AWS Networking: VPC Endpoints (PrivateLink)
VPC Endpoints enable private connections between your VPC and supported AWS services or VPC endpoint services. Traffic between your VPC and the service does not leave the Amazon network, eliminating the need for an Internet Gateway, NAT device, or VPN connection.
The “Private Tunnel” Analogy
Imagine your VPC is a high-security office building. Usually, to get supplies from a store (AWS Service), your employees have to drive out the front gate, onto the public highway (The Internet), and through a public entrance. A VPC Endpoint is like building a private, secure underground tunnel directly from your office basement to the store’s back room. You never set foot on the public highway; it’s faster, and much more secure.
1. Core Endpoint Types
For the SAA-C03 exam, you must distinguish between the two primary types of endpoints:
| Feature | Gateway Endpoints | Interface Endpoints (PrivateLink) |
|---|---|---|
| Services Supported | S3 and DynamoDB only. | Most other services (EC2 API, Kinesis, SNS, SQS, etc.) + Marketplace. |
| Mechanism | Uses a Route Table entry (Prefix List). | Uses an Elastic Network Interface (ENI) with a private IP. |
| Cost | Free. | Hourly charge + Data processing charge. |
| Access from On-Prem | No (cannot be extended via VPN/DX). | Yes (accessible via VPN or Direct Connect). |
2. Security and Policies
VPC Endpoints are not just about connectivity; they are a security boundary. You can attach Endpoint Policies to control which IAM principals can access which resources through the endpoint.
- Security Groups: Only apply to Interface Endpoints (since they have an ENI). You must allow inbound traffic on the service port (e.g., 443) from your VPC resources.
- Endpoint Policies: JSON documents (similar to IAM policies) that restrict access. For example, you can create a policy that only allows `s3:GetObject` on a specific bucket.
Decision Matrix: If-Then Guide
- If you need to access S3 or DynamoDB from within a VPC for free: Choose Gateway Endpoint.
- If you need to access S3 from an on-premises data center via Direct Connect: Choose Interface Endpoint.
- If you need to access a 3rd party SaaS service privately: Choose Interface Endpoint (PrivateLink).
- If you want to avoid NAT Gateway costs for high-volume AWS service traffic: Choose VPC Endpoints.
Exam Tips and Gotchas
- The “No Internet” Rule: VPC Endpoints allow resources in private subnets to reach AWS services without an Internet Gateway or NAT Gateway.
- DNS Resolution: For Interface Endpoints, ensure “Enable DNS Hostnames” and “Enable DNS Support” are set to `true` in your VPC settings to use the default service DNS names.
- Gateway Routing: If S3 traffic isn’t working via a Gateway Endpoint, check the Route Table. It must point to the `vpce-xxx` target for the S3 Prefix List.
- Cross-Region: Interface Endpoints are regional. You cannot directly access an endpoint in `us-east-1` from a VPC in `us-west-2` without VPC Peering or Transit Gateway.
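The endpoint policy from the Security section (read-only `s3:GetObject` on one bucket) and the Gateway Routing gotcha above, as an added worked example that is not part of the original guide: it builds the policy, evaluates sample requests against it with a simplified IAM allow/deny model, and checks a route table for the required `vpce-` target. The bucket name, prefix list ID and route entries are constructed placeholders; the route shape follows what EC2 `describe_route_tables` returns (an assumption, not from the page).

```python
import fnmatch


def build_endpoint_policy(bucket: str) -> dict:
    """Endpoint policy allowing only s3:GetObject on objects in one bucket.
    'bucket' is a placeholder chosen by the caller, not a value from the page."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowReadOnlyFromOneBucket",
            "Effect": "Allow",
            "Principal": "*",                 # any principal, but only this action/resource
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value: str) -> bool:
    # IAM wildcard semantics, simplified: '*' and '?' glob; actions are case-insensitive
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified IAM evaluation: explicit Deny wins, otherwise any Allow,
    otherwise implicit deny. Principal and Condition elements are ignored here."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt.get("Action", []), action) and _matches(stmt.get("Resource", []), resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def s3_route_ok(routes: list, s3_prefix_list_id: str) -> bool:
    """Gateway gotcha check: the S3 prefix list must be routed to a vpce- target."""
    return any(
        r.get("DestinationPrefixListId") == s3_prefix_list_id
        and str(r.get("GatewayId", "")).startswith("vpce-")
        for r in routes
    )


# Constructed sample route table (placeholder IDs): a NAT route but no endpoint route yet
SAMPLE_ROUTES = [
    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-PLACEHOLDER"},
]
```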
Topics covered:
Summary of key subtopics covered in this guide:
- Difference between Gateway and Interface Endpoints.
- Cost implications of PrivateLink vs. Gateway Endpoints.
- Security Group requirements for Interface Endpoints.
- Accessing AWS services from On-Premises via PrivateLink.
- Endpoint Policies for granular resource control.
VPC Endpoint Architecture Visualized
- Low Latency: Traffic stays on the AWS backbone. No “hairpinning” through NAT Gateways or the public internet.
- Scalability: Interface endpoints handle up to 10 Gbps per AZ by default (burstable to 100 Gbps).
- Stop the NAT Leak: NAT Gateways charge per GB processed. Moving S3 traffic to a Gateway Endpoint is $0.00/GB.
- Use Case: High-volume data lakes in S3 should always use Gateway Endpoints.
- PrivateLink: You can create your own Endpoint Service to share your application with other AWS accounts privately without VPC Peering.
- CloudWatch: All VPC Endpoint activity can be logged via VPC Flow Logs for auditing.