VPC Endpoints
They allow resources in private subnets/VPCs to access AWS services (or be accessed) even though there’s no internet connection available/allowed. You could reach the same goal with a NAT Gateway, but if you don’t want instances to have internet connectivity this is almost the only way.
This is extremely useful for services that are hosted in the AWS Public Zone and need you to access their public IP.
This service is powered by AWS PrivateLink.
In general Endpoint Gateways are preferable over Interface Endpoints: no costs, and you only need to update the route table. But they may not be when:
- You want to connect from on-premise (Site-to-Site VPN, Direct Connect)
- You want to access the services from a different VPC or a different region
VPC Endpoint Gateway
It is region resilient and highly available by default.
Only available for:
- S3
- DynamoDB
You create one gateway per service (e.g. S3) per region. When you do so a Prefix List is added to the routing tables: it contains the public IPs of S3/DynamoDB, and the routing table gets a route with the list as destination and the endpoint gateway as next hop. The Prefix List is kept updated by AWS. This means that, within the VPC, traffic to S3 or DynamoDB takes a different gateway than the rest of the traffic.
The Gateway is available for the whole VPC, and you select which subnets will have their route table updated.
It can only be used to access resources in the same region and VPC.
It comes at no additional cost.
Interface Endpoints
They provide similar functionality to gateway endpoints but support more services and act at a higher level.
They’re AZ resilient and not HA. IPv6 is supported even for services that don’t support IPv6 publicly.
Supported services:
- S3
- a lot more services!
$ aws ec2 describe-vpc-endpoint-services --region eu-north-1 --filters Name=service-type,Values=Interface Name=owner,Values=amazon --query ServiceNames
Upon configuring an interface endpoint for, say, Secrets Manager, an interface with a private IP is created in each specified subnet in the VPC. That interface can be used to access the service privately.
You can optionally choose the private IPv4 address yourself and assign a Security Group to the interface. You can also optionally attach an access (endpoint) policy.
Interface Endpoints are powered by AWS PrivateLink and are billed per endpoint, per hour, per AZ, plus per GB of data processed.
DNS
Upon creating the endpoint you get:
- A Regional DNS record: endpoint_id.service_id.region.vpce.amazonaws.com
- A Zonal DNS record: endpoint_id-az_name.service_id.region.vpce.amazonaws.com
Optionally you can enable Private DNS: a private hosted zone that shadows the public record with the IP of the endpoint.
Normally AWS services are accessible at protocol://service_code.region_code.amazonaws.com (like 'https://monitoring.us-east-2.amazonaws.com'), and that name resolves to some public-zone IP address. With Private DNS a record for service_code.region_code.amazonaws.com is created in a private hosted zone, resolving to the (private) IP of the endpoint, so applications are agnostic about the underlying network connectivity.
The VPC attributes enableDnsHostnames and enableDnsSupport are required for this functionality.
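As an added example (not part of the original notes), a Python audit over the JSON that `aws ec2 describe-vpc-endpoints` and `aws ec2 describe-route-tables` return, flagging the gaps these notes warn about: gateway endpoints whose route tables lack the prefix-list route, interface endpoints without Private DNS, on the VPC default security group or in a single subnet, and endpoints left on the default full-access policy. The endpoint, route-table and policy data are constructed placeholders; the field names are those of the EC2 API response.

```python
import json
# Constructed sample shaped like the `describe-vpc-endpoints` / `describe-route-tables` output (placeholder ids)
SAMPLE_ENDPOINTS = [
    {"VpcEndpointId": "vpce-gw", "VpcEndpointType": "Gateway", "RouteTableIds": ["rtb-a", "rtb-b"],
     "PolicyDocument": '{"Statement":[{"Effect":"Allow","Principal":"*","Action":"*","Resource":"*"}]}'},
    {"VpcEndpointId": "vpce-if", "VpcEndpointType": "Interface", "SubnetIds": ["subnet-1"],
     "PrivateDnsEnabled": False, "Groups": [{"GroupId": "sg-0", "GroupName": "default"}],
     "PolicyDocument": '{"Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::111122223333:role/app"},'
                       '"Action":"secretsmanager:GetSecretValue","Resource":"*"}]}'},
]
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-a", "Routes": [{"DestinationPrefixListId": "pl-s3", "GatewayId": "vpce-gw"}]},
    {"RouteTableId": "rtb-b", "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0"}]},
]

def is_full_access(policy_doc):
    """True for the default endpoint policy (or no policy): any principal, any action, any resource."""
    if not policy_doc:
        return True
    for stmt in json.loads(policy_doc).get("Statement", []):
        principal = stmt.get("Principal")
        if isinstance(principal, dict):          # {"AWS": "*"} is the same as "*"
            principal = principal.get("AWS")
        if stmt.get("Effect") == "Allow" and principal == "*" and stmt.get("Action") == "*" and stmt.get("Resource") == "*":
            return True
    return False

def audit_endpoints(endpoints, route_tables):
    """Return (endpoint_id, finding) tuples for the configuration gaps described in the notes above."""
    findings = []
    rt_by_id = {rt["RouteTableId"]: rt for rt in route_tables}
    for ep in endpoints:
        ep_id = ep["VpcEndpointId"]
        if is_full_access(ep.get("PolicyDocument")):
            findings.append((ep_id, "default full-access endpoint policy"))
        if ep["VpcEndpointType"] == "Gateway":
            # Each associated route table must carry the prefix-list route with this endpoint as next hop,
            # otherwise that subnet still reaches S3/DynamoDB over NAT/IGW.
            for rt_id in ep.get("RouteTableIds", []):
                routes = rt_by_id.get(rt_id, {}).get("Routes", [])
                if not any(r.get("GatewayId") == ep_id and "DestinationPrefixListId" in r for r in routes):
                    findings.append((ep_id, f"{rt_id} has no prefix-list route via this endpoint"))
        elif ep["VpcEndpointType"] == "Interface":
            if not ep.get("PrivateDnsEnabled"):
                findings.append((ep_id, "Private DNS disabled: default service hostname bypasses the endpoint"))
            if any(g.get("GroupName") == "default" for g in ep.get("Groups", [])):
                findings.append((ep_id, "uses the VPC default security group"))
            if len(ep.get("SubnetIds", [])) < 2:
                findings.append((ep_id, "single subnet: AZ-resilient only, not HA"))
    return findings
```

Feed it the `VpcEndpoints` and `RouteTables` arrays from the two CLI calls to audit a real VPC.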