Overview
By default, resources in a VPC (like EC2 instances) require an Internet Gateway (IGW) or a NAT Gateway to communicate with AWS public services such as S3, DynamoDB, or Kinesis. VPC Endpoints eliminate this requirement, allowing you to connect your VPC to supported AWS services privately, as if they were inside your VPC, without ever leaving the Amazon network.
The Analogy: The Secret Tunnel
Imagine you live in a gated community (VPC). To get groceries from a store (AWS Service) outside, you usually have to drive through the main gate onto the public highway (Internet). A VPC Endpoint is like building a private underground tunnel directly from your basement to the store’s back room. You never touch the public road, it’s faster, and no one outside can see your car.
Core Concepts & Well-Architected Lens
- Security: Data does not traverse the public internet, reducing the attack surface. You can use Endpoint Policies to restrict which IAM principals can access which resources.
- Cost Optimization: Interface Endpoints have an hourly cost + data processing fee, while Gateway Endpoints are free.
- Performance: Reduced latency and jitter by keeping traffic on the AWS global backbone.
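The Security bullet above says Endpoint Policies decide which IAM principals may reach which resources through the endpoint. The following is an added example, not code from the original notes or from AWS: a deliberately minimal evaluator for endpoint policy documents that shows the two policies a practitioner compares most often (the full-access default AWS attaches at creation, and a restricted policy that pins a gateway endpoint to one bucket and one role). The account id, role name and bucket name are constructed placeholders, and the evaluator implements only the core IAM rule (explicit Deny wins, then any matching Allow, otherwise implicit Deny) with `*` wildcards; condition keys, `NotAction`/`NotResource` and account-root principal forms are left out.

```python
"""Minimal evaluator for VPC endpoint policy documents (added example).

Models only the part of IAM evaluation that an endpoint policy contributes:
an explicit Deny wins, otherwise any matching Allow grants, otherwise the
request is implicitly denied. Principal, action and resource matching support
the "*" wildcard. Condition keys, NotAction/NotResource and account-level
principals are deliberately omitted. All ids and names are placeholders.
"""
import fnmatch

# The policy AWS attaches by default when an endpoint is created: full access.
DEFAULT_ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}
    ],
}

# A restricted gateway-endpoint policy: one role may only read one bucket.
# Any other bucket is unreachable through this endpoint, which limits what a
# compromised instance in the VPC can push out or pull in over the tunnel.
RESTRICTED_ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            # placeholder account id and role name
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-reader"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-data-bucket",      # placeholder bucket
                "arn:aws:s3:::example-data-bucket/*",
            ],
        }
    ],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Principal.AWS."""
    return value if isinstance(value, list) else [value]


def _principal_matches(spec, principal_arn):
    """Principal is either "*" or {"AWS": "<arn>" | ["<arn>", ...]}."""
    if spec == "*":
        return True
    if isinstance(spec, dict):
        patterns = _as_list(spec.get("AWS", []))
        return any(fnmatch.fnmatchcase(principal_arn, p) for p in patterns)
    return False


def evaluate(policy, principal_arn, action, resource):
    """Return "Allow" or "Deny" for one request against the endpoint policy."""
    decision = "Deny"  # implicit deny until an Allow statement matches
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], principal_arn):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins, whatever else matches
        decision = "Allow"
    return decision


if __name__ == "__main__":
    role = "arn:aws:iam::111122223333:role/app-reader"
    obj = "arn:aws:s3:::example-data-bucket/reports/q1.csv"
    print("default, read own bucket:   ", evaluate(DEFAULT_ENDPOINT_POLICY, role, "s3:GetObject", obj))
    print("restricted, read own bucket:", evaluate(RESTRICTED_ENDPOINT_POLICY, role, "s3:GetObject", obj))
    print("restricted, write:          ", evaluate(RESTRICTED_ENDPOINT_POLICY, role, "s3:PutObject", obj))
    print("restricted, other bucket:   ", evaluate(RESTRICTED_ENDPOINT_POLICY, role, "s3:GetObject",
                                                    "arn:aws:s3:::some-other-bucket/x"))
```

Note that the endpoint policy is evaluated in addition to the principal's IAM policy and the bucket policy; it can only narrow access, never grant access those other policies do not already give. The real evaluator also honours condition keys such as `aws:PrincipalAccount`, which this simplified version ignores.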
Comparison Table: Gateway vs. Interface Endpoints
| Feature | Gateway Endpoints | Interface Endpoints (PrivateLink) |
|---|---|---|
| Supported Services | S3 and DynamoDB ONLY. | Most other services (EC2, Kinesis, CloudWatch, etc.) + Marketplace. |
| Mechanism | A target in your Route Table. | An Elastic Network Interface (ENI) with a private IP. |
| Cost | Free. | Hourly charge + Data processing charge. |
| Access from On-Prem | No (unless using Proxy). | Yes (via Direct Connect or Client VPN). |
Scenario-Based Decision Matrix
- If you need to access S3 from a private subnet and want to avoid NAT Gateway costs… Use a Gateway Endpoint.
- If you need to access S3 from an on-premises data center via Direct Connect… Use an Interface Endpoint.
- If you are a SaaS provider wanting to offer your service to other AWS customers privately… Use AWS PrivateLink.
- If you need to access CloudWatch Logs without an IGW… Use an Interface Endpoint.
Exam Tips: Golden Nuggets
- The “S3 Exception”: S3 is unique because it supports both types. Choose Gateway for cost/VPC-only; choose Interface for on-prem access or cross-region requirements.
- Security Groups: Interface Endpoints (ENIs) require Security Groups to allow inbound traffic on the service port (e.g., 443). Gateway Endpoints do NOT use Security Groups.
- DNS Resolution: For Interface Endpoints, ensure “Enable DNS Hostnames” and “Enable DNS Support” are set to True in your VPC.
Visualizing Private Connectivity
Architecture: Traffic stays within the AWS network using Gateway (Blue) and Interface (Green) Endpoints.
Key Services
- Interface: PrivateLink, ENI-based.
- Gateway: Route Table-based (S3/DynamoDB).
- Endpoint Policies: JSON policies for access control.
Common Pitfalls
- Forgetting to update Route Tables for Gateway Endpoints.
- Blocking port 443 on the Interface Endpoint Security Group.
- Assuming Gateway Endpoints work over Direct Connect.
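The three pitfalls above and the Security Groups and DNS Resolution exam tips describe the same set of checks a reviewer runs before trusting an endpoint: every private route table is associated with the gateway endpoint, the interface endpoint's security group admits inbound TCP/443, and the VPC has both DNS attributes on. The following is an added example, not code from the original notes or from AWS: offline audit functions whose inputs mirror the shape of the `describe-vpc-endpoints`, `describe-route-tables`, `describe-security-groups` and `describe-vpc-attribute` responses. All ids, CIDRs and service names are constructed sample data, so the checks run without credentials; the intended use is to feed real boto3 responses into the same functions.

```python
"""Offline checks for common VPC endpoint misconfigurations (added example).

Inputs mirror the shape of AWS describe-* API responses, but every value below
is constructed sample data with placeholder ids: no AWS call is made.
"""

# Constructed sample: a gateway endpoint for S3 associated with only one of
# two private route tables, and an interface endpoint for CloudWatch Logs.
SAMPLE_ENDPOINTS = [
    {"VpcEndpointId": "vpce-0gw-s3", "VpcEndpointType": "Gateway",
     "ServiceName": "com.amazonaws.us-east-1.s3",
     "RouteTableIds": ["rtb-private-a"],  # rtb-private-b was forgotten
     "Groups": []},
    {"VpcEndpointId": "vpce-0if-logs", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.us-east-1.logs",
     "RouteTableIds": [],
     "Groups": [{"GroupId": "sg-endpoint"}]},
]

# Constructed sample: the association adds a prefix-list route pointing at the
# endpoint id; rtb-private-b only has the local route.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-private-a",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationPrefixListId": "pl-s3", "GatewayId": "vpce-0gw-s3"}]},
    {"RouteTableId": "rtb-private-b",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]

# Constructed sample: the endpoint SG allows 22 from the VPC but not 443.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-endpoint",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
]

PRIVATE_ROUTE_TABLES = ["rtb-private-a", "rtb-private-b"]


def gateway_endpoints_missing_routes(endpoints, route_tables, private_rtb_ids):
    """(endpoint_id, route_table_id) pairs where a private route table has no
    route targeting the gateway endpoint, i.e. traffic from those subnets
    would still need a NAT Gateway or IGW to reach S3/DynamoDB."""
    routes_by_rtb = {rt["RouteTableId"]: rt["Routes"] for rt in route_tables}
    findings = []
    for ep in endpoints:
        if ep["VpcEndpointType"] != "Gateway":
            continue
        for rtb_id in private_rtb_ids:
            routes = routes_by_rtb.get(rtb_id, [])
            if not any(r.get("GatewayId") == ep["VpcEndpointId"] for r in routes):
                findings.append((ep["VpcEndpointId"], rtb_id))
    return findings


def _rule_covers_443(rule):
    """True if an inbound rule admits TCP/443 (protocol -1 means all traffic)."""
    if rule["IpProtocol"] == "-1":
        return True
    return (rule["IpProtocol"] == "tcp"
            and rule.get("FromPort", 0) <= 443 <= rule.get("ToPort", 65535))


def interface_endpoints_blocking_443(endpoints, security_groups):
    """Interface endpoint ids whose security groups admit no inbound TCP/443."""
    sg_by_id = {sg["GroupId"]: sg for sg in security_groups}
    findings = []
    for ep in endpoints:
        if ep["VpcEndpointType"] != "Interface":
            continue
        rules = [r for g in ep["Groups"]
                 for r in sg_by_id[g["GroupId"]]["IpPermissions"]]
        if not any(_rule_covers_443(r) for r in rules):
            findings.append(ep["VpcEndpointId"])
    return findings


def vpc_dns_ready(attributes):
    """True only if both EnableDnsSupport and EnableDnsHostnames are on; the
    dict shape matches merged describe-vpc-attribute results."""
    return all(attributes.get(k, {}).get("Value") is True
               for k in ("EnableDnsSupport", "EnableDnsHostnames"))


if __name__ == "__main__":
    print("gateway endpoints missing routes:",
          gateway_endpoints_missing_routes(SAMPLE_ENDPOINTS, SAMPLE_ROUTE_TABLES, PRIVATE_ROUTE_TABLES))
    print("interface endpoints blocking 443:",
          interface_endpoints_blocking_443(SAMPLE_ENDPOINTS, SAMPLE_SECURITY_GROUPS))
    print("vpc dns ready:",
          vpc_dns_ready({"EnableDnsSupport": {"Value": True}, "EnableDnsHostnames": {"Value": False}}))
```

The route-table check is the one that catches the Direct Connect pitfall indirectly as well: a gateway endpoint only ever appears as a route target inside the VPC's own route tables, so on-premises traffic has no route to it and needs an interface endpoint instead.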
Quick Patterns
- Hybrid Cloud: Use Interface Endpoints for on-premises access.
- SaaS Delivery: Use PrivateLink to sell your service.
- Compliance: Disable IGW and use Endpoints for high security.