A VPC Endpoint is a gateway object within a VPC that lets resources in the VPC connect privately to AWS public services, or to endpoint services exposed from other VPCs, without needing an Internet Gateway or a public subnet.
- You do not need an Internet Gateway, a NAT Gateway (and therefore a public subnet), or AWS Direct Connect.
- The traffic never leaves the AWS network.
- Instances in your VPC do not require a public IP address.
- VPC Endpoints are highly available and horizontally scalable virtual devices.
Types of VPC Endpoints
There are two types of endpoints.
- Gateway Endpoint:
  - It is a virtual device that supports connections to DynamoDB and S3.
  - A route to the service's prefix list is automatically added to the VPC's route table.
  - It can be associated with an endpoint policy.
- Interface Endpoint:
  - It is an elastic network interface (ENI) with a private IP address that serves as an entry point to other services such as SNS, EC2, or ELB.
  - It is a real network interface that resides in a subnet and uses DNS names to resolve requests to the AWS service.
  - An Interface VPC endpoint is powered by AWS PrivateLink.
  - Limitations:
    - IPv4 TCP traffic only
    - Within the same Region only
    - No CloudWatch metric is available for the interface-based VPC endpoint.
Use Cases
VPC endpoints can be used:
- If the entire VPC is private with no IGW
- If a specific instance has no public IP and needs to access public services
- To access resources restricted to specific VPCs or endpoints (such as a private S3 bucket)
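The two policy attachment points above (the endpoint policy on a gateway endpoint, and an S3 bucket locked to one VPC endpoint) together, as an added Terraform example that is not part of the original notes. The VPC id, route table id, bucket name and Region are placeholders; the bucket itself is assumed to already exist.

```hcl
# Added example (not from the original notes). Assumes an existing VPC,
# route table and bucket; the ids below are placeholders.
variable "vpc_id"         { default = "vpc-PLACEHOLDER" }
variable "route_table_id" { default = "rtb-PLACEHOLDER" }
variable "bucket"         { default = "example-private-bucket" }

# Gateway endpoint for S3. The endpoint policy limits which buckets can be
# reached through it: only the one private bucket, nothing else.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.us-east-1.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [var.route_table_id] # prefix-list route is added here
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "OnlyThePrivateBucket"
      Effect    = "Allow"
      Principal = "*"
      Action    = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
      Resource  = [
        "arn:aws:s3:::${var.bucket}",
        "arn:aws:s3:::${var.bucket}/*",
      ]
    }]
  })
}

# Bucket policy: the other half of the lock. Requests that do not arrive via
# this endpoint (internet, other VPCs) are denied, so a leaked credential
# used from outside the VPC still cannot reach the bucket.
resource "aws_s3_bucket_policy" "private_only_via_vpce" {
  bucket = var.bucket
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyUnlessFromEndpoint"
      Effect    = "Deny"
      Principal = "*"
      Action    = "s3:*"
      Resource  = [
        "arn:aws:s3:::${var.bucket}",
        "arn:aws:s3:::${var.bucket}/*",
      ]
      Condition = {
        StringNotEquals = { "aws:SourceVpce" = aws_vpc_endpoint.s3.id }
      }
    }]
  })
}
```

The Deny applies to every principal, administrators included, so any management access to the bucket must also come through the endpoint; the condition value can be a list of endpoint ids if more than one VPC needs access.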