VPC Endpoints

Gateway Endpoints

  • Provide private access to supported AWS public services. Currently only S3 and DynamoDB are supported
  • A private-only resource inside the VPC (no IGW or NAT route) can reach these public services through a Gateway Endpoint
  • Gateway Endpoints are regional: one is created per service per VPC, and it reaches that service in its own region only
  • The endpoint is attached to a VPC and associated with one or more of its route tables. Each selected route table gets a route whose destination is the service's managed prefix list and whose target is the Gateway Endpoint
  • Which subnets use the endpoint is therefore decided by which route tables you select, not by the endpoint itself; a subnet whose route table was not selected keeps using the public path (or has no path at all if it is private only)
  • An Endpoint Policy controls what can be reached through the endpoint, e.g. only certain S3 buckets. There is no security group on a Gateway Endpoint, so the policy is the only control on the endpoint side
  • Gateway Endpoints can't reach cross-region services, e.g. a bucket in another region is not reachable through the endpoint
  • A bucket policy can deny everything that does not arrive via a specific Gateway Endpoint (condition key aws:sourceVpce), effectively making the S3 bucket private to that VPC
  • Gateway Endpoints are not accessible from outside the VPC they are defined in, so they cannot be used over VPN, Direct Connect or VPC peering
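As an added example (not from these notes and not AWS's own code), the Python below models both effects of a gateway endpoint described above: the prefix-list route a private-only subnet gains, and the combination of an endpoint policy with an aws:sourceVpce bucket policy that makes a bucket private to one VPC. All IDs, CIDRs, bucket names and the prefix-list contents are invented, and the tiny policy evaluator handles only the statement shapes shown here.

```python
"""Gateway endpoint worked example (an added illustration, not from the notes).

A gateway endpoint changes two things:
  1. Routing: each associated route table gets a route whose destination is
     the service's managed prefix list and whose target is the endpoint.
  2. Access control: the endpoint policy limits what may be reached through
     the endpoint, and a bucket policy can refuse anything that did not come
     through it (condition key aws:sourceVpce).
All IDs, CIDRs, bucket names and prefix-list contents below are made up.
"""
import fnmatch
import ipaddress

ENDPOINT_ID = "vpce-0123456789abcdef0"      # hypothetical S3 gateway endpoint
BUCKET = "arn:aws:s3:::app-data-bucket"      # hypothetical bucket ARN

# Constructed prefix list; the real one is AWS-managed and much larger.
PREFIX_LISTS = {"pl-63a5400a": ["52.216.0.0/15", "3.5.0.0/19"]}

# Constructed route table of a private-only subnet after association:
# no IGW or NAT route, so S3 is reachable and the rest of the internet is not.
ROUTE_TABLE = [
    {"dest": "10.0.0.0/16", "target": "local"},
    {"dest": "pl-63a5400a", "target": ENDPOINT_ID},
]


def next_hop(route_table, dst_ip, prefix_lists=PREFIX_LISTS):
    """Longest-prefix match, expanding prefix-list destinations into CIDRs.
    Returns the route target, or None when nothing matches (traffic dropped)."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for route in route_table:
        for cidr in prefix_lists.get(route["dest"], [route["dest"]]):
            net = ipaddress.ip_network(cidr)
            if ip in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, route["target"])
    return best[1] if best else None


# Endpoint policy: through this endpoint only one bucket, and no deletes.
ENDPOINT_POLICIES = {ENDPOINT_ID: {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
    "Resource": [BUCKET, BUCKET + "/*"],
}]}}
# An endpoint created without a custom policy gets full access.
DEFAULT_ENDPOINT_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}]}

# Bucket policy: explicit Deny unless the request came through our endpoint.
# Explicit Deny beats any Allow, so even a leaked access key used from the
# internet (or from another VPC's endpoint) is refused.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyUnlessFromOurVpce", "Effect": "Deny", "Principal": "*",
    "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"],
    "Condition": {"StringNotEquals": {"aws:sourceVpce": ENDPOINT_ID}},
}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Only the two string operators used above are modelled. A missing
    context key makes StringNotEquals true, exactly as IAM treats it."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"unsupported operator {operator}")
        for key, expected in pairs.items():
            equal = context.get(key) == expected
            if equal != (operator == "StringEquals"):
                return False
    return True


def evaluate(policy, action, resource, context):
    """Minimal IAM-style evaluation: 'Deny' if any matching statement denies,
    'Allow' if one allows, None if no statement applies (implicit deny)."""
    outcome = None
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        outcome = "Allow"
    return outcome


def request_allowed(action, resource, source_vpce=None):
    """A request via an endpoint must be allowed by that endpoint's policy, and
    every request must survive the bucket policy. The caller's identity policy
    is assumed to allow the action (it is not modelled here)."""
    context = {"aws:sourceVpce": source_vpce} if source_vpce else {}
    if source_vpce:
        policy = ENDPOINT_POLICIES.get(source_vpce, DEFAULT_ENDPOINT_POLICY)
        if evaluate(policy, action, resource, context) != "Allow":
            return False
    return evaluate(BUCKET_POLICY, action, resource, context) != "Deny"
```

The two documents do different jobs: the endpoint policy stops this VPC from pulling data from, or pushing data to, buckets it should not touch (a common exfiltration path), while the bucket policy stops anyone outside this VPC, including a different VPC's endpoint, from reaching the bucket even with valid credentials.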

Interface Endpoints

  • Provide private access to AWS public services (and, via PrivateLink, to third-party services)
  • Supported by most AWS services. DynamoDB was the long-standing exception (gateway endpoint only), though AWS has since added interface endpoint support for it as well
  • Not highly available by default: an Interface Endpoint is an ENI with a private IP placed in a specific subnet, so a single ENI covers only that subnet's Availability Zone
  • For HA, add the endpoint to one subnet in each AZ the workload uses (at most one subnet per AZ per endpoint); the endpoint then has one ENI per AZ
  • Security Groups are attached to the endpoint ENIs, so network-level access can be restricted, unlike with Gateway Endpoints. Endpoint Policies can still be used to restrict what can be done through the endpoint
  • Support TCP only, and historically IPv4 only (IPv6 support has since been added for some services). Behind the scenes they use PrivateLink, which is what lets AWS as well as 3rd-party services be injected directly into the VPC
  • Interface Endpoints do not use prefix lists or route tables; they use DNS. Each endpoint gets its own endpoint-specific DNS names
  • Each endpoint gets a Regional DNS name (resolves to all of its ENIs) as well as a Zonal DNS name per AZ (resolves only to that AZ's ENI, which avoids cross-AZ traffic)
  • Additionally, with Private DNS enabled, a Route 53 Private Hosted Zone is associated with the VPC so that the service's default public DNS name resolves to the endpoint's private IPs. Applications then use the endpoint without any change; without Private DNS they must address the endpoint-specific DNS name explicitly
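An added example, not from these notes and not AWS's own code: a model of an interface endpoint's per-AZ ENIs, the HA gap left when an AZ has no ENI, its regional and zonal DNS names, what the VPC resolver returns for the service's default name with Private DNS on or off, and the security group on its ENIs. Subnet IDs, the endpoint ID, the DNS suffix and the ENI addresses are invented; the DNS name layout follows the vpce-<id>-<suffix>.<service>.<region>.vpce.amazonaws.com pattern AWS uses.

```python
"""Interface endpoint worked example (an added illustration, not from the notes).

Models what you get after creating an interface endpoint for a service:
one ENI per chosen subnet (AWS allows one subnet per AZ), endpoint-specific
regional and zonal DNS names, and Private DNS overriding the service's
default name inside the VPC. All IDs, CIDRs and addresses are made up.
"""
import ipaddress

REGION = "eu-west-1"
SERVICE = "sqs"                               # service short name used in DNS
SERVICE_DEFAULT_DNS = f"{SERVICE}.{REGION}.amazonaws.com"
ENDPOINT_ID = "vpce-0abc1234def567890"        # hypothetical interface endpoint
DNS_SUFFIX = "a1b2c3d4"                       # hypothetical per-endpoint suffix
VPC_CIDR = "10.0.0.0/16"

# Constructed VPC: workloads in three AZs, two subnets share eu-west-1a.
SUBNETS = {
    "subnet-0aaa": {"az": "eu-west-1a", "cidr": "10.0.1.0/24"},
    "subnet-0bbb": {"az": "eu-west-1b", "cidr": "10.0.2.0/24"},
    "subnet-0ccc": {"az": "eu-west-1c", "cidr": "10.0.3.0/24"},
    "subnet-0ddd": {"az": "eu-west-1a", "cidr": "10.0.4.0/24"},
}


def plan_endpoint(chosen_subnets, private_dns=True, subnets=SUBNETS):
    """One ENI per chosen subnet, at most one subnet per AZ (AWS rejects more)."""
    enis = {}
    for sid in chosen_subnets:
        az = subnets[sid]["az"]
        if az in enis:
            raise ValueError(f"{az} already has an ENI; one subnet per AZ only")
        net = ipaddress.ip_network(subnets[sid]["cidr"])
        # Constructed address: AWS picks a free IP from the subnet.
        enis[az] = {"subnet": sid, "ip": str(net.network_address + 10)}
    base = f"{ENDPOINT_ID}-{DNS_SUFFIX}"
    return {
        "enis": enis,
        "private_dns": private_dns,
        "regional_dns": f"{base}.{SERVICE}.{REGION}.vpce.amazonaws.com",
        "zonal_dns": {az: f"{base}-{az}.{SERVICE}.{REGION}.vpce.amazonaws.com"
                      for az in enis},
    }


def ha_gaps(endpoint, subnets=SUBNETS):
    """AZs with workload subnets but no endpoint ENI. Workloads there depend on
    another AZ's ENI, so an outage in that AZ takes the endpoint away from them."""
    used = {s["az"] for s in subnets.values()}
    return sorted(used - set(endpoint["enis"]))


def resolve(name, endpoint):
    """What the VPC resolver answers: private IPs for the endpoint's own names,
    and for the service's default name only when Private DNS is enabled.
    None means the public answer is returned and traffic leaves the VPC
    via whatever route exists (or is dropped in a private-only subnet)."""
    all_ips = sorted(e["ip"] for e in endpoint["enis"].values())
    if name == endpoint["regional_dns"]:
        return all_ips
    for az, zonal_name in endpoint["zonal_dns"].items():
        if name == zonal_name:
            return [endpoint["enis"][az]["ip"]]
    if name == SERVICE_DEFAULT_DNS and endpoint["private_dns"]:
        return all_ips
    return None


# Security group on the endpoint ENIs: HTTPS from inside the VPC only.
ENDPOINT_SG = [{"proto": "tcp", "port": 443, "cidr": VPC_CIDR}]


def sg_allows(src_ip, port, proto="tcp", rules=ENDPOINT_SG):
    """Inbound check against the endpoint's security group rules."""
    ip = ipaddress.ip_address(src_ip)
    return any(r["proto"] == proto and r["port"] == port
               and ip in ipaddress.ip_network(r["cidr"]) for r in rules)
```

Two checks worth running against a real account follow from this model: compare the AZs that carry workloads with the AZs that carry endpoint ENIs, and confirm Private DNS is enabled, otherwise SDK calls using the default service hostname silently bypass the endpoint.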