on the bill, but the very same tools can be turned around and pointed at infrastructure cost optimization.

For us, yes, Claude Code added cost — but Claude Code itself delivered far more in AWS savings. We invest in AI, and AI pays for itself. That cycle is starting to spin nicely.

What I really learned this round was the importance of visibility first. Trying to walk through 19 accounts by hand isn’t realistic. Because Claude Code had the AWS CLI in hand and could sweep horizontally, we noticed things like “wait, the VPN costs that much?”

There might still be cost smells in your AWS environment that nobody’s noticed yet.

This time I focused on the VPN migration, but if there’s interest in any of the other actions I’m happy to write a dedicated piece. Drop a comment and let me know what you’d like to read about.


Masaki Kondo — CEO, Guide Inc. Vietnam https://koedesk.app
