[AWS] VPC Endpoints

A VPC Endpoint is a gateway object within a VPC that lets resources connect privately to AWS public services or to other VPC endpoints, without the need for an Internet Gateway or a public subnet.


Features

  • You do not need an Internet Gateway, a NAT Gateway (public subnet), or AWS Direct Connect.
  • The traffic never leaves the AWS network.
    • Instances in your VPC do not require a public IP address.
  • VPC Endpoints are highly available and horizontally scalable virtual devices.

Types of VPC Endpoints

There are 3 types of endpoints: Gateway endpoints, Interface endpoints, and Gateway Load Balancer endpoints.

|             | Gateway Endpoint                                  | Interface Endpoint                                     |
|-------------|---------------------------------------------------|--------------------------------------------------------|
| What        | A target of a route in the route table            | An Elastic Network Interface (ENI) with a private IP   |
| How         | A prefix list as the route destination redirects traffic | DNS entries redirect traffic                    |
| Integration | S3, DynamoDB                                      | API Gateway, CloudFormation, CloudWatch, SNS, …        |
| Security    | VPC Endpoint policy                               | Security Groups                                        |

Gateway Endpoints

  • It is a virtual device that supports connections to DynamoDB and S3.
    • A Gateway endpoint is defined at the VPC level.
      • DNS resolution must be enabled in the VPC.
      • It cannot be extended outside the VPC (via Peering, VPN, Direct Connect, or Transit Gateway).
    • A route is automatically added to the VPC's route table.
      • A prefix list is used as the destination.
      • The target is the Gateway endpoint.
    • It can be associated with policies.
  [Figures: Available Gateway endpoint types; Gateway endpoint list; Gateway endpoint route table]

Interface Endpoints

  • It is powered by AWS PrivateLink.
  • It uses an Elastic Network Interface (ENI) with a private IP as the entry point to other services.
    • The ENI is attached to a subnet.
  • VPC Settings
    • Enable DNS hostnames: true
    • Enable DNS support: true
  • It is a real network interface residing in a subnet and uses DNS names to resolve requests to AWS services.
  • It can be accessed from DX (Direct Connect) or VPN.
  • Limitations:
    • IPv4 TCP traffic only
    • Within the same Region only
    • No CloudWatch metric is available for the interface-based VPC endpoint.
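As an added example (not from the original page), a Terraform configuration that puts the two endpoint types side by side: a Gateway endpoint for S3 attached to the VPC's main route table and scoped by an endpoint policy, and an Interface endpoint for Systems Manager guarded by a security group with private DNS. The region, CIDRs, bucket name and the choice of SSM as the interface service are assumptions.

```hcl
# Added example, not from the original page. Region, CIDRs and bucket name are placeholders.
# Interface endpoints rely on private DNS, so both VPC DNS flags must be on.
resource "aws_vpc" "private" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_support   = true
  enable_dns_hostnames = true
}

resource "aws_subnet" "app" {
  vpc_id     = aws_vpc.private.id
  cidr_block = "10.0.1.0/24"
}

# Gateway endpoint: AWS adds a route (S3 prefix list -> this endpoint) to the listed
# route table; the endpoint policy limits which buckets are reachable through it.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = aws_vpc.private.id
  service_name      = "com.amazonaws.us-east-1.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [aws_vpc.private.main_route_table_id]
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = "*"
      Action    = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
      Resource  = ["arn:aws:s3:::example-private-bucket",
                   "arn:aws:s3:::example-private-bucket/*"]
    }]
  })
}

# Interface endpoint: an ENI in the subnet. A security group (not a policy) controls who
# can reach it, and private DNS makes the normal service hostname resolve to the ENI.
resource "aws_security_group" "endpoint" {
  vpc_id = aws_vpc.private.id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.private.cidr_block]
  }
}

resource "aws_vpc_endpoint" "ssm" {
  vpc_id              = aws_vpc.private.id
  service_name        = "com.amazonaws.us-east-1.ssm"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = [aws_subnet.app.id]
  security_group_ids  = [aws_security_group.endpoint.id]
  private_dns_enabled = true
}
```

Traffic to buckets outside the endpoint policy's Resource list is rejected at the endpoint, which is the control the Security row of the table above refers to for Gateway endpoints.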

Gateway Load Balancer Endpoints

  • It is powered by AWS PrivateLink and uses an ENI as the entry point, like an Interface endpoint.
  • It is used as the target of a route in your route tables.

Use Cases

  • When the entire VPC is private, with no IGW.
  • When a specific instance has no public IP and needs to access public services.
  • To access resources restricted to specific VPCs or endpoints (such as a private S3 bucket).
