1. Why VPC Endpoints?

By default, the DNS names of AWS services (S3, DynamoDB, SQS, etc.) resolve to public IP addresses, so traffic from your VPC to those services leaves the VPC through an Internet Gateway or NAT Gateway and travels like any other internet traffic. VPC Endpoints let you reach AWS services privately, without the traffic ever leaving the AWS network.

Core Benefit

VPC Endpoints = private access to AWS services. Traffic stays on the AWS backbone network. No IGW, NAT Gateway, or internet required. Improves security (no internet exposure) and reduces cost (no NAT Gateway data processing charges for AWS service traffic).

2. Gateway Endpoints


Key Characteristics

  1. Supported for: S3 and DynamoDB ONLY (two services)
  2. Created at the VPC level — acts as a target in route tables
  3. You add a route in the subnet’s route table pointing to the Gateway Endpoint
  4. FREE — no hourly charge, no data processing charge
  5. Does NOT use an ENI (no IP address, no Security Group)
  6. Cannot be accessed from outside the VPC: on-premises networks (VPN/Direct Connect), peered VPCs and Transit Gateway attachments cannot use it
  7. Can attach an Endpoint Policy to restrict which buckets/tables are accessible


Route Table with Gateway Endpoint (diagram): the subnet route table keeps its 10.0.0.0/16 local route and its 0.0.0.0/0 route to the NAT Gateway, and gains one extra entry whose destination is the service's managed prefix list (pl-xxxx for S3) and whose target is the Gateway Endpoint (vpce-xxxx). Because the prefix-list routes are more specific than 0.0.0.0/0, S3 traffic takes the endpoint and everything else still goes to NAT.

S3 Gateway Endpoint = Free NAT Savings

Every byte of S3 traffic through a NAT Gateway costs ~$0.045/GB in data processing. A Gateway Endpoint sends S3 traffic directly to S3 for FREE. For a workload pushing 10,000 GB/month to S3, that is $450/month saved. Always create an S3 Gateway Endpoint in every VPC, and check that the endpoint is associated with the route table of every private subnet that talks to S3: a subnet whose route table lacks the prefix-list route keeps sending S3 traffic through NAT with no error and no warning.
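The route selection described above, as an added example that is not part of the original page: AWS picks the most specific matching route (longest prefix match), which is why the prefix-list routes installed for a Gateway Endpoint beat the 0.0.0.0/0 NAT route for S3 addresses while leaving all other traffic on NAT, and why an isolated subnet with no NAT route at all can still reach S3. The prefix-list id, its member CIDRs, the route targets and the test IPs below are all constructed; the real S3 prefix list is region specific and is read with `aws ec2 get-managed-prefix-list-entries`.

```python
"""Added example: longest-prefix-match route lookup for a subnet route table
that contains a Gateway Endpoint route. All ids, CIDRs and IPs are constructed."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the S3 managed prefix list of one region.
PREFIX_LISTS: Dict[str, List[str]] = {
    "pl-0s3example": ["52.216.0.0/15", "54.231.0.0/16", "3.5.0.0/19"],
}

# Route table of a private subnet after the Gateway Endpoint was created.
# Entries are (destination, target); a destination is a CIDR or a prefix list.
PRIVATE_SUBNET_ROUTES: List[Tuple[str, str]] = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "nat-0123456789abcdef0"),
    ("pl-0s3example", "vpce-0a1b2c3d4e5f67890"),
]

# The same subnet with no NAT route at all (an isolated subnet).
ISOLATED_SUBNET_ROUTES: List[Tuple[str, str]] = [
    ("10.0.0.0/16", "local"),
    ("pl-0s3example", "vpce-0a1b2c3d4e5f67890"),
]


def expand_routes(routes: List[Tuple[str, str]]) -> List[Tuple[ipaddress.IPv4Network, str]]:
    """Replace each prefix-list destination by the CIDRs it contains."""
    expanded = []
    for dest, target in routes:
        cidrs = PREFIX_LISTS[dest] if dest.startswith("pl-") else [dest]
        expanded.extend((ipaddress.ip_network(c), target) for c in cidrs)
    return expanded


def route_for(ip: str, routes: List[Tuple[str, str]]) -> Optional[str]:
    """Return the target of the most specific route covering `ip`,
    or None when no route matches (the packet is dropped)."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for net, target in expand_routes(routes):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


if __name__ == "__main__":
    # 52.216.10.5 is inside the constructed S3 list; 93.184.216.34 is not.
    for ip in ("52.216.10.5", "93.184.216.34", "10.0.5.7"):
        print(ip, "private subnet ->", route_for(ip, PRIVATE_SUBNET_ROUTES),
              "| isolated subnet ->", route_for(ip, ISOLATED_SUBNET_ROUTES))
```

Removing the `pl-0s3example` entry (which is what happens when the endpoint is not associated with the subnet's route table) makes `route_for("52.216.10.5", ...)` fall back to the NAT Gateway, which is the silent cost leak mentioned above.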

3. Interface Endpoints (AWS PrivateLink)


Key Characteristics

  1. Supported for: 100+ AWS services (CloudWatch, SQS, SNS, KMS, API Gateway, SSM, ECR, etc.)
  2. Creates an ENI (Elastic Network Interface) with a private IP in your subnet
  3. Traffic goes through the ENI to the AWS service via AWS PrivateLink
  4. Has a Security Group (you control access at the network level)
  5. Can be accessed from on-premises via VPN or Direct Connect
  6. Charged per hour (~$0.01/hr per AZ) + per GB of data processed (~$0.01/GB)
  7. Provides a private DNS name that resolves to the ENI’s private IP
  8. Deploy in each AZ where you need access (for HA, deploy in 2+ AZs)


Private DNS

  1. When you enable Private DNS on an Interface Endpoint, the service’s default public DNS name (e.g., sqs.us-east-1.amazonaws.com) resolves to the private ENI IP
  2. Your application code does NOT need to change — same endpoint URL, but traffic goes privately
  3. Requires the VPC to have DNS hostnames and DNS support enabled
  4. With Private DNS off, clients must be pointed at the endpoint-specific name (vpce-<id>.<service>.<region>.vpce.amazonaws.com); otherwise they keep resolving the public address and silently go out through NAT or the IGW

4. Gateway vs Interface Endpoint Comparison

S3: Gateway vs Interface Endpoint

  1. S3 supports BOTH Gateway and Interface Endpoints
  2. Gateway Endpoint: free, route-table based, VPC-only, recommended for most cases
  3. Interface Endpoint for S3: costs money, but can be reached from on-premises via VPN/DX and from peered VPCs or Transit Gateway attachments
  4. Use an Interface Endpoint for S3 ONLY when you need private access to S3 from outside the VPC (on-premises, peered VPC); inside the VPC the Gateway Endpoint is free and sufficient

5. Endpoint Policies

  1. JSON policies (same syntax as IAM policies) that control which actions and resources can be reached through the endpoint
  2. Applied to both Gateway and Interface Endpoints
  3. Default: full access to the service ("Principal": "*", "Action": "*", "Resource": "*")
  4. An endpoint policy never grants permissions on its own: the caller's IAM policy and the resource policy (e.g. the bucket policy) are still evaluated, so a request must be allowed by all of them
  5. Example: restrict a Gateway Endpoint to only allow access to a specific S3 bucket. Before tightening an S3 endpoint policy, check what else in the subnet fetches from S3: Amazon Linux package repositories and the SSM agent download from AWS-owned buckets, and a policy like the one below blocks them
Endpoint Policy: Restrict to specific S3 bucket

    {
      "Version": "2012-10-17",
      "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [
          "arn:aws:s3:::my-approved-bucket",
          "arn:aws:s3:::my-approved-bucket/*"
        ]
      }]
    }

Here "Principal": "*" means any caller using the endpoint, not anonymous access; the caller still needs IAM permission for the action. The bucket-side counterpart is a bucket policy that denies requests whose aws:SourceVpce condition key does not equal your endpoint id, so the bucket is reachable only through that endpoint.
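To make the evaluation concrete, here is an added example (not code from the original page) that models how the endpoint policy above is applied and how it combines with a bucket policy that only accepts requests arriving through that endpoint. It implements just the subset of IAM semantics needed here: Allow/Deny with explicit-deny-wins, `*` wildcards in Action and Resource, and the StringEquals/StringNotEquals operators on the aws:SourceVpce key. The caller's IAM identity policy is assumed to allow the action and is not modelled; the endpoint id and bucket names are constructed.

```python
"""Added example: a minimal evaluator for VPC endpoint policies and a
VPCE-only bucket policy. Identity policies are not modelled (assumed Allow).
Endpoint id and bucket names are constructed."""
import fnmatch
from typing import Any, Dict, List, Optional

ENDPOINT_ID = "vpce-0a1b2c3d4e5f67890"  # constructed

# What every endpoint starts with: full access.
DEFAULT_ENDPOINT_POLICY: Dict[str, Any] = {
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}]
}

# The restricted policy from the section above.
RESTRICTED_ENDPOINT_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Principal": "*", "Action": "s3:*",
        "Resource": ["arn:aws:s3:::my-approved-bucket",
                     "arn:aws:s3:::my-approved-bucket/*"],
    }],
}

# Bucket-side counterpart: refuse anything that did not arrive via our endpoint.
BUCKET_POLICY_VPCE_ONLY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyUnlessFromApprovedEndpoint",
        "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": ["arn:aws:s3:::my-approved-bucket",
                     "arn:aws:s3:::my-approved-bucket/*"],
        "Condition": {"StringNotEquals": {"aws:SourceVpce": ENDPOINT_ID}},
    }],
}


def _as_list(v: Any) -> List[Any]:
    return v if isinstance(v, list) else [v]


def _matches(patterns: Any, value: str, fold: bool = False) -> bool:
    """IAM-style `*` wildcard match. Actions (fold=True) compare case-insensitively,
    resource ARNs compare exactly."""
    pairs = [(value.lower(), p.lower()) if fold else (value, p) for p in _as_list(patterns)]
    return any(fnmatch.fnmatchcase(v, p) for v, p in pairs)


def _condition_holds(cond: Dict[str, Dict[str, Any]], ctx: Dict[str, str]) -> bool:
    for op, pairs in cond.items():
        if op not in ("StringEquals", "StringNotEquals"):
            raise NotImplementedError(op)
        for key, expected in pairs.items():
            actual, wanted = ctx.get(key), _as_list(expected)
            if op == "StringEquals" and actual not in wanted:
                return False
            # As in IAM, a missing key satisfies StringNotEquals: a request that
            # used no endpoint at all (no aws:SourceVpce) is caught by the Deny.
            if op == "StringNotEquals" and actual in wanted:
                return False
    return True


def evaluate(policy: Dict[str, Any], action: str, resource: str,
             ctx: Optional[Dict[str, str]] = None) -> str:
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny'. An explicit Deny wins
    over any Allow; no matching statement at all is an implicit deny."""
    ctx = ctx or {}
    result = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action, fold=True):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        result = "Allow"
    return result


def s3_request_allowed(endpoint_policy: Dict[str, Any], bucket_policy: Dict[str, Any],
                       action: str, resource: str, source_vpce: Optional[str]) -> bool:
    """A request through an endpoint must be allowed by the endpoint policy and
    must not be explicitly denied by the bucket policy. source_vpce=None models
    a request that did not use any endpoint (e.g. from the internet)."""
    ctx = {"aws:SourceVpce": source_vpce} if source_vpce else {}
    if source_vpce and evaluate(endpoint_policy, action, resource, ctx) != "Allow":
        return False
    return evaluate(bucket_policy, action, resource, ctx) != "ExplicitDeny"
```

The useful cases to try: an object in my-approved-bucket through the approved endpoint passes both checks; the same object through a different endpoint passes the endpoint policy but hits the bucket policy's Deny; a request with no endpoint at all is denied because the missing aws:SourceVpce key satisfies StringNotEquals; and an object in any other bucket (the package-repository trap mentioned above) is an implicit deny at the endpoint policy before the bucket policy is even consulted.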

6. AWS PrivateLink (Endpoint Services)

AWS PrivateLink lets you expose your own services to other VPCs or accounts privately, without VPC Peering or Transit Gateway.

  1. Provider side: create a Network Load Balancer + VPC Endpoint Service that points at it
  2. Consumer side: create an Interface Endpoint that connects to the provider's service name
  3. Traffic stays on the AWS network. No internet, no peering, no route table changes, and no overlapping-CIDR problem, because the consumer only sees an ENI in its own subnet
  4. Scales to thousands of consumers. Each consumer gets its own ENI
  5. Provider controls who may connect: an allowlist of principals (account or role ARNs) plus optional manual acceptance of each connection request. Connections are only ever initiated from the consumer side
  6. Targets behind the NLB see the NLB's private address, not the consumer's; enable Proxy Protocol v2 on the NLB if the service needs the endpoint's address and endpoint id for logging or access decisions
  7. Commonly used by SaaS vendors to expose services to customers securely

PrivateLink Architecture:

     Consumer VPC                        Provider VPC
    ┌──────────────┐                    ┌──────────────┐
    │  App Server  │                    │   Service    │
    │      |       │    PrivateLink     │  Instances   │
    │  Interface   │────────────────────│      |       │
    │  Endpoint    │   (AWS network)    │     NLB      │
    └──────────────┘                    └──────────────┘

Exam Tip

VPC Endpoints: Gateway = S3 + DynamoDB, FREE, route table, VPC-only. Interface = 100+ services, ENI-based, has SG, costs money, works from on-premises. ALWAYS create S3 Gateway Endpoint (free NAT savings). "Private access to AWS services" = VPC Endpoint. "On-premises to S3 privately" = Interface Endpoint for S3 (not Gateway). PrivateLink = expose YOUR service to other VPCs (NLB + Endpoint Service).