VPC Endpoints Educational Infographic

VPC ENDPOINTS EXPLAINED

Securely access S3 and DynamoDB without traversing the public internet, NAT Gateways, or Proxy Servers.

THE INGREDIENTS

What you need to establish a private connection.

Private Subnet

An isolated VPC subnet with no route to an Internet Gateway (IGW).

Endpoint Policy

IAM-style JSON policy attached to the endpoint to control resource access.

Route Tables

Required for Gateway Endpoints to direct traffic to S3 or DynamoDB.

PrivateLink (ENI)

Required for Interface Endpoints. Each endpoint is an ENI that takes a private IP from your subnet's address range.

THE ARCHITECTURE

Gateway vs Interface Comparison
[Diagram: an EC2 Instance in an AWS VPC (Private Subnet) reaching AWS Services (S3, DynamoDB) through either a Gateway Endpoint (S3 / DynamoDB) or an Interface Endpoint (PrivateLink)]

Feature              Gateway Endpoint                            Interface Endpoint
Services Supported   S3 & DynamoDB only                          Most AWS services (EC2, Kinesis, etc.)
Cost                 Free                                        Hourly rate + data processing fee
Implementation       Route table entry                           Elastic Network Interface (ENI) + DNS
Access Method        Public IP (but traffic stays on AWS network) Private IP from your subnet

No NAT Required

Instances in private subnets don’t need a NAT Gateway to reach S3/DynamoDB, saving significant costs.

Enhanced Security

Traffic never leaves the Amazon network. Use Endpoint Policies to restrict access to specific buckets.
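As an added example (not part of the original infographic), the following Python builds an S3 gateway endpoint policy that allows only the listed buckets and audits a policy for the wildcard grants found in the default full-access policy AWS attaches to a new endpoint. The bucket names, the Sid and the action list are assumptions chosen for illustration; the default-policy document is a constructed copy of the well-known allow-everything shape.

```python
import json

# Constructed bucket names: the only buckets the endpoint should be able to reach.
ALLOWED_BUCKETS = ["example-app-data", "example-app-logs"]


def build_s3_endpoint_policy(buckets):
    """Return an endpoint policy that limits S3 access to the named buckets.

    Both the bucket ARN (for ListBucket) and the object ARN pattern (for
    Get/PutObject) are needed, because S3 evaluates them against different
    actions.
    """
    resources = []
    for name in buckets:
        resources.append(f"arn:aws:s3:::{name}")
        resources.append(f"arn:aws:s3:::{name}/*")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowOnlyNamedBuckets",  # assumed Sid
                "Effect": "Allow",
                "Principal": "*",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
                "Resource": resources,
            }
        ],
    }


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_endpoint_policy(policy):
    """Return human-readable findings for Allow statements that grant every
    action or every resource, i.e. policies that do not actually restrict the
    endpoint to specific buckets or tables."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a in ("*", "s3:*", "dynamodb:*") for a in actions):
            findings.append(f"{sid}: grants wildcard action {actions}")
        if "*" in resources:
            findings.append(f"{sid}: grants access to every resource (Resource '*')")
    return findings


# Constructed copy of the allow-everything policy a new endpoint starts with.
DEFAULT_FULL_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}
    ],
}


if __name__ == "__main__":
    restricted = build_s3_endpoint_policy(ALLOWED_BUCKETS)
    print(json.dumps(restricted, indent=2))
    print("restricted policy findings:", audit_endpoint_policy(restricted))
    print("default policy findings:", audit_endpoint_policy(DEFAULT_FULL_ACCESS_POLICY))
```

The audit is deliberately narrow: it only flags the two grants that make an endpoint policy meaningless, so a clean result means the policy names specific resources, not that the named resources are the right ones.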

DNS Resolution

With Private DNS enabled, an interface endpoint overrides the service's public DNS name so that it resolves automatically to the endpoint's private IPs inside your VPC.
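As an added example (not part of the original infographic), the following Python checks the two things the Ingredients and DNS Resolution sections rely on: that a private subnet's route table has no Internet Gateway route and does have a prefix-list route to a gateway endpoint, and that a Private DNS answer for an interface endpoint hostname lies inside the VPC CIDR. The route tables follow the shape of `aws ec2 describe-route-tables` output, but every ID, CIDR and address here is a constructed placeholder.

```python
import ipaddress

# Constructed route table for a private subnet that uses a gateway endpoint:
# only the local route and a prefix-list route whose target is a vpce- ID.
PRIVATE_RTB = {
    "RouteTableId": "rtb-EXAMPLE1",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationPrefixListId": "pl-EXAMPLE-s3", "GatewayId": "vpce-EXAMPLE1", "State": "active"},
    ],
}

# Constructed route table for a public subnet: default route to an Internet Gateway.
PUBLIC_RTB = {
    "RouteTableId": "rtb-EXAMPLE2",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE", "State": "active"},
    ],
}


def check_gateway_endpoint_routes(rtb):
    """Return findings for a route table that is meant to serve a private subnet
    reaching S3/DynamoDB through a gateway endpoint."""
    findings = []
    routes = [r for r in rtb.get("Routes", []) if r.get("State") == "active"]
    if any(r.get("GatewayId", "").startswith("igw-") for r in routes):
        findings.append("route to an Internet Gateway: subnet is not private")
    has_vpce_route = any(
        "DestinationPrefixListId" in r and r.get("GatewayId", "").startswith("vpce-")
        for r in routes
    )
    if not has_vpce_route:
        findings.append("no prefix-list route to a gateway endpoint: no private path to S3/DynamoDB")
    return findings


def resolves_inside_vpc(resolved_ips, vpc_cidr):
    """True when every address the service hostname resolved to lies inside the
    VPC CIDR, which is what a working Private DNS override produces. A public
    answer means traffic would not be going to the interface endpoint ENI."""
    net = ipaddress.ip_network(vpc_cidr)
    return bool(resolved_ips) and all(ipaddress.ip_address(ip) in net for ip in resolved_ips)


# Constructed DNS answers: ENI addresses from two subnets versus a public address
# (203.0.113.0/24 is the documentation range, used here as a placeholder).
PRIVATE_DNS_ANSWER = ["10.0.1.25", "10.0.2.40"]
PUBLIC_DNS_ANSWER = ["203.0.113.10"]


if __name__ == "__main__":
    for rtb in (PRIVATE_RTB, PUBLIC_RTB):
        print(rtb["RouteTableId"], check_gateway_endpoint_routes(rtb) or ["ok"])
    print("private dns inside vpc:", resolves_inside_vpc(PRIVATE_DNS_ANSWER, "10.0.0.0/16"))
    print("public answer inside vpc:", resolves_inside_vpc(PUBLIC_DNS_ANSWER, "10.0.0.0/16"))
```

Note the asymmetry the comparison table points at: with a gateway endpoint, S3 still resolves to public IPs and the route table entry is what keeps traffic on the AWS network, so `resolves_inside_vpc` only applies to interface endpoints, while `check_gateway_endpoint_routes` is the check for gateway endpoints.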

© 2023 Cloud Architecture Series • Visual Guide for Solutions Architects
